Step 1: Set up your Amazon environment for Amazon Managed Microsoft AD Active Directory - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Set up your Amazon environment for Amazon Managed Microsoft AD Active Directory

Before you can create Amazon Managed Microsoft AD in your Amazon test lab, you first need to set up your Amazon EC2 key pair so that all login data is encrypted.

Create a key pair

If you already have a key pair, you can skip this step. For more information about Amazon EC2 key pairs, see Create key pairs.

To create a key pair
  1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, under Network & Security, choose Key Pairs, and then choose Create Key Pair.

  3. For Key pair name, type Amazon-DS-KP. For Key pair file format, select pem, and then choose Create.

  4. The private key file is automatically downloaded by your browser. The file name is the name you specified when you created your key pair with an extension of .pem. Save the private key file in a safe place.

    Important

    This is the only chance for you to save the private key file. You need to provide the name of your key pair when you launch an instance and the corresponding private key each time you decrypt the password for the instance.

Create, configure, and peer two Amazon VPCs

As shown in the following illustration, by the time you finish this multi-step process you will have created and configured two public VPCs, two public subnets per VPC, one Internet Gateway per VPC, and one VPC Peering connection between the VPCs. We chose to use public VPCs and subnets for the purpose of simplicity and cost. For production workloads, we recommend that you use private VPCs. For more information about improving VPC Security, see Security in Amazon Virtual Private Cloud.

Amazon VPC environment with subnets, and Internet Gateways to create an Amazon Managed Microsoft AD Active Directory.

All of the Amazon CLI and PowerShell examples use the VPC information from below and are built in us-west-2. You may choose any supported Region to build you environment in. For general information, see What is Amazon VPC?.

Step 1: Create two VPCs

In this step, you need to create two VPCs in the same account using the specified parameters in the following table. Amazon Managed Microsoft AD supports the use of separate accounts with the Share your Amazon Managed Microsoft AD feature. The first VPC will be used for Amazon Managed Microsoft AD. The second VPC will be used for resources that can be used later in Tutorial: Creating a trust from Amazon Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2.

Managed Active Directory VPC information

On-premises VPC information

Name tag: Amazon-DS-VPC01

IPv4 CIDR block: 10.0.0.0/16

IPv6 CIDR block: No IPv6 CIDR Block

Tenancy: Default

Name tag: Amazon-OnPrem-VPC01

IPv4 CIDR block: 10.100.0.0/16

IPv6 CIDR block: No IPv6 CIDR Block

Tenancy: Default

For detailed instructions, see Creating a VPC.

Step 2: Create two subnets per VPC

After you have created the VPCs you will need to create two subnets per VPC using the specified parameters in the following table. For this test lab each subnet will be a /24. This will allows up to 256 addresses to be issued per subnet. Each subnet must be a in a separate AZ. Putting each subnet in a separate in AZ is one of the Prerequisites for creating a Amazon Managed Microsoft AD.

Amazon-DS-VPC01 subnet Information:

Amazon-OnPrem-VPC01 subnet information

Name tag: Amazon-DS-VPC01-Subnet01

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01

Availability Zone: us-west-2a

IPv4 CIDR block: 10.0.0.0/24

Name tag: Amazon-OnPrem-VPC01-Subnet01

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-OnPrem-VPC01

Availability Zone: us-west-2a

IPv4 CIDR block: 10.100.0.0/24

Name tag: Amazon-DS-VPC01-Subnet02

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01

Availability Zone: us-west-2b

IPv4 CIDR block: 10.0.1.0/24

Name tag: Amazon-OnPrem-VPC01-Subnet02

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-OnPrem-VPC01

Availability Zone: us-west-2b

IPv4 CIDR block: 10.100.1.0/24

For detailed instructions, see Creating a subnet in your VPC.

Step 3: Create and attach an Internet Gateway to your VPCs

Since we are using public VPCs you will need to create and attach an Internet gateway to your VPCs using the specified parameters in the following table. This will allow you to be able to connect to and manage your EC2 instances.

Amazon-DS-VPC01 Internet Gateway information

Amazon-OnPrem-VPC01 Internet Gateway information

Name tag: Amazon-DS-VPC01-IGW

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01

Name tag: Amazon-OnPrem-VPC01-IGW

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-OnPrem-VPC01

For detailed instructions, see Internet gateways.

Step 4: Configure a VPC peering connection between Amazon-DS-VPC01 and Amazon-OnPrem-VPC01

Since you already created two VPCs earlier, you will need to network them together using VPC peering using the specified parameters in the following table. While there are many ways to connect your VPCs, this tutorial will use VPC Peering. Amazon Managed Microsoft AD supports many solutions to connect your VPCs, some of these include VPC peering, Transit Gateway, and VPN.

Peering connection name tag: Amazon-DS-VPC01&Amazon-OnPrem-VPC01-Peer

VPC (Requester): vpc-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01

Account: My Account

Region: This Region

VPC (Accepter): vpc-xxxxxxxxxxxxxxxxx Amazon-OnPrem-VPC01

For instructions on how to create a VPC Peering Connection with another VPC from with in your account, see Creating a VPC peering connection with another VPC in your account.

Step 5: Add two routes to each VPC’s main route table

In order for the Internet Gateways and VPC Peering Connection created in the previous steps to be functional you will need to update the main route table of both VPCs using the specified parameters in the following table. You will be adding two routes; 0.0.0.0/0 which will route to all destinations not explicitly known to the route table and 10.0.0.0/16 or 10.100.0.0/16 which will route to each VPC over the VPC Peering Connection established above.

You can easily find the correct route table for each VPC by filtering on the VPC name tag (Amazon-DS-VPC01 or Amazon-OnPrem-VPC01).

Amazon-DS-VPC01 route 1 information

Amazon-DS-VPC01 route 2 information

Amazon-OnPrem-VPC01 route 1 Information

Amazon-OnPrem-VPC01 route 2 Information

Destination: 0.0.0.0/0

Target: igw-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01-IGW

Destination: 10.100.0.0/16

Target: pcx-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01&Amazon-OnPrem-VPC01-Peer

Destination: 0.0.0.0/0

Target: igw-xxxxxxxxxxxxxxxxx Amazon-Onprem-VPC01

Destination: 10.0.0.0/16

Target: pcx-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01&Amazon-OnPrem-VPC01-Peer

For instructions on how to add routes to a VPC route table, see Adding and removing routes from a route table.

Create security groups for Amazon EC2 instances

By default, Amazon Managed Microsoft AD creates a security group to manage traffic between its domain controllers. In this section, you will need to create 2 security groups (one for each VPC) which will be used to manage traffic within your VPC for your EC2 instances using the specified parameters in the following tables. You also add a rule that allows RDP (3389) inbound from anywhere and for all traffic types inbound from the local VPC. For more information, see Amazon EC2 security groups for Windows instances.

Amazon-DS-VPC01 security group information:

Security group name: Amazon DS Test Lab Security Group

Description: Amazon DS Test Lab Security Group

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-DS-VPC01

Security Group Inbound Rules for Amazon-DS-VPC01

Type Protocol Port range Source Type of traffic
Custom TCP Rule TCP 3389 My IP Remote Desktop
All Traffic All All 10.0.0.0/16 All local VPC traffic

Security Group Outbound Rules for Amazon-DS-VPC01

Type Protocol Port range Destination Type of traffic
All Traffic All All 0.0.0.0/0 All traffic
Amazon-OnPrem-VPC01 security group information:

Security group name: Amazon OnPrem Test Lab Security Group.

Description: Amazon OnPrem Test Lab Security Group.

VPC: vpc-xxxxxxxxxxxxxxxxx Amazon-OnPrem-VPC01

Security Group Inbound Rules for Amazon-OnPrem-VPC01

Type Protocol Port range Source Type of traffic
Custom TCP Rule TCP 3389 My IP Remote Desktop
Custom TCP Rule TCP 53 10.0.0.0/16 DNS
Custom TCP Rule TCP 88 10.0.0.0/16 Kerberos
Custom TCP Rule TCP 389 10.0.0.0/16 LDAP
Custom TCP Rule TCP 464 10.0.0.0/16 Kerberos change / set password
Custom TCP Rule TCP 445 10.0.0.0/16 SMB / CIFS
Custom TCP Rule TCP 135 10.0.0.0/16 Replication
Custom TCP Rule TCP 636 10.0.0.0/16 LDAP SSL
Custom TCP Rule TCP 49152 - 65535 10.0.0.0/16 RPC
Custom TCP Rule TCP 3268 - 3269 10.0.0.0/16 LDAP GC & LDAP GC SSL
Custom UDP Rule UDP 53 10.0.0.0/16 DNS
Custom UDP Rule UDP 88 10.0.0.0/16 Kerberos
Custom UDP Rule UDP 123 10.0.0.0/16 Windows Time
Custom UDP Rule UDP 389 10.0.0.0/16 LDAP
Custom UDP Rule UDP 464 10.0.0.0/16 Kerberos change / set password
All Traffic All All 10.100.0.0/16 All local VPC traffic

Security Group Outbound Rules for Amazon-OnPrem-VPC01

Type Protocol Port range Destination Type of traffic
All Traffic All All 0.0.0.0/0 All traffic

For detailed instructions on how to create and add rules to your security groups, see Working with security groups.