
AD CONNECT SETUP BETWEEN AWS AND ON-PREMISES

Problem Statement

The client has a Domain Controller on-premises running on Windows Server 2019, and as a compliance requirement every resource created in the AWS Cloud must be part of that domain and authenticate against the on-prem DC.

Provided Solution

A Site-to-Site VPN together with AD Connect has been provided as the solution. The Site-to-Site VPN gives a dedicated encrypted tunnel between on-prem and AWS, and AD Connect provides seamless domain joining in AWS: when launching an EC2 instance, supplying the domain details is enough for the machine to be added to the domain. The steps for setting up AD Connect and performing a seamless domain join are listed below.

  • Create a VPC on the AWS side where the EC2 instances will be launched (e.g. 172.16.0.0/16).

  • Establish a Site-to-Site VPN between the AWS VPC CIDR (e.g. 172.16.0.0/16) and the on-prem AD CIDR (e.g. 192.168.6.88).

  • Create two subnets in the VPC spread across two different availability zones (e.g. 172.16.3.0/24 and 172.16.6.0/24).

  • Ensure that Subnets have proper routes to On-Prem via VPN gateway. Sample route table for one subnet is shown below.

    [Figure 1: blog-ad-connect-fig1.png, sample route table for one subnet]

  • Now we can set up AD Connect by going to Directory Service in the AWS Console and choosing AD Connect. Provide the relevant details such as the domain name, the DC IP address, the VPC and subnets, and a user with Domain Admin privileges, then create it. Creation takes around 15 minutes; the status can be seen in the AWS Console as shown below.

  • Ensure that "Enable DNS resolution" and "Enable DNS hostnames" are checked in the VPC settings.

  • Finally, launch the EC2 instance. While launching, make sure the correct VPC and subnet are selected and, under the advanced settings, that the domain name and the correct IAM role are chosen. The security group must also allow traffic towards the VPC CIDR and the on-prem CIDR.

Challenges

  • AD Connect creation failed multiple times with the error "Internal error occurred". To troubleshoot, two VMs were created, one in each subnet, the command "nltest /dsgetdc:starsky.com" was issued and the PowerShell script below was run; it reported "Port 53 TCP connectivity cannot be established". Eventually the cause was found: the route towards on-prem was missing from the second subnet's route table. Adding it fixed the issue.

# Timestamp the run, then confirm the DC SRV records resolve from this VM
Get-Date
$DomainName = 'starsky.com'
nslookup -type=srv _ldap._tcp.dc._msdcs.$DomainName
ipconfig /all

# Resolve the domain to its DC addresses and test each AD port AD Connect needs
$ServerAddresses = (Resolve-DnsName $DomainName).IPAddress
$Ports = 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 9389
foreach ($ServerIP in $ServerAddresses) {
    foreach ($Port in $Ports) {
        Test-NetConnection $ServerIP -Port $Port |
            Format-Table RemoteAddress, TcpTestSucceeded, RemotePort
    }
}
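Because the failure above came down to one subnet's route table lacking the on-prem route, the following check, added here as an example and not part of the original article, walks the JSON that `aws ec2 describe-route-tables` returns and reports any AD Connect subnet whose effective route table has no active virtual-private-gateway route covering the DC address. The route-table JSON, subnet ids and vgw id are constructed placeholders; the 172.16.0.0/16 VPC CIDR and the DC address 192.168.6.88 come from the article, and the 192.168.6.0/24 on-prem route is assumed.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-route-tables` output; table,
# subnet and vgw ids are placeholders and the 192.168.6.0/24 on-prem route is assumed.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {   # explicitly associated with the first AD Connect subnet; has the VPN route
        "RouteTableId": "rtb-placeholder-a",
        "Associations": [{"SubnetId": "subnet-az1", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "192.168.6.0/24", "GatewayId": "vgw-placeholder", "State": "active"},
        ],
    },
    {   # VPC main table; the second subnet has no explicit association and falls back to it
        "RouteTableId": "rtb-placeholder-b",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local", "State": "active"}],
    },
]}

def routes_for_subnet(route_tables, subnet_id):
    """Routes that apply to subnet_id: its explicitly associated table, else the
    VPC main table (which AWS uses for subnets without an explicit association)."""
    main_routes = []
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table.get("Routes", [])
            if assoc.get("Main"):
                main_routes = table.get("Routes", [])
    return main_routes

def on_prem_route_ok(routes, dc_ip):
    """True if an active route covers dc_ip and points at a virtual private gateway."""
    target = ipaddress.ip_address(dc_ip)
    for route in routes:
        cidr = route.get("DestinationCidrBlock")
        if not cidr or route.get("State") != "active":
            continue
        if target in ipaddress.ip_network(cidr, strict=False) and route.get("GatewayId", "").startswith("vgw-"):
            return True
    return False

def subnets_missing_on_prem_route(route_tables, subnet_ids, dc_ip):
    """AD Connect subnets whose effective route table cannot reach the on-prem DC over the VPN."""
    return [s for s in subnet_ids if not on_prem_route_ok(routes_for_subnet(route_tables, s), dc_ip)]

if __name__ == "__main__":
    print(subnets_missing_on_prem_route(SAMPLE_ROUTE_TABLES, ["subnet-az1", "subnet-az2"], "192.168.6.88"))
```

Against the sample this reports only the second subnet, which is exactly the gap the troubleshooting above uncovered.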

Summary

This article discusses a scenario in which a client needed resources running on AWS to authenticate against the on-prem domain controller. Step-by-step instructions have been provided for the AD Connect setup and seamless domain join. The article also covers the issues encountered during the implementation and the steps taken to fix them.

Author

Cyril Johnson, StarOne IT Solutions
