AD CONNECT SETUP BETWEEN AWS AND ON-PREMISES
Problem Statement
The client has a Domain Controller on-premises running on Windows Server 2019, and as part of a compliance requirement all resources created in AWS Cloud should be part of that domain and authenticate against the On-Prem DC.
Provided Solution
Site-to-Site VPN together with AD Connect has been provided as the solution. The Site-to-Site VPN gives a dedicated encrypted tunnel between On-Prem and AWS, and AD Connect is used for seamless domain join in AWS: an EC2 instance is added to the domain at launch simply by providing the domain details. The steps for setting up AD Connect and performing a seamless domain join are listed below.
- Create a VPC on the AWS side where the EC2 instances will be launched (e.g. 172.16.0.0/16).
- Establish a Site-to-Site VPN between the AWS VPC CIDR (e.g. 172.16.0.0/16) and the On-Prem AD CIDR (e.g. 192.168.6.88).
- Create two subnets in the VPC spread across two different availability zones (e.g. 172.16.3.0/24 and 172.16.6.0/24).
- Ensure that the subnets have proper routes to On-Prem via the VPN gateway. A sample route table for one subnet is shown below.
- Now we can set up AD Connect by going to Directory Service in the AWS Console and choosing AD Connect. Provide the relevant details such as Domain Name, IP Address, VPC details, Subnet details, a user with Domain Admin privileges, etc. and then create. Creation takes around 15 minutes; the status can be seen in the AWS Console as shown below.
- For seamless domain join we need to create an IAM role with the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess policies. Detailed steps are given here: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html
- In the VPC we need to create a DHCP Option Set with the On-Prem domain name and DNS server IP, as shown below.
- Ensure that "Enable DNS resolution" and "Enable DNS hostnames" are checked on the VPC.
- Finally we can launch the EC2 instance. While launching, make sure to select the correct VPC and Subnet, and in the advanced settings ensure that the Domain name and the correct IAM role are chosen. The security group should also allow traffic towards the VPC CIDR and the On-Prem CIDR.
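The VPC-side steps above can also be applied and, more importantly, checked from a script. The following is an added example written for this article, not code from the original author, using AWS Tools for PowerShell (the AWS.Tools.EC2 module). It creates the VPC, the two subnets, the DHCP option set and the DNS attributes, attaches the VPN gateway, adds the On-Prem route, and then verifies for each subnet that its route table really carries the route. It assumes credentials and region are already configured, that the Site-to-Site VPN and its virtual private gateway already exist, and that the availability zone names, the on-prem network CIDR and the gateway id are placeholders to be replaced. The AD Connect directory itself is still created in the console as in the steps above.

```powershell
# Added example (not from the original article): provision the VPC pieces from the
# procedure with AWS Tools for PowerShell and verify the On-Prem route per subnet.
# Assumptions: Set-AWSCredential / Set-DefaultAWSRegion already done; the VPN's
# virtual private gateway exists; AZ names, on-prem CIDR and $VgwId are placeholders.
Import-Module AWS.Tools.EC2

$VpcCidr     = '172.16.0.0/16'
$SubnetCidrs = @{ 'ap-south-1a' = '172.16.3.0/24'; 'ap-south-1b' = '172.16.6.0/24' }  # AZs assumed
$DomainName  = 'starsky.com'
$OnPremDcIp  = '192.168.6.88'
$OnPremCidr  = '192.168.6.0/24'        # assumed on-prem network behind the VPN
$VgwId       = 'vgw-PLACEHOLDER'       # replace with the real virtual private gateway id

# 1. VPC with DNS support and DNS hostnames enabled; both are needed so the DHCP
#    option set is honoured and the SSM-driven domain join can resolve the DC.
$vpc = New-EC2Vpc -CidrBlock $VpcCidr
Edit-EC2VpcAttribute -VpcId $vpc.VpcId -EnableDnsSupport $true
Edit-EC2VpcAttribute -VpcId $vpc.VpcId -EnableDnsHostnames $true

# 2. Two subnets in two different availability zones.
$subnets = foreach ($az in $SubnetCidrs.Keys) {
    New-EC2Subnet -VpcId $vpc.VpcId -CidrBlock $SubnetCidrs[$az] -AvailabilityZone $az
}

# 3. DHCP option set: every instance receives the on-prem domain name and the
#    on-prem DC as its DNS server. Then attach the option set to the VPC.
$dhcpConfig = @(
    @{ Key = 'domain-name';         Values = @($DomainName) }
    @{ Key = 'domain-name-servers'; Values = @($OnPremDcIp) }
)
$dhcp = New-EC2DhcpOption -DhcpConfiguration $dhcpConfig
Register-EC2DhcpOption -DhcpOptionsId $dhcp.DhcpOptionsId -VpcId $vpc.VpcId

# 4. Attach the VPN gateway, add the on-prem route to the VPC's main route table
#    and associate BOTH subnets with that table explicitly, so no subnet silently
#    ends up on a route table that lacks the route.
Add-EC2VpnGateway -VpnGatewayId $VgwId -VpcId $vpc.VpcId
$mainRt = Get-EC2RouteTable -Filter @{ Name = 'vpc-id'; Values = $vpc.VpcId }
New-EC2Route -RouteTableId $mainRt.RouteTableId -DestinationCidrBlock $OnPremCidr -GatewayId $VgwId
foreach ($s in $subnets) {
    Register-EC2RouteTable -RouteTableId $mainRt.RouteTableId -SubnetId $s.SubnetId | Out-Null
}

# 5. Verification: look up the route table each subnet is associated with and
#    confirm it has a route to the on-prem CIDR via the VPN gateway.
function Test-OnPremRoute {
    param([string]$SubnetId, [string]$Cidr, [string]$GatewayId)
    $rt = Get-EC2RouteTable -Filter @{ Name = 'association.subnet-id'; Values = $SubnetId }
    $match = $rt.Routes | Where-Object { $_.DestinationCidrBlock -eq $Cidr -and $_.GatewayId -eq $GatewayId }
    return [bool]$match
}

foreach ($s in $subnets) {
    $ok = Test-OnPremRoute -SubnetId $s.SubnetId -Cidr $OnPremCidr -GatewayId $VgwId
    "{0} ({1}): route to {2} via {3} present = {4}" -f $s.SubnetId, $s.CidrBlock, $OnPremCidr, $VgwId, $ok
}
```

The verification loop at the end is the part worth keeping even when the resources are created in the console: run it against existing subnet ids and it reports, per subnet, whether the On-Prem route is present, which is exactly the condition that was missing for the second subnet in the challenges section.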
Challenges
- AD Connect creation was failing multiple times with the error "Internal error occurred". For troubleshooting, I created two VMs in the two subnets, issued the command "nltest /dsgetdc:starsky.com" and ran the PowerShell script below, and found that "Port 53 TCP connectivity cannot be established". Eventually I found that the route towards On-Prem was missing for the second subnet. Added the same and fixed the issue.
Get-Date
$DomainName = 'starsky.com'
# Locate the domain controllers advertised in DNS and dump the local IP configuration
nslookup -type=srv "_ldap._tcp.dc._msdcs.$DomainName"
ipconfig /all
# Resolve the domain's A records and test the DNS, Kerberos, RPC, LDAP, SMB and
# Global Catalog ports against every address returned
$ServerAddresses = (Resolve-DnsName $DomainName -Type A).IPAddress
$Ports = 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 9389
foreach ($ServerIP in $ServerAddresses) {
    foreach ($Port in $Ports) {
        Test-NetConnection $ServerIP -Port $Port | Format-Table RemoteAddress, TcpTestSucceeded, RemotePort
    }
}
- Initially the DC was running on Windows Server 2016 and Seamless Domain Join was not working. Had to install two Windows updates (https://www.catalog.update.microsoft.com/Search.aspx?q=kb5017396 and https://www.catalog.update.microsoft.com/Search.aspx?q=kb5021235).
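The connectivity script above tests the network path to the DC. The remaining prerequisites of a seamless domain join (DHCP option set applied, DNS suffix set, DC SRV record resolvable, IAM instance profile attached, SSM Agent running and able to reach the SSM endpoint, and finally domain membership) live on the instance itself. The following added example, not part of the original article, runs on a freshly launched Windows EC2 instance and reports each of these as a pass or fail. The instance profile name and the region are assumptions; the domain name and DC IP are the article's values.

```powershell
# Added example (not from the original article): post-launch check of the
# seamless domain join prerequisites, run on the EC2 instance itself.
# Assumptions: $InstanceProfileName and $Region are placeholders for this environment.
$DomainName          = 'starsky.com'
$OnPremDcIp          = '192.168.6.88'
$InstanceProfileName = 'EC2DomainJoinRole'   # assumed name of the IAM role created earlier
$Region              = 'ap-south-1'          # assumed AWS region of the VPC

function Test-DomainJoinPrereqs {
    $results = [ordered]@{}

    # 1. DHCP option set applied: the adapter's DNS server list must contain the on-prem DC.
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object { $_.ServerAddresses }).ServerAddresses
    $results['DnsPointsToOnPremDc'] = $dnsServers -contains $OnPremDcIp

    # 2. The domain-name option shows up as the adapter's connection-specific suffix.
    $results['DnsSuffixIsDomain'] = (Get-DnsClient).ConnectionSpecificSuffix -contains $DomainName

    # 3. The DC locator SRV record resolves through that DNS server.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $results['DcSrvRecordResolves'] = [bool]$srv

    # 4. IAM instance profile attached, read via IMDSv2 (session token first).
    try {
        $token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' `
                     -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' } -ErrorAction Stop
        $iam   = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/iam/info' `
                     -Headers @{ 'X-aws-ec2-metadata-token' = $token } -ErrorAction Stop
        $results['InstanceProfileAttached'] = $iam.InstanceProfileArn -like "*:instance-profile/$InstanceProfileName"
    } catch {
        $results['InstanceProfileAttached'] = $false   # no profile or IMDS unreachable
    }

    # 5. SSM Agent running and able to reach the regional SSM endpoint on 443
    #    (the domain join is delivered to the instance as an SSM document).
    $svc = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
    $results['SsmAgentRunning']  = [bool]($svc -and $svc.Status -eq 'Running')
    $results['SsmEndpointReachable'] = Test-NetConnection -ComputerName "ssm.$Region.amazonaws.com" `
                                           -Port 443 -InformationLevel Quiet

    # 6. End state: the computer reports itself as a member of the expected domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results['JoinedToDomain'] = [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $DomainName))

    return [pscustomobject]$results
}

$report = Test-DomainJoinPrereqs
$report | Format-List
# Non-zero exit code when any check failed, so the script can gate a build pipeline.
if ($report.PSObject.Properties.Value -contains $false) { exit 1 }
```

Checks 1 to 5 are the ones to read when check 6 is false: the first failing line usually points at the misconfigured piece (DHCP option set not attached, DNS attributes unchecked, wrong IAM role, or a security group that blocks the SSM endpoint).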
Summary
This article discusses a scenario in which a client had a requirement to authenticate resources running on AWS against the On-Prem domain controller. Step-by-step instructions have been provided for AD Connect setup and seamless domain join. The article also covers the issues encountered during the implementation and the steps involved in fixing them.
Author
Cyril Johnson, StarOne IT Solutions