Extend Self-Managed Microsoft Active Directory on EC2 into a new AWS Region
This article aims to assist customers with existing Microsoft Active Directory services, whether deployed in AWS or on-premises, in extending their domain into new AWS region(s)
Introduction
Deploying a self-managed Microsoft Active Directory (AD) on Amazon EC2 in a new AWS region offers organisations increased control and availability of their Microsoft AD service. In this guide, we’ll explore the steps to expand your existing self-managed AD on EC2 into a new AWS region. This article will cover pre-requisites for configuration, deployment steps, DNS changes as well as updating Microsoft AD Sites and Services, following these steps will help you create a robust and scalable directory service setup in a multi-region AWS environment.
Suggested Reading
I would suggest reviewing the following two links as they deep dive into Self-Managed AD on EC2 as well and DNS using Route 53.
- Self-Managed Active Directory on EC2
- How to achieve DNS high availability with Route 53 Resolver endpoints
Prerequisites
- Amazon Virtual Private Cloud (VPC) deployed and configured in the desired AWS Region - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html
- VPC connectivity - This can be achieved via an AWS Transit Gateway or VPC Peering
- Security Groups for the domain controllers
Inbound
- TCP/UDP 53 - DNS
- TCP/UDP 88 - Kerberos authentication
- UDP 123 - NTP
- TCP 135 - RPC
- TCP/UDP 389 - LDAP
- TCP/UDP 445 - SMB
- TCP/UDP 464 - Kerberos authentication
- TCP 636 - LDAPS (LDAP over TLS/SSL)
- TCP 3268-3269 - Global Catalog
- TCP/UDP 49152-65535 - Ephemeral ports for RPC
- Any other required ports you need open
Configure DNS
Before we can start deploying a new domain controllers into the new region, we need to set up DNS in the new region to allow the EC2 domain controllers to resolve our Microsoft Active Directory’s Fully Qualified Domain Name (FQDN), which will enable you to add domain controllers to your existing domain. By default, a VPC in your AWS environment includes a DNS resolver that leverages Amazon Route 53, referred to as AmazonProvidedDNS. This resolver operates on the second IPv4 address within your VPC’s address range (known as the VPC+2 address). However, AmazonProvidedDNS does not recognise the fully qualified domain name (FQDN) of your directory. There are two main components that need to be configured in Route 53, the Outbound Endpoint and a Route 53 Rule.
Outbound Endpoint Resolver
To forward DNS queries from your VPCs to your network, you create an outbound endpoint. An outbound endpoint specifies the IP addresses that queries originate from. Those IP addresses, which you choose from the range of IP addresses available to your VPC, aren't public IP addresses. . Note that you can use the same outbound endpoint for multiple VPCs in the same Region, or you can create multiple outbound endpoints.
- Log in to your AWS Management Console
- Select the Region you want to configure the domain controller in 3.Open the Route 53 Service
- From the left hand menu, under resolvers, select Outbound Endpoints
- Click Create Outbound Endpoint
- Give the endpoint a name
- Select the VPC the domain controller will reside in
- Select a security groups that you want to use to control access to this VPC. The security group that you specify must include one or more outbound rules. Outbound rules must allow TCP and UDP access on the port that you're using for DNS queries on your network. You can't change this value after you create an endpoint.
- For Endpoint Type select IPv4 (unless you are running IPv6)
- Select two Availability Zones within your selected VPC
- Click Create Outbound Endpoint
This will take a few minutes to create you should see the below view in the console
Once complete it will show as "Operational"
Outbound Rule
To specify the domain names of the queries that you want to forward to DNS resolvers on your network, you can create one or more rules in Route 53, each rule specifies one domain name. You then associate rules with the VPCs for which you want to forward queries to your network.
- Within the Route 53 console, select Rules from the left hand menu
- Select Create rule
- Give the rule a name
- Rule type should be "Forward"
- In the domain name input your FQDN of your domain (I have used onpremad.local for this article)
- Select the VPC that will use this rule (this is the VPC your domain controllers will reside in)
- Select the Outbound endpoint you created in the previous step
- Enter the target IP address/s of an existing DNS server (e.g., domain controller running DNS) Note: At this point you probably don't have a domain joined DNS server in the VPC you are wanting to deploy your domain controllers to, if that is the case you will want to use a DNS server IP that is located elsewhere in your AWS environment (or even on-premises). We will come back and change this target IP address later. Make sure the target has the right security groups to allow for DNS queries.
- Select Submit
We have now configured Route 53 to forward any queries that include our FQDN to forward theses queries to an existing DNS server in our existing domain.
Deploy EC2 Instance
The next step is to deploy the EC2 instance you would like to promote to a domain controller. Deploy the instance with the required settings for your environment. Once you have deployed the EC2 instance you will need to login and install the "Active Directory Domain Services" from the roles and features in Server Manager, also install any other roles and features you require on your domain controllers.
Finally, configure any other required changes to the server, once this is done you can promote this server to a domain controller.
Once your domain controller has joined the domain and rebooted the final step is to configure Active Directory Sites and Services.
Active Directory Sites and Services
Now that we have our new domain controller set up, we now need to add a new site to Active Directory Sites and Services, create a new subnet and link it to that site and finally move the new domain controller into the new site.
- Login to one of your domain controllers and open Active Directory Sites and Services
- Right Click Sites and select New Site
- Give the site a name (I have used the AWS region name)
- Select a site link - Note: I have used the default site link, make sure you are setting up Active Directory Site links in line with your your Active Directory site link design)
- The next step is to configure the subnet that will be associate to the site, right click subnet and select New Subnet
- Input the subnet (I have used the VPC CIDR) and select the Site to associate this to
- The final step is to move the new domain controller to the new site
- My new domain controllers by default go into the Default-First-Site-Name site
- Right click your newly created domain controller server name and select move and select the new site you have just created
Update Route 53 Rule
The final step is to now update the Route 53 Rule we created earlier, to point to the newly created domain controller / DNS server
- Login to your AWS Management Console
- Select the Region that we will update the Route 53 rule in
- Open the Route 53 Service
- Select Rule from the left hand menu
- Click on the Rule name you created earlier
- Scroll down to Target IP Address and Select Add target IP address
- Update the existing IP address with your new domain controller / DNS server IP Address. If you have deployed multiple domain controllers / DNS servers enter these target IP addresses
- Click Add
Conclusion
You have now set up your new domain controller in your new region, complete with Route 53 to handle DNS queries for your domain.
Relevant content
- Accepted Answerasked a year agolg...
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated a year ago