

# Simple AD
<a name="directory_simple_ad"></a>

Simple AD is a standalone managed directory that is powered by a Samba 4 Active Directory Compatible Server. It is available in two sizes.
+ Small - Supports up to 500 users (approximately 2,000 objects including users, groups, and computers).
+ Large - Supports up to 5,000 users (approximately 20,000 objects including users, groups, and computers).

Simple AD provides a subset of the features offered by AWS Managed Microsoft AD, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO). However, note that Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group managed service accounts, and schema extensions for POSIX and Microsoft applications.

Simple AD offers many advantages:
+ Simple AD makes it easier to [manage Amazon EC2 instances running Linux and Windows](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_join_instance.html) and deploy Windows applications in the AWS Cloud.
+ Many of the applications and tools that you use today that require Microsoft Active Directory support can be used with Simple AD.
+ User accounts in Simple AD allow access to AWS applications such as WorkSpaces, WorkDocs, or Amazon WorkMail.
+ You can manage AWS resources through IAM role–based access to the AWS Management Console.
+ Daily automated snapshots enable point-in-time recovery.

Simple AD does not support any of the following:
+ Amazon WorkSpaces Applications
+ Amazon Chime
+ Amazon FSx
+ Amazon RDS for SQL Server
+ Amazon RDS for Oracle
+ AWS IAM Identity Center
+ Trust relationships with other domains
+ Active Directory Administrative Center
+ PowerShell
+ Active Directory recycle bin
+ Group managed service accounts
+ Schema extensions for POSIX and Microsoft applications

Continue reading the topics in this section to learn how to create your own Simple AD.

**Topics**
+ [Getting started with Simple AD](simple_ad_getting_started.md)
+ [Best practices for Simple AD](simple_ad_best_practices.md)
+ [Maintain your Simple AD directory](simple_ad_maintain.md)
+ [Secure your Simple AD directory](simple_ad_security.md)
+ [Monitor your Simple AD directory](simple_ad_monitor.md)
+ [Access to AWS applications and services from your Simple AD](simple_ad_manage_apps_services.md)
+ [Ways to join an Amazon EC2 instance to your Simple AD](simple_ad_join_instance.md)
+ [Users and groups management in Simple AD](simple_ad_manage_users_groups.md)
+ [Simple AD quotas](simple_ad_limits.md)
+ [Troubleshooting Simple AD](simple_ad_troubleshooting.md)

# Getting started with Simple AD
<a name="simple_ad_getting_started"></a>

Simple AD creates a fully managed, Samba-based directory in the AWS cloud. When you create a directory with Simple AD, Directory Service creates two domain controllers and DNS servers on your behalf. The domain controllers are created in different subnets in an Amazon VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs.

**Topics**
+ [Simple AD prerequisites](#prereq_simple)
+ [Create your Simple AD](#how_to_create_simple_ad)
+ [What gets created with your Simple AD](simple_ad_what_gets_created.md)

## Simple AD prerequisites
<a name="prereq_simple"></a>

To create a Simple AD Active Directory, you need an Amazon VPC with the following: 
+ The VPC must have default hardware tenancy.

  You can use IPv6 for your VPC. For more information, see [IPv6 support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html) in the *Amazon Virtual Private Cloud User Guide*.
+ At least two subnets in two different Availability Zones, both of the same network type. The subnets must be in the same Classless Inter-Domain Routing (CIDR) range. If you want to extend or resize the VPC for your directory, make sure to select both of the domain controller subnets for the extended VPC CIDR range. When you create a Simple AD, Directory Service creates two domain controllers and DNS servers on your behalf.
  + For more information about the CIDR range, see [IP addressing for your VPCs and subnets](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-ip-addressing.html) in the *Amazon VPC User Guide*.
+ If you require LDAPS support with Simple AD, we recommend that you configure it using a Network Load Balancer connected to port 389. This model enables you to use a strong certificate for the LDAPS connection, simplify access to LDAPS through a single NLB IP address, and have automatic fail-over through the NLB. With this design TLS terminates at the NLB; the hop from the NLB to the domain controllers is unencrypted LDAP on port 389 and stays inside your VPC. Simple AD does not support the use of self-signed certificates on port 636. For more information about how to configure LDAPS with Simple AD, see [How to configure an LDAPS endpoint for Simple AD](https://aws.amazon.com/blogs/security/how-to-configure-ldaps-endpoint-for-simple-ad/) in the *AWS Security Blog*.
+ The following encryption types must be enabled in the directory: 
  + `RC4_HMAC_MD5`
  + `AES128_HMAC_SHA1`
  + `AES256_HMAC_SHA1`
  + Future encryption types
**Note**  
Disabling these encryption types can cause communication issues with RSAT (Remote Server Administration Tools) and impact the availability of your directory.
+ For more information, see [What is Amazon VPC?](https://docs.aws.amazon.com//vpc/latest/userguide/what-is-amazon-vpc.html) in the *Amazon VPC User Guide*.

Directory Service uses a two VPC structure. The EC2 instances which make up your directory run outside of your AWS account, and are managed by AWS. They have two network adapters, `ETH0` and `ETH1`. `ETH0` is the management adapter, and exists outside of your account. `ETH1` is created within your account. 

The management IP range of your directory's `ETH0` network is chosen programmatically to ensure it does not conflict with the VPC where your directory is deployed. This IP range can be in either of the following pairs (as Directories run in two subnets):
+ 10.0.1.0/24 & 10.0.2.0/24 
+ 169.254.0.0/16
+ 192.168.1.0/24 & 192.168.2.0/24 

We avoid conflicts by checking the first octet of the `ETH1` CIDR. If it starts with 10, then we choose a 192.168.0.0/16 VPC with 192.168.1.0/24 and 192.168.2.0/24 subnets. If the first octet is anything other than 10, we choose a 10.0.0.0/16 VPC with 10.0.1.0/24 and 10.0.2.0/24 subnets. 

The selection algorithm does not include routes on your VPC. It is therefore possible to have an IP routing conflict result from this scenario. 
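Because the selection rule above ignores your route tables, the conflict check is yours to do. The following Python is an added example, not AWS code: it reproduces the stated rule (first octet 10 selects the 192.168.x management subnets, anything else selects 10.0.1.0/24 and 10.0.2.0/24) and then tests the route destinations you already have against that range. The 169.254.0.0/16 option listed above is not covered by the stated rule, so the check only considers the two ranges the rule describes; the route list in the sample is constructed.

```python
"""Pre-flight check for the Simple AD management (ETH0) address range.

Added example, not AWS code. It reproduces the selection rule from the
prerequisites (first octet of the ETH1 VPC CIDR == 10 -> 192.168.0.0/16
management VPC, otherwise 10.0.0.0/16) and checks the routes you already
have against that range, which the AWS selection itself does not do.
"""
import ipaddress
from typing import Iterable

MGMT_FOR_TEN = ("192.168.1.0/24", "192.168.2.0/24")
MGMT_DEFAULT = ("10.0.1.0/24", "10.0.2.0/24")


def management_subnets(eth1_vpc_cidr: str) -> tuple:
    """Return the two /24 management subnets AWS will pick for a directory in this VPC."""
    vpc = ipaddress.ip_network(eth1_vpc_cidr, strict=True)
    if vpc.version != 4:
        raise ValueError("management range selection is based on the IPv4 CIDR of the VPC")
    first_octet = int(str(vpc.network_address).split(".")[0])
    chosen = MGMT_FOR_TEN if first_octet == 10 else MGMT_DEFAULT
    return tuple(ipaddress.ip_network(c) for c in chosen)


def route_conflicts(eth1_vpc_cidr: str, route_destinations: Iterable[str]) -> list:
    """Return the route destinations that overlap the management subnets.

    route_destinations: destination CIDRs from the route tables of the VPC
    (for example from `aws ec2 describe-route-tables`), including routes
    toward on-premises networks, peered VPCs and Transit Gateways.
    """
    mgmt = management_subnets(eth1_vpc_cidr)
    conflicts = []
    for dest in route_destinations:
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # prefix-list or other non-CIDR destination
        if net.version != 4 or net.prefixlen == 0:
            continue  # IPv6 routes and the default route are not specific conflicts
        if any(net.overlaps(m) for m in mgmt):
            conflicts.append(dest)
    return conflicts


if __name__ == "__main__":
    # Constructed sample: a 172.31.0.0/16 VPC whose route table reaches an
    # on-premises 10.0.0.0/8 over a VPN. AWS will select 10.0.1.0/24 and
    # 10.0.2.0/24 for ETH0, which the VPN route covers.
    vpc_cidr = "172.31.0.0/16"
    routes = ["172.31.0.0/16", "0.0.0.0/0", "10.0.0.0/8", "192.168.0.0/16"]
    print("management subnets:", [str(n) for n in management_subnets(vpc_cidr)])
    print("conflicting routes:", route_conflicts(vpc_cidr, routes))
```

Run it with the CIDR of the VPC you intend to use and the destinations from every route table in that VPC; a non-empty result means traffic for those prefixes would be routed over the same addresses the managed domain controllers use for their management adapter.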

**Important**  
If any of the Simple AD prerequisites are altered after your Simple AD is created, your Simple AD can become **Impaired**. To resolve your Simple AD **Impaired** status, you will need to contact [AWS Support](https://aws.amazon.com/premiumsupport/). 

## Create your Simple AD
<a name="how_to_create_simple_ad"></a>

This procedure walks you through all the necessary steps to create a Simple AD. It is intended to get you started with Simple AD quickly and easily, but is not intended to be used in a large-scale production environment. 

**Topics**
+ [Prerequisites](#gsg_prereqs)
+ [Creating and configuring your Amazon VPC for your Simple AD](#gsg_create_vpc)
+ [Creating your Simple AD](#gsg_create_directory)

### Prerequisites
<a name="gsg_prereqs"></a>

This procedure assumes the following:
+ You have an active AWS account.
+ Your account has not reached its limit of Amazon VPCs for the Region in which you want to use Simple AD. For more information about VPC, see [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Introduction.html) and [Subnets in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPCSubnet) in the *Amazon VPC User Guide*.
+ You do not have an existing VPC in the Region with a CIDR of `10.0.0.0/16`.
+ You are in a Region where Simple AD is available. For more information, see [Region availability for Directory Service](regions.md).

For more information, see [Simple AD prerequisites](#prereq_simple).

### Creating and configuring your Amazon VPC for your Simple AD
<a name="gsg_create_vpc"></a>

First, you will create and configure an Amazon VPC for use with your Simple AD. Before starting this procedure, make sure you have completed the [Prerequisites](#gsg_prereqs).

The VPC you will create will have two public subnets. Directory Service requires two subnets in your VPC, and each subnet must be in a different Availability Zone.

**Create a VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the **VPC Dashboard**, choose **Create VPC**.

1. Under **VPC settings**, choose **VPC and more**.

1. Complete these fields as follows:
   + Keep **Auto-generated** selected under **Name tag auto-generation**. Change **project** to `ADS VPC`.
   + The **IPv4 CIDR block** should be `10.0.0.0/16`.
   + Keep **No IPv6 CIDR block** option selected.
   + The **Tenancy** should remain **Default**.
   + Select **2** for the **Number of Availability Zones (AZs)**.
   + Select **2** for the **Number of public subnets**. The **number of private subnets** can be changed to 0.
   + Choose **Customize subnet CIDR blocks** to configure the public subnet IP address range. The public subnet CIDR blocks should be `10.0.0.0/20` and `10.0.16.0/20`.

1. Choose **Create VPC**. It takes several minutes for the VPC to be created. 

### Creating your Simple AD
<a name="gsg_create_directory"></a>

To create a new Simple AD, perform the following steps. Before starting this procedure, make sure you have completed the following in [Prerequisites](#gsg_prereqs) and [Creating and configuring your Amazon VPC for your Simple AD](#gsg_create_vpc).

**Create a Simple AD**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories** and then choose **Set up directory**.

1. On the **Select directory type** page, choose **Simple AD**, and then choose **Next**.

1. On the **Enter directory information** page, provide the following information:  
**Directory size**  
Choose from either the **Small** or **Large** size option. For more information about sizes, see [Simple AD](directory_simple_ad.md).  
**Organization name**  
A unique organization name for your directory that will be used to register client devices.  
This field is only available if you are creating your directory as part of launching WorkSpaces.  
**Directory DNS name**  
The fully qualified name for the directory, such as `corp.example.com`.  
**Directory NetBIOS name**  
The short name for the directory, such as `CORP`.  
**Administrator password**  
The password for the directory administrator. The directory creation process creates an administrator account with the username `Administrator` and this password.  
The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:  
   + Lowercase letters (a-z)
   + Uppercase letters (A-Z)
   + Numbers (0-9)
   + Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)  
**Confirm password**  
Retype the administrator password.  
Be sure to save this password. Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Directory Service console or by using the [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html) API.  
**Directory description**  
An optional description for the directory.

1. On the **Choose VPC and subnets** page, provide the following information, and then choose **Next**.  
**VPC**  
The VPC for the directory.  
**Subnets**  
Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones. 

1. On the **Review & create** page, review the directory information and make any necessary changes. When the information is correct, choose **Create directory**. It takes several minutes for the directory to be created. Once created, the **Status** value changes to **Active**.

For more information on what is created with your Simple AD, see [What gets created with your Simple AD](simple_ad_what_gets_created.md).
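The same directory can be created from code. The following Python is an added example, not AWS code: it validates the Administrator password against the rule stated in the procedure (8 to 64 characters, at least three of the four character categories, using the non-alphanumeric set listed above), can generate a compliant password with `secrets`, and then calls the CreateDirectory API through boto3 (`ds.create_directory`). `password_problems()`, `generate_admin_password()` and `create_simple_ad()` are this example's own helpers; the VPC and subnet IDs in the usage are placeholders, and the API call needs AWS credentials, so only the validators run offline.

```python
"""Validate Simple AD creation parameters before calling the API.

Added example, not AWS code. The password rule is the one stated for the
Administrator password (8-64 characters, at least three of the four
character categories). The boto3 call is `ds.create_directory`.
"""
import secrets
import string

# Non-alphanumeric characters accepted in the directory administrator password.
SPECIALS = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"

_CATEGORIES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)


def password_problems(password: str) -> list:
    """Return the reasons a candidate Administrator password would be rejected (empty if OK)."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be 8-64 characters")
    allowed = "".join(_CATEGORIES)
    bad = sorted({c for c in password if c not in allowed})
    if bad:
        problems.append("characters outside the allowed set: " + "".join(bad))
    categories_hit = sum(1 for cat in _CATEGORIES if any(c in cat for c in password))
    if categories_hit < 3:
        problems.append(f"uses {categories_hit} of 4 character categories, need at least 3")
    return problems


def generate_admin_password(length: int = 32) -> str:
    """Generate a random password that satisfies the policy, drawing from all four categories."""
    if length < 8:
        raise ValueError("policy minimum is 8 characters")
    rng = secrets.SystemRandom()
    # One character from each category guarantees the 3-of-4 rule; the rest are random.
    chars = [rng.choice(cat) for cat in _CATEGORIES]
    chars += [rng.choice("".join(_CATEGORIES)) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    password = "".join(chars)
    assert not password_problems(password)
    return password


def create_simple_ad(name: str, short_name: str, password: str, vpc_id: str,
                     subnet_ids: list, size: str = "Small", description: str = "") -> str:
    """Create the directory and return its ID. Needs AWS credentials; validation runs first."""
    problems = password_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    if size not in ("Small", "Large"):
        raise ValueError("size must be Small or Large")
    if len(subnet_ids) != 2:
        raise ValueError("Simple AD needs exactly two subnets in different Availability Zones")
    import boto3  # imported here so the validators above work without boto3 installed

    params = {"Name": name, "ShortName": short_name, "Password": password, "Size": size,
              "VpcSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)}}
    if description:
        params["Description"] = description
    return boto3.client("ds").create_directory(**params)["DirectoryId"]


if __name__ == "__main__":
    pw = generate_admin_password()  # save this; Directory Service cannot retrieve it later
    print("generated password passes policy:", password_problems(pw) == [])
    print("weak example:", password_problems("password"))
    # Placeholder IDs; replace with the VPC and the two public subnets created above.
    # directory_id = create_simple_ad("corp.example.com", "CORP", pw,
    #                                 "vpc-0123456789abcdef0",
    #                                 ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"])
```

Store the generated password in a secrets manager before calling `create_simple_ad()`; as the procedure notes, Directory Service does not keep it, and the only recovery path is a reset through the console or the ResetUserPassword API.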

# What gets created with your Simple AD
<a name="simple_ad_what_gets_created"></a>

When you create an Active Directory with Simple AD, Directory Service performs the following tasks on your behalf:
+ Sets up a Samba-based directory within the VPC.
+ Creates a directory administrator account with the user name `Administrator` and the specified password. You use this account to manage your directory.
**Important**  
Be sure to save this password. Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Directory Service console or by using the [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html) API.
+ Creates a security group for the directory controllers. 
+ Creates an account with the name `AWSAdminD-xxxxxxxx` that has domain admin privileges. This account is used by Directory Service to perform automated operations for directory maintenance operations, such as taking directory snapshots and FSMO role transfers. The credentials for this account are securely stored by Directory Service.
+ Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs is essential for connectivity between your VPC and Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with Directory Service by the description: "AWS created network interface for directory *directory-id*". For more information, see [Elastic Network Interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html) in the *Amazon EC2 User Guide*. The default DNS server of the directory is the VPC DNS server at Classless Inter-Domain Routing (CIDR)+2. For more information, see [Amazon DNS server](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#AmazonDNS) in *Amazon VPC User Guide*.
**Note**  
Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

# Best practices for Simple AD
<a name="simple_ad_best_practices"></a>

Here are some suggestions and guidelines you should consider to avoid problems and get the most out of Simple AD.

## Setting up: Prerequisites
<a name="simple_ad_best_practices_prereq"></a>

Consider these guidelines before creating your directory.

### Verify you have the right directory type
<a name="choose_right_type"></a>

Directory Service provides multiple ways to use Microsoft Active Directory with other AWS services. You can choose the directory service with the features you need at a cost that fits your budget:
+ **AWS Directory Service for Microsoft Active Directory** is a feature-rich managed Microsoft Active Directory hosted on the AWS cloud. AWS Managed Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories.
+ **AD Connector** simply connects your existing on-premises Active Directory to AWS. AD Connector is your best choice when you want to use your existing on-premises directory with AWS services. 
+ **Simple AD** is a low-scale, low-cost directory with basic Active Directory compatibility. It supports 5,000 or fewer users, Samba 4–compatible applications, and LDAP compatibility for LDAP-aware applications.

For a more detailed comparison of Directory Service options, see [Which to choose](what_is.md#choosing_an_option).

### Ensure your VPCs and instances are configured correctly
<a name="vpc_config"></a>

In order to connect to, manage, and use your directories, you must properly configure the VPCs that the directories are associated with. See either [Prerequisites for creating a AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_prereqs), [AD Connector prerequisites](ad_connector_getting_started.md#prereq_connector), or [Simple AD prerequisites](simple_ad_getting_started.md#prereq_simple) for information about the VPC security and networking requirements. 

If you are adding an instance to your domain, ensure that you have connectivity and remote access to your instance as described in [Ways to join an Amazon EC2 instance to your AWS Managed Microsoft AD](ms_ad_join_instance.md). 

### Be aware of your limits
<a name="aware_of_limits"></a>

Learn about the various limits for your specific directory type. The available storage and the aggregate size of your objects are the only limitations on the number of objects you may store in your directory. See either [AWS Managed Microsoft AD quotas](ms_ad_limits.md), [AD Connector quotas](ad_connector_limits.md), or [Simple AD quotas](simple_ad_limits.md) for details about your chosen directory.

### Understand your directory's AWS security group configuration and use
<a name="simple_ad_understandsecgroup"></a>

AWS creates a [security group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule) and attaches it to your directory's domain controller [elastic network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html). AWS configures the security group to block unnecessary traffic to the directory and allows necessary traffic.

#### Modifying the directory security group
<a name="simple_ad_modifyingsecgroup"></a>

You can modify security groups for your directories, but only do so if you fully understand security group filtering. For more information, see [Amazon EC2 security groups for Linux instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) in the *Amazon EC2 User Guide*. Improper changes may disrupt communications with intended computers and instances. AWS recommends against opening additional ports to your directory as this reduces security. Review the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/) before making changes.

**Warning**  
It is technically possible for you to associate the directory's security group with other EC2 instances that you create. However, AWS recommends against this practice. AWS may have reasons to modify the security group without notice to address functional or security needs of the managed directory. Such changes affect any instances with which you associate the directory security group and may disrupt operation of the associated instances. Furthermore, associating the directory security group with your EC2 instances may create a potential security risk for your EC2 instances.
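The warning above is easy to check for. The following Python is an added example, not AWS code: it lists every network interface that is in the directory security group and separates the domain controller interfaces, recognised by the description "AWS created network interface for directory *directory-id*" that Directory Service gives them, from anything else that has been put in that group. `audit_directory_sg()` works on already-fetched interface descriptions so it runs offline on the constructed sample below; `fetch_enis()` is the live boto3 lookup (EC2 DescribeNetworkInterfaces with the `group-id` filter) and needs AWS credentials. The directory, security group and interface IDs in the sample are made up.

```python
"""Audit where the Simple AD security group is attached.

Added example, not AWS code. Domain controller ENIs carry the description
"AWS created network interface for directory <directory-id>"; any other
interface in the directory security group is one the documentation advises
against. audit_directory_sg() runs offline; fetch_enis() is the live call.
"""
from typing import Iterable


def expected_description(directory_id: str) -> str:
    return f"AWS created network interface for directory {directory_id}"


def audit_directory_sg(enis: Iterable, directory_id: str, directory_sg_id: str) -> dict:
    """Split ENIs that use the directory security group into DC interfaces and stray ones.

    enis: items shaped like the NetworkInterfaces entries returned by EC2
    DescribeNetworkInterfaces (only NetworkInterfaceId, Description and
    Groups[].GroupId are read).
    """
    result = {"domain_controllers": [], "stray": []}
    for eni in enis:
        group_ids = {g["GroupId"] for g in eni.get("Groups", [])}
        if directory_sg_id not in group_ids:
            continue
        eni_id = eni["NetworkInterfaceId"]
        if eni.get("Description") == expected_description(directory_id):
            result["domain_controllers"].append(eni_id)
        else:
            result["stray"].append(eni_id)
    return result


def fetch_enis(directory_sg_id: str) -> list:
    """Live lookup of every ENI in the security group. Needs AWS credentials."""
    import boto3  # imported lazily so the offline audit does not require boto3

    ec2 = boto3.client("ec2")
    enis = []
    pages = ec2.get_paginator("describe_network_interfaces").paginate(
        Filters=[{"Name": "group-id", "Values": [directory_sg_id]}])
    for page in pages:
        enis.extend(page["NetworkInterfaces"])
    return enis


# Constructed sample: the two DC interfaces plus an EC2 instance someone placed
# in the directory security group. All IDs are made up.
SAMPLE_DIRECTORY_ID = "d-1234567890"
SAMPLE_SG_ID = "sg-0a1b2c3d4e5f60718"
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Description": expected_description(SAMPLE_DIRECTORY_ID),
     "Groups": [{"GroupId": SAMPLE_SG_ID}]},
    {"NetworkInterfaceId": "eni-0bbb", "Description": expected_description(SAMPLE_DIRECTORY_ID),
     "Groups": [{"GroupId": SAMPLE_SG_ID}]},
    {"NetworkInterfaceId": "eni-0ccc", "Description": "Primary network interface",
     "Groups": [{"GroupId": SAMPLE_SG_ID}, {"GroupId": "sg-0fffffffffffffff"}]},
    {"NetworkInterfaceId": "eni-0ddd", "Description": "",
     "Groups": [{"GroupId": "sg-0fffffffffffffff"}]},
]

if __name__ == "__main__":
    report = audit_directory_sg(SAMPLE_ENIS, SAMPLE_DIRECTORY_ID, SAMPLE_SG_ID)
    print("domain controller ENIs:", report["domain_controllers"])
    print("ENIs that should not be in the directory SG:", report["stray"])
```

Anything reported as stray is an instance that will be affected by AWS changing the group without notice and that is exposed to whatever the directory rules allow; move it to a security group of its own.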

### Use AWS Managed Microsoft AD if trusts are required
<a name="use_mad_for_trusts"></a>

Simple AD does not support trust relationships. If you need to establish a trust between your Directory Service directory and another directory, you should use AWS Directory Service for Microsoft Active Directory.

## Setting up: Creating your directory
<a name="simple_ad_best_practices_create"></a>

Here are some suggestions to consider as you create your directory.

### Remember your administrator ID and password
<a name="simple_ad_remember_pw"></a>

When you set up your directory, you provide a password for the administrator account. That account ID is *Administrator* for Simple AD. Remember the password that you create for this account; otherwise you will not be able to add objects to your directory.

### Understand username restrictions for AWS applications
<a name="simple_ad_usernamerestrictions"></a>

Directory Service provides support for most character formats that can be used in the construction of usernames. However, there are character restrictions that are enforced on usernames that will be used for signing in to AWS applications, such as WorkSpaces, WorkDocs, Amazon WorkMail, or Quick. These restrictions require that the following characters not be used:
+ Spaces
+ Multibyte characters
+ !"#$%&'()*+,/:;<=>?@[\]^`{|}~

**Note**  
The @ symbol is allowed as long as it precedes a UPN suffix. 

## Programming your applications
<a name="simple_ad_program_apps"></a>

Before you program your applications, consider the following:

### Use the Windows DC locator service
<a name="simple_ad_program_dc_locator"></a>

When developing applications, use the Windows DC locator service, which finds domain controllers (DCs) through the DNS records the domain publishes. Do not hard code applications with the address of a DC. The DC locator service helps ensure directory load is distributed and enables you to take advantage of horizontal scaling by adding domain controllers to your deployment. If you bind your application to a fixed DC and the DC undergoes patching or recovery, your application will lose access to the DC instead of using one of the remaining DCs. Furthermore, hard coding of the DC can result in hot spotting on a single DC. In severe cases, hot spotting may cause your DC to become unresponsive. Such cases may also cause AWS directory automation to flag the directory as impaired and may trigger recovery processes that replace the unresponsive DC.
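What the DC locator does can be reproduced in an application that cannot use the Windows API. The following Python is an added example, not AWS or Samba code: it queries the `_ldap._tcp.dc._msdcs.<domain>` SRV records the domain publishes and orders the targets the way an SRV client should (lowest priority first, weighted-random within a priority level, zero-weight records last), so the application never carries a fixed DC address. `order_by_rfc2782()` and `choose_dc()` work on already-fetched records and run offline on the constructed sample; `lookup_dc_srv()` does the live query and assumes the third-party dnspython package (`dns.resolver`). The hostnames are made up, and the lower-preference third record is there only to show the priority rule; a Simple AD publishes its two domain controllers.

```python
"""Locate a domain controller through DNS SRV records instead of a fixed address.

Added example, not AWS or Samba code. The DC locator resolves
_ldap._tcp.dc._msdcs.<domain> and picks a target by SRV priority and weight
(RFC 2782). order_by_rfc2782() implements that selection over fetched
records; lookup_dc_srv() does the live query and assumes dnspython.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_name(domain: str, service: str = "ldap") -> str:
    """SRV name the DC locator queries, e.g. _ldap._tcp.dc._msdcs.corp.example.com."""
    return f"_{service}._tcp.dc._msdcs.{domain.rstrip('.')}"


def order_by_rfc2782(records: list, rng: Optional[random.Random] = None) -> list:
    """Order records as a client should try them: lowest priority first, weighted-random
    within a priority level, and zero-weight records only after the weighted ones."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        level = [r for r in records if r.priority == prio]
        while level:
            total = sum(r.weight for r in level)
            if total == 0:
                pick = rng.choice(level)  # only zero-weight records left: any order
            else:
                # Draw in [0, total] and take the first record whose running weight
                # reaches it. Weighted records are walked first, so a zero-weight
                # record is never chosen while a weighted one remains.
                threshold = rng.randint(0, total)
                running = 0
                pick = level[-1]
                for r in sorted(level, key=lambda x: x.weight == 0):
                    running += r.weight
                    if running >= threshold:
                        pick = r
                        break
            ordered.append(pick)
            level.remove(pick)
    return ordered


def choose_dc(records: list, rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Return the first DC a client should contact, or None if there are no records."""
    ordered = order_by_rfc2782(records, rng)
    return ordered[0] if ordered else None


def lookup_dc_srv(domain: str) -> list:
    """Live SRV lookup against the resolver this host uses (assumes dnspython is installed)."""
    import dns.resolver  # assumed third-party dependency, imported lazily

    answer = dns.resolver.resolve(dc_srv_name(domain), "SRV")
    return [SrvRecord(r.priority, r.weight, r.port, str(r.target).rstrip(".")) for r in answer]


# Constructed sample: the two domain controllers at equal priority and weight,
# plus a lower-preference record included only to show the priority rule.
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.corp.example.com"),
    SrvRecord(0, 100, 389, "dc2.corp.example.com"),
    SrvRecord(10, 100, 389, "dc-fallback.corp.example.com"),
]

if __name__ == "__main__":
    order = order_by_rfc2782(SAMPLE_RECORDS, random.Random(7))
    print("try DCs in this order:", [f"{r.target}:{r.port}" for r in order])
```

Because the two Simple AD controllers share priority and weight, repeated calls spread connections across both, and when one is being replaced the client falls through to the other instead of failing on a cached address. Re-resolve rather than caching the chosen target for the life of the process.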

### Load test before rolling out to production
<a name="simple_ad_program_load_test"></a>

Be sure to do lab testing with objects and requests that are representative of your production workload to confirm that the directory scales to the load of your application. Should you require additional capacity, you should use Directory Service for Microsoft Active Directory, which enables you to add domain controllers for high performance. For more information, see [Deploying additional domain controllers for your AWS Managed Microsoft AD](ms_ad_deploy_additional_dcs.md).

### Use efficient LDAP queries
<a name="simple_ad_program_ldap_query"></a>

Broad LDAP queries to a domain controller across thousands of objects can consume significant CPU cycles in a single DC, resulting in hot spotting. This may affect applications that share the same DC during the query. 

# Maintain your Simple AD directory
<a name="simple_ad_maintain"></a>

You can use the AWS Management Console to maintain your Simple AD and complete day-to-day administrative tasks. Ways you can maintain your Simple AD include:
+ [View details about your Simple AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_view_directory_info.html) like the DNS name, Directory ID, and directory status.
+ [Update the DNS address for your Simple AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_dns.html).
+ [Restore your Simple AD with snapshots](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_snapshots.html). You can also create and delete snapshots.
+ [Delete your Simple AD](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_delete.html) when it is no longer needed.

# Viewing Simple AD directory information
<a name="simple_ad_view_directory_info"></a>

**To view detailed directory information**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, select **Directories**.

1. Choose the directory ID link for your directory. Information about the directory is displayed in the **Directory details** page. 

For more information about the **Status** field, see [Understanding your Simple AD directory status](simple_ad_directory_status.md).

![\[Simple AD Directory details page.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_directory_details.png)


# Updating directory network type
<a name="simple_ad_update-directory-type"></a>

You can update your Directory Service directory's network type from IPv4 to Dual-stack (IPv4 and IPv6). Updating the network type to include IPv6 addresses provides a larger address space than IPv4. IPv4 and IPv6 communication are independent of each other.

For details, see [Compare IPv4 and IPv6](https://docs.aws.amazon.com/vpc/latest/userguide/ipv4-ipv6-comparison.html) in the *Amazon Virtual Private Cloud User Guide*.

**Important**  
This is a one-way operation that cannot be reversed. Test in a non-production environment first.

## Prerequisites
<a name="simple_ad_update-directory-type-prereq"></a>

Before updating your directory network type, ensure the following requirements are met:
+ Your VPC must be configured with IPv6 CIDR ranges. For details, see [IPv6 support for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html) in the *Amazon Virtual Private Cloud User Guide*.
+ You have administrative access to the AWS Management Console.
+ Your directory must be in Active state.
+ You have appropriate IAM permissions to modify Directory Service settings.

## To update directory network type
<a name="simple_ad_update-directory-type-procedure"></a>

**To update your directory to dual-stack networking**
**Note**  
If your directory is replicated in multiple regions, perform this update in each region.

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. Select the target directory.

1. Go to the **Networking & security** tab.

1. Choose **Add IPv6 support**. This option is only available for IPv4-only directories.

   IPv6 only directories are not supported.

1. Review the update information and pricing details.

1. Choose **Add** to confirm the update.

After initiating the update, the directory status changes to **Updating** during the update process. The update typically takes 15-30 minutes to complete. Once complete, the directory status returns to **Active**.

# Configuring DNS servers for Simple AD
<a name="simple_ad_dns"></a>

You can configure DNS for Simple AD in two ways depending on your network architecture and requirements.

## Using Simple AD as Your Primary DNS
<a name="simple_ad_dns-Primary"></a>

Configure your client computers to use the Simple AD DNS server IP addresses as their primary DNS resolvers. Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your Amazon VPC. These DNS servers will resolve names configured in your Amazon Route 53 private hosted zones. By pointing your on-premises computers to your Simple AD, you can now resolve DNS requests to the private hosted zone. For more information on Route 53, see [What is Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html).

During Simple AD creation, the service performs a reachability test to amazon.com to determine which DNS resolver to use:
+ **Customer VPC DNS Resolver (ETH1)** – Selected when amazon.com is reachable from customer VPC resolver. This option enables Route 53 private hosted zones and Resolver firewall rules.
+ **Amazon Internal Resolver (ETH0)** – Selected when amazon.com is unreachable from customer VPC DNS Resolver (ETH1). Route 53 integration, private hosted zones, and Resolver firewall rules will not function with this option.

**Important**  
The DNS resolver selection occurs automatically during Simple AD creation and cannot be modified afterward. We recommend that you ensure amazon.com is resolvable in your VPC before creating Simple AD to enable Route 53 integration.

## Using Route 53 as Your Primary DNS
<a name="simple_ad_dns_route53_primary"></a>

You can also use Route 53 as your primary DNS service:
+ Configure your client computers to use Route 53 Resolver IP addresses as their primary DNS resolvers
+ Create Route 53 Resolver rules to conditionally forward only your domain's fully qualified domain name (FQDN) queries to Simple AD
+ This approach maintains Route 53 as the authoritative DNS source, with Simple AD handling only domain-specific queries

Note that to enable your Simple AD to respond to external DNS queries, the network access control list (ACL) for the VPC containing your Simple AD must be configured to allow traffic from outside the VPC.
+ If you are not using Route 53 private hosted zones, your DNS requests will be forwarded to public DNS servers. 
+ If you're using custom DNS servers that are outside of your VPC and you want to use private DNS, you must reconfigure to use custom DNS servers on EC2 instances within your VPC. For more information, see [Working with private hosted zones](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html).
+ If you want your Simple AD to resolve names using both DNS servers within your VPC and private DNS servers outside of your VPC, you can do this using a DHCP options set. For a detailed example, see [this article](https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/).
+ [ Integrating your Directory Service's DNS resolution with Amazon Route 53 Resolver](https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/).

**Note**  
DNS dynamic updates are not supported in Simple AD domains. You can instead make the changes directly by connecting to your directory using DNS Manager on an instance that is joined to your domain.

# Restoring your Simple AD with snapshot
<a name="simple_ad_snapshots"></a>

AWS Directory Service provides the ability to take manual snapshots of data for your Simple AD directory. These snapshots can be used to perform a point-in-time restore for your directory. You cannot take snapshots of AD Connector directories.

**Topics**
+ [Creating a snapshot of your directory](#simple_ad_snapshot_create)
+ [Restoring your directory from a snapshot](#simple_ad_snapshot_restore)
+ [Deleting a snapshot](#simple_ad_snapshot_delete)

## Creating a snapshot of your directory
<a name="simple_ad_snapshot_create"></a>

A snapshot can be used to restore your directory to what it was at the point in time that the snapshot was taken. To create a manual snapshot of your directory, perform the following steps.

**Note**  
You are limited to 5 manual snapshots for each directory. If you have already reached this limit, you must delete one of your existing manual snapshots before you can create another.

**To create a manual snapshot**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Maintenance** tab.

1. In the **Snapshots** section, choose **Actions**, and then select **Create snapshot**.

1. In the **Create directory snapshot** dialog box, provide a name for the snapshot, if desired. When ready, choose **Create**.

Depending on the size of your directory, it may take several minutes to create the snapshot. When the snapshot is ready, the **Status** value changes to `Completed`.

## Restoring your directory from a snapshot
<a name="simple_ad_snapshot_restore"></a>

Restoring a directory from a snapshot is equivalent to moving the directory back in time. Directory snapshots are unique to the directory they were created from. A snapshot can only be restored to the directory from which it was created. In addition, the maximum supported age of a manual snapshot is 180 days. For more information, see [Useful shelf life of a system-state backup of Active Directory](https://learn.microsoft.com/en-us/troubleshoot/windows-server/backup-and-storage/shelf-life-system-state-backup-ad) on the Microsoft website.

**Warning**  
We recommend that you contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/) before any snapshot restore; we may be able to help you avoid the need to do a snapshot restore. Because a snapshot is a point-in-time copy, any restore from a snapshot can result in data loss. It is important to understand that all of the DCs and DNS servers associated with the directory will be offline until the restore operation has completed. 

To restore your directory from a snapshot, perform the following steps.

**To restore a directory from a snapshot**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Maintenance** tab.

1. In the **Snapshots** section, select a snapshot in the list, choose **Actions**, and then select **Restore snapshot**.

1. Review the information in the **Restore directory snapshot** dialog box, and choose **Restore**.

For a Simple AD directory, it may take several minutes for the directory to be restored. When it has been successfully restored, the **Status** value of the directory changes to `Active`. Any changes made to the directory after the snapshot date are overwritten. 
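The rules in the snapshot sections above (at most 5 manual snapshots per directory, restore only to the directory the snapshot came from, a 180-day supported age, and, as the status table later in this guide warns, no restore while the directory is Impaired) can be applied as a pre-flight check against a snapshot inventory before anyone touches the console. The following is an added example, not code from AWS or this guide; the snapshot and directory IDs, the record layout and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_MANUAL_SNAPSHOTS = 5                # per-directory limit stated in this guide
MAX_SNAPSHOT_AGE = timedelta(days=180)  # maximum supported age of a manual snapshot


@dataclass(frozen=True)
class Snapshot:
    """One inventory entry; the field layout is constructed for this example."""
    snapshot_id: str
    directory_id: str
    snapshot_type: str   # "Manual" or "Auto"
    status: str          # "Completed", "Creating", "Failed"
    start_time: datetime


# Constructed sample inventory; IDs and times are placeholders, not real AWS values.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_SNAPSHOTS = [
    Snapshot("s-example-a", "d-example1", "Manual", "Completed", NOW - timedelta(days=10)),
    Snapshot("s-example-b", "d-example1", "Manual", "Completed", NOW - timedelta(days=200)),
    Snapshot("s-example-c", "d-example1", "Auto", "Completed", NOW - timedelta(days=1)),
    Snapshot("s-example-d", "d-example2", "Manual", "Completed", NOW - timedelta(days=5)),
    Snapshot("s-example-e", "d-example1", "Manual", "Creating", NOW),
    Snapshot("s-example-f", "d-example1", "Manual", "Completed", NOW - timedelta(days=30)),
    Snapshot("s-example-g", "d-example1", "Manual", "Completed", NOW - timedelta(days=90)),
]


def manual_snapshots(snapshots, directory_id):
    """Manual snapshots of one directory; automatic snapshots do not count toward the limit."""
    return [s for s in snapshots
            if s.directory_id == directory_id and s.snapshot_type == "Manual"]


def can_create_manual_snapshot(snapshots, directory_id):
    """True while the directory is below the limit of 5 manual snapshots."""
    return len(manual_snapshots(snapshots, directory_id)) < MAX_MANUAL_SNAPSHOTS


def snapshot_to_prune(snapshots, directory_id):
    """When the limit is reached, the manual snapshot to delete first: the oldest one,
    which is the least likely to still be inside the 180-day window. None if under the limit."""
    manual = manual_snapshots(snapshots, directory_id)
    if len(manual) < MAX_MANUAL_SNAPSHOTS:
        return None
    return min(manual, key=lambda s: s.start_time)


def restore_blockers(snapshot, directory_id, directory_status, now=NOW):
    """Reasons a restore of `snapshot` into `directory_id` must not proceed; an empty
    list means it is safe to hand to the console. Rules follow this guide."""
    reasons = []
    if snapshot.directory_id != directory_id:
        reasons.append("snapshot was created from a different directory")
    if snapshot.status != "Completed":
        reasons.append(f"snapshot status is {snapshot.status}, not Completed")
    if now - snapshot.start_time > MAX_SNAPSHOT_AGE:
        reasons.append("snapshot is older than the 180-day supported age")
    if directory_status == "Impaired":
        reasons.append("directory is Impaired; resolve the impairment instead of restoring")
    return reasons


def by_id(snapshots, snapshot_id):
    """Look up one snapshot by its ID."""
    return next(s for s in snapshots if s.snapshot_id == snapshot_id)


if __name__ == "__main__":
    print("can create:", can_create_manual_snapshot(SAMPLE_SNAPSHOTS, "d-example1"))
    prune = snapshot_to_prune(SAMPLE_SNAPSHOTS, "d-example1")
    print("prune first:", prune.snapshot_id if prune else None)
    for sid in ("s-example-a", "s-example-b", "s-example-d"):
        blockers = restore_blockers(by_id(SAMPLE_SNAPSHOTS, sid), "d-example1", "Active")
        print(sid, blockers or "OK to restore")
```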

## Deleting a snapshot
<a name="simple_ad_snapshot_delete"></a>

**To delete a snapshot**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Maintenance** tab.

1. In the **Snapshots** section, choose **Actions**, and then select **Delete snapshot**.

1. Verify that you want to delete the snapshot, and then choose **Delete**.

# Deleting your Simple AD
<a name="simple_ad_delete"></a>

When a Simple AD is deleted, all of the directory data and snapshots are deleted and cannot be recovered. After the directory is deleted, all instances that are joined to the directory remain intact. You cannot, however, use your directory credentials to log in to these instances. You need to log in to these instances with a user account that is local to the instance.


When an AD Connector is deleted, your on-premises directory remains intact. All instances that are joined to the directory also remain intact and remain joined to your on-premises directory. You can still use your directory credentials to log in to these instances.

**To delete a directory**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**. Ensure you are in the AWS Region where your Active Directory is deployed. For more information, see [Choosing a Region](https://docs.aws.amazon.com//awsconsolehelpdocs/latest/gsg/select-region.html).

1. Ensure that no AWS applications are enabled for the directory you intend to delete. Enabled AWS applications will prevent you from deleting your AWS Managed Microsoft AD or Simple AD.

   1. On the **Directories** page, choose your directory ID.

   1. On the **Directory details** page, select the **Application management** tab. In the **AWS apps & services** section, you see which AWS applications are enabled for your directory.
      + Disable AWS Management Console access. For more information, see [Disabling AWS Management Console access](ms_ad_management_console_access.md#console_disable).
      + To disable Amazon WorkSpaces, you must deregister the service from the directory in the WorkSpaces console. For more information, see [Delete a directory](https://docs.aws.amazon.com/workspaces/latest/adminguide/delete-workspaces-directory.html) in the *Amazon WorkSpaces Administration Guide*.
      + To disable WorkDocs, you must delete the WorkDocs site in the WorkDocs console. For more information, see [Delete a site](https://docs.aws.amazon.com/workdocs/latest/adminguide/delete_site.html) in the *Amazon WorkDocs Administration Guide*.
      + To disable Amazon WorkMail, you must remove the Amazon WorkMail organization in the Amazon WorkMail console. For more information, see [Remove an organization](https://docs.aws.amazon.com/workmail/latest/adminguide/remove_organization.html) in the *Amazon WorkMail Administrator Guide*.
      + To disable Amazon FSx for Windows File Server, you must remove the Amazon FSx file system from the domain. For more information, see [Working with Active Directory in FSx for Windows File Server](https://docs.aws.amazon.com/fsx/latest/WindowsGuide/aws-ad-integration-fsxW.html) in the *Amazon FSx for Windows File Server User Guide*.
      + To disable Amazon Relational Database Service, you must remove the Amazon RDS instance from the domain. For more information, see [Managing a DB instance in a domain](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServerWinAuth.html#USER_SQLServerWinAuth.Managing) in the *Amazon RDS User Guide*.
      + To disable AWS Client VPN Service, you must remove the directory service from the Client VPN Endpoint. For more information, see [Work with Client VPN](https://docs.aws.amazon.com//vpn/latest/clientvpn-admin/cvpn-working.html) in the *AWS Client VPN Administrator Guide*.
      + To disable Amazon Connect, you must delete the Amazon Connect Instance. For more information, see [Delete your Amazon Connect instance](https://docs.aws.amazon.com/connect/latest/adminguide/delete-connect-instance.html) in the *Amazon Connect Administration Guide*.
      + To disable Amazon Quick, you must unsubscribe from Amazon Quick. For more information, see [Closing your Amazon Quick account](https://docs.aws.amazon.com/quicksight/latest/user/closing-account.html) in the *Amazon Quick User Guide*.
**Note**  
If you are using AWS IAM Identity Center and have previously connected it to the AWS Managed Microsoft AD directory you plan to delete, you must first change the identity source before you can delete it. For more information, see [Change your identity source ](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-change.html) in the *IAM Identity Center User Guide*.

1. In the navigation pane, choose **Directories**.

1. Select only the directory to be deleted and click **Delete**. It takes several minutes for the directory to be deleted. When the directory has been deleted, it is removed from your directory list.

# Secure your Simple AD directory
<a name="simple_ad_security"></a>

This section describes considerations for securing your Simple AD environment.

**Topics**
+ [How to reset a Simple AD krbtgt account password](#simple_ad_reset_krbtgt_acct_pswd)

## How to reset a Simple AD krbtgt account password
<a name="simple_ad_reset_krbtgt_acct_pswd"></a>

The krbtgt account plays a critical role in Kerberos ticket exchanges: it is the special account whose key is used to encrypt Kerberos ticket-granting tickets (TGTs), so it underpins the security of the whole Kerberos authentication protocol. In Samba AD, krbtgt is represented as a (disabled) user account. The password to this account is randomly generated at the time the domain is provisioned. Anyone who obtains this secret can achieve undetectable, total domain compromise, because new Kerberos tickets can be forged without leaving any audit trail. For more information, see [Samba documentation](https://wiki.samba.org/index.php/Samba_Security_Documentation#Particularly_critical_secret_attributes). 

We recommend that you change this password regularly, every 90 days. You can reset the krbtgt account password from an Amazon EC2 Windows instance joined to your Simple AD.

**Note**  
AWS Simple AD is powered by Samba-AD. Samba-AD doesn't store the N-1 (previous) password hash for the krbtgt account. Therefore, when the krbtgt account password is reset, Kerberos clients must negotiate a new Ticket Granting Ticket (TGT) during their next Service Ticket (ST) request. To minimize potential service disruptions, schedule krbtgt account password resets outside of business hours. This approach mitigates impacts on ongoing operations and ensures smooth authentication continuity.

The following procedure shows how to reset the krbtgt account password from an Amazon EC2 Windows instance.

**Prerequisites**
Before you begin this procedure, make sure that:
+ You have joined an EC2 Windows instance to your Simple AD directory. For more information, see [Joining an Amazon EC2 Windows instance to your Simple AD Active Directory](simple_ad_launching_instance.md).
+ You have the Simple AD directory administrator credentials. You will sign in as the Simple AD directory administrator for this procedure.

**Note**  
Some AWS services, like Amazon WorkDocs and Amazon WorkSpaces, create a Simple AD on your behalf.

**Reset Simple AD krbtgt account password**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the Amazon EC2 console, choose **Instances** and select the Windows Server instance. Then choose **Connect**.

1. In the **Connect to instance** page, choose **RDP client**.

1. In the **Windows Security** dialog box, enter your local administrator credentials for the Windows Server computer to sign in. The username can be in the following formats: `NetBIOS-Name\administrator` or `DNS-Name\administrator`. For example, `corp\administrator` would be the username if you followed the procedure in [Create your Simple AD](simple_ad_getting_started.md#how_to_create_simple_ad).

1. Once signed in to the Windows Server computer, open **Windows Administrative Tools** from the Start menu by choosing the **Windows Administrative Tools** folder.  
![\[Windows Server start menu showing administrative tools and system management options.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_5.png)

1. In the Windows Administrative Tools dashboard, open **Active Directory Users and Computers** by choosing **Active Directory Users and Computers**.  
![\[Windows Administrative Tools dashboard showing various system management shortcuts.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_6.png)

1. In the **Active Directory Users and Computers** window, select **View** and then choose **Enable Advanced Features**.  
![\[View menu options in a software interface, with "Advanced Features" selected.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_7.png)

1. In the **Active Directory Users and Computers** window, select **Users** from the left panel.  
![\[Active Directory Users and Computers folder structure with Users folder highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_8.png)

1. Find the user named **krbtgt**, right-click it, and select **Reset Password**.  
![\[Context menu with options including Reset Password, Move, Open Home Page, and Send Mail.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_9.png)

1. In the new window, enter the new password, enter it again, and then choose **OK** to reset the krbtgt account password.  
![\[Password reset dialog with fields for new password, confirmation, and account options.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_10.png)

1. In the Windows Administrative Tools dashboard, choose **Active Directory Sites and Services**.  
![\[Windows Administrative Tools folder showing various Active Directory management shortcuts.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_11.png)

1. In the Active Directory Sites and Services window, expand **Site**, **Default-First-Site-Name**, and **Servers**.  
![\[Active Directory Sites and Services window showing expanded hierarchy with NTDS Settings.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_12.png)

1. In the NTDS Settings window, right-click the server and select **Replicate Now**.  
![\[Context menu showing "Replicate Now" option selected for a server in NTDS Settings window.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/simple_ad_krbtgt_acct_step_13.png)

1. Repeat steps 13 - 14 for your other servers.

# Monitor your Simple AD directory
<a name="simple_ad_monitor"></a>

You can get the most out of your Simple AD by learning more about the different Simple AD statuses and what they mean for your Simple AD. You can also use AWS services like Amazon Simple Notification Service to monitor your Simple AD. Amazon Simple Notification Service can send you notifications of your Simple AD directory status.

**Topics**
+ [Understanding your Simple AD directory status](simple_ad_directory_status.md)
+ [Enabling Simple AD directory status notifications with Amazon Simple Notification Service](simple_ad_enable_notifications.md)

# Understanding your Simple AD directory status
<a name="simple_ad_directory_status"></a>

The following are the various statuses for a directory.

**Active**  
The directory is operating normally. No issues have been detected by the Directory Service for your directory. 

**Creating**  
The directory is currently being created. Directory creation typically takes between 20 to 45 minutes but may vary depending on the system load. 

**Deleted**  
The directory has been deleted. All resources for the directory have been released. Once a directory enters this state, it cannot be recovered. 

**Deleting**  
The directory is currently being deleted. The directory will remain in this state until it has been completely deleted. Once a directory enters this state, the delete operation cannot be cancelled, and the directory cannot be recovered. 

**Failed**  
The directory could not be created. Please delete this directory. If this problem persists, please contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).

**Impaired**  
The directory is running in a degraded state. One or more issues have been detected, and not all directory operations may be working at full operational capacity. There are many potential reasons for the directory being in this state. These include normal operational maintenance activity such as patching or EC2 instance rotation, temporary hot spotting by an application on one of your domain controllers, or changes you made to your network that inadvertently disrupt directory communications. Your directory can have an impaired status if you alter the settings outlined in [Simple AD prerequisites](simple_ad_getting_started.md#prereq_simple). For more information, see [Troubleshooting AWS Managed Microsoft AD](ms_ad_troubleshooting.md), [Troubleshooting AD Connector](ad_connector_troubleshooting.md), or [Troubleshooting Simple AD](simple_ad_troubleshooting.md). For normal maintenance-related issues, AWS resolves these issues within 40 minutes. If, after reviewing the troubleshooting topic, your directory is in an Impaired state longer than 40 minutes, we recommend that you contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).  
Do not restore a snapshot while a directory is in an Impaired state. It is rare that snapshot restore is necessary to resolve impairments. For more information, see [Restoring your AWS Managed Microsoft AD with snapshots](ms_ad_snapshots.md).

**Inoperable**  
The directory is not functional. All directory endpoints have reported issues. 

**Requested**  
A request to create your directory is currently pending. 

**RestoreFailed**  
Restoring the directory from a snapshot failed. Please retry the restore operation. If this continues, try a different snapshot, or contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/). 

**Restoring**  
The directory is currently being restored from an automatic or manual snapshot. Restoring from a snapshot typically takes several minutes, depending on the size of the directory data in the snapshot. 

For more information, see [Troubleshooting Simple AD directory status messages](simple_ad_troubleshooting_reasons.md).

# Enabling Simple AD directory status notifications with Amazon Simple Notification Service
<a name="simple_ad_enable_notifications"></a>

Using Amazon Simple Notification Service (Amazon SNS), you can receive email or text (SMS) messages when the status of your directory changes. You get notified if your directory goes from an Active status to an [Impaired or Inoperable status](simple_ad_directory_status.md). You also receive a notification when the directory returns to an Active status.

## How it works
<a name="ds_sns_overview"></a>

Amazon SNS uses “topics” to collect and distribute messages. Each topic has one or more subscribers who receive the messages that have been published to that topic. Using the steps below, you can add Directory Service as a publisher to an Amazon SNS topic. When Directory Service detects a change in your directory’s status, it publishes a message to that topic, which is then sent to the topic's subscribers. 

You can associate multiple directories as publishers to a single topic. You can also add directory status messages to topics that you’ve previously created in Amazon SNS. You have detailed control over who can publish to and subscribe to a topic. For complete information about Amazon SNS, see [What is Amazon SNS?](https://docs.aws.amazon.com/sns/latest/dg/welcome.html).

**To enable SNS messaging for your directory**

1. Sign in to the AWS Management Console and open the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1.  On the **Directories** page, choose your directory ID.

1. Select the **Maintenance** tab.

1. In the **Directory monitoring** section, choose **Actions**, and then select **Create notification**.

1. On the **Create notification** page, select **Choose a notification type**, and then choose **Create a new notification**. Alternatively, if you already have an existing SNS topic, you can choose **Associate existing SNS topic** to send status messages from this directory to that topic.
**Note**  
If you choose **Create a new notification** but then use the same topic name for an SNS topic that already exists, Amazon SNS does not create a new topic, but just adds the new subscription information to the existing topic.  
If you choose **Associate existing SNS topic**, you will only be able to choose an SNS topic that is in the same Region as the directory.

1. Choose the **Recipient type** and enter the **Recipient** contact information. If you enter a phone number for SMS, use numbers only. Do not include dashes, spaces, or parentheses.

1. (Optional) Provide a name for your topic and an SNS display name. The display name is a short name up to 10 characters that is included in all SMS messages from this topic. When using the SMS option, the display name is required. 
**Note**  
If you are logged in using an IAM user or role that has only the [DirectoryServiceFullAccess](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/role_ds_full_access.html) managed policy, your topic name must start with “DirectoryMonitoring”. If you’d like to further customize your topic name you’ll need additional privileges for SNS.

1. Choose **Create**.

If you want to designate additional SNS subscribers, such as an additional email address, Amazon SQS queues or AWS Lambda, you can do this from the [Amazon SNS console](https://console.aws.amazon.com/sns/v3/home).

**To remove directory status messages from a topic**

1. Sign in to the AWS Management Console and open the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1.  On the **Directories** page, choose your directory ID.

1. Select the **Maintenance** tab.

1. In the **Directory monitoring** section, select an SNS topic name in the list, choose **Actions**, and then select **Remove**.

1. Choose **Remove**.

This removes your directory as a publisher to the selected SNS topic. If you want to delete the entire topic, you can do this from the [Amazon SNS console](https://console.aws.amazon.com/sns/v3/home).

**Note**  
Before deleting an Amazon SNS topic using the SNS console, you should ensure that a directory is not sending status messages to that topic.   
If you delete an Amazon SNS topic using the SNS console, this change will not immediately be reflected within the Directory Services console. You would only be notified the next time a directory publishes a notification to the deleted topic, in which case you would see an updated status on the directory’s **Monitoring** tab indicating the topic could not be found.  
Therefore, to avoid missing important directory status messages, before deleting any topic that receives messages from Directory Service, associate your directory with a different Amazon SNS topic. 
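Putting the status table and the notification flow above to work on the subscriber side: the added example below (not AWS or this guide's code) replays a batch of status notifications such as an Amazon SQS subscriber of the topic would receive, flags transitions into Impaired or Inoperable and back to Active, and escalates any Impaired condition that has lasted longer than the 40 minutes this guide gives AWS to resolve maintenance-related impairment. The JSON message layout, directory IDs and timestamps are constructed for the example; the real notification payload may differ.

```python
import json
from datetime import datetime, timedelta, timezone

# From this guide: maintenance-related impairment is resolved within 40 minutes;
# beyond that, contact AWS Support, and never restore a snapshot while Impaired.
ESCALATE_AFTER = timedelta(minutes=40)
DEGRADED = ("Impaired", "Inoperable")

# Constructed notification bodies; layout and IDs are placeholders, not the real SNS payload.
SAMPLE_MESSAGES = [
    '{"Timestamp": "2024-06-01T09:00:00Z", "DirectoryId": "d-example1", "Status": "Active"}',
    '{"Timestamp": "2024-06-01T09:10:00Z", "DirectoryId": "d-example1", "Status": "Impaired"}',
    '{"Timestamp": "2024-06-01T09:30:00Z", "DirectoryId": "d-example1", "Status": "Active"}',
    '{"Timestamp": "2024-06-01T10:00:00Z", "DirectoryId": "d-example2", "Status": "Impaired"}',
    '{"Timestamp": "2024-06-01T10:30:00Z", "DirectoryId": "d-example3", "Status": "Inoperable"}',
]
NOW = datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc)  # evaluation time for the sample


def parse_message(raw):
    """Turn one notification body into (timestamp, directory id, status)."""
    m = json.loads(raw)
    ts = datetime.fromisoformat(m["Timestamp"].replace("Z", "+00:00"))
    return ts, m["DirectoryId"], m["Status"]


def evaluate(raw_messages, now):
    """Replay notifications in time order and return (directory id, action) pairs."""
    events = sorted(parse_message(r) for r in raw_messages)
    last = {}             # directory id -> most recent status seen
    degraded_since = {}   # directory id -> when it first left Active
    actions = []
    for ts, d_id, status in events:
        prev = last.get(d_id, "unknown")
        if status in DEGRADED and prev not in DEGRADED:
            # Entering a degraded state from Active (or from no prior knowledge).
            degraded_since[d_id] = ts
            actions.append((d_id, f"ALERT {prev}->{status}"))
        elif status == "Inoperable" and prev == "Impaired":
            # Worsening within the degraded states is worth its own alert.
            actions.append((d_id, "ALERT Impaired->Inoperable"))
        elif status == "Active" and prev in DEGRADED:
            outage = ts - degraded_since.pop(d_id)
            actions.append((d_id, f"RECOVERED after {int(outage.total_seconds() // 60)} min"))
        last[d_id] = status
    # Anything still Impaired past the 40-minute window needs a human, not a snapshot restore.
    for d_id, since in degraded_since.items():
        if last[d_id] == "Impaired" and now - since > ESCALATE_AFTER:
            actions.append((d_id, "ESCALATE Impaired over 40 min: contact AWS Support"))
    return actions


if __name__ == "__main__":
    for d_id, action in evaluate(SAMPLE_MESSAGES, NOW):
        print(d_id, action)
```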

# Access to AWS applications and services from your Simple AD
<a name="simple_ad_manage_apps_services"></a>

You can grant your Simple AD users access to AWS applications and services. Some of these AWS applications and services include:
+ Amazon WorkDocs
+ AWS Management Console
+ Amazon WorkSpaces

You can also use access URLs and single sign-on with your Simple AD.

**Topics**
+ [Application compatibility policy for Simple AD](simple_ad_app_compatibility.md)
+ [Enabling access to AWS applications and services for your Simple AD](simple_ad_enable_apps_services.md)
+ [Enabling access to the AWS Management Console with Simple AD credentials](simple_ad_management_console_access.md)
+ [Creating an access URL for Simple AD](simple_ad_create_access_url.md)
+ [Enabling single sign-on](simple_ad_single_sign_on.md)

# Application compatibility policy for Simple AD
<a name="simple_ad_app_compatibility"></a>

Simple AD is an implementation of Samba that provides many of the basic features of Active Directory. Because of the large number of custom and commercial off-the-shelf applications that use Active Directory, AWS does not and cannot perform formal or broad verification of third-party application compatibility with Simple AD. Although AWS works with customers in an attempt to overcome any potential application installation challenges they might encounter, we are unable to guarantee that any application is or will continue to be compatible with Simple AD.

The following third-party applications are compatible with Simple AD:
+ Microsoft Internet Information Services (IIS) on the following platforms:
  + Windows Server 2003 R2
  + Windows Server 2008 R1
  + Windows Server 2008 R2
  + Windows Server 2012
  + Windows Server 2012 R2
+ Microsoft SQL Server:
  + SQL Server 2005 R2 (Express, Web, and Standard editions)
  + SQL Server 2008 R2 (Express, Web, and Standard editions)
  + SQL Server 2012 (Express, Web, and Standard editions)
  + SQL Server 2014 (Express, Web, and Standard editions)
+ Microsoft SharePoint:
  + SharePoint 2010 Foundation
  + SharePoint 2010 Enterprise
  + SharePoint 2013 Enterprise

Customers can choose to use AWS Directory Service for Microsoft Active Directory ([AWS Managed Microsoft AD](directory_microsoft_ad.md)) for a higher level of compatibility based on actual Active Directory.

# Enabling access to AWS applications and services for your Simple AD
<a name="simple_ad_enable_apps_services"></a>

Users can authorize Simple AD to give AWS applications and services, such as Amazon WorkSpaces, access to your Active Directory. The following AWS applications and services can be enabled or disabled to work with Simple AD.


| AWS application / service | More information... | 
| --- | --- | 
| Amazon WorkDocs | For more information, see the [Amazon WorkDocs Administration Guide](https://docs.aws.amazon.com/workdocs/latest/adminguide/) | 
| Amazon WorkMail |  For more information, see the [Amazon WorkMail Administrator Guide](https://docs.aws.amazon.com/workmail/latest/adminguide/).  | 
| Amazon WorkSpaces |  You can create a Simple AD, AWS Managed Microsoft AD, or AD Connector directly from WorkSpaces. Simply launch **Advanced Setup** when creating your Workspace. For more information, see the [Amazon WorkSpaces Administration Guide](https://docs.aws.amazon.com/workspaces/latest/adminguide/).  | 
| AWS Management Console | For more information, see [Enabling AWS Management Console access with AWS Managed Microsoft AD credentials](ms_ad_management_console_access.md). | 

Once enabled, you manage access to your directories in the console of the application or service that you want to give access to your directory. To find the AWS applications and services links described above in the Directory Service console, perform the following steps.

**To display the applications and services for a directory**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Application management** tab.

1. Review the list under the **AWS apps & services** section.

For more information about how to authorize or deauthorize AWS applications and services using Directory Service, see [Authorization for AWS applications and services using Directory Service](ad_manage_apps_services_authorization.md).

# Enabling access to the AWS Management Console with Simple AD credentials
<a name="simple_ad_management_console_access"></a>

Directory Service allows you to grant members of your directory access to the AWS Management Console. By default, your directory members do not have access to any AWS resources. You assign IAM roles to your directory members to give them access to the various AWS services and resources. The IAM role defines the services, resources, and level of access that your directory members have.

Before you can grant console access to your directory members, your directory must have an access URL. For more information about how to view directory details and get your access URL, see [Viewing AWS Managed Microsoft AD directory information](ms_ad_view_directory_info.md). For more information about how to create an access URL, see [Creating an access URL for AWS Managed Microsoft AD](ms_ad_create_access_url.md).

For more information about how to create and assign IAM roles to your directory members, see [Granting AWS Managed Microsoft AD users and groups access to AWS resources with IAM roles](ms_ad_manage_roles.md).

**Topics**
+ [Enabling AWS Management Console access](#simple_ad_console_enable)
+ [Disabling AWS Management Console access](#simple_ad_console_disable)
+ [Setting login session length](#simple_ad_console_session)

**Related AWS Security Blog Article**
+ [How to Access the AWS Management Console Using AWS Managed Microsoft AD and Your On-Premises Credentials](https://aws.amazon.com/blogs/security/how-to-access-the-aws-management-console-using-aws-microsoft-ad-and-your-on-premises-credentials/)

**Related AWS re:Post Article**
+ [How can I grant access to the AWS Management Console for an on-premises Active Directory users?](https://repost.aws/knowledge-center/enable-active-directory-console-access)

## Enabling AWS Management Console access
<a name="simple_ad_console_enable"></a>

By default, console access is not enabled for any directory. To enable console access for your directory users and groups, perform the following steps:

**To enable console access**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Application management** tab.

1. Under the **AWS Management Console** section, choose **Enable**. Console access is now enabled for your directory.
**Important**  
Before users can sign-in to the console with your access URL, you must first add your users to the IAM role. For general information about assigning users to IAM roles, see [Assigning users or groups to an existing IAM role](assign_role.md). After the IAM roles have been assigned, users can then access the console using your access URL. For example, if your directory access URL is example-corp.awsapps.com, the URL to access the console is https://example-corp.awsapps.com/console/. 

## Disabling AWS Management Console access
<a name="simple_ad_console_disable"></a>

To disable console access for your directory users and groups, perform the following steps:

**To disable console access**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Application management** tab.

1. Under the **AWS Management Console** section, choose **Disable**. Console access is now disabled for your directory.

1. If any IAM roles have been assigned to users or groups in the directory, the **Disable** button may be unavailable. In this case, you must remove all IAM role assignments for the directory before proceeding, including assignments for users or groups in your directory that have been deleted, which will show as **Deleted User** or **Deleted Group**.

   After all IAM role assignments have been removed, repeat the steps above.

## Setting login session length
<a name="simple_ad_console_session"></a>

By default, users have 1 hour to use their session after successfully signing in to the console before they are logged out. After that, users must sign in again to start the next 1 hour session before being logged off again. You can use the following procedure to change the length of time to up to 12 hours per session.

**To set login session length**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Application management** tab.

1. Under the **AWS apps & services** section, choose **AWS Management Console**. 

1. In the **Manage Access to AWS Resource** dialog box, choose **Continue**.

1. In the **Assign users and groups to IAM roles** page, under **Set login session length**, edit the numbered value, and then choose **Save**.

# Creating an access URL for Simple AD
<a name="simple_ad_create_access_url"></a>

An access URL is used with AWS applications and services, such as Amazon WorkDocs, to reach a login page that is associated with your directory. The URL must be unique globally. You can create an access URL for your directory by performing the following steps.

**Warning**  
Once you create an application access URL for this directory, it cannot be changed. After an access URL is created, it cannot be used by others. If you delete your directory, the access URL is also deleted and can then be used by any other account.

**To create an access URL**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Application management** tab.

1. In the **Application access URL** section, if an access URL has not been assigned to the directory, the **Create** button is displayed. Enter a directory alias and choose **Create**. If an **Entity Already Exists** error is returned, the specified directory alias has already been allocated. Choose another alias and repeat this procedure. 

   Your access URL is displayed in the format *<alias>*.awsapps.com.

# Enabling single sign-on
<a name="simple_ad_single_sign_on"></a>

AWS Directory Service provides the ability to allow your users to access WorkDocs from a computer joined to the directory without having to enter their credentials separately. 

Before you enable single sign-on, you need to take additional steps so that your users' web browsers support single sign-on. Users may need to modify their web browser settings to enable single sign-on. 

**Note**  
Single sign-on only works when used on a computer that is joined to the Directory Service directory. It cannot be used on computers that are not joined to the directory.

If your directory is an AD Connector directory and the AD Connector service account does not have the permission to add or remove its service principal name attribute, then for Steps 5 and 6 below, you have two options:

1. You can proceed and will be prompted for the username and password for a directory user that has this permission to add or remove the service principal name attribute on the AD Connector service account. These credentials are only used to enable single sign-on and are not stored by the service. The AD Connector service account permissions are not changed.

1. You can delegate permissions to allow the AD Connector service account to add or remove the service principal name attribute on itself. To do so, run the PowerShell commands below from a domain-joined computer using an account that has permissions to modify the permissions on the AD Connector service account. The commands give the AD Connector service account the ability to add and remove a service principal name attribute only for itself.

```
$AccountName = 'ConnectorAccountName'
# DO NOT modify anything below this comment.
# Getting Active Directory information.
Import-Module 'ActiveDirectory'
$RootDse = Get-ADRootDSE
[System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $RootDse.SchemaNamingContext -Filter { lDAPDisplayName -eq 'servicePrincipalName' } -Properties 'schemaIDGUID').schemaIDGUID
# Getting AD Connector service account Information.
$AccountProperties = Get-ADUser -Identity $AccountName
$AclPath = $AccountProperties.DistinguishedName
$AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $AccountProperties.SID.Value
# Getting ACL settings for AD Connector service account.
$ObjectAcl = Get-ACL -Path "AD:\$AclPath"
# Setting ACL allowing the AD Connector service account the ability to add and remove a Service Principal Name (SPN) to itself
$AddAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'WriteProperty', 'Allow', $ServicePrincipalNameGUID, 'None'
$ObjectAcl.AddAccessRule($AddAccessRule)
Set-ACL -AclObject $ObjectAcl -Path "AD:\$AclPath"
```

**To enable or disable single sign-on with WorkDocs**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, select the **Application management** tab.

1. In the **Application access URL** section, choose **Enable** to enable single sign-on for WorkDocs. 

   If you do not see the **Enable** button, you may need to first create an Access URL before this option will be displayed. For more information about how to create an access URL, see [Creating an access URL for AWS Managed Microsoft AD](ms_ad_create_access_url.md). 

1. In the **Enable Single Sign-On for this directory** dialog box, choose **Enable**. Single sign-on is enabled for the directory. 

1. If you later want to disable single sign-on with WorkDocs, choose **Disable**, and then in the **Disable Single Sign-On for this directory** dialog box, choose **Disable** again. 

**Topics**
+ [Single sign-on for IE and Chrome](#ie_sso)
+ [Single sign-on for Firefox](#firefox_sso)

## Single sign-on for IE and Chrome
<a name="ie_sso"></a>

To allow Microsoft Internet Explorer (IE) and Google Chrome browsers to support single sign-on, the following tasks must be performed on the client computer:
+ Add your access URL (e.g., https://*<alias>*.awsapps.com) to the list of approved sites for single sign-on.
+ Enable active scripting (JavaScript).
+ Allow automatic logon.
+ Enable integrated authentication.

You or your users can perform these tasks manually, or you can change these settings using Group Policy settings.

**Topics**
+ [Manual update for single sign-on on Windows](#ie_sso_manual_windows)
+ [Manual update for single sign-on on OS X](#chrome_sso_manual_mac)
+ [Group policy settings for single sign-on](#ie_sso_gpo)

### Manual update for single sign-on on Windows
<a name="ie_sso_manual_windows"></a>

To manually enable single sign-on on a Windows computer, perform the following steps on the client computer. Some of these settings may already be set correctly.

**To manually enable single sign-on for Internet Explorer and Chrome on Windows**

1. To open the **Internet Properties** dialog box, choose the **Start** menu, type `Internet Options` in the search box, and choose **Internet Options**.

1. Add your access URL to the list of approved sites for single sign-on by performing the following steps:

   1. In the **Internet Properties** dialog box, select the **Security** tab.

   1. Select **Local intranet** and choose **Sites**.

   1. In the **Local intranet** dialog box, choose **Advanced**.

   1. Add your access URL to the list of websites and choose **Close**.

   1. In the **Local intranet** dialog box, choose **OK**.

1. To enable active scripting, perform the following steps:

   1. In the **Security** tab of the **Internet Properties** dialog box, choose **Custom level**.

   1. In the **Security Settings - Local Intranet Zone** dialog box, scroll down to **Scripting** and select **Enable** under **Active scripting**.

   1. In the **Security Settings - Local Intranet Zone** dialog box, choose **OK**.

1. To enable automatic logon, perform the following steps:

   1. In the **Security** tab of the **Internet Properties** dialog box, choose **Custom level**.

   1. In the **Security Settings - Local Intranet Zone** dialog box, scroll down to **User Authentication** and select **Automatic logon only in Intranet zone** under **Logon**. 

   1. In the **Security Settings - Local Intranet Zone** dialog box, choose **OK**.

1. To enable integrated authentication, perform the following steps:

   1. In the **Internet Properties** dialog box, select the **Advanced** tab.

   1. Scroll down to **Security** and select **Enable Integrated Windows Authentication**.

   1. In the **Internet Properties** dialog box, choose **OK**.

1. Close and re-open your browser to have these changes take effect.

### Manual update for single sign-on on OS X
<a name="chrome_sso_manual_mac"></a>

To manually enable single sign-on for Chrome on OS X, perform the following steps on the client computer. You will need administrator rights on your computer to complete these steps.

**To manually enable single sign-on for Chrome on OS X**

1. Add your access URL to the [AuthServerAllowlist](https://chromeenterprise.google/policies/#AuthServerAllowlist) policy by running the following command:

   ```
   defaults write com.google.Chrome AuthServerAllowlist "https://<alias>.awsapps.com"
   ```

1. Open **System Preferences**, go to the **Profiles** panel, and delete the `Chrome Kerberos Configuration` profile. 

1. Restart Chrome and open chrome://policy in Chrome to confirm that the new settings are in place.

### Group policy settings for single sign-on
<a name="ie_sso_gpo"></a>

The domain administrator can implement Group Policy settings to make the single sign-on changes on client computers that are joined to the domain.

**Note**  
If you manage the Chrome web browsers on the computers in your domain with Chrome policies, you must add your access URL to the [AuthServerAllowlist](https://chromeenterprise.google/policies/#AuthServerAllowlist) policy. For more information about setting Chrome policies, go to [Policy Settings in Chrome](https://source.chromium.org/chromium/chromium/src/+/main:docs/enterprise/add_new_policy.md).

**To enable single sign-on for Internet Explorer and Chrome using Group Policy settings**

1. Create a new Group Policy object by performing the following steps:

   1. Open the Group Policy Management tool, navigate to your domain and select **Group Policy Objects**.

   1. From the main menu, choose **Action** and select **New**.

   1. In the **New GPO** dialog box, enter a descriptive name for the Group Policy object, such as `IAM Identity Center Policy`, and leave **Source Starter GPO** set to **(none)**. Click **OK**.

1. Add the access URL to the list of approved sites for single sign-on by performing the following steps:

   1. In the Group Policy Management tool, navigate to your domain, select **Group Policy Objects**, open the context (right-click) menu for your IAM Identity Center policy, and choose **Edit**.

   1. In the policy tree, navigate to **User Configuration** > **Preferences** > **Windows Settings**.

   1. In the **Windows Settings** list, open the context (right-click) menu for **Registry** and choose **New registry item**.

   1. In the **New Registry Properties** dialog box, enter the following settings and choose **OK**:  
**Action**  
`Update`  
**Hive**  
`HKEY_CURRENT_USER`  
**Path**  
`Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awsapps.com\<alias>`  
The value for *<alias>* is derived from your access URL. If your access URL is `https://examplecorp.awsapps.com`, the alias is `examplecorp`, and the registry key will be `Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awsapps.com\examplecorp`.  
**Value name**  
`https`  
**Value type**  
`REG_DWORD`  
**Value data**  
`1`

1. To enable active scripting, perform the following steps:

   1. In the Group Policy Management tool, navigate to your domain, select **Group Policy Objects**, open the context (right-click) menu for your IAM Identity Center policy, and choose **Edit**.

   1. In the policy tree, navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Security Page** > **Intranet Zone**.

   1. In the **Intranet Zone** list, open the context (right-click) menu for **Allow active scripting** and choose **Edit**.

   1. In the **Allow active scripting** dialog box, enter the following settings and choose **OK**:
      + Select the **Enabled** radio button.
      + Under **Options** set **Allow active scripting** to **Enable**.

1. To enable automatic logon, perform the following steps:

   1. In the Group Policy Management tool, navigate to your domain, select **Group Policy Objects**, open the context (right-click) menu for your IAM Identity Center policy, and choose **Edit**.

   1. In the policy tree, navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Security Page** > **Intranet Zone**.

   1. In the **Intranet Zone** list, open the context (right-click) menu for **Logon options** and choose **Edit**.

   1. In the **Logon options** dialog box, enter the following settings and choose **OK**:
      + Select the **Enabled** radio button.
      + Under **Options** set **Logon options** to **Automatic logon only in Intranet zone**.

1. To enable integrated authentication, perform the following steps:

   1. In the Group Policy Management tool, navigate to your domain, select **Group Policy Objects**, open the context (right-click) menu for your IAM Identity Center policy, and choose **Edit**.

   1. In the policy tree, navigate to **User Configuration** > **Preferences** > **Windows Settings**.

   1. In the **Windows Settings** list, open the context (right-click) menu for **Registry** and choose **New registry item**.

   1. In the **New Registry Properties** dialog box, enter the following settings and choose **OK**:  
**Action**  
`Update`  
**Hive**  
`HKEY_CURRENT_USER`  
**Path**  
`Software\Microsoft\Windows\CurrentVersion\Internet Settings`  
**Value name**  
`EnableNegotiate`  
**Value type**  
`REG_DWORD`  
**Value data**  
`1`

1. Close the **Group Policy Management Editor** window if it is still open.

1. Assign the new policy to your domain by following these steps:

   1. In the Group Policy Management tree, open the context (right-click) menu for your domain and choose **Link an Existing GPO**.

   1. In the **Group Policy Objects** list, select your IAM Identity Center policy and choose **OK**.

These changes will take effect after the next Group Policy update on the client, or the next time the user logs in.
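The manual Internet Options steps and the GPO registry items above both come down to a handful of per-user registry values. The following PowerShell script is an added example, not code from the AWS guide: it writes those values for a given alias and reads them back so a help-desk or logon script can confirm a client is ready for SSO. It assumes a domain-joined Windows client, that it runs in the user's own session (HKCU), and that `examplecorp` is a placeholder alias; the zone action IDs `1400` and `1A00` are the standard Internet Explorer zone settings rather than values taken from this guide.

```powershell
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$IntranetZone     = Join-Path $InternetSettings 'Zones\1'   # zone 1 = Local intranet

function Set-AwsAppsSso {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[a-z0-9-]+$')]   # a bare alias, not a full URL
        [string]$Alias
    )
    # ZoneMap\Domains\awsapps.com\<alias> with "https" = 1 places the access URL in zone 1;
    # this is the same registry item the GPO step creates under HKEY_CURRENT_USER.
    $zoneMapKey = Join-Path $InternetSettings "ZoneMap\Domains\awsapps.com\$Alias"
    if (-not (Test-Path $zoneMapKey)) { New-Item -Path $zoneMapKey -Force | Out-Null }
    New-ItemProperty -Path $zoneMapKey -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null

    # "Custom level" settings for the Local intranet zone (standard IE zone action IDs, assumed):
    #   1400 = Active scripting, 0 = Enable
    #   1A00 = Logon,            0x20000 = Automatic logon only in Intranet zone
    if (-not (Test-Path $IntranetZone)) { New-Item -Path $IntranetZone -Force | Out-Null }
    New-ItemProperty -Path $IntranetZone -Name '1400' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $IntranetZone -Name '1A00' -PropertyType DWord -Value 0x20000 -Force | Out-Null

    # EnableNegotiate = 1 is "Enable Integrated Windows Authentication" on the Advanced tab.
    New-ItemProperty -Path $InternetSettings -Name 'EnableNegotiate' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-AwsAppsSso {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Alias)
    $zoneMapKey = Join-Path $InternetSettings "ZoneMap\Domains\awsapps.com\$Alias"
    $checks = [ordered]@{
        'access URL mapped to Local intranet zone' = (Get-RegistryDword $zoneMapKey 'https') -eq 1
        'active scripting enabled'                 = (Get-RegistryDword $IntranetZone '1400') -eq 0
        'automatic logon only in Intranet zone'    = (Get-RegistryDword $IntranetZone '1A00') -eq 0x20000
        'integrated Windows authentication'        = (Get-RegistryDword $InternetSettings 'EnableNegotiate') -eq 1
    }
    # One row per check; any $false row tells you which manual or GPO step is still missing.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Ok = $checks[$name] }
    }
}

# Usage (the alias is a placeholder; restart the browser afterwards, as the procedures note):
Set-AwsAppsSso  -Alias 'examplecorp'
Test-AwsAppsSso -Alias 'examplecorp' | Format-Table -AutoSize
```

On a client where the GPO already applies, the test function still reports what the user's effective HKCU values are, which is useful when a policy refresh has not happened yet.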

## Single sign-on for Firefox
<a name="firefox_sso"></a>

To allow the Mozilla Firefox browser to support single sign-on, add your access URL (e.g., https://*<alias>*.awsapps.com) to the list of approved sites for single sign-on. This can be done manually, or automated with a script.

**Topics**
+ [Manual update for single sign-on](#firefox_sso_manual)
+ [Automatic update for single sign-on](#firefox_sso_script)

### Manual update for single sign-on
<a name="firefox_sso_manual"></a>

To manually add your access URL to the list of approved sites in Firefox, perform the following steps on the client computer.

**To manually add your access URL to the list of approved sites in Firefox**

1. Open Firefox and open the `about:config` page.

1. Open the `network.negotiate-auth.trusted-uris` preference and add your access URL to the list of sites. Use a comma (,) to separate multiple entries.

### Automatic update for single sign-on
<a name="firefox_sso_script"></a>

As a domain administrator, you can use a script to add your access URL to the Firefox `network.negotiate-auth.trusted-uris` user preference on all computers on your network. For more information, go to [https://support.mozilla.org/en-US/questions/939037](https://support.mozilla.org/en-US/questions/939037).
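As an added example (not a script from the AWS guide or from the linked Mozilla thread), the following PowerShell function merges the access URL into `network.negotiate-auth.trusted-uris` for every Firefox profile of the current user by writing a `user.js` entry, which Firefox applies at startup. It assumes it runs in the user's context (for example as a logon script) with Firefox closed, and that `https://examplecorp.awsapps.com` is a placeholder.

```powershell
$PrefName = 'network.negotiate-auth.trusted-uris'
# Matches a user_pref("name", "value"); line and captures the comma-separated value.
$PrefPattern = '^\s*user_pref\("' + [regex]::Escape($PrefName) + '",\s*"([^"]*)"\);'

function Merge-TrustedUris {
    param([string[]]$Existing, [string]$New)
    # Trim entries, drop blanks, keep the first occurrence (case-insensitive), append the new URL last.
    $list = New-Object System.Collections.Generic.List[string]
    foreach ($entry in (@($Existing) + $New)) {
        $trimmed = $entry.Trim()
        if ($trimmed -and -not ($list -contains $trimmed)) { $list.Add($trimmed) }
    }
    return $list.ToArray()
}

function Add-FirefoxTrustedUri {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^https://[a-z0-9-]+\.awsapps\.com$')]   # only the access URL shape
        [string]$AccessUrl,
        # Per-user profile root; override it for another user or for a test directory.
        [string]$ProfilesRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles')
    )
    $updated = @()
    foreach ($profile in Get-ChildItem -Path $ProfilesRoot -Directory -ErrorAction SilentlyContinue) {
        # Collect what the profile already trusts: prefs.js (written by Firefox) and user.js (ours).
        $existing = @()
        foreach ($file in 'prefs.js', 'user.js') {
            $path = Join-Path $profile.FullName $file
            if (-not (Test-Path $path)) { continue }
            foreach ($line in Get-Content -Path $path) {
                if ($line -match $PrefPattern) { $existing += ($Matches[1] -split ',') }
            }
        }
        $merged = Merge-TrustedUris -Existing $existing -New $AccessUrl

        # Rewrite user.js: keep its other lines, replace any old trusted-uris line with the merged one.
        $userJs = Join-Path $profile.FullName 'user.js'
        $keep = @()
        if (Test-Path $userJs) {
            $keep = @(Get-Content -Path $userJs | Where-Object { $_ -notmatch $PrefPattern })
        }
        $newLine = 'user_pref("{0}", "{1}");' -f $PrefName, ($merged -join ',')
        # WriteAllLines writes UTF-8 without a byte-order mark, which is what Firefox expects.
        [System.IO.File]::WriteAllLines($userJs, [string[]](@($keep) + $newLine))
        $updated += [pscustomobject]@{ Profile = $profile.Name; TrustedUris = ($merged -join ',') }
    }
    return $updated
}

# Usage (run in the user's session with Firefox closed; the alias is a placeholder):
Add-FirefoxTrustedUri -AccessUrl 'https://examplecorp.awsapps.com' | Format-Table -AutoSize
```

Because `user.js` is re-applied on every start, a user cannot remove the entry from `about:config` permanently; if you manage Firefox centrally, the enterprise policy `Authentication` > `SPNEGO` in `policies.json` sets the same list without touching profile files.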

# Ways to join an Amazon EC2 instance to your Simple AD
<a name="simple_ad_join_instance"></a>

You can seamlessly join an Amazon EC2 instance to your Active Directory domain when the instance is launched. For more information, see [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md). You can also launch an EC2 instance and join it to an Active Directory domain directly from the Directory Service console with [AWS Systems Manager Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html).

If you need to manually join an EC2 instance to your Active Directory domain, you must launch the instance in the proper Region and security group or subnet, then join the instance to the domain.

To be able to connect remotely to these instances, you must have IP connectivity to the instances from the network you are connecting from. In most cases, this requires that an internet gateway be attached to your VPC and that the instance has a public IP address.

**Topics**
+ [Joining an Amazon EC2 Windows instance to your Simple AD Active Directory](simple_ad_launching_instance.md)
+ [Join an Amazon EC2 Linux instance to your Simple AD Active Directory](simple_ad_linux_domain_join.md)
+ [Delegating directory join privileges for Simple AD](simple_ad_directory_join_privileges.md)
+ [Creating a DHCP options set for Simple AD](simple_ad_dhcp_options_set.md)

# Joining an Amazon EC2 Windows instance to your Simple AD Active Directory
<a name="simple_ad_launching_instance"></a>

You can launch and join an Amazon EC2 Windows instance to a Simple AD. Alternatively, you can manually join an existing EC2 Windows instance to a Simple AD.

------
#### [ Seamlessly join an EC2 Windows ]

To seamlessly domain join an EC2 instance, you'll need to complete the following:

**Prerequisites**
+ Have a Simple AD. To learn more, see [Create your Simple AD](simple_ad_getting_started.md#how_to_create_simple_ad).
+ You'll need the following IAM permissions to seamlessly join an EC2 Windows instance:
  + IAM Instance Profile with the following IAM permissions:
    + `AmazonSSMManagedInstanceCore`
    + `AmazonSSMDirectoryServiceAccess`
  + The user seamlessly domain joining the EC2 to the Simple AD needs the following IAM permissions:
    + Directory Service Permissions:
      + `"ds:DescribeDirectories"`
      + `"ds:CreateComputer"`
    + Amazon VPC Permissions:
      + `"ec2:DescribeVpcs"`
      + `"ec2:DescribeSubnets"`
      + `"ec2:DescribeNetworkInterfaces"`
      + `"ec2:CreateNetworkInterface"`
      + `"ec2:AttachNetworkInterface"`
    + EC2 Permissions:
      + `"ec2:DescribeInstances"`
      + `"ec2:DescribeImages"`
      + `"ec2:DescribeInstanceTypes"`
      + `"ec2:RunInstances"`
      + `"ec2:CreateTags"`
    + AWS Systems Manager Permissions:
      + `"ssm:DescribeInstanceInformation"`
      + `"ssm:SendCommand"`
      + `"ssm:GetCommandInvocation"`
      + `"ssm:CreateBatchAssociation"`

+ When your Simple AD is created, a security group is created with inbound and outbound rules. To learn more about these rules and ports, see [What gets created with your Simple AD](simple_ad_what_gets_created.md). To seamlessly domain join an EC2 Windows instance, the VPC where you're launching your instance should allow the same ports allowed in your Simple AD security group's inbound and outbound rules.
+ Depending on your network security and firewall settings, you could be required to allow additional outbound traffic. This traffic would be for HTTPS (port 443) to the endpoints listed on the [AWS documentation website](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_launching_instance.html).
+ We recommend using a DNS server that resolves your Simple AD domain name. To do so, you can create a DHCP options set. See [Creating a DHCP options set for Simple AD](simple_ad_dhcp_options_set.md) for more information.
  + If you choose not to create a DHCP options set, your instance's DNS server addresses will be static and must be configured to point to your Simple AD DNS servers.

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation bar, choose the same AWS Region as the existing directory.

1. On the **EC2 Dashboard**, in the **Launch instance** section, choose **Launch instance**.

1. On the **Launch an instance** page, under the **Name and Tags** section, enter the name you would like to use for your Windows EC2 instance.

1.  (Optional) Choose **Add additional tags** to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance. 

1. In the **Application and OS Image (Amazon Machine Image)** section, choose **Windows** in the **Quick Start** pane. You can change the Windows Amazon Machine Image (AMI) from the **Amazon Machine Image (AMI)** dropdown list. 

1. In the **Instance type** section, choose the instance type you would like to use from **Instance type** dropdown list.

1. In the **Key pair (login)** section, you can either choose to create a new key pair or choose from an existing key pair.

   1. To create a new key pair, choose **Create new key pair**.

   1. Enter a name for the key pair and select an option for the **Key pair type** and **Private key file format**.

   1.  To save the private key in a format that can be used with OpenSSH, choose **.pem**. To save the private key in a format that can be used with PuTTY, choose **.ppk**.

   1. Choose **Create key pair**.

   1. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

1. On the **Launch an instance** page, under the **Network settings** section, choose **Edit**. Choose the **VPC** that your directory was created in from the **VPC - *required*** dropdown list.

1. Choose one of the public subnets in your VPC from the **Subnet** dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

   For more information on how to connect to an internet gateway, see [Connect to the internet using an internet gateway](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

1. Under **Auto-assign public IP**, choose **Enable**.

   For more information about public and private IP addressing, see [Amazon EC2 instance IP addressing](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-instance-addressing.html) in the *Amazon EC2 User Guide*.

1. For **Firewall (security groups)** settings, you can use the default settings or make changes to meet your needs. 

1. For **Configure storage** settings, you can use the default settings or make changes to meet your needs.

1. Expand the **Advanced details** section and choose your domain from the **Domain join directory** dropdown list.
**Note**  
After choosing the Domain join directory, you may see:   

![\[An error message when selecting your Domain join directory. There is an error with your existing SSM document.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/SSM-Error-Message.png)

This error occurs if the EC2 launch wizard identifies an existing SSM document with unexpected properties. You can do one of the following:  
+ If you previously edited the SSM document and the properties are expected, choose **Close** and proceed to launch the EC2 instance with no changes.
+ Choose the **delete the existing SSM document here** link to delete the SSM document. This allows an SSM document with the correct properties to be created; it is created automatically when you launch the EC2 instance.

1. For **IAM instance profile**, you can select an existing IAM instance profile or create a new one. Select an IAM instance profile that has the AWS managed policies **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess** attached to it from the **IAM instance profile** dropdown list. To create a new one, choose **Create new IAM profile** link, and then do the following: 

   1. Choose **Create role**.

   1. Under **Select trusted entity**, choose **AWS service**.

   1. Under **Use case**, choose **EC2**.

   1.  Under **Add permissions**, in the list of policies, select the **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess** policies. To filter the list, type **SSM** in the search box. Choose **Next**. 
**Note**  
**AmazonSSMDirectoryServiceAccess** provides the permissions to join instances to an Active Directory managed by Directory Service. **AmazonSSMManagedInstanceCore** provides the minimum permissions necessary to use the AWS Systems Manager service. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*.

   1. On the **Name, review, and create** page, enter a **Role name**. You will need this role name to attach to the EC2 instance.

   1. (Optional) You can provide a description of the IAM instance profile in the **Description** field.

   1. Choose **Create role**.

   1.  Return to **Launch an instance** page and choose the refresh icon next to the **IAM instance profile**. Your new IAM instance profile should be visible in the **IAM instance profile** dropdown list. Choose the new profile and leave the rest of the settings with their default values. 

1. Choose **Launch instance**.

------
#### [ Manually join an EC2 Windows ]

To manually join an existing Amazon EC2 Windows instance to a Simple AD Active Directory, the instance must be launched using the parameters as specified in [Joining an Amazon EC2 Windows instance to your Simple AD Active Directory](#simple_ad_launching_instance).

You will need the IP addresses of the Simple AD DNS servers. This information can be found under **Directory Services** > **Directories** > the **Directory ID** link for your directory > **Directory details** and **Networking & Security** sections.

![\[On the Directory Service console on the directory details page, the IP addresses of the Directory Service provided DNS servers are highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/directory_details_highlighted.png)


**To join a Windows instance to a Simple AD Active Directory**

1. Connect to the instance using any Remote Desktop Protocol client.

1. Open the TCP/IPv4 properties dialog box on the instance.

   1. Open **Network Connections**.
**Tip**  
You can open **Network Connections** directly by running the following from a command prompt on the instance.  

      ```
      %SystemRoot%\system32\control.exe ncpa.cpl
      ```

   1. Open the context menu (right-click) for any enabled network connection and then choose **Properties**.

   1. In the connection properties dialog box, open (double-click) **Internet Protocol Version 4**.

1. Select **Use the following DNS server addresses**, change the **Preferred DNS server** and **Alternate DNS server** addresses to the IP addresses of your Simple AD-provided DNS servers, and choose **OK**.  
![\[The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box with the preferred DNS server and alternative DNS server fields highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/dns_server_addresses.png)

1. Open the **System Properties** dialog box for the instance, select the **Computer Name** tab, and choose **Change**.
**Tip**  
You can open the **System Properties** dialog box directly by running the following from a command prompt on the instance.  

   ```
   %SystemRoot%\system32\control.exe sysdm.cpl
   ```

1. In the **Member of** field, select **Domain**, enter the fully qualified name of your Simple AD Active Directory, and choose **OK**.

1. When prompted for the name and password for the domain administrator, enter the username and password of an account that has domain join privileges. For more information about delegating these privileges, see [Delegating directory join privileges for Simple AD](simple_ad_directory_join_privileges.md).
**Note**  
You can enter either the fully qualified name of your domain or the NetBIOS name, followed by a backslash (`\`), and then the username. The username would be **Administrator**. For example, `corp.example.com\administrator` or `corp\administrator`.

1. After you receive the message welcoming you to the domain, restart the instance to have the changes take effect.

Now that your instance has been joined to the Simple AD Active Directory domain, you can log into that instance remotely and install utilities to manage the directory, such as adding users and groups. The Active Directory Administration Tools can be used to create users and groups. For more information, see [Installing the Active Directory Administration Tools for Simple AD](simple_ad_install_ad_tools.md).

------

# Join an Amazon EC2 Linux instance to your Simple AD Active Directory
<a name="simple_ad_linux_domain_join"></a>

You can launch and join an Amazon EC2 Linux instance to your Simple AD in the AWS Management Console. You can also manually join an EC2 Linux instance to your Simple AD.

The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 and 8 do not support the seamless domain join feature.

**Topics**
+ [Seamlessly join an Amazon EC2 Linux instance to your Simple AD Active Directory](simple_ad_seamlessly_join_linux_instance.md)
+ [Manually join an Amazon EC2 Linux instance to your Simple AD Active Directory](simple_ad_join_linux_instance.md)

# Seamlessly join an Amazon EC2 Linux instance to your Simple AD Active Directory
<a name="simple_ad_seamlessly_join_linux_instance"></a>

This procedure seamlessly joins an Amazon EC2 Linux instance to your Simple AD Active Directory.

The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 and 8 do not support the seamless domain join feature.

## Prerequisites
<a name="simple_ad_seamless-linux-prereqs"></a>

Before you can set up seamless domain join to a Linux instance, you need to complete the procedures in this section.

### Select your seamless domain join service account
<a name="simple_ad_seamless-linux-prereqs-select"></a>

You can seamlessly join Linux computers to your Simple AD domain. To do that, you must create a user account with create computer account permissions to join the computers to the domain. Although members of the *Domain Admins* or other groups may have sufficient privileges to join computers to the domain, we do not recommend this. As a best practice, we recommend you use a service account that has the minimum privileges necessary to join the computers to the domain.

For information about how to delegate permissions for computer account creation to your service account, see [Delegate privileges to your service account](ad_connector_getting_started.md#connect_delegate_privileges).

### Create the secrets to store the domain service account
<a name="-create-secrets"></a>

You can use AWS Secrets Manager to store the domain service account. For more information, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com//secretsmanager/latest/userguide/create_secret.html).

**Note**  
There are fees associated with Secrets Manager. For more information see, [Pricing](https://docs.aws.amazon.com//secretsmanager/latest/userguide/intro.html#asm_pricing) in the *AWS Secrets Manager User Guide*.

**To create secrets and store the domain service account information**

1. Sign in to the AWS Management Console and open the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. Choose **Store a new secret**. 

1. On the **Store a new secret** page, do the following:

   1. Under **Secret type**, choose **Other type of secrets**.

   1. Under **Key/value pairs**, do the following:

      1. In the first box, enter **awsSeamlessDomainUsername**. On the same row, in the next box, enter the username for your service account. For example, if you used the PowerShell command previously, the service account name would be **awsSeamlessDomain**.
**Note**  
You must enter **awsSeamlessDomainUsername** exactly as it is. Make sure there are not any leading or ending spaces. Otherwise the domain join will fail.   
![\[In the AWS Secrets Manager console on the choose a secret type page. Other type of secret is selected under secret type and awsSeamlessDomainUsername is entered as the key value.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/secrets_manager_1.png)

      1. Choose **Add row**.

      1. On the new row, in the first box, enter **awsSeamlessDomainPassword**. On the same row, in the next box, enter the password for your service account.
**Note**  
You must enter **awsSeamlessDomainPassword** exactly as shown, with no leading or trailing spaces. Otherwise the domain join will fail. 

      1. Under **Encryption key**, leave the default value `aws/secretsmanager`. AWS Secrets Manager always encrypts the secret when you choose this option. You can also choose a key you created.

      1. Choose **Next**.

1. Under **Secret name**, enter a secret name that includes your directory ID using the following format, replacing *d-xxxxxxxxx* with your directory ID:

   ```
   aws/directory-services/d-xxxxxxxxx/seamless-domain-join
   ```

   This will be used to retrieve secrets in the application.
**Note**  
You must enter **aws/directory-services/*d-xxxxxxxxx*/seamless-domain-join** exactly as shown, replacing *d-xxxxxxxxx* with your directory ID, with no leading or trailing spaces. Otherwise the domain join will fail.   
![\[In the AWS Secrets Manager console on the configure secret page. The secret name is entered and highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/secrets_manager_2.png)

1. Leave everything else set to defaults, and then choose **Next**.

1. Under **Configure automatic rotation**, choose **Disable automatic rotation**, and then choose **Next**.

   You can turn on rotation for this secret after you store it.

1. Review the settings, and then choose **Store** to save your changes. The Secrets Manager console returns you to the list of secrets in your account with your new secret now included in the list. 

1. Choose your newly created secret name from the list, and take note of the **Secret ARN** value. You will need it in the next section.

### Turn on rotation for the domain service account secret
<a name="seamless-linux-prereqs-turn-on-rotation"></a>

We recommend that you regularly rotate secrets to improve your security posture. 

**To turn on rotation for the domain service account secret**
+ Follow the instructions in [Set up automatic rotation for AWS Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html) in the *AWS Secrets Manager User Guide*.

  For Step 5, use the rotation template [Microsoft Active Directory credentials](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#template-AD-password) in the *AWS Secrets Manager User Guide*.

  For help, see [Troubleshoot AWS Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.html) in the *AWS Secrets Manager User Guide*.

### Create the required IAM policy and role
<a name="seamless-linux-prereqs-create-policy"></a>

Use the following prerequisite steps to create a custom policy that allows read-only access to your Secrets Manager seamless domain join secret (which you created earlier), and to create a new LinuxEC2DomainJoin IAM role. 

#### Create the Secrets Manager IAM read policy
<a name="seamless-linux-prereqs-create-policy-step1"></a>

You use the IAM console to create a policy that grants read-only access to your Secrets Manager secret.

**To create the Secrets Manager IAM read policy**

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies. Then open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, **Access Management**, choose **Policies**.

1. Choose **Create policy**.

1. Choose the **JSON** tab and copy the text from the following JSON policy document. Then paste it into the **JSON** text box.
**Note**  
Make sure you replace the Region and Resource ARN with the actual Region and ARN of the secret that you created earlier.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret"
               ],
               "Resource": [
                   "arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:aws/directory-services/d-xxxxxxxxx/seamless-domain-join"
               ]
           }
       ]
   }
   ```

1. When you are finished, choose **Next**. The policy validator reports any syntax errors. For more information, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html).

1. On the **Review policy** page, enter a policy name, such as **SM-Secret-Linux-DJ-*d-xxxxxxxxxx*-Read**. Review the **Summary** section to see the permissions that your policy grants. Then choose **Create policy** to save your changes. The new policy appears in the list of managed policies and is now ready to attach to an identity.

**Note**  
We recommend you create one policy per secret. Doing so ensures that instances only have access to the appropriate secret and minimizes the impact if an instance is compromised. 
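The secret body, secret name and read policy from the two procedures above, as an added Python example (not AWS code): it builds the values and checks what the notes warn about (exact key names, no surrounding whitespace, a policy scoped to one secret). The directory-ID pattern `d-` plus ten hex digits, the account ID 111122223333 and the `-AbCdEf` ARN suffix are assumptions.

```python
"""Added example (not AWS code): build the seamless-domain-join secret body,
its secret name and a read-only IAM policy, and check the pitfalls the notes
above describe. Standard library only; nothing here talks to AWS."""
import json
import re

# Assumption: directory IDs are "d-" followed by ten hex digits (docs: d-xxxxxxxxx).
DIRECTORY_ID_RE = re.compile(r"^d-[0-9a-f]{10}$")
# The two keys the SSM domain join looks for; the names must match exactly.
REQUIRED_KEYS = ("awsSeamlessDomainUsername", "awsSeamlessDomainPassword")


def secret_name(directory_id):
    """Secret name SSM looks up: aws/directory-services/<directory ID>/seamless-domain-join."""
    if not DIRECTORY_ID_RE.match(directory_id):
        raise ValueError(f"not a directory ID: {directory_id!r}")
    return f"aws/directory-services/{directory_id}/seamless-domain-join"


def build_secret_string(username, password):
    """JSON body for the secret, refusing values with surrounding whitespace."""
    pairs = dict(zip(REQUIRED_KEYS, (username, password)))
    for key, value in pairs.items():
        if not value or value != value.strip():
            raise ValueError(f"{key} is empty or has leading/trailing whitespace")
    return json.dumps(pairs)


def check_secret_string(secret_string):
    """List the problems in an existing secret body (empty list means it is usable)."""
    problems = []
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError:
        return ["secret body is not JSON"]
    for key in REQUIRED_KEYS:
        if key not in data:
            # A key that differs only by case or whitespace is the usual typo.
            near = [k for k in data if k.strip().lower() == key.lower()]
            hint = f" (found {near[0]!r} instead)" if near else ""
            problems.append(f"missing key {key}{hint}")
        elif data[key] != data[key].strip():
            problems.append(f"{key} has leading/trailing whitespace")
    return problems


def read_policy(secret_arn):
    """Least-privilege policy: read exactly one secret. Pass the Secret ARN shown in
    the console, since Secrets Manager appends a random suffix to the secret name."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": [secret_arn],
        }],
    }


def policy_is_scoped(policy):
    """True only if every Resource is a single seamless-domain-join secret ARN."""
    for stmt in policy.get("Statement", []):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if ("*" in res or not res.startswith("arn:aws:secretsmanager:")
                    or "/seamless-domain-join" not in res):
                return False
    return True


if __name__ == "__main__":
    # Constructed values: account 111122223333, directory d-1234567890, suffix -AbCdEf.
    arn = ("arn:aws:secretsmanager:us-east-1:111122223333:secret:"
           + secret_name("d-1234567890") + "-AbCdEf")
    print(build_secret_string("awsSeamlessDomain", "example-password"))
    print(json.dumps(read_policy(arn), indent=4))
    print("scoped to one secret:", policy_is_scoped(read_policy(arn)))
```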

#### Create the LinuxEC2DomainJoin role
<a name="seamless-linux-prereqs-create-policy-step2"></a>

You use the IAM console to create the role that you will use to domain join your Linux EC2 instance.

**To create the LinuxEC2DomainJoin role**

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies. Then open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access Management**, choose **Roles**.

1. In the content pane, choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. Under **Use case**, choose **EC2**, and then choose **Next**.  
![\[In the IAM console on the select trusted entity page. AWS service and EC2 are selected.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/iam-console-trusted-entity.png)

1. For **Filter policies**, do the following:

   1. Enter **AmazonSSMManagedInstanceCore**. Then select the check box for that item in the list.

   1. Enter **AmazonSSMDirectoryServiceAccess**. Then select the check box for that item in the list.

   1. Enter **SM-Secret-Linux-DJ-*d-xxxxxxxxxx*-Read** (or the name of the policy that you created in the previous procedure). Then select the check box for that item in the list.

   1. After adding the three policies listed above, select **Create role**.
**Note**  
AmazonSSMDirectoryServiceAccess provides the permissions to join instances to an Active Directory managed by Directory Service. AmazonSSMManagedInstanceCore provides the minimum permissions necessary to use the AWS Systems Manager service. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*.

1. Enter a name for your new role, such as **LinuxEC2DomainJoin** or another name that you prefer in the **Role name** field.

1. (Optional) For **Role description**, enter a description.

1. (Optional) Choose **Add new tag** under **Step 3: Add tags** to add tags. Tag key-value pairs are used to organize, track, or control access for this role.

1. Choose **Create role**.

## Seamlessly join a Linux instance to your Simple AD Active Directory
<a name="simple_ad_seamless-linux-join-instance"></a>

**To seamlessly join your Linux instance**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. From the Region selector in the navigation bar, choose the same AWS Region as the existing directory.

1. On the **EC2 Dashboard**, in the **Launch instance** section, choose **Launch instance**.

1. On the **Launch an instance** page, under the **Name and Tags** section, enter the name you would like to use for your Linux EC2 instance.

1.  *(Optional)* Choose **Add additional tags** to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance. 

1. In the **Application and OS Image (Amazon Machine Image)** section, choose a Linux AMI you wish to launch.
**Note**  
The AMI used must have AWS Systems Manager (SSM Agent) version 2.3.1644.0 or higher. To check the installed SSM Agent version, launch an instance from that AMI and follow [Getting the currently installed SSM Agent version](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-get-version.html). If you need to upgrade the SSM Agent, see [Installing and configuring SSM Agent on EC2 instances for Linux](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html).  
SSM uses the `aws:domainJoin` plugin when joining a Linux instance to an Active Directory domain. The plugin changes the hostname of the Linux instance to the format EC2AMAZ-*XXXXXXX*. For more information about `aws:domainJoin`, see [AWS Systems Manager command document plugin reference](https://docs.aws.amazon.com//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.html#aws-domainJoin) in the *AWS Systems Manager User Guide*.

1. In the **Instance type** section, choose the instance type you would like to use from the **Instance type** dropdown list.

1. In the **Key pair (login)** section, you can either choose to create a new key pair or choose from an existing key pair. To create a new key pair, choose **Create new key pair**. Enter a name for the key pair and select an option for the **Key pair type** and **Private key file format**. To save the private key in a format that can be used with OpenSSH, choose **.pem**. To save the private key in a format that can be used with PuTTY, choose **.ppk**. Choose **create key pair**. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

1. On the **Launch an instance** page, under the **Network settings** section, choose **Edit**. From the **VPC - required** dropdown list, choose the VPC that your directory was created in.

1. Choose one of the public subnets in your VPC from the **Subnet** dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

   For more information on how to connect to an internet gateway, see [Connect to the internet using an internet gateway](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

1. Under **Auto-assign public IP**, choose **Enable**.

   For more information about public and private IP addressing, see [Amazon EC2 instance IP addressing](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-instance-addressing.html) in the *Amazon EC2 User Guide*.

1. For **Firewall (security groups)** settings, you can use the default settings or make changes to meet your needs. 

1. For **Configure storage** settings, you can use the default settings or make changes to meet your needs.

1. Select the **Advanced details** section, and then choose your domain from the **Domain join directory** dropdown list.
**Note**  
After choosing the Domain join directory, you may see:   

![\[An error message when selecting your Domain join directory. There is an error with your existing SSM document.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/SSM-Error-Message.png)

This error occurs if the EC2 launch wizard identifies an existing SSM document with unexpected properties. You can do one of the following:  
+ If you previously edited the SSM document and the properties are expected, choose **Close** and proceed to launch the EC2 instance with no changes.
+ Choose the **delete the existing SSM document here** link to delete the SSM document. This allows an SSM document with the correct properties to be created automatically when you launch the EC2 instance.

1. For **IAM instance profile**, choose the IAM role that you previously created in the prerequisites section **Step 2: Create the LinuxEC2DomainJoin role**.

1. Choose **Launch instance**.

**Note**  
If you are performing a seamless domain join with SUSE Linux, a reboot is required before authentication will work. To reboot SUSE from the Linux terminal, type **sudo reboot**.

# Manually join an Amazon EC2 Linux instance to your Simple AD Active Directory
<a name="simple_ad_join_linux_instance"></a>

In addition to Amazon EC2 Windows instances, you can also join certain Amazon EC2 Linux instances to your Simple AD Active Directory. The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Amazon Linux 2023 AMI
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Other Linux distributions and versions may work but have not been tested.

## Prerequisites
<a name="simple_ad_join_linux_prereq"></a>

Before you can join either an Amazon Linux, CentOS, Red Hat, or Ubuntu instance to your directory, the instance must first be launched as specified in [Seamlessly join an Amazon EC2 Linux instance to your Simple AD Active Directory](simple_ad_seamlessly_join_linux_instance.md).

**Important**  
Some of the following procedures, if not performed correctly, can render your instance unreachable or unusable. Therefore, we strongly suggest you make a backup or take a snapshot of your instance before performing these procedures.

**To join a Linux instance to your directory**  
Follow the steps for your specific Linux instance using one of the following tabs:

------
#### [ Amazon Linux ]<a name="amazonlinux"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Amazon Linux - 64bit instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required Amazon Linux packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.  
Amazon Linux  

   ```
   sudo yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
   ```
**Note**  
For help with determining the Amazon Linux version you are using, see [Identifying Amazon Linux images](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#amazon-linux-image-id) in the *Amazon EC2 User Guide for Linux Instances*.

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account@EXAMPLE.COM example.com --verbose
   ```  
*join\_account@EXAMPLE.COM*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\\<space>" to create the Linux space character.)

------
#### [ CentOS ]<a name="centos"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your CentOS 7 instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required CentOS 7 packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo yum -y install sssd realmd krb5-workstation samba-common-tools
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account@example.com example.com --verbose
   ```  
*join\_account@example.com*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\\<space>" to create the Linux space character.)

------
#### [ Red hat ]<a name="redhat"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure the Red Hat - 64bit instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required Red Hat packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo yum -y install sssd realmd krb5-workstation samba-common-tools
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -v -U join_account example.com --install=/
   ```  
*join\_account*  
The **sAMAccountName** for an account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\\<space>" to create the Linux space character.)

------
#### [ Ubuntu ]<a name="ubuntu"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Ubuntu - 64bit instance is up to date.

   ```
   sudo apt-get update
   sudo apt-get -y upgrade
   ```

1. Install the required Ubuntu packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli
   ```

1. Disable reverse DNS resolution and set the default realm to your domain's FQDN. Ubuntu instances **must** be reverse-resolvable in DNS before the realm join will work. Otherwise, you have to disable reverse DNS lookups in /etc/krb5.conf as follows:

   ```
   sudo vi /etc/krb5.conf
   ```

   ```
   [libdefaults]
   default_realm = EXAMPLE.COM
   rdns = false
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account example.com --verbose
   ```  
*join\_account*  
The **sAMAccountName** for an account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\\<space>" to create the Linux space character.)

------

**Note**  
When using Simple AD, if you create a user account on a Linux instance with the option "Force user to change password at first login," that user will not be able to initially change their password using **kpasswd**. In order to change the password the first time, a domain administrator must update the user password using the Active Directory Management Tools.

## Manage accounts from a Linux instance
<a name="simple_ad_manage_accounts"></a>

To manage accounts in Simple AD from a Linux instance, you must update specific configuration files on your Linux instance as follows:

1. Set **krb5\_use\_kdcinfo** to **False** in the **/etc/sssd/sssd.conf** file. For example:

   ```
   [domain/example.com]
       krb5_use_kdcinfo = False
   ```

1. For the configuration to take effect, you need to restart the sssd service:

   ```
   $ sudo systemctl restart sssd.service
   ```

   Alternatively, you could use:

   ```
   $ sudo service sssd restart
   ```

1. If you will be managing users from a CentOS Linux instance, you must also edit the file **/etc/smb.conf** to include: 

   ```
   [global] 
     workgroup = EXAMPLE.COM
     realm = EXAMPLE.COM 
     netbios name = EXAMPLE
     security = ads
   ```

## Restricting account login access
<a name="simple_ad_linux_filter"></a>

Since all accounts are defined in Active Directory, by default, all the users in the directory can log in to the instance. You can allow only specific users to log in to the instance with **ad\_access\_filter** in **sssd.conf**. For example:

```
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
```

*memberOf*  
Indicates that users should only be allowed access to the instance if they are a member of a specific group.

*cn*  
The common name of the group that should have access. In this example, the group name is *admins*.

*ou*  
This is the organizational unit in which the above group is located. In this example, the OU is *Testou*.

*dc*  
This is the domain component of your domain. In this example, *example*.

*dc*  
This is an additional domain component. In this example, *com*.

You must manually add **ad\_access\_filter** to your **/etc/sssd/sssd.conf**.

Open the **/etc/sssd/sssd.conf** file in a text editor.

```
sudo vi /etc/sssd/sssd.conf
```

After you do this, your **sssd.conf** might look like this:

```
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
```

In order for the configuration to take effect, you need to restart the sssd service:

```
sudo systemctl restart sssd.service
```

Alternatively, you could use:

```
sudo service sssd restart
```
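How the filter above decides who may log in, as an added Python example (not AWS or SSSD code): it reads `ad_access_filter` from a constructed sssd.conf, parses the `(attr=value)`, `&`, `|` and `!` filter forms, and evaluates it against constructed user entries, showing that without the filter every directory user is allowed. It goes beyond the page's single `memberOf` filter by handling compound filters; the user names and group DNs are assumptions.

```python
"""Added example (not AWS or SSSD code): decide which directory users an
sssd.conf ad_access_filter would let log in. Standard library only; the
sssd.conf text and the user entries below are constructed."""
import configparser
import io

# Constructed sssd.conf without an access filter: every directory user can log in.
SSSD_CONF_OPEN = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
id_provider = ad
fallback_homedir = /home/%u@%d
access_provider = ad
"""
FILTER_LINE = "ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)\n"
SSSD_CONF_FILTERED = SSSD_CONF_OPEN + FILTER_LINE

# Constructed directory entries: attribute name -> list of values, as LDAP returns them.
SAMPLE_USERS = {
    "johndoe": {"memberOf": ["CN=admins,OU=Testou,DC=example,DC=com",
                             "CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "janedoe": {"memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
    "svc-join": {"memberOf": []},
}


def load_access_config(conf_text, domain):
    """Return (access_provider, ad_access_filter) from the [domain/<domain>] section."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %u@%d literal
    parser.read_file(io.StringIO(conf_text))
    section = parser[f"domain/{domain}"]
    return section.get("access_provider"), section.get("ad_access_filter")


def parse_filter(text):
    """Parse the LDAP filter subset (attr=value), (&...), (|...), (!...) into
    ("=", attr, value) leaves and (op, [children]) nodes."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, kids = text[pos], []
            pos += 1
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return (op, kids)
        end = text.index(")", pos)  # a DN value contains no parentheses
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _dn_key(value):
    # DNs compare case-insensitively and ignore whitespace around the commas.
    return ",".join(part.strip().lower() for part in value.split(","))


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute -> list of values)."""
    if node[0] == "=":
        _, attr, wanted = node
        for name, values in entry.items():
            if name.lower() == attr.lower():  # attribute names are case-insensitive
                return any(_dn_key(v) == _dn_key(wanted) for v in values)
        return False
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)  # "!"


def allowed_users(conf_text, domain, users):
    """Sorted names of the users this configuration lets log in. Simplification:
    anything but access_provider = ad with a filter is treated as permit-all,
    which is the default behaviour the text describes."""
    provider, access_filter = load_access_config(conf_text, domain)
    if provider != "ad" or not access_filter:
        return sorted(users)
    tree = parse_filter(access_filter)
    return sorted(name for name, entry in users.items() if matches(tree, entry))
```

Calling `allowed_users(SSSD_CONF_FILTERED, "example.com", SAMPLE_USERS)` returns `['johndoe']`, while the same call with `SSSD_CONF_OPEN` returns all three users.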

## ID Mapping
<a name="simple-ad-id-mapping"></a>

ID mapping keeps the UNIX/Linux User Identifier (UID) and Group Identifier (GID) of an identity consistent with its Windows and Active Directory Security Identifier (SID). It can be performed by two methods:

1. Centralized

1. Distributed

**Note**  
Centralized user identity mapping in Active Directory requires Portable Operating System Interface or POSIX.

**Centralized user identity mapping**  
Active Directory or another Lightweight Directory Access Protocol (LDAP) service provides UID and GID to the Linux users. In Active Directory, these identifiers are stored in the users' attributes if the POSIX extension is configured:
+ UID - The Linux username (String)
+ UID Number - The Linux User ID number (Integer)
+ GID Number - The Linux Group ID number (Integer)

To configure a Linux instance to use the UID and GID from Active Directory, set `ldap_id_mapping = False` in the sssd.conf file. Before setting this value, verify you have added a UID, UID number and GID number to the users and groups in Active Directory.

**Distributed user identity mapping**  
If Active Directory doesn't have the POSIX extension or if you choose not to centrally manage identity mapping, Linux can calculate the UID and GID values. Linux uses the user's unique Security Identifier (SID) to maintain consistency.

To configure distributed user ID mapping, set `ldap_id_mapping = True` in the sssd.conf file.

**Common issues**  
If you set `ldap_id_mapping = False`, starting the SSSD service sometimes fails. This happens because changing UIDs is not supported. We recommend you delete the SSSD cache whenever you change from ID mapping to POSIX attributes or from POSIX attributes to ID mapping. For further details about ID mapping and the ldap\_id\_mapping parameters, see the sssd-ldap(8) man page on the Linux command line.

## Connect to the Linux instance
<a name="simple_ad_linux_connect"></a>

When a user connects to the instance using an SSH client, they are prompted for their username. The user can enter the username in either the `username@example.com` or `EXAMPLE\username` format. The response will appear similar to the following, depending on which Linux distribution you are using:

**Amazon Linux, Red Hat Enterprise Linux, and CentOS Linux**

```
login as: johndoe@example.com
johndoe@example.com's password:
Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX
```

**SUSE Linux**

```
SUSE Linux Enterprise Server 15 SP1 x86_64 (64-bit)

As "root" (sudo or sudo -i) use the:
  - zypper command for package management
  - yast command for configuration management

Management and Config: https://www.suse.com/suse-in-the-cloud-basics
Documentation: https://www.suse.com/documentation/sles-15/
Forum: https://forums.suse.com/forumdisplay.php?93-SUSE-Public-Cloud

Have a lot of fun...
```

**Ubuntu Linux**

```
login as: admin@example.com
admin@example.com@10.24.34.0's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1057-aws x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 18 22:03:35 UTC 2020

  System load:  0.01              Processes:           102
  Usage of /:   18.6% of 7.69GB   Users logged in:     2
  Memory usage: 16%               IP address for eth0: 10.24.34.1
  Swap usage:   0%
```

# Delegating directory join privileges for Simple AD
<a name="simple_ad_directory_join_privileges"></a>

To join a computer to your directory, you need an account that has privileges to join computers to the directory. 

With Simple AD, members of the **Domain Admins** group have sufficient privileges to join computers to the directory.

However, as a best practice, you should use an account that has only the minimum privileges necessary. The following procedure demonstrates how to create a new group called `Joiners` and delegate the privileges to this group that are needed to join computers to the directory.

You must perform this procedure on a computer that is joined to your directory and has the **Active Directory Users and Computers** MMC snap-in installed. You must also be logged in as a domain administrator.

**To delegate join privileges for Simple AD**

1. Open **Active Directory Users and Computers** and select your domain root in the navigation tree.

1. In the navigation tree on the left, open the context menu (right-click) for **Users**, choose **New**, and then choose **Group**. 

1. In the **New Object - Group** box, type the following and choose **OK**.
   + For **Group name**, type **Joiners**.
   + For **Group scope**, choose **Global**.
   + For **Group type**, choose **Security**.

1. In the navigation tree, select your domain root. From the **Action** menu, choose **Delegate Control**.

1. On the **Delegation of Control Wizard** page, choose **Next**, and then choose **Add**.

1. In the **Select Users, Computers, or Groups** box, type `Joiners` and choose **OK**. If more than one object is found, select the `Joiners` group created above. Choose **Next**.

1. On the **Tasks to Delegate** page, select **Create a custom task to delegate**, and then choose **Next**.

1. Select **Only the following objects in the folder**, and then select **Computer objects**. 

1. Select **Create selected objects in this folder** and **Delete selected objects in this folder**. Then choose **Next**.  
![\[Delegation of Control Wizard Active Directory Object Type dialog box with only the following objects in the folder selected user objects, create selected objects in this folder, and delete selected objects in this folder.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/aduc_delegate_join_linux.png)

1. Select **Read** and **Write**, and then choose **Next**.  
![\[Delegation of Control Wizard permissions dialog box with the following permissions selected general, property-specific, and read.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/aduc_delegate_join_permissions.png)

1. Verify the information on the **Completing the Delegation of Control Wizard** page and choose **Finish**. 

1. Create a user with a strong password and add that user to the `Joiners` group. The user will then have sufficient privileges to join computers to the directory.

# Creating a DHCP options set for Simple AD
<a name="simple_ad_dhcp_options_set"></a>

AWS recommends that you create a DHCP options set for your Directory Service directory and assign the DHCP options set to the VPC that your directory is in. This allows any instances in that VPC to point to the specified domain and DNS servers to resolve their domain names.

For more information about DHCP options sets, see [DHCP options sets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) in the *Amazon VPC User Guide*.

**To create a DHCP options set for your directory**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **DHCP Options Sets**, and then choose **Create DHCP options set**.

1. On the **Create DHCP options set** page, enter the following values for your directory:  
**Name**  
An optional tag for the options set.  
**Domain name**  
The fully qualified name of your directory, such as `corp.example.com`.  
**Domain name servers**  
The IP addresses of your AWS-provided directory's DNS servers.   
You can find these addresses by going to the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, selecting **Directories** and then choosing the correct directory ID.  
**NTP servers**  
Leave this field blank.  
**NetBIOS name servers**  
Leave this field blank.  
**NetBIOS node type**  
Leave this field blank.

1. Choose **Create DHCP options set**. The new set of DHCP options appears in your list of DHCP options.

1. Make a note of the ID of the new set of DHCP options (dopt-*xxxxxxxx*). You use it to associate the new options set with your VPC.

**To change the DHCP options set associated with a VPC**

After you create a set of DHCP options, you can't modify them. If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC. You can also set up your VPC to use no DHCP options at all.

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Your VPCs**.

1. Select the VPC, and then choose **Actions**, **Edit VPC settings**.

1. For **DHCP options set**, select an options set or choose **No DHCP options set**, and then choose **Save**.

To change the DHCP options set associated with a VPC using the command line, see the following:
+ **AWS CLI**: [associate-dhcp-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-dhcp-options.html)
+ **AWS Tools for Windows PowerShell**: [Register-EC2DhcpOption](https://docs.aws.amazon.com/powershell/latest/reference/items/Register-EC2DhcpOption.html)
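The two procedures above carried out with the AWS CLI, as an added example that is not part of the AWS guide: the script reads the directory's domain name and DNS addresses, validates them, creates the options set and associates it with the VPC. It assumes a configured AWS CLI; `DIRECTORY_ID` and `VPC_ID` are hypothetical variables, and the IP addresses in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the AWS guide: create a DHCP options set from a Simple AD
# directory's domain name and DNS addresses and associate it with the VPC, using the
# AWS CLI commands referenced above. Assumptions: the AWS CLI is installed and
# configured; DIRECTORY_ID and VPC_ID (hypothetical variables) name the directory
# and the VPC. IP addresses shown in comments are constructed samples.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the --dhcp-configurations values for a domain name and one or more DNS IPs,
# one per line, for example:
#   Key=domain-name,Values=corp.example.com
#   Key=domain-name-servers,Values=10.0.0.10,10.0.1.10
dhcp_configurations() {
    domain="$1"
    shift
    [ -n "$domain" ] || { echo "dhcp_configurations: empty domain name" >&2; return 1; }
    ips=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "dhcp_configurations: bad DNS IP '$ip'" >&2; return 1; }
        ips="${ips:+$ips,}$ip"
    done
    [ -n "$ips" ] || { echo "dhcp_configurations: no DNS IPs given" >&2; return 1; }
    printf 'Key=domain-name,Values=%s\n' "$domain"
    printf 'Key=domain-name-servers,Values=%s\n' "$ips"
}

# Read the domain name and DNS IPs from the directory (the same values the console
# shows under Domain name servers), create the options set and associate it with the
# VPC. Options sets cannot be edited afterwards, so changed DNS addresses mean running
# this again to create and associate a new set.
create_and_associate() {
    dir_id="$1"
    vpc_id="$2"
    domain=$(aws ds describe-directories --directory-ids "$dir_id" \
        --query 'DirectoryDescriptions[0].Name' --output text) || return 1
    dns_ips=$(aws ds describe-directories --directory-ids "$dir_id" \
        --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text) || return 1
    # $dns_ips is tab-separated; word splitting into separate arguments is intended.
    config=$(dhcp_configurations "$domain" $dns_ips) || return 1
    # $config holds one Key=...,Values=... argument per line; splitting is intended.
    dopt_id=$(aws ec2 create-dhcp-options --dhcp-configurations $config \
        --query 'DhcpOptions.DhcpOptionsId' --output text) || return 1
    echo "created $dopt_id for $domain (DNS: $dns_ips)"
    aws ec2 associate-dhcp-options --dhcp-options-id "$dopt_id" --vpc-id "$vpc_id"
}

# Entry point: DIRECTORY_ID=d-... VPC_ID=vpc-... sh dhcp_options.sh (nothing runs when unset).
if [ -n "${DIRECTORY_ID:-}" ] && [ -n "${VPC_ID:-}" ]; then
    create_and_associate "$DIRECTORY_ID" "$VPC_ID"
fi
```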

# Users and groups management in Simple AD
<a name="simple_ad_manage_users_groups"></a>

Users represent individual people or entities that have access to your directory. Groups are very useful for giving or denying privileges to groups of users, rather than having to apply those privileges to each individual user. If a user moves to a different organization, you move that user to a different group and they automatically receive the privileges needed for the new organization.

To create users and groups in a Directory Service directory, you must use an instance (either on-premises or EC2) that has been joined to your Directory Service directory, and be logged in as a user that has privileges to create users and groups. You will also need to install the Active Directory Tools on your EC2 instance so you can add your users and groups with the Active Directory Users and Computers snap-in. For more information about how to set up an EC2 instance and install the necessary tools, see [Ways to join an Amazon EC2 instance to your Simple AD](simple_ad_join_instance.md).

**Note**  
Your user accounts must have Kerberos preauthentication enabled. This is the default setting for new user accounts, but it should not be modified. For more information about this setting, go to [Preauthentication](http://technet.microsoft.com/en-us/library/cc961961.aspx) on Microsoft TechNet.

The following topics include instructions on how to create and manage users and groups. 

**Topics**
+ [Installing the Active Directory Administration Tools for Simple AD](simple_ad_install_ad_tools.md)
+ [Creating a Simple AD user](simple_ad_manage_users_groups_create_user.md)
+ [Deleting a Simple AD user](simple_ad_manage_users_groups_delete_user.md)
+ [Resetting a Simple AD user password](simple_ad_manage_users_groups_reset_password.md)
+ [Creating a Simple AD group](simple_ad_manage_users_groups_create_group.md)
+ [Adding a Simple AD user to a group](simple_ad_manage_users_groups_add_user_to_group.md)

# Installing the Active Directory Administration Tools for Simple AD
<a name="simple_ad_install_ad_tools"></a>

To manage your Active Directory from an Amazon EC2 Windows Server instance, you need to install the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools on the instance. Use the following procedure to install these tools on an EC2 Windows Server instance.

## Prerequisites
<a name="prerequisites_for_AD_admin_tools"></a>

Before you can begin this procedure, complete the following:

1. Create a Simple AD Active Directory. For more information, see [Create your Simple AD](simple_ad_getting_started.md#how_to_create_simple_ad).

1. Launch and join an EC2 Windows Server instance to your Simple AD Active Directory. The EC2 instance needs the following policies to create users and groups: **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess**. For more information, see [Joining an Amazon EC2 Windows instance to your Simple AD Active Directory](simple_ad_launching_instance.md).

1. You will need the credentials for your Active Directory domain Administrator. These credentials were created when the Simple AD was created. If you followed the procedure in [Create your Simple AD](simple_ad_getting_started.md#how_to_create_simple_ad), your Administrator username includes your NetBIOS name, **corp\administrator**.

**To install the Active Directory administration tools on EC2 Windows Server instance**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the Amazon EC2 console, choose **Instances**, select the Windows Server instance, and then choose **Connect**.

1. In the **Connect to instance** page, choose **RDP client**.

1. In the **RDP client** tab, choose **Download Remote Desktop File**, then choose **Get Password** to retrieve your password.

1. In the **Get Windows password**, choose **Upload private key file**. Choose the .pem private key file associated with the Windows Server instance. After uploading the private key file, select **Decrypt password**.

1. In the **Windows Security** dialog box, enter your local administrator credentials for the Windows Server computer to sign in. The username can be in the following formats: ***NetBIOS-Name*\administrator** or ***DNS-Name*\administrator**. For example, **corp\administrator** would be the username if you followed the procedure in [Create your Simple AD](simple_ad_getting_started.md#how_to_create_simple_ad).

1. Once signed in to the Windows Server instance, open **Server Manager** from the Start menu by choosing **Server Manager**.

1. In the **Server Manager Dashboard**, choose **Add roles and features**.

1. In the **Add Roles and Features Wizard** choose **Installation Type**, select **Role-based or feature-based installation**, and choose **Next**.

1. Under **Server Selection**, make sure the local server is selected, and choose **Features** in the left navigation pane.

1. In the **Features** tree, select and open **Remote Server Administration Tools**, **Role Administration Tools**, and **AD DS and AD LDS Tools**. With **AD DS and AD LDS Tools** selected, **Active Directory module for PowerShell**, **AD DS Tools**, and **AD LDS Snap-ins and Command-Line Tools** are selected. Scroll down and select **DNS Server Tools**, and then choose **Next**.  
![\[Installing Microsoft AD Tools, the Add Roles and Features Wizard Features Tree with tools selected.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/ms-install-ad-tools.png)

1. Review the information and choose **Install**. When the feature installation is finished, the Active Directory Domain Services and Active Directory Lightweight Directory Services Tools are available from the Start menu in the **Administrative Tools** folder.

# Creating a Simple AD user
<a name="simple_ad_manage_users_groups_create_user"></a>

Use the following procedure to create a user with an Amazon EC2 instance that is joined to your Simple AD directory. Before you can create users, you need to complete the procedures in [Installing the Active Directory Administration Tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_install_ad_tools.html).

**Note**  
When using Simple AD, if you create a user account on a Linux instance with the option "Force user to change password at first login," that user will not be able to initially change their password using **kpasswd**. In order to change the password the first time, a domain administrator must update the user password using the Active Directory Management Tools.

**To create a user**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool from the Windows Start menu. There is a shortcut to this tool found in the **Windows Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select an OU under your directory's NetBIOS name OU where you want to store your user (for example, **corp\Users**). For more information about the OU structure used by directories in AWS, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md).  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, choose **New**, and then choose **User** to open the new user wizard.

1. On the first page of the wizard, enter the values for the following fields, and then choose **Next**.
   + **First name**
   + **Last name**
   + **User logon name**

1. On the second page of the wizard, enter a temporary password in **Password** and **Confirm Password**. Make sure the **User must change password at next logon** option is selected. None of the other options should be selected. Choose **Next**.

1. On the third page of the wizard, verify that the new user information is correct and choose **Finish**. The new user will appear in the **Users** folder.

# Deleting a Simple AD user
<a name="simple_ad_manage_users_groups_delete_user"></a>

Use the following procedure to delete a user with an Amazon EC2 Windows instance that is joined to your Simple AD directory.

**To delete a user**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool from the Windows Start menu. There is a shortcut to this tool found in the **Windows Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select the OU containing the user that you want to delete (for example, **corp\Users**).  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. Select the user you wish to delete. On the **Action** menu, choose **Delete**.

1. A dialog box will appear prompting you to confirm you want to delete the user. Choose **Yes** to delete the user. This permanently deletes the selected user.

# Resetting a Simple AD user password
<a name="simple_ad_manage_users_groups_reset_password"></a>

Users must adhere to password policies as defined in the Active Directory. Sometimes this can get the best of users, including the Active Directory administrator, and they forget their password. When this happens, you can quickly reset the user's password using Directory Service if the user resides in Simple AD.

You must be signed in as a user with the necessary permissions to reset passwords. For more information about permissions, see [Overview of managing access permissions to your Directory Service resources](IAM_Auth_Access_Overview.md).

You can reset the password for any user in your Active Directory with the following exceptions:
+ You can reset the password for any user within the Organizational Unit (OU) that is based off of the NetBIOS name you used when you created your Active Directory. For example, if you followed the procedure in [Create your Simple AD](simple_ad_getting_started.md#how_to_create_simple_ad), your NetBIOS name would be CORP and the users whose passwords you could reset would be members of the Corp/Users OU.
+ You cannot reset the password of any user outside of the OU that is based off the NetBIOS name you used when you created your Active Directory. For more information about the OU structure for Simple AD, see [What gets created with your Simple AD](simple_ad_what_gets_created.md).
+ You cannot reset the password for any user that is a member of two domains. You also cannot reset the password of any user that is a member of either the **Domain Admins** or **Enterprise Admins** group except for the Administrator user.

**You can use any of the following methods to reset a user password:**
+ AWS Management Console
+ AWS CLI

------
#### [ AWS Management Console ]

1. In the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, choose **Directories**, and then select the Active Directory in the list where you want to reset a user password.

1. On the **Directory details** page, choose **Actions**, and then choose **Reset user password**.

1. In the **Reset user password** dialog, in **Username** type the username of the user whose password needs to change.

1. Type a password in **New password** and **Confirm password**, and then choose **Reset password**.

------
#### [ AWS CLI ]

1. To install the AWS CLI, see [Install or update the latest version of the AWS CLI](https://docs.aws.amazon.com//cli/latest/userguide/getting-started-install.html).

1. Open the AWS CLI.

1. Type the following command and replace the Directory ID, username **jane.doe**, and password **P@ssw0rd** with your Active Directory Directory ID and desired credentials. See [reset-user-password](https://docs.aws.amazon.com/cli/latest/reference/ds/reset-user-password.html) in the *AWS CLI Command Reference* for more information.

```
aws ds reset-user-password --directory-id d-1234567890 --user-name "jane.doe" --new-password "P@ssw0rd"
```

------

# Creating a Simple AD group
<a name="simple_ad_manage_users_groups_create_group"></a>

Use the following procedure to create a security group with an Amazon EC2 instance that is joined to your Simple AD directory. Before you can create security groups, you need to complete the procedures in [Installing the Active Directory Administration Tools](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_install_ad_tools.html).

**To create a group**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select an OU under your directory's NetBIOS name OU where you want to store your group (for example, Corp\Users). For more information about the OU structure used by directories in AWS, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md).  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, click **New**, and then click **Group** to open the new group wizard.

1. Type a name for the group in **Group name**, select a **Group scope** that meets your needs, and select **Security** for the **Group type**. For more information on Active Directory group scope and security groups, see [Active Directory security groups](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups) in Microsoft Windows Server documentation.

1. Click **OK**. The new security group will appear in the **Users** folder.

# Adding a Simple AD user to a group
<a name="simple_ad_manage_users_groups_add_user_to_group"></a>

Use the following procedure to add a user to a security group with an EC2 instance that is joined to your Simple AD directory.

**To add a user to a group**

1. Connect to the instance where the Active Directory Administration Tools were installed.

1. Open the Active Directory Users and Computers tool. There is a shortcut to this tool in the **Administrative Tools** folder.
**Tip**  
You can run the following from a command prompt on the instance to open the Active Directory Users and Computers tool directly.  

   ```
   %SystemRoot%\system32\dsa.msc
   ```

1. In the directory tree, select the OU under your directory's NetBIOS name OU where you stored your group, and then select the group to which you want to add a user.  
![\[Active Directory Users and Computers tool showing example OU structure.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/create-security-groups-OU.png)

1. On the **Action** menu, click **Properties** to open the properties dialog box for the group.

1. Select the **Members** tab and click **Add**.

1. For **Enter the object names to select**, type the username you want to add and click **OK**. The name will be displayed in the **Members** list. Click **OK** again to update the group membership.

1. Verify that the user is now a member of the group by selecting the user in the **Users** folder and clicking **Properties** in the **Action** menu to open the properties dialog box. Select the **Member Of** tab. You should see the name of the group in the list of groups that the user belongs to.

# Simple AD quotas
<a name="simple_ad_limits"></a>

Generally, you should not add more than 500 users to a Small Simple AD directory and no more than 5,000 users to a Large Simple AD directory. For more flexible scaling options and additional Active Directory features, consider using AWS Directory Service for Microsoft Active Directory (Standard Edition or Enterprise Edition) instead.

The following are the default quotas for Simple AD. Each quota is per Region unless otherwise noted.

**Simple AD quotas**  

| Resource | Default quota | 
| --- | --- | 
| Simple AD directories | 10 | 
| Manual snapshots \* | 5 per Simple AD | 

\* The manual snapshot quota cannot be changed.

**Note**  
You cannot attach a public IP address to your AWS elastic network interface (ENI).

# Troubleshooting Simple AD
<a name="simple_ad_troubleshooting"></a>

The following can help you troubleshoot some common problems you might encounter when creating or using your Simple AD Active Directory.

**Topics**
+ [Password recovery](#simple_ad_tshoot_password_recovery)
+ [I receive a 'KDC can't fulfill requested option' error when adding a user to Simple AD](#kdc_requested_option)
+ [I am not able to update the DNS name or IP address of an instance joined to my domain (DNS dynamic update)](#dns_dynamic_updates)
+ [I can't log onto SQL Server using a SQL Server account](#sql_login_fail)
+ [My Simple AD is stuck in the 'Requested' state](#stuck_in_requested1)
+ [I receive an 'AZ constrained' error when I create a Simple AD](#contrained_az1)
+ [Some of my users can't authenticate with my Simple AD](#kerberos_preauth1)
+ [Additional resources](#troubleshoot_general_resources)
+ [Troubleshooting Simple AD directory status messages](simple_ad_troubleshooting_reasons.md)

## Password recovery
<a name="simple_ad_tshoot_password_recovery"></a>

If a user forgets a password or is having trouble signing in to your Simple AD directory, you can reset their password using either the AWS Management Console, PowerShell or the AWS CLI.

For more information, see [Resetting a Simple AD user password](simple_ad_manage_users_groups_reset_password.md).

## I receive a 'KDC can't fulfill requested option' error when adding a user to Simple AD
<a name="kdc_requested_option"></a>

This can occur when the Samba CLI client does not correctly send the `net` commands to all domain controllers. If you see this error message when using the `net ads` command to add a user to your Simple AD directory, use the `-S` argument and specify the IP address of one of your domain controllers. If you still see the error, try the other domain controller. You can also use the Active Directory Administration Tools to add users to your directory. For more information, see [Installing the Active Directory Administration Tools for Simple AD](simple_ad_install_ad_tools.md).

## I am not able to update the DNS name or IP address of an instance joined to my domain (DNS dynamic update)
<a name="dns_dynamic_updates"></a>

DNS dynamic updates are not supported in Simple AD domains. You can instead make the changes directly by connecting to your directory using DNS Manager on an instance that is joined to your domain.

## I can't log onto SQL Server using a SQL Server account
<a name="sql_login_fail"></a>

You might receive an error if you attempt to use SQL Server Management Studio (SSMS) with a SQL Server account to log into SQL Server running on a Windows 2012 R2 Amazon EC2 instance. The issue occurs when SSMS runs as a domain user and can result in the error `Login failed for user`, even when valid credentials are provided. This is a known issue and AWS is actively working to resolve it.

To work around the issue, you can log into SQL Server with Windows Authentication instead of SQL Authentication. Or launch SSMS as a local user instead of a Simple AD domain user. 

## My Simple AD is stuck in the 'Requested' state
<a name="stuck_in_requested1"></a>

If you have a Simple AD that has been in the `Requested` state for more than five minutes, try deleting the directory and recreating it. If this problem persists, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## I receive an 'AZ constrained' error when I create a Simple AD
<a name="contrained_az1"></a>

Some AWS accounts created before 2012 might have access to Availability Zones in the US East (N. Virginia), US West (N. California), or Asia Pacific (Tokyo) Region that do not support Directory Service directories. If you receive an error such as this when creating a directory, choose a subnet in a different Availability Zone and try to create the directory again.

## Some of my users can't authenticate with my Simple AD
<a name="kerberos_preauth1"></a>

Your user accounts must have Kerberos preauthentication enabled. This is the default setting for new user accounts, and it should not be modified. For more information about this setting, go to [Preauthentication](http://technet.microsoft.com/en-us/library/cc961961.aspx) on Microsoft TechNet.

## Additional resources
<a name="troubleshoot_general_resources"></a>

The following resources can help you troubleshoot as you work with AWS.
+ **[AWS Knowledge Center](https://aws.amazon.com/premiumsupport/knowledge-center/)**–Find FAQs and links to other resources to help you troubleshoot issues.
+ **[AWS Support Center](https://console.aws.amazon.com/support/home#/)**–Get technical support.
+ **[AWS Premium Support Center](https://aws.amazon.com/premiumsupport/)**–Get premium technical support.

# Troubleshooting Simple AD directory status messages
<a name="simple_ad_troubleshooting_reasons"></a>

When a Simple AD is impaired or inoperable, the directory status message contains additional information. The status message is displayed in the Directory Service console, or returned in the [StageReason](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DirectoryDescription.html#ADS-Type-DirectoryDescription-StageReason) member by the [DescribeDirectories](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDirectories.html) API. For more information about the directory status, see [Understanding your AWS Managed Microsoft AD directory status](ms_ad_directory_status.md).

The following are the status messages for a Simple AD directory:

**Topics**
+ [The directory service's elastic network interface is not attached](#sr_eni_detached)
+ [Issue(s) detected by instance](#sr_internal_error)
+ [The critical Directory Service reserved user is missing from the directory](#sr_service_account_missing)
+ [The critical Directory Service reserved user needs to belong to the Domain Admins group](#sr_service_account_not_admin)
+ [The critical Directory Service reserved user is disabled](#sr_service_account_disabled)
+ [The main domain controller does not have all FSMO roles](#sr_dc_fsmo_role)
+ [Domain controller replication failures](#sr_dc_repl_failures)

## The directory service's elastic network interface is not attached
<a name="sr_eni_detached"></a>

**Description**  
The critical elastic network interface (ENI) that was created on your behalf during directory creation to establish network connectivity with your VPC is not attached to the directory instance. AWS applications backed by this directory will not be functional. Your directory cannot connect to your on-premises network.

**Troubleshooting**  
If the ENI is detached but still exists, contact Support. If the ENI is deleted, there is no way to resolve the issue and your directory is permanently unusable. You must delete the directory and create a new one. 

## Issue(s) detected by instance
<a name="sr_internal_error"></a>

**Description**  
An internal error was detected by the instance. This usually signifies that the monitoring service is actively attempting to recover the impaired instances.

**Troubleshooting**  
In most cases, this is a transient issue, and the directory eventually returns to the Active state. If the problem persists, contact Support for more assistance.

## The critical Directory Service reserved user is missing from the directory
<a name="sr_service_account_missing"></a>

**Description**  
When a Simple AD is created, Directory Service creates a service account in the directory with the name `AWSAdminD-xxxxxxxxx`. This error is received when this service account cannot be found. Without this account, Directory Service cannot perform administrative functions on the directory, rendering the directory unusable. 

**Troubleshooting**  
To correct this issue, restore the directory to a snapshot that was created before the service account was deleted. Automatic snapshots of your Simple AD directory are taken once a day. If more than five days have passed since this account was deleted, you may not be able to restore the directory to a state in which this account exists. If you are not able to restore the directory from a snapshot in which this account exists, your directory may become permanently unusable. If this is the case, you must delete your directory and create a new one. 

## The critical Directory Service reserved user needs to belong to the Domain Admins group
<a name="sr_service_account_not_admin"></a>

**Description**  
When a Simple AD is created, Directory Service creates a service account in the directory with the name `AWSAdminD-xxxxxxxxx`. This error is received when this service account is not a member of the `Domain Admins` group. Membership in this group gives Directory Service the privileges it needs to perform maintenance and recovery operations, such as transferring FSMO roles, domain-joining new directory controllers, and restoring from snapshots.

**Troubleshooting**  
Use the Active Directory Users and Computers tool to re-add the service account to the `Domain Admins` group. 

## The critical Directory Service reserved user is disabled
<a name="sr_service_account_disabled"></a>

**Description**  
When a Simple AD is created, Directory Service creates a service account in the directory with the name `AWSAdminD-xxxxxxxxx`. This error is received when this service account is disabled. This account must be enabled so that Directory Service can perform maintenance and recovery operations on the directory. 

**Troubleshooting**  
Use the Active Directory Users and Computers tool to re-enable the service account. 
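The three reserved-user status reasons above (missing, not in `Domain Admins`, disabled) can be checked from outside the console with one LDAP search. The following is an added example, not AWS code; it assumes the account name begins with `AWSAdminD-` (the suffix differs per directory), that the directory is queried over plain LDAP, and, for the live query, that the third-party `ldap3` library is available. The sample entries at the bottom are constructed.

```python
"""Health check for the Simple AD reserved service account, mirroring the
three status reasons: missing, not in Domain Admins, disabled.

Added example, not AWS code. Assumes the account name starts with
"AWSAdminD-" (the suffix differs per directory) and that the directory is
queried over plain LDAP. Sample data below is constructed, not from a real
directory."""

ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled account


def check_reserved_user(entries, domain_admins_dn):
    """entries: list of (dn, attributes) for objects matching
    (sAMAccountName=AWSAdminD-*); attribute values are lists, as LDAP
    libraries return them. Returns problem strings; empty means healthy."""
    if not entries:
        return ["reserved user is missing from the directory"]
    problems = []
    _dn, attrs = entries[0]
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    if uac & ACCOUNTDISABLE:
        problems.append("reserved user is disabled")
    # memberOf lists direct memberships only; nested or primary-group
    # membership is not evaluated here.
    member_of = {m.lower() for m in attrs.get("memberOf", [])}
    if domain_admins_dn.lower() not in member_of:
        problems.append("reserved user is not a member of Domain Admins")
    return problems


def fetch_reserved_user(conn, base_dn):
    """Run the search with an already-bound ldap3 Connection (third-party
    library, assumed available) and return entries in the expected shape."""
    conn.search(base_dn, "(sAMAccountName=AWSAdminD-*)",
                attributes=["userAccountControl", "memberOf"])
    return [(e.entry_dn, {k: list(v) for k, v in e.entry_attributes_as_dict.items()})
            for e in conn.entries]


# Constructed sample data; 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
BASE_DN = "DC=corp,DC=example,DC=com"
DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users," + BASE_DN
SERVICE_DN = "CN=AWSAdminD-XXXXXXXXX,CN=Users," + BASE_DN
HEALTHY = [(SERVICE_DN, {"userAccountControl": ["66048"],
                         "memberOf": [DOMAIN_ADMINS_DN]})]
DISABLED_AND_DEMOTED = [(SERVICE_DN, {"userAccountControl": ["66050"],
                                      "memberOf": ["CN=Users,CN=Builtin," + BASE_DN]})]
```

Running the check against daily output makes an accidental deletion or group change visible well inside the five-day snapshot window the troubleshooting step depends on.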

## The main domain controller does not have all FSMO roles
<a name="sr_dc_fsmo_role"></a>

**Description**  
Not all of the FSMO roles are owned by the Simple AD directory controller. Directory Service cannot guarantee certain behavior and functionality if the FSMO roles do not belong to the correct Simple AD directory controller.

**Troubleshooting**  
Use Active Directory tools to move the FSMO roles back to the original working directory controller. For more information about moving the FSMO roles, go to [https://docs.microsoft.com/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds](https://docs.microsoft.com/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds). If this does not correct the problem, please contact Support for more assistance.
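Which controller holds each FSMO role can be read over LDAP before and after a transfer, which is useful for confirming that the move succeeded. The following is an added example, not AWS code; it assumes the standard Active Directory placement of the five role-holder objects, that `fSMORoleOwner` carries the DN of the owner's NTDS Settings object, and, for the live read, a bound third-party `ldap3` connection. The sample DN at the bottom is constructed.

```python
"""Read which directory controller holds each FSMO role by inspecting the
fSMORoleOwner attribute of the objects that record them. Added example, not
AWS code; assumes standard AD placement of those objects and that the value
is the DN "CN=NTDS Settings,CN=<server>,CN=Servers,...". Samples are constructed."""

# Object whose fSMORoleOwner attribute names the holder of each role.
ROLE_OBJECTS = {
    "PDCEmulator": "{domain}",
    "RIDMaster": "CN=RID Manager$,CN=System,{domain}",
    "InfrastructureMaster": "CN=Infrastructure,{domain}",
    "SchemaMaster": "CN=Schema,CN=Configuration,{forest}",
    "DomainNamingMaster": "CN=Partitions,CN=Configuration,{forest}",
}


def role_object_dns(domain_dn, forest_dn=None):
    """Map role name to the DN to read; a Simple AD forest has one domain."""
    forest_dn = forest_dn or domain_dn
    return {r: t.format(domain=domain_dn, forest=forest_dn) for r, t in ROLE_OBJECTS.items()}


def owner_server(ntds_dn):
    """Server name from an NTDS Settings DN, or None when the value is empty or
    points at a deleted object (\\0ADEL: marker). Assumes no escaped commas."""
    rdns = [r.strip() for r in ntds_dn.split(",")]
    if len(rdns) < 2 or "\\0ADEL:" in ntds_dn:
        return None
    return rdns[1].split("=", 1)[1]


def check_fsmo(owners, expected_dc):
    """owners: {role: fSMORoleOwner value}. Empty result means all roles sit on expected_dc."""
    problems = []
    for role, dn in owners.items():
        srv = owner_server(dn)
        if srv is None:
            problems.append(f"{role}: owner object is missing or deleted")
        elif srv.upper() != expected_dc.upper():
            problems.append(f"{role}: held by {srv}, expected {expected_dc}")
    return problems


def fetch_owners(conn, domain_dn, forest_dn=None):
    """Base-scope read of fSMORoleOwner per role with a bound ldap3 Connection."""
    owners = {}
    for role, dn in role_object_dns(domain_dn, forest_dn).items():
        conn.search(dn, "(objectClass=*)", search_scope="BASE", attributes=["fSMORoleOwner"])
        owners[role] = str(conn.entries[0].fSMORoleOwner) if conn.entries else ""
    return owners


DOMAIN_DN = "DC=corp,DC=example,DC=com"
DC1_NTDS = "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration," + DOMAIN_DN
```

A role whose owner resolves to a deleted object is the case the linked Microsoft article covers under seizing rather than transferring.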

## Domain controller replication failures
<a name="sr_dc_repl_failures"></a>

**Description**  
The Simple AD directory controllers are failing to replicate with one another. This can be caused by one or more of the following issues:  
+ The security groups for the directory controllers do not have the correct ports open.
+ The network ACLs are too restrictive.
+ The VPC route table is not routing network traffic between the directory controllers correctly.
+ Another instance has been promoted to a domain controller in the directory.

**Troubleshooting**  
For more information about your VPC network requirements, see either AWS Managed Microsoft AD [Prerequisites for creating an AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_prereqs), AD Connector [AD Connector prerequisites](ad_connector_getting_started.md#prereq_connector), or Simple AD [Simple AD prerequisites](simple_ad_getting_started.md#prereq_simple). If there is an unknown domain controller in your directory, you must demote it. If your VPC network setup is correct but the error persists, please contact Support for more assistance. 