

# Ways to join an Amazon EC2 instance to your AWS Managed Microsoft AD
<a name="ms_ad_join_instance"></a>

You can seamlessly join an Amazon EC2 instance to your Active Directory domain when the instance is launched. For more information, see [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md). You can also launch an EC2 instance and join it to an Active Directory domain directly from the Directory Service console with [AWS Systems Manager Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html).

If you need to manually join an EC2 instance to your Active Directory domain, you must launch the instance in the proper Region and security group or subnet, then join the instance to the domain.

To be able to connect remotely to these instances, you must have IP connectivity to the instances from the network you are connecting from. In most cases, this requires that an internet gateway be attached to your VPC and that the instance has a public IP address.

**Topics**
+ [Launching a directory administration instance in your AWS Managed Microsoft AD Active Directory](console_instance.md)
+ [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md)
+ [Joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory](joining_linux_instance.md)
+ [Joining an Amazon EC2 Mac instance to your AWS Managed Microsoft AD Active Directory](join_mac_instance.md)
+ [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md)
+ [Creating or changing a DHCP options set for AWS Managed Microsoft AD](dhcp_options_set.md)

# Launching a directory administration instance in your AWS Managed Microsoft AD Active Directory
<a name="console_instance"></a>

This procedure launches an Amazon EC2 directory administration Windows instance in the AWS Management Console using AWS Systems Manager Automation to manage your directories. You can also accomplish this by running the automation [AWS-CreateDSManagementInstance](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-create-ds-management-instance.html) in the AWS Systems Manager Automation console directly.

For more information, see the following links:
+ [Simplifying Active Directory domain join with AWS Systems Manager](https://aws.amazon.com/blogs//modernizing-with-aws/simplifying-active-directory-domain-join-with-aws-systems-manager-2/)
+ [How do I use AWS Systems Manager to join a running EC2 Windows instance to my Directory Service domain?](https://repost.aws/knowledge-center/ec2-systems-manager-dx-domain)

## Prerequisites
<a name="console_instance_prereqs"></a>

The following prerequisites are required to complete this tutorial:
+ You will need to set up AWS Systems Manager. For more information, see [Setting up AWS Systems Manager](https://docs.aws.amazon.com//systems-manager/latest/userguide/systems-manager-setting-up-console.html).
+ You will need an [IAM instance profile role](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) that grants the permissions Systems Manager and AWS Managed Microsoft AD require.
  + For more information on Systems Manager, see [Configure instance permissions required for Systems Manager](https://docs.aws.amazon.com//systems-manager/latest/userguide/setup-instance-permissions.html).
  + The IAM instance role needs the following AWS managed policies so your EC2 directory administration Windows instance can domain join your AWS Managed Microsoft AD:
    + **`AmazonSSMManagedInstanceCore`**
    + **`AmazonSSMDirectoryServiceAccess`**
+ The VPC connected to your AWS Managed Microsoft AD needs to allow access to public Directory Service endpoints. For more information, see [Prerequisites for creating an AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_prereqs).
+ You must have the following permissions enabled in your account to launch a directory administration EC2 instance from the console:
  + `ds:DescribeDirectories`
  + `ec2:AuthorizeSecurityGroupIngress`
  + `ec2:CreateSecurityGroup`
  + `ec2:CreateTags`
  + `ec2:DeleteSecurityGroup`
  + `ec2:DescribeInstances`
  + `ec2:DescribeInstanceStatus`
  + `ec2:DescribeKeyPairs`
  + `ec2:DescribeSecurityGroups`
  + `ec2:DescribeVpcs`
  + `ec2:RunInstances`
  + `ec2:TerminateInstances`
  + `iam:AddRoleToInstanceProfile`
  + `iam:AttachRolePolicy`
  + `iam:CreateInstanceProfile`
  + `iam:CreateRole`
  + `iam:DeleteInstanceProfile`
  + `iam:DeleteRole`
  + `iam:DetachRolePolicy`
  + `iam:GetInstanceProfile`
  + `iam:GetRole`
  + `iam:ListAttachedRolePolicies`
  + `iam:ListInstanceProfiles`
  + `iam:ListInstanceProfilesForRole`
  + `iam:PassRole`
  + `iam:RemoveRoleFromInstanceProfile`
  + `iam:TagInstanceProfile`
  + `iam:TagRole`
  + `ssm:CreateDocument`
  + `ssm:DeleteDocument`
  + `ssm:DescribeInstanceInformation`
  + `ssm:GetAutomationExecution`
  + `ssm:GetParameters`
  + `ssm:ListCommandInvocations`
  + `ssm:ListCommands`
  + `ssm:ListDocuments`
  + `ssm:SendCommand`
  + `ssm:StartAutomationExecution`
  + `ssm:GetDocument`

## Launching a directory administration EC2 instance in the AWS Management Console
<a name="console_instance_launch"></a>

1. Sign in to the [Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. Under **Active Directory**, choose **Directories**.

1. Choose the **Directory ID** of the directory where you want to launch a directory administration EC2 instance.

1. On the directory page, in the top right corner, choose **Actions**.

1. In the **Actions** dropdown list, choose **Launch directory administration EC2 instance**.

1. On the **Launch directory administration EC2 instance** page, under **Input parameters**, complete the fields.

   1. (Optional) You can provide a key pair for the instance. From the **Key Pair Name - *optional*** dropdown list, select a key pair.

   1. (Optional) Choose **View AWS CLI command** to see an example AWS CLI command that runs this automation.

1. Choose **Submit**.

1. You're taken back to the directory page. A green flashbar displays at the top of your screen to indicate that you successfully began the launch.

## Viewing directory administration EC2 instance
<a name="view_console_instances"></a>

If you haven't launched any EC2 instances for a directory, a dash (**-**) displays under **Directory administration EC2 instance**.

1. Under **Active Directory**, choose **Directories** and select the directory you want to view. 

1. Under **Directory details**, under **Directory administration EC2 instance**, choose one or all of your instances to view.

1. When you choose an instance, you're routed to the EC2 **Connect to instance** page to connect a remote desktop to your instance.

# Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory
<a name="launching_instance"></a>

You can launch and join an Amazon EC2 Windows instance to an AWS Managed Microsoft AD. Alternatively, you can manually join an existing EC2 Windows instance to an AWS Managed Microsoft AD.

------
#### [ Seamlessly join EC2 Windows instance ]

This procedure seamlessly joins an Amazon EC2 Windows instance to your AWS Managed Microsoft AD. If you need to perform seamless domain join across multiple AWS accounts, see [Tutorial: Sharing your AWS Managed Microsoft AD directory for seamless EC2 domain-join](ms_ad_tutorial_directory_sharing.md). For more information about Amazon EC2, see [What is Amazon EC2?](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html).

**Prerequisites**

To seamlessly domain join an EC2 instance, you will need to complete the following: 
+ Have an AWS Managed Microsoft AD. To learn more, see [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ You'll need the following IAM permissions to seamlessly join an EC2 Windows instance:
  + IAM Instance Profile with the following IAM permissions:
    + `AmazonSSMManagedInstanceCore`
    + `AmazonSSMDirectoryServiceAccess`
  + The user performing the seamless domain join of the EC2 instance to the AWS Managed Microsoft AD needs the following IAM permissions:
    + Directory Service Permissions:
      + `"ds:DescribeDirectories"`
      + `"ds:CreateComputer"`
    + Amazon VPC Permissions:
      + `"ec2:DescribeVpcs"`
      + `"ec2:DescribeSubnets"`
      + `"ec2:DescribeNetworkInterfaces"`
      + `"ec2:CreateNetworkInterface"`
      + `"ec2:AttachNetworkInterface"`
    + EC2 Permissions:
      + `"ec2:DescribeInstances"`
      + `"ec2:DescribeImages"`
      + `"ec2:DescribeInstanceTypes"`
      + `"ec2:RunInstances"`
      + `"ec2:CreateTags"`
    + AWS Systems Manager Permissions:
      + `"ssm:DescribeInstanceInformation"`
      + `"ssm:SendCommand"`
      + `"ssm:GetCommandInvocation"`
      + `"ssm:CreateBatchAssociation"`

+ When your AWS Managed Microsoft AD is created, a security group is created with inbound and outbound rules. To learn more about these rules and ports, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md). To seamlessly domain join an EC2 Windows instance, the VPC where you launch your instance should allow the same ports allowed in your AWS Managed Microsoft AD security group's inbound and outbound rules.
  + Depending on your network security and firewall settings, you might be required to allow additional outbound traffic. This traffic would be for HTTPS (port 443) to the following endpoints:

    [See the AWS documentation website for more details](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html)
+ We recommend using a DNS server that resolves your AWS Managed Microsoft AD domain name. To do so, you can create a DHCP options set. See [Creating or changing a DHCP options set for AWS Managed Microsoft AD](dhcp_options_set.md) for more information.
  + If you choose not to create a DHCP options set, your DNS servers will need to be statically configured to point to your AWS Managed Microsoft AD.

**To seamlessly join an Amazon EC2 Windows instance**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation bar, choose the same AWS Region as the existing directory.

1. On the **EC2 Dashboard**, in the **Launch instance** section, choose **Launch instance**.

1. On the **Launch an instance** page, under the **Name and Tags** section, enter the name you would like to use for your Windows EC2 instance.

1.  (Optional) Choose **Add additional tags** to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance. 

1. In the **Application and OS Image (Amazon Machine Image)** section, choose **Windows** in the **Quick Start** pane. You can change the Windows Amazon Machine Image (AMI) from the **Amazon Machine Image (AMI)** dropdown list. 

1. In the **Instance type** section, choose the instance type you would like to use from **Instance type** dropdown list.

1. In the **Key pair (login)** section, you can either choose to create a new key pair or choose from an existing key pair.

   1. To create a new key pair, choose **Create new key pair**.

   1. Enter a name for the key pair and select an option for the **Key pair type** and **Private key file format**.

   1.  To save the private key in a format that can be used with OpenSSH, choose **.pem**. To save the private key in a format that can be used with PuTTY, choose **.ppk**.

   1. Choose **Create key pair**.

   1. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

1. On the **Launch an instance** page, under the **Network settings** section, choose **Edit**. Choose the VPC that your directory was created in from the **VPC - *required*** dropdown list.

1. Choose one of the public subnets in your VPC from the **Subnet** dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

   For more information on how to connect to an internet gateway, see [Connect to the internet using an internet gateway](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

1. Under **Auto-assign public IP**, choose **Enable**.

   For more information about public and private IP addressing, see [Amazon EC2 instance IP addressing](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-instance-addressing.html) in the *Amazon EC2 User Guide*.

1. For **Firewall (security groups)** settings, you can use the default settings or make changes to meet your needs. 

1. For **Configure storage** settings, you can use the default settings or make changes to meet your needs.

1. Expand the **Advanced details** section and choose your domain from the **Domain join directory** dropdown list.
**Note**  
After choosing the Domain join directory, you may see:   

![\[An error message when selecting your Domain join directory. There is an error with your existing SSM document.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/SSM-Error-Message.png)

This error occurs if the EC2 launch wizard identifies an existing SSM document with unexpected properties. You can do one of the following:  
+ If you previously edited the SSM document and the properties are expected, choose **Close** and proceed to launch the EC2 instance with no changes.
+ Choose the **delete the existing SSM document here** link to delete the SSM document. This allows an SSM document with the correct properties to be created; it is created automatically when you launch the EC2 instance.

1. For **IAM instance profile**, you can select an existing IAM instance profile or create a new one. From the **IAM instance profile** dropdown list, select an IAM instance profile that has the AWS managed policies **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess** attached to it. To create a new one, choose the **Create new IAM profile** link, and then do the following: 

   1. Choose **Create role**.

   1. Under **Select trusted entity**, choose **AWS service**.

   1. Under **Use case**, choose **EC2**.

   1.  Under **Add permissions**, in the list of policies, select the **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess** policies. To filter the list, type **SSM** in the search box. Choose **Next**. 
**Note**  
**AmazonSSMDirectoryServiceAccess** provides the permissions to join instances to an Active Directory managed by Directory Service. **AmazonSSMManagedInstanceCore** provides the minimum permissions necessary to use the AWS Systems Manager service. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*.

   1. On the **Name, review, and create** page, enter a **Role name**. You will need this role name to attach to the EC2 instance.

   1. (Optional) You can provide a description of the IAM instance profile in the **Description** field.

   1. Choose **Create role**.

   1.  Return to **Launch an instance** page and choose the refresh icon next to the **IAM instance profile**. Your new IAM instance profile should be visible in the **IAM instance profile** dropdown list. Choose the new profile and leave the rest of the settings with their default values. 

1. Choose **Launch instance**.

------
#### [ Manually join EC2 Windows instance ]

To manually join an existing Amazon EC2 Windows instance to an AWS Managed Microsoft AD Active Directory, the instance must be launched using the parameters as specified in [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](#launching_instance).

You will need the IP addresses of the AWS Managed Microsoft AD DNS servers. This information can be found under **Directory Services** > **Directories** > the **Directory ID** link for your directory > **Directory details** and **Networking & Security** sections.

![\[On the Directory Service console on the directory details page, the IP addresses of the Directory Service provided DNS servers are highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/directory_details_highlighted.png)


**To join a Windows instance to an AWS Managed Microsoft AD Active Directory**

1. Connect to the instance using any Remote Desktop Protocol client.

1. Open the TCP/IPv4 properties dialog box on the instance.

   1. Open **Network Connections**.
**Tip**  
You can open **Network Connections** directly by running the following from a command prompt on the instance.  

      ```
      %SystemRoot%\system32\control.exe ncpa.cpl
      ```

   1. Open the context menu (right-click) for any enabled network connection and then choose **Properties**.

   1. In the connection properties dialog box, open (double-click) **Internet Protocol Version 4**.

1. Select **Use the following DNS server addresses**, change the **Preferred DNS server** and **Alternate DNS server** addresses to the IP addresses of your AWS Managed Microsoft AD-provided DNS servers, and choose **OK**.  
![\[The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box with the preferred DNS server and alternative DNS server fields highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/dns_server_addresses.png)

1. Open the **System Properties** dialog box for the instance, select the **Computer Name** tab, and choose **Change**.
**Tip**  
You can open the **System Properties** dialog box directly by running the following from a command prompt on the instance.  

   ```
   %SystemRoot%\system32\control.exe sysdm.cpl
   ```

1. In the **Member of** field, select **Domain**, enter the fully qualified name of your AWS Managed Microsoft AD Active Directory, and choose **OK**.

1. When prompted for the name and password for the domain administrator, enter the username and password of an account that has domain join privileges. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).
**Note**  
You can enter either the fully qualified name of your domain or the NetBIOS name, followed by a backslash (\\), and then the username. The username would be **Admin**. For example, **corp.example.com\\admin** or **corp\\admin**.

1. After you receive the message welcoming you to the domain, restart the instance to have the changes take effect.

Now that your instance has been joined to the AWS Managed Microsoft AD Active Directory domain, you can log into that instance remotely and install utilities to manage the directory, such as adding users and groups. The Active Directory Administration Tools can be used to create users and groups. For more information, see [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md).
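The manual steps above can also be run from an elevated PowerShell session on the instance. This is an added example, not code from the AWS documentation; the DNS server addresses are constructed placeholders you replace with the values from your directory details page, and `corp.example.com` stands for your directory's fully qualified domain name.

```powershell
# Added example: scripted equivalent of the manual Windows domain join procedure above.
# Placeholders (assumptions, not values from your environment): replace the DNS IPs with the
# addresses shown under Directory details > Networking & Security, and the FQDN with your own.
$DirectoryDnsServers = @('10.0.0.10', '10.0.1.10')   # constructed placeholder IPs
$DomainFqdn          = 'corp.example.com'             # FQDN of your AWS Managed Microsoft AD
$JoinAccount         = "$DomainFqdn\Admin"            # or an account delegated join privileges

# Steps 2-3: point the active adapter's DNS client at the directory-provided DNS servers so the
# instance can locate the domain controllers (the VPC default resolver cannot).
$Adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $DirectoryDnsServers

# Check before joining: the DC locator SRV record must resolve through the new servers. If this
# fails, review the security group and subnet rules between the instance and the directory
# before retrying; a join attempt without DC resolution only produces a misleading error.
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV `
                       -Server $DirectoryDnsServers[0] -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
Write-Host "Domain controllers located: $($Srv.NameTarget -join ', ')"

# Steps 4-7: join the domain. The credential prompt replaces typing the name and password in the
# System Properties dialog; -Restart performs the reboot the welcome message asks for.
$Credential = Get-Credential -UserName $JoinAccount -Message 'Account with domain join privileges'
Add-Computer -DomainName $DomainFqdn -Credential $Credential -Restart -Force
```

After the restart, running `Test-ComputerSecureChannel -Verbose` on the instance confirms that the new computer account has a working secure channel to a domain controller.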

**Note**  
You can also use Amazon Route 53 to process DNS queries instead of manually changing the DNS addresses on your Amazon EC2 instances. For more information, see [Integrating your Directory Service's DNS resolution with Amazon Route 53 Resolver](https://aws.amazon.com/blogs//networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/) and [ Forwarding outbound DNS queries to your network](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-forwarding-outbound-queries).

------

# Joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory
<a name="joining_linux_instance"></a>

You can launch and join an EC2 Linux instance to your AWS Managed Microsoft AD in the AWS Management Console. You can also manually join an EC2 Linux instance to your AWS Managed Microsoft AD, or use tools like Winbind to domain join an EC2 Linux instance to your AWS Managed Microsoft AD.

The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 and 8 do not support the seamless domain join feature.

**Topics**
+ [Seamlessly joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory](seamlessly_join_linux_instance.md)
+ [Seamlessly joining an Amazon EC2 Linux instance to a shared AWS Managed Microsoft AD](seamlessly_join_linux_to_shared_MAD.md)
+ [Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory](join_linux_instance.md)
+ [Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory using Winbind](join_linux_instance_winbind.md)

# Seamlessly joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory
<a name="seamlessly_join_linux_instance"></a>

This procedure seamlessly joins an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory. To complete this procedure, you will need to create an AWS Secrets Manager secret which can incur additional costs. For more information, see [AWS Secrets Manager Pricing](https://aws.amazon.com/secrets-manager/pricing/).

If you need to perform seamless domain join across multiple AWS accounts, you can optionally choose to enable [Directory sharing](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html).

The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 and 8 do not support the seamless domain join feature.

For a demonstration on the process of seamlessly joining a Linux instance to your AWS Managed Microsoft AD Active Directory, see the following YouTube video.

[![AWS Videos](https://img.youtube.com/vi/NNUtdVVZVxU/0.jpg)](https://www.youtube.com/watch?v=NNUtdVVZVxU)


## Prerequisites
<a name="seamless-linux-prereqs"></a>

Before you can set up seamless domain join to an EC2 Linux instance, you need to complete the procedures in these sections.

### Networking prerequisites for seamless domain join
<a name="linux-domain-join-networking-prereqs"></a>

To seamlessly domain join an EC2 Linux instance, you will need to complete the following: 
+ Have an AWS Managed Microsoft AD. To learn more, see [Creating your AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ You'll need the following IAM permissions to seamlessly join an EC2 Linux instance:
  + IAM Instance Profile with the following IAM permissions:
    + `AmazonSSMManagedInstanceCore`
    + `AmazonSSMDirectoryServiceAccess`
  + The user performing the seamless domain join of the EC2 instance to the AWS Managed Microsoft AD needs the following IAM permissions:
    + Directory Service Permissions:
      + `"ds:DescribeDirectories"`
      + `"ds:CreateComputer"`
    + Amazon VPC Permissions:
      + `"ec2:DescribeVpcs"`
      + `"ec2:DescribeSubnets"`
      + `"ec2:DescribeNetworkInterfaces"`
      + `"ec2:CreateNetworkInterface"`
      + `"ec2:AttachNetworkInterface"`
    + EC2 Permissions:
      + `"ec2:DescribeInstances"`
      + `"ec2:DescribeImages"`
      + `"ec2:DescribeInstanceTypes"`
      + `"ec2:RunInstances"`
      + `"ec2:CreateTags"`
    + AWS Systems Manager Permissions:
      + `"ssm:DescribeInstanceInformation"`
      + `"ssm:SendCommand"`
      + `"ssm:GetCommandInvocation"`
      + `"ssm:CreateBatchAssociation"`
+ When your AWS Managed Microsoft AD is created, a security group is created with inbound and outbound rules. To learn more about these rules and ports, see [What gets created with your AWS Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md). To seamlessly domain join an EC2 Linux instance, the VPC where you launch your instance should allow the same ports allowed in your AWS Managed Microsoft AD security group's inbound and outbound rules.
  + Depending on your network security and firewall settings, you might be required to allow additional outbound traffic. This traffic would be for HTTPS (port 443) to the following endpoints:

    [See the AWS documentation website for more details](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/seamlessly_join_linux_instance.html)
+ We recommend using a DNS server that resolves your AWS Managed Microsoft AD domain name. To do so, you can create a DHCP options set. See [Creating or changing a DHCP options set for AWS Managed Microsoft AD](dhcp_options_set.md) for more information.
  + If you choose not to create a DHCP options set, your DNS servers will need to be statically configured to point to your AWS Managed Microsoft AD.

### Select your seamless domain join service account
<a name="seamless-linux-prereqs-select"></a>

You can seamlessly join Linux computers to your AWS Managed Microsoft AD Active Directory domain. To do that, you must use a user account with create computer account permissions to join the machines to the domain. Although members of the *AWS delegated administrators* or other groups might have sufficient privileges to join computers to the domain, we do not recommend using these. As a best practice, we recommend that you use a service account that has the minimum privileges necessary to join the computers to the domain. 

To delegate an account with the minimum privileges necessary to join the computers to the domain, you can run the following PowerShell commands. You must run these commands from a domain-joined Windows computer with the Active Directory Administration Tools installed (see [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md)). In addition, you must use an account that has permission to modify the permissions on your Computers OU or container. The PowerShell commands set permissions allowing the service account to create computer objects in your domain's default computers container.

```
$AccountName = 'awsSeamlessDomain'
# DO NOT modify anything below this comment.
# Getting Active Directory information.
Import-Module 'ActiveDirectory'
$Domain = Get-ADDomain -ErrorAction Stop
$BaseDn = $Domain.DistinguishedName
$ComputersContainer = $Domain.ComputersContainer
$SchemaNamingContext = Get-ADRootDSE | Select-Object -ExpandProperty 'schemaNamingContext'
[System.GUID]$ServicePrincipalNameGuid = (Get-ADObject -SearchBase $SchemaNamingContext -Filter { lDAPDisplayName -eq 'Computer' } -Properties 'schemaIDGUID').schemaIDGUID
# Getting Service account Information.
$AccountProperties = Get-ADUser -Identity $AccountName
$AccountSid = New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' $AccountProperties.SID.Value
# Getting ACL settings for the Computers container.
$ObjectAcl = Get-ACL -Path "AD:\$ComputersContainer"
# Setting ACL allowing the service account the ability to create child computer objects in the Computers container.
$AddAccessRule = New-Object -TypeName 'System.DirectoryServices.ActiveDirectoryAccessRule' $AccountSid, 'CreateChild', 'Allow', $ServicePrincipalNameGUID, 'All'
$ObjectAcl.AddAccessRule($AddAccessRule)
Set-ACL -AclObject $ObjectAcl -Path "AD:\$ComputersContainer"
```

If you prefer using a graphical user interface (GUI) you can use the manual process that is described in [Delegate privileges to your service account](ad_connector_getting_started.md#connect_delegate_privileges).
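Once the delegation is in place, it is worth confirming that the service account received exactly the CreateChild right on Computer objects and nothing broader, and that it is not also a member of a privileged group. The following audit script is an added example, not code from the AWS documentation; it assumes the same `awsSeamlessDomain` account name as the script above and the group names in `$PrivilegedGroups` are a starting list to adjust for your forest.

```powershell
# Added example: audit what the delegation script above granted, so the seamless-domain-join
# service account stays least-privilege. Run from a domain-joined admin workstation with the
# Active Directory module installed.
$AccountName = 'awsSeamlessDomain'   # same account as in the delegation script

Import-Module 'ActiveDirectory'
$Domain             = Get-ADDomain -ErrorAction Stop
$ComputersContainer = $Domain.ComputersContainer
$Account            = Get-ADUser -Identity $AccountName -Properties MemberOf

# Schema GUID of the Computer class: the only object type the service account's ACE should target.
$Schema       = (Get-ADRootDSE).schemaNamingContext
$ComputerGuid = [guid](Get-ADObject -SearchBase $Schema -Filter { lDAPDisplayName -eq 'Computer' } `
                                    -Properties 'schemaIDGUID').schemaIDGUID

# 1. Every ACE on the Computers container that names the service account.
$Acl  = Get-Acl -Path "AD:\$ComputersContainer"
$Aces = $Acl.Access | Where-Object { $_.IdentityReference -like "*\$AccountName" }
if (-not $Aces) {
    Write-Warning "No ACE for $AccountName on $ComputersContainer; the delegation has not been applied."
}
foreach ($Ace in $Aces) {
    # Expected shape: Allow, CreateChild only, scoped to Computer objects.
    $Expected = ($Ace.AccessControlType -eq 'Allow') -and
                ($Ace.ActiveDirectoryRights -eq 'CreateChild') -and
                ($Ace.ObjectType -eq $ComputerGuid)
    $Verdict = if ($Expected) { 'expected' } else { 'REVIEW: broader than CreateChild on Computer' }
    Write-Host ('{0,-30} {1,-25} {2} -> {3}' -f $Ace.IdentityReference, $Ace.ActiveDirectoryRights,
                                                 $Ace.ObjectType, $Verdict)
}

# 2. The page advises against using members of AWS delegated administrators or similar groups
#    as the join account; flag any such membership. Group names are a list to adjust (assumption).
$PrivilegedGroups = @('AWS Delegated Administrators', 'Domain Admins')
$Account.MemberOf |
    ForEach-Object { (Get-ADGroup -Identity $_).Name } |
    Where-Object { $PrivilegedGroups -contains $_ } |
    ForEach-Object { Write-Warning "$AccountName is a member of privileged group '$_'." }
```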

### Create the secrets to store the domain service account
<a name="-create-secrets"></a>

You can use AWS Secrets Manager to store the domain service account. For more information, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com//secretsmanager/latest/userguide/create_secret.html).

**Note**  
There are fees associated with Secrets Manager. For more information, see [Pricing](https://docs.aws.amazon.com//secretsmanager/latest/userguide/intro.html#asm_pricing) in the *AWS Secrets Manager User Guide*.

**To create secrets and store the domain service account information**

1. Sign in to the AWS Management Console and open the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. Choose **Store a new secret**. 

1. On the **Store a new secret** page, do the following:

   1. Under **Secret type**, choose **Other type of secrets**.

   1. Under **Key/value pairs**, do the following:

      1. In the first box, enter **awsSeamlessDomainUsername**. On the same row, in the next box, enter the username for your service account. For example, if you used the PowerShell command previously, the service account name would be **awsSeamlessDomain**.
**Note**  
You must enter **awsSeamlessDomainUsername** exactly as it is. Make sure there are no leading or trailing spaces. Otherwise the domain join will fail.   
![\[In the AWS Secrets Manager console on the choose a secret type page. Other type of secret is selected under secret type and awsSeamlessDomainUsername is entered as the key value.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/secrets_manager_1.png)

      1. Choose **Add row**.

      1. On the new row, in the first box, enter **awsSeamlessDomainPassword**. On the same row, in the next box, enter the password for your service account.
**Note**  
You must enter **awsSeamlessDomainPassword** exactly as it is. Make sure there are no leading or trailing spaces. Otherwise the domain join will fail. 

      1. Under **Encryption key**, leave the default value `aws/secretsmanager`. AWS Secrets Manager always encrypts the secret when you choose this option. You also may choose a key you created.

      1. Choose **Next**.

1. Under **Secret name**, enter a secret name that includes your directory ID using the following format, replacing *d-xxxxxxxxx* with your directory ID:

   ```
   aws/directory-services/d-xxxxxxxxx/seamless-domain-join
   ```

   This will be used to retrieve secrets in the application.
**Note**  
You must enter **aws/directory-services/*d-xxxxxxxxx*/seamless-domain-join** exactly as it is, but replace *d-xxxxxxxxx* with your directory ID. Make sure that there are no leading or trailing spaces. Otherwise the domain join will fail.   
![\[In the AWS Secrets Manager console on the configure secret page. The secret name is entered and highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/secrets_manager_2.png)

1. Leave everything else set to defaults, and then choose **Next**.

1. Under **Configure automatic rotation**, choose **Disable automatic rotation**, and then choose **Next**.

   You can turn on rotation for this secret after you store it.

1. Review the settings, and then choose **Store** to save your changes. The Secrets Manager console returns you to the list of secrets in your account with your new secret now included in the list. 

1. Choose your newly created secret name from the list, and take note of the **Secret ARN** value. You will need it in the next section.

### Turn on rotation for the domain service account secret
<a name="seamless-linux-prereqs-turn-on-rotation"></a>

We recommend that you regularly rotate secrets to improve your security posture. 

**To turn on rotation for the domain service account secret**
+ Follow the instructions in [Set up automatic rotation for AWS Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html) in the *AWS Secrets Manager User Guide*.

  For Step 5, use the rotation template [Microsoft Active Directory credentials](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#template-AD-password) in the *AWS Secrets Manager User Guide*.

  For help, see [Troubleshoot AWS Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.html) in the *AWS Secrets Manager User Guide*.

### Create the required IAM policy and role
<a name="seamless-linux-prereqs-create-policy"></a>

Use the following prerequisite steps to create a custom policy that allows read-only access to your Secrets Manager seamless domain join secret (which you created earlier), and to create a new LinuxEC2DomainJoin IAM role. 

#### Create the Secrets Manager IAM read policy
<a name="seamless-linux-prereqs-create-policy-step1"></a>

You use the IAM console to create a policy that grants read-only access to your Secrets Manager secret.

**To create the Secrets Manager IAM read policy**

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies. Then open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access Management**, choose **Policies**.

1. Choose **Create policy**.

1. Choose the **JSON** tab and copy the text from the following JSON policy document. Then paste it into the **JSON** text box.
**Note**  
Make sure you replace the Region and Resource ARN with the actual Region and ARN of the secret that you created earlier.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret"
               ],
               "Resource": [
                   "arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:aws/directory-services/d-xxxxxxxxx/seamless-domain-join"
               ]
           }
       ]
   }
   ```

1. When you are finished, choose **Next**. The policy validator reports any syntax errors. For more information, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html).

1. On the **Review policy** page, enter a policy name, such as **SM-Secret-Linux-DJ-*d-xxxxxxxxxx*-Read**. Review the **Summary** section to see the permissions that your policy grants. Then choose **Create policy** to save your changes. The new policy appears in the list of managed policies and is now ready to attach to an identity.

**Note**  
We recommend you create one policy per secret. Doing so ensures that instances only have access to the appropriate secret and minimizes the impact if an instance is compromised. 
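The following is an added example (not code from the AWS documentation) that encodes the rules from the secret-creation steps above and from this policy section: the exact `awsSeamlessDomainUsername` and `awsSeamlessDomainPassword` keys, the exact `aws/directory-services/d-xxxxxxxxx/seamless-domain-join` name, no stray whitespace, and one read-only policy scoped to a single secret. The directory ID format (a `d-` prefix followed by 10 hex characters) and every sample value in the `__main__` block are assumptions; the real Secret ARN is the one you noted from the console.

```python
"""Seamless-domain-join secret name, payload and read-only policy checks.

Added example, not code from the AWS documentation. The directory ID format
(a "d-" prefix followed by 10 hex characters) is an assumption, as are all
sample values in the __main__ block.
"""
import json
import re

# Keys the seamless domain join looks up inside the secret (from the procedure).
USERNAME_KEY = "awsSeamlessDomainUsername"
PASSWORD_KEY = "awsSeamlessDomainPassword"

# The only actions the instance role needs against the secret.
READ_ONLY_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret")

_DIRECTORY_ID = re.compile(r"^d-[0-9a-f]{10}$")  # assumption: d- plus 10 hex chars
_SECRET_ARN = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^*?]+$")


def secret_name(directory_id: str) -> str:
    """Return the exact secret name the domain-join plugin expects for this directory."""
    if not _DIRECTORY_ID.match(directory_id):
        raise ValueError(f"not a directory ID: {directory_id!r}")
    return f"aws/directory-services/{directory_id}/seamless-domain-join"


def secret_payload(username: str, password: str) -> str:
    """Return the secret's JSON string. Leading or trailing whitespace is rejected
    here because Secrets Manager accepts it and the join only fails later."""
    values = {USERNAME_KEY: username, PASSWORD_KEY: password}
    for key, value in values.items():
        if not value or value != value.strip():
            raise ValueError(f"{key} must be non-empty with no leading or trailing whitespace")
    return json.dumps(values)


def read_policy(secret_arn: str) -> dict:
    """Least-privilege policy for one secret, using the Secret ARN copied from the console."""
    if not _SECRET_ARN.match(secret_arn):
        raise ValueError("use the exact Secret ARN shown in the Secrets Manager console")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(READ_ONLY_ACTIONS), "Resource": [secret_arn]}
        ],
    }


def policy_is_scoped(policy: dict) -> bool:
    """True if every Allow statement is read-only and names exactly one secret,
    which is what the one-policy-per-secret recommendation above asks for."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(a not in READ_ONLY_ACTIONS for a in actions):
            return False
        if len(resources) != 1 or not _SECRET_ARN.match(resources[0]):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample values; in practice the ARN comes from the console.
    name = secret_name("d-1234567890")
    arn = f"arn:aws:secretsmanager:us-east-1:111122223333:secret:{name}"
    policy = read_policy(arn)
    print(name)
    print(secret_payload("svc-domain-join", "CorrectHorseBatteryStaple"))
    print(json.dumps(policy, indent=4), "scoped:", policy_is_scoped(policy))
```

`policy_is_scoped()` is the check to run on any policy you are about to attach to an instance role: it fails on `secretsmanager:*`, on a wildcard `Resource`, and on a statement that lists more than one secret.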

#### Create the LinuxEC2DomainJoin role
<a name="seamless-linux-prereqs-create-policy-step2"></a>

You use the IAM console to create the role that you will use to domain join your Linux EC2 instance.

**To create the LinuxEC2DomainJoin role**

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies. Then open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access Management**, choose **Roles**.

1. In the content pane, choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. Under **Use case**, choose **EC2**, and then choose **Next**.  
![\[In the IAM console on the select trusted entity page. AWS service and EC2 are selected.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/iam-console-trusted-entity.png)

1. For **Filter policies**, do the following:

   1. Enter **AmazonSSMManagedInstanceCore**. Then select the check box for that item in the list.

   1. Enter **AmazonSSMDirectoryServiceAccess**. Then select the check box for that item in the list.

   1. Enter **SM-Secret-Linux-DJ-*d-xxxxxxxxxx*-Read** (or the name of the policy that you created in the previous procedure). Then select the check box for that item in the list.

   1. After adding the three policies listed above, select **Create role**.
**Note**  
AmazonSSMDirectoryServiceAccess provides the permissions to join instances to an Active Directory managed by Directory Service. AmazonSSMManagedInstanceCore provides the minimum permissions necessary to use the AWS Systems Manager service. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*.

1. Enter a name for your new role, such as **LinuxEC2DomainJoin** or another name that you prefer in the **Role name** field.

1. (Optional) For **Role description**, enter a description.

1. (Optional) Choose **Add new tag** under **Step 3: Add tags** to add tags. Tag key-value pairs are used to organize, track, or control access for this role.

1. Choose **Create role**.

## Seamlessly join your Linux instance
<a name="seamless-linux-join-instance"></a>

**To seamlessly join your Linux instance**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. From the Region selector in the navigation bar, choose the same AWS Region as the existing directory.

1. On the **EC2 Dashboard**, in the **Launch instance** section, choose **Launch instance**.

1. On the **Launch an instance** page, under the **Name and Tags** section, enter the name you would like to use for your Linux EC2 instance.

1.  *(Optional)* Choose **Add additional tags** to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance. 

1. In the **Application and OS Image (Amazon Machine Image)** section, choose a Linux AMI you wish to launch.
**Note**  
The AMI used must have AWS Systems Manager (SSM Agent) version 2.3.1644.0 or higher. To check the SSM Agent version installed in your AMI, launch an instance from that AMI and follow [Getting the currently installed SSM Agent version](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-get-version.html). If you need to upgrade the SSM Agent, see [Installing and configuring SSM Agent on EC2 instances for Linux](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html).  
SSM uses the `aws:domainJoin` plugin when joining a Linux instance to an Active Directory domain. The plugin changes the hostname of the Linux instance to the format EC2AMAZ-*XXXXXXX*. For more information about `aws:domainJoin`, see [AWS Systems Manager command document plugin reference](https://docs.aws.amazon.com//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.html#aws-domainJoin) in the *AWS Systems Manager User Guide*.

1. In the **Instance type** section, choose the instance type you would like to use from the **Instance type** dropdown list.

1. In the **Key pair (login)** section, you can either choose to create a new key pair or choose from an existing key pair. To create a new key pair, choose **Create new key pair**. Enter a name for the key pair and select an option for the **Key pair type** and **Private key file format**. To save the private key in a format that can be used with OpenSSH, choose **.pem**. To save the private key in a format that can be used with PuTTY, choose **.ppk**. Choose **create key pair**. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

1. On the **Launch an instance** page, under the **Network settings** section, choose **Edit**. Choose the **VPC** that your directory was created in from the **VPC - *required*** dropdown list.

1. Choose one of the public subnets in your VPC from the **Subnet** dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

   For more information on how to connect to an internet gateway, see [Connect to the internet using an internet gateway](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

1. Under **Auto-assign public IP**, choose **Enable**.

   For more information about public and private IP addressing, see [Amazon EC2 instance IP addressing](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-instance-addressing.html) in the *Amazon EC2 User Guide*.

1. For **Firewall (security groups)** settings, you can use the default settings or make changes to meet your needs. 

1. For **Configure storage** settings, you can use the default settings or make changes to meet your needs.

1. Expand the **Advanced details** section, and then choose your domain from the **Domain join directory** dropdown list.
**Note**  
After choosing the Domain join directory, you may see:   

![\[An error message when selecting your Domain join directory. There is an error with your existing SSM document.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/SSM-Error-Message.png)

This error occurs if the EC2 launch wizard identifies an existing SSM document with unexpected properties. You can do one of the following:  
+ If you previously edited the SSM document and its properties are what you expect, choose **Close** and proceed to launch the EC2 instance with no changes.
+ Choose the **delete the existing SSM document here** link to delete the SSM document. This allows an SSM document with the correct properties to be created automatically when you launch the EC2 instance.

1. For **IAM instance profile**, choose the IAM role that you previously created in the prerequisites section **Step 2: Create the LinuxEC2DomainJoin role**.

1. Choose **Launch instance**.

**Note**  
If you are performing a seamless domain join with SUSE Linux, a reboot is required before authentication will work. To reboot SUSE from the Linux terminal, type **sudo reboot**.

# Seamlessly joining an Amazon EC2 Linux instance to a shared AWS Managed Microsoft AD
<a name="seamlessly_join_linux_to_shared_MAD"></a>

In this procedure, you will seamlessly join an Amazon EC2 Linux instance to a shared AWS Managed Microsoft AD. To do this, you will create an AWS Secrets Manager IAM read policy in the EC2 instance role in the account where you wish to launch the EC2 Linux instance. This account is referred to as `Account 2` in this procedure. The instance will use the AWS Managed Microsoft AD that is shared from the other account, referred to as `Account 1`.

## Prerequisites
<a name="seamlessly_join_linux_to_shared_MAD_prereqs"></a>

Before you can seamlessly join an Amazon EC2 Linux instance to a shared AWS Managed Microsoft AD, you will need to complete the following:
+ Steps 1 through 3 in the tutorial, [Tutorial: Sharing your AWS Managed Microsoft AD directory for seamless EC2 domain-join](ms_ad_tutorial_directory_sharing.md). This tutorial walks you through setting up your network and sharing your AWS Managed Microsoft AD.
+ The procedure outlined in [Seamlessly joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory](seamlessly_join_linux_instance.md).

## Step 1. Create LinuxEC2DomainJoin role in Account 2
<a name="seamlessly_join_linux_to_shared_MAD_step_1"></a>

In this step, you will use the IAM console to create the IAM role that you will use to domain join your EC2 Linux instance while signed in to `Account 2`.

**Create the LinuxEC2DomainJoin role**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the left navigation pane, under **Access Management**, choose **Roles**.

1. On the **Roles** page, choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. Under **Use case**, choose **EC2**, and then choose **Next**.

1. For **Filter policies**, do the following:

   1. Enter `AmazonSSMManagedInstanceCore`. Then select the checkbox for that item in the list.

   1. Enter `AmazonSSMDirectoryServiceAccess`. Then select the checkbox for that item in the list.

   1. After adding these policies, select **Create role**.
**Note**  
`AmazonSSMDirectoryServiceAccess` provides the permissions to join instances to an Active Directory managed by Directory Service. `AmazonSSMManagedInstanceCore` provides the minimum permissions necessary to use AWS Systems Manager. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see [Configure instance permissions required for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-permissions.html) in the *AWS Systems Manager User Guide*.

1. Enter a name for your new role, such as `LinuxEC2DomainJoin` or another name that you prefer in the **Role name** field.

1. *(Optional)* For **Role description**, enter a description.

1. *(Optional)* Choose **Add new tag** under **Step 3: Add tags** to add tags. Tag key-value pairs are used to organize, track, or control access for this role.

1. Choose **Create role**.

## Step 2. Create cross account resource access to share AWS Secrets Manager secrets
<a name="seamlessly_join_linux_to_shared_MAD_step_2"></a>

This section describes additional requirements that must be met to seamlessly join EC2 Linux instances to a shared AWS Managed Microsoft AD. These requirements include creating resource policies and attaching them to the appropriate services and resources.

To allow users in an account to access AWS Secrets Manager secrets in another account, you must allow access in both a resource policy and identity policy. This type of access is called [cross account resource access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html).

This type of access is different from granting access to identities in the same account as the Secrets Manager secret. You must also allow the identity to use the [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) (KMS) key that the secret is encrypted with. This permission is necessary because you can't use the AWS managed key (`aws/secretsmanager`) for cross-account access. Instead, you will encrypt your secret with a KMS key that you create, and then attach a key policy to it. To change the encryption key for a secret, see [Modify an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html).

**Note**  
There are fees associated with AWS Secrets Manager, depending on which secret you use. For the current complete pricing list, see [AWS Secrets Manager Pricing](https://aws.amazon.com/secrets-manager/pricing/). You can use the AWS managed key `aws/secretsmanager` that Secrets Manager creates to encrypt your secrets for free. If you create your own KMS keys to encrypt your secrets, AWS charges you at the current AWS KMS rate. For more information, see [AWS Key Management Service Pricing](https://aws.amazon.com/kms/pricing/). 

The following steps allow you to create the resource policies that enable users to seamlessly join an EC2 Linux instance to a shared AWS Managed Microsoft AD.

**Attach a resource policy to the secret in Account 1**

1. Open the Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. From the list of secrets, choose the secret you created during the [Prerequisites](#seamlessly_join_linux_to_shared_MAD_prereqs).

1. On the secret's details page, under the **Overview** tab, scroll down to **Resource permissions**.

1. Select **Edit permissions**.

   1. In the policy field, enter the following policy. It allows **LinuxEC2DomainJoin** in `Account 2` to access the secret in `Account 1`. Replace the ARN value with the ARN of the `LinuxEC2DomainJoin` role that you created in `Account 2` in [Step 1](#seamlessly_join_linux_to_shared_MAD_step_1). To use this policy, see [Attach a permissions policy to an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html).

------
#### [ JSON ]


     ```
     {
       "Version":"2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "AWS": "arn:aws:iam::123456789012:role/LinuxEC2DomainJoin"
           },
           "Action": "secretsmanager:GetSecretValue",
           "Resource": "*"
         }
       ]
     }
     ```

------

**Add a statement to the key policy for the KMS key in Account 1**

1. Open the Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. In the left navigation pane, select **Customer managed keys**.

1. On the **Customer managed keys** page, select the key you created.

1. On the **Key Details** page, navigate to **Key policy**, and select **Edit**.

1. The following key policy statement allows `ApplicationRole` in `Account 2` to use the KMS key in `Account 1` to decrypt the secret in `Account 1`. To use this statement, add it to the key policy for your KMS key. For more information, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html).

   ```
   {
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam::Account2:role/ApplicationRole"
     },
     "Action": [
       "kms:Decrypt",
       "kms:DescribeKey"
     ],
     "Resource": "*"
   }
   ```

**Create an identity policy to the identity in Account 2**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the left navigation pane, under **Access management**, select **Policies**.

1. Select **Create Policy**. Choose **JSON** in the **Policy editor**.

1. The following policy allows `ApplicationRole` in `Account 2` to access the secret in `Account 1` and to decrypt the secret value with the encryption key, which is also in `Account 1`. You can find the ARN for your secret in the Secrets Manager console on the **Secret Details** page under **Secret ARN**. Alternatively, you can call [describe-secret](https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/describe-secret.html) to identify the secret's ARN. Replace the `Resource` ARNs with the ARN of your secret and the ARN of your KMS key in `Account 1`. To use this policy, see [Attach a permissions policy to an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html). 

------
#### [ JSON ]


   ```
   {
     "Version":"2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secretName-AbCdEf"
       },
       {
         "Effect": "Allow",
         "Action": [
           "kms:Decrypt",
           "kms:DescribeKey"
         ],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/Your_Encryption_Key"
       }
     ]
   }
   ```

------

1. Select **Next** and then select **Save changes**.

1. Find and select the `LinuxEC2DomainJoin` role that you created in `Account 2` in [Step 1](#seamlessly_join_linux_to_shared_MAD_step_1).

1. Under **Add permissions**, select **Attach policies**.

1. In the search bar, find the identity policy you created earlier in this procedure and select the box to add the policy to the role. Then select **Add permissions**.
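The three policies in this step have to agree with each other: the resource policy on the secret and the key policy in `Account 1` must name the `Account 2` role as principal, and the identity policy on that role must name the secret and the key in `Account 1`. The following added example (not code from the AWS documentation) builds the three documents in the shapes shown above and checks that consistency, including the case the text warns about, where the secret is still encrypted with the AWS managed `aws/secretsmanager` key. Account IDs, the role name and the secret and key ARNs are constructed placeholders.

```python
"""Consistency check for the cross-account Secrets Manager and KMS policies.

Added example, not code from the AWS documentation. Account IDs, the role
name and the ARNs used below are constructed placeholders.
"""


def _as_list(value):
    """IAM lets Action, Resource and Principal.AWS be a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _allows(statement, action):
    """True if an Allow statement grants `action`; IAM action names are case-insensitive."""
    if statement.get("Effect") != "Allow":
        return False
    wanted = action.lower()
    service = wanted.split(":")[0]
    return any(a.lower() in (wanted, f"{service}:*", "*") for a in _as_list(statement.get("Action")))


def _principals(statement):
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS"))


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def build_policies(account1, account2, role_name, secret_arn, key_arn):
    """Return (role_arn, resource_policy, key_statements, identity_policy) for the shared-directory setup."""
    role_arn = f"arn:aws:iam::{account2}:role/{role_name}"
    resource_policy = {  # attached to the secret in Account 1
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": role_arn},
                       "Action": "secretsmanager:GetSecretValue", "Resource": "*"}],
    }
    key_statements = [{  # added to the key policy of the customer managed key in Account 1
        "Effect": "Allow", "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
    }]
    identity_policy = {  # attached to the role in Account 2
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
            {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": key_arn},
        ],
    }
    return role_arn, resource_policy, key_statements, identity_policy


def check_cross_account(role_arn, secret_arn, key_arn, resource_policy, key_statements, identity_policy):
    """Return a list of findings; an empty list means the three policies line up."""
    findings = []
    account1 = _account_of(secret_arn)
    if _account_of(key_arn) != account1:
        findings.append("KMS key must live in the same account as the secret (Account 1)")
    if _account_of(role_arn) == account1:
        findings.append("instance role must be in Account 2, not in the secret's account")
    # Only detectable when the alias ARN is used; a key/<uuid> ARN does not reveal the alias.
    if "alias/aws/secretsmanager" in key_arn:
        findings.append("AWS managed key aws/secretsmanager cannot be used cross-account; use a key you created")
    if not any(role_arn in _principals(s) and _allows(s, "secretsmanager:GetSecretValue")
               for s in resource_policy.get("Statement", [])):
        findings.append("secret resource policy does not grant GetSecretValue to the Account 2 role")
    for action in ("kms:Decrypt", "kms:DescribeKey"):
        if not any(role_arn in _principals(s) and _allows(s, action) for s in key_statements):
            findings.append(f"key policy does not grant {action} to the Account 2 role")

    def identity_allows(action, resource):
        return any(_allows(s, action) and resource in _as_list(s.get("Resource"))
                   for s in identity_policy.get("Statement", []))

    if not identity_allows("secretsmanager:GetSecretValue", secret_arn):
        findings.append("identity policy does not allow GetSecretValue on the Account 1 secret")
    if not identity_allows("kms:Decrypt", key_arn):
        findings.append("identity policy does not allow kms:Decrypt on the Account 1 key")
    return findings


if __name__ == "__main__":
    # Constructed placeholders: 111122223333 is Account 1, 123456789012 is Account 2.
    secret = "arn:aws:secretsmanager:us-east-1:111122223333:secret:aws/directory-services/d-1234567890/seamless-domain-join-AbCdEf"
    key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    role, rp, ks, ip = build_policies("111122223333", "123456789012", "LinuxEC2DomainJoin", secret, key)
    print(role, check_cross_account(role, secret, key, rp, ks, ip) or "policies consistent")
```

The checker accepts `kms:Describekey` as well as `kms:DescribeKey`, because IAM compares action names case-insensitively; what it does not accept is a resource policy whose principal is a different role, or an identity policy that names the secret but not the key.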

## Step 3. Seamlessly join your Linux instance
<a name="seamlessly_join_linux_to_shared_MAD_prereqs_step_3"></a>

You can now use the following procedure to seamlessly join your EC2 Linux instance to your shared AWS Managed Microsoft AD.

**To seamlessly join your Linux instance**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. From the Region selector in the navigation bar, choose the same AWS Region as the existing directory.

1. On the **EC2 Dashboard**, in the **Launch instance** section, choose **Launch instance**.

1. On the **Launch an instance** page, under the **Name and Tags** section, enter the name you would like to use for your Linux EC2 instance.

1.  *(Optional)* Choose **Add additional tags** to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance. 

1. In the **Application and OS Image (Amazon Machine Image)** section, choose a Linux AMI you wish to launch.
**Note**  
The AMI used must have AWS Systems Manager (SSM Agent) version 2.3.1644.0 or higher. To check the SSM Agent version installed in your AMI, launch an instance from that AMI and follow [Getting the currently installed SSM Agent version](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-get-version.html). If you need to upgrade the SSM Agent, see [Installing and configuring SSM Agent on EC2 instances for Linux](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html).  
SSM uses the `aws:domainJoin` plugin when joining a Linux instance to an Active Directory domain. The plugin changes the hostname of the Linux instance to the format EC2AMAZ-*XXXXXXX*. For more information about `aws:domainJoin`, see [AWS Systems Manager command document plugin reference](https://docs.aws.amazon.com//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.html#aws-domainJoin) in the *AWS Systems Manager User Guide*.

1. In the **Instance type** section, choose the instance type you would like to use from the **Instance type** dropdown list.

1. In the **Key pair (login)** section, you can either choose to create a new key pair or choose from an existing key pair. To create a new key pair, choose **Create new key pair**. Enter a name for the key pair and select an option for the **Key pair type** and **Private key file format**. To save the private key in a format that can be used with OpenSSH, choose **.pem**. To save the private key in a format that can be used with PuTTY, choose **.ppk**. Choose **create key pair**. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

1. On the **Launch an instance** page, under the **Network settings** section, choose **Edit**. Choose the **VPC** that your directory was created in from the **VPC - *required*** dropdown list.

1. Choose one of the public subnets in your VPC from the **Subnet** dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

   For more information on how to connect to an internet gateway, see [Connect to the internet using an internet gateway](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

1. Under **Auto-assign public IP**, choose **Enable**.

   For more information about public and private IP addressing, see [Amazon EC2 instance IP addressing](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-instance-addressing.html) in the *Amazon EC2 User Guide*.

1. For **Firewall (security groups)** settings, you can use the default settings or make changes to meet your needs. 

1. For **Configure storage** settings, you can use the default settings or make changes to meet your needs.

1. Expand the **Advanced details** section, and then choose your domain from the **Domain join directory** dropdown list.
**Note**  
After choosing the Domain join directory, you may see:   

![\[An error message when selecting your Domain join directory. There is an error with your existing SSM document.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/SSM-Error-Message.png)

This error occurs if the EC2 launch wizard identifies an existing SSM document with unexpected properties. You can do one of the following:  
+ If you previously edited the SSM document and its properties are what you expect, choose **Close** and proceed to launch the EC2 instance with no changes.
+ Choose the **delete the existing SSM document here** link to delete the SSM document. This allows an SSM document with the correct properties to be created automatically when you launch the EC2 instance.

1. For **IAM instance profile**, choose the IAM role that you previously created in the prerequisites section **Step 2: Create the LinuxEC2DomainJoin role**.

1. Choose **Launch instance**.

**Note**  
If you are performing a seamless domain join with SUSE Linux, a reboot is required before authentication will work. To reboot SUSE from the Linux terminal, type **sudo reboot**.

# Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory
<a name="join_linux_instance"></a>

In addition to Amazon EC2 Windows instances, you can also join certain Amazon EC2 Linux instances to your AWS Managed Microsoft AD Active Directory. The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Amazon Linux 2023 AMI
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Other Linux distributions and versions may work but have not been tested.

## Join a Linux instance to your AWS Managed Microsoft AD
<a name="join_linux_prereq"></a>

Before you can join an Amazon Linux, CentOS, Red Hat, or Ubuntu instance to your directory, the instance must first be launched as specified in [Seamlessly join your Linux instance](seamlessly_join_linux_instance.md#seamless-linux-join-instance).

**Important**  
Some of the following procedures, if not performed correctly, can render your instance unreachable or unusable. Therefore, we strongly suggest you make a backup or take a snapshot of your instance before performing these procedures.

**To join a Linux instance to your directory**  
Follow the steps for your specific Linux instance using one of the following tabs:

------
#### [ Amazon Linux ]<a name="amazonlinux"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Amazon Linux 64-bit instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required Amazon Linux packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.  
Amazon Linux  

   ```
   sudo yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
   ```
**Note**  
For help with determining the Amazon Linux version you are using, see [Identifying Amazon Linux images](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#amazon-linux-image-id) in the *Amazon EC2 User Guide for Linux Instances*.

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account@EXAMPLE.COM example.com --verbose
   ```  
*join\_account@EXAMPLE.COM*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "AWS Delegated Administrators" group from the example.com domain.
      %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses a backslash followed by a space, `\ `, to escape each space in the group name.)

------
#### [ CentOS ]<a name="centos"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your CentOS 7 instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required CentOS 7 packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo yum -y install sssd realmd krb5-workstation samba-common-tools
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account@example.com example.com --verbose
   ```  
*join\_account@example.com*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "AWS Delegated Administrators" group from the example.com domain.
      %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\<space>" to create the Linux space character.)

------
#### [ Red Hat ]<a name="redhat"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure the Red Hat - 64bit instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required Red Hat packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo yum -y install sssd realmd krb5-workstation samba-common-tools
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -v -U join_account example.com --install=/
   ```  
*join\_account*  
The **sAMAccountName** for an account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "AWS Delegated Administrators" group from the example.com domain.
      %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\<space>" to create the Linux space character.)

------
#### [ SUSE ]<a name="suse"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your SUSE Linux 15 instance is up to date.

   1. Connect the package repository.

      ```
      sudo SUSEConnect -p PackageHub/15.1/x86_64
      ```

   1. Update SUSE.

      ```
      sudo zypper update -y
      ```

1. Install the required SUSE Linux 15 packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo zypper -n install realmd adcli sssd sssd-tools sssd-ad samba-client krb5-client
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account example.com --verbose
   ```  
*join\_account*  
The sAMAccountName in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully-qualified DNS name of your directory.

   ```
   …
   realm: Couldn't join realm: Enabling SSSD in nsswitch.conf and PAM failed.
   ```

   Note that both of the following messages are expected.

   ```
   ! Couldn't authenticate with keytab while discovering which salt to use:
   ! Enabling SSSD in nsswitch.conf and PAM failed.
   ```

1. Manually enable **SSSD** in **PAM**.

   ```
   sudo pam-config --add --sss
   ```

1. Edit /etc/nsswitch.conf to enable SSSD in the Name Service Switch.

   ```
   sudo vi /etc/nsswitch.conf
   ```

   ```
   passwd: compat sss
   group:  compat sss
   shadow: compat sss
   ```

1. Add the following line to /etc/pam.d/common-session to automatically create a home directory at first login.

   ```
   sudo vi /etc/pam.d/common-session
   ```

   ```
   session optional pam_mkhomedir.so skel=/etc/skel umask=077
   ```

1. Reboot the instance to complete the domain join process.

   ```
   sudo reboot
   ```

1. Reconnect to the instance using any SSH client to verify that the domain join has completed successfully and to finalize the additional steps.

   1. To confirm that the instance has been enrolled in the domain:

      ```
      sudo realm list
      ```

      ```
      example.com
        type: kerberos
        realm-name: EXAMPLE.COM
        domain-name: example.com
        configured: kerberos-member
        server-software: active-directory
        client-software: sssd
        required-package: sssd-tools
        required-package: sssd
        required-package: adcli
        required-package: samba-client
        login-formats: %U@example.com
        login-policy: allow-realm-logins
      ```

   1. To verify the status of the SSSD daemon:

      ```
      systemctl status sssd
      ```

      ```
      sssd.service - System Security Services Daemon
         Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
         Active: active (running) since Wed 2020-04-15 16:22:32 UTC; 3min 49s ago
       Main PID: 479 (sssd)
          Tasks: 4
         CGroup: /system.slice/sssd.service
                 ├─479 /usr/sbin/sssd -i --logger=files
                 ├─505 /usr/lib/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
                 ├─548 /usr/lib/sssd/sssd_nss --uid 0 --gid 0 --logger=files
                 └─549 /usr/lib/sssd/sssd_pam --uid 0 --gid 0 --logger=files
      ```

1. To permit a user access via SSH and console:

   ```
   sudo realm permit join_account@example.com
   ```

   To permit a domain group access via SSH and console:

   ```
   sudo realm permit -g 'AWS Delegated Administrators'
   ```

   Or to permit all users access:

   ```
   sudo realm permit --all
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "AWS Delegated Administrators" group from the example.com domain.
      %AWS\ Delegated\ Administrators@example.com ALL=(ALL) NOPASSWD: ALL
      ```

------
#### [ Ubuntu ]<a name="ubuntu"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Ubuntu - 64bit instance is up to date.

   ```
   sudo apt-get update
   sudo apt-get -y upgrade
   ```

1. Install the required Ubuntu packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli
   ```

1. Disable reverse DNS resolution and set the default realm to your domain's FQDN. Ubuntu instances **must** be reverse-resolvable in DNS for the realm join to work. If they are not, disable reverse DNS lookups in /etc/krb5.conf as follows:

   ```
   sudo vi /etc/krb5.conf
   ```

   ```
   [libdefaults]
   default_realm = EXAMPLE.COM
   rdns = false
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account example.com --verbose
   ```  
*join\_account*  
The **sAMAccountName** for an account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "AWS Delegated Administrators" group from the example.com domain.
      %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\<space>" to create the Linux space character.)

------

## Restricting account login access
<a name="linux_filter"></a>

Since all accounts are defined in Active Directory, by default, all the users in the directory can log in to the instance. You can allow only specific users to log in to the instance with **ad\_access\_filter** in **sssd.conf**. For example:

```
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
```

*memberOf*  
Indicates that users should only be allowed access to the instance if they are a member of a specific group.

*cn*  
The common name of the group that should have access. In this example, the group name is *admins*.

*ou*  
This is the organizational unit in which the above group is located. In this example, the OU is *Testou*.

*dc*  
This is the domain component of your domain. In this example, *example*.

*dc*  
This is an additional domain component. In this example, *com*.

You must manually add **ad\_access\_filter** to your **/etc/sssd/sssd.conf**.

Open the **/etc/sssd/sssd.conf** file in a text editor.

```
sudo vi /etc/sssd/sssd.conf
```

After you do this, your **sssd.conf** might look like this:

```
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
```

In order for the configuration to take effect, you need to restart the sssd service:

```
sudo systemctl restart sssd.service
```

Alternatively, you could use:

```
sudo service sssd restart
```

## ID Mapping
<a name="managed-ad-id-mapping"></a>

ID mapping keeps UNIX/Linux User Identifiers (UIDs) and Group Identifiers (GIDs) consistent with Windows and Active Directory Security Identifiers (SIDs). It can be performed by one of two methods:

1. Centralized

1. Distributed

**Note**  
Centralized user identity mapping in Active Directory requires the Portable Operating System Interface (POSIX) attribute extension.

**Centralized user identity mapping**  
Active Directory or another Lightweight Directory Access Protocol (LDAP) service provides UID and GID to the Linux users. In Active Directory, these identifiers are stored in the users' attributes if the POSIX extension is configured:
+ UID - The Linux username (String)
+ UID Number - The Linux User ID number (Integer)
+ GID Number - The Linux Group ID number (Integer)

To configure a Linux instance to use the UID and GID from Active Directory, set `ldap_id_mapping = False` in the sssd.conf file. Before setting this value, verify you have added a UID, UID number and GID number to the users and groups in Active Directory.

**Distributed user identity mapping**  
If Active Directory doesn't have the POSIX extension or if you choose not to centrally manage identity mapping, Linux can calculate the UID and GID values. Linux uses the user's unique Security Identifier (SID) to maintain consistency.

To configure distributed user ID mapping, set `ldap_id_mapping = True` in the sssd.conf file.

**Common issues**  
If you set `ldap_id_mapping = False`, the SSSD service sometimes fails to start. This happens because changing the UIDs of users that SSSD has already cached is not supported. We recommend that you delete the SSSD cache whenever you switch from ID mapping to POSIX attributes or from POSIX attributes to ID mapping. For further details about ID mapping and the `ldap_id_mapping` parameter, see the sssd-ldap(8) man page (`man sssd-ldap`).
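
The `ad_access_filter` line from the "Restricting account login access" section only takes effect when `access_provider = ad` is also present in the domain section; otherwise SSSD ignores the filter and every directory user can still log in. The following script, an added example that is not part of the AWS documentation, parses the `[domain/...]` section of an sssd.conf (a constructed sample written to a temporary file), reports whether the filter is enforced, and reports which ID-mapping mode the `ldap_id_mapping` setting from this section selects; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the AWS documentation. Audits the [domain/...]
# section of an sssd.conf for the two settings discussed above.
# Assumes only POSIX sh, sed, grep and mktemp; the sssd.conf it reads is a
# constructed sample written to a temporary file.

# Print the value of KEY from the [domain/DOMAIN] section of FILE.
# Prints nothing when the key is absent from that section.
sssd_domain_value() {  # FILE DOMAIN KEY
    esc=$(printf '%s\n' "$2" | sed 's/[.]/\\./g')   # "example.com" -> "example\.com"
    sed -n "/^\[domain\/$esc]/,/^\[/p" "$1" \
        | grep -E "^[[:space:]]*$3[[:space:]]*=" \
        | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed (exit 0) only when the login restriction is actually enforced.
# SSSD honours ad_access_filter only when access_provider is "ad"; a filter
# without that line is silently ignored and every directory user can log in.
check_access_filter() {  # FILE DOMAIN
    provider=$(sssd_domain_value "$1" "$2" access_provider)
    filter=$(sssd_domain_value "$1" "$2" ad_access_filter)
    if [ -z "$filter" ]; then
        echo "$1: no ad_access_filter, all $2 users may log in"
        return 1
    fi
    if [ "$provider" != "ad" ]; then
        echo "$1: ad_access_filter is set but access_provider is '${provider:-unset}', not 'ad'; filter is ignored"
        return 1
    fi
    case $filter in
        "("*")") ;;
        *) echo "$1: ad_access_filter is not a parenthesised LDAP filter: $filter"; return 1 ;;
    esac
    echo "$1: logins restricted to $filter"
}

# Report the ID-mapping mode from the ID Mapping section: "distributed"
# (UID/GID derived from the SID) or "centralized" (POSIX uidNumber/gidNumber
# read from Active Directory). The AD provider defaults to True when unset.
id_mapping_mode() {  # FILE DOMAIN
    mode=$(sssd_domain_value "$1" "$2" ldap_id_mapping | tr '[:upper:]' '[:lower:]')
    case $mode in
        ""|true) echo distributed ;;
        false)   echo centralized ;;
        *)       echo unknown ;;
    esac
}

# Write a constructed sssd.conf to FILE. PROVIDER_LINE is inserted verbatim
# ("" omits it) so the failing case can be shown; IDMAP sets ldap_id_mapping.
write_sample_conf() {  # FILE PROVIDER_LINE IDMAP
    cat > "$1" <<EOF
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
ldap_id_mapping = $3
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
$2
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
EOF
}

# Demonstration: one file with the provider line, one without it.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/enforced.conf" "access_provider = ad" True
write_sample_conf "$demo_dir/ignored.conf" "" True
check_access_filter "$demo_dir/enforced.conf" example.com
check_access_filter "$demo_dir/ignored.conf" example.com || true
echo "ID mapping mode: $(id_mapping_mode "$demo_dir/enforced.conf" example.com)"
rm -rf "$demo_dir"
```

On a joined host, run `check_access_filter /etc/sssd/sssd.conf example.com` before restarting `sssd` to confirm the restriction will be enforced.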

## Connect to the Linux instance
<a name="linux_connect"></a>

When a user connects to the instance using an SSH client, they are prompted for their username. The user can enter the username in either the `username@example.com` or `EXAMPLE\username` format. The response will appear similar to the following, depending on which Linux distribution you are using:

**Amazon Linux, Red Hat Enterprise Linux, and CentOS Linux**

```
login as: johndoe@example.com
johndoe@example.com's password:
Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX
```

**SUSE Linux**

```
SUSE Linux Enterprise Server 15 SP1 x86_64 (64-bit)

As "root" (sudo or sudo -i) use the:
  - zypper command for package management
  - yast command for configuration management

Management and Config: https://www.suse.com/suse-in-the-cloud-basics
Documentation: https://www.suse.com/documentation/sles-15/
Forum: https://forums.suse.com/forumdisplay.php?93-SUSE-Public-Cloud

Have a lot of fun...
```

**Ubuntu Linux**

```
login as: admin@example.com
admin@example.com@10.24.34.0's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1057-aws x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 18 22:03:35 UTC 2020

  System load:  0.01              Processes:           102
  Usage of /:   18.6% of 7.69GB   Users logged in:     2
  Memory usage: 16%               IP address for eth0: 10.24.34.1
  Swap usage:   0%
```

# Manually joining an Amazon EC2 Linux instance to your AWS Managed Microsoft AD Active Directory using Winbind
<a name="join_linux_instance_winbind"></a>

You can use the Winbind service to manually join your Amazon EC2 Linux instances to an AWS Managed Microsoft AD Active Directory domain. This enables your existing on-premises Active Directory users to use their Active Directory credentials when accessing the Linux instances joined to your AWS Managed Microsoft AD Active Directory. The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Amazon Linux 2023 AMI
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Other Linux distributions and versions may work but have not been tested.

## Join a Linux instance to your AWS Managed Microsoft AD Active Directory
<a name="join_linux_winbind_prereq"></a>

**Important**  
Some of the following procedures, if not performed correctly, can render your instance unreachable or unusable. Therefore, we strongly suggest you make a backup or take a snapshot of your instance before performing these procedures.

**To join a Linux instance to your directory**  
Follow the steps for your specific Linux instance using one of the following tabs:

------
#### [ Amazon Linux/CENTOS/REDHAT ]<a name="amazonlinux"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Linux instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required Samba / Winbind packages on your Linux instance.

   ```
   sudo yum -y install authconfig samba samba-client samba-winbind samba-winbind-clients
   ```

1. Make a backup of the main `smb.conf` file so you can revert back to it in case of any failure: 

   ```
   sudo cp /etc/samba/smb.conf /etc/samba/smb.bk
   ```

1. Open the original configuration file [`/etc/samba/smb.conf`] in a text editor.

   ```
   sudo vim /etc/samba/smb.conf
   ```

   Fill in your Active Directory domain environment information as shown in the following example:

   ```
   [global]
    workgroup = example
    security = ads
    realm = example.com
    idmap config * : rangesize = 1000000
    idmap config * : range = 1000000-19999999
    idmap config * : backend = autorid
    winbind enum users = no
    winbind enum groups = no
    template homedir = /home/%U@%D
    template shell = /bin/bash
    winbind use default domain = false
   ```

1. Open the hosts file [`/etc/hosts`] in a text editor.

   ```
   sudo vim /etc/hosts
   ```

   Add your Linux instance private IP address as follows:

   ```
   10.x.x.x  Linux_hostname.example.com Linux_hostname
   ```
**Note**  
If you did not specify your IP address in the `/etc/hosts` file, you might receive the following DNS error while joining the instance to the domain:  
`No DNS domain configured for linux-instance. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER`  
This error means that the join was successful but the `net ads` command was unable to register the DNS record in DNS.

1. Join the Linux instance to Active Directory using the net utility. 

   ```
   sudo net ads join -U join_account@example.com
   ```  
*join\_account@example.com*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   Enter join_account@example.com's password:
   Using short domain name -- example
   Joined 'IP-10-x-x-x' to dns domain 'example.com'
   ```

1. Modify the PAM configuration. Use the following command to add the entries required for Winbind authentication:

   ```
   sudo authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update
   ```

1. Set the SSH service to allow password authentication by editing the `/etc/ssh/sshd_config` file.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the root privileges for a domain user or group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the required groups or users from your Trusting or Trusted domain as follows, and then save it.

      ```
      ## Adding Domain Users/Groups.
      %domainname\\AWS\ Delegated\ Administrators ALL=(ALL:ALL) ALL
      %domainname\\groupname ALL=(ALL:ALL) ALL
      domainname\\username ALL=(ALL:ALL) ALL
      %Trusted_DomainName\\groupname ALL=(ALL:ALL) ALL
      Trusted_DomainName\\username ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\<space>" to create the Linux space character.)

------
#### [ SUSE ]<a name="suse"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your SUSE Linux 15 instance is up to date.

   1. Connect the package repository.

      ```
      sudo SUSEConnect -p PackageHub/15.1/x86_64
      ```

   1. Update SUSE.

      ```
      sudo zypper update -y
      ```

1. Install the required Samba / Winbind packages on your Linux instance.

   ```
   sudo zypper in -y samba samba-winbind
   ```

1. Make a backup of the main `smb.conf` file so you can revert back to it in case of any failure: 

   ```
   sudo cp /etc/samba/smb.conf /etc/samba/smb.bk
   ```

1. Open the original configuration file [`/etc/samba/smb.conf`] in a text editor.

   ```
   sudo vim /etc/samba/smb.conf
   ```

   Fill in your Active Directory domain environment information as shown in the following example:

   ```
   [global]
    workgroup = example
    security = ads
    realm = example.com
    idmap config * : rangesize = 1000000
    idmap config * : range = 1000000-19999999
    idmap config * : backend = autorid
    winbind enum users = no
    winbind enum groups = no
    template homedir = /home/%U@%D
    template shell = /bin/bash
    winbind use default domain = false
   ```

1. Open the hosts file [`/etc/hosts`] in a text editor.

   ```
   sudo vim /etc/hosts
   ```

   Add your Linux instance private IP address as follows:

   ```
   10.x.x.x  Linux_hostname.example.com Linux_hostname
   ```
**Note**  
If you did not specify your IP address in the `/etc/hosts` file, you might receive the following DNS error while joining the instance to the domain:  
`No DNS domain configured for linux-instance. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER`  
This error means that the join was successful but the `net ads` command was unable to register the DNS record in DNS.

1. Join the Linux instance to the directory with the following command. 

   ```
   sudo net ads join -U join_account@example.com
   ```  
*join\_account*  
The sAMAccountName in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully-qualified DNS name of your directory.

   ```
   Enter join_account@example.com's password:
   Using short domain name -- example
   Joined 'IP-10-x-x-x' to dns domain 'example.com'
   ```

1. Modify the PAM configuration. Use the following command to add the entries required for Winbind authentication:

   ```
   sudo pam-config --add --winbind --mkhomedir
   ```

1. Open the Name Service Switch configuration file [`/etc/nsswitch.conf`] in a text editor.

   ```
   sudo vim /etc/nsswitch.conf
   ```

   Add the Winbind directive as shown below.

   ```
   passwd: files winbind
   shadow: files winbind
   group:  files winbind
   ```

1. Set the SSH service to allow password authentication by editing the `/etc/ssh/sshd_config` file.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vim /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add root privileges for a domain user or group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the required groups or users from your Trusting or Trusted domain as follows, and then save it.

      ```
      ## Adding Domain Users/Groups.
      %domainname\\AWS\ Delegated\ Administrators ALL=(ALL:ALL) ALL
      %domainname\\groupname ALL=(ALL:ALL) ALL
      domainname\\username ALL=(ALL:ALL) ALL
      %Trusted_DomainName\\groupname ALL=(ALL:ALL) ALL
      Trusted_DomainName\\username ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\<space>" to create the Linux space character.)
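
The `sudoers` entries in the realm-based sections above use `group@domain` principals with backslash-escaped spaces, while the Winbind sections use `DOMAIN\\group` with a doubled backslash; a typo in either form breaks `sudo` for everyone on the host. The following script, an added example that is not part of the AWS documentation, generates both forms from a plain group or user name and installs the result as a `visudo`-checked drop-in file; the function names, the drop-in file name `aws-delegated-admins`, and the sample user `jdoe` are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the AWS documentation. Builds sudoers rules for
# domain groups and users in the two principal formats used on this page and
# installs them as a validated drop-in file. Assumes POSIX sh; visudo is only
# expected on the target host (validation is skipped where it is missing).

# Escape what sudoers treats specially inside a name: spaces become "\ "
# (the "\<space>" the steps above refer to) and backslashes become "\\".
sudo_escape() {  # NAME
    printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g'
}

# Rule for an SSSD/realmd-joined host, where principals are written
# "group@example.com" (use_fully_qualified_names = True in sssd.conf).
realm_group_rule() {  # GROUP DOMAIN [SPEC]
    printf '%%%s@%s ALL=%s\n' "$(sudo_escape "$1")" "$2" "${3:-(ALL:ALL) ALL}"
}

# Rules for a Winbind-joined host, where principals are written
# "DOMAIN\group" (winbind use default domain = false in smb.conf); the
# backslash itself must be doubled in sudoers.
winbind_group_rule() {  # GROUP NETBIOS_DOMAIN [SPEC]
    printf '%%%s ALL=%s\n' "$(sudo_escape "$2\\$1")" "${3:-(ALL:ALL) ALL}"
}
winbind_user_rule() {  # USER NETBIOS_DOMAIN [SPEC]
    printf '%s ALL=%s\n' "$(sudo_escape "$2\\$1")" "${3:-(ALL:ALL) ALL}"
}

# Install RULES (one per line) as DIR/NAME with the 0440 mode sudo requires,
# but only after visudo has accepted the syntax: a broken sudoers file can
# lock every administrator out of sudo. DIR defaults to /etc/sudoers.d.
install_sudoers_dropin() {  # NAME RULES [DIR]
    dir=${3:-/etc/sudoers.d}
    tmp=$(mktemp) || return 1
    printf '%s\n' "$2" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/$1"
}

# Demonstration: print the rules that the steps above add by hand.
realm_group_rule   "AWS Delegated Administrators" example.com
winbind_group_rule "AWS Delegated Administrators" example
winbind_user_rule  jdoe example
# On a joined host, as root:
#   install_sudoers_dropin aws-delegated-admins \
#       "$(realm_group_rule 'AWS Delegated Administrators' example.com)"
```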

------
#### [ Ubuntu ]<a name="ubuntu"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Linux instance is up to date.

   ```
   sudo apt-get -y upgrade
   ```

1. Install the required Samba / Winbind packages on your Linux instance.

   ```
   sudo apt -y install samba winbind libnss-winbind libpam-winbind
   ```

1. Make a backup of the main `smb.conf` file so you can revert back to it in case of any failure. 

   ```
   sudo cp /etc/samba/smb.conf /etc/samba/smb.bk
   ```

1. Open the original configuration file [`/etc/samba/smb.conf`] in a text editor.

   ```
   sudo vim /etc/samba/smb.conf
   ```

   Fill in your Active Directory domain environment information as shown in the following example:

   ```
   [global]
    workgroup = example
    security = ads
    realm = example.com
    idmap config * : rangesize = 1000000
    idmap config * : range = 1000000-19999999
    idmap config * : backend = autorid
    winbind enum users = no
    winbind enum groups = no
    template homedir = /home/%U@%D
    template shell = /bin/bash
    winbind use default domain = false
   ```

1. Open the hosts file [`/etc/hosts`] in a text editor.

   ```
   sudo vim /etc/hosts
   ```

   Add your Linux instance private IP address as follows:

   ```
   10.x.x.x  Linux_hostname.example.com Linux_hostname
   ```
**Note**  
If you did not specify your IP address in the `/etc/hosts` file, you might receive the following DNS error while joining the instance to the domain:  
`No DNS domain configured for linux-instance. Unable to perform DNS Update. DNS update failed: NT_STATUS_INVALID_PARAMETER`  
This error means that the join was successful but the [net ads] command was unable to register the DNS record in DNS.

1. Join the Linux instance to Active Directory using the net utility. 

   ```
   sudo net ads join -U join_account@example.com
   ```  
*join\_account@example.com*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   Enter join_account@example.com's password:
   Using short domain name -- example
   Joined 'IP-10-x-x-x' to dns domain 'example.com'
   ```

1. Modify the PAM configuration. Use the following command to add the entries needed for Winbind authentication:

   ```
   sudo pam-auth-update --add --winbind --enable mkhomedir
   ```

1. Open the Name Service Switch configuration file [`/etc/nsswitch.conf`] in a text editor.

   ```
   sudo vim /etc/nsswitch.conf
   ```

   Add the Winbind directive as shown below.

   ```
   passwd: compat winbind
   group:  compat winbind
   shadow: compat winbind
   ```

1. Set the SSH service to allow password authentication by editing the `/etc/ssh/sshd_config` file.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vim /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add root privileges for a domain user or group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the required groups or users from your Trusting or Trusted domain as follows, and then save it.

      ```
      ## Adding Domain Users/Groups.
      %domainname\\AWS\ Delegated\ Administrators ALL=(ALL:ALL) ALL
      %domainname\\groupname ALL=(ALL:ALL) ALL
      domainname\\username ALL=(ALL:ALL) ALL
      %Trusted_DomainName\\groupname ALL=(ALL:ALL) ALL
      Trusted_DomainName\\username ALL=(ALL:ALL) ALL
      ```

      (The above example uses "\<space>" to create the Linux space character.)

------
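The Ubuntu procedure above edits several system files by hand. The script below is an added example and is not part of the AWS documentation: it packages those edits as idempotent shell functions that take the path of the file to change, so you can exercise them against copies of `smb.conf`, `/etc/hosts`, `/etc/nsswitch.conf` and `sshd_config` first and then run them with `sudo` against the real paths. It assumes the NetBIOS workgroup is the first DNS label of the realm (matching the `example` / `example.com` values above) and that the sudoers rule is written to a drop-in file under `/etc/sudoers.d/`; the hostnames and addresses used with it are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS documentation): idempotent helpers for the
# Ubuntu/Winbind configuration steps above. Every function takes the path of
# the file it edits, so it can be run against a copy first and against /etc
# (with sudo) once the result looks right.
set -eu

# Render the [global] section of smb.conf for a realm such as example.com.
# Assumption: the NetBIOS workgroup is the first DNS label of the realm.
render_smb_conf() {
  local realm="$1"
  local workgroup="${realm%%.*}"
  cat <<EOF
[global]
 workgroup = ${workgroup}
 security = ads
 realm = ${realm}
 idmap config * : rangesize = 1000000
 idmap config * : range = 1000000-19999999
 idmap config * : backend = autorid
 winbind enum users = no
 winbind enum groups = no
 template homedir = /home/%U@%D
 template shell = /bin/bash
 winbind use default domain = false
EOF
}

# Add "ip fqdn shortname" to a hosts file unless the FQDN is already listed;
# without it, net ads join cannot register the instance's DNS record.
add_hosts_entry() {
  local hosts_file="$1" ip="$2" fqdn="$3"
  local short="${fqdn%%.*}"
  if grep -qF -- "$fqdn" "$hosts_file"; then
    return 0
  fi
  printf '%s  %s %s\n' "$ip" "$fqdn" "$short" >> "$hosts_file"
}

# Append "winbind" to the passwd, group and shadow databases in nsswitch.conf
# when it is missing; other databases (hosts, networks, ...) are left alone.
enable_winbind_nss() {
  local nss="$1" db
  for db in passwd group shadow; do
    if grep -Eq "^${db}:.*winbind" "$nss"; then
      continue
    elif grep -Eq "^${db}:" "$nss"; then
      sed -i -E "s/^(${db}:.*)$/\1 winbind/" "$nss"
    else
      printf '%s: compat winbind\n' "$db" >> "$nss"
    fi
  done
}

# Turn on PasswordAuthentication in an sshd_config, replacing an existing or
# commented-out directive instead of appending a second, conflicting one
# (sshd uses the first value it reads, so a stray "no" above would win).
set_sshd_password_auth() {
  local cfg="$1"
  if grep -Eq '^[#[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
    sed -i -E 's/^[#[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication yes/' "$cfg"
  else
    printf 'PasswordAuthentication yes\n' >> "$cfg"
  fi
}

# Render a sudoers rule granting a domain group full sudo, escaping the spaces
# in group names such as "AWS Delegated Administrators" as sudoers requires.
# Write the output to a file under /etc/sudoers.d/ and validate it with
# "visudo -cf <file>" before relying on it.
render_sudoers_group() {
  local domain="$1" group="$2"
  local escaped
  escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
  printf '%%%s\\\\%s ALL=(ALL:ALL) ALL\n' "$domain" "$escaped"
}
```

A typical run on the instance, after the packages are installed, is `render_smb_conf example.com | sudo tee /etc/samba/smb.conf`, `sudo add_hosts_entry /etc/hosts 10.x.x.x Linux_hostname.example.com`, then `sudo net ads join -U join_account@example.com`, followed by `pam-auth-update`, `enable_winbind_nss /etc/nsswitch.conf`, `set_sshd_password_auth /etc/ssh/sshd_config` and an sshd restart. Because every function checks for its own marker before writing, re-running the script on a half-configured instance does not duplicate lines.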

## Connect to the Linux instance
<a name="linux_winbind_connect"></a>

When a user connects to the instance using an SSH client, they are prompted for their username. The user can enter the username in either the `username@example.com` or `EXAMPLE\username` format. The response will appear similar to the following, depending on which Linux distribution you are using:

**Amazon Linux, Red Hat Enterprise Linux, and CentOS Linux**

```
login as: johndoe@example.com
johndoe@example.com's password:
Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX
```

**SUSE Linux**

```
SUSE Linux Enterprise Server 15 SP1 x86_64 (64-bit)

As "root" (sudo or sudo -i) use the:
  - zypper command for package management
  - yast command for configuration management

Management and Config: https://www.suse.com/suse-in-the-cloud-basics
Documentation: https://www.suse.com/documentation/sles-15/
Forum: https://forums.suse.com/forumdisplay.php?93-SUSE-Public-Cloud

Have a lot of fun...
```

**Ubuntu Linux**

```
login as: admin@example.com
admin@example.com@10.24.34.0's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1057-aws x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 18 22:03:35 UTC 2020

  System load:  0.01              Processes:           102
  Usage of /:   18.6% of 7.69GB   Users logged in:     2
  Memory usage: 16%               IP address for eth0: 10.24.34.1
  Swap usage:   0%
```

# Joining an Amazon EC2 Mac instance to your AWS Managed Microsoft AD Active Directory
<a name="join_mac_instance"></a>

This procedure manually joins an Amazon EC2 Mac instance to your AWS Managed Microsoft AD Active Directory.

## Prerequisites
<a name="mac_instance_join_prerequisites"></a>
+ Amazon EC2 Mac instances require [Amazon EC2 Dedicated Hosts](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/dedicated-hosts-overview.html). You must allocate a dedicated host and launch an instance onto the host. For more information, see [Launch a Mac instance](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-launch) in *Amazon EC2 User Guide*.
+ We recommend creating a DHCP option set for your AWS Managed Microsoft AD Active Directory. This will allow any instances in your Amazon VPC to point to the specified domain and DNS servers to resolve their domain names. See [Creating or changing a DHCP options set for AWS Managed Microsoft AD](dhcp_options_set.md) for more information.

**Note**  
Dedicated Host pricing varies by the payment option that you select. For more information, see [Pricing and Billing](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/dedicated-hosts-billing.html) in *Amazon EC2 User Guide*.

## Manually joining a Mac instance
<a name="mac_instance_join_steps"></a>

1. Use the following SSH command to connect to your Mac instance. For more information about connecting to your Mac instance, see [Connect to your Mac instance](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/ec2-mac-instances.html#connect-to-mac-instance).

   ```
   ssh -i /path/key-pair-name.pem ec2-user@my-instance-public-dns-name
   ```

1. After you connect to your Mac instance, create a password for the *ec2-user* account using the following command:

   ```
   sudo passwd ec2-user
   ```

1. When prompted at the command line, provide a password for the *ec2-user* account. You can update your operating system and software by following the procedure in [Update the operating system and software](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-updates) in *Amazon EC2 User Guide*.

1. Use the following *dsconfigad* command to join your Mac instance to the AWS Managed Microsoft AD Active Directory domain. Make sure to replace the domain name, computer name, and organizational unit with your AWS Managed Microsoft AD Active Directory domain information. For more information, see [Configuring domain access in Directory Utility on Mac](https://support.apple.com/guide/directory-utility/configure-domain-access-diru11f4f748/mac) on the Apple website.
**Warning**  
The computer name shouldn't contain a hyphen. Hyphens might prevent the bind to the AWS Managed Microsoft AD Active Directory.

   ```
   sudo dsconfigad -add domainName -computer computerName -username Username -ou "Your-AWS-Delegated-Organizational-Unit"
   ```

   The following example shows what the command looks like when an administrative user joins a Mac instance named **myec2mac01** to the **example.com** domain:

   ```
   sudo dsconfigad -add example.com -computer myec2mac01 -username admin -ou "OU=Computers,OU=Example,DC=Example,DC=com"
   ```

1. Use the following command to give the **AWS Delegated Administrators** group administrative rights on your Mac instance:

   ```
   sudo dsconfigad -groups "EXAMPLE\aws delegated administrators"
   ```

1. Use the following command to confirm the AWS Managed Microsoft AD Active Directory domain join was successful:

   ```
   dsconfigad -show
   ```

You have successfully joined your Mac instance to your AWS Managed Microsoft AD Active Directory. You can now log in to your Mac instance using your AWS Managed Microsoft AD Active Directory credentials.

When you first log in to your Mac instance, you should be provided with an option to log in as the "Other" user. At this point, you can use your Active Directory domain credentials to log in to the Mac instance. If "Other" does not appear on the login screen after completing these steps, log in as ec2-user and then log out.

To log in using the graphical user interface with a domain user, follow the steps in [Connect to your instance's graphical user interface (GUI)](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-vnc) in *Amazon EC2 User Guide*.

# Delegating directory join privileges for AWS Managed Microsoft AD
<a name="directory_join_privileges"></a>

To join a computer to your AWS Managed Microsoft AD, you need an account that has privileges to join computers to the directory. 

With AWS Directory Service for Microsoft Active Directory, members of the **Admins** and **AWS Delegated Server Administrators** groups have these privileges.

However, as a best practice, you should use an account that has only the minimum privileges necessary. The following procedure demonstrates how to create a new group called `Joiners` and delegate the privileges to this group that are needed to join computers to the directory.

You must perform this procedure on a computer that is joined to your directory and has the **Active Directory User and Computers** MMC snap-in installed. You must also be logged in as a domain administrator.

**To delegate join privileges for AWS Managed Microsoft AD**

1. Open **Active Directory User and Computers** and select the organizational unit (OU) that has your NetBIOS name in the navigation tree, then select the **Users** OU.
**Important**  
When you launch an AWS Directory Service for Microsoft Active Directory directory, AWS creates an organizational unit (OU) that contains all your directory's objects. This OU, which has the NetBIOS name that you typed when you created your directory, is located in the domain root. The domain root is owned and managed by AWS. You cannot make changes to the domain root itself; therefore, you must create the **Joiners** group within the OU that has your NetBIOS name.

1. Open the context menu (right-click) for **Users**, choose **New**, and then choose **Group**. 

1. In the **New Object - Group** box, type the following and choose **OK**.
   + For **Group name**, type **Joiners**.
   + For **Group scope**, choose **Global**.
   + For **Group type**, choose **Security**.

1. In the navigation tree, select the **Computers** container under your NetBIOS name. From the **Action** menu, choose **Delegate Control**.

1. On the **Delegation of Control Wizard** page, choose **Next**, and then choose **Add**.

1. In the **Select Users, Computers, or Groups** box, type `Joiners` and choose **OK**. If more than one object is found, select the `Joiners` group created above. Choose **Next**.

1. On the **Tasks to Delegate** page, select **Create a custom task to delegate**, and then choose **Next**.

1. Select **Only the following objects in the folder**, and then select **Computer objects**. 

1. Select **Create selected objects in this folder** and **Delete selected objects in this folder**. Then choose **Next**.  
![\[Object type\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/aduc_directory_join_linux.png)

1. Select **Read** and **Write**, and then choose **Next**.  
![\[Object type\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/aduc_directory_join_permissions.png)

1. Verify the information on the **Completing the Delegation of Control Wizard** page and choose **Finish**. 

1. Create a user with a strong password and add that user to the `Joiners` group. This user must be in the **Users** container that is under your NetBIOS name. The user will then have sufficient privileges to connect instances to the directory.

# Creating or changing a DHCP options set for AWS Managed Microsoft AD
<a name="dhcp_options_set"></a>

AWS recommends that you create a DHCP options set for your Directory Service directory and assign the DHCP options set to the VPC that your directory is in. This allows any instances in that VPC to point to the specified domain and DNS servers to resolve their domain names.

 For more information about DHCP options sets, see [DHCP options sets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) in the *Amazon VPC User Guide*.

**To create a DHCP options set for your directory**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **DHCP Options Sets**, and then choose **Create DHCP options set**.

1. On the **Create DHCP options set** page, enter the following values for your directory:  
**Name**  
An optional tag for the options set.  
**Domain name**  
The fully qualified name of your directory, such as `corp.example.com`.  
**Domain name servers**  
The IP addresses of your AWS-provided directory's DNS servers.   
You can find these addresses by going to the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, selecting **Directories** and then choosing the correct directory ID.  
**NTP servers**  
Leave this field blank.  
**NetBIOS name servers**  
Leave this field blank.  
**NetBIOS node type**  
Leave this field blank.

1. Choose **Create DHCP options set**. The new set of DHCP options appears in your list of DHCP options.

1. Make a note of the ID of the new set of DHCP options (dopt-*xxxxxxxx*). You use it to associate the new options set with your VPC.

**To change the DHCP options set associated with a VPC**

After you create a set of DHCP options, you can't modify them. If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC. You can also set up your VPC to use no DHCP options at all.

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Your VPCs**.

1. Select the VPC, and then choose **Actions**, **Edit VPC settings**.

1. For **DHCP options set**, select an options set or choose **No DHCP options set**, and then choose **Save**.

To change the DHCP options set associated with a VPC using the command line, see the following:
+ **AWS CLI**: [associate-dhcp-options](https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-dhcp-options.html)
+ **AWS Tools for Windows PowerShell**: [Register-EC2DhcpOption](https://docs.aws.amazon.com/powershell/latest/reference/items/Register-EC2DhcpOption.html)
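The console steps above can be scripted with the AWS CLI. The following is an added example, not code from the AWS documentation: it reads the directory's DNS server addresses from `describe-directories`, refuses anything that is not a dotted-quad IPv4 address (a malformed value would become the resolver for every instance in the VPC), creates an options set with only the domain name and domain name servers populated, and associates it with the VPC. It assumes AWS CLI v2 with credentials that can call Directory Service and EC2; `d-EXAMPLE` and `vpc-EXAMPLE` in the usage note are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the AWS documentation: create and associate a DHCP
# options set for a directory with the AWS CLI instead of the VPC console.
# Assumes AWS CLI v2 is installed and credentialed for ds and ec2 calls.
set -eu

# Return the directory's DNS server IPs (whitespace-separated) from
# DescribeDirectories, which is where the console also gets them.
directory_dns_ips() {
  aws ds describe-directories --directory-ids "$1" \
    --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text
}

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq \
    '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Build the --dhcp-configurations arguments: domain name plus the directory's
# DNS servers only. NTP and NetBIOS entries stay unset, as in the console
# procedure. Returns non-zero if any server address is malformed.
dhcp_configurations() {
  local domain="$1"; shift
  local ip servers=""
  for ip in "$@"; do
    valid_ipv4 "$ip" || return 1
    servers="${servers:+$servers,}$ip"
  done
  printf 'Key=domain-name,Values=%s Key=domain-name-servers,Values=%s\n' \
    "$domain" "$servers"
}

# Create the options set for a directory and associate it with a VPC.
# Prints the new dopt-* ID so it can be recorded, as the console steps advise.
apply_directory_dhcp_options() {
  local directory_id="$1" vpc_id="$2" domain="$3"
  local ips configs dopt_id
  ips=$(directory_dns_ips "$directory_id")
  # shellcheck disable=SC2086  # word splitting on $ips and $configs is intended
  configs=$(dhcp_configurations "$domain" $ips)
  dopt_id=$(aws ec2 create-dhcp-options --dhcp-configurations $configs \
    --query 'DhcpOptions.DhcpOptionsId' --output text)
  aws ec2 associate-dhcp-options --dhcp-options-id "$dopt_id" --vpc-id "$vpc_id"
  printf '%s\n' "$dopt_id"
}
```

Usage: `apply_directory_dhcp_options d-EXAMPLE vpc-EXAMPLE corp.example.com`. Because an options set cannot be modified after creation, changing the DNS servers later means running this again and letting `associate-dhcp-options` swap the VPC to the new `dopt-*` ID; the previous set can then be deleted once no VPC references it.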