

# AWS Managed Microsoft AD test lab tutorials
<a name="ms_ad_tutorial_test_lab"></a>

This section provides a series of guided tutorials to help you establish a test lab environment in AWS where you can experiment with AWS Managed Microsoft AD.

**Topics**
+ [Tutorial: Setting up your base AWS Managed Microsoft AD test lab in AWS](ms_ad_tutorial_test_lab_base.md)
+ [Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2](ms_ad_tutorial_test_lab_trust.md)

# Tutorial: Setting up your base AWS Managed Microsoft AD test lab in AWS
<a name="ms_ad_tutorial_test_lab_base"></a>

This tutorial teaches you how to set up your AWS environment to prepare for a new AWS Managed Microsoft AD installation that uses a new Amazon EC2 instance running Windows Server 2019. It then teaches you to use typical Active Directory administration tools to manage your AWS Managed Microsoft AD environment from your EC2 Windows instance. By the time you complete the tutorial, you will have set up the network prerequisites and have configured a new AWS Managed Microsoft AD forest. 

As shown in the following illustration, the lab you create from this tutorial is the foundational component for hands-on learning about AWS Managed Microsoft AD. You can later add optional tutorials for more hands-on experience. This tutorial series is ideal for anyone who is new to AWS Managed Microsoft AD and wants a test lab for evaluation purposes. This tutorial takes approximately 1 hour to complete.

![\[Diagram showing tutorial steps: 1 set up your environment, 2 create your AWS Managed Microsoft AD, 3 deploy an Amazon EC2, and 4 test the lab.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadbase.png)


**[Step 1: Set up your AWS environment for AWS Managed Microsoft AD Active Directory](microsoftadbasestep1.md)**  
After you've completed your prerequisite tasks, you create an EC2 key pair and then build the network the lab runs in: two Amazon VPCs, their subnets, Internet gateways, a peering connection, routes, and the security groups your EC2 instances will use.

**[Step 2: Create your AWS Managed Microsoft AD Active Directory](microsoftadbasestep2.md)**  
In this step, you set up AWS Managed Microsoft AD in AWS for the first time.

**[Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed Microsoft AD Active Directory](microsoftadbasestep3.md)**  
Here, you walk through the various post-deployment tasks necessary for client computers to connect to your new domain and set up a new Windows Server system in EC2.

**[Step 4: Verify that the base test lab is operational](microsoftadbasestep4.md)**  
Finally, as an administrator, you verify that you can log in and connect to AWS Managed Microsoft AD from your Windows Server system in EC2. Once you've successfully tested that the lab is operational, you can continue to add other test lab guide modules.

# Prerequisites
<a name="microsoftadbaseprereq"></a>

If you plan to use only the UI steps in this tutorial to create your test lab, you can skip this prerequisites section and move on to Step 1. However, if you plan to use either AWS CLI commands or AWS Tools for Windows PowerShell modules to create your test lab environment, you must first configure the following:
+ **IAM user with the access and secret access key** – An IAM user with an access key is required if you want to use the AWS CLI or AWS Tools for Windows PowerShell modules. If you do not have an access key, see [Creating, modifying, and viewing access keys (AWS Management Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).
+ **AWS Command Line Interface (optional)** – Download and [Install the AWS CLI on Windows](https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html). Once installed, open the command prompt or PowerShell window, and then type `aws configure`. Note that you need the access key and secret key to complete the setup. See the first prerequisite for steps on how to do this. You will be prompted for the following:
  + AWS access key ID [None]: `AKIAIOSFODNN7EXAMPLE`
  + AWS secret access key [None]: `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`
  + Default Region name [None]: `us-west-2`
  + Default output format [None]: `json`
+ **AWS Tools for Windows PowerShell** **(optional)** – Download and install the latest version of the AWS Tools for Windows PowerShell from [https://aws.amazon.com/powershell/](https://aws.amazon.com/powershell/), and then run the following command (`Set-AWSCredentials` is an older alias of the same cmdlet). Note that you need your access key and secret key to complete the setup. See the first prerequisite for the steps on how to do this. The key values shown are placeholders; substitute your own. The keys are stored in the encrypted SDK credential store under the profile name you give to `-StoreAs`, but they are also typed on the command line, so clear your PowerShell history afterwards. Set the Region the examples use with `Set-DefaultAWSRegion -Region us-west-2`.

  `Set-AWSCredential -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -StoreAs default`

# Step 1: Set up your AWS environment for AWS Managed Microsoft AD Active Directory
<a name="microsoftadbasestep1"></a>

Before you can create AWS Managed Microsoft AD in your AWS test lab, you first need an Amazon EC2 key pair. EC2 encrypts the local administrator password of each Windows instance you launch with the key pair's public key; you need the matching private key to decrypt that password and log in.

## Create a key pair
<a name="createkeypair2"></a>

If you already have a key pair, you can skip this step. For more information about Amazon EC2 key pairs, see [Create key pairs](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/create-key-pairs.html).

**To create a key pair**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Network & Security**, choose **Key Pairs**, and then choose **Create Key Pair**.

1. For **Key pair name**, type **AWS-DS-KP**. For **Key pair file format**, select **pem**, and then choose **Create**.

1. The private key file is automatically downloaded by your browser. The file name is the name you specified when you created your key pair with an extension of `.pem`. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file. You need to provide the name of your key pair when you launch an instance and the corresponding private key each time you decrypt the password for the instance.

## Create, configure, and peer two Amazon VPCs
<a name="createvpc"></a>

As shown in the following illustration, by the time you finish this multi-step process you will have created and configured two public VPCs, two public subnets per VPC, one Internet Gateway per VPC, and one VPC Peering connection between the VPCs. We chose to use public VPCs and subnets for the purpose of simplicity and cost. For production workloads, we recommend that you use private VPCs. For more information about improving VPC Security, see [Security in Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/security.html).

![\[Amazon VPC environment with subnets, and Internet Gateways to create an AWS Managed Microsoft AD Active Directory.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadbase_vpclayout.png)


All of the AWS CLI and PowerShell examples use the VPC information below and are built in us-west-2. You may choose any [supported Region](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/regions.html) to build your environment in. For general information, see [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).

**Step 1: Create two VPCs**

In this step, you need to create two VPCs in the same account using the specified parameters in the following table. AWS Managed Microsoft AD supports the use of separate accounts with the [Share your AWS Managed Microsoft AD](ms_ad_directory_sharing.md) feature. The first VPC will be used for AWS Managed Microsoft AD. The second VPC will be used for resources that can be used later in [Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2](ms_ad_tutorial_test_lab_trust.md).


| Setting | Managed Active Directory VPC | On-premises VPC |
| --- | --- | --- |
| Name tag | AWS-DS-VPC01 | AWS-OnPrem-VPC01 |
| IPv4 CIDR block | 10.0.0.0/16 | 10.100.0.0/16 |
| IPv6 CIDR block | No IPv6 CIDR block | No IPv6 CIDR block |
| Tenancy | Default | Default |

For detailed instructions, see [Creating a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#Create-VPC).

**Step 2: Create two subnets per VPC**

After you have created the VPCs, create two subnets per VPC using the parameters in the following table. For this test lab each subnet is a /24, which gives 256 addresses per subnet (AWS reserves the first four and the last address of every subnet, so 251 are usable). Each subnet must be in a separate Availability Zone; this is one of the [Prerequisites for creating a AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_prereqs).


| Name tag | VPC | Availability Zone | IPv4 CIDR block |
| --- | --- | --- | --- |
| AWS-DS-VPC01-Subnet01 | vpc-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01) | us-west-2a | 10.0.0.0/24 |
| AWS-DS-VPC01-Subnet02 | vpc-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01) | us-west-2b | 10.0.1.0/24 |
| AWS-OnPrem-VPC01-Subnet01 | vpc-xxxxxxxxxxxxxxxxx (AWS-OnPrem-VPC01) | us-west-2a | 10.100.0.0/24 |
| AWS-OnPrem-VPC01-Subnet02 | vpc-xxxxxxxxxxxxxxxxx (AWS-OnPrem-VPC01) | us-west-2b | 10.100.1.0/24 |

For detailed instructions, see [Creating a subnet in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet).

**Step 3: Create and attach an Internet Gateway to your VPCs**

Since we are using public VPCs, you need to create and attach an Internet gateway to each VPC using the parameters in the following table. This is what lets you reach the EC2 instances over the Internet to manage them.


| Name tag | VPC |
| --- | --- |
| AWS-DS-VPC01-IGW | vpc-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01) |
| AWS-OnPrem-VPC01-IGW | vpc-xxxxxxxxxxxxxxxxx (AWS-OnPrem-VPC01) |

For detailed instructions, see [Internet gateways](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html).

**Step 4: Configure a VPC peering connection between AWS-DS-VPC01 and AWS-OnPrem-VPC01**

Since you already created two VPCs earlier, you will need to network them together using VPC peering using the specified parameters in the following table. While there are many ways to connect your VPCs, this tutorial will use VPC Peering. AWS Managed Microsoft AD supports many solutions to connect your VPCs, some of these include [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html), [Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html), and [VPN](https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html). 


| Setting | Value |
| --- | --- |
| Peering connection name tag | AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer |
| VPC (Requester) | vpc-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01) |
| Account | My Account |
| Region | This Region |
| VPC (Accepter) | vpc-xxxxxxxxxxxxxxxxx (AWS-OnPrem-VPC01) |

For instructions on how to create a VPC peering connection with another VPC from within your account, see [Creating a VPC peering connection with another VPC in your account](https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html#create-vpc-peering-connection-local). A peering request must be accepted before it carries traffic, even when both VPCs are in the same account.

**Step 5: Add two routes to each VPC's main route table**

In order for the Internet Gateways and VPC Peering Connection created in the previous steps to be functional you will need to update the main route table of both VPCs using the specified parameters in the following table. You will be adding two routes; 0.0.0.0/0 which will route to all destinations not explicitly known to the route table and 10.0.0.0/16 or 10.100.0.0/16 which will route to each VPC over the VPC Peering Connection established above. 

You can easily find the correct route table for each VPC by filtering on the VPC name tag (AWS-DS-VPC01 or AWS-OnPrem-VPC01).


| Route table | Destination | Target |
| --- | --- | --- |
| AWS-DS-VPC01 (main) | 0.0.0.0/0 | igw-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01-IGW) |
| AWS-DS-VPC01 (main) | 10.100.0.0/16 | pcx-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer) |
| AWS-OnPrem-VPC01 (main) | 0.0.0.0/0 | igw-xxxxxxxxxxxxxxxxx (AWS-OnPrem-VPC01-IGW) |
| AWS-OnPrem-VPC01 (main) | 10.0.0.0/16 | pcx-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer) |

For instructions on how to add routes to a VPC route table, see [Adding and removing routes from a route table](https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html#AddRemoveRoutes).
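
The five network steps above, carried out end to end with AWS Tools for Windows PowerShell. This is an added example and not code from the AWS documentation; it assumes `Set-AWSCredential` has already been run (see the prerequisites) and that the lab is built in us-west-2. The helper function names (`New-LabVpc`, `New-LabSubnet`, `New-LabInternetGateway`, `Get-LabMainRouteTableId`) are local to this script.

```powershell
# Added example, not from the AWS documentation: builds Steps 1 to 5 above with
# AWS Tools for PowerShell. Assumes Set-AWSCredential has already been run.
Set-DefaultAWSRegion -Region us-west-2

function New-LabVpc {
    param([string]$Name, [string]$Cidr)
    # Default tenancy is one of the AWS Managed Microsoft AD prerequisites
    $vpc = New-EC2Vpc -CidrBlock $Cidr -InstanceTenancy default
    New-EC2Tag -Resource $vpc.VpcId -Tag @{ Key = 'Name'; Value = $Name }
    return $vpc.VpcId
}

function New-LabSubnet {
    param([string]$VpcId, [string]$Name, [string]$Cidr, [string]$Az)
    $subnet = New-EC2Subnet -VpcId $VpcId -CidrBlock $Cidr -AvailabilityZone $Az
    New-EC2Tag -Resource $subnet.SubnetId -Tag @{ Key = 'Name'; Value = $Name }
    # "Public" subnet: instances launched here get a public IPv4 address by default
    Edit-EC2SubnetAttribute -SubnetId $subnet.SubnetId -MapPublicIpOnLaunch $true
    return $subnet.SubnetId
}

function New-LabInternetGateway {
    param([string]$VpcId, [string]$Name)
    $igw = New-EC2InternetGateway
    New-EC2Tag -Resource $igw.InternetGatewayId -Tag @{ Key = 'Name'; Value = $Name }
    Add-EC2InternetGateway -InternetGatewayId $igw.InternetGatewayId -VpcId $VpcId
    return $igw.InternetGatewayId
}

function Get-LabMainRouteTableId {
    param([string]$VpcId)
    # Every VPC has exactly one route table whose association is flagged "main"
    $rtb = Get-EC2RouteTable -Filter @(
        @{ Name = 'vpc-id';           Values = $VpcId },
        @{ Name = 'association.main'; Values = 'true' })
    return $rtb.RouteTableId
}

# Step 1: two VPCs
$dsVpc     = New-LabVpc -Name 'AWS-DS-VPC01'     -Cidr '10.0.0.0/16'
$onPremVpc = New-LabVpc -Name 'AWS-OnPrem-VPC01' -Cidr '10.100.0.0/16'

# Step 2: two subnets per VPC, each pair spread over two Availability Zones
$dsSubnets = @(
    (New-LabSubnet $dsVpc 'AWS-DS-VPC01-Subnet01' '10.0.0.0/24' 'us-west-2a'),
    (New-LabSubnet $dsVpc 'AWS-DS-VPC01-Subnet02' '10.0.1.0/24' 'us-west-2b'))
$onPremSubnets = @(
    (New-LabSubnet $onPremVpc 'AWS-OnPrem-VPC01-Subnet01' '10.100.0.0/24' 'us-west-2a'),
    (New-LabSubnet $onPremVpc 'AWS-OnPrem-VPC01-Subnet02' '10.100.1.0/24' 'us-west-2b'))

# Step 3: one Internet gateway per VPC
$dsIgw     = New-LabInternetGateway -VpcId $dsVpc     -Name 'AWS-DS-VPC01-IGW'
$onPremIgw = New-LabInternetGateway -VpcId $onPremVpc -Name 'AWS-OnPrem-VPC01-IGW'

# Step 4: peer the VPCs. Even within one account the request must be accepted.
$pcx   = New-EC2VpcPeeringConnection -VpcId $dsVpc -PeerVpcId $onPremVpc
$pcxId = $pcx.VpcPeeringConnectionId
Approve-EC2VpcPeeringConnection -VpcPeeringConnectionId $pcxId | Out-Null
New-EC2Tag -Resource $pcxId -Tag @{ Key = 'Name'; Value = 'AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer' }

# Step 5: default route to the IGW, plus the other VPC's CIDR over the peering link
$dsRtb = Get-LabMainRouteTableId $dsVpc
New-EC2Route -RouteTableId $dsRtb -DestinationCidrBlock '0.0.0.0/0'     -GatewayId $dsIgw
New-EC2Route -RouteTableId $dsRtb -DestinationCidrBlock '10.100.0.0/16' -VpcPeeringConnectionId $pcxId

$onPremRtb = Get-LabMainRouteTableId $onPremVpc
New-EC2Route -RouteTableId $onPremRtb -DestinationCidrBlock '0.0.0.0/0'   -GatewayId $onPremIgw
New-EC2Route -RouteTableId $onPremRtb -DestinationCidrBlock '10.0.0.0/16' -VpcPeeringConnectionId $pcxId

# Keep these IDs: the security group, directory, DHCP and instance steps need them
[pscustomobject]@{
    DsVpc = $dsVpc;         DsSubnets = $dsSubnets
    OnPremVpc = $onPremVpc; OnPremSubnets = $onPremSubnets
    Peering = $pcxId
}
```

The two peering routes are what the trust tutorial later depends on: without the `10.100.0.0/16` and `10.0.0.0/16` entries the domain controllers in each VPC cannot reach each other, and the peering connection itself stays idle even though it shows as active.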

## Create security groups for Amazon EC2 instances
<a name="createsecuritygroup"></a>

By default, AWS Managed Microsoft AD creates a security group to manage traffic between its domain controllers. In this section, you create two security groups (one for each VPC) that control traffic to your EC2 instances, using the parameters in the following tables. Each group allows RDP (TCP 3389) inbound only from your own public IP address (**My IP** in the console) and all traffic inbound from the local VPC. Do not widen the RDP rule to 0.0.0.0/0, even in a test lab; Internet-exposed RDP is a constant target for password brute-forcing. For more information, see [Amazon EC2 security groups for Windows instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-network-security.html).


| Setting | Value |
| --- | --- |
| Security group name | AWS DS Test Lab Security Group |
| Description | AWS DS Test Lab Security Group |
| VPC | vpc-xxxxxxxxxxxxxxxxx (AWS-DS-VPC01) |

**Security Group Inbound Rules for AWS-DS-VPC01**



| Type | Protocol | Port range | Source | Type of traffic | 
| --- | --- | --- | --- | --- | 
| Custom TCP Rule  | TCP | 3389 | My IP | Remote Desktop | 
| All Traffic | All | All | 10.0.0.0/16 | All local VPC traffic | 

**Security Group Outbound Rules for AWS-DS-VPC01**



| Type | Protocol | Port range | Destination | Type of traffic | 
| --- | --- | --- | --- | --- | 
| All Traffic | All | All | 0.0.0.0/0 | All traffic | 


| Setting | Value |
| --- | --- |
| Security group name | AWS OnPrem Test Lab Security Group |
| Description | AWS OnPrem Test Lab Security Group |
| VPC | vpc-xxxxxxxxxxxxxxxxx (AWS-OnPrem-VPC01) |

**Security Group Inbound Rules for AWS-OnPrem-VPC01**



| Type | Protocol | Port range | Source | Type of traffic | 
| --- | --- | --- | --- | --- | 
| Custom TCP Rule  | TCP | 3389 | My IP | Remote Desktop | 
| Custom TCP Rule  | TCP | 53 | 10.0.0.0/16 | DNS | 
| Custom TCP Rule  | TCP  | 88 | 10.0.0.0/16 | Kerberos | 
| Custom TCP Rule  | TCP  | 389 | 10.0.0.0/16 | LDAP | 
| Custom TCP Rule  | TCP | 464 | 10.0.0.0/16 | Kerberos change / set password | 
| Custom TCP Rule  | TCP | 445 | 10.0.0.0/16 | SMB / CIFS | 
| Custom TCP Rule  | TCP | 135 | 10.0.0.0/16 | Replication | 
| Custom TCP Rule  | TCP | 636 | 10.0.0.0/16 | LDAP SSL | 
| Custom TCP Rule  | TCP | 49152 - 65535 | 10.0.0.0/16 | RPC | 
| Custom TCP Rule  | TCP | 3268 - 3269 | 10.0.0.0/16 | LDAP GC & LDAP GC SSL | 
| Custom UDP Rule  | UDP | 53 | 10.0.0.0/16 | DNS | 
| Custom UDP Rule  | UDP | 88 | 10.0.0.0/16 | Kerberos | 
| Custom UDP Rule  | UDP | 123 | 10.0.0.0/16 | Windows Time | 
| Custom UDP Rule  | UDP | 389 | 10.0.0.0/16 | LDAP | 
| Custom UDP Rule  | UDP | 464 | 10.0.0.0/16 | Kerberos change / set password | 
| All Traffic | All | All | 10.100.0.0/16 | All local VPC traffic | 

**Security Group Outbound Rules for AWS-OnPrem-VPC01**



| Type | Protocol | Port range | Destination | Type of traffic | 
| --- | --- | --- | --- | --- | 
| All Traffic | All | All | 0.0.0.0/0 | All traffic | 

For detailed instructions on how to create and add rules to your security groups, see [Working with security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#WorkingWithSecurityGroups).
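
Both security groups, created from the rule tables above with AWS Tools for Windows PowerShell. This is an added example, not code from the AWS documentation. It assumes the VPC IDs from the previous section (placeholders below), and it looks up your current public address from `https://checkip.amazonaws.com` so that the RDP rule is scoped to that one address rather than to the Internet; the helper names `New-LabRule` and `New-LabSecurityGroup` are local to this script. The on-premises rule list is written as data so you can see at a glance which Active Directory ports the managed domain controllers in 10.0.0.0/16 will be allowed to reach.

```powershell
# Added example, not from the AWS documentation. Assumes Set-AWSCredential and
# Set-DefaultAWSRegion have been run; the VPC IDs are placeholders.
$dsVpc     = 'vpc-xxxxxxxxxxxxxxxxx'   # AWS-DS-VPC01
$onPremVpc = 'vpc-xxxxxxxxxxxxxxxxx'   # AWS-OnPrem-VPC01

# Equivalent of "My IP" in the console: your current public IPv4 address as a /32
$myIp = (Invoke-RestMethod -Uri 'https://checkip.amazonaws.com').Trim() + '/32'

function New-LabRule {
    param([string]$Protocol, [int]$FromPort, [int]$ToPort, [string]$Cidr)
    # Hashtable shape that Grant-EC2SecurityGroupIngress converts to an IpPermission
    return @{ IpProtocol = $Protocol; FromPort = $FromPort; ToPort = $ToPort; IpRanges = $Cidr }
}

function New-LabSecurityGroup {
    param([string]$VpcId, [string]$Name, [string]$Description, [object[]]$Rules)
    $sgId = New-EC2SecurityGroup -VpcId $VpcId -GroupName $Name -Description $Description
    # A new VPC security group already allows all outbound traffic (the tables'
    # single egress rule), so only the inbound rules need to be added.
    Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $Rules
    return $sgId
}

# AWS-DS-VPC01: RDP from your address only, plus everything from inside the VPC
$dsRules = @(
    (New-LabRule 'tcp' 3389 3389 $myIp),
    @{ IpProtocol = '-1'; IpRanges = '10.0.0.0/16' })
$dsSg = New-LabSecurityGroup $dsVpc 'AWS DS Test Lab Security Group' 'AWS DS Test Lab Security Group' $dsRules

# AWS-OnPrem-VPC01: the directory ports from the inbound table, from the managed AD VPC
$adPorts = @(
    @{ Protocol = 'tcp'; From = 53;    To = 53;    Use = 'DNS' },
    @{ Protocol = 'tcp'; From = 88;    To = 88;    Use = 'Kerberos' },
    @{ Protocol = 'tcp'; From = 135;   To = 135;   Use = 'RPC endpoint mapper (replication)' },
    @{ Protocol = 'tcp'; From = 389;   To = 389;   Use = 'LDAP' },
    @{ Protocol = 'tcp'; From = 445;   To = 445;   Use = 'SMB / CIFS' },
    @{ Protocol = 'tcp'; From = 464;   To = 464;   Use = 'Kerberos change / set password' },
    @{ Protocol = 'tcp'; From = 636;   To = 636;   Use = 'LDAP SSL' },
    @{ Protocol = 'tcp'; From = 3268;  To = 3269;  Use = 'LDAP GC and LDAP GC SSL' },
    @{ Protocol = 'tcp'; From = 49152; To = 65535; Use = 'Dynamic RPC' },
    @{ Protocol = 'udp'; From = 53;    To = 53;    Use = 'DNS' },
    @{ Protocol = 'udp'; From = 88;    To = 88;    Use = 'Kerberos' },
    @{ Protocol = 'udp'; From = 123;   To = 123;   Use = 'Windows Time' },
    @{ Protocol = 'udp'; From = 389;   To = 389;   Use = 'LDAP' },
    @{ Protocol = 'udp'; From = 464;   To = 464;   Use = 'Kerberos change / set password' })

$onPremRules  = @((New-LabRule 'tcp' 3389 3389 $myIp))
$onPremRules += @($adPorts | ForEach-Object { New-LabRule $_.Protocol $_.From $_.To '10.0.0.0/16' })
$onPremRules += @{ IpProtocol = '-1'; IpRanges = '10.100.0.0/16' }
$onPremSg = New-LabSecurityGroup $onPremVpc 'AWS OnPrem Test Lab Security Group' 'AWS OnPrem Test Lab Security Group' $onPremRules

"AWS-DS-VPC01 SG: $dsSg   AWS-OnPrem-VPC01 SG: $onPremSg   RDP allowed from: $myIp"
```

If your public address changes (home connections, VPN exits), the RDP rule stops matching and the connection attempt simply times out; rerun the address lookup and update the rule rather than widening it.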

# Step 2: Create your AWS Managed Microsoft AD Active Directory
<a name="microsoftadbasestep2"></a>

You can use three different methods to create your directory. You can use the AWS Management Console procedure (recommended for this tutorial) or you can use either the AWS CLI or AWS Tools for Windows PowerShell procedures to create your directory.

**Method 1: To create your AWS Managed Microsoft AD directory (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories** and then choose **Set up directory**.

1. On the **Select directory type** page, choose **AWS Managed Microsoft AD**, and then choose **Next**.

1. On the **Enter directory information** page, provide the following information, and then choose **Next**.
   + For **Edition**, select either **Standard Edition** or **Enterprise Edition**. For more information about editions, see [AWS Directory Service for Microsoft Active Directory](what_is.md#microsoftad). 
   + For **Directory DNS name**, type **corp.example.com**.
   + For **Directory NetBIOS name**, type **corp**.
   + For **Directory description**, type **AWS DS Managed**.
   + For **Admin password**, type the password you want to use for this account and type the password again in **Confirm password**. This **Admin** account is automatically created during the directory creation process. The password cannot include the word *admin*. The directory administrator password is case sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:
     + Lowercase letters (a-z)
     + Uppercase letters (A-Z)
     + Numbers (0-9)
     + Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

1. On the **Choose VPC and subnets** page, provide the following information, and then choose **Next**.
   + For **VPC**, choose the option that begins with **AWS-DS-VPC01** and ends with **(10.0.0.0/16)**.
   + For **Subnets**, choose the **10.0.0.0/24** and **10.0.1.0/24** public subnets.

1. On the **Review & create** page, review the directory information and make any necessary changes. When the information is correct, choose **Create directory**. Creating the directory takes 20 to 40 minutes. Once created, the **Status** value changes to **Active**.

**Method 2: To create your AWS Managed Microsoft AD (PowerShell) (Optional)**

1. Open PowerShell.

1. Type the following command, using the values from Steps 3 and 4 of the preceding AWS Management Console procedure. The password is passed as a plain string and therefore lands in your PowerShell history; use a throwaway value here and clear the history afterwards, or prompt for it with `Read-Host -AsSecureString` and convert it just before the call.

   ```
   New-DSMicrosoftAD -Name corp.example.com -ShortName corp -Password 'P@ssw0rd' -Description "AWS DS Managed" -VpcSettings_VpcId vpc-xxxxxxxx -VpcSettings_SubnetId subnet-xxxxxxxx,subnet-xxxxxxxx
   ```

**Method 3: To create your AWS Managed Microsoft AD (AWS CLI) (Optional)**

1. Open the AWS CLI.

1. Type the following command, using the values from Steps 3 and 4 of the preceding AWS Management Console procedure. The `--vpc-settings` value must not contain spaces, and the two subnet IDs must be in different Availability Zones. As with the PowerShell form, the password is visible in your shell history.

   ```
   aws ds create-microsoft-ad --name corp.example.com --short-name corp --password 'P@ssw0rd' --description "AWS DS Managed" --vpc-settings VpcId=vpc-xxxxxxxx,SubnetIds=subnet-xxxxxxxx,subnet-xxxxxxxx
   ```
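
A fuller version of the PowerShell method, added here as an example and not taken from the AWS documentation. It prompts for the Admin password instead of putting it on the command line, creates the directory with the console values, and then polls `Get-DSDirectory` until the directory leaves the creating stages, which is the 20 to 40 minute wait mentioned above. The VPC and subnet IDs are placeholders for the values from Step 1.

```powershell
# Added example, not from the AWS documentation. Assumes Set-AWSCredential and
# Set-DefaultAWSRegion have been run; the IDs below are placeholders.
$dsVpc     = 'vpc-xxxxxxxxxxxxxxxxx'
$dsSubnets = @('subnet-xxxxxxxxxxxxxxxxx', 'subnet-xxxxxxxxxxxxxxxxx')   # one subnet per AZ

# Prompt for the Admin password so it is never stored in the shell history or in a script.
$secure   = Read-Host -Prompt 'Admin password for corp.example.com' -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password

$directoryId = New-DSMicrosoftAD -Name 'corp.example.com' -ShortName 'corp' `
    -Password $password -Description 'AWS DS Managed' -Edition Standard `
    -VpcSettings_VpcId $dsVpc -VpcSettings_SubnetId $dsSubnets
$password = $null   # drop the plaintext copy as soon as the API call has been made

# Creation takes 20 to 40 minutes. Poll once a minute until the stage is final.
do {
    Start-Sleep -Seconds 60
    $dir = Get-DSDirectory -DirectoryId $directoryId
    "$(Get-Date -Format 'HH:mm:ss')  $directoryId  $($dir.Stage)"
} while ($dir.Stage -in 'Requested', 'Creating', 'Created')

if ($dir.Stage -ne 'Active') { throw "Directory $directoryId ended in stage $($dir.Stage)" }

# The DNS addresses are what the DHCP options set and the domain join need later.
"Directory $directoryId is Active. DNS: $($dir.DnsIpAddrs -join ', ')"
```

`Stage` passes through `Requested`, `Creating` and `Created` before reaching `Active`; anything else at the end of the loop (`Failed`, `Inoperable`) is an error you want to see immediately rather than discover when the domain join fails in Step 3.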

# Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed Microsoft AD Active Directory
<a name="microsoftadbasestep3"></a>

For this lab, we are using Amazon EC2 instances that have public IP addresses to make it easy to access the management instance from anywhere. In a production setting, you can use instances that are in a private VPC that are only accessible through a VPN or Direct Connect link. There is no requirement the instance have a public IP address.

In this section, you walk through the various post-deployment tasks necessary for client computers to connect to your domain using the Windows Server on your new EC2 instance. You use the Windows Server in the next step to verify that the lab is operational.

## Optional: Create a DHCP options set in AWS-DS-VPC01 for your directory
<a name="createdhcpoptionsset"></a>

In this optional procedure, you set up a DHCP option scope so that EC2 instances in your VPC automatically use your AWS Managed Microsoft AD for DNS resolution. For more information, see [DHCP options sets](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html).

**To create a DHCP options set for your directory**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **DHCP Options Sets**, and then choose **Create DHCP options set**.

1. On the **Create DHCP options set** page, provide the following values for your directory:
   + For **Name**, type **AWS DS DHCP**.
   + For **Domain name**, type **corp.example.com**.
   + For **Domain name servers**, type the IP addresses of your AWS provided directory's DNS servers. 
**Note**  
To find these addresses, go to the Directory Service **Directories** page, and then choose the applicable directory ID. On the **Details** page, identify and use the IPs that are displayed in **DNS address**.  
Alternatively, to find these addresses, go to the Directory Service **Directories** page, and choose the applicable directory ID. Then, choose **Scale & share**. Under **Domain controllers**, identify and use the IPs that are displayed in **IP address**.
   + Leave the settings blank for **NTP servers**, **NetBIOS name servers**, and **NetBIOS node type**.

1. Choose **Create DHCP options set**, and then choose **Close**. The new set of DHCP options appear in your list of DHCP options.

1. Make a note of the ID of the new set of DHCP options (**dopt-*xxxxxxxx***). You use it at the end of this procedure when you associate the new options set with your VPC.
**Note**  
Seamless domain join works without having to configure a DHCP Options Set. 

1. In the navigation pane, choose **Your VPCs**.

1. In the list of VPCs, select **AWS-DS-VPC01**, choose **Actions**, and then choose **Edit DHCP options set**.

1. On the **Edit DHCP options set** page, select the options set that you recorded in Step 5, and then choose **Save**.
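
The same procedure from AWS Tools for Windows PowerShell, added as an example that is not part of the AWS documentation. Instead of copying the DNS addresses out of the console it reads them from the directory itself, so the options set cannot drift from what the directory actually serves. The directory and VPC IDs are placeholders.

```powershell
# Added example, not from the AWS documentation. Assumes Set-AWSCredential and
# Set-DefaultAWSRegion have been run; the IDs below are placeholders.
$directoryId = 'd-xxxxxxxxxx'
$dsVpc       = 'vpc-xxxxxxxxxxxxxxxxx'   # AWS-DS-VPC01

$dir = Get-DSDirectory -DirectoryId $directoryId
if ($dir.Stage -ne 'Active') { throw "Directory $directoryId is $($dir.Stage), not Active" }

# domain-name and domain-name-servers are the only options the tutorial sets;
# NTP, NetBIOS name servers and node type are left unset, as in the console steps.
$dhcp = New-EC2DhcpOption -DhcpConfiguration @(
    @{ Key = 'domain-name';         Values = $dir.Name },        # corp.example.com
    @{ Key = 'domain-name-servers'; Values = $dir.DnsIpAddrs })  # the directory's own DNS
New-EC2Tag -Resource $dhcp.DhcpOptionsId -Tag @{ Key = 'Name'; Value = 'AWS DS DHCP' }

Register-EC2DhcpOption -DhcpOptionsId $dhcp.DhcpOptionsId -VpcId $dsVpc

# Verify the association. Instances already running in the VPC pick up the new
# resolvers on their next lease renewal (ipconfig /renew on Windows forces it).
$vpcOpts = (Get-EC2Vpc -VpcId $dsVpc).DhcpOptionsId
"VPC $dsVpc now uses $vpcOpts (expected $($dhcp.DhcpOptionsId)): $($vpcOpts -eq $dhcp.DhcpOptionsId)"
```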

## Create a role to join Windows instances to your AWS Managed Microsoft AD domain
<a name="configureec2"></a>

Use this procedure to configure a role that joins an Amazon EC2 Windows instance to a domain. For more information, see [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md).

**To configure EC2 to join Windows instances to your domain**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. Immediately under **Choose the service that will use this role**, choose **EC2**, and then choose **Next: Permissions**.

1. On the **Attached permissions policy** page, do the following:
   + Select the box next to the **AmazonSSMManagedInstanceCore** managed policy. This policy provides the minimum permissions necessary to use the Systems Manager service.
   + Select the box next to **AmazonSSMDirectoryServiceAccess** managed policy. The policy provides the permissions to join instances to an Active Directory managed by Directory Service.

   For information about these managed policies and other policies you can attach to an IAM instance profile for Systems Manager, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*. For information about managed policies, see [AWS Managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

1. Choose **Next: Tags**.

1. (Optional) Add one or more tag key-value pairs to organize, track, or control access for this role, and then choose **Next: Review**. 

1. For **Role name**, enter a name for the role that describes that it is used to join instances to a domain, such as **EC2DomainJoin**.

1. (Optional) For **Role description**, enter a description.

1. Choose **Create role**. The system returns you to the **Roles** page.
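
The role created above, built with AWS Tools for Windows PowerShell. This is an added example, not code from the AWS documentation. It shows the one piece the console hides: an EC2 instance cannot use a role directly, it needs an instance profile that wraps the role, and the console creates that profile for you while the API does not. The trust policy restricts who can assume the role to the EC2 service principal, and the two permissions come from the AWS managed policies named in the steps rather than from a hand-written inline policy.

```powershell
# Added example, not from the AWS documentation. Assumes Set-AWSCredential and
# Set-DefaultAWSRegion have been run.
$roleName = 'EC2DomainJoin'

# Trust policy: only the EC2 service may assume this role (the "AWS service / EC2" choice in the console)
$trust = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
'@

New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $trust `
    -Description 'Lets EC2 Windows instances join the AWS Managed Microsoft AD domain through Systems Manager' | Out-Null

# AWS managed policies: SSM agent core permissions plus the Directory Service join rights
$policies = @(
    'arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore',
    'arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess')
foreach ($arn in $policies) {
    Register-IAMRolePolicy -RoleName $roleName -PolicyArn $arn
}

# The instance profile is what you actually select as "IAM role" when launching the instance
New-IAMInstanceProfile -InstanceProfileName $roleName | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName $roleName -RoleName $roleName

# Check: one role in the profile, exactly the two managed policies attached, nothing inline
"Profile roles:    $((Get-IAMInstanceProfile -InstanceProfileName $roleName).Roles.RoleName -join ', ')"
"Attached:         $((Get-IAMAttachedRolePolicyList -RoleName $roleName).PolicyName -join ', ')"
"Inline policies:  $((Get-IAMRolePolicyList -RoleName $roleName) -join ', ')"
```

IAM is eventually consistent; if the instance launch in the next procedure rejects the profile name right after you create it, wait a few seconds and retry rather than creating a second profile.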

## Create an Amazon EC2 instance and automatically join the directory
<a name="deployec2instance"></a>

In this procedure you set up a Windows Server system in a EC2 instance that can be used later to administer users, groups, and policies in Active Directory. 

**To create an EC2 instance and automatically join the directory**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. Choose **Launch Instance**.

1. On the **Step 1** page, next to **Microsoft Windows Server 2019 Base - ami-*xxxxxxxxxxxxxxxxx*** choose **Select**.

1. On the **Step 2** page, select **t3.micro** (note, you can choose a larger instance type), and then choose **Next: Configure Instance Details**.

1. On the **Step 3** page, do the following:
   + For **Network**, choose the VPC that ends with **AWS-DS-VPC01** (for example, **vpc-*xxxxxxxxxxxxxxxxx* | AWS-DS-VPC01**).
   + For **Subnet** choose **Public subnet 1**, which should be preconfigured for your preferred Availability Zone (for example, **subnet-*xxxxxxxxxxxxxxxxx* | AWS-DS-VPC01-Subnet01 | *us-west-2a***). 
   + For **Auto-assign Public IP**, choose **Enable** (if the subnet setting is not set to enable by default).
   + For **Domain join directory**, choose **corp.example.com (d-*xxxxxxxxxx*)**.
   + For **IAM role** choose the name you gave your instance role in [Create a role to join Windows instances to your AWS Managed Microsoft AD domain](#configureec2), such as **EC2DomainJoin**.
   + Leave the rest of the settings at their defaults.
   + Choose **Next: Add Storage**.

1. On the **Step 4** page, leave the default settings, and then choose **Next: Add Tags**.

1. On the **Step 5** page, choose **Add Tag**. Under **Key** type **corp.example.com-mgmt** and then choose **Next: Configure Security Group**.

1. On the **Step 6** page, choose **Select an existing security group**, select **AWS DS Test Lab Security Group** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createsecuritygroup)), and then choose **Review and Launch** to review your instance.

1. On the **Step 7** page, review the page, and then choose **Launch**.

1. On the **Select an existing key pair or create a new key pair** dialog box, do the following:
   + Choose **Choose an existing key pair**.
   + Under **Select a key pair**, choose **AWS-DS-KP**.
   + Select the **I acknowledge...** check box.
   + Choose **Launch Instances**.

1. Choose **View Instances** to return to the Amazon EC2 console and view the status of the deployment.
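
The launch above, done from AWS Tools for Windows PowerShell, as an added example that is not part of the AWS documentation. What the console's **Domain join directory** option does behind the scenes is create a Systems Manager association with the `AWS-JoinDirectoryServiceDomain` document, so this script creates the same association explicitly and then polls its status, which is the quickest way to find out whether the join actually succeeded. The AMI is resolved from the public SSM parameter for the latest Windows Server 2019 Base image rather than hard-coded; the directory, subnet and security group IDs are placeholders for the values from the earlier steps.

```powershell
# Added example, not from the AWS documentation. Assumes Set-AWSCredential and
# Set-DefaultAWSRegion have been run and that the EC2DomainJoin instance profile
# exists. The IDs below are placeholders.
$directoryId = 'd-xxxxxxxxxx'
$subnetId    = 'subnet-xxxxxxxxxxxxxxxxx'   # AWS-DS-VPC01-Subnet01 (us-west-2a)
$sgId        = 'sg-xxxxxxxxxxxxxxxxx'       # AWS DS Test Lab Security Group

# Latest Windows Server 2019 Base AMI in this Region, from the public SSM parameter
$ami = (Get-SSMParameter -Name '/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base').Value
$dir = Get-DSDirectory -DirectoryId $directoryId

# The instance profile is what lets the SSM agent register and run the join document
$reservation = New-EC2Instance -ImageId $ami -InstanceType 't3.micro' -KeyName 'AWS-DS-KP' `
    -SubnetId $subnetId -SecurityGroupId $sgId -AssociatePublicIp $true `
    -InstanceProfile_Name 'EC2DomainJoin'
$instanceId = $reservation.Instances[0].InstanceId
New-EC2Tag -Resource $instanceId -Tag @{ Key = 'Name'; Value = 'corp.example.com-mgmt' }

# Same association the console creates: directory ID, FQDN and the directory's DNS servers
New-SSMAssociation -Name 'AWS-JoinDirectoryServiceDomain' -InstanceId $instanceId -Parameter @{
    directoryId    = $directoryId
    directoryName  = $dir.Name
    dnsIpAddresses = [string[]]$dir.DnsIpAddrs
} | Out-Null

# Poll until SSM reports the outcome. Failed almost always means the instance profile,
# the security group or DNS is wrong; the association output in the SSM console says which.
do {
    Start-Sleep -Seconds 30
    $status = (Get-SSMInstanceAssociationsStatus -InstanceId $instanceId |
               Where-Object Name -eq 'AWS-JoinDirectoryServiceDomain').Status
    "$(Get-Date -Format 'HH:mm:ss')  $instanceId  domain join: $status"
} while ($status -notin 'Success', 'Failed')
```

Until the agent has registered, `Get-SSMInstanceAssociationsStatus` returns nothing for the instance and the loop simply keeps waiting, which is expected for the first couple of minutes after launch.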

## Install the Active Directory tools on your EC2 instance
<a name="installadtools"></a>

You can choose from two methods to install the Active Directory Domain Management Tools on your EC2 instance. You can use the Server Manager UI (recommended for this tutorial) or PowerShell.

**To install the Active Directory tools on your EC2 instance (Server Manager)**

1. In the Amazon EC2 console, choose **Instances**, select the instance you just created, and then choose **Connect**. 

1. In the **Connect To Your Instance** dialog box, choose **Get Password** to retrieve your password if you haven't already, and then choose **Download Remote Desktop File**. 

1. In the **Windows Security** dialog box, type your local administrator credentials for the Windows Server computer to log in (for example, **administrator**).

1. From the **Start** menu, choose **Server Manager**.

1. In the **Dashboard**, choose **Add Roles and Features**.

1. In the **Add Roles and Features Wizard**, choose **Next**. 

1. On the **Select installation type** page, choose **Role-based or feature-based installation**, and then choose **Next**.

1. On the **Select destination server** page, make sure that the local server is selected, and then choose **Next**.

1. On the **Select server roles** page, choose **Next**. 

1. On the **Select features** page, do the following:
   + Select the **Group Policy Management** check box.
   + Expand **Remote Server Administration Tools**, and then expand **Role Administration Tools**.
   + Select the **AD DS and AD LDS Tools** check box.
   + Select the **DNS Server Tools** check box.
   + Choose **Next**.

1. On the **Confirm installation selections** page, review the information, and then choose **Install**. When the feature installation is finished, the following new tools or snap-ins will be available in the Windows Administrative Tools folder in the Start menu. 
   + Active Directory Administrative Center
   + Active Directory Domains and Trusts
   + Active Directory Module for PowerShell
   + Active Directory Sites and Services
   + Active Directory Users and Computers
   + ADSI Edit
   + DNS
   + Group Policy Management

**To install the Active Directory tools on your EC2 instance (PowerShell) (Optional)**

1. Start PowerShell.

1. Type the following command. 

   ```
   Install-WindowsFeature -Name GPMC,RSAT-AD-PowerShell,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,RSAT-DNS-Server
   ```

# Step 4: Verify that the base test lab is operational
<a name="microsoftadbasestep4"></a>

Use the following procedure to verify that the test lab has been set up successfully before adding on additional test lab guide modules. This procedure verifies that your Windows Server is configured appropriately, can connect to the corp.example.com domain, and be used to administer your AWS Managed Microsoft AD forest. 

**To verify that the test lab is operational**

1. Sign out of the EC2 instance where you were logged in as the local administrator. 

1. Back in the Amazon EC2 console, choose **Instances** in the navigation pane. Then select the instance that you created. Choose **Connect**. 

1. In the **Connect To Your Instance** dialog box, choose **Download Remote Desktop File**. 

1. In the **Windows Security** dialog box, type your administrator credentials for the CORP domain to log in (for example, **corp\admin**).

1. Once you are logged in, in the **Start** menu, under **Windows Administrative Tools**, choose **Active Directory Users and Computers**. 

1. You should see **corp.example.com** displayed with all the default OUs and accounts associated with a new domain. Under **Domain Controllers**, notice the names of the domain controllers that were automatically created when you created your AWS Managed Microsoft AD back in Step 2 of this tutorial. 
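
The same verification done from PowerShell on the management instance, added here as an example that is not part of the AWS documentation. Run it in an elevated PowerShell session while logged in as `corp\Admin`, after the tools from Step 3 are installed. It checks the four things the trust tutorial will depend on: the computer account's secure channel to the domain, DNS resolution of the domain controller locator records, a Kerberos ticket for the domain, and the domain controllers AWS created.

```powershell
# Added example, not from the AWS documentation. Run elevated on the domain-joined
# management instance as corp\Admin; requires the RSAT AD module from Step 3.
Import-Module ActiveDirectory

$checks = [ordered]@{}

# 1. The machine account has a working secure channel to a corp.example.com DC
$checks['SecureChannel'] = Test-ComputerSecureChannel

# 2. DNS: the DC locator SRV records resolve (this is what a domain join and a trust both rely on)
$srv = Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.com' -Type SRV -ErrorAction Stop
$checks['DcSrvRecords'] = ($srv | Where-Object Type -eq 'SRV').Count -ge 2

# 3. Kerberos: the logon session holds a ticket-granting ticket for the domain
$checks['KerberosTgt'] = [bool]((klist) -match 'krbtgt/CORP\.EXAMPLE\.COM')

# 4. The domain answers over LDAP and the DCs AWS provisioned are visible
$domain = Get-ADDomain -Identity 'corp.example.com'
$dcs    = Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, Site
$checks['DomainName']        = ($domain.DNSRoot -eq 'corp.example.com') -and ($domain.NetBIOSName -eq 'CORP')
$checks['DomainControllers'] = ($dcs | Measure-Object).Count -ge 2

$dcs | Format-Table -AutoSize
$checks.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }
if ($checks.Values -contains $false) { Write-Warning 'At least one lab check failed; fix it before starting the trust tutorial' }
```

A failing `SecureChannel` with everything else green usually means the instance was joined and then launched from a snapshot or renamed; `Test-ComputerSecureChannel -Repair -Credential (Get-Credential corp\Admin)` resets the machine password.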

Congratulations! Your AWS Managed Microsoft AD base test lab environment has now been configured. You are ready to begin adding the next test lab in the series.

Next tutorial: [Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2](ms_ad_tutorial_test_lab_trust.md)

# Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2
<a name="ms_ad_tutorial_test_lab_trust"></a>

In this tutorial, you learn how to create a trust between the AWS Managed Microsoft AD forest that you created in the [Base tutorial](ms_ad_tutorial_test_lab_base.md) and a new, self-managed Active Directory forest that you build on a Windows Server in Amazon EC2. As shown in the following illustration, the lab that you create from this tutorial is the second building block necessary when setting up a complete AWS Managed Microsoft AD test lab. You can use the test lab to test your pure cloud or hybrid cloud–based AWS solutions. 

You should only need to create this tutorial once. After that you can add optional tutorials when necessary for more experience.

![\[Steps to create a trust from a Microsoft Active Directory to a self-managed Active Directory: Set up your environment, create your Microsoft Active Directory, Deploy an Amazon EC2 instance, and test the lab.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadtrust.png)


**[Step 1: Set up your environment for trusts](microsoftadtruststep1.md)**  
Before you can establish trusts between a new Active Directory forest and the AWS Managed Microsoft AD forest that you created in the [Base tutorial](ms_ad_tutorial_test_lab_base.md), you need to prepare your Amazon EC2 environment. To do that, you first create a Windows Server 2019 server, promote that server to a domain controller, and then configure your VPC accordingly.

**[Step 2: Create the trusts](microsoftadtruststep2.md)**  
In this step, you create a two-way forest trust relationship between your newly created Active Directory forest hosted in Amazon EC2 and your AWS Managed Microsoft AD forest in AWS. 

**[Step 3: Verify the trust](microsoftadtruststep3.md)**  
Finally, as an administrator, you use the Directory Service console to verify that the new trusts are operational.

# Step 1: Set up your environment for trusts
<a name="microsoftadtruststep1"></a>

In this section, you set up your Amazon EC2 environment, deploy your new forest, and prepare your VPC for trusts with AWS.

![\[Amazon EC2 environment with Amazon VPC, subnets, and Internet Gateways to deploy a new forest and establish a trust relationship.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadbase_vpclayout.png)


## Create a Windows Server 2019 EC2 instance
<a name="createkeypair1"></a>

Use the following procedure to create a Windows Server 2019 member server in Amazon EC2. 

**To create a Windows Server 2019 EC2 instance**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the Amazon EC2 console, choose **Launch Instance**.

1. On the **Step 1** page, locate **Microsoft Windows Server 2019 Base - ami-*xxxxxxxxxxxxxxxxx*** in the list. Then choose **Select**.

1. On the **Step 2** page, select **t2.large**, and then choose **Next: Configure Instance Details**.

1. On the **Step 3** page, do the following:
   + For **Network**, select **vpc-*xxxxxxxxxxxxxxxxx* AWS-OnPrem-VPC01** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createvpc)).
   + For **Subnet**, select **subnet-*xxxxxxxxxxxxxxxxx* \| AWS-OnPrem-VPC01-Subnet01 \| AWS-OnPrem-VPC01**.
   + For **Auto-assign Public IP** list, choose **Enable** (if the subnet setting is not set to **Enable** by default).
   + Leave the rest of the settings at their defaults.
   + Choose **Next: Add Storage**.

1. On the **Step 4** page, leave the default settings, and then choose **Next: Add Tags**.

1. On the **Step 5** page, choose **Add Tag**. Under **Key** type **example.local-DC01**, and then choose **Next: Configure Security Group**.

1. On the **Step 6** page, choose **Select an existing security group**, select **AWS On-Prem Test Lab Security Group** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createsecuritygroup)), and then choose **Review and Launch** to review your instance.

1. On the **Step 7** page, review the page, and then choose **Launch**.

1. On the **Select an existing key pair or create a new key pair** dialog box, do the following:
   + Choose **Choose an existing key pair**.
   + Under **Select a key pair**, choose **AWS-DS-KP** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createkeypair2)).
   + Select the **I acknowledge...** check box.
   + Choose **Launch Instances**.

1. Choose **View Instances** to return to the Amazon EC2 console and view the status of the deployment.

## Promote your server to a domain controller
<a name="promoteserver"></a>

Before you can create trusts, you must build and deploy the first domain controller for a new forest. During this process you configure a new Active Directory forest, install DNS, and set this server to use the local DNS server for name resolution. You must reboot the server at the end of this procedure.

**Note**  
If you want to create a domain controller in AWS that replicates with your on-premises network, you would first manually join the EC2 instance to your on-premises domain. After that you can promote the server to a domain controller.

**To promote your server to a domain controller**

1. In the Amazon EC2 console, choose **Instances**, select the instance you just created, and then choose **Connect**. 

1. In the **Connect To Your Instance** dialog box, choose **Download Remote Desktop File**. 

1. In the **Windows Security** dialog box, type your local administrator credentials for the Windows Server computer to log in (for example, **administrator**). If you do not yet have the local administrator password, go back to the Amazon EC2 console, right-click the instance, and choose **Get Windows Password**. Navigate to your `AWS DS KP.pem` file or your personal `.pem` key, and then choose **Decrypt Password**.

1. From the **Start** menu, choose **Server Manager**.

1. In the **Dashboard**, choose **Add Roles and Features**.

1. In the **Add Roles and Features Wizard**, choose **Next**. 

1. On the **Select installation type** page, choose **Role-based or feature-based installation**, and then choose **Next**.

1. On the **Select destination server** page, make sure that the local server is selected, and then choose **Next**.

1. On the **Select server roles** page, select **Active Directory Domain Services**. In the **Add Roles and Features Wizard** dialog box, verify that the **Include management tools (if applicable)** check box is selected. Choose **Add Features**, and then choose **Next**.

1. On the **Select features** page, choose **Next**. 

1. On the **Active Directory Domain Services** page, choose **Next**.

1. On the **Confirm installation selections** page, choose **Install**.

1. Once the Active Directory binaries are installed, choose **Close**.

1. When Server Manager opens, look for a flag at the top next to the word **Manage**. When this flag turns yellow, the server is ready to be promoted. 

1. Choose the yellow flag, and then choose **Promote this server to a domain controller**.

1. On the **Deployment Configuration** page, choose **Add a new forest**. In **Root domain name**, type **example.local**, and then choose **Next**.

1. On the **Domain Controller Options** page, do the following:
   + In both **Forest functional level** and **Domain functional level**, choose **Windows Server 2016**.
   + Under **Specify domain controller capabilities**, verify that both **DNS server** and **Global Catalog (GC)** are selected.
   + Type and then confirm a Directory Services Restore Mode (DSRM) password. Then choose **Next**.

1. On the **DNS Options** page, ignore the warning about delegation and choose **Next**.

1. On the **Additional options** page, make sure that **EXAMPLE** is listed as the NetBIOS domain name.

1. On the **Paths** page, leave the defaults, and then choose **Next**.

1. On the **Review Options** page, choose **Next**. The server now checks to make sure all the prerequisites for the domain controller are satisfied. You may see some warnings displayed, but you can safely ignore them. 

1. Choose **Install**. Once the installation is complete, the server reboots and then becomes a functional domain controller.
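The same promotion as an unattended PowerShell script, added here as an example rather than taken from the AWS tutorial. It runs in an elevated session on the new Windows Server 2019 instance and uses the tutorial's values (example.local, NetBIOS name EXAMPLE, Windows Server 2016 functional levels, DNS and Global Catalog on the first domain controller).

```powershell
# Added example: unattended equivalent of the Add Roles and Features / Promote wizard
# steps above. Not part of the AWS tutorial.
$ErrorActionPreference = 'Stop'

# 1. Install the AD DS role together with its management tools (the wizard's
#    "Include management tools" check box).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. DSRM password: prompted, never embedded in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$forestParams = @{
    DomainName                    = 'example.local'
    DomainNetbiosName             = 'EXAMPLE'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 forest functional level
    DomainMode                    = 'WinThreshold'   # Windows Server 2016 domain functional level
    InstallDns                    = $true            # "DNS server" capability; the first DC is always a GC
    CreateDnsDelegation           = $false           # no parent zone exists, so the delegation warning is expected
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true            # suppress the interactive confirmation prompts
}

# 3. Run the prerequisite checks that the "Review Options" page runs. Warnings
#    (such as the DNS delegation one) are reported; only hard errors stop the script.
$precheck = Test-ADDSForestInstallation @forestParams
if ($precheck.Status -eq 'Error') {
    Write-Warning $precheck.Message
    throw 'Forest prerequisite check failed'
}

# 4. Promote. The server reboots by itself when promotion completes and comes back
#    as the first domain controller of the example.local forest.
Install-ADDSForest @forestParams
```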

## Configure your VPC
<a name="configurevpc1"></a>

The following three procedures guide you through the steps to configure your VPC for connectivity with AWS.

**To configure your VPC outbound rules**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/), make a note of the AWS Managed Microsoft AD directory ID for corp.example.com that you previously created in the [Base tutorial](microsoftadbasestep2.md).

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Security Groups**.

1. Search for your AWS Managed Microsoft AD directory ID. In the search results, select the item with the description **AWS created security group for d-*xxxxxx* directory controllers**.
**Note**  
This security group was automatically created when you initially created your directory.

1. Choose the **Outbound Rules** tab under that security group. Choose **Edit**, choose **Add another rule**, and then add the following values:
   + For **Type**, choose **All Traffic**.
   + For **Destination**, type **0.0.0.0/0**.
   + Leave the rest of the settings at their defaults.
   + Select **Save**.

**To verify Kerberos preauthentication is enabled**

1. On the **example.local** domain controller, open **Server Manager**.

1. On the **Tools** menu, choose **Active Directory Users and Computers**.

1. Navigate to the **Users** directory, right-click on any user and select **Properties**, and then choose the **Account** tab. In the **Account options** list, scroll down and ensure that **Do not require Kerberos preauthentication** is **not** selected.

1. Perform the same steps for the **corp.example.com** domain from the **corp.example.com-mgmt** instance.
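Clicking through one user only samples the domain. The following added example (not from the AWS tutorial) queries each domain for every account whose `userAccountControl` has the `DONT_REQ_PREAUTH` bit set, which is the attribute behind the **Do not require Kerberos preauthentication** check box. It assumes the ActiveDirectory module is present (installed with the AD DS management tools on the domain controller and on the management instance).

```powershell
# Added example: audit both domains for accounts that opt out of Kerberos
# preauthentication. Not part of the AWS tutorial.
Import-Module ActiveDirectory

function Get-PreauthDisabledAccount {
    <# Returns every user or computer object whose userAccountControl has
       DONT_REQ_PREAUTH (0x400000 = 4194304) set. #>
    param(
        [Parameter(Mandatory)] [string] $Server,   # domain DNS name or a specific DC
        [pscredential] $Credential                 # needed when querying the other forest
    )
    $query = @{
        # LDAP bitwise-AND matching rule: matches when the flag bit is set
        LDAPFilter = '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
        Server     = $Server
        Properties = 'userAccountControl', 'servicePrincipalName'
    }
    if ($Credential) { $query.Credential = $Credential }
    Get-ADObject @query |
        Select-Object DistinguishedName, ObjectClass,
            @{ n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } }
}

function Test-PreauthRequired {
    # Prints a summary and returns $true only when no account in the domain opts out.
    param([Parameter(Mandatory)] [string] $Server, [pscredential] $Credential)
    $params = @{ Server = $Server }
    if ($Credential) { $params.Credential = $Credential }
    $hits = @(Get-PreauthDisabledAccount @params)
    if ($hits.Count -eq 0) {
        Write-Host "${Server}: Kerberos preauthentication is required for all accounts"
        return $true
    }
    Write-Warning "${Server}: $($hits.Count) account(s) do not require preauthentication"
    $hits | Format-Table -AutoSize | Out-String | Write-Host
    return $false
}

# On the example.local domain controller: check the local forest.
Test-PreauthRequired -Server 'example.local'

# On the corp.example.com-mgmt instance (or from the example.local DC once it can
# resolve corp.example.com), with the directory's Admin credentials.
Test-PreauthRequired -Server 'corp.example.com' -Credential (Get-Credential -Message 'corp\Admin')
```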

**To configure DNS conditional forwarders**
**Note**  
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

1. Open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. In the navigation pane, choose **Directories**.

1. Select the **directory ID** of your AWS Managed Microsoft AD.

1. Take note of the fully qualified domain name (FQDN), **corp.example.com**, and the DNS addresses of your directory.

1. Now, return to your **example.local** domain controller, and then open **Server Manager**.

1. On the **Tools** menu, choose **DNS**.

1. In the console tree, expand the DNS server of the domain for which you are setting up the trust, and navigate to **Conditional Forwarders**.

1. Right-click **Conditional Forwarders**, and then choose **New Conditional Forwarder**.

1. In DNS domain, type **corp.example.com**.

1. Under **IP addresses of the primary servers**, choose **<Click here to add ...>**, type the first DNS address of your AWS Managed Microsoft AD directory (which you made note of in the previous procedure), and then press **Enter**. Do the same for the second DNS address. After typing the DNS addresses, you might get a "timeout" or "unable to resolve" error. You can generally ignore these errors.

1. Select the **Store this conditional forwarder in Active Directory, and replicate as follows** check box. In the drop-down menu, choose **All DNS servers in this Forest**, and then choose **OK**.
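The DNS Manager steps above as PowerShell, added as an example and not part of the AWS tutorial, run on the example.local domain controller. The two IP addresses are placeholders for the DNS addresses shown on your directory's details page; the block also checks that the forwarder actually resolves the corp.example.com domain-controller locator record, which the trust creation in the next step depends on.

```powershell
# Added example: create the corp.example.com conditional forwarder and confirm it
# resolves domain controllers. Not part of the AWS tutorial.
Import-Module DnsServer

$remoteForest    = 'corp.example.com'
$awsDirectoryDns = @('10.0.0.10', '10.0.1.10')   # PLACEHOLDERS: your directory's two DNS addresses

# Stored in Active Directory and replicated to every DNS server in the forest,
# matching "All DNS servers in this Forest" in the wizard. Skip if it already exists.
if (-not (Get-DnsServerZone -Name $remoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarder -Name $remoteForest `
        -MasterServers $awsDirectoryDns -ReplicationScope Forest
}

# The wizard's "timeout" / "unable to resolve" message can be ignored, but the
# DC locator SRV record must resolve before a forest trust can be created.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$remoteForest" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    throw "No domain controllers for $remoteForest resolved; check the forwarder addresses and the security group rules"
}
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight
```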

# Step 2: Create the trusts
<a name="microsoftadtruststep2"></a>

In this section, you create two separate forest trusts. One trust is created from the Active Directory domain on your EC2 instance and the other from your AWS Managed Microsoft AD in AWS.

![\[Two way trust between corp.example.com and example.local\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadtrust_twoway.png)


**To create the trust from your EC2 domain to your AWS Managed Microsoft AD**

1. Log into **example.local**.

1. Open **Server Manager** and in the console tree choose **DNS**. Take note of the IPv4 address listed for the server. You will need this in the next procedure when you create a conditional forwarder from **corp.example.com** to the **example.local** directory.

1. In the **Tools** menu, choose **Active Directory Domains and Trusts**.

1. In the console tree, right-click **example.local** and then choose **Properties**.

1. On the **Trusts** tab, choose **New Trust**, and then choose **Next**.

1. On the **Trust Name** page, type **corp.example.com**, and then choose **Next**.

1. On the **Trust Type** page, choose **Forest trust**, and then choose **Next**.
**Note**  
AWS Managed Microsoft AD also supports external trusts. However, for the purposes of this tutorial, you will create a two-way forest trust.

1. On the **Direction of Trust** page, choose **Two-way**, and then choose **Next**.
**Note**  
If you decide later to try this with a one-way trust instead, ensure that the trust directions are set up correctly (Outgoing on trusting domain, Incoming on trusted domain). For general information, see [Understanding trust direction](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731404(v=ws.11)) on Microsoft's website.

1. On the **Sides of Trust** page, choose **This domain only**, and then choose **Next**.

1. On the **Outgoing Trust Authentication Level** page, choose **Forest-wide authentication**, and then choose **Next**.
**Note**  
Although **Selective authentication** is an option, for the simplicity of this tutorial we recommend that you do not enable it here. When configured, it restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. For more information, see [Configuring selective authentication settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816580(v=ws.10)).

1. On the **Trust Password** page, type the trust password twice, and then choose **Next**. You will use this same password in the next procedure.

1. On the **Trust Selections Complete** page, review the results, and then choose **Next**.

1. On the **Trust Creation Complete** page, review the results, and then choose **Next**.

1. On the **Confirm Outgoing Trust** page, choose **No, do not confirm the outgoing trust**. Then choose **Next**.

1. On the **Confirm Incoming Trust** page, choose **No, do not confirm the incoming trust**. Then choose **Next**.

1. On the **Completing the New Trust Wizard** page, choose **Finish**.
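The wizard choices above (forest trust, two-way, this domain only, forest-wide authentication, trust password) expressed with the .NET `Forest` class, added here as an example and not part of the AWS tutorial. Run it on the example.local domain controller as a member of Enterprise Admins; the AWS side of the trust is still created in the next procedure.

```powershell
# Added example: create only the example.local side of a two-way forest trust with
# corp.example.com, then show the resulting trustedDomain object. Not from the AWS tutorial.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$remoteForest = 'corp.example.com'

# Trust password: the identical value is entered in the AWS console in the next procedure.
$secure        = Read-Host -AsSecureString -Prompt 'Trust password'
$trustPassword = [System.Net.NetworkCredential]::new('', $secure).Password

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# "Sides of Trust: This domain only" = CreateLocalSideOfTrustRelationship.
# Bidirectional = the wizard's "Two-way". Forest-wide authentication is the default;
# selective authentication would be a separate SetSelectiveAuthenticationStatus call,
# which the tutorial recommends leaving off.
$localForest.CreateLocalSideOfTrustRelationship(
    $remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional,
    $trustPassword)

# Until the AWS side exists this is a one-sided stub, so VerifyTrustRelationship is
# expected to fail at this point; the attributes can already be inspected.
Get-ADTrust -Filter "Name -eq '$remoteForest'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, TrustType
```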

**Note**  
Trust relationships are a global feature of AWS Managed Microsoft AD. If you are using [Configure Multi-Region replication for AWS Managed Microsoft AD](ms_ad_configure_multi_region_replication.md), the following procedures must be performed in the [Primary Region](multi-region-global-primary-additional.md#multi-region-primary). The changes will be applied across all replicated Regions automatically. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

**To create the trust from your AWS Managed Microsoft AD to your EC2 domain**

1. Open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. Choose the **corp.example.com** directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the primary Region, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Trust relationships** section, choose **Actions**, and then select **Add trust relationship**.

1. In the **Add a trust relationship** dialog box, do the following:
   + Under **Trust type** select **Forest trust**.
**Note**  
Make sure that the **Trust type** you choose here matches the same trust type configured in the previous procedure (To create the trust from your EC2 domain to your AWS Managed Microsoft AD).
   + For **Existing or new remote domain name**, type **example.local**.
   + For **Trust password**, type the same password that you provided in the previous procedure.
   + Under **Trust direction**, select **Two-Way**.
**Note**  
If you decide later to try this with a one-way trust instead, ensure that the trust directions are set up correctly (Outgoing on trusting domain, Incoming on trusted domain). For general information, see [Understanding trust direction](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731404(v=ws.11)) on Microsoft's website.
Although **Selective authentication** is an option, for the simplicity of this tutorial we recommend that you do not enable it here. When configured, it restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. For more information, see [Configuring selective authentication settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816580(v=ws.10)).
   + For **Conditional forwarder**, type the IP address of your DNS server in the **example.local** forest (which you noted in the previous procedure). 
**Note**  
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

1. Choose **Add**. 

# Step 3: Verify the trust
<a name="microsoftadtruststep3"></a>

In this section, you test whether the trusts were set up successfully between AWS and Active Directory on Amazon EC2.

**To verify the trust**

1. Open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. Choose the **corp.example.com** directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the primary Region, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Trust relationships** section, select the trust relationship you just created.

1. Choose **Actions**, and then choose **Verify trust relationship**.

Once the verification has completed, you should see **Verified** displayed under the **Status** column. 
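The console verifies the trust from the AWS side. As an added example (not from the AWS tutorial), the following does the equivalent from the example.local side: it checks the secure channel in both directions and then reads the corp.example.com domain object across the trust. Run it on the example.local domain controller after the console shows **Verified**, with a corp.example.com account such as corp\Admin at hand.

```powershell
# Added example: verify the forest trust from the example.local domain controller.
# Not part of the AWS tutorial.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$remoteForest = 'corp.example.com'
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Throws if the secure channel for either direction cannot be established
# (wrong trust password, missing AWS side, or blocked traffic).
$forest.VerifyTrustRelationship($remoteForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
Write-Host "Both directions of the $remoteForest forest trust verified"

# Name resolution plus authenticated LDAP across the trust: read the trusted
# forest's domain object using an account that lives in that forest.
$corpCred = Get-Credential -Message 'corp.example.com account (for example, corp\Admin)'
Get-ADDomain -Server $remoteForest -Credential $corpCred |
    Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
```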

Congratulations on completing this tutorial! You now have a fully functional multiforest Active Directory environment from which you can begin testing various scenarios. Additional test lab tutorials are planned in 2018, so check back on occasion to see what's new. 