

# Tutorial: Setting up your base AWS Managed Microsoft AD test lab in AWS
<a name="ms_ad_tutorial_test_lab_base"></a>

This tutorial teaches you how to set up your AWS environment to prepare for a new AWS Managed Microsoft AD installation that uses a new Amazon EC2 instance running Windows Server 2019. It then teaches you to use typical Active Directory administration tools to manage your AWS Managed Microsoft AD environment from your EC2 Windows instance. By the time you complete the tutorial, you will have set up the network prerequisites and have configured a new AWS Managed Microsoft AD forest. 

As shown in the following illustration, the lab you create from this tutorial is the foundational component for hands-on learning about AWS Managed Microsoft AD. You can later add optional tutorials for more hands-on experience. This tutorial series is ideal for anyone who is new to AWS Managed Microsoft AD and wants a test lab for evaluation purposes. This tutorial takes approximately 1 hour to complete.

![\[Diagram showing tutorial steps: 1 set up your environment, 2 create your AWS Managed Microsoft AD, 3 deploy an Amazon EC2, and 4 test the lab.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadbase.png)


**[Step 1: Set up your AWS environment for AWS Managed Microsoft AD Active Directory](microsoftadbasestep1.md)**  
After you've completed your prerequisite tasks, you create and configure the Amazon VPCs for your EC2 instances.

**[Step 2: Create your AWS Managed Microsoft AD Active Directory](microsoftadbasestep2.md)**  
In this step, you set up AWS Managed Microsoft AD in AWS for the first time.

**[Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed Microsoft AD Active Directory](microsoftadbasestep3.md)**  
Here, you walk through the various post-deployment tasks necessary for client computers to connect to your new domain and set up a new Windows Server system in EC2.

**[Step 4: Verify that the base test lab is operational](microsoftadbasestep4.md)**  
Finally, as an administrator, you verify that you can log in and connect to AWS Managed Microsoft AD from your Windows Server system in EC2. Once you've successfully tested that the lab is operational, you can continue to add other test lab guide modules.

# Prerequisites
<a name="microsoftadbaseprereq"></a>

If you plan to use only the UI steps in this tutorial to create your test lab, you can skip this prerequisites section and move on to Step 1. However, if you plan to use either AWS CLI commands or AWS Tools for Windows PowerShell modules to create your test lab environment, you must first configure the following:
+ **IAM user with the access and secret access key** – An IAM user with an access key is required if you want to use the AWS CLI or AWS Tools for Windows PowerShell modules. If you do not have an access key, see [Creating, modifying, and viewing access keys (AWS Management Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).
+ **AWS Command Line Interface (optional)** – Download and [Install the AWS CLI on Windows](https://docs.aws.amazon.com/cli/latest/userguide/install-windows.html). Once installed, open the command prompt or PowerShell window, and then type `aws configure`. Note that you need the access key and secret key to complete the setup. See the first prerequisite for steps on how to do this. You will be prompted for the following:
  + AWS access key ID [None]: `AKIAIOSFODNN7EXAMPLE`
  + AWS secret access key [None]: `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`
  + Default Region name [None]: `us-west-2`
  + Default output format [None]: `json`
+ **AWS Tools for Windows PowerShell** **(optional)** – Download and install the latest version of the AWS Tools for Windows PowerShell from [https://aws.amazon.com/powershell/](https://aws.amazon.com/powershell/), and then run the following command. Note that you need your access key and secret key to complete the setup. See the first prerequisite for the steps on how to do this.

  `Set-AWSCredentials -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -StoreAs default`

# Step 1: Set up your AWS environment for AWS Managed Microsoft AD Active Directory
<a name="microsoftadbasestep1"></a>

Before you can create AWS Managed Microsoft AD in your AWS test lab, you first need to set up an Amazon EC2 key pair, which you use to decrypt the Windows administrator password for your instance.

## Create a key pair
<a name="createkeypair2"></a>

If you already have a key pair, you can skip this step. For more information about Amazon EC2 key pairs, see [Create key pairs](https://docs.aws.amazon.com//AWSEC2/latest/UserGuide/create-key-pairs.html).

**To create a key pair**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Network & Security**, choose **Key Pairs**, and then choose **Create Key Pair**.

1. For **Key pair name**, type **AWS-DS-KP**. For **Key pair file format**, select **pem**, and then choose **Create**.

1. The private key file is automatically downloaded by your browser. The file name is the name you specified when you created your key pair with an extension of `.pem`. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file. You need to provide the name of your key pair when you launch an instance and the corresponding private key each time you decrypt the password for the instance.

## Create, configure, and peer two Amazon VPCs
<a name="createvpc"></a>

As shown in the following illustration, by the time you finish this multi-step process you will have created and configured two public VPCs, two public subnets per VPC, one Internet Gateway per VPC, and one VPC Peering connection between the VPCs. We chose to use public VPCs and subnets for the purpose of simplicity and cost. For production workloads, we recommend that you use private VPCs. For more information about improving VPC Security, see [Security in Amazon Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/security.html).

![\[Amazon VPC environment with subnets, and Internet Gateways to create an AWS Managed Microsoft AD Active Directory.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadbase_vpclayout.png)


All of the AWS CLI and PowerShell examples use the VPC information below and are built in us-west-2. You may choose any [supported Region](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/regions.html) to build your environment in. For general information, see [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).

**Step 1: Create two VPCs**

In this step, you need to create two VPCs in the same account using the specified parameters in the following table. AWS Managed Microsoft AD supports the use of separate accounts with the [Share your AWS Managed Microsoft AD](ms_ad_directory_sharing.md) feature. The first VPC will be used for AWS Managed Microsoft AD. The second VPC will be used for resources that can be used later in [Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2](ms_ad_tutorial_test_lab_trust.md).

| Setting | Managed Active Directory VPC | On-premises VPC |
| --- | --- | --- |
| Name tag | AWS-DS-VPC01 | AWS-OnPrem-VPC01 |
| IPv4 CIDR block | 10.0.0.0/16 | 10.100.0.0/16 |
| IPv6 CIDR block | No IPv6 CIDR Block | No IPv6 CIDR Block |
| Tenancy | Default | Default |

For detailed instructions, see [Creating a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#Create-VPC).

**Step 2: Create two subnets per VPC**

After you have created the VPCs, create two subnets per VPC using the parameters in the following table. For this test lab each subnet is a /24, which allows up to 256 addresses per subnet. Each subnet must be in a separate Availability Zone; putting each subnet in a separate AZ is one of the [Prerequisites for creating an AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_prereqs).

| Name tag | VPC | Availability Zone | IPv4 CIDR block |
| --- | --- | --- | --- |
| AWS-DS-VPC01-Subnet01 | vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 | us-west-2a | 10.0.0.0/24 |
| AWS-DS-VPC01-Subnet02 | vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 | us-west-2b | 10.0.1.0/24 |
| AWS-OnPrem-VPC01-Subnet01 | vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 | us-west-2a | 10.100.0.0/24 |
| AWS-OnPrem-VPC01-Subnet02 | vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 | us-west-2b | 10.100.1.0/24 |

For detailed instructions, see [Creating a subnet in your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet).

**Step 3: Create and attach an Internet Gateway to your VPCs**

Because we are using public VPCs, you need to create and attach an Internet gateway to each VPC using the parameters in the following table. This lets you connect to and manage your EC2 instances.

| Name tag | VPC |
| --- | --- |
| AWS-DS-VPC01-IGW | vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 |
| AWS-OnPrem-VPC01-IGW | vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 |

For detailed instructions, see [Internet gateways](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html).

**Step 4: Configure a VPC peering connection between AWS-DS-VPC01 and AWS-OnPrem-VPC01**

You now need to connect the two VPCs you created earlier using VPC peering, with the parameters in the following table. While there are many ways to connect your VPCs, this tutorial uses VPC peering. AWS Managed Microsoft AD supports many solutions to connect your VPCs, including [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html), [Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html), and [VPN](https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html).

| Setting | Value |
| --- | --- |
| Peering connection name tag | AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer |
| VPC (Requester) | vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 |
| Account | My Account |
| Region | This Region |
| VPC (Accepter) | vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 |

For instructions on how to create a VPC peering connection with another VPC from within your account, see [Creating a VPC peering connection with another VPC in your account](https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html#create-vpc-peering-connection-local).

**Step 5: Add two routes to each VPC's main route table**

For the Internet Gateways and VPC Peering Connection created in the previous steps to be functional, you need to update the main route table of both VPCs using the parameters in the following table. You add two routes: 0.0.0.0/0, which sends all destinations not explicitly known to the route table to the Internet Gateway, and 10.0.0.0/16 or 10.100.0.0/16, which sends traffic to the other VPC over the VPC Peering Connection established above.

You can easily find the correct route table for each VPC by filtering on the VPC name tag (AWS-DS-VPC01 or AWS-OnPrem-VPC01).

| Route table | Destination | Target |
| --- | --- | --- |
| AWS-DS-VPC01 route 1 | 0.0.0.0/0 | igw-xxxxxxxxxxxxxxxxx AWS-DS-VPC01-IGW |
| AWS-DS-VPC01 route 2 | 10.100.0.0/16 | pcx-xxxxxxxxxxxxxxxxx AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer |
| AWS-OnPrem-VPC01 route 1 | 0.0.0.0/0 | igw-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01-IGW |
| AWS-OnPrem-VPC01 route 2 | 10.0.0.0/16 | pcx-xxxxxxxxxxxxxxxxx AWS-DS-VPC01&AWS-OnPrem-VPC01-Peer |

For instructions on how to add routes to a VPC route table, see [Adding and removing routes from a route table](https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html#AddRemoveRoutes).
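Before building the network, it is worth checking that the plan in the tables above is self-consistent. The following script is an added example, not part of the AWS tutorial: it encodes the two VPCs, four subnets and four routes from these tables and checks the constraints they rely on (non-overlapping VPC CIDRs for peering, subnets inside their VPC, two Availability Zones per VPC, and a default plus a peer route per main route table). Resource IDs are the tutorial's placeholders and are checked by prefix only.

```python
"""Consistency check for the test-lab network plan built in Steps 1 to 5.

Added example, not part of the AWS tutorial. It encodes the two VPCs, four
subnets and four routes from the tables above and checks the constraints
those tables rely on: VPC CIDRs must not overlap (a VPC peering
requirement), every subnet must lie inside its own VPC and not overlap a
sibling, each VPC's subnets must span at least two Availability Zones (an
AWS Managed Microsoft AD prerequisite), and each main route table needs a
default route to an Internet gateway plus a route to the peer VPC through
the peering connection. Resource IDs are placeholders, checked by prefix.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Tuple


@dataclass
class Vpc:
    name: str
    cidr: str
    subnets: List[Tuple[str, str, str]]  # (name tag, availability zone, CIDR)
    routes: List[Tuple[str, str]]        # (destination CIDR, target ID)


# The plan exactly as the tutorial's tables give it.
LAB_PLAN = [
    Vpc("AWS-DS-VPC01", "10.0.0.0/16",
        [("AWS-DS-VPC01-Subnet01", "us-west-2a", "10.0.0.0/24"),
         ("AWS-DS-VPC01-Subnet02", "us-west-2b", "10.0.1.0/24")],
        [("0.0.0.0/0", "igw-xxxxxxxxxxxxxxxxx"),
         ("10.100.0.0/16", "pcx-xxxxxxxxxxxxxxxxx")]),
    Vpc("AWS-OnPrem-VPC01", "10.100.0.0/16",
        [("AWS-OnPrem-VPC01-Subnet01", "us-west-2a", "10.100.0.0/24"),
         ("AWS-OnPrem-VPC01-Subnet02", "us-west-2b", "10.100.1.0/24")],
        [("0.0.0.0/0", "igw-xxxxxxxxxxxxxxxxx"),
         ("10.0.0.0/16", "pcx-xxxxxxxxxxxxxxxxx")]),
]


def check_plan(vpcs: List[Vpc]) -> List[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    nets = {v.name: IPv4Network(v.cidr) for v in vpcs}

    # 1. Peered VPCs must not share address space, or the peering cannot be routed.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"VPC CIDRs overlap: {a} {nets[a]} and {b} {nets[b]}")

    for v in vpcs:
        seen: List[Tuple[str, IPv4Network]] = []
        for sname, _az, scidr in v.subnets:
            snet = IPv4Network(scidr)
            # 2. A subnet is carved from its own VPC and must not collide with a sibling.
            if not snet.subnet_of(nets[v.name]):
                findings.append(f"{sname} {snet} is not inside {v.name} {nets[v.name]}")
            for oname, onet in seen:
                if snet.overlaps(onet):
                    findings.append(f"{sname} {snet} overlaps {oname} {onet}")
            seen.append((sname, snet))

        # 3. Managed Microsoft AD requires subnets in two different Availability Zones.
        zones = sorted({az for _, az, _ in v.subnets})
        if len(zones) < 2:
            findings.append(f"{v.name}: subnets must span at least two AZs, found {zones}")

        # 4. Main route table: a default route via an IGW and a pcx- route to each peer.
        routes = dict(v.routes)
        if not routes.get("0.0.0.0/0", "").startswith("igw-"):
            findings.append(f"{v.name}: no default route (0.0.0.0/0) to an Internet gateway")
        for peer in vpcs:
            if peer.name != v.name and not routes.get(peer.cidr, "").startswith("pcx-"):
                findings.append(f"{v.name}: no route to {peer.name} {peer.cidr} via a peering connection")
    return findings


if __name__ == "__main__":
    for line in check_plan(LAB_PLAN) or ["Plan is consistent"]:
        print(line)
```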

## Create security groups for Amazon EC2 instances
<a name="createsecuritygroup"></a>

By default, AWS Managed Microsoft AD creates a security group to manage traffic between its domain controllers. In this section, you create two security groups (one for each VPC) that manage traffic to your EC2 instances within each VPC, using the parameters in the following tables. Each group also gets a rule that allows RDP (3389) inbound from your IP address and a rule that allows all traffic types inbound from the local VPC. For more information, see [Amazon EC2 security groups for Windows instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-network-security.html).

| AWS-DS-VPC01 security group setting | Value |
| --- | --- |
| Security group name | AWS DS Test Lab Security Group |
| Description | AWS DS Test Lab Security Group |
| VPC | vpc-xxxxxxxxxxxxxxxxx AWS-DS-VPC01 |

**Security Group Inbound Rules for AWS-DS-VPC01**

| Type | Protocol | Port range | Source | Type of traffic | 
| --- | --- | --- | --- | --- | 
| Custom TCP Rule  | TCP | 3389 | My IP | Remote Desktop | 
| All Traffic | All | All | 10.0.0.0/16 | All local VPC traffic | 

**Security Group Outbound Rules for AWS-DS-VPC01**

| Type | Protocol | Port range | Destination | Type of traffic | 
| --- | --- | --- | --- | --- | 
| All Traffic | All | All | 0.0.0.0/0 | All traffic | 

| AWS-OnPrem-VPC01 security group setting | Value |
| --- | --- |
| Security group name | AWS OnPrem Test Lab Security Group |
| Description | AWS OnPrem Test Lab Security Group |
| VPC | vpc-xxxxxxxxxxxxxxxxx AWS-OnPrem-VPC01 |

**Security Group Inbound Rules for AWS-OnPrem-VPC01**

| Type | Protocol | Port range | Source | Type of traffic | 
| --- | --- | --- | --- | --- | 
| Custom TCP Rule  | TCP | 3389 | My IP | Remote Desktop | 
| Custom TCP Rule  | TCP | 53 | 10.0.0.0/16 | DNS | 
| Custom TCP Rule  | TCP  | 88 | 10.0.0.0/16 | Kerberos | 
| Custom TCP Rule  | TCP  | 389 | 10.0.0.0/16 | LDAP | 
| Custom TCP Rule  | TCP | 464 | 10.0.0.0/16 | Kerberos change / set password | 
| Custom TCP Rule  | TCP | 445 | 10.0.0.0/16 | SMB / CIFS | 
| Custom TCP Rule  | TCP | 135 | 10.0.0.0/16 | Replication | 
| Custom TCP Rule  | TCP | 636 | 10.0.0.0/16 | LDAP SSL | 
| Custom TCP Rule  | TCP | 49152 - 65535 | 10.0.0.0/16 | RPC | 
| Custom TCP Rule  | TCP | 3268 - 3269 | 10.0.0.0/16 | LDAP GC & LDAP GC SSL | 
| Custom UDP Rule  | UDP | 53 | 10.0.0.0/16 | DNS | 
| Custom UDP Rule  | UDP | 88 | 10.0.0.0/16 | Kerberos | 
| Custom UDP Rule  | UDP | 123 | 10.0.0.0/16 | Windows Time | 
| Custom UDP Rule  | UDP | 389 | 10.0.0.0/16 | LDAP | 
| Custom UDP Rule  | UDP | 464 | 10.0.0.0/16 | Kerberos change / set password | 
| All Traffic | All | All | 10.100.0.0/16 | All local VPC traffic | 

**Security Group Outbound Rules for AWS-OnPrem-VPC01**

| Type | Protocol | Port range | Destination | Type of traffic | 
| --- | --- | --- | --- | --- | 
| All Traffic | All | All | 0.0.0.0/0 | All traffic | 

For detailed instructions on how to create and add rules to your security groups, see [Working with security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#WorkingWithSecurityGroups).
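Once the groups exist, a quick audit of what `aws ec2 describe-security-groups` returns catches the two mistakes that matter most in this lab: RDP (3389) left open to 0.0.0.0/0 instead of a single administrator address, and a source range that is neither of the two lab VPCs. The script below is an added example, not part of the AWS tutorial; its sample groups are constructed from the tables above, with 203.0.113.10/32 standing in for the console's "My IP" value, and the expected Active Directory port list is the AWS-OnPrem-VPC01 inbound table.

```python
"""Audit EC2 security group inbound rules against this tutorial's tables.

Added example, not part of the AWS tutorial. Input is the shape returned by
`aws ec2 describe-security-groups` (only GroupName and IpPermissions are
read). Reports: management ports open to the whole Internet, sources that
are neither a lab VPC range nor a single host, and expected Active Directory
ports missing from the group. Sample groups are constructed data.
"""
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Tuple

LAB_CIDRS = ("10.0.0.0/16", "10.100.0.0/16")  # AWS-DS-VPC01, AWS-OnPrem-VPC01
MGMT_PORTS = (3389,)                            # RDP; the tables restrict it to "My IP"

# TCP/UDP ports the AWS-OnPrem-VPC01 inbound table opens from 10.0.0.0/16.
EXPECTED_AD_PORTS: FrozenSet[Tuple[str, int, int]] = frozenset({
    ("tcp", 53, 53), ("tcp", 88, 88), ("tcp", 135, 135), ("tcp", 389, 389),
    ("tcp", 445, 445), ("tcp", 464, 464), ("tcp", 636, 636),
    ("tcp", 3268, 3269), ("tcp", 49152, 65535),
    ("udp", 53, 53), ("udp", 88, 88), ("udp", 123, 123), ("udp", 389, 389),
    ("udp", 464, 464),
})


def _sources(perm: Dict) -> List[str]:
    """IPv4 and IPv6 CIDRs listed on one IpPermissions entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _covers(perm: Dict, proto: str, port: int) -> bool:
    """True if the entry allows proto/port; IpProtocol "-1" means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _in_lab(net) -> bool:
    return net.version == 4 and any(net.subnet_of(ip_network(c)) for c in LAB_CIDRS)


def audit_group(sg: Dict, expected: FrozenSet[Tuple[str, int, int]] = frozenset()) -> List[str]:
    """Return human-readable findings for one security group; empty means clean."""
    findings: List[str] = []
    name, perms = sg["GroupName"], sg.get("IpPermissions", [])
    for perm in perms:
        for cidr in _sources(perm):
            net = ip_network(cidr, strict=False)
            if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
                for port in MGMT_PORTS:
                    if _covers(perm, "tcp", port):
                        findings.append(f"{name}: TCP {port} open to {cidr}; restrict it to My IP")
                continue
            host_len = 32 if net.version == 4 else 128
            if not _in_lab(net) and net.prefixlen != host_len:
                findings.append(f"{name}: source {cidr} is neither a lab VPC range nor a single host")
    # Every port the table expects from the Managed AD VPC must be present.
    for proto, lo, hi in sorted(expected):
        present = any(_covers(p, proto, lo) and _covers(p, proto, hi)
                      and "10.0.0.0/16" in _sources(p) for p in perms)
        if not present:
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append(f"{name}: no inbound {proto.upper()} {span} from 10.0.0.0/16")
    return findings


def _rule(proto: str, lo: int, hi: int, cidr: str) -> Dict:
    """One IpPermissions entry in describe-security-groups form (constructed data)."""
    perm: Dict = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
    if proto != "-1":
        perm.update(FromPort=lo, ToPort=hi)
    return perm


MY_IP = "203.0.113.10/32"  # constructed stand-in for the console's "My IP"
DS_GROUP = {"GroupName": "AWS DS Test Lab Security Group",
            "IpPermissions": [_rule("tcp", 3389, 3389, MY_IP),
                              _rule("-1", 0, 0, "10.0.0.0/16")]}
ONPREM_GROUP = {"GroupName": "AWS OnPrem Test Lab Security Group",
                "IpPermissions": [_rule("tcp", 3389, 3389, MY_IP)]
                + [_rule(p, lo, hi, "10.0.0.0/16") for p, lo, hi in sorted(EXPECTED_AD_PORTS)]
                + [_rule("-1", 0, 0, "10.100.0.0/16")]}
# Weak variant: RDP open to the whole Internet instead of the administrator's address.
WEAK_GROUP = {"GroupName": "AWS DS Test Lab Security Group (weak)",
              "IpPermissions": [_rule("tcp", 3389, 3389, "0.0.0.0/0"),
                                _rule("-1", 0, 0, "10.0.0.0/16")]}

if __name__ == "__main__":
    for group, exp in ((DS_GROUP, frozenset()), (ONPREM_GROUP, EXPECTED_AD_PORTS), (WEAK_GROUP, frozenset())):
        for line in audit_group(group, exp) or [f"{group['GroupName']}: OK"]:
            print(line)
```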

# Step 2: Create your AWS Managed Microsoft AD Active Directory
<a name="microsoftadbasestep2"></a>

You can use three different methods to create your directory. You can use the AWS Management Console procedure (recommended for this tutorial) or you can use either the AWS CLI or AWS Tools for Windows PowerShell procedures to create your directory.

**Method 1: To create your AWS Managed Microsoft AD directory (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories** and then choose **Set up directory**.

1. On the **Select directory type** page, choose **AWS Managed Microsoft AD**, and then choose **Next**.

1. On the **Enter directory information** page, provide the following information, and then choose **Next**.
   + For **Edition**, select either **Standard Edition** or **Enterprise Edition**. For more information about editions, see [AWS Directory Service for Microsoft Active Directory](what_is.md#microsoftad). 
   + For **Directory DNS name**, type **corp.example.com**.
   + For **Directory NetBIOS name**, type **corp**.
   + For **Directory description**, type **AWS DS Managed**.
   + For **Admin password**, type the password you want to use for this account and type the password again in **Confirm password**. This **Admin** account is automatically created during the directory creation process. The password cannot include the word *admin*. The directory administrator password is case sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:
     + Lowercase letters (a-z)
     + Uppercase letters (A-Z)
     + Numbers (0-9)
     + Non-alphanumeric characters (``~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/``)

1. On the **Choose VPC and subnets** page, provide the following information, and then choose **Next**.
   + For **VPC**, choose the option that begins with **AWS-DS-VPC01** and ends with **(10.0.0.0/16)**.
   + For **Subnets**, choose the **10.0.0.0/24** and **10.0.1.0/24** public subnets.

1. On the **Review & create** page, review the directory information and make any necessary changes. When the information is correct, choose **Create directory**. Creating the directory takes 20 to 40 minutes. Once created, the **Status** value changes to **Active**.
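The password rules in step 3 are easy to get wrong when scripting directory creation, so a small pre-check helps. This is an added example, not part of the AWS tutorial: it encodes the stated rules (8 to 64 characters, no "admin", three of the four character categories with the page's special-character set); treating "admin" case-insensitively is an assumption here. The `P@ssw0rd` value used in the CLI and PowerShell commands below passes it.

```python
"""Pre-check a candidate Admin password against the rules stated in step 3.

Added example, not part of the AWS tutorial. Rules encoded: 8 to 64
characters inclusive, must not include the word "admin" (compared
case-insensitively here, an assumption), and at least one character from
three of the four categories. SPECIALS is the non-alphanumeric set listed
on the page; a character outside all four categories (such as a space)
simply counts toward none of them.
"""
import string
from typing import List

SPECIALS = "~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"
CATEGORIES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "non-alphanumeric": set(SPECIALS),
}


def password_findings(candidate: str) -> List[str]:
    """Return the rules the candidate breaks; an empty list means it is acceptable."""
    findings: List[str] = []
    if not 8 <= len(candidate) <= 64:
        findings.append(f"length {len(candidate)} is outside 8-64 characters")
    if "admin" in candidate.lower():
        findings.append('contains the word "admin"')
    met = [name for name, chars in CATEGORIES.items() if any(c in chars for c in candidate)]
    if len(met) < 3:
        findings.append(f"uses {len(met)} of 4 character categories ({', '.join(met) or 'none'}); need 3")
    return findings


def is_acceptable(candidate: str) -> bool:
    return not password_findings(candidate)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Admin2024!", "short1!", "correcthorsebattery"):
        print(pw, "->", password_findings(pw) or "acceptable")
```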

**Method 2: To create your AWS Managed Microsoft AD (PowerShell) (Optional)**

1. Open PowerShell.

1. Type the following command. Make sure to use the values provided in Step 4 of the preceding AWS Management Console procedure.

   ```
   New-DSMicrosoftAD -Name corp.example.com -ShortName corp -Password P@ssw0rd -Description "AWS DS Managed" -VpcSettings_VpcId vpc-xxxxxxxx -VpcSettings_SubnetId subnet-xxxxxxxx,subnet-xxxxxxxx
   ```

**Method 3: To create your AWS Managed Microsoft AD (AWS CLI) (Optional)**

1. Open the AWS CLI.

1. Type the following command. Make sure to use the values provided in Step 4 of the preceding AWS Management Console procedure.

   ```
   aws ds create-microsoft-ad --name corp.example.com --short-name corp --password P@ssw0rd --description "AWS DS Managed" --vpc-settings VpcId=vpc-xxxxxxxx,SubnetIds=subnet-xxxxxxxx,subnet-xxxxxxxx
   ```

# Step 3: Deploy an Amazon EC2 instance to manage your AWS Managed Microsoft AD Active Directory
<a name="microsoftadbasestep3"></a>

For this lab, we are using Amazon EC2 instances that have public IP addresses to make it easy to access the management instance from anywhere. In a production setting, you can use instances that are in a private VPC and are only accessible through a VPN or Direct Connect link. There is no requirement that the instance have a public IP address.

In this section, you walk through the various post-deployment tasks necessary for client computers to connect to your domain using the Windows Server on your new EC2 instance. You use the Windows Server in the next step to verify that the lab is operational.

## Optional: Create a DHCP options set in AWS-DS-VPC01 for your directory
<a name="createdhcpoptionsset"></a>

In this optional procedure, you set up a DHCP option scope so that EC2 instances in your VPC automatically use your AWS Managed Microsoft AD for DNS resolution. For more information, see [DHCP options sets](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html).

**To create a DHCP options set for your directory**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **DHCP Options Sets**, and then choose **Create DHCP options set**.

1. On the **Create DHCP options set** page, provide the following values for your directory:
   + For **Name**, type **AWS DS DHCP**.
   + For **Domain name**, type **corp.example.com**.
   + For **Domain name servers**, type the IP addresses of the DNS servers for your AWS Managed Microsoft AD directory.
**Note**  
To find these addresses, go to the Directory Service **Directories** page, and then choose the applicable directory ID. On the **Details** page, identify and use the IPs that are displayed in **DNS address**.  
Alternatively, to find these addresses, go to the Directory Service **Directories** page, and choose the applicable directory ID. Then, choose **Scale & share**. Under **Domain controllers**, identify and use the IPs that are displayed in **IP address**.
   + Leave the settings blank for **NTP servers**, **NetBIOS name servers**, and **NetBIOS node type**.

1. Choose **Create DHCP options set**, and then choose **Close**. The new set of DHCP options appears in your list of DHCP options.

1. Make a note of the ID of the new set of DHCP options (**dopt-*xxxxxxxx***). You use it at the end of this procedure when you associate the new options set with your VPC.
**Note**  
Seamless domain join works without having to configure a DHCP Options Set. 

1. In the navigation pane, choose **Your VPCs**.

1. In the list of VPCs, select **AWS-DS-VPC01**, choose **Actions**, and then choose **Edit DHCP options set**.

1. On the **Edit DHCP options set** page, select the options set that you recorded in Step 5, and then choose **Save**.

## Create a role to join Windows instances to your AWS Managed Microsoft AD domain
<a name="configureec2"></a>

Use this procedure to configure a role that joins an Amazon EC2 Windows instance to a domain. For more information, see [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md).

**To configure EC2 to join Windows instances to your domain**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the IAM console, choose **Roles**, and then choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. Immediately under **Choose the service that will use this role**, choose **EC2**, and then choose **Next: Permissions**.

1. On the **Attached permissions policy** page, do the following:
   + Select the box next to the **AmazonSSMManagedInstanceCore** managed policy. This policy provides the minimum permissions necessary to use the Systems Manager service.
   + Select the box next to **AmazonSSMDirectoryServiceAccess** managed policy. The policy provides the permissions to join instances to an Active Directory managed by Directory Service.

   For information about these managed policies and other policies you can attach to an IAM instance profile for Systems Manager, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*. For information about managed policies, see [AWS Managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

1. Choose **Next: Tags**.

1. (Optional) Add one or more tag key-value pairs to organize, track, or control access for this role, and then choose **Next: Review**. 

1. For **Role name**, enter a name for the role that describes that it is used to join instances to a domain, such as **EC2DomainJoin**.

1. (Optional) For **Role description**, enter a description.

1. Choose **Create role**. The system returns you to the **Roles** page.

## Create an Amazon EC2 instance and automatically join the directory
<a name="deployec2instance"></a>

In this procedure you set up a Windows Server system in an EC2 instance that can be used later to administer users, groups, and policies in Active Directory.

**To create an EC2 instance and automatically join the directory**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. Choose **Launch Instance**.

1. On the **Step 1** page, next to **Microsoft Windows Server 2019 Base - ami-*xxxxxxxxxxxxxxxxx*** choose **Select**.

1. On the **Step 2** page, select **t3.micro** (note, you can choose a larger instance type), and then choose **Next: Configure Instance Details**.

1. On the **Step 3** page, do the following:
   + For **Network**, choose the VPC that ends with **AWS-DS-VPC01** (for example, **vpc-*xxxxxxxxxxxxxxxxx* \| AWS-DS-VPC01**).
   + For **Subnet** choose **Public subnet 1**, which should be preconfigured for your preferred Availability Zone (for example, **subnet-*xxxxxxxxxxxxxxxxx* \| AWS-DS-VPC01-Subnet01 \| *us-west-2a***).
   + For **Auto-assign Public IP**, choose **Enable** (if the subnet setting is not set to enable by default).
   + For **Domain join directory**, choose **corp.example.com (d-*xxxxxxxxxx*)**.
   + For **IAM role** choose the name you gave your instance role in [Create a role to join Windows instances to your AWS Managed Microsoft AD domain](#configureec2), such as **EC2DomainJoin**.
   + Leave the rest of the settings at their defaults.
   + Choose **Next: Add Storage**.

1. On the **Step 4** page, leave the default settings, and then choose **Next: Add Tags**.

1. On the **Step 5** page, choose **Add Tag**. Under **Key** type **corp.example.com-mgmt** and then choose **Next: Configure Security Group**.

1. On the **Step 6** page, choose **Select an existing security group**, select **AWS DS Test Lab Security Group** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createsecuritygroup)), and then choose **Review and Launch** to review your instance.

1. On the **Step 7** page, review the page, and then choose **Launch**.

1. On the **Select an existing key pair or create a new key pair** dialog box, do the following:
   + Choose **Choose an existing key pair**.
   + Under **Select a key pair**, choose **AWS-DS-KP**.
   + Select the **I acknowledge...** check box.
   + Choose **Launch Instances**.

1. Choose **View Instances** to return to the Amazon EC2 console and view the status of the deployment.

## Install the Active Directory tools on your EC2 instance
<a name="installadtools"></a>

You can choose from two methods to install the Active Directory Domain Management Tools on your EC2 instance. You can use the Server Manager UI (recommended for this tutorial) or PowerShell.

**To install the Active Directory tools on your EC2 instance (Server Manager)**

1. In the Amazon EC2 console, choose **Instances**, select the instance you just created, and then choose **Connect**. 

1. In the **Connect To Your Instance** dialog box, choose **Get Password** to retrieve your password if you haven't already, and then choose **Download Remote Desktop File**. 

1. In the **Windows Security** dialog box, type your local administrator credentials for the Windows Server computer to log in (for example, **administrator**).

1. From the **Start** menu, choose **Server Manager**.

1. In the **Dashboard**, choose **Add Roles and Features**.

1. In the **Add Roles and Features Wizard**, choose **Next**. 

1. On the **Select installation type** page, choose **Role-based or feature-based installation**, and then choose **Next**.

1. On the **Select destination server** page, make sure that the local server is selected, and then choose **Next**.

1. On the **Select server roles** page, choose **Next**. 

1. On the **Select features** page, do the following:
   + Select the **Group Policy Management** check box.
   + Expand **Remote Server Administration Tools**, and then expand **Role Administration Tools**.
   + Select the **AD DS and AD LDS Tools** check box.
   + Select the **DNS Server Tools** check box.
   + Choose **Next**.

1. On the **Confirm installation selections** page, review the information, and then choose **Install**. When the feature installation is finished, the following new tools or snap-ins will be available in the Windows Administrative Tools folder in the Start menu. 
   + Active Directory Administrative Center
   + Active Directory Domains and Trusts
   + Active Directory Module for PowerShell
   + Active Directory Sites and Services
   + Active Directory Users and Computers
   + ADSI Edit
   + DNS
   + Group Policy Management

**To install the Active Directory tools on your EC2 instance (PowerShell) (Optional)**

1. Start PowerShell.

1. Type the following command. 

   ```
   Install-WindowsFeature -Name GPMC,RSAT-AD-PowerShell,RSAT-AD-AdminCenter,RSAT-ADDS-Tools,RSAT-DNS-Server
   ```

# Step 4: Verify that the base test lab is operational
<a name="microsoftadbasestep4"></a>

Use the following procedure to verify that the test lab has been set up successfully before adding additional test lab guide modules. This procedure verifies that your Windows Server is configured appropriately, can connect to the corp.example.com domain, and can be used to administer your AWS Managed Microsoft AD forest.

**To verify that the test lab is operational**

1. Sign out of the EC2 instance where you were logged in as the local administrator. 

1. Back in the Amazon EC2 console, choose **Instances** in the navigation pane. Then select the instance that you created. Choose **Connect**. 

1. In the **Connect To Your Instance** dialog box, choose **Download Remote Desktop File**. 

1. In the **Windows Security** dialog box, type your administrator credentials for the CORP domain to log in (for example, **corp\\admin**).

1. Once you are logged in, in the **Start** menu, under **Windows Administrative Tools**, choose **Active Directory Users and Computers**. 

1. You should see **corp.example.com** displayed with all the default OUs and accounts associated with a new domain. Under **Domain Controllers**, notice the names of the domain controllers that were automatically created when you created your AWS Managed Microsoft AD back in Step 2 of this tutorial. 

Congratulations! Your AWS Managed Microsoft AD base test lab environment has now been configured. You are ready to begin adding the next test lab in the series.

Next tutorial: [Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2](ms_ad_tutorial_test_lab_trust.md)