Seamlessly Join EC2 Instances to a Domain
Way back in 2008 I announced that you could run Microsoft Windows on Amazon EC2. Since that time, we have made many additions to the initial offering. You now have your choice of several different versions of Windows Server including 2003 R2, 2008, 2008 R2, 2012, and 2012 R2. You can build AWS-powered applications using the AWS SDK for .NET and you can use the AWS Tools for Windows PowerShell to script and automate your Windows-hosted, AWS-centric activities.
Today we are making Windows on EC2 even more powerful by giving you the ability to seamlessly join EC2 instances to a domain that you have configured with AWS Directory Service. After you configure this new feature using the AWS Management Console, the EC2 API, or the AWS Tools for Windows PowerShell you can choose which domain a new instance will join when it launches. You can also seamlessly join existing instances to a domain.
After you have joined your EC2 instances to a domain, you can use Domain Administrator credentials to access the instances via RDP (the generated local administrator password can still be used).
Joining a Domain at Launch Time
Here’s how you can choose to join a domain when you launch a new EC2 instance that’s running Windows. You will need to create a new IAM role (or modify an existing one) to allow the instance to access the EC2 SSM (Simple System Manager) API. I created a new IAM policy called allow-all-ssm and then used it to create a role called allow-ssm. Here’s the policy that I used:
Then I selected the VPC with my directory, requested an auto-assigned public IP address, and chose the role (all of these are prerequisites for this feature):
Simply choose one of your directories and the instance will seamlessly join it as part of the launch process.
For more information, read about joining a domain in the EC2 Documentation:
This feature will work with Windows AMI released on or after February 2015.
Joining a Domain for a Running Instance
The domain join functionality is implemented by the newest version (3.0 and above) of the EC2 Config Service (EC2Config for short). This service runs in the LocalSystem account and performs tasks on the instance to implement certain tasks that are best performed from within the instance.
You’ll need to upgrade your instances to the newest version of the service in order to be able to join them to domain. To do this, read the documentation on Installing the Latest Version of EC2Config. If you launched your instances using one of the most recent (February 2015 or newer) Windows AMIs the service is already installed and up to date.
Then you need to set some IAM permissions, create a configuration document (a very simple JSON file), and associate the configuration document with the desired instances. You can do this using the EC2 API or the Tools for Windows PowerShell.
To learn more, read the new documentation on Managing Windows Instance Configuration.
This feature is available now in the US East (N. Virginia) region and you can start using it today!
PS – Domain Join is just one of a number of features provided by the newest version of EC2Config. It can also run PowerShell scripts, and it can install, repair, or uninstall MSI packages. See the Simple Systems Manager documentation for more information.