AWS Cloud Operations Blog
Automate migrated servers to automatically join an Active Directory domain using AWS Application Migration service and AWS Systems Manager
AWS Application Migration Service (MGN) simplifies and expedites your migration to AWS by automatically converting your source servers from physical, virtual, or cloud infrastructure to run natively on AWS. The post-launch actions feature in MGN allow you to control and automate actions performed after your servers have been launched in AWS. You can use predefined or use custom post-launch actions.
AWS Systems Manager (SSM) is the operations hub for your AWS applications and resources and a secure end to-end management solution for hybrid cloud environments that enables secure operations at scale. Systems Manager documents define the actions that Systems Manager performs on your managed instances. You can use predefined SSM documents or build and use custom documents.
Our solution removes the manual overhead of joining your migrated servers (Linux or Windows) to an existing Microsoft Active Directory (AD) domain for each migrated server using Systems Manager and the recently launched post-launch actions feature in Application Migration service (MGN). The solution dynamically automates domain join activities with Microsoft Active Directory Domain Services (AD DS) for your Amazon EC2 Linux and Windows instances once the server has been launched in AWS. The automation is flexible to support any deployment mode for Active Directory- both self-managed AD DS running on Windows EC2 instances, and AWS Managed Microsoft Active Directory.
Prerequisites
You must first complete the following pre-requisites to set up Application Migration Service replication and Active Directory in your AWS environment. We will use the us-west-2 region to demonstrate our solution.
- Install AWS Managed Active Directory – From the AWS CloudFormation console in the us-west-2 region, create a stack by launching the AD-Immersionday_Template.yaml template.
- This template automates the installation of AWS Managed Microsoft AD which is a fully managed Active Directory service.
- As a managed service, AWS is responsible for maintaining the AD domain controllers (security, patching, and backup). When you launch AWS Managed Microsoft AD, AWS creates a pair of domain controllers in a new AD forest. The domain controllers operate in a dedicated single tenant AWS Managed VPC and elastic network interfaces (ENIs) placed in two Availability Zones (AZs) in your VPC.
- This template automates the installation of AWS Managed Microsoft AD which is a fully managed Active Directory service.
- Follow instructions to login to the bastion host to access AWS Managed Active Directory and then create a new domain user and password with administrator privileges.
- Create an AWS Systems Manager Parameter store parameter to store the credentials of the domain user that you just created in Step 2 of the prerequisites. From the AWS CloudFormation console in the us-west-2 region, create a stack by launching the ssm-parameters.yaml template. Provide the following parameters for your Systems Manager document:
- DomainJoinUserName – Provide the name of the domain user with administrator privileges to AWS Managed Active Directory. This was setup in Step 2 of this prerequisites section
- DomainJoinPassword – Provide the password of the domain user with administrator privileges to AWS Managed Active Directory. This was setup in Step 2 of this prerequisites section
- Create an instance profile AWS Identity and Access Management (IAM) role – The migrated server when launched by MGN will need an IAM role that has the required permissions needed for actions defined in our post-launch run SSM document. From the AWS CloudFormation console in the us-west-2 region, create a stack by launching the domain-join-automation-role.yaml template. Provide the following parameters for your Systems Manager document:
- DomainJoinAutomationEC2Role – Provide a name for the IAM role or accept the default
- Setup Application Migration Service and replicate a source server
- From the AWS CloudFormation console in the us-west-2 region, create a stack by launching the MGN-sourceserver-replication.yml template
- Follow instructions under Getting Started->Running the workshop on your own->Option 1. This installs a source AWS Environment in your us-west-2 region (consisting of a three-tier e-commerce application including a webserver and a database) and a target AWS environment in another region (us-east-1). We will use MGN to migrate the source web server from us-west-2 to the target AWS environment in us-east-1.
- Enable Migration Hub in us-west-2.
- Follow instructions under AWS->Server Migration->Re-host with Application Migration Service to replicate the source server and update server details.
- In the Modify EC2 Launch Template section select the IAM role created in step 4 as the instance profile and ensure that Auto-assign Public IP is enabled
Setup
- Install the Systems Manager Document – From the CloudFormation console in us-west-2, create a stack by launching the domainJoin_RunDocument_yaml.yaml template. Provide the following parameters for your Systems Manager document:
- DomainJoinSSMDocumentName – Provide a name for the SSM document or accept the default
- Configure MGN post launch settings – Follow the MGN post launch setting steps here to configure an MGN custom action that executes your Systems Manager document created in the previous step. Provide the following parameters for your Systems Manager document:
- DomainName – Fully Qualified Domain Name (FQDN) of your AD domain (for e.g. corp.example.com) based on our AD install from Step 1 of the prerequisites section
- DomainJoinUserName – Domain username from the Systems Manager Parameter Store Parameter in Step 3 of the prerequisites section
- DomainJoinPassword – Domain password from the Systems Manager Parameter Store Parameter in Step 3 of the prerequisites section
How it works
The solution uses an MGN post launch action configured within the MGN post launch settings template that is applied to every newly added server. You can change the settings for existing and newly added servers individually within the server details view. The MGN post launch action invokes a custom Systems Manager document that automatically joins your migrated servers (Linux or Windows) to a specified AD domain. The document uses the Systems Manager precondition feature to determine the OS platform and executes the domain join operation based on the identified platform type. The following diagram illustrates the end to end architecture for our solution.
Figure 1: Solution architecture depicting the end to end flow for automating join of migrated servers to an Active Directory domain using Application Migration Service and Systems Manager
Validate
- Follow instructions under AWS->Server Migration->Re-host with Application Migration Service to test your server and launch cutover
- Follow steps 2, 3 and 4 here that use the parameters – SSHKeyURL, WebServerDNSName, WebServerUsername from the output section of your deployed MGN-sourceserver-replication.yml template to SSH to the launched server
- For Linux OS, Run ‘realm list’. The command will list the AD realms that your instance is joined to and validate that the instance is joined to your ‘corp.example.com’ AD realm
- For Windows OS, Run ‘get-computerinfo’. The command will get a consolidated object of system and operating system properties. Look for the ‘csdomain’ property which is the domain system is joined to.
Cleanup
To avoid recurring charges, and to clean up your account after deploying the solution outlined in this post, perform the following:
- Delete the cloudformation stacks in the following sequence for these templates from the solution:
- Follow the steps here to delete the custom Systems Manager document – domainJoin_RunDocument.yaml