How do I use AWS Systems Manager to join a new EC2 Windows instance to my AWS Directory Service domain?
Last updated: 2020-05-14
I want to use AWS Systems Manager to join a new Amazon Elastic Compute Cloud (Amazon EC2) instance to an AWS Directory Service domain at launch. How can I do this?
You can use AWS Systems Manager to join a new instance to the domain automatically at launch. The domain can be hosted on AWS Directory Service using either AWS Directory Service for Microsoft Active Directory or Simple AD, or it can be an existing on-premises domain that you reach through the AD Connector directory gateway.
Note: If you use VPC endpoints for Systems Manager, then requests to join an EC2 instance to an AWS Directory Service domain fail. For more information, see VPC endpoint restrictions and limitations.
You can seamlessly join new Windows EC2 instances to an AWS Directory Service directory at launch using the Amazon EC2 launch instance wizard. Before you begin, make sure that you have the following:
- An AWS Directory Service directory that is reachable from the VPC and subnet where you will launch the instance
- An AWS Identity and Access Management (IAM) instance profile role configured for Systems Manager and directory join access (for example, a role with the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess managed policies attached)
Configure and launch the EC2 instance
- Open the Amazon EC2 console, choose your Region, and then choose Launch Instance.
- For Choose an Amazon Machine Image (AMI), locate a Windows AMI that includes the AWS Systems Manager Agent (SSM Agent), and then choose Select.
Note: The agent is included in all AWS-provided AMIs for Windows Server 2016 and Windows Server 2019, and in Windows Server 2008 through Windows Server 2012 R2 AMIs published in November 2016 or later. If you use an AMI without the agent, the domain join association is never processed. For more details, see Installing and configuring SSM Agent on Windows Server instances.
- For Choose an Instance Type, select the hardware configuration and size of the instance that you want to launch, and then choose Next: Configure Instance Details.
- For Configure Instance Details, enter the following:
  - For Domain join directory, choose the Directory ID of the AWS Directory Service directory. The subnet you select must be able to route to the directory's DNS servers, or the join will fail.
  - For IAM role, choose an IAM instance profile role that is configured for Systems Manager and directory join access. Without this role, the agent cannot register with Systems Manager or read the directory details. For more details, see Create an IAM instance profile for Systems Manager.
- Review and update the remaining instance configuration details to meet your requirements, and then continue following the launch wizard steps. When you reach the Review Instance Launch page, choose Launch. For more information, see Launching an instance using the Launch Instance Wizard.
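The wizard's Domain join directory setting is a convenience over Systems Manager: it creates a domain-join document for the directory and associates it with the new instance. The following is an added example, not part of the original article, that performs the same kind of join from AWS Tools for PowerShell against an instance that is already running with the instance profile described above, using the public AWS-JoinDirectoryServiceDomain document instead of the wizard-generated one. The Region, instance ID and directory ID are placeholders you must replace.

```powershell
# Added example (not from the original article). Joins an existing, SSM-managed
# Windows instance to a Directory Service domain with the public
# AWS-JoinDirectoryServiceDomain document. All values below are placeholders.
Import-Module AWS.Tools.SimpleSystemsManagement
Import-Module AWS.Tools.DirectoryService

$Region      = 'us-east-1'                  # placeholder: your Region
$InstanceId  = 'i-0123456789abcdef0'        # placeholder: your instance
$DirectoryId = 'd-1234567890'               # placeholder: your directory

# Read the domain name and DNS server IPs from the directory itself rather than
# typing them by hand; typos here are a common cause of failed joins.
$dir = Get-DSDirectory -DirectoryId $DirectoryId -Region $Region
if (-not $dir) { throw "Directory $DirectoryId not found in $Region" }

# The association can only run once SSM Agent has registered the instance and it
# reports Online. Associating earlier is harmless, but it will sit in Pending.
$info = Get-SSMInstanceInformation -Region $Region | Where-Object InstanceId -eq $InstanceId
if (-not $info -or $info.PingStatus -ne 'Online') {
    throw "$InstanceId is not an Online managed instance. Check the instance profile and agent."
}

# Parameters of the AWS-JoinDirectoryServiceDomain document. Each value is a string
# list. Uncomment directoryOU to place the computer object in a specific OU.
$params = @{
    directoryId    = @($dir.DirectoryId)
    directoryName  = @($dir.Name)
    dnsIpAddresses = @($dir.DnsIpAddrs)
    # directoryOU  = @('OU=Servers,DC=corp,DC=example,DC=com')
}

$assoc = New-SSMAssociation -Name 'AWS-JoinDirectoryServiceDomain' `
    -Target @{ Key = 'InstanceIds'; Values = @($InstanceId) } `
    -Parameter $params -Region $Region

'Created association {0} for {1} -> {2}' -f $assoc.AssociationId, $InstanceId, $dir.Name
```

The join runs on the instance the next time the agent polls for associations and ends with a reboot. Because this example uses the public document, the association appears under the name AWS-JoinDirectoryServiceDomain rather than the awsconfig_Domain_<DIRECTORYID>_<DOMAIN_NAME> name the wizard uses.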
Verify that the instance successfully joined the domain
- Open the AWS Systems Manager console, choose your Region, and then choose Managed Instances from the navigation pane.
- Select the instance in the list, then choose Associations.
- Locate the association used to join the domain, which has a Document name in the following format: awsconfig_Domain_<DIRECTORYID>_<DOMAIN_NAME>.
- Verify that the Association status is Success.
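The same check can be scripted from an administrator workstation, which is useful when you launch many instances. The following is an added example, not part of the original article; it uses AWS Tools for PowerShell with the Region and instance ID as placeholders, and reports the last execution result of every domain-join association that targets the instance.

```powershell
# Added example (not from the original article): report the domain-join association
# status for one instance from a workstation with AWS Tools for PowerShell installed.
Import-Module AWS.Tools.SimpleSystemsManagement

$Region     = 'us-east-1'                 # placeholder: your Region
$InstanceId = 'i-0123456789abcdef0'       # placeholder: your instance

# One record per association that targets this instance, with its latest result.
$statuses = Get-SSMInstanceAssociationsStatus -InstanceId $InstanceId -Region $Region

# The wizard names its document awsconfig_Domain_<DIRECTORYID>_<DOMAIN_NAME>; an
# association created by hand uses the public AWS-JoinDirectoryServiceDomain. Match both.
$join = $statuses | Where-Object {
    $_.Name -like 'awsconfig_Domain_*' -or $_.Name -eq 'AWS-JoinDirectoryServiceDomain'
}

if (-not $join) {
    Write-Warning "No domain-join association targets $InstanceId. Was 'Domain join directory' set at launch?"
    return
}

foreach ($s in $join) {
    # Status is Pending, Success or Failed; DetailedStatus and ErrorCode explain a failure.
    '{0}: {1} ({2}) at {3}' -f $s.Name, $s.Status, $s.DetailedStatus, $s.ExecutionDate
    if ($s.Status -ne 'Success') {
        '  ErrorCode: {0}' -f $s.ErrorCode
        '  Summary:   {0}' -f $s.ExecutionSummary
    }
}
```

A status of Pending that never changes usually means the agent has not registered (wrong instance profile, no route to the Systems Manager endpoints, or an AMI without the agent), whereas Failed with an execution summary points at the join itself, typically DNS or network reachability to the directory.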
If the instance fails to join the directory domain, first read the error output of the failed association, then verify that the instance can reach the directory's domain controllers on the ports that Active Directory requires (DNS, Kerberos, LDAP, SMB and RPC), for example by running the DirectoryServicePortTest application on the instance. The instance must also use the directory's DNS servers to resolve the domain; an instance that still points at another resolver cannot locate a domain controller.
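The checks above can be approximated with built-in Windows cmdlets when the port test tool is not at hand. The following is an added example, not part of the original article, to be run on the instance itself (over RDP or Session Manager). The domain name and DNS IP addresses are placeholders for the values on your directory's details page; the port list is the standard set of TCP ports a Windows client needs for a domain join.

```powershell
# Added example (not from the original article). Run on the instance when the join
# association reports Failed. Checks domain membership, which resolvers the instance
# uses, DNS answers from each directory DNS server, and TCP reachability of the
# standard Active Directory client ports. Placeholders: $DomainName and $DnsIps.
$DomainName = 'corp.example.com'               # placeholder: your directory's domain
$DnsIps     = @('10.0.0.10', '10.0.1.10')      # placeholder: your directory's DNS IPs

# TCP ports needed for join/authentication. UDP (53, 88, 123, 138, 389, 445, 464) and
# the dynamic RPC range (TCP 49152-65535) are also required but cannot be probed with
# Test-NetConnection; confirm those in the security group and network ACL rules.
$TcpPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)

# 1. Current domain state of this computer.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
'Computer {0}: PartOfDomain={1} Domain={2}' -f $cs.Name, $cs.PartOfDomain, $cs.Domain

# 2. The instance must resolve through the directory's DNS servers.
$resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses).ServerAddresses | Sort-Object -Unique
'Configured DNS servers: {0}' -f ($resolvers -join ', ')
$missing = $DnsIps | Where-Object { $_ -notin $resolvers }
if ($missing) { Write-Warning ('Directory DNS servers not configured on this instance: {0}' -f ($missing -join ', ')) }

foreach ($ip in $DnsIps) {
    # 3. Each directory DNS server must answer the domain-controller locator SRV query.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $ip -ErrorAction Stop
        $targets = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
        'SRV via {0}: {1}' -f $ip, $targets
    } catch {
        'SRV via {0}: FAILED ({1})' -f $ip, $_.Exception.Message
    }

    # 4. TCP reachability of each AD port on that server. BLOCKED usually means a
    #    security group, network ACL or route table problem rather than a directory fault.
    foreach ($port in $TcpPorts) {
        $ok = Test-NetConnection -ComputerName $ip -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0}:{1} {2}' -f $ip, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

If the SRV lookup fails against every directory DNS server while the ports report open, the problem is the instance's resolver configuration rather than the network path; if the ports report BLOCKED, fix the security group or network ACL on the instance or the directory side before retrying the association.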
For more information about working with the AWS Systems Manager agent and other troubleshooting steps, see AWS Systems Manager Managed Instances.
For more troubleshooting strategies, see How to troubleshoot errors that occur when you join Windows-based computers to a domain on the Microsoft website.