Unknown data source, 2024-10-02
The refreshed AWS Launch Wizard for Active Directory deployment release

 

The AWS Launch Wizard deployment for Active Directory has been updated with new options and improvements. This article covers what changed and how those changes may affect future updates to the service, and walks through the steps for deploying with the wizard.

💻 Updates to AWS Launch Wizard for Active Directory include: an option to install AWS Managed Microsoft Active Directory with additional automation; the ability to extend an existing on-premises AD into a new VPC on AWS; modern OS-level configuration using AWS Systems Manager Automation documents; and advanced auditing and metrics for the self-managed AD domain controller scenarios and for the management instance in the AWS Managed Microsoft AD scenario.

🎯 Steps for an Active Directory (AD) deployment with AWS Launch Wizard: sign in to the AWS Management Console, open the AWS Launch Wizard console, choose the application, and work through a series of settings, including the deployment name, Availability Zones, network configuration, Amazon EC2 configuration, and Microsoft Active Directory configuration.

🔑 Several details need attention during configuration: the number of Availability Zones and which ones to use in the network configuration, the key pair name in the Amazon EC2 configuration, and the domain DNS name, NetBIOS name, and Admin account password in the Microsoft Active Directory configuration.

<section class="blog-post-content"><p>AWS recently refreshed the <a href="https://aws.amazon.com/launchwizard/">AWS Launch Wizard</a> Active Directory (AD) deployment with improvements and new options. In this post, we will cover what has changed and how these changes may influence future updates to the service.</p><p>In this refreshed release, we have updated the following:</p><ul><li>Option to install <a href="https://aws.amazon.com/directoryservice/active-directory/">AWS Managed Microsoft Active Directory</a> with additional automation. This reduces your effort when configuring an Amazon Virtual Private Cloud (VPC), deploying a management server, creating a Public Key Infrastructure (PKI), and setting up a Microsoft Remote Desktop Gateway (RDGW).</li><li>Ability to extend your existing on-premises AD to AWS via a new VPC.</li><li>Modern OS-level configurations using AWS Systems Manager (SSM) Automation documents.</li><li>Option to enable advanced auditing and metrics for the self-managed AD domain controller scenarios and for the management instance in the AWS Managed Microsoft AD scenario.</li></ul><p>With the refreshed release, the <a href="https://aws.amazon.com/launchwizard/">AWS Launch Wizard</a> for Active Directory pulls the latest updates from the <a href="https://github.com/aws-quickstart/quickstart-microsoft-activedirectory">Microsoft Active Directory AWS QuickStart</a> GitHub repository. 
AWS QuickStarts are open source, which enables you to directly improve the product if you choose to contribute or provide feedback to the <a href="https://github.com/aws-quickstart/quickstart-microsoft-activedirectory">Microsoft Active Directory AWS QuickStart</a>.</p><p>In the following walkthrough, we will demonstrate the use of the AWS Launch Wizard for Active Directory (AD) deployment.</p><p>After you successfully deploy AWS Managed Microsoft AD, you will modify the security group to allow certificate auto-enrollment to take place.</p><p>Finally, once the LDAP over SSL PKI certificates have been issued via auto-enrollment, you will validate that LDAP over SSL is functional.</p><p>While it is possible to deploy all of these features manually and separately, AWS Launch Wizard simplifies and unifies the deployment with a graphical, wizard-driven process.</p><h2>Launch AWS Managed Microsoft AD with Management and Microsoft Enterprise PKI Instances</h2><p>In this section, you will perform the following operations using the AWS Launch Wizard for Active Directory (AD):</p><ul><li>Create AWS Managed Microsoft AD</li><li>Create a management instance</li><li>Implement a two-tier PKI in a new VPC</li></ul><p>To implement these steps, proceed as follows:</p><p>1. Sign in to the AWS Management Console, open the AWS Launch Wizard console, and select <strong>Choose application</strong>.</p><p>2. In the Available applications drop-down list, select <strong>Microsoft Active Directory</strong>.</p><p>3. For <strong>Deployment type</strong>, select <strong>AWS Managed Microsoft AD – new VPC</strong>, and then select <strong>Create deployment</strong>, as shown in Figure 1.</p><p><img class="alignnone size-full wp-image-3553 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture1-4.png" alt="" width="573" height="671" /></p><p class="c4">Figure 1: Deployment Selection</p><p>4. 
On the <strong><em>Review permission</em></strong> page, select <strong>Next</strong>.</p><p>5. This brings you to the <strong><em>Configure application settings</em></strong> page.</p><p>6. In the <em><strong>General setting</strong></em> section of the page, fill in the following field:</p><ul><li><strong>Deployment name</strong>: Any name you wish.</li></ul><p>7. Scroll down to the <em><strong>Network configuration</strong></em> section of the page and fill in the following fields:</p><ul><li><strong>Number of Availability Zones</strong>: 2 or 3. In this example, I use 2, as shown in Figure 2.</li><li><strong>Availability Zones</strong>: Select 2 or 3 AZs. In this example, I use <strong>us-east-2a</strong> and <strong>us-east-2b</strong>, as shown in Figure 2.</li><li><strong>Uncheck</strong> the checkbox <em><strong>Select this option to create and associate a new DHCP options set for the VPC</strong></em>, as shown in Figure 2.</li></ul><p><img class="alignnone size-full wp-image-3554 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture2-3.png" alt="" width="639" height="653" /></p><p class="c4">Figure 2: Network Configuration</p><p>8. Scroll down to the <em><strong>Amazon EC2 configuration</strong></em> section of the page and fill in the following field:</p><ul><li><strong>Key pair name</strong>: Select a key pair from your account. In this example, I use <em><strong>Baseline</strong></em>, as shown in Figure 3.</li></ul><p>9. Scroll down to the <em><strong>Microsoft Active Directory configuration</strong></em> section of the page and fill in the following fields:</p><ul><li><strong>Domain DNS name</strong>: Enter the DNS name of the AWS Managed Microsoft AD directory. In this example, I use <em><strong>corp.example.com</strong></em>, as shown in Figure 3.</li><li><strong>Domain NetBIOS name</strong>: Enter the NetBIOS name of the AWS Managed Microsoft AD directory. 
In this example, I use <em><strong>CORP</strong></em>, as shown in Figure 3.</li><li><strong>Admin account password</strong>: Enter a password to set on the Admin account, as shown in Figure 3.</li></ul><p><img class="alignnone size-full wp-image-3555 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture3-3.png" alt="" width="639" height="684" /></p><p class="c4">Figure 3: EC2 and Active Directory Configuration</p><p>10. Scroll down to the <em><strong>Microsoft Active Directory Certificate Services configuration</strong></em> section of the page and fill in the following field:</p><ul><li><strong>Certificate Authority deployment type</strong>: Select <em><strong>Two-Tier</strong></em>, as shown in Figure 4.</li></ul><p><img class="alignnone size-full wp-image-3556 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture4-2.png" alt="" width="578" height="879" /></p><p class="c4">Figure 4: Active Directory Certificate Service Configuration</p><p>11. Scroll down to the <em><strong>Microsoft Remote Desktop Gateway configuration</strong></em> section of the page and fill in the following field:</p><ul><li><strong>Number of Remote Desktop Gateway hosts</strong>: Enter <em><strong>0</strong></em>, as shown in Figure 5.</li></ul><p><img class="alignnone size-full wp-image-3557 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture5-2.png" alt="" width="639" height="153" /></p><p class="c4">Figure 5: RDGW Configuration</p><p>12. Leave the rest of the fields on this page at their defaults, and select <strong>Next</strong>. This brings you to the <em><strong>Configure infrastructure settings</strong></em> page.</p><p>13. 
On the <em><strong>Configure infrastructure settings</strong></em> page, configure the following fields:</p><ul><li><strong>Define infrastructure requirements</strong>: <em><strong>Based on static values</strong></em></li><li><strong>Management Server Instance Type</strong>: <em><strong>t3.medium</strong></em></li><li><strong>CA Instance Type</strong>: <em><strong>t3.medium</strong></em></li></ul><p>14. Leave the rest of the fields on this page at their defaults and select <strong>Next</strong>. This brings you to the <em><strong>Review post-deployment steps</strong></em> page.</p><p>15. On the <em><strong>Review post-deployment steps</strong></em> page, select <strong>Next</strong>. This brings you to the <em><strong>Review and deploy</strong></em> page.</p><p>16. On the <em><strong>Review and deploy</strong></em> page, review your selections and select <strong>Deploy</strong>.</p><p>NOTE: it may take up to 2 hours for the deployment to complete.</p><h2>Preparing Your AWS Managed Microsoft AD Security Group for PKI</h2><p>Next, you need to adjust the outbound rules of the security group attached to your AWS Managed Microsoft AD directory, so that the domain controllers have outbound access to the Microsoft Enterprise Certificate Authority for certificate auto-enrollment.</p><p>1. In the <a href="https://console.aws.amazon.com/directoryservicev2/">AWS Directory Service console</a> navigation pane, choose <strong>Directories</strong>.</p><p>2. Take note of the <strong>Directory ID</strong> of the directory you deployed in the previous steps.</p><p>3. Navigate to the <a href="https://console.aws.amazon.com/ec2/">Amazon EC2 console</a>.</p><p>4. In the left navigation pane, select <strong>Network &amp; Security</strong> &gt; <strong>Security Groups</strong>.</p><p>5. In the <strong>Filter security groups</strong> box (at the top), enter the <strong>Directory ID</strong> from step 2 and press <strong>Enter</strong>.</p><p>6. 
You should see only one security group returned in the console. Select the security group, switch to the <strong>Outbound rules</strong> tab, and choose <strong>Edit outbound rules</strong>, as shown in Figure 6.</p><p><img class="alignnone size-full wp-image-3558 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture6-2.png" alt="" width="639" height="376" /></p><p class="c4">Figure 6: AWS Managed Microsoft AD Security Group</p><p>7. Select <strong>Add rule</strong>.</p><p>8. Select <em><strong>All traffic</strong></em> for the <em><strong>Type</strong></em> field and <em><strong>Custom</strong></em> for the <em><strong>Destination</strong></em> field. In this example, I enter the CIDR of <em><strong>10.0.0.0/16</strong></em> in the Destination box. Choose <strong>Save rules</strong>, as shown in Figure 7.</p><p>Allowing all traffic to the whole VPC CIDR keeps this walkthrough simple. For a directory you intend to keep, scope the destination to the security group of the CA instance rather than the VPC, and to the protocols that enrollment actually needs, so the domain controllers cannot initiate connections to every host in the VPC.</p><p><img class="alignnone size-full wp-image-3559 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture7-2.png" alt="" width="639" height="167" /></p><p class="c4">Figure 7: AWS Managed Microsoft AD Security Group Configuration</p><h2>Validate LDAP over SSL is working with AWS Managed Microsoft AD</h2><p>Finally, using the <a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771022(v=ws.11)">LDP.exe</a> tool, you are going to validate that the certificates have been issued to the AWS Managed Microsoft AD domain controllers and that LDAP over SSL is functional.</p><p>1. Open the <a href="https://console.aws.amazon.com/systems-manager/managed-instances/rdp-connect">AWS Systems Manager Fleet Manager – Remote Desktop console</a>.</p><p>2. Select <strong>Add new session</strong>, select the node named <strong>ENTCA1</strong>, and select <strong>Add</strong>.</p><p>3. 
Select <strong>User credentials</strong>, enter the following credentials, and select <strong>Connect</strong>.</p><p class="c5">a. <strong>Username</strong>: <em><strong>corp\admin</strong></em></p><p class="c5">b. <strong>Password</strong>: The password you set when you launched the directory.</p><p>4. On <strong>ENTCA1</strong>, go to the Start Menu, type <strong>pkiview.msc</strong>, and select <strong>pkiview.msc</strong> to open the PKI View MMC.</p><p>5. In the PKI View MMC, expand the tree for <strong>ORCA1</strong> and select <strong>ENTCA1</strong>. The status for all items should be <strong>OK</strong>, as shown in Figure 8.</p><p><img class="alignnone size-full wp-image-3560 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture8-2.png" alt="" width="639" height="123" /></p><p class="c4">Figure 8: PKI View MMC</p><p>6. Right-click <strong>ENTCA1</strong> and select <strong>Manage CA…</strong> to open the Certificate Manager MMC.</p><p>7. In the Certificate Manager MMC, expand the tree for <strong>ENTCA1</strong> and select <strong>Issued Certificates</strong>.</p><p>8. You should see two certificates issued with the <strong>LdapOverSSL-QS</strong> certificate template, as shown in Figure 9.</p><p><img class="alignnone size-full wp-image-3561 aligncenter" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture9-2.png" alt="" width="639" height="73" /></p><p class="c4">Figure 9: Certificate Manager Issued Certificates</p><p>Note: the certificate auto-enrollment process on the AWS Managed Microsoft Active Directory domain controllers runs every 30 minutes, so you may need to wait up to 30 minutes for the certificates to be issued.</p><p>9. Go to the Start Menu and type <strong>ldp.exe</strong> to open the LDAP tool.</p><p>10. 
In the LDP tool, select <strong>Connection</strong> &gt; <strong>Connect</strong>, as shown in Figure 10.</p><p><img class="aligncenter wp-image-3562" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture10-3-249x300.png" alt="" width="260" height="313" /></p><p class="c4">Figure 10: LDP Connection</p><p>11. In the <strong>Connect</strong> dialog, do the following:</p><p class="c5">a. For <strong>Server</strong>, enter the DNS name of your domain. In this example, the server is <em><strong>corp.example.com</strong></em>.</p><p class="c5">b. <strong>Port</strong>: <em><strong>636</strong></em>.</p><p class="c5">c. <strong>SSL</strong>: <em><strong>Checked</strong></em>.</p><p class="c5">d. Select <strong>OK</strong> to connect to the directory through LDAPS, as shown in Figure 11.</p><p><img class="aligncenter wp-image-3563" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture11-3-300x161.png" alt="" width="374" height="200" /></p><p class="c4">Figure 11: LDP Connection Dialog</p><p>12. You should see the following message confirming that your LDAPS connection is open, as shown in Figure 12.</p><p><img class="aligncenter wp-image-3564" src="https://d2908q01vomqb2.cloudfront.net/8effee409c625e1a2d8f5033631840e6ce1dcb64/2022/09/22/Picture12-3.png" alt="" width="640" height="221" /></p><p class="c4">Figure 12: Successful LDAP over SSL Connection</p><p>In this post, you deployed a brand new AWS Managed Microsoft AD with a management instance and a two-tier PKI using the updated AWS Launch Wizard. After completion, you validated that LDAP over SSL was functional using <strong>ldp.exe</strong>. This post covers just one of the six scenarios that AWS Launch Wizard provides. Other scenarios include standing up a self-managed AD or extending an existing self-managed AD.</p></section>
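The two post-deployment steps in the post (opening the directory's security group towards the CA, and checking LDAPS the way ldp.exe does) can also be scripted from the management instance or ENTCA1. The PowerShell below is an added example, not code from the post, from AWS Launch Wizard or from the QuickStart. It assumes AWS Tools for PowerShell (AWS.Tools.DirectoryService and AWS.Tools.EC2) with credentials that may read the directory and edit security groups, and it runs as a domain user on a domain-joined host. The directory ID, CA instance ID and server names are placeholders. Unlike the console steps, which allow all traffic to the VPC CIDR, it references the CA's own security group and only the RPC ports that certificate enrollment is assumed to use (TCP 135 plus the dynamic RPC range); that port list is an assumption, so widen it if enrollment does not occur.

```powershell
# Added example, not from the original post: post-deployment checks for the
# AWS Launch Wizard "AWS Managed Microsoft AD - new VPC" scenario with a two-tier PKI.
# Assumes AWS.Tools.DirectoryService and AWS.Tools.EC2 are installed and credentials
# are configured. All IDs and hostnames used at the bottom are placeholders.
Import-Module AWS.Tools.DirectoryService, AWS.Tools.EC2

function Grant-DirectoryEgressToCa {
    param(
        [Parameter(Mandatory)][string]$DirectoryId,   # Directory ID from the Directory Service console
        [Parameter(Mandatory)][string]$CaInstanceId   # EC2 instance ID of ENTCA1 (the issuing CA)
    )
    # The directory's security group is exposed through its VPC settings.
    $dir  = Get-DSDirectory -DirectoryId $DirectoryId
    $dcSg = $dir.VpcSettings.SecurityGroupId
    # Security group attached to the enterprise CA instance.
    $caSg = (Get-EC2Instance -InstanceId $CaInstanceId).Instances[0].SecurityGroups[0].GroupId

    # Assumption: DC -> CA enrollment is DCOM/RPC, i.e. the endpoint mapper on TCP 135
    # plus the dynamic RPC range. The post instead allows all traffic to 10.0.0.0/16.
    $perms = foreach ($range in @(@(135, 135), @(49152, 65535))) {
        $p = New-Object Amazon.EC2.Model.IpPermission
        $p.IpProtocol = 'tcp'
        $p.FromPort   = $range[0]
        $p.ToPort     = $range[1]
        $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
        $pair.GroupId = $caSg            # reference the CA's security group, not a CIDR
        $p.UserIdGroupPairs = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.UserIdGroupPair]'
        $p.UserIdGroupPairs.Add($pair)
        $p
    }
    Grant-EC2SecurityGroupEgress -GroupId $dcSg -IpPermission $perms
    # Return the resulting outbound rules so the change can be reviewed.
    (Get-EC2SecurityGroup -GroupId $dcSg).IpPermissionsEgress
}

function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,   # a DC FQDN, or the domain DNS name as in the post
        [int]$Port = 636
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $script:policyErrors = $null

    # 1. TLS handshake only: capture the certificate the DC presents and any chain or
    #    name validation errors. The callback accepts everything so errors are
    #    reported rather than turned into an exception.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:policyErrors = $sslPolicyErrors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name extension (OID 2.5.29.17), rendered as one line.
        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    } finally { $tcp.Close() }

    # 2. A real LDAP bind over SSL with the current domain credentials, followed by a
    #    rootDSE read, which is what a successful ldp.exe connection amounts to.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $bindError = $null; $nc = $null
    try {
        $conn.Bind()
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'defaultNamingContext')
        $nc  = $conn.SendRequest($req).Entries[0].Attributes['defaultNamingContext'][0]
    } catch { $bindError = $_.Exception.Message } finally { $conn.Dispose() }

    [pscustomobject]@{
        Server          = $Server
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer            # expect the issuing CA (ENTCA1) of the two-tier PKI
        NotAfter        = $cert.NotAfter
        SubjectAltNames = $san
        PolicyErrors    = $script:policyErrors    # 'None' when both chain and name validate
        BindOk          = (-not $bindError)
        NamingContext   = $nc                     # e.g. DC=corp,DC=example,DC=com
        BindError       = $bindError
    }
}

# Example invocation with placeholder identifiers:
# Grant-DirectoryEgressToCa -DirectoryId 'd-1234567890' -CaInstanceId 'i-0123456789abcdef0'
# Test-LdapsEndpoint -Server 'corp.example.com' | Format-List
```

`PolicyErrors` of `None` means the chain up to ORCA1 is trusted on the host you run this from and the name you connected to is in the certificate. A `RemoteCertificateNameMismatch` when you connect to the domain DNS name (as the post does with corp.example.com) means the issued certificate lists only the domain controllers' own hostnames in its SAN, so retest against a DC FQDN. `BindOk` with a populated `NamingContext` is the scripted equivalent of the open LDAPS connection in Figure 12.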
