AWS Launch Wizard

Academic year: 2022

AWS Launch Wizard

User Guide

AWS Launch Wizard: User Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

AWS Launch Wizard for Active Directory ... 1

What is AWS Launch Wizard for Active Directory? ... 1

Supported versions ... 1

Features ... 2

Components ... 3

Requirements ... 3

Related services ... 4

How it works ... 5

Domain controller launch limits ... 10

AWS Regions ... 10

Get started ... 10

Access ... 11

Set Up ... 11

Deploy ... 15

Configure trusts ... 20

Manage application resources ... 20

Best practices ... 21

High availability ... 21

Security in Launch Wizard for Active Directory ... 21

Troubleshoot ... 22

Launch Wizard provisioning events ... 23

CloudWatch Logs ... 23

AWS CloudFormation stack ... 23

Errors ... 23

AWS Launch Wizard for Amazon Elastic Kubernetes Service ... 24

What is AWS Launch Wizard for Amazon Elastic Kubernetes Service? ... 24

Deployment options ... 24

Components ... 24

Get Started ... 26

Access ... 26

Set up ... 26

Deploy to a new VPC ... 27

Deploy to an existing VPC ... 33

Test the deployment ... 40

Best practices ... 40

Amazon EKS application best practices ... 40

Use AWS CloudFormation for ongoing management ... 41

Monitor additional resource usage ... 41

Security ... 41

Troubleshoot ... 41

Launch Wizard provisioning events ... 41

AWS CloudFormation stack ... 41

Application launch quotas ... 42

Enable termination protection ... 42

Errors ... 43

AWS Launch Wizard for Remote Desktop Gateway ... 44

What is AWS Launch Wizard for Remote Desktop Gateway? ... 44

Deployment options ... 44

... 45

... 46

Get Started ... 47

Access ... 48

Set up ... 48

Deploy to a new VPC ... 49

Deploy to an existing VPC ... 52

Post-deployment steps ... 54

Complete the configuration of your AWS environment ... 55

Install the root certificate ... 55

Configure the Remote Desktop Connection Client ... 56

Run Windows Updates ... 58

Best practices ... 58

The Principle of Least Privilege ... 59

VPC Configuration ... 59

Network Access Control Lists ... 59

Security groups ... 60

Initial Remote Administration Architecture ... 61

SSL Certificates ... 62

Connection and Resource Authorization Policies ... 63

Troubleshoot ... 63

Launch Wizard provisioning events ... 63

AWS CloudFormation stack ... 63

Application launch quotas ... 64

Enable termination protection ... 64

Errors ... 64

AWS Launch Wizard for SAP ... 66

What is AWS Launch Wizard for SAP? ... 66

Supported deployments and features ... 66

Version support for SAP deployments ... 69

Components ... 75

Related services ... 76

How it works ... 77

Implementation Details ... 78

Get started ... 82

Set Up ... 83

Deploy an application with Launch Wizard ... 87

Tutorials ... 107

Manage application resources ... 108

Manage deployments ... 108

Delete infrastructure configuration ... 108

Make SAP HANA software available to Launch Wizard ... 109

Download SAP software ... 109

Upload SAP HANA to Amazon S3 ... 109

Make SAP application software available to Launch Wizard ... 110

Repeat SAP application deployments ... 118

How AWS Launch Wizard integration with AWS Service Catalog works ... 118

Launch AWS Service Catalog products ... 119

Launch AWS Service Catalog products with ServiceNow ... 130

Launch AWS Service Catalog products with Jira ... 131

Launch AWS Service Catalog products with Terraform ... 131

Launch AWS CloudFormation templates created in Launch Wizard ... 132

Scale SAP applications after initial deployment ... 141

Shared responsibility ... 142

Prerequisites ... 142

Create image ... 142

Supported scenarios ... 143

Pre- and post-deployment configuration scripts ... 147

Security groups ... 148

Connectivity to external systems and users ... 149

Troubleshoot SAP ... 150

Launch Wizard provisioning events ... 150

CloudWatch Logs ... 150

AWS CloudFormation stack ... 151

Pre- and post-deployment configuration scripts ... 151

Application launch quotas ... 151

Enable termination protection ... 151

Instance level logs ... 151

SAP application software deployment logs ... 152

Errors ... 152

AWS Launch Wizard for SQL Server ... 153

What Is AWS Launch Wizard for SQL Server? ... 153

Supported versions ... 154

Features ... 154

Components (Windows) ... 157

Components (Linux) ... 159

Related services ... 160

How it works ... 161

Deployment options ... 165

Default quotas ... 167

Get started ... 167

Set Up ... 167

Deploy on Windows ... 173

Deploy on Ubuntu ... 185

Deploy on RHEL ... 192

Manage application resources with Launch Wizard for SQL Server ... 198

Manage application resources with SSM Application Manager ... 199

Use runbooks ... 200

Onboard existing applications ... 201

Patch management ... 203

Automation documents ... 203

AWSSQLServer-DBCC ... 203

AWSSQLServer-Backup ... 204

AWSSQLServer-Index ... 204

AWSSQLServer-Restore ... 204

Monitoring ... 205

Best practices ... 205

High availability ... 205

Automatic failover ... 206

Security groups and firewalls ... 206

Troubleshoot ... 207

Active Directory objects and DNS record clean up (deployment on Windows) ... 207

Launch Wizard provisioning events ... 208

CloudWatch Logs ... 208

SSM Automation execution ... 208

AWS CloudFormation stack ... 209

Pacemaker on Ubuntu (deployment on Linux) ... 209

SQL Server Management Studio ... 210

Errors ... 210

Security ... 212

Infrastructure Security ... 212

Resilience ... 212

Data Protection ... 213

Encryption with AWS managed keys and customer managed keys ... 213

Identity and Access Management ... 214

Update Management ... 215

AWS managed policies ... 215

AmazonLaunchWizard_Fullaccess ... 216

AmazonEC2RolePolicyForLaunchWizard ... 226

Policy updates ... 230

Document History ... 234

AWS Launch Wizard for Active Directory

This section of the AWS Launch Wizard documentation provides guidance for deploying self-managed domain controllers using the Launch Wizard service.

Topics

• What is AWS Launch Wizard for Active Directory? (p. 1)

• Get started with AWS Launch Wizard for Active Directory (p. 10)

• Manage application resources with AWS Launch Wizard for Active Directory (p. 20)

• High availability and security best practices for AWS Launch Wizard for Active Directory (p. 21)

• Troubleshoot AWS Launch Wizard for Active Directory (p. 22)

What is AWS Launch Wizard for Active Directory?

AWS Launch Wizard for Active Directory is a service that applies AWS cloud application best practices to guide you through setting up a new Active Directory infrastructure, or adding domain controllers to an existing infrastructure, either in the AWS Cloud or on premises. The deployment environment includes existing VPCs, security groups, and AWS Identity and Access Management (IAM) roles. You can set up a new Active Directory infrastructure with two to three domain controllers, or you can add up to three domain controllers to your existing Active Directory infrastructure for each AWS Region.

Launch Wizard reduces the time that it takes to set up an Active Directory infrastructure and deploy self-managed domain controllers to the cloud or on premises. You input your domain controller requirements, including number of nodes and connectivity, on the service console, and AWS Launch Wizard identifies the right AWS resources to deploy your self-managed domain controllers. AWS Launch Wizard provides an estimated cost of deployment, and gives you the ability to modify your resources and instantly view the updated cost assessment. When you approve, AWS Launch Wizard provisions and configures the selected resources in a few hours to create fully-functioning, production-ready domain controllers.

After you deploy your self-managed domain controllers, they are ready to use and can be accessed on the Amazon Elastic Compute Cloud (Amazon EC2) console.

Contents

• Supported operating systems (p. 1)

• Features of AWS Launch Wizard (p. 2)

• Components (p. 3)

• Requirements (p. 3)

• Related services (p. 4)

• How AWS Launch Wizard works (p. 5)

• Domain controller launch limits (p. 10)

• AWS Regions (p. 10)

Supported operating systems

AWS Launch Wizard supports the following operating systems:

• Windows Server 2019

• Windows Server 2016

Features of AWS Launch Wizard

AWS Launch Wizard provides the following features:

• Simple application deployment (p. 2)

• AWS resource selection (p. 2)

• Cost estimation (p. 2)

• SNS notification (p. 2)

• Early input validation (p. 2)

• Application resource groups for easy discoverability (p. 3)

Simple application deployment

AWS Launch Wizard makes it efficient for you to deploy self-managed domain controllers on AWS. When you enter the domain controller requirements, AWS Launch Wizard deploys the necessary AWS resources for a production-ready environment. This means that you do not have to manage separate infrastructure pieces or spend time provisioning and configuring your domain controllers.

AWS resource selection

Launch Wizard considers the number of Active Directory users to determine the best instance type, EBS volumes, and other resources for your domain controllers. You can modify the recommended defaults.

Cost estimation

Launch Wizard provides a cost estimate for the complete deployment that is itemized for each individual resource being deployed. The estimated cost automatically updates each time you change a resource type configuration in the wizard. However, the provided estimates are only for general comparisons. They are based on On-Demand costs, and actual costs may be lower.

SNS notification

You can provide an SNS topic that allows Launch Wizard to send you notifications and alerts about the status of a deployment.

Early input validation

You can take advantage of your existing infrastructure, such as a VPC or security groups, with Launch Wizard. If that infrastructure does not meet the deployment prerequisites, the deployment fails, and a failure that occurs at a later stage of a deployment can take more than an hour to detect. To detect these types of issues early in the application deployment process, Launch Wizard's validation framework verifies key infrastructure specifications before provisioning. Verification takes approximately 15 minutes. If necessary, you can take appropriate actions to adjust your VPC configuration.

Note

Some validations, such as for Active Directory credentials, require Launch Wizard to launch a t2.large EC2 instance in your account for a few minutes. After it runs the necessary validations, Launch Wizard terminates the instance.

Application resource groups for easy discoverability

Launch Wizard creates a resource group for all of the AWS resources created for your domain controllers.

You can manage the resources through the Amazon EC2 console or with Systems Manager. When you access Systems Manager through Launch Wizard, the resources are automatically filtered for you based on your resource group.

Components

Self-managed domain controllers deployed with Launch Wizard include the following components:

• A virtual private cloud (VPC) configured with public and private subnets across two Availability Zones. A public subnet is a subnet whose traffic is routed to an internet gateway. If a subnet does not have a route to the internet gateway, then it is a private subnet. The VPC provides the network infrastructure for your domain controller environment.

• Amazon EC2 instances on which to provision your domain controllers.

• An internet gateway to provide access to the internet.

• In the public subnets, network address translation (NAT) gateways for outbound internet access. If you are deploying in your preexisting VPC, Launch Wizard uses the existing NAT gateway in your VPC. For more information about NAT gateways, see NAT Gateways.

• Elastic IP addresses associated with the NAT gateway and RDGW instances. For more information about Elastic IP addresses, see Elastic IP Addresses.

• AWS CloudFormation templates and PowerShell configuration scripts to perform the domain controller configuration steps.

• Security groups to ensure the secure flow of traffic between the instances deployed in the VPC. For more information, see Security Groups for Your VPC.

• AWS Secrets Manager to protect secrets required to generate and store your Active Directory Administrator credentials.

• Amazon CloudWatch Logs to monitor, store, and access your log files produced by AWS CloudFormation.

Requirements

Your account must be configured as specified in the following table to deploy self-managed domain controllers using Launch Wizard.

To add domain controllers to an existing infrastructure, you must create a VPC peering connection between the two VPCs for an existing Active Directory in AWS. If you are using an existing Active Directory on premises, you must use AWS Direct Connect. To ensure that instances in the VPCs can communicate with each other, you can use either Direct Connect or VPC Private Link. For more information about VPC connectivity, see VPN connections.

Resource                                          Minimum number of resources required for deployment
Virtual private clouds (VPCs)                     1
VPC security groups                               3
AWS Identity and Access Management (IAM) roles    2
General purpose EC2 instances                     Existing VPC: 1; New Active Directory infrastructure: 2
AWS Secrets Manager secrets                       2

If you have an existing environment that uses these resources and you think that deploying domain controllers in this environment using Launch Wizard may exceed your default quotas, you can request service quota increases for these resources. For default quotas, see AWS service quotas.

For additional prerequisites to deploy domain controllers using Launch Wizard, see Set up for AWS Launch Wizard for Active Directory (p. 11).

Related services

The following services are used when you deploy self-managed domain controllers with AWS Launch Wizard:

• AWS CloudFormation (p. 4)

• Amazon Simple Notification Service (SNS) (p. 4)

• Amazon CloudWatch Logs (p. 4)

• AWS Secrets Manager (p. 5)

AWS CloudFormation

AWS CloudFormation is a service for modeling and setting up your AWS resources, enabling you to spend more time focusing on your applications that run in AWS. You create a template that describes all of the AWS resources that you want to use (for example, EC2 instances), and AWS CloudFormation provisions and configures those resources for you. With Launch Wizard, you don't have to sift through CloudFormation templates to deploy your application. Instead, Launch Wizard combines infrastructure provisioning and configuration (with an AWS CloudFormation template and PowerShell scripts) to provision a new Active Directory infrastructure or additional domain controllers in your account. For more information, see the AWS CloudFormation User Guide.

Amazon Simple Notification Service (SNS)

Amazon Simple Notification Service (Amazon SNS) is a highly available, durable, secure, fully managed publish/subscribe messaging service that provides topics for high-throughput, push-based, many-to-many messaging. Using Amazon SNS topics, your publisher systems can fan out messages to a large number of subscriber endpoints and send notifications to end users using mobile push, SMS, and email.

You can use Amazon SNS topics for your Launch Wizard deployments to stay up to date on deployment progress. For more information, see the Amazon Simple Notification Service Developer Guide.

Amazon CloudWatch Logs

Amazon CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis. Amazon CloudWatch Logs enables you to see all of your logs, regardless of their source, as a single and consistent flow of events ordered by time, and you can query them and sort them based on other dimensions, group them by specific fields, create custom computations with a powerful query language, and visualize log data in dashboards. Launch Wizard streams provisioning logs from all of the AWS log sources that you can view on the CloudWatch console.

AWS Secrets Manager

With AWS Secrets Manager you can replace hard-coded credentials in your code, including passwords, with an API call to Secrets Manager to programmatically retrieve the secret. This helps ensure the secret can't be compromised by someone examining your code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. Launch Wizard uses Secrets Manager to join your domain controllers to Active Directory and promote them.

How AWS Launch Wizard works

AWS Launch Wizard provides a complete solution to provision self-managed domain controllers on AWS.

You select Active Directory in the wizard and provide the specifications, such as number of users. Based on the infrastructure requirements that you enter, Launch Wizard automatically provisions the right AWS resources in the cloud. For example, Launch Wizard determines the best instance type and EBS volume for your number of users, then deploys and configures them.

Launch Wizard provides an estimated cost of deployment. You can modify your resources and instantly view an updated cost assessment. Once you approve, Launch Wizard validates the inputs and flags inconsistencies. After you resolve the inconsistencies, Launch Wizard provisions the resources and configures them. The result is a ready-to-use Active Directory infrastructure and domain controllers.

AWS Launch Wizard performs the following tasks to provision self-managed domain controllers.

• Sets up the VPC, including private and public subnets in two Availability Zones.*

• Configures two NAT gateways in the public subnets.*

• Configures private and public routes.*

• Enables ingress traffic into the VPC for administrative access to Remote Desktop Gateway.

• Stores the trust administrator password in Secrets Manager.

• Uses Secrets Manager to generate Domain Administrator passwords.

• Launches instances using the specified version of Windows Server.

• Configures security groups and rules for traffic between instances.

• Sets up and configures Active Directory sites and subnets.

• For existing VPCs, optionally sets up forest trusts with other Active Directory forests. For the required prerequisites to set up forest trusts, see Trust relationships (p. 12). For information about creating forest trusts, see Configure forest trust relationships (p. 20).

• Sets up and deploys Active Directory Certificate Services with a new Active Directory infrastructure.

• For existing VPCs, adds up to three domain controllers to an existing Active Directory infrastructure. For the required prerequisites to add domain controllers, see Set up for AWS Launch Wizard for Active Directory (p. 11).

* If you deploy Launch Wizard into an existing VPC, the tasks in this list marked by asterisks are skipped.

Topics

• Deployment path (p. 5)

• Implementation details (p. 6)

Deployment path

Launch Wizard supports the following deployment path for provisioning self-managed domain controllers.

Deploy and manage your own domain controllers on Amazon EC2 instances

Launch Wizard builds the AWS Cloud infrastructure, and sets up and configures Active Directory Domain Services (AD DS) and Active Directory-integrated DNS on the AWS Cloud. It does not include AWS Directory Service, so you handle all AD DS maintenance and monitoring tasks. You can deploy the domain controllers into a new or existing VPC infrastructure.

Implementation details

This section describes how Launch Wizard implements an Active Directory Domain Services (AD DS) deployment in the AWS Cloud. It includes details about how to use Amazon VPC to define your networks in the cloud, and information about domain controller placement, Active Directory Sites and Services configuration, and how DNS and DHCP work in an Amazon Virtual Private Cloud (Amazon VPC).

Topics

• VPC (p. 6)

• Security groups (p. 7)

• Remote Desktop Gateway (p. 7)

• Active Directory (p. 7)

• Self-managed domain controller architecture (p. 10)

VPC

You can define a virtual network topology that closely resembles a traditional on-premises network using Amazon VPC. A VPC can span multiple Availability Zones to place independent infrastructure in physically separate locations. A multi-Availability Zone deployment results in high availability and fault tolerance. Launch Wizard provisions domain controllers in two Availability Zones to provide highly available, low latency access to AD DS services in the AWS Cloud.

Launch Wizard can build a new VPC for the deployment, or deploy into an existing VPC. To accommodate highly available AD DS in the AWS Cloud, Launch Wizard builds (or requires, in the case of existing VPCs) a base Amazon VPC configuration that complies with the following AWS best practices:

• Domain controllers must be placed in a minimum of two Availability Zones to provide high availability.

• Domain controllers and other non-internet facing servers must be placed in private subnets.

• Launched instances require internet access to connect to the AWS CloudFormation endpoint during the bootstrapping process. To support this configuration, public subnets are used to host NAT gateways for outbound internet access. Remote Desktop Gateways are also deployed into the public subnets for remote administration. Other components such as reverse proxy servers can be placed into these public subnets, if needed.

This VPC architecture uses two Availability Zones, each with its own distinct public and private subnets.

We recommend that you leave plenty of unallocated address space to support the growth of your environment over time and to reduce the complexity of your VPC subnet design. Launch Wizard uses a default VPC configuration that provides plenty of address space by using the minimum number of private and public subnets. By default, Launch Wizard uses the following CIDR ranges.

VPC                10.0.0.0/16
Private subnets A  Availability Zone 1  10.0.0.0/20
                   Availability Zone 2  10.0.16.0/20
                   Availability Zone 3  10.0.32.0/20
Public subnets     Availability Zone 1  10.0.128.0/20

In addition, Launch Wizard provisions spare capacity for additional subnets to support your environment as it grows or changes over time. If you have sensitive workloads that must be completely isolated from the internet, you can create new VPC subnets using these optional address spaces.
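To make the spare-capacity point concrete, here is an added Python example (not Launch Wizard's own code) that computes which /20 blocks of the default 10.0.0.0/16 layout remain unallocated and checks whether a proposed isolated subnet fits. The four allocated subnets are the ones from the table above; the functions accept any VPC CIDR and allocation list.

```python
"""Find the address space the default Launch Wizard VPC layout leaves unallocated.

Added example, not Launch Wizard code. VPC and subnet values come from the table
above; the functions accept any VPC CIDR and list of allocated subnets.
"""
import ipaddress

VPC = ipaddress.ip_network("10.0.0.0/16")
ALLOCATED = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20",   # private subnets A, AZ 1-3
    "10.0.128.0/20",                                  # public subnet, AZ 1
)]


def free_blocks(vpc=VPC, allocated=ALLOCATED, prefix=20):
    """Return every /prefix block inside vpc that overlaps none of the allocated subnets."""
    return [b for b in vpc.subnets(new_prefix=prefix)
            if not any(b.overlaps(a) for a in allocated)]


def fits(candidate, vpc=VPC, allocated=ALLOCATED):
    """Check a proposed subnet before carving it out for an isolated workload:
    it must lie inside the VPC and overlap no existing subnet."""
    c = ipaddress.ip_network(candidate)
    return c.subnet_of(vpc) and not any(c.overlaps(a) for a in allocated)


if __name__ == "__main__":
    free = free_blocks()
    print(f"{len(free)} free /20 blocks, first is {free[0]}")
    for cand in ("10.0.64.0/24", "10.0.130.0/24"):
        print(cand, "fits" if fits(cand) else "overlaps an existing subnet")
```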

Security groups

Amazon EC2 instances must be associated with a security group, which acts as a stateful firewall. You control the network traffic entering or leaving the security group, and you can create rules that are defined by protocol, port number, and source/destination IP address, or other security groups. By default, all egress traffic from a security group is permitted. However, ingress traffic must be configured to allow the desired traffic to reach your instances.

The Securing the Microsoft Platform on Amazon Web Services whitepaper explains the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers by using security groups. We recommend that you tightly control ingress traffic in order to reduce the attack surface of your Amazon EC2 instances.

If you are deploying and managing your own AD DS installation, domain controllers and member servers will require several security group rules to allow traffic for services. These rules include AD DS replication, user authentication, Windows Time services, and Distributed File System (DFS). You should also consider restricting these rules to specific IP subnets that are used within your VPC.

For a detailed list of port mappings used by AWS CloudFormation, see the Security best practices (p. 21) in this guide.

For a complete list of ports, see Active Directory and Active Directory Domain Services Port Requirements in the Microsoft TechNet Library and How to configure a firewall for Active Directory domains and trusts for forest trusts. For guidance on implementing rules, see Adding Rules to a Security Group in the Amazon EC2 User Guide.

Remote Desktop Gateway

When you design your architecture for highly available AD DS, you should also design for highly available and secure remote access. Launch Wizard optionally allows for deployment of a Remote Desktop (RD) Gateway server to manage your AD DS instances.

RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote administrators on the internet and Windows-based Amazon EC2 instances, without the need for a virtual private network (VPN) connection. This configuration reduces the attack surface of your Windows-based Amazon EC2 instances, while providing a remote administration solution for administrators.

Important

Never open up RDP to the entire internet even temporarily or for testing purposes. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application.
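The following added Python example (not part of this guide or of Launch Wizard) audits security group ingress rules against the two points made in the Security groups section and the Important note above: RDP must never be reachable from the internet, and the AD DS service ports should be restricted to subnets inside the VPC. The sample groups are constructed in the shape of the EC2 describe-security-groups IpPermissions output, and the port subset and the 10.0.0.0/16 VPC range are assumptions taken from this section.

```python
"""Audit EC2 security group ingress rules against this section's guidance.

Added example, not Launch Wizard code. The sample groups below are constructed
to mirror the IpPermissions element of `aws ec2 describe-security-groups` output.
"""
import ipaddress

RDP_PORT = 3389
# Assumed subset of the AD DS service ports named in the text (DNS, Kerberos,
# RPC endpoint mapper, LDAP, SMB/DFS, Kerberos password change, LDAPS, global
# catalog); the Microsoft reference cited above lists the complete set.
AD_PORTS = (53, 88, 135, 389, 445, 464, 636, 3268, 3269)
# Default VPC range from the CIDR table in this section; adjust for an existing VPC.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")


def port_range(perm):
    """Inclusive (from, to) port range a rule covers; protocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def covers(perm, port):
    lo, hi = port_range(perm)
    return lo <= port <= hi


def sources(perm):
    """Yield each CIDR source of a rule (IPv4 and IPv6). Sources that are other
    security groups (UserIdGroupPairs) are not CIDRs and are skipped here."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def inside_vpc(src, vpc=VPC_CIDR):
    """True only for a source of the VPC's address family that lies entirely within it."""
    return src.version == vpc.version and src.subnet_of(vpc)


def audit(group, vpc=VPC_CIDR):
    """Return finding strings for one security group (an empty list means clean)."""
    findings = []
    gid = group["GroupId"]
    for perm in group["IpPermissions"]:
        for src in sources(perm):
            internet = src.prefixlen == 0            # 0.0.0.0/0 or ::/0
            if internet and covers(perm, RDP_PORT):
                findings.append(f"{gid}: RDP (3389) open to {src}")
            if inside_vpc(src, vpc):
                continue                              # AD ports may be reached from VPC subnets
            exposed = [p for p in AD_PORTS if covers(perm, p)]
            if exposed:
                findings.append(f"{gid}: AD ports {exposed} reachable from {src}, outside {vpc}")
    return findings


# Constructed sample: a correctly scoped DC group, an RD Gateway group with RDP
# wrongly open to the internet, and a DC group open to a range outside the VPC.
SAMPLE_GROUPS = [
    {"GroupId": "sg-dc-scoped", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "10.0.0.0/20"}, {"CidrIp": "10.0.16.0/20"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.128.0/20"}]},   # RDP only from the public (RDGW) subnet
    ]},
    {"GroupId": "sg-rdgw-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},   # HTTPS from an admin range: fine
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # what the Important note forbids
    ]},
    {"GroupId": "sg-dc-wide", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
    ]},
]


def audit_all(groups=SAMPLE_GROUPS, vpc=VPC_CIDR):
    return [f for g in groups for f in audit(g, vpc)]


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

Run against real output by loading the SecurityGroups array from describe-security-groups and passing it to audit_all with your VPC's CIDR.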

Active Directory

This section provides information about key design considerations specific to a Launch Wizard deployment of Active Directory Domain Services (AD DS) domain controllers on AWS.

Active Directory deployment topics

• Highly available directory domain services (p. 8)

• Active Directory DNS and DHCP inside the VPC (p. 8)

• DNS settings on Windows Servers instances (p. 9)

• Active Directory Certificate Services (p. 10)

Highly available directory domain services

Launch Wizard deploys two domain controllers in your AWS environment in two Availability Zones.

This design provides fault tolerance and prevents a single domain controller failure from affecting the availability of the AD DS.

To strengthen the high availability of your architecture and help mitigate the impact of a possible disaster, each domain controller deployed by Launch Wizard is a global catalog server and an Active Directory DNS server.

When you choose to deploy self-managed domain controllers to the AWS Cloud, Launch Wizard automatically builds out an Active Directory Sites and Services configuration that supports a highly available AD DS architecture.

For information about creating sites, adding global catalog servers, and creating and managing site links, see the Microsoft Active Directory Sites and Services documentation.

Active Directory DNS and DHCP inside the VPC

Dynamic Host Configuration Protocol (DHCP) services are provided by default for your instances within a VPC. DHCP scopes do not need to be managed; they are created for the VPC subnets you define when you deploy your solution. These DHCP services cannot be disabled, so you must use them rather than deploying your own DHCP server.

The VPC also provides an internal DNS server. This DNS provides instances with basic name resolution services for internet access and is crucial for access to AWS service endpoints, such as AWS CloudFormation and Amazon S3 during bootstrapping.

Amazon-provided DNS server settings will be assigned to instances launched into the VPC based on a DHCP options set. DHCP options sets are used within an Amazon VPC to define scope options, such as the domain name or the name servers that should be handed to your instances via DHCP. Amazon-provided DNS is used only for public DNS resolution.

Because Amazon-provided DNS cannot be used to provide name resolution services for Active Directory, you must ensure that domain-joined Windows instances are configured to use Active Directory DNS.

Launch Wizard statically assigns Active Directory DNS server addresses on Windows instances. You can alternatively specify them using a custom DHCP options set. This allows you to assign your Active Directory DNS suffix and DNS server IP addresses as the name servers within the VPC through DHCP.

Note

The IP addresses in the domain-name-servers field are always returned in the same order. If the first DNS server in the list fails, instances should fall back to the second IP and continue to resolve host names successfully. However, during normal operations, the first DNS server listed will always handle DNS requests. If you want to ensure that DNS queries are distributed evenly across multiple servers, you should consider statically configuring DNS server settings on your instances.

For more information about creating a custom DHCP options set and associating it with your VPC, see Working with DHCP Options Sets in the Amazon VPC User Guide.

Note

If you choose to deploy self-managed domain controllers in the AWS Cloud, Launch Wizard adds the DNS suffix for your domain to the DNS suffixes list. The DNS settings on the local server point to the IP address of the first domain controller for all of the domain controllers in the infrastructure.

DNS settings on Windows Servers instances

To ensure that domain-joined Windows instances automatically register host (A) and reverse lookup (PTR) records with Active Directory-integrated DNS, set the properties of the network connection as shown in the following image.

The default configuration for a network connection is set to automatically register the connection's address in DNS. In other words, the Register this connection's addresses in DNS option is selected for you automatically. This takes care of host (A) record dynamic registration. However, if you do not also select the second option, Use this connection's DNS suffix in DNS registration, dynamic registration of PTR records will not occur.

If you have a small number of instances in the VPC, you may choose to manually configure the network connection. For larger fleets, you can push this setting out to all of your Windows instances by using Active Directory Group Policy. For instructions about how to do this, see IPv4 and IPv6 Advanced DNS Tab in the Microsoft TechNet Library.

Active Directory Certificate Services

Launch Wizard sets up and deploys Active Directory Certificate Services (AD CS) with a new Active Directory infrastructure to issue and manage digital certificates in systems that use public key technologies. For more information about AD CS, see the Microsoft documentation.

Self-managed domain controller architecture

The Launch Wizard self-managed domain controller deployment sets up the following architecture.

• Domain controllers are deployed into two private VPC subnets in separate Availability Zones, which makes AD DS highly available.

• NAT gateways are deployed to public subnets, providing outbound internet access for instances in private subnets.

• Remote Desktop gateways are deployed in an Auto Scaling group in one Availability Zone to allow access to the domain controllers.

The specified version of Windows Server is used for the Remote Desktop Gateway instances and the domain controller instances. Launch Wizard deploys AWS resources, including a Systems Manager Automation document. When the second node is deployed, it initiates running the Automation document through Amazon EC2 user data. The automation workflow deploys the required components, finalizes the configuration to create a new AD forest, and promotes instances in two Availability Zones to Active Directory domain controllers.

To view architectural diagrams showing best practices for setting up an AD DS environment, see Active Directory Domain Services on AWS.

Domain controller launch limits

You can launch up to three domain controllers from a single Launch Wizard deployment per each AWS Region. If you want to add more domain controllers, you can launch additional stacks and add them to the same Active Directory Domain Services infrastructure.

AWS Regions

Launch Wizard uses AWS Secrets Manager during the provisioning of self-managed domain controllers. This service is not supported in all AWS Regions. For a current list of supported Regions, see Service endpoints and quotas.

Get started with AWS Launch Wizard for Active Directory

This section contains information to set up your environment for Launch Wizard to deploy domain controllers.

Topics include:

• Access AWS Launch Wizard (p. 11)

• Set up for AWS Launch Wizard for Active Directory (p. 11)

• Deploy an application with AWS Launch Wizard for Active Directory (p. 15)

• Configure forest trust relationships (p. 20)


Access AWS Launch Wizard

You can launch AWS Launch Wizard from the AWS Launch Wizard console located at https://console.aws.amazon.com/launchwizard.

Set up for AWS Launch Wizard for Active Directory

Verify the following prerequisites to deploy self-managed domain controllers with AWS Launch Wizard.

Contents

• Active Directory (p. 11)

• AWS Identity and Access Management (IAM) (p. 12)

• Requirements for using custom AMIs (p. 13)

• Configuration settings (p. 14)

Active Directory

This section contains information to set up for deployment of domain controllers into an existing VPC and for deployment into an existing, on-premises Active Directory. It also contains information for setting up forest trusts.

Active Directory on EC2

If you deploy domain controllers into an existing VPC with an existing Active Directory, Launch Wizard requires domain administrator credentials to be added to Secrets Manager to join your domain controllers to Active Directory and promote them. In addition, a resource policy must be attached to the secret so that Launch Wizard can access the secret. Launch Wizard guides you through the following process of attaching the required policy to your secret.

How to attach the resource policy to your secret so that Launch Wizard can access the secret

1. Navigate to the Secrets Manager console.

2. Under Secret name, choose the name of your secret.

3. Under Resource permissions, choose Edit permissions.

4. Copy the following policy and paste it into the Resource permissions box, replacing <account-id> in the IAM ARN with your account ID.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "arn:aws:iam::<account-id>:role/service-role/AmazonEC2RoleForLaunchWizard"
         },
         "Action": [
           "secretsmanager:GetSecretValue",
           "secretsmanager:CreateSecret",
           "secretsmanager:GetRandomPassword"
         ],
         "Resource": "*"
       }
     ]
   }

5. Choose Save.


6. Resume your Launch Wizard deployment.
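The same secret and resource policy can be created from the AWS Tools for PowerShell, which also lets you take the role ARN from IAM instead of typing it. The following script is an added example and is not part of the AWS guide. It assumes the AWS.Tools.SecretsManager and AWS.Tools.IdentityManagement modules and a configured credential and Region; the secret name, the administrator user name and the JSON key names (username, password) are placeholders, so check the format Launch Wizard expects in the console before relying on them.

```powershell
# Added example, not from the AWS Launch Wizard guide. Creates the Domain
# Administrator secret and attaches the resource policy from step 4.
# Secret name, user name and JSON key names are assumptions.

$secretName = 'launchwizard/ad/domain-admin'
$roleName   = 'AmazonEC2RoleForLaunchWizard'

# The instance role is created when you choose Next on the Choose Application
# page, and a resource policy cannot name a principal that does not exist, so
# resolve the role first and use the ARN IAM reports (it includes the path).
$role = Get-IAMRole -RoleName $roleName

# Read the password interactively so it never lands in the shell history.
$password    = Read-Host -Prompt 'Password for the domain administrator' -AsSecureString
$secretValue = @{
    username = 'Administrator'
    password = [System.Net.NetworkCredential]::new('', $password).Password
} | ConvertTo-Json -Compress

try   { Get-SECSecret -SecretId $secretName | Out-Null; $exists = $true }
catch { $exists = $false }

if ($exists) {
    Write-SECSecretValue -SecretId $secretName -SecretString $secretValue | Out-Null
} else {
    New-SECSecret -Name $secretName -SecretString $secretValue `
                  -Description 'Launch Wizard AD domain administrator' | Out-Null
}

# Same statement as the guide's policy. In a Secrets Manager resource policy
# "Resource": "*" refers to this secret only, so the grant is already scoped.
$policy = @{
    Version   = '2012-10-17'
    Statement = @(
        @{
            Effect    = 'Allow'
            Principal = @{ AWS = $role.Arn }
            Action    = @('secretsmanager:GetSecretValue',
                          'secretsmanager:CreateSecret',
                          'secretsmanager:GetRandomPassword')
            Resource  = '*'
        }
    )
} | ConvertTo-Json -Depth 5

# BlockPublicPolicy rejects the call if the policy would grant access to everyone.
Write-SECResourcePolicy -SecretId $secretName -ResourcePolicy $policy -BlockPublicPolicy $true | Out-Null

# Read the policy back and confirm the only principal is the instance role.
$applied = (Get-SECResourcePolicy -SecretId $secretName).ResourcePolicy | ConvertFrom-Json
$applied.Statement | ForEach-Object {
    [pscustomobject]@{ Principal = $_.Principal.AWS; Actions = ($_.Action -join ', ') }
}
```

The principal is the EC2 instance role, so any process that can reach the instance metadata service on a Launch Wizard instance can read the domain administrator password while the policy is attached. The credential is only needed during promotion; once the deployment has finished, remove the resource policy (Remove-SECResourcePolicy -SecretId $secretName) or delete the secret, and rotate the password if the instances will keep running.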

The following key operations are performed against your Active Directory by Launch Wizard. These operations result in the creation of new records or entries in Active Directory.

• Creates a new Amazon EC2 instance and joins it to the domain.

• Creates ingress and egress rules to communicate with your domain controllers.

• Promotes the server to a domain controller in your domain.

• Updates local DNS on the new domain controllers to point to your DNS server.

On-premises Active Directory through AWS Direct Connect

If you are deploying domain controllers into an existing VPC and connecting to an on-premises Active Directory, ensure that the following prerequisites are in place.

• Make sure that you have connectivity between your AWS account and your on-premises network. You can establish a dedicated network connection from your on-premises network to your AWS account with AWS Direct Connect. For more information, see the AWS Direct Connect documentation.

• The domain functional level of your Active Directory domain must be Windows Server 2012 or later.

• The IP addresses of your DNS server must be either in the same VPC CIDR range as the one in which your Launch Wizard domain controllers will be created, or in the private IP address range.

• The firewall on the Active Directory domain controllers should allow the connections from the Amazon VPC from which you will create the Launch Wizard deployment. At a minimum, your configuration should include the ports mentioned in How to configure a firewall for Active Directory domains and trusts.

You can optionally perform the following step.

• Establish DNS resolution across your environments. For options on how to set this up, see How to Set Up DNS Resolution Between On-Premises Networks and AWS using AWS Directory Service and Amazon Route 53 or How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Microsoft Active Directory.
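Before you start the deployment, you can check these prerequisites from a Windows instance in the target VPC. The following script is an added example and is not part of the AWS guide. It assumes the ActiveDirectory RSAT module for the functional-level check; the domain name and the on-premises domain controller IP addresses are placeholders, and the TCP port list is taken from the security group table later in this guide.

```powershell
# Added example, not from the AWS Launch Wizard guide. Run from a Windows
# instance in the VPC that will host the new domain controllers.
# Domain name and DC addresses are placeholders (assumptions).

$domain = 'corp.example.com'
$onPrem = @('10.200.0.10', '10.200.0.11')        # on-premises DC / DNS addresses
# TCP ports Launch Wizard opens toward domain controllers (from the security
# group table in this guide). UDP 53 is exercised by the SRV lookup below.
$tcp    = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 5722, 9389

# 1. Each on-premises DNS server must answer for the DC locator records;
#    otherwise domain join and promotion cannot find a writable DC.
foreach ($dc in $onPrem) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
                           -Server $dc -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    $state = if ($srv) { 'OK -> ' + ($srv.NameTarget -join ', ') } else { 'FAILED' }
    'DNS {0,-15} {1}' -f $dc, $state
}

# 2. Firewall path check for every TCP port the domain controllers must accept.
#    Test-NetConnection only tests TCP; the UDP ports (88, 123, 389, 464, ...)
#    still have to be confirmed in the on-premises firewall rules.
$closed = foreach ($dc in $onPrem) {
    foreach ($port in $tcp) {
        $open = Test-NetConnection -ComputerName $dc -Port $port `
                                   -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) { [pscustomobject]@{ DC = $dc; Port = $port } }
    }
}
if ($closed) { 'Blocked TCP ports:'; $closed | Format-Table -AutoSize } else { 'All TCP ports reachable' }

# 3. The domain functional level must be Windows Server 2012 or later.
Import-Module ActiveDirectory
$cred = Get-Credential -Message "Account with read access to $domain"
$mode = (Get-ADDomain -Server $onPrem[0] -Credential $cred).DomainMode
if ("$mode" -match '^Windows20(1[2-9]|[2-9]\d)') { "Domain functional level $mode: OK" }
else { "Domain functional level $mode is below Windows Server 2012" }

# 4. The DNS server addresses must be in the VPC CIDR or a private (RFC 1918) range.
foreach ($dc in $onPrem) {
    $b = [System.Net.IPAddress]::Parse($dc).GetAddressBytes()
    $private = ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    '{0,-15} private address: {1}' -f $dc, $private
}
```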

Trust relationships

If you are creating a forest trust relationship, you must complete the Active Directory prerequisites (p. 11) before you set up the trust. For more information about creating forest trust relationships, see Configure forest trust relationships (p. 20).

AWS Identity and Access Management (IAM)

The following steps establish the required AWS Identity and Access Management (IAM) role and set up the IAM user for permissions.

One-time creation of IAM Role

On the Choose Application page of Launch Wizard, under Permissions, Launch Wizard displays the IAM role required for the Amazon EC2 instances that have been created by Launch Wizard to access other AWS services on your behalf. When you select Next, Launch Wizard attempts to discover the IAM role in your account. If the role exists, the role is attached to the instance profile for the Amazon EC2 instances that Launch Wizard will launch into your account. If the role does not exist, Launch Wizard attempts to create the role with the same name, AmazonEC2RoleForLaunchWizard.

This role is comprised of two IAM managed policies: AmazonSSMManagedInstanceCore and AmazonEC2RolePolicyForLaunchWizard. After the role is created, the IAM Administrator can delegate the application deployment process to another IAM user who, in turn, must have the Launch Wizard IAM managed policy described in the following section.

IAM user setup

To deploy self-managed domain controllers with Launch Wizard, you must attach an Identity and Access Management (IAM) policy to your IAM user identity. The IAM policy defines the user permissions. If you do not already have an IAM user in your account, follow the steps listed in Create an IAM User in Your AWS Account.

When you have an IAM user in your account, attach the Launch Wizard managed policy to it.

1. Go to the IAM console at https://console.aws.amazon.com/iam/.

2. Choose Users from the left navigation pane.

3. Select the User name of the user to which you want to attach the policy.

4. Select Add permissions.

5. Select Attach existing policies directly.

6. Search for the policy named AmazonLaunchWizard_Fullaccess, and select the check box to the left of the policy name.

7. Select Next: Review.

8. Verify that the correct policy is listed, and then select Add permissions.

Important

Make sure that you log in with the user associated with the policy described in this procedure when you use Launch Wizard.

Requirements for using custom AMIs

We recommend that you use license-included Windows AMIs whenever possible. There are scenarios for which you may want to use a custom Windows AMI. For example, you may have existing licenses (BYOL), or you may have made changes to one of our public images and re-imaged it.

If you use license-included Windows AMIs, you are not required to perform any pre-checks on the AMI to ensure that it meets Launch Wizard requirements.

Launch Wizard relies on user data to begin the process of configuring domain controller instances that the service launches in your account. For more information, see User Data Scripts. By default, all Windows AMIs have user data execution enabled for the initial launch. To ensure that your custom AMIs are set up to run the User Data script at launch, follow the AWS-recommended method to prepare your AMIs using EC2Launch v2. For more information about how to prepare your custom AMI using the options to Shutdown with Sysprep or Shutdown without Sysprep, see Create a Standard Amazon Machine Image Using Sysprep or EC2Launch v2 and Sysprep. If you want to directly enable user data as part of the custom AMI creation process, follow the steps for Subsequent Reboots or Starts under Running Commands on Your Windows Instance at Launch.

If you use a custom AMI, the volume drive letter for the root partition should be C:, because EC2Launch v2 and EC2Config rely on this configuration to install the components.

While not exhaustive, the following requirements cover most of the configurations whose alteration might impact the successful deployment of domain controllers using Launch Wizard. They apply to both Windows Server 2016 and Windows Server 2019.

Operating system requirements

• Windows Server 2016

• Windows Server 2019

• English language pack only

• The root volume drive for the custom AMI should be C:

AWS software and drivers

• AWS CloudFormation cfn-init script (see Bootstrapping AWS CloudFormation Windows stacks)

• EC2Launch (Windows Server 2016)

• AWS SSM (SSM agent must be installed)

• AWS Tools for Windows PowerShell

• Network drivers (SRIOV, ENA)

• Storage drivers (NVMe, AWS PV)

Configuration settings

The following configuration settings are applied when deploying self-managed domain controllers with Launch Wizard.

Setting | Applies to
Current EC2Launch and SSM Agent | Windows Server 2016 and Windows Server 2019
Current AWS PV, ENA, and NVMe drivers | Windows Server 2016 and Windows Server 2019
Current SRIOV drivers | Windows Server 2016 and Windows Server 2019
Allow ICMP traffic through the firewall | Windows Server 2016 and Windows Server 2019
Allow RDP traffic through host firewall | Windows Server 2016 and Windows Server 2019
RealTimeIsUniversal registry key set | Windows Server 2016 and Windows Server 2019

The following AMI settings can impact the Launch Wizard deployment:

System Time

RealTimeIsUniversal. If disabled, Windows system time drifts when the time zone is set to a value other than UTC.

Windows Firewall

In most cases, Launch Wizard configures the correct protocols and ports. However, custom Windows Firewall rules baked into the AMI could block the traffic that domain controller promotion and replication require. To ensure that your custom AMI works with Launch Wizard, see Service overview and network port requirements for Windows.


Remote Desktop

Service Start. Remote Desktop service must be enabled.

Remote Desktop Connections. Must be enabled.

Network Interface

DHCP Service Startup. DHCP service should be enabled.

DHCP on Ethernet. DHCP should be enabled.

PowerShell

Execution Policy. The execution policy in all AWS license-included AMIs is set to Unrestricted. We recommend that you set this policy to Unrestricted when you set up domain controllers using AWS Launch Wizard. You can tighten the policy again after setup is complete.
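The requirements and configuration settings above can be checked in one pass inside the instance you are about to capture, before you run Sysprep. The following script is an added example and is not part of the AWS guide. The cfn-bootstrap and EC2Launch v1 paths are the installers' default locations and are assumptions; the check list is not exhaustive, in line with the table above.

```powershell
# Added example, not from the AWS Launch Wizard guide. Run elevated inside the
# instance you are about to image as a custom AMI. Paths marked "assumed" are
# installer defaults and may differ if you relocated the tools.

$checks = [ordered]@{}
$os = Get-CimInstance Win32_OperatingSystem

# Operating system requirements
$checks['Windows Server 2016 or 2019'] = $os.Caption -match 'Windows Server (2016|2019)'
$checks['English OS language']         = [System.Globalization.CultureInfo]::InstalledUICulture.Name -like 'en-*'
$checks['Root volume is C:']           = $env:SystemDrive -eq 'C:'

# AWS software and drivers
$checks['SSM Agent service']           = [bool](Get-Service AmazonSSMAgent -ErrorAction SilentlyContinue)
$checks['EC2Launch v2 service or v1']  = [bool](Get-Service AmazonEC2Launch -ErrorAction SilentlyContinue) -or
                                         (Test-Path 'C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1')  # assumed v1 path
$checks['AWS Tools for PowerShell']    = [bool](Get-Module -ListAvailable AWSPowerShell, AWS.Tools.Common)
$checks['cfn-init installed']          = Test-Path 'C:\Program Files\Amazon\cfn-bootstrap\cfn-init.exe'   # assumed path
$checks['ENA adapter driver bound']    = [bool](Get-NetAdapter | Where-Object InterfaceDescription -match 'Elastic Network Adapter')

# Configuration settings
$tz = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
$checks['RealTimeIsUniversal = 1']     = $tz.RealTimeIsUniversal -eq 1
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$checks['Remote Desktop connections']  = $ts.fDenyTSConnections -eq 0
$checks['Remote Desktop service']      = (Get-Service TermService).StartType -ne 'Disabled'
$checks['RDP allowed by firewall']     = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
$checks['ICMPv4 echo allowed']         = [bool](Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
                                             Get-NetFirewallPortFilter |
                                             Where-Object { $_.Protocol -eq 'ICMPv4' -and (($_.IcmpType -split ':')[0] -in @('8', 'Any')) })
$checks['DHCP client auto-start']      = (Get-Service Dhcp).StartType -eq 'Automatic'
$checks['DHCP on the Ethernet adapter'] = [bool](Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled -ConnectionState Connected)
$checks['Execution policy Unrestricted'] = (Get-ExecutionPolicy -Scope LocalMachine) -eq 'Unrestricted'

$report = $checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
}
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass }).Count
"$failed requirement(s) not met"
exit $failed
```

A non-zero exit code makes the script usable as a gate in an image pipeline: fail the build rather than capture an AMI that Launch Wizard cannot bootstrap.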

Deploy an application with AWS Launch Wizard for Active Directory

The following steps guide you through a domain controller deployment with AWS Launch Wizard after you have launched it from the console.

1. When you select Create deployment from the AWS Launch Wizard landing page, you are directed to the Choose application page where you are prompted to select the type of application that you want to deploy. Select Active Directory and choose Create deployment.

2. After you select the application to configure for deployment, under Permissions, Launch Wizard displays the AWS Identity and Access Management (IAM) role required for Launch Wizard to access other AWS services on your behalf. For more information about setting up the IAM role for Launch Wizard, see AWS Identity and Access Management (IAM) (p. 12). Choose Next.

3. On the Configure application settings page, enter specifications for the new deployment. The following tabs provide information about the specification fields.

General settings and Active Directory (AD) installation

General settings

Deployment name. Enter a unique application name for your deployment.

Simple Notification Service (SNS) topic ARN (Optional). Specify an Amazon SNS topic where AWS Launch Wizard can send notifications and alerts. For more information, see the Amazon Simple Notification Service Developer Guide.

Enable rollback on failed deployment. By default, if a deployment fails, your provisioned resources will not be rolled back/deleted. This default configuration helps you to troubleshoot errors at the resource level as you debug deployment issues. If you want your provisioned resources to be immediately deleted if a deployment fails, select the check box.

Installation type

Choose whether you want to deploy Active Directory on Amazon EC2 instances or to add domain controllers for an existing on-premises Active Directory.

When you deploy Active Directory on Amazon EC2, it is deployed in a VPC configured for high availability.

For the Domain settings that follow, choose the tab that applies to the AMI type you plan to use for the deployment: Domain settings — license-included AMI or Domain settings — custom AMI.


Domain settings – license-included AMI

Enter the following specifications to configure your domain controllers on a license-included AMI.

Number of domain controllers

Select the number of servers on which you want to install Active Directory.

Domain controller details (optional). For each domain controller, enter a name.

AMI installation type

Choose to use an AWS license-included AMI with Windows installed.

License-included AMI. Choose the license-included AMI you want to use to launch your domain controller environment.

Active Directory (AD) settings. Choose whether you want to add domain controllers to an existing Active Directory or you want to create a new Active Directory.

Add domain controllers to an existing Active Directory

Active Directory DNS domain name. Enter the DNS domain name for your directory to connect to an existing Active Directory. For more information about DNS support of Active Directory, see the Microsoft Active Directory documentation.

Domain NetBIOS name. The NetBIOS name is the short name of the domain (up to 15 characters), typically the first label of the DNS domain name. Enter the NetBIOS name of the existing domain.

Domain Administrator secret name. Enter the name of the AWS Secrets Manager secret that stores the Domain Administrator credentials.

Add permissions to AWS Secrets Manager — required. Follow the instructions to add the required resource policy for Launch Wizard to access Secrets Manager.

Domain DNS IP address for resolution. Enter the IP address of the DNS server to which you are connecting.

Create a new Active Directory

Active Directory DNS domain name. Enter a DNS domain name for your new Active Directory. For more information about DNS support of Active Directory, see the Microsoft Active Directory documentation.

Domain NetBIOS name. The NetBIOS name is the short name of the domain (up to 15 characters), typically the first label of the DNS domain name. Enter a NetBIOS name for the new domain.

Domain Administrator username. Launch Wizard applies the Administrator username by default.

Additional settings — optional.

AD Certificate Services (AD CS) installation. Select whether you want to install Active Directory Certificate Services. For more information about AD CS, see the Microsoft documentation.

ADCS Certificate Server name (if selected). If you selected to install AD CS, enter the AD CS certificate server name to use.

Key length. Select the length of the certification authority's key.

Key hash algorithm. Select the hash algorithm the certification authority uses to sign the certificates it issues.

Key validity. Select a key validity period in years. The key validity period determines the


Forest trust. Select whether you want to create a forest trust with another forest. A forest trust is a transitive trust between two forests that allows users in any domain in one forest to be authenticated by any domain in another forest. For more information, see the Microsoft Active Directory documentation.

Fully qualified domain name of forest. If you selected to create a forest trust, enter the fully qualified domain name of the forest.

Direction of trust. Select the direction of the trust. Trusts can be one-way or two-way.

Conditional forwarder IP address. Enter the IP address of the conditional forwarder that is set up in your forest.

Domain settings – custom AMI

Enter the following specifications to configure your domain controllers on a custom AMI.

Number of domain controllers

Select the number of servers on which you want to install Active Directory.

Domain controller details (optional). For each domain controller, enter a name.

AMI installation type

Choose to use a custom AMI. Verify that the AMI is configured to meet all of the required installation parameters described in Requirements for using custom AMIs (p. 13).

Custom AMI ID. Select the custom AMI you want to use to launch your domain controller environment.

Active Directory DNS domain name. Enter the DNS domain name for your directory to connect to an existing Active Directory. For more information about DNS support of Active Directory, see the Microsoft Active Directory documentation.

Domain NetBIOS name. The NetBIOS name is the short name of the domain (up to 15 characters), typically the first label of the DNS domain name. Enter the NetBIOS name of the existing domain.

Domain Administrator secret name. Enter the name of the AWS Secrets Manager secret that stores the Domain Administrator credentials.

Add permissions to AWS Secrets Manager — required. Follow the instructions to add the required resource policy for Launch Wizard to access AWS Secrets Manager.

Domain DNS IP address for resolution. Enter the IP address of the DNS server to which you are connecting.

Connectivity

Enter specifications for how you want to connect to your application instance and what kind of virtual private cloud (VPC) you want to set up.

Key pair name

• Select an existing key pair from the dropdown list or create a new one. If you select Create new key pair name to create a new key pair, you are directed to the Amazon EC2 console.

From there, under Network and Security, choose Key Pairs. Choose Create a new key pair, enter a name for the key pair, and then choose Download Key Pair.


Important

This is the only chance for you to save the private key file, so be sure to download it and save it in a safe place. You must provide the name of your key pair when you launch an instance, and provide the corresponding private key each time that you connect to the instance.

Return to the Launch Wizard console and choose the refresh button next to the Key Pairs dropdown list. The newly created key pair appears in the dropdown list. For more information about key pairs, see Amazon EC2 Key Pairs and Windows Instances.

Virtual Private Cloud (VPC). Choose whether you want to use an existing VPC or create a new VPC.

Select Virtual Private Cloud (VPC)

Select Virtual Private Cloud (VPC) option. Choose the VPC that you want to use from the dropdown list. Your VPC must contain one public subnet and at least two private subnets.

Your VPC must be associated with a DHCP options set so that DNS resolution works.

The private subnets must have outbound connectivity to the internet and other AWS services (Amazon S3, AWS CloudFormation, SSM, CloudWatch Logs). We recommend that you enable this connectivity with a NAT Gateway. For more information about NAT Gateways, see NAT Gateways in the Amazon VPC User Guide.

• For deployment of a new Active Directory on Amazon EC2, choose your Remote Desktop Gateway (RDG) preferences. This option is not available when you add domain controllers to an existing infrastructure.

• Choose whether you want to set up Remote Desktop Gateway now, or set it up later.

• If you choose to set up RDG now, enter the Remote Desktop Gateway CIDR. Select Custom IP from the dropdown list and enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings by using the Amazon EC2 console. See Adding a Rule for Inbound RDP Traffic to a Windows Instance for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance.

Availability Zone configuration. You must choose at least two Availability Zones, with one private subnet for each zone that you select. From the dropdown lists, select the Availability Zones within which you want to deploy the domain controllers. Depending on the number of domain controllers you plan to deploy, you may have to specify a private subnet for each of them. Cross-Region replication is not supported.

To create a private subnet

If a subnet doesn't have a route to an internet gateway, the subnet is known as a private subnet. To create a private subnet, you can use the following steps. We recommend that you enable outbound connectivity for each of your selected private subnets using a NAT Gateway. To enable outbound connectivity from the private subnets through a public subnet, see the steps in Creating a NAT Gateway to create a NAT Gateway in your chosen public subnet. Then, follow the steps in Updating Your Route Table for each of your chosen private subnets.

• Follow the steps in Creating a Subnet in the Amazon VPC User Guide using the existing VPC you will use in AWS Launch Wizard.

• When you create a VPC, it includes a main route table by default. On the Route Tables page in the Amazon VPC console, you can view the main route table for a VPC by looking for Yes in the Main column. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. If the main route table for your VPC has an outbound route to an internet gateway, then any subnet created using the previous step, by default, becomes a public subnet. To ensure the subnets are private, you may need to create separate route tables for your private subnets. These route tables must not contain any routes to an internet gateway. Alternatively, you can create a custom route table for your public subnet and remove the internet gateway entry from the main route table.

Outbound connectivity. Confirm that you have set up a public subnet and that each of the private subnets is configured to send outbound traffic.
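Whether a subnet is public or private depends on the route table that actually applies to it, which is the explicitly associated table if there is one and the VPC's main table otherwise. The following script classifies the subnets you intend to select in the wizard on that basis and checks the two other VPC prerequisites from this section. It is an added example and is not part of the AWS guide; it assumes the AWS.Tools.EC2 module with a configured credential and Region, and the subnet IDs are placeholders.

```powershell
# Added example, not from the AWS Launch Wizard guide. Subnet IDs are
# placeholders (assumptions).

$subnetIds = 'subnet-0a1b2c3d4e5f60001', 'subnet-0a1b2c3d4e5f60002', 'subnet-0a1b2c3d4e5f60003'

function Get-EffectiveRouteTable {
    param([string]$SubnetId, [string]$VpcId)
    $explicit = Get-EC2RouteTable -Filter @{ Name = 'association.subnet-id'; Values = $SubnetId }
    if ($explicit) { return $explicit }
    # No explicit association: the VPC's main route table applies.
    Get-EC2RouteTable -Filter @(
        @{ Name = 'vpc-id';           Values = $VpcId },
        @{ Name = 'association.main'; Values = 'true' }
    )
}

$rows = foreach ($id in $subnetIds) {
    $subnet  = Get-EC2Subnet -SubnetId $id
    $rt      = Get-EffectiveRouteTable -SubnetId $id -VpcId $subnet.VpcId
    $default = $rt.Routes | Where-Object DestinationCidrBlock -eq '0.0.0.0/0'
    $class =
        if (-not $default)                        { 'PRIVATE, no egress: deployment will fail' }
        elseif ($default.GatewayId -like 'igw-*') { 'PUBLIC: default route to an internet gateway' }
        elseif ($default.NatGatewayId)            { 'private, egress via NAT gateway: OK' }
        else                                      { 'private, egress via another target: verify' }
    [pscustomobject]@{
        Subnet = $id; AZ = $subnet.AvailabilityZone; Cidr = $subnet.CidrBlock
        RouteTable = $rt.RouteTableId; Classification = $class
    }
}
$rows | Format-Table -AutoSize

# Launch Wizard needs private subnets in at least two Availability Zones ...
$natAZs = @($rows | Where-Object Classification -like 'private, egress via NAT*' |
            Select-Object -ExpandProperty AZ -Unique).Count
"Private subnets with NAT egress span $natAZs Availability Zone(s) (need at least 2)"

# ... and the VPC must have a DHCP options set so that DNS resolution works.
$vpc  = Get-EC2Vpc -VpcId (Get-EC2Subnet -SubnetId $subnetIds[0]).VpcId
$opts = Get-EC2DhcpOption -DhcpOptionsId $vpc.DhcpOptionsId
$cfg  = $opts.DhcpConfigurations | ForEach-Object { "$($_.Key)=$($_.Values.Value -join ',')" }
'DHCP options set {0}: {1}' -f $vpc.DhcpOptionsId, ($cfg -join '; ')
```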

Create a new virtual private cloud (VPC)

AWS Launch Wizard creates your VPC. You can optionally enter a VPC name tag.

Remote Desktop Gateway CIDR. Select Custom IP from the dropdown list. Enter the CIDR block. If you do not specify any value for the Custom IP parameter, Launch Wizard does not set the inbound RDP access (Port 3389) from any IP. You can choose to do this later by modifying the security group settings via the Amazon EC2 Console. See Adding a Rule for Inbound RDP Traffic to a Windows Instance for instructions on adding a rule that allows inbound RDP traffic to your RDGW instance.

4. When you are satisfied with your configuration selections, select Next. If you don't want to complete the configuration, select Cancel. When you select Cancel, all of the selections on the settings page are lost and you are returned to the landing page. To go to the previous screen, select Previous.

5. After configuring your application, you are prompted to define the infrastructure requirements for the new deployment on the Define infrastructure requirements page.

Storage and Compute

Enter your instance size preferences and view recommended resources.

Instance sizing. Choose whether you want to base the size of your deployed instances on infrastructure requirements or you want to select the instance type. If you choose to select the infrastructure requirements, enter the number of Active Directory users in the environment. If you choose to select the instance type, select the instance type from the dropdown.

Recommended resources. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure requirements.

6. When you are satisfied with your infrastructure selections, choose Next. If you don't want to complete the configuration, select Cancel. When you select Cancel, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select Previous.

7. On the Review page, review your configuration details. If you want to make changes, select Edit or Previous. To stop, select Cancel. When you select Cancel, all of the selections on the specification page are lost and you are returned to the landing page. If you are ready to deploy, read and select the check box next to the Acknowledgment. Then choose Deploy.

8. Launch Wizard validates the inputs and notifies you if something must be addressed.

9. When validation is complete, Launch Wizard deploys your AWS resources and configures your domain controllers. Launch Wizard provides you with status updates about the progress of the deployment on the Deployments page. From the Deployments page, you can also view the list of current and previous deployments.

10. When your deployment is ready, you see notification that your domain controllers are successfully deployed. If you have set up SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your domain controllers by selecting Manage.

11. When the domain controllers are deployed, you can access your Amazon EC2 instances through the Amazon EC2 console. You can also use AWS SSM to manage your domain controllers for future updates and patches through its built-in integration with resource groups.


Configure forest trust relationships

For existing VPCs, you can optionally set up forest trusts with other Active Directory forests. For the required prerequisites to set up forest trusts, see Trust relationships (p. 12) in the Prerequisites section of this guide.

For more information about when to create a trust relationship with other Active Directory forests, see When to Create a Trust Relationship in the AWS Directory Service Administration Guide.

For information about how to add IP routes when the DNS servers for the networks of the other directories use public IP addresses, see Adding IP Routes When Using Public IP Addresses in the AWS Directory Service Administration Guide.

For steps to create a trust relationship, see Tutorial: Create a Trust Relationship Between Your AWS Managed Microsoft AD and Your On-Premises Domain in the AWS Directory Service Administration Guide.

Manage application resources with AWS Launch Wizard for Active Directory

After you deploy your self-managed domain controllers, you can manage them by following these steps.

1. From the navigation pane, choose Deployments.

2. From the Deployments page, select Actions. You can select to do the following:

• Manage resources on the EC2 console. You are taken to the Amazon EC2 console, where you can view and manage your domain controller resources. For example, you can view and manage EC2, Amazon EBS, Active Directory, VPC, subnets, NAT Gateways, and Elastic IPs.

• View resource group with SSM. You are taken to the Systems Manager console to view your resource groups.

• View CloudWatch application logs. You are taken to CloudWatch Logs, where you can monitor, store, and access the application log files from your domain controller deployment.

• View your CloudFormation template. This is the CloudFormation template created by your most recent deployment, and it can be accessed through the CloudFormation console. For help with finding and using your CloudFormation template, see Viewing AWS CloudFormation Stack Data and Resources on the AWS Management Console.

3. To delete a deployment, select the application that you want to delete and select Delete. You are prompted to confirm your action.

Important

You lose all specification settings for the domain controllers when you delete a deployment.

AWS Launch Wizard attempts to delete only the AWS resources that it created in your account as part of the deployment. If you created resources outside of Launch Wizard, for example resources that reside in a VPC created by Launch Wizard, the deletion may fail.

Launch Wizard does not delete any Active Directory objects in your Active Directory, nor any of the records in your DNS server. Launch Wizard has no control over your Active Directory domain user password over time, which is required to clean up Active Directory objects or DNS records. We recommend that you remove these entries from your Active Directory after Launch Wizard deletes the deployment. For key operations performed against your Active Directory resulting in new records or entries, see Active Directory on EC2 (p. 11).

4. To further investigate details regarding your domain controller resources, select the Application name. You can then view the Deployment events and Summary details for your application by using the tabs at the top of the page.


High availability and security best practices for AWS Launch Wizard for Active Directory

The domain controller architecture created by AWS Launch Wizard supports AWS best practices for high availability and security as promoted by the AWS Well-Architected Framework.

Topics

• High availability (p. 21)

• Security in Launch Wizard for Active Directory (p. 21)

High availability

With Amazon EC2, you can set the location of instances in multiple locations composed of AWS Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. Availability Zones are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other Availability Zones in the same Region.

When you launch your instances in different Regions, you can set your domain controllers to be closer to specific customers, or to meet legal or other requirements. When you launch your instances in different Availability Zones, you can protect your domain controllers from the failure of a single location.

Security in Launch Wizard for Active Directory

Launch Wizard creates a number of security groups and rules for you. When Amazon EC2 instances are launched, they must be associated with a security group, which acts as a stateful firewall. You have complete control over the network traffic entering or leaving the security group. You can also build granular rules that are scoped by protocol, port number, and source or destination IP address or subnet.

By default, all outbound traffic from a security group is permitted. Inbound traffic, on the other hand, must be configured to allow the appropriate traffic to reach your instances.

The Securing the Microsoft Platform on Amazon Web Services whitepaper discusses the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers using security groups. We recommend that you tightly control inbound traffic to reduce the attack surface of your EC2 instances.

Launch Wizard configures the necessary security groups for you, which are listed in the following table.

Security group: DomainControllerSG
Associated with: DC1, DC2, DC3, CA
Inbound source and port(s):
  VPCCIDR: UDP53, TCP3389, TCP445, All ICMP-IPV4, IpProtocol-1, FromPort-1, ToPort-1
  DomainControllerSG: IpProtocol-1, FromPort-1, ToPort-1
  DomainMemberTCPSG: TCP49152-65535, TCP445, ICMP-1, TCP135, TCP139, TCP3269, TCP464, TCP5722, TCP389, TCP9389, TCP3268, TCP88, TCP636
  DomainMemberUDPSG: UDP49152-65535, UDP53, UDP389, UDP445, UDP138, UDP5355, UDP123, UDP88

Security group: DomainMemberTCPSG
Associated with: RDGW
Inbound source: ADServer1PrivateIp, ADServer2PrivateIp, ADServer3PrivateIp
Port(s): TCP464, TCP5722, TCP49152-65535, TCP389, TCP445, TCP3389, TCP9389, TCP3268, TCP123, TCP5985, TCP88, TCP139, TCP135, TCP636, TCP3269, TCP53

Security group: DomainMemberUDPSG
Associated with: RDGW
Inbound source: ADServer1PrivateIp, ADServer2PrivateIp, ADServer3PrivateIp
Port(s): UDP445, UDP138, UDP49152-65535, UDP464, UDP5355, UDP137, UDP53, UDP389, UDP88

Security group: RDGWSecurityGroup
Associated with: RDGW1, RDGW2
Inbound source: RDGWCIDR
Port(s): TCP3389

Important

Always restrict ports and source traffic to the minimum necessary to support the functionality of the application.
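One way to check a deployed account against the table above before opening the gateway to users: an added example, not code from the Launch Wizard documentation or from AWS. It walks security groups in the shape that the EC2 DescribeSecurityGroups API returns and flags rules that go beyond the table, namely sources on the open internet, all-traffic rules from a CIDR block rather than from the group itself, and anything other than TCP 3389 on the RDGW group; the group IDs, CIDR blocks and response content are constructed for the example.

```python
from typing import Dict, List

OPEN_WORLD = {"0.0.0.0/0", "::/0"}


def audit_security_groups(groups: List[Dict]) -> List[str]:
    """Return one finding per inbound rule that widens the surface in the table above."""
    findings = []
    for sg in groups:
        name = sg.get("GroupName", sg["GroupId"])
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            frm, to = perm.get("FromPort", -1), perm.get("ToPort", -1)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            rule = "all traffic" if proto == "-1" else f"{proto} {frm}-{to}"
            # Any CIDR source on the open internet is a finding, whatever the port.
            for src in cidrs:
                if src in OPEN_WORLD:
                    findings.append(f"{name}: {rule} open to {src}")
            # The table allows all-traffic rules only from a security group
            # (DomainControllerSG referencing itself), never from a CIDR block.
            if proto == "-1" and cidrs:
                findings.append(f"{name}: all traffic from CIDR {', '.join(cidrs)}")
            # The gateway group is expected to carry only TCP 3389 (RDP).
            if "RDGWSecurityGroup" in name and (proto, frm, to) != ("tcp", 3389, 3389):
                findings.append(f"{name}: unexpected rule {rule}")
    return findings


# Constructed DescribeSecurityGroups content for the example (not real output).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0dc", "GroupName": "DomainControllerSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # VPCCIDR, in the table
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0dc"}]},  # self
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},  # too wide
    ]},
    {"GroupId": "sg-0rd", "GroupName": "RDGWSecurityGroup", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # RDGWCIDR, in the table
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # RDP open to the world
        {"IpProtocol": "tcp", "FromPort": 5985, "ToPort": 5985,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # WinRM, not in the table
    ]},
]

if __name__ == "__main__":
    print("\n".join(audit_security_groups(SAMPLE_GROUPS)) or "no findings")
```

Against a live account, feed it the `SecurityGroups` list returned by `describe_security_groups` in boto3, filtered to the groups the deployment created.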

Troubleshoot AWS Launch Wizard for Active Directory

Each deployment in your account within an AWS Region is uniquely identified by the name you specify at deployment time. Use the deployment name to view the details of the deployment on the Deployments page of the Launch Wizard console.

This section describes steps to help you troubleshoot deploying domain controllers with Launch Wizard for Active Directory.

Contents

• Launch Wizard provisioning events (p. 23)

• CloudWatch Logs (p. 23)

• AWS CloudFormation stack (p. 23)

• Errors (p. 23)

Launch Wizard provisioning events

Launch Wizard captures events from AWS CloudFormation to track the status of an ongoing application deployment. If an application deployment fails, you can view the deployment events for this application by selecting Deployments from the navigation pane. A failed event shows a status of Failed along with a failure message.

CloudWatch Logs

Launch Wizard streams provisioning logs from all of the AWS log sources, such as AWS CloudFormation and PowerShell DSC scripts, to CloudWatch Logs. You can view the CloudWatch Logs for a given application name on the CloudWatch console under the log group name LaunchWizard-APPLICATION_NAME and the log stream ApplicationLaunchLog.

AWS CloudFormation stack

Launch Wizard uses AWS CloudFormation to provision the infrastructure resources of an application.

CloudFormation stacks can be found in your account using the CloudFormation describe-stacks API.

Launch Wizard launches various stacks in your account for validation and application resource creation.

The following are the relevant filters for the describe-stacks API.

• Application Resources

  • LaunchWizard-APPLICATION_NAME. This stack includes all of the resource creation events for resources created by the deployment.

  • LaunchWizard-STACK_NAME-TEMPLATE_NAME. This stack includes all of the logs from each PowerShell script run from within the instance.

You can view the status of these CloudFormation stacks. If any of them fail, you can view the cause of failure.
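The stack-name filters above applied to describe-stacks output to find the resource that actually failed: an added example, not code from the Launch Wizard documentation or from AWS. It works on the response shapes that describe-stacks (the Stacks list) and describe-stack-events (the StackEvents list, newest first) return, and skips the cancellation events CloudFormation emits for every resource after the first failure; the application name MyAD, the stack and resource names and the messages are constructed for the example.

```python
from typing import Dict, List

# CloudFormation cancels every remaining resource after the first failure;
# events carrying this reason are consequences, not the cause.
CANCELLED = "Resource creation cancelled"


def launch_wizard_failures(app_name: str, stacks: List[Dict],
                           events_by_stack: Dict[str, List[Dict]]) -> List[Dict]:
    """Root-cause failure per failed stack named LaunchWizard-<app_name>[-...].

    stacks is the Stacks list of describe-stacks; events_by_stack maps a stack
    name to its describe-stack-events list (newest event first, as returned).
    """
    prefix = f"LaunchWizard-{app_name}"
    failures = []
    for stack in stacks:
        name, status = stack["StackName"], stack["StackStatus"]
        if name != prefix and not name.startswith(prefix + "-"):
            continue  # another deployment sharing the LaunchWizard- prefix
        if "FAILED" not in status and "ROLLBACK" not in status:
            continue
        root = {"stack": name, "resource": None,
                "reason": stack.get("StackStatusReason", status)}
        # The oldest *_FAILED event that is not a cancellation is the real cause.
        for ev in reversed(events_by_stack.get(name, [])):
            reason = ev.get("ResourceStatusReason", "")
            if ev["ResourceStatus"].endswith("_FAILED") and not reason.startswith(CANCELLED):
                root.update(resource=ev["LogicalResourceId"], reason=reason)
                break
        failures.append(root)
    return failures

# Constructed API responses for the example; names and messages are hypothetical.
SAMPLE_STACKS = [
    {"StackName": "LaunchWizard-MyAD", "StackStatus": "CREATE_FAILED",
     "StackStatusReason": "The following resource(s) failed to create: [ADStack]."},
    {"StackName": "LaunchWizard-MyAD-ADServer", "StackStatus": "ROLLBACK_COMPLETE"},
    {"StackName": "LaunchWizard-MyADTest", "StackStatus": "CREATE_FAILED"},  # other app
]
SAMPLE_EVENTS = {
    "LaunchWizard-MyAD": [{"LogicalResourceId": "ADStack", "ResourceStatus": "CREATE_FAILED",
                          "ResourceStatusReason": "Embedded stack was not successfully created"}],
    "LaunchWizard-MyAD-ADServer": [
        {"LogicalResourceId": "ADServer2", "ResourceStatus": "CREATE_FAILED", "ResourceStatusReason": CANCELLED},
        {"LogicalResourceId": "DC1WaitCondition", "ResourceStatus": "CREATE_FAILED",
         "ResourceStatusReason": "WaitCondition timed out. Received 0 conditions when expecting 1"},
        {"LogicalResourceId": "ADServer1", "ResourceStatus": "CREATE_COMPLETE"},
    ],
}
```

With boto3, `describe_stacks()["Stacks"]` and `describe_stack_events(StackName=...)["StackEvents"]` supply the two inputs directly.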

Errors

Failed to create Forest Trust

Cause: Forest trust fails because of the lack of connectivity between the two domain controllers.

Solution: Ensure connectivity between the VPCs and ensure the ports are open between them. See Configure forest trust relationships (p. 20) for more details about configuring forest trusts.

The requested instance type is not supported in the requested Availability Zone

Cause: This failure can occur when you launch either your RDGW instance or your Active Directory Server instance, or during the validation of the instances that Launch Wizard launches in your selected subnets.

Solution: Choose a different Availability Zone and retry the deployment from the initial page of the Launch Wizard console.

Instance stabilization error

Cause: This failure can occur when the EC2 instance used for validation fails to stabilize. When this happens, the EC2 instance is unable to communicate with the CloudFormation service to signal completion, resulting in WaitCondition errors.

Solution: Please contact AWS Support.
