Saturday, September 12, 2015

AWS - Auto join EC2 Windows instance to Active Directory Domain


Some environments require your Windows servers to be joined to an Active Directory domain. The following shows the steps taken to join a server to the domain automatically at first boot. It assumes the following:
   An existing AWS VPC whose instances can reach S3 (through an Internet gateway, a NAT, or a VPC endpoint for S3).
   New instances can resolve the domain name and reach a domain controller (DNS plus the usual AD ports through security groups and network ACLs).

NOTE:  Amazon also offers its Directory Service with AD Connector, which connects your VPC to your Active Directory and can join instances for you; this post shows how to do it without the AD Connector.

The steps:

  1. Create a PowerShell script that joins a server to the domain
  2. Embed the credentials by converting the PowerShell script to an executable with PS2exe (this keeps them out of plain-text user data, but it is not encryption; see the caveat in step 2)
  3. Create an S3 bucket and upload the exe file
  4. Create an IAM role with a policy that allows read-only access to that bucket
  5. Launch a new instance, assigning the IAM role and providing User Data that downloads and runs the exe at first launch

1. Create the PowerShell script

The PowerShell script joins the server to the domain. It uses the Add-Computer cmdlet together with a user account that has permission to join computers to the domain (a dedicated account delegated only the right to create computer objects in the target OU is enough; it does not need to be a Domain Admin). The script embeds the username, password, and domain name, so modify those for your environment.


Save the file as JoinDomain.ps1
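The following JoinDomain.ps1 is an added example of such a script and is not the script from the original post. The domain name corp.example.com, the account CORP\svc-domainjoin, its password, and the OU path are placeholder assumptions; replace them for your environment. Beyond a bare Add-Computer call, it exits cleanly if the machine is already joined (so re-running it is safe), checks that a domain controller answers before attempting the join, logs the outcome, and returns a non-zero exit code on failure so the caller can tell what happened.

```powershell
# JoinDomain.ps1 - added example, not the original post's script.
# All values below are assumptions for illustration; change them for your environment.
$DomainName = 'corp.example.com'
$JoinUser   = 'CORP\svc-domainjoin'                              # delegated "create computer objects" only
$JoinPass   = 'ChangeMe-ExamplePassword'                          # embedded at build time by PS2exe
$OUPath     = 'OU=EC2,OU=Servers,DC=corp,DC=example,DC=com'       # target OU for the new computer object
$LogFile    = 'C:\temp\JoinDomain.log'

New-Item -Path (Split-Path -Path $LogFile -Parent) -ItemType Directory -Force | Out-Null

function Write-Log {
    param([string]$Message)
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

# Idempotency: user data can be re-run by an operator, so do nothing if already joined.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain -and ($cs.Domain -ieq $DomainName)) {
    Write-Log "Already a member of $DomainName; nothing to do."
    exit 0
}

# Fail fast with a clear log entry if DNS or the network path to the DCs is broken.
if (-not (Test-Connection -ComputerName $DomainName -Count 2 -Quiet)) {
    Write-Log "Cannot reach a domain controller for $DomainName; check DNS and security groups."
    exit 1
}

$securePass = ConvertTo-SecureString -String $JoinPass -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $JoinUser, $securePass

try {
    # -Force suppresses the confirmation prompt; -ErrorAction Stop turns failures into a catchable exception.
    Add-Computer -DomainName $DomainName -Credential $credential -OUPath $OUPath -Force -ErrorAction Stop
    Write-Log "Joined $DomainName (OU: $OUPath); restarting to complete the join."
    Restart-Computer -Force
    exit 0
}
catch {
    Write-Log "Join to $DomainName failed: $($_.Exception.Message)"
    exit 1
}
```

The log file lands on the instance, so a failed join can be diagnosed over RDP without guessing; the exit code is what the user data script (step 5) can check after running the exe.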

2. Convert the PowerShell script to an executable file

To keep the credentials out of the plain-text user data, we convert the PowerShell script to an executable with PS2exe. Be clear about what this buys you: PS2exe wraps the script in a .NET host and the script text is recoverable from the exe by anyone who can read it, so this is obfuscation, not encryption. Anyone who can run code on the instance can assume the instance role and download the exe from the bucket, so the join account must be a low-privilege account that can do nothing beyond creating computer objects, and it should be rotated if the exe or bucket is ever exposed. Download PS2exe from: PS2exe download

Extract the zip file to a folder and then run PS2exe.ps1 against JoinDomain.ps1 to convert it to an exe file. From a PowerShell prompt in that folder, run the following (the second positional argument is the output file):

PS C:\ps2exe> .\ps2exe.ps1 -inputFile .\JoinDomain.ps1 -outputFile .\JoinDomain.exe

This will create the JoinDomain.exe file.

3. Create an S3 bucket and upload the exe file

Within the AWS console, create a new S3 bucket to store the JoinDomain.exe file. Keep the bucket private (no public read) since the exe contains the join credentials.
For this example we will use examplebucket for the bucket name; you will need to use your own unique bucket name.

With the bucket created, we can upload the JoinDomain.exe file to the bucket.


4. Create an IAM role with a policy to allow read-only access to the S3 bucket

By creating an IAM role and assigning it to the instance, we eliminate the need for an IAM user with long-lived access keys embedded in the user data. The instance role provides short-lived credentials through the instance metadata service, and the AWS Tools for PowerShell pick them up automatically, so the user data script needs no keys at all.

Create an IAM role in the AWS console, and Select Role Type: AWS Service Roles > Amazon EC2


Follow the prompts through, clicking Next until the role is created. With the role created, we now add an inline policy that grants access to the S3 bucket.

Select the newly created Role and expand the 'Inline Policies' to create a new policy:


Choose the option to create a Custom Policy:



For the policy, we grant only ListBucket and GetObject, restricted to this bucket. Note that the two actions apply to different resources: s3:ListBucket is evaluated against the bucket ARN itself (arn:aws:s3:::examplebucket), while s3:GetObject is evaluated against object ARNs (arn:aws:s3:::examplebucket/...). A single statement with only the bucket/* resource silently fails to grant ListBucket, so the two are split below. GetObject is narrowed to the one object the instance needs. Here is the policy; you must modify the bucket name:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::examplebucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::examplebucket/JoinDomain.exe"]
    }
  ]
}



5.  Launch a new instance

Launch a new instance into the VPC. We need to attach the IAM role to the instance and configure Advanced > User Data.

User Data is used to run scripts when the instance is first launched (on Amazon-provided Windows AMIs of this era, EC2Config runs a <powershell> block once, on first boot). For our example, the user data downloads JoinDomain.exe from S3 and then executes it.

First assign the IAM Role to the instance.

Next, expand the Advanced Details to show the User Data field. Here we provide the PowerShell commands that download the exe file and execute it. Here is the User Data to include, modifying the S3 bucket name to your environment:




The Read-S3Object cmdlet comes from the AWS Tools for PowerShell, which are preinstalled on Amazon-provided Windows AMIs and use the instance role's credentials automatically, so no keys appear here. Since we are running an exe rather than a .ps1, no change to the execution policy is needed. Start-Process with -Wait runs the joiner synchronously and lets us record its exit code, which is the first thing to look at if the instance does not end up on the domain.

<powershell>
# Download the joiner from S3 using the instance role, then run it and record the result.
New-Item -Path C:\temp -ItemType Directory -Force | Out-Null
Set-Location -Path C:\temp
Read-S3Object -BucketName examplebucket -Key JoinDomain.exe -File C:\temp\JoinDomain.exe
$proc = Start-Process -FilePath C:\temp\JoinDomain.exe -Wait -PassThru
"JoinDomain.exe exited with code $($proc.ExitCode)" | Out-File -FilePath C:\temp\userdata.log
</powershell>

Here's what it looks like in the AWS Console:




Follow the remaining steps to complete launching of the instance. The instance will launch, download the exe, execute it, and restart to complete the domain join.
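Once the instance has restarted, the following added example (not part of the original post) is the check I would run over RDP to confirm that each piece of the procedure did what it should: that the machine is actually a member of the expected domain with a healthy secure channel, that the instance role can list and fetch from the bucket, and, just as importantly, that the role cannot write to it, which would mean the policy is broader than the read-only intent of step 4. The bucket name examplebucket and the EC2Config log path are assumptions for this example.

```powershell
# Post-join verification - added example, not from the original post.
$DomainName = 'corp.example.com'      # assumption: the domain used in JoinDomain.ps1
$BucketName = 'examplebucket'         # assumption: the bucket from step 3

# 1. Is the machine joined to the expected domain, and does the machine account trust still work?
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain -and ($cs.Domain -ieq $DomainName)) {
    "Member of $($cs.Domain)"
    # Test-ComputerSecureChannel returns $true when the machine account can authenticate to a DC.
    "Secure channel healthy: $(Test-ComputerSecureChannel)"
} else {
    "NOT joined (current domain/workgroup: $($cs.Domain)); check C:\temp\JoinDomain.log and C:\temp\userdata.log"
}

# 2. Does the instance role grant the reads the user data relied on?
try {
    $obj = Get-S3Object -BucketName $BucketName -KeyPrefix 'JoinDomain.exe'
    "ListBucket OK: $($obj.Key) ($($obj.Size) bytes)"
} catch {
    "ListBucket FAILED: $($_.Exception.Message)  (ListBucket must be granted on the bucket ARN, not bucket/*)"
}

# 3. Least-privilege check: a write should be denied. If this succeeds, the role is broader than intended.
try {
    Write-S3Object -BucketName $BucketName -Key 'least-privilege-probe.txt' -Content 'probe' -ErrorAction Stop
    "WARNING: PutObject succeeded; the instance role is not read-only. Remove the probe object and tighten the policy."
} catch {
    "PutObject denied as expected: $($_.Exception.Message)"
}

# 4. EC2Config's own log shows whether the user data block ran at all (path for EC2Config-based AMIs).
$ec2ConfigLog = 'C:\Program Files\Amazon\Ec2ConfigService\Logs\Ec2ConfigLog.txt'
if (Test-Path $ec2ConfigLog) {
    Select-String -Path $ec2ConfigLog -Pattern 'UserData', 'User Data' | Select-Object -Last 5
}
```

Running the write probe with the real role is the quickest way to catch an inline policy that was pasted with an extra action or a wildcard resource; a denied PutObject is the expected, healthy result.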