How to Automatically Join EC2 to Active Directory?

Adding the servers to the Active Directory is a common scenario, especially when servers are running in an auto-scaling group; it becomes more critical as the server needs to be added to the domain as soon as they come up.

This blog will show how to automatically enable an EC2 Auto Scaling group to join newly launched instances to a target domain. We are using the Active Directory domain managed in AWS.

Step 1: Create an IAM policy.

1. Open IAM Console, click on Policies, and click on Create Policy.
2.  On the Create Policy page, click Import Managed Policy.
3.  In the Search Policies field, type AmazonEC2RoleforSSM. Select the Policy and click on import.
4.  Click on the JSON tab, and add the SSM: CreateAssociation permission.
5.  Click on Review Policy. Give the policy name as AmazonEC2RoleforSSM-ASGDomainJoin.
6.  Click on create Policy.

Step 2: Create an IAM role for EC2

1. Open the IAM console, click on it, and click Create New Role.
2.  On the Select Role Type page in the AWS Service Role section, choose Amazon EC2 and click on next.
3.  In the Filter box, type AmazonEC2RoleforSSM-ASGDomainJoin. Choose the checkbox next to your Policy, and click on Next.
4.  In the Role Name field, type EC2SSMRole-ASG, then type a role description.
5.  Review the role details, and then choose Create Role.

Step 3: Replace the default SSM document

If you previously used the launch wizard to launch the instances and join the domain, you will have a default SSM document. The following command will check whether the default SSM document exists for your domain.

aws ssm get-document –name \”awsconfig_Domain_<directoryId>_<directoryName>\”

If the default document exists:

You will get a JSON as an output, something similar to the following.

You can save this JSON for your reference.

Delete the existing default SSM document:

Delete the existing default document by running the following command.

aws ssm delete-document –name \”awsconfig_Domain_<directoryId>_<directoryName>\”

Create new document with new JSON:

Create a JSON file with the following content

1. directoryId is the ID of a directory (or AD Connector) you created in AWS Directory Service.
2. directoryName is the name of the domain (for example, example.com).
3. directoryOU is the organizational unit for the domain.
4. dnsIpAddresses includes the IP addresses for the DNS servers you specified when you created your directory (or AD Connector) in Directory Service.

Finally create the SSM document with the above JSON content. You can do that by running the following command.

aws ssm create-document –content file://path/to/new-ssm-doc.json –name \”awsconfig_Domain_<directoryId>_<directoryName>\”

Step 4: Create Auto Scaling group launch configuration

1. Go to the EC2 console and click on Launch Configurations.
2.  Click on Create Launch Configuration, choose the image, instance type, and proceed to configure details.
3.  For the IAM role, select EC2SSMRole-ASG (which we created earlier).
4.  Expand the Advanced Details section. Add a Windows PowerShell script which will be executed when new instances are launched as the Auto Scaling group.
5.  Customize the following script and paste it into the User data.

• Region: This is the region in which instance will be launched (Example: ap-south-1)
• ssmDocumentName: It is the name of SSM document that we have created.

1. Now, complete the launch configuration creation process by giving appropriate details.
2. Once the launch configuration is created, attach it to the Auto Scaling group and set the desired capacity to 1.

Step 5: Verify if the server is joined to the domain.

Follow this step to verify that the newly launched server has been joined to the domain.

1. Copy the instance ID of the server that has been launched by Auto Scaling group and wait until Status checks show 2/2 check passed.
2. Now, run the following command to check if the association has been successfully created.
   aws ssm list-associations –association-filter-list key=Name,value= \”awsconfig_Domain_<directoryId>_<directoryName>\”
3. The above command will give you the JSON output. Analyze the JSON and check if the instanceID, which the auto-scaling group launches, are present, and it should contain the sub-attribute named Status with a value of Success.