
Automatically Join EC2 to Active directory

by Atin Mittal

Joining servers to Active Directory is a common requirement. It matters most for servers in an Auto Scaling group, which must join the domain as soon as they come up, without an administrator in the loop.

This post shows how to configure an EC2 Auto Scaling group so that newly launched Windows instances automatically join a target domain. The domain used here is hosted by AWS Directory Service.

Step 1: Create an IAM policy.

  1. Open the IAM console, click Policies and then Create Policy.
  2. On the Create Policy page, click Import Managed Policy.
  3. In the Search Policies field, type AmazonEC2RoleforSSM. Select the policy and click Import.
  4. Click the JSON tab and add the ssm:CreateAssociation permission. This is the only permission beyond what SSM Agent itself needs. Scope its Resource to the domain-join document and to the instance itself rather than "*": any process on the instance can obtain the role's credentials from the instance metadata service, and an unscoped CreateAssociation lets it attach any SSM document to any instance in the account.
  5. Click Review Policy. Name the policy AmazonEC2RoleforSSM-ASGDomainJoin.
  6. Click Create Policy.

Step 2: Create an IAM role for EC2

  1. Open the IAM console, click Roles, and then click Create Role.
  2. On the Select Role Type page, in the AWS Service Role section, choose Amazon EC2 and click Next.
  3. In the Filter box, type AmazonEC2RoleforSSM-ASGDomainJoin. Select the checkbox next to your policy and click Next.
  4. In the Role Name field, type EC2SSMRole-ASG, and then type a role description.
  5. Review the role details, and then choose Create Role.
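The same two steps scripted with the AWS Tools for PowerShell, as an added example that is not part of the original post. It keeps the post's policy and role names but replaces the deprecated AmazonEC2RoleforSSM import with AmazonSSMManagedInstanceCore, and it scopes ssm:CreateAssociation to one document and to the calling instance. <region>, <account-id>, <directoryId> and <directoryName> are placeholders to substitute.

```powershell
# Added example, not the original post's procedure: policy and role for the ASG instances.
# Placeholders: <region>, <account-id>, <directoryId>, <directoryName>.
Set-DefaultAWSRegion -Region <region>

# AWS deprecated AmazonEC2RoleforSSM (imported in Step 1) in favour of this policy,
# which carries only what SSM Agent itself needs.
$ssmCoreArn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

# Only the extra permission is customer-managed. Without the Resource list below, any process
# on any instance holding this role could attach any SSM document to any instance in the account.
# ${ec2:SourceInstanceARN} is an IAM policy variable that resolves to the ARN of the instance
# whose instance-profile credentials sign the request, so an instance may associate only itself.
$createAssociation = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JoinOnlyThisDirectoryAndOnlyMyself",
      "Effect": "Allow",
      "Action": "ssm:CreateAssociation",
      "Resource": [
        "arn:aws:ssm:<region>:<account-id>:document/awsconfig_Domain_<directoryId>_<directoryName>",
        "${ec2:SourceInstanceARN}"
      ]
    }
  ]
}
'@

# Trust policy: only the EC2 service may assume the role.
$trust = @'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" }
  ]
}
'@

$policy = New-IAMPolicy -PolicyName "AmazonEC2RoleforSSM-ASGDomainJoin" -PolicyDocument $createAssociation
$role   = New-IAMRole -RoleName "EC2SSMRole-ASG" -AssumeRolePolicyDocument $trust `
                      -Description "SSM-managed Auto Scaling instances that join the AD domain on launch"

Register-IAMRolePolicy -RoleName $role.RoleName -PolicyArn $ssmCoreArn
Register-IAMRolePolicy -RoleName $role.RoleName -PolicyArn $policy.Arn

# EC2 attaches roles through an instance profile; the console creates one implicitly, a script must not skip it.
New-IAMInstanceProfile -InstanceProfileName $role.RoleName | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName $role.RoleName -RoleName $role.RoleName
```

The policy variable only resolves when the request is signed with instance-profile credentials obtained on the instance, which is exactly the user-data case in Step 4; an operator running New-SSMAssociation from a workstation with this policy would be denied, which is the intended boundary.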

Step 3: Replace the default SSM document

If you previously used the launch wizard to launch instances and join them to the domain, a default SSM document already exists. Check whether one exists for your directory by running the following command.

aws ssm get-document --name "awsconfig_Domain_<directoryId>_<directoryName>"

If the default document exists:

The command returns the document as JSON. Save this output for reference before deleting the document.

Delete the existing default SSM document:

Delete the existing default document by running the following command.

aws ssm delete-document --name "awsconfig_Domain_<directoryId>_<directoryName>"

Create new document with new JSON:

Create a JSON file for the new document. The domain-join document takes four parameters:

  1. directoryId is the ID of the directory (or AD Connector) you created in AWS Directory Service.
  2. directoryName is the name of the domain (for example, example.com).
  3. directoryOU is the organizational unit in which the computer objects are created.
  4. dnsIpAddresses includes the IP addresses of the DNS servers you specified when you created your directory (or AD Connector) in Directory Service.

Finally, create the SSM document from the JSON file by running the following command.

aws ssm create-document --content file://path/to/new-ssm-doc.json --name "awsconfig_Domain_<directoryId>_<directoryName>"
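Step 3 end to end with the AWS Tools for PowerShell, as an added example that is not part of the original post. It shows what the four parameters look like inside the document: the schemaVersion 1.0 aws:domainJoin plugin that the default document also uses. The directory ID, domain, OU and DNS addresses are placeholder values to be replaced with those from your Directory Service console, and <region> is a placeholder.

```powershell
# Added example, not from the original post: replace the default domain-join document.
# Runs with the operator's credentials (GetDocument/DeleteDocument/CreateDocument), not the instance role.
Set-DefaultAWSRegion -Region <region>

$directoryId    = "d-1234567890"                   # placeholder
$directoryName  = "example.com"                    # placeholder
$directoryOU    = "OU=Servers,DC=example,DC=com"   # placeholder; optional, default is the Computers container
$dnsIpAddresses = @("10.0.0.10", "10.0.1.10")      # placeholder; the directory's DNS addresses
$docName        = "awsconfig_Domain_${directoryId}_${directoryName}"

# Build the document as an object and serialise it rather than hand-editing JSON.
# aws:domainJoin is the SSM Agent plugin that performs the join through Directory Service,
# so the document carries no domain credentials.
$content = [ordered]@{
    schemaVersion = "1.0"
    description   = "Automatic domain join for $directoryName"
    runtimeConfig = @{
        "aws:domainJoin" = @{
            properties = [ordered]@{
                directoryId    = $directoryId
                directoryName  = $directoryName
                directoryOU    = $directoryOU
                dnsIpAddresses = $dnsIpAddresses
            }
        }
    }
} | ConvertTo-Json -Depth 6

# Keep a copy of the default document, if there is one, before deleting it.
$existing = Get-SSMDocument -Name $docName -ErrorAction SilentlyContinue
if ($existing) {
    $existing.Content | Set-Content -Path ".\$docName.backup.json"
    Remove-SSMDocument -Name $docName -Force
}

New-SSMDocument -Name $docName -DocumentType Command -Content $content
```

The document name must match what the user-data script in Step 4 passes to New-SSMAssociation, and it must be created in the Region in which the instances launch.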

Step 4: Create the Auto Scaling group launch configuration

  1. Go to the EC2 console and click Launch Configurations. (Launch configurations are deprecated; a launch template takes the same IAM role and user data.)
  2. Click Create Launch Configuration, choose the image and instance type, and proceed to Configure details.
  3. For IAM role, select EC2SSMRole-ASG (created earlier).
  4. Expand the Advanced Details section. Add a Windows PowerShell script that runs when the Auto Scaling group launches a new instance. User data is readable by any process on the instance through the instance metadata service, so it must not carry domain credentials; this script needs none, because SSM Agent performs the join through the directory.
  5. Customize the following script and paste it into the User data field.

<powershell>
Set-DefaultAWSRegion -Region <region>
# Read this instance's ID from the instance metadata service. The session token is the IMDSv2 form, which also works when IMDSv1 is disabled on the instance.
$token = Invoke-RestMethod -Method Put -Uri http://169.254.169.254/latest/api/token -Headers @{ "X-aws-ec2-metadata-token-ttl-seconds" = "60" }
$instance_id = Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/instance-id -Headers @{ "X-aws-ec2-metadata-token" = $token }
# Associate the domain-join document with this instance; SSM Agent then runs the join.
New-SSMAssociation -InstanceId $instance_id -Name "<ssmDocumentName>"
</powershell>

  • region: the Region in which the instances are launched (example: ap-south-1).
  • ssmDocumentName: the name of the SSM document created in Step 3.
  6. Complete the launch configuration by filling in the remaining details.
  7. Once the launch configuration is created, create an Auto Scaling group from it (or attach it to an existing one) and set the desired capacity to 1.

Step 5: Verify that the server has joined the domain

Follow these steps to verify that the newly launched server has joined the domain.

  1. Copy the instance ID of the server that the Auto Scaling group launched and wait until Status checks show 2/2 checks passed.
  2. Run the following command to check whether the association was created.

aws ssm list-associations --association-filter-list key=Name,value="awsconfig_Domain_<directoryId>_<directoryName>"

  3. The command returns JSON. Check that the instance ID launched by the Auto Scaling group appears in it and that its Status attribute has the value Success.
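A scripted version of this check, as an added example that is not part of the original post. It filters associations by InstanceId instead of by Name, so the result is that one instance's association rather than every instance that ever used the document, waits for a terminal status, and then confirms from inside the instance (over Run Command) that the machine is actually a domain member with a working secure channel. <region>, <instanceId> and the document name are placeholders.

```powershell
# Added example, not from the original post: verify the join for one ASG-launched instance.
# Placeholders: <region>, <instanceId>, <directoryId>, <directoryName>.
Set-DefaultAWSRegion -Region <region>
$instanceId = "<instanceId>"
$docName    = "awsconfig_Domain_<directoryId>_<directoryName>"

# 1. Association status from the SSM side. Pending means SSM Agent has not run the plugin yet.
$deadline = (Get-Date).AddMinutes(15)
do {
    $assoc  = Get-SSMAssociationList -AssociationFilterList @{ Key = "InstanceId"; Value = $instanceId } |
              Where-Object { $_.Name -eq $docName }
    $status = if ($assoc) { $assoc.Overview.Status } else { "NotCreated" }
    if ($status -in @("Success", "Failed")) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)
"Association status for $instanceId : $status"
if ($status -ne "Success") { return }

# 2. Success only means the plugin ran; confirm the machine is a domain member whose secure
#    channel to a domain controller works. Single-quoted here-string: it is evaluated on the instance.
$check = @'
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$sc = if ($cs.PartOfDomain) { Test-ComputerSecureChannel } else { $false }
"PartOfDomain=$($cs.PartOfDomain) Domain=$($cs.Domain) SecureChannel=$sc"
'@
$cmd = Send-SSMCommand -InstanceId $instanceId -DocumentName "AWS-RunPowerShellScript" -Parameter @{ commands = $check }
do {
    Start-Sleep -Seconds 5
    $inv = Get-SSMCommandInvocationDetail -CommandId $cmd.CommandId -InstanceId $instanceId
} while ($inv.Status.Value -in @("Pending", "InProgress", "Delayed"))
$inv.StandardOutputContent
```

The Run Command step needs ssm:SendCommand on the operator's credentials; it is not something the instance role should be able to do.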
