Regardless of whether an organization uses Amazon Web Services (AWS) Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) or Simple Active Directory (Simple AD) in their environment, management of the domain is left up to the organization. So, let’s discuss some options for managing your AWS Directory Services.
To manage a freshly created domain in AWS, an IT administrator would normally create an Amazon Elastic Compute Cloud (Amazon EC2) instance, install the necessary tools and then access that server for management. AWS has a quick start that helps with this called Remote Desktop Gateway on the AWS Cloud Quick Start Reference Deployment. Through the provided CloudFormation you can easily deploy an instance or instances in a robust, highly available solution for managing your directory. Setting up the Remote Desktop Gateway (RD Gateway) using the quick start is very straightforward.
RD Gateway management
Once the RD Gateway servers are set up, you can connect and load the tools on the instance and manage your AWS Directory Services environment. After configuring your management tools you’re good to go until…
Ahh, yes, Microsoft’s dreaded Patch Tuesday. Patching your new RD Gateway server(s) can cause some challenges. If you review the RD Gateway deployment, you will see that the solution deployed uses AWS Auto Scaling which is great for providing redundancy and high availability, but special precautions must be taken during the care and feeding of your RD Gateway instances.
Patching of the servers happens through Systems Manager or you can let the servers patch themselves. Either way, a reboot is often necessary after the server patches. When the server reboots, AWS Auto Scaling can detect this, terminate the instance, and spin up a fresh new instance. The problem is that AWS Auto Scaling will have spun up an instance based on the original Amazon Machine Image (AMI) that was used.
What does this mean?
- Your patching didn’t really happen.
- All the tools you installed are gone.
There are several ways to deal with this. You can suspend the AWS Auto Scaling actions, patch the servers, update the AMI, change the launch configuration to use the new AMI, and reenable AWS Auto Scaling actions each month. Now your AMI has all your customizations so you can build and patch and continue to maintain that instance. You now have a pet—a server image you must worry about, and backup and maintain.
What if you don’t want a pet server? That’s not an uncommon preference. In fact, many IT administrators would prefer:
- A server that will automatically set itself up and is ready to go once it’s deployed.
- An easy way to patch an instance.
- An easy way to update to a new version of Windows.
- An ephemeral instance, with nothing residing on the instance that they do not care about.
Customizations and settings are configured during instance deployment. Think of all the customizations you need on your RD Gateway instance, and incorporate them into the AWS Auto Scaling launch configuration.
Next, you’ll learn how to automatically set up your RD Gateway with some core management tools as part of the AWS Auto Scaling process.
Automatically install management tools
PowerShell is an easy-to-install software package on your instance. Administrators frequently install various tools on their Amazon EC2 instances post-deployment, but ideally that’s not what they should be doing. By following the steps below, administrators can incorporate almost any tool into the AWS Auto Scaling activities. And, when the server is deployed, you have an instance preconfigured with the tools you need.
The example below will show how to do this by installing Active Directory management tools and Domain Name System (DNS) management tools through AWS Auto Scaling into your RD Gateway instance(s). To find the tools you want to install, use the Get-WindowsFeature powershell applet to display all the available services and the name that you can use to install the various features. Notice below, the AD and DNS tools are found under Remote Server Administration Tools. The specific features you’ll want to install are:
Once you identify what to install, modify AWS Auto Scaling to install these features at startup.
- Open the EC2 Console and in the left column scroll to the bottom and select Auto Scaling groups.
- Click on the RDGWLaunchTemplate. You will be taken to the RDGW Launch Template settings. Click on Actions and select Modify Template (Create new version).
- Provide details for this modified template.
- Template version description (This is important.)
- Modify the instance type, if necessary
- Advanced details
- User Data – Add the information below in the User data field.
- User Data – Add the information below in the User data field.
- Click Create template version.
- Navigate to EC2\Auto Scaling Groups and click on RDGW. In the Launch template section, click Edit.
- Select the newly created/updated version of your Launch template and click the Update tab.
- To refresh your RD Gateway instances with this new template and validate your settings have applied, select the Instance refresh tab for your autoscaling group and then click the Start instance refresh button. AWS Auto Scaling will create new instances using the new launch template and terminate the old instances in a rolling fashion. Assuming everything worked as it should have, when you connect via a Remote Desktop connection to your RD Gateway, the Active Directory management tools and DNS management should be preconfigured on your instance.
As far as patching goes, AWS releases updated AMIs shortly after Patch Tuesday. These AMIs have the latest patches already incorporated. To update your RD Gateway, update the launch template with the latest AWS Windows AMI and let AWS Auto Scaling spin up new instances.
Keep in mind, this is not limited to instances behind AWS Auto Scaling. You can also use the User Data section in standalone Amazon EC2 instances or incorporate them into your CloudFormation to further automate deployments. Consider using the User Data section to pull down certificates, or files to an instance upon launch to help with the configuration. The possibilities are endless.
You now have an easy method to treat your RD Gateway servers as ephemeral instances, and learned how this can greatly simplify instance management. Hopefully, you’re now able to expand upon the example provided and configure many components of your server as part of the deployment.
Take advantage of Sirius AWS Managed Services so you can focus on driving your business forward
Sirius is a leading national IT solutions integrator and AWS Advanced Consulting Partner. For more information on how Sirius’ Cloud Managed Services powered by AWS Managed Services can help your organization deploy native and non-native workloads into Managed AWS, hybrid or heterogeneous environments so you can focus on achieving your business objectives, contact a Sirius expert today, or visit our website at siriuscom.com.