Would you like to build a new Windows EC2 server in Amazon AWS, and then join it to Stanford’s Active Directory domain? You could do things like allow your users to log in using their SUNet IDs (i.e. WIN\[sunet]), or maybe you want to apply Group Policy Objects to your servers. University IT is very close to being able offer AD in the Cloud, a project being led by Stanford’s Windows Infrastructure team.
Our team, the Technology Consulting Group (TCG), helped with some testing. TCG’s testing was done in a non-production AD environment, so the details below are subject to change. However, here’s a quick overview for those that are interested. Simply stated, there are two key requirements…
First off, IPv6:
Traffic from your Windows server to the Domain Controllers is only allowed over IPv6, so you need to enable it within AWS. Plus, for security reasons the Windows Infrastructure group has firewall rules in place, so they will need to explicitly grant your server access. Here are the steps we used.
- Enable IPv6 at the VPC level (you will probably get assigned a /56 static range of IPs)
- Next, out of that new /56 IPv6 range, assign a smaller /64 range to the AWS subnet where your Windows server will live.
- Give this /64 range to the Windows team. They will add “permit” rules to their Domain Controller firewalls.
- Finally, go to your EC2 Windows instance and allow AWS to auto-assign an IPv6 address. (This IP will be in addition to the private, and possibly public, IPv4 address(es) already in use by your machine)
Next, IPSec Tunnel:
All traffic to/from the DCs must be encrypted. To do so, your EC2 instance needs to create an IPSec tunnel using a UIT provided certificate. Fortunately, the Windows Infrastructure team has a couple of PowerShell scripts to make this task very easy, and are located here: https://code.stanford.edu/winfra/aws-ad-client/tree/master/scripts
- First run this one:
./Get-VaultCertificate.ps1 -vault_role_id "xxxxxxxxxxxxxxxxxxxx" -vault_secret_id "yyyyyyyyyyyyyyyyyy"
This script reaches out to Stanford’s “Vault” system, and then using special ID values provided to you, it grabs a new certificate and installs it onto your EC2 machine in the Windows certificate store.
- Then run:
./New-MemberIPSecPolicy.ps1 -remote_ipscope "xyz:xyz:xyz:xyz::/56"
This one creates a new IPSec tunnel on your Windows EC2 instance. It uses the above certificate and sets up an IPSec rule for traffic to the DCs. (The specific /56 range for the DCs will be provided to you by the Windows team as well.)
Then you are done! At this point, you can simply join your Windows server to the Stanford AD domain like you normally would, and then you can log into your Windows sever using your AD account!