How do I use Amazon AWS Directory Service and Amazon Connect with Microsoft Active Directory?

Reading time: 9 minutes

I want to configure Amazon AWS Directory Service to manage users of Amazon Connect.

Resolution

Follow these steps to configure AWS Directory Service with Amazon Connect:

  1. Create an Active Directory in AWS Directory Service.
  2. Create an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance so that you can create and manage users for the directory.
  3. Create a new user in the directory.
  4. Create an Amazon Connect instance with the newly created directory.
  5. Add and manage new users in Amazon Connect.

AWS Directory Service offers three directory types: AWS Managed Microsoft AD, AD Connector, and Simple AD. All three work with Amazon Connect for user management; this article walks through AWS Managed Microsoft AD. For more information, see What is AWS Directory Service?

Prerequisites

Make sure that Amazon Virtual Private Cloud (Amazon VPC) is set up with these options:

  • There are at least two subnets, and they are in different Availability Zones.
  • The VPC uses default hardware tenancy.
  • The VPC does not use IP addresses in the 198.18.0.0/15 address space.

To configure the Amazon VPC, see Get started with Amazon VPC.

Note: For more information on the earlier prerequisites, see AWS Managed Microsoft AD prerequisites. For information on the prerequisites related to the other AWS Directory Service types, see AD Connector prerequisites or Simple AD prerequisites.

Create an Active Directory in AWS Directory Service

Follow these steps to configure AWS Managed Microsoft AD:

  1. In the AWS Directory Service Management console, choose Set up directory.
  2. Complete the form as follows:
    For Directory type, select AWS Managed Microsoft AD.
    For Edition, select your edition, Standard or Enterprise.
    For Directory DNS name, enter any fully qualified domain name of your choice.
    For Directory NetBIOS name (optional), enter a short identifier for the domain.
    For Directory description (optional), provide a short description of the directory (no more than 128 characters).
    For Admin password, enter a password. Save this password because you use it later to log in to the EC2 instance.
    For Confirm password, re-enter the password.
  3. Choose Next to continue.
  4. Select the VPC and subnets that you set up as prerequisites. Then, choose Next to continue.
  5. Choose Create directory. Creating and initializing the directory takes some time. For more information, see Create your AWS Managed Microsoft AD directory.
  6. When the directory status is Active, you can sign in to it as the directory administrator with these credentials (you use them on the EC2 instance in the next section):
    User name: Admin
    Password: [The password that you created in Step 2.]

Create an Amazon EC2 instance for Microsoft Windows Server

To manage users in the new directory that you created, you must create an EC2 instance. Later you will use this EC2 instance to add, modify, or delete users.

Creating an instance is a three-step process:

Set up the IAM role for the instance

The EC2 instance requires an AWS Identity and Access Management (IAM) role so that the Systems Manager (SSM) agent on the instance can perform the domain join. Follow these steps to create an IAM role for the instance:

  1. In the IAM console, choose Roles, Create role.
  2. For Trusted entity type, select AWS service, and for Use case, select EC2. Then, choose Next.
  3. For Permissions policies, select both of these AWS managed policies:
    • AmazonSSMManagedInstanceCore
    • AmazonSSMDirectoryServiceAccess
    These two policies are all that the seamless domain join needs; don't attach broader policies to this role.
  4. Choose Next.
  5. For Role name, enter AWSDirectoryEC2Role (the name that this article uses later), and then choose Create role.

Create a security group for the instance

You must create a security group for the EC2 instance. You use this security group later when you create the instance.

  1. In the EC2 console, choose Security groups, Create security group.
  2. Enter a name for the security group. For example, you might use AWSDirectoryEC2SecurityGroup.
  3. Select the same VPC where you created AWS Managed Microsoft AD.
  4. For Inbound rules, choose Add rule, and then allow Remote Desktop Protocol (RDP) traffic from your administrators only:
    Type: RDP
    Source: IP_range_to_allow_the_RDP_traffic
    Note: Replace IP_range_to_allow_the_RDP_traffic with the narrowest range you can (for example, your office or VPN egress range). Don't use 0.0.0.0/0: this instance becomes a domain-joined administrative host with the directory Admin credentials typed into it.
  5. For Outbound rules, choose Add rule, and then enter the following:
    Type: All traffic
    Destination: Choose Custom, and then select the security group of the directory.
    Note: The directory's security group has the following name format by default:
    directoryid_controllers. For example, if the directory id is d-9x1234abcd, then the security group is d-9x1234abcd_controllers.
    Note: A new security group also starts with a default outbound rule that allows all traffic to 0.0.0.0/0. The SSM agent uses that rule to reach Systems Manager for the domain join, so if you remove it you must provide VPC endpoints for Systems Manager instead.
  6. Choose Create security group.

Create an EC2 instance

Follow these steps to create an EC2 instance:

  1. In the EC2 console, choose Instances, Launch instances.
  2. Name the EC2 instance (optional).
  3. Then, configure the following:
    For Application and OS Images, select Windows.
    For Key pair, select the key pair from the dropdown list if it was already created, or create new key pair for the instance.
    For Network settings, select the same VPC where you created the AWS Managed Microsoft AD directory.
    For Subnet, choose one of the subnets associated with the directory. If you plan to connect over RDP from outside the VPC, choose a public subnet and turn on Auto-assign public IP. (Because the instance role includes AmazonSSMManagedInstanceCore, you can instead connect through Systems Manager Fleet Manager Remote Desktop or Session Manager and leave the instance without a public IP.)
  4. For Firewall (security groups), choose Select existing security group, and then select the security group that you created earlier.
    For example, AWSDirectoryEC2SecurityGroup.
    Important: You can select a different security group. However, the instance's security group and the directory's security group together must allow traffic between the EC2 instance and the domain controllers, so edit them accordingly.
  5. Expand Advanced details.
    For Domain join directory, select the directory that you created earlier.
    For IAM instance profile, select AWSDirectoryEC2Role, the role that you created earlier.
  6. Leave the rest of the configuration as-is, and then choose Launch instance. See Join an EC2 instance to your AWS Managed Microsoft AD Directory for more information on creating an EC2 instance.

For more information on joining an EC2 instance with AD Connector, see Seamlessly join a Windows EC2 instance. For more information on joining an EC2 instance with Simple AD, see Seamlessly join a Windows EC2 instance.
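The three steps above (IAM role, security group, domain-joined instance) as one script, written here as an added example rather than taken from the article. It uses the AWS Tools for PowerShell and assumes that the modules are installed and credentials are configured. The VPC, subnet, directory and key-pair identifiers, the administrator CIDR, the region and the instance type are placeholders to replace. The "Domain join directory" option in the console is implemented as a Systems Manager association that runs the AWS-JoinDirectoryServiceDomain document, which is what the last step creates directly.

```powershell
# Added example (not from the article): provision the IAM role, a locked-down
# security group, and a domain-joined Windows instance for directory administration.
# All identifiers and ranges below are placeholders (assumptions); replace them.
$ErrorActionPreference = 'Stop'
Import-Module AWS.Tools.Common, AWS.Tools.IdentityManagement, AWS.Tools.EC2,
              AWS.Tools.DirectoryService, AWS.Tools.SimpleSystemsManagement

$Region      = 'us-east-1'
$VpcId       = 'vpc-0123456789abcdef0'    # VPC that holds the directory
$SubnetId    = 'subnet-0123456789abcdef0' # one of the directory's subnets
$DirectoryId = 'd-1234567890'             # from the Directory Service console
$AdminCidr   = '203.0.113.0/24'           # the ONLY range allowed to RDP in; never 0.0.0.0/0
$KeyName     = 'my-keypair'
$RoleName    = 'AWSDirectoryEC2Role'
Set-DefaultAWSRegion -Region $Region

# 1. IAM role with exactly the two managed policies the SSM agent needs for the join.
$trust = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
New-IAMRole -RoleName $RoleName -AssumeRolePolicyDocument $trust | Out-Null
foreach ($p in 'AmazonSSMManagedInstanceCore', 'AmazonSSMDirectoryServiceAccess') {
    Register-IAMRolePolicy -RoleName $RoleName -PolicyArn "arn:aws:iam::aws:policy/$p"
}
New-IAMInstanceProfile -InstanceProfileName $RoleName | Out-Null
Add-IAMRoleToInstanceProfile -InstanceProfileName $RoleName -RoleName $RoleName
Start-Sleep -Seconds 10   # a new instance profile takes a few seconds to become usable

# 2. Look up the directory: DNS name, DNS server addresses, and its <directoryId>_controllers group.
$dir   = Get-DSDirectory -DirectoryId $DirectoryId
$dirSg = $dir.VpcSettings.SecurityGroupId

# 3. Security group for the admin instance: RDP only from $AdminCidr, all traffic to the controllers.
$sgId = New-EC2SecurityGroup -GroupName 'AWSDirectoryEC2SecurityGroup' -Description 'AD admin host' -VpcId $VpcId
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission @{IpProtocol='tcp'; FromPort=3389; ToPort=3389; IpRanges=$AdminCidr}
$pair = New-Object Amazon.EC2.Model.UserIdGroupPair
$pair.GroupId = $dirSg
Grant-EC2SecurityGroupEgress -GroupId $sgId -IpPermission @{IpProtocol='-1'; UserIdGroupPairs=$pair}
# The group keeps its default "all traffic to 0.0.0.0/0" egress rule; the SSM agent needs it
# (or VPC endpoints for Systems Manager) to reach the service that performs the join.

# 4. Launch the latest Windows Server 2022 AMI (public SSM parameter) with the role attached.
$ami = (Get-SSMParameter -Name '/aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base').Value
$res = New-EC2Instance -ImageId $ami -InstanceType 't3.medium' -MinCount 1 -MaxCount 1 `
    -KeyName $KeyName -SubnetId $SubnetId -SecurityGroupId $sgId `
    -InstanceProfile_Name $RoleName -AssociatePublicIp $true
$instanceId = $res.Instances[0].InstanceId

# 5. Seamless domain join: the same SSM association the console creates for "Domain join directory".
New-SSMAssociation -Name 'AWS-JoinDirectoryServiceDomain' `
    -Target @{Key='instanceids'; Values=@($instanceId)} `
    -Parameter @{directoryId=@($DirectoryId); directoryName=@($dir.Name); dnsIpAddresses=@($dir.DnsIpAddrs)} | Out-Null

"Instance $instanceId is launching; sign in as Admin@$($dir.Name) once the association status is Success."
```

Watch the association's status in the Systems Manager console (State Manager) before trying to sign in with the directory account: until it reports Success, the instance is still a workgroup machine and only the local Administrator password from the key pair works.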

Create a new user in the directory

After the instance launches and the domain join completes, open a Remote Desktop session to the instance and sign in with the directory's credentials rather than the local Administrator account:

  1. Connect to the instance over RDP from an address in the range that you allowed in the security group.
  2. Sign in with the directory credentials:
    User name: Admin@Domain
    Note: For example, if the directory's domain is article.awssupport.com, then the user name is Admin@article.awssupport.com.
    Password: The Admin password that you created earlier.

After the session becomes active, follow these steps to create a new user:

  1. Install Active Directory tools using the steps described in Install the Active Directory Administration Tools on Windows Server 2012 through Windows Server 2019.
  2. On the Windows EC2 instance, choose Start, Windows Administrative Tools.
  3. Open Active Directory Users and Computers. The console shows your directory domain.
  4. In the tree, expand the domain, then the organizational unit that is named after your directory's NetBIOS name, then Users. For example, if the domain is article.awssupport.com, then expand article.awssupport.com, Article, Users.
    Note: The list already contains the Admin user. Create a second user with a different name, because Admin is a reserved name in Amazon Connect.
  5. Choose Action, New, User.
  6. Enter the First name, Last name, and the user's logon name. Then, choose Next to continue.
  7. Create a password, and then confirm it.
  8. Clear User must change password at next logon and select Password never expires. Then, choose Next.
    Note: Password never expires is convenient for a test account; for production agents, apply your normal password policy instead.
  9. Choose Finish.

See Create a user for more information on the steps for creating a new user in the directory. Now you’re ready to create an instance in Amazon Connect.
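The same user-creation procedure done from PowerShell on the domain-joined instance, as an added example that is not part of the article. It installs the AD administration tools if they are missing, derives the delegated OU path (OU=Users,OU=<NetBIOS name>,...) from the domain instead of hard-coding it, refuses the reserved Admin name, and creates the account with the same password options the article selects. The user's name and logon name are placeholders.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session on the
# domain-joined instance while signed in as the directory Admin. Names are assumptions.
$ErrorActionPreference = 'Stop'

# 1. Install the AD administration tools (ADUC and the ActiveDirectory module) if absent.
if (-not (Get-WindowsFeature RSAT-AD-Tools).Installed) {
    Install-WindowsFeature RSAT-AD-Tools -IncludeAllSubFeature | Out-Null
}
Import-Module ActiveDirectory

# 2. AWS Managed Microsoft AD delegates an OU named after the NetBIOS name, e.g.
#    OU=Users,OU=Article,DC=article,DC=awssupport,DC=com. Build it from the live domain.
$domain = Get-ADDomain
$ouPath = "OU=Users,OU=$($domain.NetBIOSName),$($domain.DistinguishedName)"

# 3. Create the agent account. "Admin" is reserved in Amazon Connect, so refuse it up front.
$sam = 'jane'   # the logon name the Connect administrator enters later, without the domain
if ($sam -ieq 'admin') { throw 'Admin is reserved in Amazon Connect; choose another logon name.' }
$password = Read-Host -Prompt "Password for $sam" -AsSecureString

New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $sam -UserPrincipalName "$sam@$($domain.DNSRoot)" `
    -Path $ouPath -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true   # what the article selects; use your normal policy for production agents

# 4. Verify the account exists, is enabled, and sits in the delegated OU.
Get-ADUser -Identity $sam -Properties PasswordNeverExpires |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName, Enabled, PasswordNeverExpires
```

If New-ADUser fails with an access-denied error, you are almost certainly signed in with the local Administrator account rather than Admin@<domain>, or the join has not completed; the Admin account only has rights inside the delegated OU, which is why the path is built from the NetBIOS name rather than pointing at the domain root.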

Create an Amazon Connect instance

Follow these steps to create the instance:

  1. Log in to the Amazon Connect console with your AWS credentials.
  2. Choose Add an instance.
    Note: Choose Get Started if this is the first instance in Amazon Connect.
  3. For Identity management, select Link to an existing directory. Then, select the directory that you set up earlier from the list.
  4. Enter the Access URL. Then, choose Next to continue.
  5. For Add administrator, enter only the user's logon name (for example, Jane). Don't enter the full logon name with the directory domain.
  6. Leave the rest of the configuration as-is, and then choose Create instance.
  7. To log in to the instance, open the access URL and use the directory user name and password of the administrator that you specified.

Add and manage new users in Amazon Connect instance

Earlier you created a new user in the directory. Now add that user to the Amazon Connect instance:

  1. Open the Amazon Connect access URL and sign in with the administrator user that you specified when you created the instance.
  2. In the Amazon Connect instance dashboard, choose Users, User management.
  3. Choose Add new user from the top-right corner.
  4. Select the user that you created from the list of users.
  5. Select security profile, routing profile, and phone configuration for the new user. Choose Save from the top-right corner.
  6. Test the new user's credentials. Sign in to the Amazon Connect instance as the new user and confirm that the selected security profile grants only the permissions you intended. See Add users to Amazon Connect for more information.

Common issues during setup

This section provides guidelines to troubleshoot common problems that you might encounter during setup.

Can't sign in to the Windows EC2 instance with the directory’s Admin credentials.

Consider the following:

  • The EC2 instance isn't in the directory's network. Make sure that the EC2 instance is in one of the subnets that belong to the directory.
  • The security group of either the EC2 instance or the directory doesn't allow the traffic. When you create a directory, the system creates a default security group (directoryid_controllers) that allows the required traffic to the domain controllers. Use that security group on the directory side to rule out security-group problems.
  • Directory credentials don't work until the instance is a domain member. If the seamless join didn't complete, join the EC2 instance to the directory manually.

The Administrative tools aren't present in the EC2 instance.

A Windows Server AMI doesn't include the Active Directory administration tools by default. Install them as described in Create a new user in the directory.

The directory domain in the Windows EC2 instance isn't available in the Active Directory Users and Computers screen.

Confirm that the instance actually joined the domain and that you signed in with the directory Admin account (Admin@Domain) rather than the local Administrator account. If the instance isn't a domain member, see the previous issue.
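A set of quick checks for the issues above, added here as an example that is not part of the article. Run it in PowerShell on the Windows instance (as the local Administrator if the domain sign-in is what fails). The domain name and the domain controller addresses are placeholders; take them from the directory's details in the Directory Service console.

```powershell
# Added example (not from the article): diagnostics for a failed domain join or sign-in.
# $DomainName and $DcAddresses are assumptions; copy them from the Directory Service console.
$DomainName  = 'article.awssupport.com'
$DcAddresses = @('10.0.1.10', '10.0.2.10')   # the directory's "DNS address" values

# 1. Is the instance actually a domain member? If not, the seamless join did not complete.
$cs = Get-CimInstance Win32_ComputerSystem
"Domain member: $($cs.PartOfDomain)  (domain: $($cs.Domain))"

# 2. Can the instance find a domain controller through DNS? The join and every sign-in
#    start with this SRV lookup against the directory's DNS servers.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcAddresses[0] |
    Select-Object Name, NameTarget, Port

# 3. Are the ports a join and sign-in need open to both controllers? Any 'False' here
#    points at the security group on the instance side or on the directory side.
$ports = @{53='DNS'; 88='Kerberos'; 135='RPC'; 389='LDAP'; 445='SMB'; 464='Kerberos pw'; 636='LDAPS'}
foreach ($dc in $DcAddresses) {
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1,-4} {2,-12} {3}' -f $dc, $p, $ports[$p], $ok
    }
}

# 4. Joined, but domain sign-in still fails: verify the machine's trust with the domain.
if ($cs.PartOfDomain) { Test-ComputerSecureChannel -Verbose }
```

Read the results in that order: a workgroup machine with all ports closed means the security groups are wrong; a workgroup machine with the ports open but a failed SRV lookup means the instance isn't using the directory's DNS servers; a domain member with a broken secure channel can usually be repaired with Test-ComputerSecureChannel -Repair while signed in as the directory Admin.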


AWS OFFICIAL
Updated a year ago