How can I launch an admin EC2 to manage a managed directory in a private environment

0

Hi, we have our environment in private subnets and we can't enable public access in any of our subnets / can't go public in our environment. So, we want to launch a managed directory to use LDAP for authentication for one of our applications from this managed AD. Currently we are able to launch the managed directory in a private subnet, but when we try to launch the Administrator EC2 instance to manage AD, our execution fails at the domain join of the instance, and we get the following error: [Error snapshot]

It seems like it is trying to connect to the public IP 51.95.35.27:443, but as I stated we can't allow internet access in our environment and it needs to be private only. We are in doubt about how exactly we can domain join while launching the Administrator EC2 from the Managed Directory console. Requesting help on how to enable the admin EC2 in a private environment, or whether there is any other way to connect to the directory in a private environment?

3 answers
0

Hello! Great question and thanks for posting! How are your EC2 instances discovering the Active Directory? Are they configured to use DNS (via DHCP options sets on the VPC) or are you using Route53 (the default) and forwarding to the AD DNS servers?

This blog will help guide you to configure and select the best option: https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/

Hope this helps you! Good Luck.

AWS
answered 6 months ago
0

Could it be that you are trying to communicate with the AWS Directory Service endpoint? You will need a VPC interface endpoint for this. See: Access AWS Directory Service APIs using an interface endpoint (AWS PrivateLink)

AWS
Expert
kentrad
answered 6 months ago
0

You'll need to make sure that private DNS is configured so that EC2 instances launched look for the proper FQDN. You can test this by manually launching an instance in a private subnet, and ping the FQDN (domain.local) or whatever that might be. If that resolves to the Managed AD endpoints, you're halfway there.

You'll need the proper permissions attached to the instance profile as well. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html

Test a manual join to AD to ensure that connectivity is there as well. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html

AWS
GDAWS
answered 6 months ago
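The two diagnostics suggested in the answers above (kentrad's point that the Directory Service API must be reached through a VPC interface endpoint, and GDAWS's advice to confirm the directory FQDN resolves to the Managed AD DNS servers and that a manual join has connectivity) can be scripted as a pre-flight check run from an instance in the private subnet. The following is an added example, not code from AWS or from the thread; the region, the directory name `corp.example.local` and the DC addresses `10.0.1.10` / `10.0.2.10` are constructed placeholders, and the port list is the standard set a domain join needs rather than anything the thread itself enumerates.

```python
"""Pre-flight check for joining an EC2 instance to AWS Managed Microsoft AD
from a private subnet. It covers the two failure points discussed above:
1. ds.<region>.amazonaws.com must resolve to a private address (PrivateLink
   interface endpoint with private DNS); a public address such as the
   51.95.35.27 seen in the question means the API call would leave the VPC.
2. The directory FQDN must resolve to the directory's own DNS servers, and
   the AD ports on those servers must be reachable.
Added illustration; hostnames and IPs below are constructed placeholders.
"""
import ipaddress
import socket
from typing import Dict, List, Tuple

# TCP ports a domain join must reach on the domain controllers. The dynamic
# RPC range (49152-65535) is omitted because it cannot be probed as one port.
AD_PORTS: List[Tuple[int, str, str]] = [
    (53, "tcp", "DNS"),
    (88, "tcp", "Kerberos"),
    (135, "tcp", "RPC endpoint mapper"),
    (389, "tcp", "LDAP"),
    (445, "tcp", "SMB (SYSVOL/NETLOGON)"),
    (464, "tcp", "Kerberos password change"),
    (636, "tcp", "LDAPS"),
    (3268, "tcp", "Global catalog"),
]


def resolve(hostname: str) -> List[str]:
    """Return the sorted IPv4 addresses a hostname resolves to ([] if none)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_private_address(ip: str) -> bool:
    """True for RFC 1918-style addresses, i.e. an address inside the VPC."""
    return ipaddress.ip_address(ip).is_private


def ds_api_uses_privatelink(addresses: List[str]) -> bool:
    """All resolved addresses of ds.<region>.amazonaws.com must be private."""
    return bool(addresses) and all(is_private_address(a) for a in addresses)


def directory_dns_ok(resolved: List[str], expected_dc_ips: List[str]) -> bool:
    """The directory FQDN must resolve only to the managed directory's DCs."""
    return bool(resolved) and set(resolved) <= set(expected_dc_ips)


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect test; False on refusal, timeout or resolution failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def port_report(dc_ips: List[str], timeout: float = 2.0) -> Dict[str, List[str]]:
    """Map each DC address to the AD ports that are NOT reachable from here."""
    report: Dict[str, List[str]] = {}
    for ip in dc_ips:
        report[ip] = [f"{port}/{proto} {purpose}"
                      for port, proto, purpose in AD_PORTS
                      if not tcp_open(ip, port, timeout)]
    return report


def preflight(region: str, directory_fqdn: str,
              expected_dc_ips: List[str]) -> Dict[str, object]:
    """Run every check and return a dict the caller can print or assert on."""
    ds_addrs = resolve(f"ds.{region}.amazonaws.com")
    dc_addrs = resolve(directory_fqdn)
    return {
        "ds_api_addresses": ds_addrs,
        "ds_api_private": ds_api_uses_privatelink(ds_addrs),
        "directory_addresses": dc_addrs,
        "directory_dns_ok": directory_dns_ok(dc_addrs, expected_dc_ips),
        "blocked_ports": port_report(expected_dc_ips),
    }


if __name__ == "__main__":
    # Constructed placeholders: replace with the DNS addresses shown for your
    # directory in the Directory Service console and your directory's FQDN.
    EXPECTED_DC_IPS = ["10.0.1.10", "10.0.2.10"]
    for key, value in preflight("us-east-1", "corp.example.local",
                                EXPECTED_DC_IPS).items():
        print(f"{key}: {value}")
```

If `ds_api_private` comes back False, the interface endpoint (or its private DNS option) is what is missing; if `directory_dns_ok` is False, the VPC's DHCP options set or Route 53 Resolver forwarding rules are not pointing at the directory's DNS servers; entries under `blocked_ports` point at security group or network ACL rules between the instance subnet and the directory subnets.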
