By using AWS re:Post, you agree to the Terms of Use

How do I join a MS AD domain and still use SSM in a Private Subnet?

0

I am trying to set up SSM on Windows. I have an ASG in a private subnet (absolutely 0 internet access). I can not use NAT, only VPC endpoints. In the instance launch configuration, I have a PowerShell script that uses Set-DnsClientServerAddress so that the instance can find and join an AWS Managed MS AD service. I would also like to set up the instance so it can be fully managed with SSM.

The problem comes with the DNS Client Server Address. When I set it to match the address of the AD service SSM will not work. When I leave the DNS Client Server Address default, SSM works but I can not join the AD.

I tried forcing the SSM Agent to use the endpoints by creating a amazon-ssm-agent.json file and setting all three endpoints in there. This allowed the instance to show on the Managed Instance list, but its status never changed from pending and requests from within the instance still timed out.

I also tried adding a forward as described in this thread, however I'm either missing somethign or it is not working for my case:
https://forums.aws.amazon.com/thread.jspa?messageID=919331&#919331

Does anyone know the magic sauce to get these things all working at the same time?

Edited by: justinfueltravel on Jul 28, 2020 5:20 AM
Fixed incorrect hyperlink

1 Answers
0

It turns out that adding the forwarder as described in the link above worked. The part I was missing was joedaws comment, "I would also remove the existing 169.254.169.253 entry so that only the 10.201.0.2 ip address is in the list".

Of course, my IPs are different, but once I removed the preexisting forward so that my x.x.x.2 IP was the only one in the list (I did this for both of the AD DNS servers) the instance was discoverable by SSM.

So, I would make a minor change to the list that saugy wrote:

  1. On a domain joined windows instance, log in with AD domain Admin user
  2. Open DNS manager
  3. Connect to one of the DNS IP addresses for the AWS AD
  4. Select forwarders
  5. Add VPCs DNS IP
  6. Remove the existing IP (so you VPCs IP is the only one)
  7. Click Apply
  8. Repeat from step 3 with the other DNS IP address for the AWS AD

Also, as mentioned in the other post. This only has to be done once and the settings persist in the AD DNS.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions