

# AWS Launch Wizard for Active Directory

You can set up a new Active Directory infrastructure or add domain controllers to an existing AWS infrastructure using AWS Launch Wizard for Active Directory.

AWS Launch Wizard for Active Directory is a service that applies [AWS cloud application best practices](https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html) to guide you through setting up a new Active Directory infrastructure, or adding domain controllers to an existing infrastructure either in the AWS Cloud or on premises. The deployment environment includes various resources such as a new or existing VPC, security groups, and AWS Identity and Access Management (IAM) roles. You can set up a new Active Directory infrastructure with domain controllers on Amazon EC2 instances, add domain controllers on Amazon EC2 instances to extend your existing Active Directory infrastructure, or use AWS Directory Service for Microsoft Active Directory for a managed service experience.

Launch Wizard reduces the time that it takes to set up an Active Directory infrastructure and deploy self-managed domain controllers to the cloud or on premises. You input your domain controller requirements, including number of nodes and connectivity, on the service console, and AWS Launch Wizard identifies the right AWS resources to deploy your self-managed domain controllers. AWS Launch Wizard provides an estimated cost of deployment, and gives you the ability to modify your resources and instantly view the updated cost assessment. When you approve, AWS Launch Wizard provisions and configures the selected resources in a few hours to create fully-functioning, production-ready domain controllers. 

After you deploy your self-managed domain controllers, they are ready to use and can be accessed on the Amazon Elastic Compute Cloud (Amazon EC2) console. 

## Supported operating systems

AWS Launch Wizard for Active Directory supports the Windows Server 2022 operating system.

## Features of AWS Launch Wizard

**Topics**
+ [Simple application deployment](#launch-wizard-ad-features-app-deployment)
+ [AWS resource selection](#launch-wizard-ad-features-resource-selection)
+ [Cost estimation](#launch-wizard-ad-features-cost)
+ [SNS notification](#launch-wizard-ad-features-sns)
+ [Early input validation](#launch-wizard-ad-features-input-validation)
+ [Application resource groups for easy discoverability](#launch-wizard-ad-features-resource-groups)

### Simple application deployment


AWS Launch Wizard makes it efficient for you to deploy self-managed domain controllers and AWS Directory Service for Microsoft Active Directory on AWS. When you enter the domain controller requirements, AWS Launch Wizard deploys the necessary AWS resources for a production-ready environment. This means that you do not have to manage separate infrastructure pieces or spend time provisioning and configuring your domain controllers. 

### AWS resource selection


Launch Wizard considers the number of Active Directory users to determine the best instance type, EBS volumes, and other resources for your domain controllers. You can modify the recommended defaults. 

### Cost estimation


Launch Wizard provides a cost estimate for the complete deployment that is itemized for each individual resource being deployed. The estimated cost automatically updates each time you change a resource type configuration in the wizard. However, the provided estimates are only for general comparison. They are based on On-Demand pricing, and actual costs may be lower.

### SNS notification


You can provide an [SNS topic](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) that allows Launch Wizard to send you notifications and alerts about the status of a deployment.

### Early input validation


You can use your existing infrastructure, such as a VPC or security groups, with Launch Wizard. If that infrastructure does not meet the deployment prerequisites, the deployment fails, and when the failure occurs at a later stage of the deployment it can take more than an hour to detect. To catch these issues early in the application deployment process, Launch Wizard's validation framework verifies key infrastructure specifications before provisioning. Verification takes approximately 15 minutes. If necessary, you can then adjust your VPC configuration.

**Note**  
Some validations, such as the check of Active Directory credentials, require Launch Wizard to launch a t2.large EC2 instance in your account for a few minutes. After it runs the necessary validations, Launch Wizard terminates the instance.

### Application resource groups for easy discoverability


Launch Wizard creates a resource group for all of the AWS resources created for your domain controllers. You can manage the resources through the Amazon EC2 console or with Systems Manager. When you access Systems Manager through Launch Wizard, the resources are automatically filtered for you based on your resource group.

## Components

Self-managed domain controllers deployed with Launch Wizard include the following components:
+ A **virtual private cloud (VPC)** configured with [public and private subnets](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html#what-is-vpc-subnet) across two Availability Zones. A public subnet is a subnet whose traffic is routed to an internet gateway. If a subnet does not have a route to the internet gateway, then it is a private subnet. The VPC provides the network infrastructure for your domain controller environment.
+ **Amazon EC2 instances** on which to provision your domain controllers.
+ An **internet gateway** to provide access to the internet.
+ In the public subnets, **network address translation (NAT) gateways** for outbound internet access. If you are deploying in your preexisting VPC, Launch Wizard uses the existing NAT gateway in your VPC. For more information about NAT gateways, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).
+ **Elastic IP addresses** associated with the NAT gateway and RDGW instances. For more information about Elastic IP addresses, see [Elastic IP Addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html).
+ **CloudFormation** templates and **PowerShell** configuration scripts to perform the domain controller configuration steps.
+ **Security groups** to ensure the secure flow of traffic between the instances deployed in the VPC. For more information, see [Security Groups for Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html).
+ **AWS Secrets Manager** to protect secrets required to generate and store your Active Directory Administrator credentials. 
+ **Amazon CloudWatch Logs** to monitor, store, and access your log files produced by CloudFormation.
+ Amazon Kinesis Agent for Microsoft Windows to gather, parse, transform, and stream logs, events, and metrics to Amazon CloudWatch Logs. For more information, see [What Is Amazon Kinesis Agent for Microsoft Windows?](https://docs.aws.amazon.com/kinesis-agent-windows/latest/userguide/what-is-kinesis-agent-windows.html)

## Requirements


Your account must be configured as specified in the following table to deploy self-managed domain controllers using Launch Wizard.

To add domain controllers to an existing infrastructure, you must create a [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) connection between the two VPCs for an existing Active Directory in AWS. If you are using an existing Active Directory on premises, you must use [AWS Direct Connect](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html). To ensure that instances in the VPCs can communicate with each other, you can use either Direct Connect or [VPC Private Link](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-overview.html). For more information about VPC connectivity, see [VPN connections](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html).

[See the AWS documentation website for more details](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-active-directory-landing.html)

If you have an existing environment that uses these resources and you think that deploying domain controllers in this environment using Launch Wizard may exceed your default quotas, you can [request service quota increases](https://console.aws.amazon.com/servicequotas) for these resources. For default quotas, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

## Related services


**Topics**
+ [CloudFormation](#launch-wizard-ad-related-services-cloudformation)
+ [Amazon Simple Notification Service (SNS)](#launch-wizard-ad-related-services-sns)
+ [Amazon CloudWatch Logs](#launch-wizard-ad-related-services-cloudwatch-logs)
+ [AWS Secrets Manager](#launch-wizard-ad-related-services-secrets-manager)

### CloudFormation


[CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) is a service for modeling and setting up your AWS resources, enabling you to spend more time focusing on your applications that run in AWS. You create a template that describes all of the AWS resources that you want to use (for example, EC2 instances), and CloudFormation provisions and configures those resources for you. With Launch Wizard, you don't have to sift through CloudFormation templates to deploy your application. Instead, Launch Wizard combines infrastructure provisioning and configuration (with a CloudFormation template and PowerShell scripts) to provision a new Active Directory infrastructure or additional domain controllers in your account. For more information, see the *[AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/)*.

### Amazon Simple Notification Service (SNS)


[Amazon Simple Notification Service](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) (Amazon SNS) is a highly available, durable, secure, fully managed publish/subscribe messaging service that provides topics for high-throughput, push-based, many-to-many messaging. Using Amazon SNS topics, your publisher systems can fan out messages to a large number of subscriber endpoints and send notifications to end users using mobile push, SMS, and email. You can use Amazon SNS topics for your Launch Wizard deployments to stay up to date on deployment progress. For more information, see the *[Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/welcome.html)*.

### Amazon CloudWatch Logs


[Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis. Amazon CloudWatch Logs enables you to see all of your logs, regardless of their source, as a single and consistent flow of events ordered by time, and you can query them and sort them based on other dimensions, group them by specific fields, create custom computations with a powerful query language, and visualize log data in dashboards. Launch Wizard streams provisioning logs from all of the AWS log sources that you can view on the CloudWatch console.

### AWS Secrets Manager


With [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/) you can replace hard-coded credentials in your code, including passwords, with an API call to Secrets Manager to programmatically retrieve the secret. This helps ensure the secret can't be compromised by someone examining your code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. Launch Wizard uses Secrets Manager to join your domain controllers to Active Directory and promote them.

# How AWS Launch Wizard Active Directory works

AWS Launch Wizard provides a complete solution to provision self-managed domain controllers on Amazon EC2 instances, or AWS Directory Service for Microsoft Active Directory, in the AWS Cloud. You select **Microsoft Active Directory** in the wizard and provide the specifications, such as the required number of vCPUs or memory. Based on the infrastructure requirements that you enter, Launch Wizard automatically provisions the appropriate AWS resources in the cloud. For example, Launch Wizard recommends an appropriate instance type from the amount of vCPUs that you specify, then deploys and configures the instances.

Launch Wizard provides an estimated cost of deployment. You can modify your resources and instantly view an updated cost assessment. Once you approve, Launch Wizard validates the inputs and flags inconsistencies. After you resolve the inconsistencies, Launch Wizard provisions the resources and configures them. The result is a ready-to-use Active Directory infrastructure and domain controllers.

AWS Launch Wizard performs the following tasks to provision Active Directory domain controllers.
+ Sets up the VPC, including private and public subnets in two Availability Zones.\*
+ Configures two NAT gateways in the public subnets.\*
+ Configures private and public routes.\*
+ Enables ingress traffic into the VPC for administrative access to Remote Desktop Gateway, if specified.
+ Uses Secrets Manager to store Domain Administrator credentials.
+ Configures security groups and rules for traffic between instances.
+ Sets up and configures Active Directory sites and subnets.
+ Sets up and deploys Active Directory Certificate Services with a new Active Directory infrastructure.

\* If you deploy Launch Wizard into an existing VPC, the tasks in this list marked by asterisks are skipped.

**Topics**
+ [Deployment path](#launch-wizard-ad-deployment-options)
+ [Implementation details](#launch-wizard-ad-implementation)
+ [Domain controller launch limits](#launch-wizard-ad-limits)
+ [AWS Regions](#launch-wizard-ad-regions)

## Deployment path


Launch Wizard supports the following deployment path for provisioning self-managed domain controllers or AWS Managed Microsoft AD.

### Deploy and manage your own domain controllers on Amazon EC2 instances


Launch Wizard builds the AWS Cloud infrastructure, and sets up and configures Active Directory Domain Services (AD DS) and Active Directory-integrated DNS on the AWS Cloud. For self-managed domain controllers, you handle all AD DS maintenance and monitoring tasks. You can deploy the domain controllers or AWS Managed Microsoft AD into a new or existing VPC infrastructure.

## Implementation details

This section describes how Launch Wizard implements an Active Directory Domain Services (AD DS) deployment in the AWS Cloud. It includes details about how to use Amazon Virtual Private Cloud (Amazon VPC) to define your networks in the cloud, and information about domain controller placement, Active Directory Sites and Services configuration, and how DNS and DHCP work in a VPC.

**Topics**
+ [VPC](#launch-wizard-ad-implementation-vpc)
+ [Security groups](#launch-wizard-ad-implementation-sg)
+ [Remote Desktop Gateway](#launch-wizard-ad-implementation-rdg)
+ [Active Directory](#launch-wizard-ad-implementation-ad)
+ [Self-managed domain controller architecture](#launch-wizard-ad-architecture)

### VPC

You can define a virtual network topology that closely resembles a traditional on-premises network using Amazon VPC. A VPC can span multiple Availability Zones to place independent infrastructure in physically separate locations. A multi-Availability Zone deployment provides high availability and fault tolerance. Launch Wizard provisions domain controllers in two Availability Zones to provide highly available, low-latency access to AD DS services in the AWS Cloud.

Launch Wizard can build a new VPC for the deployment, or deploy into an existing VPC. To accommodate highly available AD DS in the AWS Cloud, Launch Wizard builds (or requires, in the case of existing VPCs) a base Amazon VPC configuration that complies with the following AWS best practices: 
+ Domain controllers must be placed in a minimum of two Availability Zones to provide high availability. 
+ Domain controllers and other non-internet facing servers must be placed in private subnets. 
+ Launched instances require internet access to connect to the CloudFormation endpoint during the bootstrapping process. To support this configuration, public subnets are used to host NAT gateways for outbound internet access. Remote Desktop Gateways are also deployed into the public subnets for remote administration. Other components such as reverse proxy servers can be placed into these public subnets, if needed. 

This VPC architecture uses two Availability Zones, each with its own distinct public and private subnets. We recommend that you leave plenty of unallocated address space to support the growth of your environment over time and to reduce the complexity of your VPC subnet design. Launch Wizard uses a default VPC configuration that provides plenty of address space by using the minimum number of private and public subnets. By default, Launch Wizard uses the following CIDR ranges.

[See the AWS documentation website for more details](http://docs.aws.amazon.com/launchwizard/latest/userguide/how-launch-wizard-ad-works.html)

In addition, Launch Wizard provisions spare capacity for additional subnets to support your environment as it grows or changes over time. If you have sensitive workloads that must be completely isolated from the internet, you can create new VPC subnets using these optional address spaces.

### Security groups

Amazon EC2 instances must be associated with a security group, which acts as a stateful firewall. You control the network traffic entering or leaving the security group, and you can create rules that are defined by protocol, port number, and source/destination IP address, or other security groups. By default, all egress traffic from a security group is permitted. However, ingress traffic must be configured to allow the desired traffic to reach your instances. 

The [Securing the Microsoft Platform on Amazon Web Services whitepaper](https://d1.awsstatic.com/whitepapers/aws-microsoft-platform-security.pdf?trk=wp_card) explains the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers by using security groups. We recommend that you tightly control ingress traffic in order to reduce the attack surface of your Amazon EC2 instances.

If you are deploying and managing your own AD DS installation, domain controllers and member servers will require several security group rules to allow traffic for services. These rules include AD DS replication, user authentication, Windows Time services, and Distributed File System (DFS). You should also consider restricting these rules to specific IP subnets that are used within your VPC. 

For a detailed list of port mappings used by CloudFormation, see [Security best practices](launch-wizard-ad-best-practices.md#launch-wizard-ad-security) in this guide.

For a complete list of ports, see [Active Directory and Active Directory Domain Services Port Requirements](http://technet.microsoft.com/library/dd772723(v=ws.10).aspx) in the Microsoft TechNet Library and [How to configure a firewall for Active Directory domains and trusts](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts) for forest trusts. For guidance on implementing rules, see [Adding Rules to a Security Group](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule) in the *Amazon EC2 User Guide*.

### Remote Desktop Gateway

When you design your architecture for highly available AD DS, you should also design for highly available and secure remote access. Launch Wizard optionally allows for deployment of a Remote Desktop (RD) Gateway server to manage your AD DS instances.

RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote administrators on the internet and Windows-based Amazon EC2 instances, without the need for a virtual private network (VPN) connection. This configuration reduces the attack surface of your Windows-based Amazon EC2 instances, while providing a remote administration solution for administrators. 

**Important**  
Never open up RDP to the entire internet even temporarily or for testing purposes. Always restrict ports and source traffic to the minimum necessary to support the functionality of the application.
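The two rules this section and the preceding one state (AD DS ports reachable only from subnets inside the VPC or from another security group, and RDP never reachable from the whole internet) can be checked mechanically against a security group before you rely on it. The following Python script is an added example and is not part of Launch Wizard or the AWS documentation: it audits constructed sample data in the shape of `aws ec2 describe-security-groups` output. The group IDs, the VPC CIDR block, and the port list (core AD DS ports from the Microsoft port-requirements article linked above, with TCP 49152-65535 treated as the dynamic RPC range) are assumptions made for the example.

```python
"""Audit security group ingress rules for self-managed AD DS domain controllers.

Added example; not Launch Wizard's or AWS's code. It encodes two points from
this guide: RDP (tcp/3389) must never be reachable from the whole internet,
and AD DS service ports should be reachable only from subnets inside the VPC
or from other security groups. The group descriptions below are constructed
sample data shaped like `aws ec2 describe-security-groups` output; the group
IDs and CIDRs are placeholders.
"""
import ipaddress

# Core AD DS ports from the Microsoft port-requirements article this guide
# links to: DNS, Kerberos, W32Time, RPC endpoint mapper, LDAP/LDAPS, SMB,
# Kerberos password change, and Global Catalog. The dynamic RPC range used by
# replication is checked separately as a range.
AD_DS_PORTS = {
    ("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("udp", 123),
    ("tcp", 135), ("tcp", 389), ("udp", 389), ("tcp", 445),
    ("tcp", 464), ("udp", 464), ("tcp", 636), ("tcp", 3268), ("tcp", 3269),
}
RPC_DYNAMIC = ("tcp", 49152, 65535)
RDP_PORT = 3389
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")
ANY_IPV6 = ipaddress.ip_network("::/0")


def rule_covers(rule, proto, port):
    """True if one IpPermissions entry allows traffic on proto/port."""
    rule_proto = rule.get("IpProtocol")
    if rule_proto == "-1":                  # "-1" means all protocols and ports
        return True
    if rule_proto != proto:
        return False
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    return (lo, hi) == (-1, -1) or lo <= port <= hi


def exposed_ad_ports(rule):
    """AD DS ports (plus the RPC dynamic range) that one rule opens."""
    ports = sorted(p for p in AD_DS_PORTS if rule_covers(rule, *p))
    proto, lo, hi = RPC_DYNAMIC
    if rule_covers(rule, proto, lo) or rule_covers(rule, proto, hi):
        ports.append((proto, f"{lo}-{hi}"))
    return ports


def audit_security_group(group, vpc_cidrs):
    """Return (severity, message) findings for one security group.

    vpc_cidrs lists the VPC's CIDR blocks; a CIDR source that is not a subnet
    of one of them counts as outside the VPC. Sources that reference another
    security group (UserIdGroupPairs) are the tier-isolation pattern the guide
    recommends and produce no finding.
    """
    vpc_nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    gid = group["GroupId"]
    findings = []
    for rule in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for src in sources:
            net = ipaddress.ip_network(src)
            if net in (ANY_IPV4, ANY_IPV6):
                if rule.get("IpProtocol") == "-1":
                    findings.append(("HIGH", f"{gid}: all traffic open to {src}"))
                elif rule_covers(rule, "tcp", RDP_PORT):
                    findings.append(("HIGH", f"{gid}: RDP tcp/{RDP_PORT} open to {src}"))
            inside_vpc = any(net.version == v.version and net.subnet_of(v)
                             for v in vpc_nets)
            if not inside_vpc:
                exposed = exposed_ad_ports(rule)
                if exposed:
                    findings.append(("MEDIUM", f"{gid}: AD DS ports {exposed} "
                                     f"reachable from {src}, which is outside the VPC"))
    return findings


def make_rule(proto, lo, hi, cidr=None, sg=None):
    """Build one IpPermissions entry (constructed sample data)."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": sg}] if sg else []}


VPC_CIDRS = ["10.0.0.0/16"]                 # placeholder VPC CIDR block

# Weak: RDP from anywhere, and every TCP port from a /8 wider than the VPC.
WEAK_SG = {"GroupId": "sg-weak-placeholder", "IpPermissions": [
    make_rule("tcp", 3389, 3389, cidr="0.0.0.0/0"),
    make_rule("tcp", 0, 65535, cidr="10.0.0.0/8"),
]}

# Hardened: RDP only from the RD Gateway's security group; AD DS ports only
# from the VPC's own address range.
HARDENED_SG = {"GroupId": "sg-hardened-placeholder", "IpPermissions": [
    make_rule("tcp", 3389, 3389, sg="sg-rdgw-placeholder"),
    make_rule("tcp", 88, 88, cidr="10.0.0.0/16"),
    make_rule("tcp", 389, 389, cidr="10.0.0.0/16"),
    make_rule("tcp", 445, 445, cidr="10.0.0.0/16"),
    make_rule("tcp", 49152, 65535, cidr="10.0.0.0/16"),
]}

if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        results = audit_security_group(sg, VPC_CIDRS)
        for severity, message in results or [("OK", f"{sg['GroupId']}: no findings")]:
            print(severity, message)
```

The weak group produces a HIGH finding for RDP from `0.0.0.0/0` and a MEDIUM finding because its `10.0.0.0/8` source is wider than the VPC's `10.0.0.0/16`; the hardened group produces none, since its RDP rule references the gateway's security group and its AD DS rules stay inside the VPC CIDR. To run it against a real account, replace the constructed dictionaries with the `SecurityGroups` entries returned by `describe-security-groups` and the VPC's actual `CidrBlock` values.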

### Active Directory

This section provides information about key design considerations specific to a Launch Wizard deployment of Active Directory Domain Services (AD DS) domain controllers on AWS.

**Topics**
+ [Highly available directory domain services](#launch-wizard-ad-implementation-domain-controllers)
+ [Active Directory DNS and DHCP inside the VPC](#launch-wizard-ad-implementation-dns-dhcp)
+ [DNS settings on Windows Server instances](#launch-wizard-ad-dns-settings)
+ [Active Directory Certificate Services](#launch-wizard-ad-adcs)

#### Highly available directory domain services


Launch Wizard deploys two domain controllers in your AWS environment in two Availability Zones. This design provides fault tolerance and prevents a single domain controller failure from affecting the availability of the AD DS. 

To strengthen the high availability of your architecture and help mitigate the impact of a possible disaster, each domain controller deployed by Launch Wizard is a global catalog server and an Active Directory DNS server. 

When you choose to deploy self-managed domain controllers to the AWS Cloud, Launch Wizard automatically builds out an Active Directory Sites and Services configuration that supports a highly available AD DS architecture.

For information about creating sites, adding global catalog servers, and creating and managing site links, see the [Microsoft Active Directory Sites and Services](http://technet.microsoft.com/library/cc730868.aspx) documentation.

#### Active Directory DNS and DHCP inside the VPC


Dynamic Host Configuration Protocol (DHCP) services are provided by default for your instances within a VPC. DHCP scopes do not need to be managed; they are created for the VPC subnets you define when you deploy your solution. These DHCP services cannot be disabled, so you must use them rather than deploying your own DHCP server. 

The VPC also provides an internal DNS server. This DNS provides instances with basic name resolution services for internet access and is crucial for access to AWS service endpoints, such as CloudFormation and Amazon S3 during bootstrapping.

Amazon-provided DNS server settings will be assigned to instances launched into the VPC based on a DHCP options set. DHCP options sets are used within an Amazon VPC to define scope options, such as the domain name or the name servers that should be handed to your instances via DHCP. Amazon-provided DNS is used only for public DNS resolution. 

Because Amazon-provided DNS cannot be used to provide name resolution services for Active Directory, you must ensure that domain-joined Windows instances are configured to use Active Directory DNS. 

Launch Wizard statically assigns Active Directory DNS server addresses on Windows instances. You can alternatively specify them using a custom DHCP options set. This allows you to assign your Active Directory DNS suffix and DNS server IP addresses as the name servers within the VPC through DHCP.

**Note**  
The IP addresses in the `domain-name-servers` field are always returned in the same order. If the first DNS server in the list fails, instances should fall back to the second IP and continue to resolve host names successfully. However, during normal operations, the first DNS server listed will always handle DNS requests. If you want to ensure that DNS queries are distributed evenly across multiple servers, you should consider statically configuring DNS server settings on your instances.

For more information about creating a custom DHCP options set and associating it with your VPC, see [Working with DHCP Options Sets](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html#DHCPOptionSet) in the *Amazon VPC User Guide*.

**Note**  
If you choose to deploy self-managed domain controllers in the AWS Cloud, Launch Wizard adds the DNS suffix for your domain to the DNS suffixes list. The DNS settings on the local server point to the IP address of the first domain controller for all of the domain controllers in the infrastructure.
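A custom DHCP options set is the VPC-wide alternative to statically configured resolvers described above, and it is easy to get wrong: the default options set hands out Amazon-provided DNS, which never resolves Active Directory names, and the server list is returned in a fixed order. The following Python script is an added example, not part of Launch Wizard or the AWS documentation. It audits constructed sample data shaped like `aws ec2 describe-dhcp-options` output and builds the `--dhcp-configurations` value for `aws ec2 create-dhcp-options`; the DNS suffix, domain controller addresses and options-set IDs are placeholders.

```python
"""Check a VPC DHCP options set against the AD DNS guidance in this guide.

Added example; not Launch Wizard's or AWS's code. Amazon-provided DNS resolves
only public names, so domain-joined instances must point at Active Directory
DNS, either statically or through a custom DHCP options set whose domain-name
is the AD DNS suffix and whose domain-name-servers are the domain controllers.
The options sets below are constructed sample data shaped like
`aws ec2 describe-dhcp-options` output; the suffix, addresses and IDs are
placeholders.
"""
import ipaddress

AMAZON_DNS = "AmazonProvidedDNS"   # value AWS uses for its default resolver


def dhcp_config(options_set):
    """Flatten DhcpConfigurations into {key: [value, ...]}."""
    return {item["Key"]: [v["Value"] for v in item.get("Values", [])]
            for item in options_set.get("DhcpConfigurations", [])}


def audit_dhcp_options(options_set, ad_suffix, dc_addresses):
    """Return (severity, message) findings for one DHCP options set."""
    cfg = dhcp_config(options_set)
    oid = options_set.get("DhcpOptionsId", "<unknown>")
    servers = cfg.get("domain-name-servers", [])
    findings = []
    if not servers or AMAZON_DNS in servers:
        findings.append(("HIGH", f"{oid}: instances receive Amazon-provided DNS, "
                         "which does not resolve Active Directory names"))
    else:
        unknown = [s for s in servers if s not in dc_addresses]
        if unknown:
            findings.append(("MEDIUM", f"{oid}: name servers {unknown} are not "
                             "domain controllers"))
        if len(servers) < 2:
            findings.append(("MEDIUM", f"{oid}: a single name server leaves no "
                             "fallback if it fails"))
        else:
            # The list is handed out in a fixed order, so the first server
            # answers every query while it is healthy (see the note above).
            findings.append(("INFO", f"{oid}: {servers[0]} answers all queries in "
                             f"normal operation; {servers[1:]} only on failure"))
    domain = cfg.get("domain-name", [])
    if domain != [ad_suffix]:
        findings.append(("MEDIUM", f"{oid}: domain-name {domain} does not match "
                         f"the AD DNS suffix {ad_suffix!r}"))
    return findings


def build_dhcp_options(ad_suffix, dc_addresses):
    """Return the --dhcp-configurations value for `aws ec2 create-dhcp-options`."""
    for addr in dc_addresses:
        ipaddress.ip_address(addr)      # raise early on a malformed address
    return [{"Key": "domain-name", "Values": [ad_suffix]},
            {"Key": "domain-name-servers", "Values": list(dc_addresses)}]


AD_SUFFIX = "corp.example.com"                  # placeholder AD DNS suffix
DC_ADDRESSES = ["10.0.0.10", "10.0.32.10"]      # placeholder domain controller IPs

# The options set a new VPC gets by default (constructed sample).
DEFAULT_OPTIONS = {"DhcpOptionsId": "dopt-default-placeholder", "DhcpConfigurations": [
    {"Key": "domain-name", "Values": [{"Value": "eu-west-1.compute.internal"}]},
    {"Key": "domain-name-servers", "Values": [{"Value": AMAZON_DNS}]},
]}

# A custom options set pointing domain-joined instances at the domain controllers.
AD_OPTIONS = {"DhcpOptionsId": "dopt-ad-placeholder", "DhcpConfigurations": [
    {"Key": "domain-name", "Values": [{"Value": AD_SUFFIX}]},
    {"Key": "domain-name-servers", "Values": [{"Value": a} for a in DC_ADDRESSES]},
]}

if __name__ == "__main__":
    for opts in (DEFAULT_OPTIONS, AD_OPTIONS):
        for severity, message in audit_dhcp_options(opts, AD_SUFFIX, DC_ADDRESSES):
            print(severity, message)
    print(build_dhcp_options(AD_SUFFIX, DC_ADDRESSES))
```

The default options set yields a HIGH finding (Amazon-provided DNS) and a MEDIUM finding (suffix mismatch); the AD options set yields only the INFO line reminding you that the first listed domain controller takes every query in normal operation, which is the reason the note above suggests static resolver settings when you want queries spread across both domain controllers.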

#### DNS settings on Windows Server instances


To ensure that domain-joined Windows instances automatically register host (A) and reverse lookup (PTR) records with Active Directory-integrated DNS, set the properties of the network connection as shown in the following image. 

![Advanced TCP/IP settings on a domain-joined Windows instance](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/tcp-ip.png)


The default configuration for a network connection is set to automatically register the connection's address in DNS. In other words, the **Register this connection's addresses in DNS** option is selected for you automatically. This takes care of host (A) record dynamic registration. However, if you do not also select the second option, **Use this connection's DNS suffix in DNS registration**, dynamic registration of PTR records will not occur.

If you have a small number of instances in the VPC, you may choose to manually configure the network connection. For larger fleets, you can push this setting out to all of your Windows instances by using Active Directory Group Policy. For instructions about how to do this, see [IPv4 and IPv6 Advanced DNS Tab](http://technet.microsoft.com/library/cc754143.aspx) in the Microsoft TechNet Library.

#### Active Directory Certificate Services


Launch Wizard sets up and deploys Active Directory Certificate Services (AD CS) with a new Active Directory infrastructure to issue and manage digital certificates in systems that use public key technologies. For more information about AD CS, see the [Microsoft documentation](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831740(v=ws.11)#role-description).

### Self-managed domain controller architecture

The Launch Wizard self-managed domain controller deployment sets up the following architecture.
+ Domain controllers are deployed into two private VPC subnets in separate Availability Zones, which makes AD DS highly available.
+ NAT gateways are deployed to public subnets, providing outbound internet access for instances in private subnets.
+ Remote Desktop gateways are deployed in an Auto Scaling group in one Availability Zone to allow access to the domain controllers.

Launch Wizard deploys AWS resources, including a Systems Manager Automation document. When the second node is deployed, it starts the Automation document through Amazon EC2 user data. The automation workflow deploys the required components, finalizes the configuration to create a new AD forest, and promotes the instances in both Availability Zones to Active Directory domain controllers.

To view architectural diagrams showing best practices for setting up an AD DS environment, see [Active Directory Domain Services on AWS](https://aws.amazon.com/quickstart/architecture/active-directory-ds/).

## Domain controller launch limits


A single Launch Wizard deployment for Active Directory launches two domain controllers per AWS Region. If you want to add more domain controllers, you can create additional Launch Wizard for Active Directory deployments to add them to the same Active Directory infrastructure. For more information, see [Extend on-premises Active Directory to an existing VPC](launch-wizard-ad-deploying-existing-vpc-extend.md).

## AWS Regions


Launch Wizard uses various AWS services during the provisioning of the application's environment. Not every workload is supported in all AWS Regions. For a current list of Regions where the workload can be provisioned, see [AWS Launch Wizard workload availability](launch-wizard-workload-availability.md).

# Get started with AWS Launch Wizard for Active Directory
**AWS Launch Wizard for Active Directory support for no rollback on failure**  
When you select **No rollback on failure** for your AWS Launch Wizard deployments, if a deployment fails, Launch Wizard does not delete the AWS resources that were created for the deployment.

This section contains information to set up your environment for Launch Wizard to deploy domain controllers.

**Topics**
+ [Accessing AWS Launch Wizard Active Directory](#accessing-launch-wizard-ad)
+ [Specialized knowledge](#launch-wizard-ad-specialized-knowledge)
+ [Amazon Web Services account](#launch-wizard-ad-aws-account)
+ [Technical requirements](#launch-wizard-ad-technical-requirements)
+ [Service Quotas](#launch-wizard-ad-resource-quotas)
+ [IAM permissions](#launch-wizard-ad-iam-permissions)
+ [Active Directory deployment options](#launch-wizard-ad-setup)

## Accessing AWS Launch Wizard Active Directory


You can launch AWS Launch Wizard from the AWS Launch Wizard console located at [https://console.aws.amazon.com/launchwizard](https://console.aws.amazon.com/launchwizard).

## Specialized knowledge


This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see [Getting Started Resource Center](https://aws.amazon.com/getting-started) and [AWS Training and Certification](https://aws.amazon.com/training). These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Launch Wizard deployment assumes familiarity with Active Directory concepts and usage.

## Amazon Web Services account


### Sign up for an AWS account


If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

### Create a user with administrative access


After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Technical requirements


Before you start the Launch Wizard deployment, review the following information and make sure that your account is properly configured. Otherwise, deployment might fail. 

## Service Quotas


If necessary, [request service quota increases](https://console.aws.amazon.com/servicequotas/) for the resources deployed by Launch Wizard. You might need to request increases if your existing deployment currently uses these resources and if this Launch Wizard deployment could result in exceeding the default quotas. The [Service Quotas console](https://console.aws.amazon.com/servicequotas/) displays your usage and quotas for some aspects of some services. For more information, see [What is Service Quotas?](https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html) and [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

## IAM permissions


Before deploying the Launch Wizard application, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The *AdministratorAccess* managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html).

## Active Directory deployment options

This section describes the configuration that is performed when domain controllers are deployed into a new or existing VPC. You can deploy a new Active Directory infrastructure on Amazon EC2, deploy a new AWS Managed Microsoft AD, or extend an existing on-premises Active Directory into the AWS Cloud.

### Active Directory configurations


When you use Launch Wizard to deploy Active Directory, the following key operations are performed. These operations result in the creation of new records or entries in Active Directory.
+ When you create a new Active Directory domain, Launch Wizard creates two new Amazon EC2 instances and promotes the servers to domain controllers in your domain.
+ When you extend an existing Active Directory domain, Launch Wizard creates two new Amazon EC2 instances and optionally joins them to the domain.
+ When you create an AWS Managed Microsoft AD, Launch Wizard deploys the managed directory.
+ All deployment types create ingress and egress rules to communicate with your domain controllers.

### On-premises Active Directory through Direct Connect


If you are deploying domain controllers to extend an on-premises Active Directory into an existing VPC, ensure that the following prerequisites are in place.
+ Make sure that you have connectivity between your AWS account and your on-premises network. You can establish a dedicated network connection from your on-premises network to your AWS account with Direct Connect. For more information, see [the AWS Direct Connect documentation](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html). 
+ The domain functional level of your Active Directory domain controller must be Windows Server 2012 or later.
+ The IP addresses of your DNS server must be either in the same VPC CIDR range as the one in which your Launch Wizard domain controllers will be created, or in the private IP address range. 
+ The firewall on the Active Directory domain controllers should allow connections from the VPC from which you will create the Launch Wizard deployment. At a minimum, your configuration should include the ports listed in [How to configure a firewall for Active Directory domains and trusts](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts).

You can optionally perform the following step.
+ Establish DNS resolution across your environments. For options on how to set this up, see [How to Set Up DNS Resolution Between On-Premises Networks and AWS using Directory Service and Amazon Route 53](https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/) or [How to Set Up DNS Resolution Between On-Premises Networks and AWS Using Directory Service and Microsoft Active Directory](https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-microsoft-active-directory/).
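The prerequisites above can be checked locally before you start a deployment, so that a mismatch is caught before the deployment fails. The following is an added example and not AWS or Launch Wizard code; it assumes you already know the VPC CIDR, the on-premises DNS server addresses, and the domain functional level as reported by the ActiveDirectory PowerShell module in `(Get-ADDomain).DomainMode`, it reads "private IP address range" as RFC 1918, and it does not test connectivity or firewall rules (those must be verified from the VPC itself).

```python
"""Pre-flight check for the on-premises Active Directory prerequisites.

Added example, not AWS or Launch Wizard code. It evaluates the values you
already know before the deployment and returns the prerequisites that are
not met. Connectivity and firewall rules are out of scope here.
"""
from __future__ import annotations

import ipaddress

# "Private IP address range" in the prerequisites is read here as RFC 1918.
PRIVATE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Domain functional levels in ascending order, using the names the
# ActiveDirectory PowerShell module reports in (Get-ADDomain).DomainMode.
DOMAIN_MODES = [
    "Windows2000Domain",
    "Windows2003InterimDomain",
    "Windows2003Domain",
    "Windows2008Domain",
    "Windows2008R2Domain",
    "Windows2012Domain",
    "Windows2012R2Domain",
    "Windows2016Domain",
]
MIN_DOMAIN_MODE = "Windows2012Domain"  # Launch Wizard requires 2012 or later


def classify_dns_server(ip_str: str, vpc_cidr: str) -> str:
    """Return 'vpc' if the DNS server is inside the VPC CIDR, 'private' if it
    is in an RFC 1918 range, otherwise 'public'. Raises ValueError on a
    malformed address or CIDR."""
    ip = ipaddress.ip_address(ip_str)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if ip in vpc:
        return "vpc"
    if any(ip in rng for rng in PRIVATE_RANGES):
        return "private"
    return "public"


def domain_mode_ok(mode: str) -> bool:
    """True when the reported domain functional level is 2012 or later.
    An unrecognized level name raises ValueError so that it is reported
    rather than silently accepted."""
    if mode not in DOMAIN_MODES:
        raise ValueError(f"unrecognized domain functional level: {mode}")
    return DOMAIN_MODES.index(mode) >= DOMAIN_MODES.index(MIN_DOMAIN_MODE)


def preflight(vpc_cidr: str, dns_servers: list[str], domain_mode: str) -> list[str]:
    """Evaluate the prerequisites and return a list of findings; an empty
    list means every check passed."""
    findings: list[str] = []
    try:
        ipaddress.ip_network(vpc_cidr, strict=False)
    except ValueError:
        return [f"VPC CIDR {vpc_cidr!r} is not a valid network"]
    if not dns_servers:
        findings.append("no on-premises DNS server addresses were supplied")
    for server in dns_servers:
        try:
            placement = classify_dns_server(server, vpc_cidr)
        except ValueError:
            findings.append(f"DNS server {server!r} is not a valid IP address")
            continue
        if placement == "public":
            findings.append(
                f"DNS server {server} is neither in VPC CIDR {vpc_cidr} "
                "nor in a private range"
            )
    try:
        if not domain_mode_ok(domain_mode):
            findings.append(
                f"domain functional level {domain_mode} is below {MIN_DOMAIN_MODE}"
            )
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    # Constructed sample input: a 10.0.0.0/16 VPC, one DNS server inside it,
    # one in another private range, and a domain at the 2016 functional level.
    problems = preflight("10.0.0.0/16", ["10.0.1.10", "192.168.50.5"], "Windows2016Domain")
    for finding in problems:
        print("FAIL:", finding)
    if not problems:
        print("all prerequisites met")
```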

# Deploy Active Directory to a new VPC (Console)

You can use AWS Launch Wizard to deploy Active Directory to a new virtual private cloud (VPC) as a self-managed directory on Amazon Elastic Compute Cloud instances, extend your existing Active Directory into a new VPC with Amazon EC2 instances, or create an AWS Directory Service for Microsoft Active Directory directory in a new VPC.

**Contents**
+ [Deploy self-managed Active Directory to a new VPC](launch-wizard-ad-deploying-new-vpc-self-managed.md)
+ [Extend an existing Active Directory to a new VPC](launch-wizard-ad-deploying-new-vpc-extend.md)
+ [Deploy AWS Directory Service for Microsoft Active Directory to a new VPC](launch-wizard-ad-deploying-new-vpc-managed-ad.md)

# Deploy self-managed Active Directory to a new VPC

The following steps guide you through an Active Directory deployment with AWS Launch Wizard after you have launched it from the console for a new VPC.

1. On the Launch Wizard Console's landing page, use the **Choose application** button. This opens the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Active Directory**, select **Deploy self-managed AD into a new VPC**, then select **Create deployment**.

1. Review and acknowledge that the required IAM permissions are met before proceeding. For more information, see [Identity and Access Management for AWS Launch Wizard](launch-wizard-security.md#identity-access-management).

1. On the **Configure application settings** page, you are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General settings ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (Amazon SNS) topic ARN — optional**. Specify an Amazon SNS topic where Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-self-managed.html)

------
#### [ Amazon EC2 configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-self-managed.html)

------
#### [ Microsoft Active Directory Domain Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-self-managed.html)

------
#### [ Microsoft Active Directory Certificate Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-self-managed.html)

------
#### [ Microsoft Remote Desktop Gateway configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-self-managed.html)

------

1. When you are satisfied with your application settings, choose **Next**. If you don't want to complete the configuration, choose **Cancel**. When you choose **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To return to the previous screen, choose **Previous**.

1. On the **Configure infrastructure settings** page, you are prompted to define the infrastructure settings for the new deployment. The following tab provides information about the input fields.

------
#### [ Storage and compute ]

   You can choose to select your instances, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If you don't select either option, default values are assigned. Launch Wizard will display the estimated charges incurred to deploy the application based on suggested infrastructure and also based on static values.
   + **Based on infrastructure suggestion**. Launch Wizard displays the suggested resources for the deployment. You can specify your performance requirements of the resources to update the recommendation.
     + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
     + **Network performance**. Choose your preferred network performance in Gbps.
     + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
     + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure settings.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.
   + **Based on static values**. You can specify the instance types for the resources used in your deployment. If you don't select either option, default values are assigned.
     + **Instance type**. You can choose your instance type from the dropdown list, or you can use AWS recommended resources.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.

------

1. When you are satisfied with your infrastructure settings, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you if you need to address any issues. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments. 

1. When your deployment is ready, a notification informs you that your application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Extend an existing Active Directory to a new VPC

The following steps guide you through an Active Directory deployment with AWS Launch Wizard after you have launched it from the console for a new VPC.

1. On the Launch Wizard Console's landing page, use the **Choose application** button. This opens the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Active Directory**, select **Extend on-premises AD into a new VPC**, then select **Create deployment**.

1. Review and acknowledge that the required IAM permissions are met before proceeding. For more information, see [Identity and Access Management for AWS Launch Wizard](launch-wizard-security.md#identity-access-management).

1. On the **Configure application settings** page, you are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General settings ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (Amazon SNS) topic ARN — optional**. Specify an Amazon SNS topic where Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-extend.html)

------
#### [ Amazon EC2 configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-extend.html)

------
#### [ Microsoft Active Directory Domain Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-extend.html)

------
#### [ Microsoft Remote Desktop Gateway configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-extend.html)

------

1. When you are satisfied with your application settings, choose **Next**. If you don't want to complete the configuration, choose **Cancel**. When you choose **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To return to the previous screen, choose **Previous**.

1. On the **Configure infrastructure settings** page, you are prompted to define the infrastructure settings for the new deployment. The following tab provides information about the input fields.

------
#### [ Storage and compute ]

   You can choose to select your instances, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If you don't select either option, default values are assigned. Launch Wizard will display the estimated charges incurred to deploy the application based on suggested infrastructure and also based on static values.
   + **Based on infrastructure suggestion**. Launch Wizard displays the suggested resources for the deployment. You can specify your performance requirements of the resources to update the recommendation.
     + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
     + **Network performance**. Choose your preferred network performance in Gbps.
     + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
     + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure settings.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.
   + **Based on static values**. You can specify the instance types for the resources used in your deployment. If you don't select either option, default values are assigned.
     + **Instance type**. You can choose your instance type from the dropdown list, or you can use AWS recommended resources.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.

------

1. When you are satisfied with your infrastructure settings, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you if you need to address any issues. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments. 

1. When your deployment is ready, a notification informs you that your application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Deploy AWS Directory Service for Microsoft Active Directory to a new VPC

The following steps guide you through an Active Directory deployment with AWS Launch Wizard after you have launched it from the console for a new VPC.

1. On the Launch Wizard Console's landing page, use the **Choose application** button. This opens the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Active Directory**, select **Deploy AWS Managed Microsoft AD into a new VPC**, then select **Create deployment**.

1. Review and acknowledge that the required IAM permissions are met before proceeding. For more information, see [Identity and Access Management for AWS Launch Wizard](launch-wizard-security.md#identity-access-management).

1. On the **Configure application settings** page, you are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General settings ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (Amazon SNS) topic ARN — optional**. Specify an Amazon SNS topic where Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-managed-ad.html)

------
#### [ Amazon EC2 configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-managed-ad.html)

------
#### [ Microsoft Active Directory configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-managed-ad.html)

------
#### [ Microsoft Windows Server management instance ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-managed-ad.html)

------
#### [ Microsoft Active Directory Certificate Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-managed-ad.html)

------
#### [ Microsoft Remote Desktop Gateway configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-new-vpc-managed-ad.html)

------

1. When you are satisfied with your application settings, choose **Next**. If you don't want to complete the configuration, choose **Cancel**. When you choose **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To return to the previous screen, choose **Previous**.

1. On the **Configure infrastructure settings** page, you are prompted to define the infrastructure settings for the new deployment. The following tab provides information about the input fields.

------
#### [ Storage and compute ]

   You can choose to select your instances, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If you don't select either option, default values are assigned. Launch Wizard will display the estimated charges incurred to deploy the application based on suggested infrastructure and also based on static values.
   + **Based on infrastructure suggestion**. Launch Wizard displays the suggested resources for the deployment. You can specify your performance requirements of the resources to update the recommendation.
     + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
     + **Network performance**. Choose your preferred network performance in Gbps.
     + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
     + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure settings.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.
   + **Based on static values**. You can specify the instance types for the resources used in your deployment. If you don't select either option, default values are assigned.
     + **Instance type**. You can choose your instance type from the dropdown list, or you can use AWS recommended resources.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.

------

1. When you are satisfied with your infrastructure settings, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you if you need to address any issues. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments. 

1. When your deployment is ready, a notification informs you that your application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Deploy Active Directory to an existing VPC (Console)

You can use AWS Launch Wizard to deploy Active Directory to an existing virtual private cloud (VPC) as a self-managed directory on Amazon Elastic Compute Cloud instances, extend your existing Active Directory into an existing VPC with Amazon EC2 instances, or create an AWS Directory Service for Microsoft Active Directory directory in an existing VPC.

**Contents**
+ [Deploy self-managed Active Directory to an existing VPC](launch-wizard-ad-deploying-existing-vpc-self-managed.md)
+ [Extend on-premises Active Directory to an existing VPC](launch-wizard-ad-deploying-existing-vpc-extend.md)
+ [Deploy AWS Directory Service for Microsoft Active Directory to an existing VPC](launch-wizard-ad-deploying-existing-vpc-managed-ad.md)

# Deploy self-managed Active Directory to an existing VPC

The following steps guide you through an Active Directory deployment with AWS Launch Wizard after you have launched it from the console for an existing VPC.

1. On the Launch Wizard Console's landing page, use the **Choose application** button. This opens the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Active Directory**, select **Deploy self-managed AD into an existing VPC**, then select **Create deployment**.

1. Review and acknowledge that the required IAM permissions are met before proceeding. For more information, see [Identity and Access Management for AWS Launch Wizard](launch-wizard-security.md#identity-access-management).

1. On the **Configure application settings** page, you are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General settings ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (Amazon SNS) topic ARN — optional**. Specify an Amazon SNS topic where Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-self-managed.html)

------
#### [ Amazon EC2 configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-self-managed.html)

------
#### [ Microsoft Active Directory Domain Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-self-managed.html)

------
#### [ Microsoft Active Directory Certificate Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-self-managed.html)

------
#### [ Microsoft Remote Desktop Gateway configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-self-managed.html)

------

1. When you are satisfied with your application settings, choose **Next**. If you don't want to complete the configuration, choose **Cancel**. When you choose **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To return to the previous screen, choose **Previous**.

1. On the **Configure infrastructure settings** page, you are prompted to define the infrastructure settings for the new deployment. The following tab provides information about the input fields.

------
#### [ Storage and compute ]

   You can choose to select your instances, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If you don't select either option, default values are assigned. Launch Wizard will display the estimated charges incurred to deploy the application based on suggested infrastructure and also based on static values.
   + **Based on infrastructure suggestion**. Launch Wizard displays the suggested resources for the deployment. You can specify your performance requirements of the resources to update the recommendation.
     + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
     + **Network performance**. Choose your preferred network performance in Gbps.
     + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
     + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure settings.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.
   + **Based on static values**. You can specify specific instance types for the resources used in your deployment. If you don't select either option, default values are assigned.
     + **Instance type**. You can choose your instance type from the dropdown list, or you can use AWS recommended resources.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.

------

1. When you are satisfied with your infrastructure settings, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you if you need to address any issues. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments. 

1. When your deployment is ready, a notification informs you that your application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Extend on-premises Active Directory to an existing VPC
Extend on-premises AD

The following steps guide you through an Active Directory deployment with AWS Launch Wizard after you have launched it from the console for an existing VPC.

1. On the Launch Wizard console's landing page, use the **Choose application** button. This opens the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Active Directory**, select **Extend on-premises AD into an existing VPC**, then select **Create deployment.**

1. Review and acknowledge that the required IAM permissions are met before proceeding. For more information, see [Identity and Access Management for AWS Launch Wizard](launch-wizard-security.md#identity-access-management).

1. When prompted, enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General settings ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (Amazon SNS) topic ARN — optional**. Specify an Amazon SNS topic where Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-extend.html)

------
#### [ Amazon EC2 configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-extend.html)

------
#### [ Microsoft Active Directory Domain Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-extend.html)

------

1. When you are satisfied with your application settings, choose **Next**. If you don't want to complete the configuration, choose **Cancel**. When you choose **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To return to the previous screen, choose **Previous**.

1. On the **Configure infrastructure settings** page, you are prompted to define the infrastructure settings for the new deployment. The following tab provides information about the input fields.

------
#### [ Storage and compute ]

   You can choose to select your instances, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If you don't select either option, default values are assigned. Launch Wizard will display the estimated charges incurred to deploy the application based on suggested infrastructure and also based on static values.
   + **Based on infrastructure suggestion**. Launch Wizard displays the suggested resources for the deployment. You can specify your performance requirements of the resources to update the recommendation.
     + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
     + **Network performance**. Choose your preferred network performance in Gbps.
     + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
     + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure settings.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.
   + **Based on static values**. You can specify specific instance types for the resources used in your deployment. If you don't select either option, default values are assigned.
     + **Instance type**. You can choose your instance type from the dropdown list, or you can use AWS recommended resources.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.

------

1. When you are satisfied with your infrastructure settings, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you if you need to address any issues. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments. 

1. When your deployment is ready, a notification informs you that your application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Deploy AWS Directory Service for Microsoft Active Directory to an existing VPC
Deploy AWS Managed Microsoft AD

The following steps guide you through an Active Directory deployment with AWS Launch Wizard after you have launched it from the console for an existing virtual private cloud (VPC).

1. On the Launch Wizard Console's landing page, use the **Choose application** button. This opens the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Active Directory**, select **Deploy AWS Managed Microsoft AD into an existing VPC**, then select **Create deployment.**

1. Review and acknowledge the required IAM permissions are met before proceeding. For more information, see [Identity and Access Management for AWS Launch Wizard](launch-wizard-security.md#identity-access-management).

1. You are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General settings ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (Amazon SNS) topic ARN — optional**. Specify an Amazon SNS topic where Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network Configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-managed-ad.html)

------
#### [ AWS Managed Microsoft AD configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-managed-ad.html)

------
#### [ Management instance ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-managed-ad.html)

------
#### [ Microsoft Active Directory Certificate Services configuration ]    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-ad-deploying-existing-vpc-managed-ad.html)

------

1. When you are satisfied with your application settings, choose **Next**. If you don't want to complete the configuration, choose **Cancel**. When you choose **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To return to the previous screen, choose **Previous**.

1. On the **Configure infrastructure settings** page, you are prompted to define the infrastructure settings for the new deployment. The following tab provides information about the input fields.

------
#### [ Storage and compute ]

   You can choose to select your instances, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If you don't select either option, default values are assigned. Launch Wizard will display the estimated charges incurred to deploy the application based on suggested infrastructure and also based on static values.
   + **Based on infrastructure suggestion**. Launch Wizard displays the suggested resources for the deployment. You can specify your performance requirements of the resources to update the recommendation.
     + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
     + **Network performance**. Choose your preferred network performance in Gbps.
     + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
     + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure settings.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.
   + **Based on static values**. You can specify specific instance types for the resources used in your deployment. If you don't select either option, default values are assigned.
     + **Instance type**. You can choose your instance type from the dropdown list, or you can use AWS recommended resources.
     +  **Estimated on-demand cost to deploy additional resources**. Launch Wizard displays the estimated charges incurred to deploy the resources.

------

1. When you are satisfied with your infrastructure settings, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you if you need to address any issues. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments. 

1. When your deployment is ready, a notification informs you that your application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Deploy Active Directory to a new or existing VPC (AWS CLI)
Deploy to a new or existing VPC (AWS CLI)

You can use the AWS Launch Wizard [CreateDeployment](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_CreateDeployment.html) API operation to deploy Active Directory. To create a deployment, you must provide values for various *specifications*. Specifications are a collection of settings that define how your deployment should be created and configured. A workload will have one or more deployment patterns with differing required and optional specifications.

If you want to use the **Clone deployment** action on your deployment, you must create your deployment using the Launch Wizard console.

## Prerequisites for deploying Active Directory with the AWS CLI
Prerequisites for AWS CLI workload deployments

Before deploying Active Directory with the AWS CLI, ensure you have met the following prerequisites:
+ Install and configure the AWS CLI. For more information, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+ Complete the steps in the previous section titled **Set up**. Some deployment patterns have requirements that must be met for a deployment to be successful.

## Create an Active Directory deployment with the AWS CLI


You can create a deployment for your Active Directory application using the `CreateDeployment` Launch Wizard API operation.

**To create a deployment for Active Directory using the AWS CLI**

1. List the available workload names using the [ListWorkloads](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloads.html) Launch Wizard API operation.

   The following example shows listing the available workloads:

   ```
   aws launch-wizard list-workloads --region us-east-1
   {
       "workloads": [
           {
               "displayName": "Remote Desktop Gateway",
               "workloadName": "RDGW"
           },
           {
               "displayName": "MS SQL Server",
               "workloadName": "SQL"
           },
           {
               "displayName": "SAP",
               "workloadName": "SAP"
           },
           {
               "displayName": "Microsoft Active Directory",
               "workloadName": "MicrosoftActiveDirectory"
           }
           ...
       ]
   }
   ```

1. Specify the desired workload name with the [ListWorkloadDeploymentPatterns](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloadDeploymentPatterns.html) operation to describe the supported values for the deployment pattern names.

   The following example lists the available workload patterns for a given workload:

   ```
   aws launch-wizard list-workload-deployment-patterns --workload-name MicrosoftActiveDirectory --region us-east-1
   {
       "workloadDeploymentPatterns": [
           {
               "deploymentPatternName": "adAwsManagedExistingVpc",
               "description": "Example description.",
               "displayName": "ExampleDisplayName",
               "status": "ACTIVE",
               "workloadName": "MicrosoftActiveDirectory",
               "workloadVersionName": "2024-05-03-00-00-00"
           },
           ...
       ]
   }
   ```

1. Use the workload and deployment pattern names you discovered with the [GetWorkloadDeploymentPattern](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkloadDeploymentPattern.html) operation to list the specification details.

   The following example lists the workload specifications of a given workload and deployment pattern:

   ```
   aws launch-wizard get-workload-deployment-pattern --workload-name MicrosoftActiveDirectory --deployment-pattern-name adAwsManagedExistingVpc --region us-east-1
   {
       "workloadDeploymentPattern": {
           "deploymentPatternName": "adAwsManagedExistingVpc",
           "description": "Example description.",
           "displayName": "ExampleDisplayName",
           "specifications": [
               {
                   "description": "Enter an SNS topic for AWS Launch Wizard to send notifications and alerts.",
                   "name": "AWS:LaunchWizard:TopicArn",
                   "required": "No"
               },
               {
                   "description": "When a deployment fails, your provisioned resources will be deleted/rolled back by default. If deactivated, the provisioned resources will be deleted when you delete your deployment from the Launch Wizard console.",
                   "name": "AWS:LaunchWizard:DisableRollbackFlag",
                   "required": "No"
               },
               {
                   "allowedValues": [
                       "true",
                       "false"
                   ],
                   "description": "Cloud Watch Application Insights monitoring",
                   "name": "SetupAppInsightsMonitoring",
                   "required": "Yes"
               },
               ...
           ]
       }
   }
   ```

1. With the workload specifications retrieved, you must provide values for any specification `name` with a `required` value of `Yes`. You can also provide any optional specifications you require for your deployment. We recommend that you pass inputs to the `specifications` parameter for your deployment as a file for easier usage.

   Your JSON file's format should resemble the following:

   ```
   {
     "ExampleName1": "ExampleValue1",
     "ExampleName2": "ExampleValue2",
     "ExampleName3": "ExampleValue3"
   }
   ```

1. With the specifications file created, you can create a deployment for your chosen workload and deployment pattern.

   The following example creates a deployment with specifications defined in a file:

   ```
   aws launch-wizard create-deployment --workload-name MicrosoftActiveDirectory --deployment-pattern-name adAwsManagedExistingVpc --name ExampleDeploymentName --region us-east-1 --specifications file://specifications.json
   ```
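The specification checks the procedure above describes (every `required: Yes` name present, values drawn from `allowedValues`) are easy to get wrong by hand, and a rejected or misconfigured `create-deployment` call costs a full validation round trip. The following script is an added example, not AWS or Launch Wizard code: it loads the pattern description returned by `get-workload-deployment-pattern`, checks a specifications file against it, and builds the `create-deployment` argument vector shown above. The pattern JSON embedded here is a constructed, abbreviated copy of the output shown in step 3; specification values are assumed to be strings, as in the JSON file format in step 4; the SNS ARN shape and the example account ID are assumptions.

```python
"""Check a Launch Wizard specifications file before calling create-deployment.

Added example; not AWS or Launch Wizard code. SAMPLE_PATTERN is a constructed,
abbreviated copy of the get-workload-deployment-pattern output shown earlier.
"""
import json
import re
from pathlib import Path

# Constructed sample: abbreviated "aws launch-wizard get-workload-deployment-pattern" output.
SAMPLE_PATTERN = {
    "workloadDeploymentPattern": {
        "deploymentPatternName": "adAwsManagedExistingVpc",
        "specifications": [
            {"name": "AWS:LaunchWizard:TopicArn", "required": "No"},
            {"name": "AWS:LaunchWizard:DisableRollbackFlag", "required": "No"},
            {"name": "SetupAppInsightsMonitoring", "required": "Yes",
             "allowedValues": ["true", "false"]},
        ],
    }
}

# Assumed shape of an SNS topic ARN: arn:<partition>:sns:<region>:<12-digit account>:<topic>
SNS_TOPIC_ARN = re.compile(r"^arn:aws[a-z-]*:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_.-]+$")


def check_specifications(pattern: dict, specs: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Only submit the file when errors is empty."""
    errors, warnings = [], []
    wdp = pattern["workloadDeploymentPattern"]
    declared = {s["name"]: s for s in wdp["specifications"]}

    # Every specification the pattern marks "required": "Yes" must be present.
    for name, spec in declared.items():
        if spec.get("required") == "Yes" and name not in specs:
            errors.append(f"missing required specification {name}")

    for name, value in specs.items():
        spec = declared.get(name)
        if spec is None:
            # Catch misspelled or stale keys before they reach the API.
            errors.append(f"{name}: not declared by pattern {wdp['deploymentPatternName']}")
            continue
        if not isinstance(value, str):
            errors.append(f"{name}: value must be a string, got {type(value).__name__}")
            continue
        allowed = spec.get("allowedValues")
        if allowed and value not in allowed:
            errors.append(f"{name}: {value!r} is not one of {allowed}")

    topic = specs.get("AWS:LaunchWizard:TopicArn")
    if isinstance(topic, str) and not SNS_TOPIC_ARN.match(topic):
        errors.append("AWS:LaunchWizard:TopicArn: not a well-formed SNS topic ARN")
    if specs.get("AWS:LaunchWizard:DisableRollbackFlag") == "true":
        warnings.append("rollback disabled: a failed deployment leaves its resources running "
                        "until you delete the deployment from the console")
    return errors, warnings


def build_create_deployment_command(workload: str, pattern_name: str, deployment_name: str,
                                    region: str, spec_file: str = "specifications.json") -> list[str]:
    """Argument vector for the create-deployment call shown above (pass it to subprocess.run)."""
    return ["aws", "launch-wizard", "create-deployment",
            "--workload-name", workload,
            "--deployment-pattern-name", pattern_name,
            "--name", deployment_name,
            "--region", region,
            "--specifications", f"file://{spec_file}"]


def check_file(pattern: dict, path: str) -> tuple[list[str], list[str]]:
    """Load a specifications JSON file from disk and check it against the pattern."""
    return check_specifications(pattern, json.loads(Path(path).read_text()))


if __name__ == "__main__":
    # Constructed example input; the account ID is a documentation placeholder.
    example = {"SetupAppInsightsMonitoring": "false",
               "AWS:LaunchWizard:TopicArn": "arn:aws:sns:us-east-1:111122223333:launch-wizard-alerts"}
    errs, warns = check_specifications(SAMPLE_PATTERN, example)
    print("errors:", errs, "warnings:", warns)
    if not errs:
        print(" ".join(build_create_deployment_command(
            "MicrosoftActiveDirectory", "adAwsManagedExistingVpc", "ExampleDeploymentName", "us-east-1")))
```

In practice you would save the real `get-workload-deployment-pattern` output to a file and pass it in place of `SAMPLE_PATTERN`; the warning on `AWS:LaunchWizard:DisableRollbackFlag` is there because a half-built directory left running after a failed deployment is both a cost and an unmanaged resource.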

# Manage application resources with AWS Launch Wizard for Active Directory
Manage application resources

After you deploy your self-managed domain controllers, you can manage them by following these steps.

1. From the navigation pane, choose **Deployments**.

1. From the **Deployments** page, select **Actions**. You can select to do the following:

   1. **Manage resources on the EC2 console**. You are taken to the Amazon EC2 console, where you can view and manage your domain controller resources. For example, you can view and manage EC2, Amazon EBS, Active Directory, VPC, subnets, NAT Gateways, and Elastic IPs.

   1. **View resource group with SSM**. You are taken to the Systems Manager console to view your resource groups.

   1. **View CloudWatch application logs**. You are taken to CloudWatch Logs, where you can monitor, store, and access the logs of your Active Directory application.

   1. **View your CloudFormation template**. This is the CloudFormation template created by your most recent deployment, and it can be accessed through the CloudFormation console. For help with finding and using your CloudFormation template, see [Viewing CloudFormation Stack Data and Resources on the AWS Management Console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-view-stack-data-resources.html).

1. To delete a deployment, select the application that you want to delete and select **Delete**. You are prompted to confirm your action.
**Important**  
You lose all specification settings for the domain controllers when you delete a deployment. AWS Launch Wizard attempts to delete only the AWS resources that it created in your account as part of the deployment. If you created resources outside of Launch Wizard, for example resources that reside in a VPC created by Launch Wizard, the deletion may fail. Launch Wizard does not delete any Active Directory objects in your Active Directory, nor any of the records in your DNS server. Launch Wizard has no control over your Active Directory domain user password over time, which is required to clean up Active Directory objects or DNS records. We recommend that you remove these entries from your Active Directory after Launch Wizard deletes the deployment. For key operations performed against your Active Directory resulting in new records or entries, see [Active Directory configurations](launch-wizard-ad-getting-started.md#launch-wizard-ad-setup-managed).

1. To further investigate details regarding your domain controller resources, select the **Application name**. You can then view the **Deployment events** and **Summary** details for your application by using the tabs at the top of the page.

# Post-deployment steps for AWS Launch Wizard Active Directory
Post-deployment steps

Post-deployment steps for AWS Launch Wizard for Active Directory.

## Run Windows Updates


**To ensure that the operating systems on deployed servers and installed applications have the latest Microsoft updates, run Windows Update on each server.**

1. For each deployed server, create an RDP session.

1. Open the **Settings** application.

1. Open **Update & Security**.

1. Click **Check for updates**.

1. Install any updates, and restart your server, if necessary.

# High availability and security best practices for AWS Launch Wizard for Active Directory
Best practices

The domain controller architecture created by AWS Launch Wizard supports AWS best practices for high availability and security as promoted by the [AWS Well-Architected Framework](https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html).

**Topics**
+ [High availability](#launch-wizard-ad-ha)
+ [Security in Launch Wizard for Active Directory](#launch-wizard-ad-security)

## High availability


With Amazon EC2, you can set the location of instances in multiple locations composed of AWS Regions and Availability Zones. Regions are dispersed and located in separate geographic areas. Availability Zones are distinct locations within a Region that are engineered to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other Availability Zones in the same Region.

When you launch your instances in different Regions, you can set your domain controllers to be closer to specific customers, or to meet legal or other requirements. When you launch your instances in different Availability Zones, you can protect your domain controllers from the failure of a single location.

## Security in Launch Wizard for Active Directory


Launch Wizard creates a number of security groups and rules for you. When your directory resources are launched, they must be associated with a security group, which acts as a stateful firewall. You have complete control over the network traffic entering or leaving the security group. You can also build granular rules that are scoped by protocol, port number, and source or destination IP address or subnet. By default, all outbound traffic from a security group is permitted. Inbound traffic, on the other hand, permits traffic from the VPC used for the deployment and resources that Launch Wizard deploys. You might require additional configuration to allow appropriate traffic to reach your resources.

The [Securing the Microsoft Platform on Amazon Web Services](https://d1.awsstatic.com/whitepapers/aws-microsoft-platform-security.pdf) whitepaper discusses the different methods for securing your AWS infrastructure. Recommendations include providing isolation between application tiers using security groups. We recommend that you tightly control inbound traffic to reduce the attack surface of your EC2 instances.
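Because inbound rules are the part of the security group you are expected to tighten, it helps to have a repeatable check that lists every inbound source that is neither a security group reference nor a CIDR inside the deployment VPC. The script below is an added example, not AWS or Launch Wizard code: it reads the JSON shape returned by `aws ec2 describe-security-groups --group-ids <id>`, and the group, its rules and the VPC CIDR are constructed for illustration. Rules open to the whole internet (`0.0.0.0/0` or `::/0`) are marked `high`; other external sources are marked `review`, since a corporate range may be legitimate but should be a deliberate choice.

```python
"""Flag inbound security group rules whose source lies outside the deployment VPC.

Added example; not AWS or Launch Wizard code. Input is the "SecurityGroups" element
shape from `aws ec2 describe-security-groups`; everything below is constructed.
"""
import ipaddress

# Assumed CIDR of the VPC used for the deployment.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Constructed sample: one entry of the "SecurityGroups" list.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "example-domain-controllers",
    "IpPermissions": [
        # Self-referencing rule: members of the group may reach each other on any port.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
        # RDP from inside the VPC only: scoped as intended.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # RDP from anywhere: the kind of rule this audit exists to catch.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # HTTPS from a range outside the VPC: may be intended, but should be reviewed.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def port_range(perm: dict) -> str:
    """Human-readable port range; protocol -1 means all ports and all protocols."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit_inbound(group: dict, vpc_cidr: ipaddress.IPv4Network = VPC_CIDR) -> list[dict]:
    """Return one finding per inbound CIDR source that is not contained in the VPC.

    Security group references (UserIdGroupPairs) are considered scoped and are skipped.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            # subnet_of() only accepts networks of the same IP version.
            if net.version == vpc_cidr.version and net.subnet_of(vpc_cidr):
                continue
            findings.append({
                "group": group["GroupId"],
                "protocol": perm["IpProtocol"],
                "ports": port_range(perm),
                "source": cidr,
                "severity": "high" if net.prefixlen == 0 else "review",
            })
    return findings


if __name__ == "__main__":
    for f in audit_inbound(SAMPLE_GROUP):
        print(f"{f['severity']:6} {f['group']} {f['protocol']}/{f['ports']} from {f['source']}")
```

Run it against every group attached to the domain controllers and the Remote Desktop Gateway after deployment, and again whenever a rule is added; a `high` finding on an RDP or directory port is the first thing to fix.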

# Troubleshoot AWS Launch Wizard for Active Directory
Troubleshoot

Each deployment in your account in the same AWS Region can be uniquely identified by the name specified at the time of a deployment. The deployment name can be used to view the details related to the deployment on the **Deployments** page of the Launch Wizard console.

This section describes steps to help you troubleshoot deploying domain controllers with Launch Wizard for Active Directory.

**Topics**
+ [Launch Wizard provisioning events](#launch-wizard-ad-provisioning)
+ [CloudWatch Logs](#launch-wizard-ad-logs)
+ [CloudFormation stack](#launch-wizard-ad-cloudformation)

## Launch Wizard provisioning events


Launch Wizard captures events from CloudFormation to track the status of an ongoing application deployment. If an application deployment fails, you can view the deployment events for this application by selecting **Deployments** from the navigation pane. A failed event shows a status of **Failed** along with a failure message. 

## CloudWatch Logs


Launch Wizard streams provisioning logs from all of the AWS log sources, such as CloudFormation and PowerShell DSC scripts to CloudWatch Logs. You can view the CloudWatch Logs for a given application name on the CloudWatch console for the log group name `LaunchWizard-APPLICATION_NAME` and log stream `ApplicationLaunchLog`. 

## CloudFormation stack


Launch Wizard uses CloudFormation to provision the infrastructure resources of an application. CloudFormation stacks can be found in your account using the CloudFormation `describe-stacks` API. Launch Wizard launches various stacks in your account for validation and application resource creation. The following are the relevant filters for the `describe-stacks` API.
+ Application Resources 
  + `LaunchWizard-APPLICATION_NAME`. This stack includes all of the resource creation events for resources created by the deployment.
  + `LaunchWizard-STACK_NAME-TEMPLATE_NAME`. The logs of this stack include the logs from each PowerShell script run from within the instance.

You can view the status of these CloudFormation stacks. If any of them fail, you can view the cause of failure.