Step 2: Enable Identity modules - Modular Cloud Studio on AWS

Follow these steps to enable the Identity module.

  1. Navigate to the MCS web console (see Launch the stack for details).

  2. Select Identity from the left navigation pane.

  3. Choose Deploy New Module.

  4. Depending on your use case, follow the steps in Create AWS Managed Microsoft Active Directory to create a new AWS Directory Service instance, or follow the steps in Import Custom Microsoft Active Directory to import an existing Active Directory by providing the required attributes.

Option 2.a: Create AWS Managed Microsoft Active Directory

  1. For Select Region, select the Region where you want the Directory Service to be created. There should be only one hub Region option if you have not deployed any spoke Regions.

  2. For Select Identity module, select Create AWS Managed Microsoft Active Directory and choose Next.

  3. For Configure AD settings, review the parameters for this module and modify them as necessary. This module uses the following default values.

    Parameter      Default                Description
    Domain name    studio.mcs.internal    Domain name for the AWS Managed Microsoft AD.

  4. For Configure Tag Settings, review the tags for this module and modify them as necessary. By default, this module uses tags defined in the main solution stack.

  5. For Review and deploy module, choose Deploy Module.

  6. The status of the Identity module shows as Enabling in progress. The deployment of this module takes approximately 30 minutes. After the deployment is complete, the status of the Identity module shows as Enabled.

  7. An AWS Managed Microsoft AD is created under Standard Edition using mad.mcs.int as the DNS name. To retrieve the StudioAdmin credentials, navigate to the AWS Secrets Manager console and locate the secret at /[MCSDeploymentId]/Identity/StudioAdminActiveDirectoryLoginCredentials. Select the Overview tab and choose Retrieve secret value to display both the StudioAdmin username and password. Alternatively, you can open the secret directly by choosing View in the MCS Web UI and following the link to the secret.

    Note

    When you modify the StudioAdmin password through the AWS Directory Service console, manually update the corresponding secret in AWS Secrets Manager so that the two stay synchronized. Follow the steps to reset the user password.

  8. Sign in to the AWS Directory Service console, and follow the steps for Creating an AWS Managed Microsoft AD user if additional users are needed.

Important

In addition to the StudioAdmin user, the managed AD module creates three additional users:

  1. Admin

    • Required user created by the directory service

    • Password location in Secrets Manager: /[MCSDeploymentId]/Identity/DefaultAdminActiveDirectoryLoginCredentials

  2. SA_AdConnectorUser

    • Created by the MCS Managed AD module

    • Service account used by AD Connectors in the spoke Regions

    • Password location in Secrets Manager: /[MCSDeploymentId]/Identity/AdConnectorServiceAccountActiveDirectoryLoginCredentials

    • Follow the steps in Password Rotation to update the password

  3. SA_McsModulesUser

    • Created by the MCS Managed AD module

    • Service account used by modules for AD configuration setup

    • Password location in Secrets Manager: /[MCSDeploymentId]/Identity/McsModulesServiceAccountActiveDirectoryLoginCredentials

    • Follow the steps in Password Rotation to update the password

Option 2.b: Import Custom Microsoft Active Directory

Pre-deployment requirements

  1. DNS Resolver Security Group

    1. Ensure a security group exists for the Route 53 resolver endpoint in your target VPC

    2. Verify the security group has two outbound rules configured to allow DNS traffic:

      1. Type: DNS (TCP), Destination: 0.0.0.0/0, Port: 53

      2. Type: DNS (UDP), Destination: 0.0.0.0/0, Port: 53

  2. Route 53 Outbound Endpoint

    1. Ensure a Route 53 outbound endpoint exists in the VPC where your Active Directory domain controllers are located

    2. Verify the endpoint is configured with appropriate IP addresses in private subnets across different Availability Zones

    3. Confirm the endpoint is associated with the DNS Resolver Security Group

  3. Route 53 Resolver Rule

    1. Ensure a resolver rule exists for your Active Directory domain name

    2. Verify the rule is associated with the target VPC and the outbound endpoint

    3. Confirm the rule forwards DNS queries to your Active Directory domain controllers
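
As an added example (not part of the MCS solution or its documentation), the following Python function checks the three prerequisites above against the JSON that the AWS CLI returns for the security group, the outbound endpoint, its IP addresses, the resolver rule and its VPC associations, so it can be run offline on saved API output. The resource IDs, subnet-to-Availability-Zone map, domain name and domain controller IPs in SAMPLE are constructed placeholders.

```python
# Offline checker for the three Route 53 prerequisites above (added example, not MCS code). Inputs are the JSON
# items returned by `aws ec2 describe-security-groups`, `aws route53resolver get-resolver-endpoint`,
# `list-resolver-endpoint-ip-addresses`, `list-resolver-rules`, `list-resolver-rule-associations`, plus a
# subnet -> Availability Zone map built from `describe-subnets`; SAMPLE below is constructed placeholder data.
DNS_PORT = 53

def check_prerequisites(sg, endpoint, endpoint_ips, subnet_to_az, rule, associations, domain, dc_ips, vpc_id):
    problems = []
    # 1. DNS resolver security group: egress DNS (TCP) and DNS (UDP) to 0.0.0.0/0 on port 53; anything else is flagged.
    seen = set()
    for r in sg.get("IpPermissionsEgress", []):
        proto, ports = r.get("IpProtocol"), (r.get("FromPort"), r.get("ToPort"))
        if not (proto in ("tcp", "udp") and ports == (DNS_PORT, DNS_PORT)):
            problems.append(f"SG egress {proto} {ports} is not limited to DNS port 53")
        elif any(i.get("CidrIp") == "0.0.0.0/0" for i in r.get("IpRanges", [])):
            seen.add(proto)
    problems += [f"SG lacks an outbound DNS ({p.upper()}) rule on port 53" for p in ("tcp", "udp") if p not in seen]
    # 2. Outbound endpoint: OUTBOUND direction, attached to that SG, IP addresses in two or more AZs.
    if endpoint.get("Direction") != "OUTBOUND":
        problems.append("endpoint is not an OUTBOUND endpoint")
    if sg.get("GroupId") not in endpoint.get("SecurityGroupIds", []):
        problems.append("endpoint is not associated with the DNS resolver security group")
    azs = {subnet_to_az.get(ip.get("SubnetId")) for ip in endpoint_ips}
    if len(azs) < 2:
        problems.append(f"endpoint IPs span {len(azs)} AZ(s); need at least two")
    # 3. Resolver rule: FORWARD the AD domain to the domain controllers through the endpoint, bound to the VPC.
    if rule.get("RuleType") != "FORWARD" or rule.get("ResolverEndpointId") != endpoint.get("Id"):
        problems.append("rule is not a FORWARD rule using the outbound endpoint")
    if rule.get("DomainName", "").rstrip(".").lower() != domain.rstrip(".").lower():
        problems.append(f"rule domain {rule.get('DomainName')!r} does not match {domain!r}")
    targets = {t.get("Ip") for t in rule.get("TargetIps", []) if t.get("Port", DNS_PORT) == DNS_PORT}
    problems += [f"domain controller {ip} is not a forwarding target" for ip in dc_ips if ip not in targets]
    if not any(a.get("VPCId") == vpc_id and a.get("ResolverRuleId") == rule.get("Id") for a in associations):
        problems.append(f"rule is not associated with {vpc_id}")
    return problems

# Constructed sample with placeholder IDs that satisfies every requirement; change one field to see it flagged.
SAMPLE = dict(
    sg={"GroupId": "sg-EXAMPLE", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    endpoint={"Id": "rslvr-out-EXAMPLE", "Direction": "OUTBOUND", "SecurityGroupIds": ["sg-EXAMPLE"]},
    endpoint_ips=[{"SubnetId": "subnet-EXAMPLE-a"}, {"SubnetId": "subnet-EXAMPLE-b"}],
    subnet_to_az={"subnet-EXAMPLE-a": "us-east-1a", "subnet-EXAMPLE-b": "us-east-1b"},
    rule={"Id": "rslvr-rr-EXAMPLE", "RuleType": "FORWARD", "DomainName": "corp.example.",
          "ResolverEndpointId": "rslvr-out-EXAMPLE", "TargetIps": [{"Ip": "10.0.1.10", "Port": 53}, {"Ip": "10.0.2.10", "Port": 53}]},
    associations=[{"ResolverRuleId": "rslvr-rr-EXAMPLE", "VPCId": "vpc-EXAMPLE"}],
    domain="corp.example", dc_ips=["10.0.1.10", "10.0.2.10"], vpc_id="vpc-EXAMPLE")

if __name__ == "__main__":
    print(check_prerequisites(**SAMPLE) or "all Route 53 prerequisites satisfied")
```

Feed it the real CLI output for your target VPC before choosing Deploy Module; an empty list means every requirement in the checklist above is met.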

Deploying the MCS Unmanaged Active Directory Module

  1. For Select Region, select the Region where you want the Directory Service to be created. There should be only one hub Region option if you have not deployed any spoke Regions.

  2. For Select Identity module, select Import Custom Microsoft Active Directory and choose Next.

  3. For Configure AD settings, review the parameters for this module and modify them as necessary. This module uses the following default values.

    Parameter      Default             Description
    Domain Name    <Requires input>    The domain name of the MCS unmanaged Active Directory module.
    IP Address1    <Requires input>    The first IP address of the MCS unmanaged Active Directory module.
    IP Address2    <Requires input>    The second IP address of the MCS unmanaged Active Directory module.
    Region         <Requires input>    The Region where the existing directory resides.

  4. For Configure Tag Settings, review the tags for this module and modify them as necessary. By default, this module uses tags defined in the main solution stack.

  5. Choose Next.

  6. On the Review page, verify all the parameters that you provided and choose Deploy Module if you confirm that they are correct.

  7. The status of the Identity module shows as Enabling in progress. The deployment of this module takes approximately five minutes. After the deployment is complete, the status of the Identity module shows as Enabled.

  8. Required manual configuration: in AWS Secrets Manager, open the secret at /[MCSDeploymentId]/Identity/McsModulesServiceAccountActiveDirectoryLoginCredentials and replace the username and password fields with the credentials of your Active Directory service account.

Important

The service account is essential for configuring MCS modules such as the Amazon FSx for Windows and Leostream broker modules. Failing to update the credentials before deploying those modules causes the module deployment to fail and prevents proper service configuration.