Seamless AD join with AWS AD Connector in private subnet - amazon-web-services

I have the following network setup and am trying to join EC2 instances to an on-prem Active Directory.
EC2 running inside a private, non-routable subnet
AD Connector runs in an on-prem-connected subnet
The domain is DNS-resolvable throughout the whole VPC
In this setup, is it possible to join the EC2 instance through the AD Connector without the instance having a direct connection to the on-prem AD?
When the AD Connector is up and running with status Active, should it show up in the on-prem directory as a domain controller?
Does anyone have experience with which Windows Server versions are supported for the AD Connector? Server 2019?

After a deep dive into this topic I have answers, which might help others looking into topics around AD on AWS.
The AD Connector only helps with joining an instance to your AD.
The wording "proxy" is meant literally (not a technical proxy server): it is the proxy which creates the computer object inside your AD for you; afterwards you need to join the instance (mostly done using an AWS Systems Manager AWS-JoinDirectoryServiceDomain document).
The EC2 instance in fact needs direct network connectivity with the domain controller; of course the (fully qualified) domain needs to be resolvable as well.
Details on the plugin for joining can be found here: https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html#aws-domainJoin
One important feature for me is that you can define an OU where the computer object should be created!
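The join the answer describes, done from a script instead of by hand: first confirm the two prerequisites the answer names (the domain FQDN resolves, and the instance can reach the domain controller directly on the ports a join uses), then run the AWS-JoinDirectoryServiceDomain document with a directoryOU through Systems Manager. This is an added example, not code from the post or from AWS. The directory ID, domain name, DC addresses, OU, instance ID and region are placeholders; the port list is the standard AD domain-join port list, which the post itself does not spell out.

```python
"""Join an EC2 instance to AD through an AD Connector with AWS Systems Manager.

Added example, not code from the post or from AWS. Before sending the
AWS-JoinDirectoryServiceDomain document it checks the two things the answer
says are required: the domain FQDN resolves, and the instance can reach the
domain controller directly on the ports a join uses. Directory ID, domain,
DC addresses, OU, instance ID and region below are placeholders (assumptions).
"""
import ipaddress
import re
import socket

# TCP ports a domain join talks to on a DC (DNS, Kerberos, RPC endpoint mapper,
# LDAP, SMB, kpasswd, LDAPS, global catalog, AD web services). The dynamic RPC
# range 49152-65535 is represented by its first port only. Assumed standard list.
DOMAIN_JOIN_TCP_PORTS = (53, 88, 135, 389, 445, 464, 636, 3268, 3269, 9389, 49152)

# directoryOU must be a distinguished name such as OU=Servers,DC=corp,DC=example,DC=com
_OU_DN = re.compile(r"^(OU|CN)=[^,]+(,(OU|CN)=[^,]+)*(,DC=[^,]+)+$", re.IGNORECASE)


def valid_ou_dn(ou: str) -> bool:
    return bool(_OU_DN.match(ou))


def build_join_parameters(directory_id, directory_name, dns_ips, directory_ou=None):
    """Parameters map for AWS-JoinDirectoryServiceDomain; SSM wants each value as a list."""
    if not re.fullmatch(r"d-[0-9a-f]{10}", directory_id):
        raise ValueError(f"not a Directory Service ID: {directory_id}")
    for ip in dns_ips:
        ipaddress.ip_address(ip)  # raises if someone passed a hostname instead of an IP
    params = {
        "directoryId": [directory_id],
        "directoryName": [directory_name],
        "dnsIpAddresses": list(dns_ips),
    }
    if directory_ou:
        if not valid_ou_dn(directory_ou):
            raise ValueError(f"directoryOU is not a DN: {directory_ou}")
        params["directoryOU"] = [directory_ou]  # computer object lands here, not in CN=Computers
    return params


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes (routes, NACLs and security groups allow it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_prerequisites(directory_name, dc_addresses, ports=DOMAIN_JOIN_TCP_PORTS):
    """Return (fqdn_resolves, {dc: [unreachable ports]}); run this on the instance itself."""
    try:
        socket.getaddrinfo(directory_name, None)
        resolves = True
    except socket.gaierror:
        resolves = False
    blocked = {dc: [p for p in ports if not tcp_reachable(dc, p)] for dc in dc_addresses}
    return resolves, blocked


def send_join_command(instance_id, params, region):
    """Run the document once against one instance (needs boto3, credentials, and an
    instance whose SSM agent is online with a role permitted to do the directory join)."""
    import boto3  # imported here so the checks above work without boto3 installed
    ssm = boto3.client("ssm", region_name=region)
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-JoinDirectoryServiceDomain",
        Parameters=params,
    )
    return resp["Command"]["CommandId"]


if __name__ == "__main__":
    dcs = ["10.10.0.10", "10.10.1.10"]  # placeholder on-prem DC / DNS addresses
    params = build_join_parameters("d-1234567890", "corp.example.com", dcs,
                                   "OU=Servers,OU=AWS,DC=corp,DC=example,DC=com")
    resolves, blocked = check_prerequisites("corp.example.com", dcs)
    print("FQDN resolves:", resolves)
    for dc, ports in blocked.items():
        print(f"{dc}: unreachable TCP ports: {ports or 'none'}")
    if resolves and not any(blocked.values()):
        print("SSM command:", send_join_command("i-0123456789abcdef0", params, "eu-central-1"))
    else:
        print("fix DNS/connectivity first; the join fails even with the connector Active")
```

Run the check on the instance in the private subnet: an Active connector with every port to the DC reported unreachable is exactly the situation the answer warns about, and sending the document will not fix it. The same parameter map can be handed to `create_association` instead of `send_command` if you want SSM to join every instance carrying a given tag.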

Related

GCP - issues with connecting Vertex.AI to shared VPC

We are trying to create a training job in Vertex AI and we need to connect to resources in our shared VPC. The project in which we are creating this job is a service project. We already have a VPC with private services access configured (as described in https://cloud.google.com/vertex-ai/docs/general/vpc-peering).
When we try to create a job and use this host network, we get a very generic error message:
Unable to start training due to the following error: Internal error encountered.
Everything seems alright and the peering connection with private services (servicenetworking) is in an active state.
Does anyone maybe have an idea where we can look for more information about this problem, or maybe some guides or pointers that could help us?
A few points should be verified in this particular setup:
The Compute Engine and Service Networking APIs should be enabled for the host and service projects, and the Vertex AI API should be enabled for the service project.
The VPC peering connection between your VPC and Google services should be created in the host project.
You must specify the name of the network that you want Vertex AI to have access to (the shared VPC), as stated in the following document 1.
Verify that the service/user account used has the proper role (Compute Network User).

AWS EC2 for QuickBooks

AWS and network noob. I've been asked to migrate QuickBooks Desktop Enterprise to AWS. This seems easy in principle, but I'm finding a lot of conflicting and confusing information on how best to do it. The requirements are:
Set up a Windows Server using AWS EC2
QuickBooks will be installed on the server, including a file share that users will map to.
Configure VPN connectivity so that the EC2 instance appears and behaves as if it were on-prem.
Allow additional off-site VPN connectivity as needed for ad hoc remote access
Cost is a major consideration, which is why I am doing this instead of getting someone who knows this stuff.
The on-prem network is very small: one Win2008R2 server (I know...) that hosts QB now and acts as a file server, 10-15 PCs/printers, and a Netgear Nighthawk router with a static IP.
My approach was to first create a new VPC with a private subnet that will contain the EC2 instance and set up a site-to-site VPN connection with the Nighthawk for the on-prem users. I'm unclear as to whether I also need to create security group rules to only allow inbound traffic (UDP/TCP file-sharing ports) from the static IP, or if the VPN negates that need.
I'm trying to test this one step at a time and have an instance set up now. I am remote and am using my current IP address in the security group rules for the test (no VPN yet). I set up the file share but I am unable to access it from my computer. I can RDP and ping it and have turned on the firewall rules to allow NB and SMB, but still nothing. I just read another thread that says I need to set up a storage gateway, but before I do that I wanted to see if that is really required or if there's another/better approach. I have to believe this is a common requirement, but I seem to be missing something.
This is a bad approach for QuickBooks. Intuit explicitly recommends against using QuickBooks with a file share via VPN:
Networks that are NOT recommended
Virtual Private Network (VPN) Connects computers over long distances via the Internet using an encrypted tunnel.
From here: https://quickbooks.intuit.com/learn-support/en-us/configure-for-multiple-users/recommended-networks-for-quickbooks/00/203276
The correct approach here is to host QuickBooks on the EC2 instance, and let people RDP (remote desktop) into the EC2 Windows server to use QuickBooks. Do not let them install QuickBooks on their client machines and access the QuickBooks data file over the VPN link. Make them RDP directly to the QuickBooks server and access it from there.

How to connect a client to a remote Windows Server 2019 AWS EC2

We have a very difficult problem here: we have a Windows Server 2019 Base x64 on Amazon EC2, connected through RDP, and have set up a forest and activated AD DS, and also activated DNS. But whenever we try to connect we are not allowed to.
We have opened all the relevant ports in the inbound traffic rules.
We have added users.
We have tried searching the internet and various tutorials.
In Server Manager:
Added the public IPv4 address to the IPv4 settings of our adapter.
Went to the computer settings, entered the domain under computer domain, but no fun.
Disabled the firewall in Server Manager.
We want our clients on a different network to connect to the server hosted elsewhere on AWS.
We are really new to this; can someone guide us through it?
Please make sure there is network connectivity between your client and your DC which is set up on the EC2 instance.
[1] In case your clients are on AWS (meaning different EC2 instances) and in a different network, you need to create VPC peering or use Transit Gateway so that there is proper network connectivity.
[2] In case your clients are not on AWS and are in an on-prem environment, you need to have a VPN connection between your client and your DC.
So in summary, you need to have network connectivity between your client and DC so that clients can join your domain.
What do you mean by "whenever we try to connect we are not allowed to"?
What are you trying to connect to, the Windows EC2 instance?
Are you saying that the instance is joined to AWS Directory Service domain but you can't connect to the instance using one of the users in your AWS directory?
Edit: This should have been a comment but couldn't post comments at the time of answering.

How to Join Local Windows Machine to AWS Active Directory

Hi, my goal is to create Active Directory in AWS. I used Simple AD and used 2 public and 2 private subnets within the same VPC, with the private ones being for the domain controllers. I created an EC2 instance within the same VPC with Windows Server so that I can manage the AD. My EC2 instance joins the domain with no problem. My problem, however, is that I cannot get the local machines on my network to join the AD, as the DCs of course have private IPs and I can't change the DNS on my machine to these IPs unless I'm on the same network.
I'm guessing I need a VPN to join my local network to the network in the AWS cloud.
Is there a way to achieve having AD in AWS without a VPN, such as using an Elastic IP with NAT to communicate with the DCs? Or maybe even promoting my EC2 instance to a DC, then pointing the local machines' DNS to the EC2 instance's Elastic IP?
Any help is much appreciated and let me know if I am missing any information or not explaining the goal clear enough.
Your question mentions Simple AD. My comments will be for Active Directory in AWS.
Setting up Active Directory in AWS and on-premises is not as easy as I would like it to be. This topic can fill a small book or as Amazon does it, multiple hour long videos. Watch a few while thinking up your solution.
1) Simple AD is not real Active Directory. It is Samba 4, which is very good, but is an Active Directory clone.
2) Do not, and I repeat do not, think about putting Active Directory on a public IP address to serve your on-premises users. The number of ports that you need to open and the risk is just not worth it.
3) Most, if not all, real solutions for configuring Active Directory on-premises and in AWS involve VPNs: either Direct Connect (DX), hardware routers (Cisco), or site-to-site VPNs built from Openswan or Windows Server.
Note: Openswan is very easy to set up, so this is the route I would recommend if cost is a factor. Otherwise look at Cisco ASA-type routers (lots of vendors here) for your office and set up a VPN with IPsec. If cost is not a factor, absolutely go with Direct Connect (DX).
Note: I also use OpenVPN to connect to AD in AWS from home. This setup routes my workstation to a VPC in AWS and is so easy to set up and use. You could start with this to get comfortable with networking to a VPC. There are preconfigured OpenVPN setups in the AWS Marketplace that are free (user-limited).

Not able to connect to MySQL on Amazon RDS free account from MacBook

I'm new to Amazon AWS. I created a MySQL DB instance on RDS with a free account.
Now I am trying to connect from my local machine with MySQL Workbench.
Below is the endpoint of my DB instance:
XXXXXXXXXX.XXXXX.us-west-2.rds.amazonaws.com:3306
Using the same as hostname and port locally, I am still not able to connect.
Does it have anything to do with the region? I mistakenly selected the Oregon (west) region, whereas I'm in New Jersey (east).
There are two primary solution candidates.
Firewall
Go into VPC Security Groups (I guess that is where you control the firewall; my paid account uses Security Groups). Ensure that your public IP (and only your public IP) is allowed through the firewall.
MySQL Permissions
On the local machine, check that your remote machine is allowed to connect. It's also possible that MySQL is not running. You'll discover whether that is the case while checking permissions locally.
Thanks a lot, guys. Following are the steps to correct it:
Go to the MySQL instance.
Click on the Security icon.
Click on Security Group.
At the bottom, click on Inbound.
Click Edit.
Add your IP for the MySQL DB or any DB instance you have.
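The same security-group change done with boto3 instead of the console, together with a check for the mistake the first answer warns against: opening 3306 to more than your own public IP. This is an added example, not code from the thread or from AWS. The group ID, region and addresses are placeholders, and the IpPermissions list is constructed in the shape DescribeSecurityGroups returns rather than taken from a real account.

```python
"""Restrict RDS MySQL (3306) ingress to one workstation and flag wider rules.

Added example, not from the thread or AWS. SAMPLE_PERMISSIONS is a constructed
IpPermissions list in the shape DescribeSecurityGroups returns; the group ID,
region and addresses are placeholders (assumptions).
"""
import ipaddress

MYSQL_PORT = 3306

# Constructed sample: the common mistake (world-open 3306 over IPv4 and IPv6) next
# to a correct /32, plus an unrelated SSH rule and an all-traffic rule from a /16.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "198.51.100.7/32"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]


def host_only_rule(public_ip, port=MYSQL_PORT, description="my workstation"):
    """IpPermissions entry admitting exactly one IPv4 host on `port`/tcp."""
    addr = ipaddress.ip_address(public_ip)
    if addr.version != 4 or addr.is_loopback or addr.is_unspecified:
        raise ValueError(f"expected a routable IPv4 address, got {public_ip}")
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": f"{addr}/32", "Description": description}]}


def permission_covers_port(perm, port):
    """True if one IpPermissions entry applies to `port`/tcp ('-1' means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def revocations_for(permissions, port=MYSQL_PORT, max_hosts=1):
    """One revoke-shaped entry per source range that exposes `port` to more than
    `max_hosts` addresses (0.0.0.0/0, ::/0, a whole /16 ...). Each entry keeps the
    original protocol/port span and names only the offending range, which is what
    revoke_security_group_ingress needs to drop that range and nothing else."""
    out = []
    for perm in permissions:
        if not permission_covers_port(perm, port):
            continue
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for rng in perm.get(key, []):
                if ipaddress.ip_network(rng[field], strict=False).num_addresses > max_hosts:
                    entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
                    entry[key] = [{field: rng[field]}]
                    out.append(entry)
    return out


def restrict_mysql_to_me(group_id, my_public_ip, region="us-west-2"):
    """Apply to a real group: needs boto3 and credentials allowed to describe,
    revoke and authorize security group ingress."""
    import boto3
    from botocore.exceptions import ClientError
    ec2 = boto3.client("ec2", region_name=region)
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    for entry in revocations_for(group["IpPermissions"]):
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=[entry])
    try:
        ec2.authorize_security_group_ingress(GroupId=group_id,
                                             IpPermissions=[host_only_rule(my_public_ip)])
    except ClientError as err:  # the /32 may already be there, which is fine
        if err.response["Error"]["Code"] != "InvalidPermission.Duplicate":
            raise


if __name__ == "__main__":
    for entry in revocations_for(SAMPLE_PERMISSIONS):
        print("would revoke:", entry)
    print("would authorize:", host_only_rule("198.51.100.7"))
    # restrict_mysql_to_me("sg-0123456789abcdef0", "198.51.100.7")  # placeholders
```

Run the dry part first (the `__main__` block only prints against the constructed sample) and compare it with what the console shows under Inbound before calling `restrict_mysql_to_me`. On the region question in the post: a client in New Jersey reaches a us-west-2 endpoint the same way as one in Oregon; the region only adds latency, it does not block the connection.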