“Setting up environment for new employee Shez”
In this lab I will be setting up Active Directory to onboard a new employee named Shez into an environment where she will have Single Sign-On to all of her resources with the right Authentication, Authorisation, Accounting and Audit. This will include an email address as her identity, her AD SSO, a virtual desktop, and access to the employee portal to reach document repositories through NAS. She will have chat capabilities as well as audio/video conferencing, VPN access to log onto the remote network, and Microsoft SQL. This lab had to be done in the N. Virginia region to function.
Starting with Active Directory
There are 2 types of AD roles. The first is AD Administrator: someone who sets up a Windows machine, sets up Active Directory, creates the master controller, the slave controller and a whole lot of circus before handing over to production, who will consume the AD, be it for 2000 or 5000 employees. If any issues arise, he will resolve them. This is all automated on AWS. The other role, which is still in use, is Active Directory Functional: creating users, removing users, migrating users, creating policies, changing permissions.
I will be using AWS Managed Microsoft AD and supplying a FQDN, corp.wayengela.com, that resolves inside my VPC. For my VPC I will be using availability zones a and b of North Virginia; only those zones work with the Workspaces (Virtual Desktops) part of this lab.
As AWS Managed Microsoft AD is a fully managed service, there is no way to log into the domain controllers directly. So instead I shall set up a Windows machine to do my administrative work. To do this I will need to create an IAM role that allows the Windows machine to be joined to the domain so that I can log in to it with AD credentials. And then I will create a user.
When creating the Windows machine I had to ensure 2 things: one, that I select the shez-ec2domainjoin role, and two, that I select the domain join directory, which is my corp DNS. I had to wait 45 minutes for my AD to be created before I could create this instance.
Remote admin tools
I could not log into the Active Directory domain right away. So I had to first log in as a local user, enable the remote services inside the machine, and then connect to Active Directory. Here is where I am installing the Remote Server Administration Tools (RSAT).
While waiting for the installation: as stated in System Properties, this Windows machine is connected to the domain created in the first stage.
The installation is now complete. Open cmd, enter the command dsa.msc and press Enter. This brings up the Active Directory Users and Computers window, which shows that my AD is connected to the instance. It's successful. So all the necessary tools I need to administer AD are installed on this machine, including the remote tools that I need. This time I will log out and log back in, not as a local user but as an Active Directory user.
Now logging into the Windows machine via RDP using the AD account credentials. Note that the slash between corp and admin should be a backslash (corp\admin).
To log in as an AD user, the password is not the one decrypted from the EC2 instance. It is the one you created when you created the AD.
AD default user
Now that we are up, we can see our Active Directory users. There is only a default admin user, which should not be deleted.
Shez Veranda user
Here is where I add Shez Veranda as a new user with credentials and an Email ID.
Shez is listed
Now we have our new user Shez Veranda
You can see her details and that she has a profile: a username, display name, name and email ID.
Now a new user, Shez Veranda, has been created with the email ID SVeranda@wayaengela.com. Now that we have a user, she should have Single Sign-On and be able to log onto all the services we have here. She should be able to log into all the company assets with that username ID. Let me start building the associated infrastructure that she needs.
Building associated infrastructure Shez needs.
We will start with the virtual desktop. I selected the first desktop service, Amazon WorkSpaces, and gave her a Windows 10 machine with a root volume of 80GB and a user volume of 50GB. I enabled AutoStop with a 1 hour timeout so the machine shuts down if not in use after that time. This takes 20 mins to build. This just shows some organisational details we may use.
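The WorkSpace above was built in the console. As an added example (not from the original lab), here is the same choice of sizes and AutoStop timeout expressed as the CreateWorkspaces request body, with a validator in front of it for the two values the API rejects: an AutoStop timeout that is not a whole number of hours, and a root/user volume combination outside the documented ranges. The directory id and bundle id are placeholders, the username sveranda is assumed from her email ID, and the volume limits are the AWS-documented ones as I know them (an assumption to re-check against current docs).

```python
# Added example: build and sanity-check a WorkSpaces CreateWorkspaces request.
# Assumptions: volume limits for a Windows WorkSpace are root 80 GiB with a
# user volume of 10, 50 or 100 GiB, or root 175-2000 GiB with user 100-2000 GiB;
# the AutoStop timeout must be a positive multiple of 60 minutes.
ROOT_SMALL = 80
USER_SIZES_FOR_SMALL_ROOT = (10, 50, 100)


def validate_properties(root_gib, user_gib, autostop_minutes):
    """Return the reasons the WorkSpaces API would reject these values ([] if fine)."""
    errors = []
    if autostop_minutes <= 0 or autostop_minutes % 60:
        errors.append("AutoStop timeout must be a positive multiple of 60 minutes")
    if root_gib == ROOT_SMALL:
        if user_gib not in USER_SIZES_FOR_SMALL_ROOT:
            errors.append("with an 80 GiB root volume the user volume must be "
                          "10, 50 or 100 GiB")
    elif 175 <= root_gib <= 2000:
        if not 100 <= user_gib <= 2000:
            errors.append("with a 175-2000 GiB root volume the user volume must "
                          "be 100-2000 GiB")
    else:
        errors.append("root volume must be 80 GiB or between 175 and 2000 GiB")
    return errors


def create_workspaces_request(directory_id, user_name, bundle_id,
                              root_gib=80, user_gib=50, autostop_minutes=60):
    """Request body for workspaces:CreateWorkspaces with the lab's settings."""
    errors = validate_properties(root_gib, user_gib, autostop_minutes)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "Workspaces": [{
            "DirectoryId": directory_id,      # placeholder, e.g. d-xxxxxxxxxx
            "UserName": user_name,            # the AD user's sAMAccountName
            "BundleId": bundle_id,            # placeholder Windows 10 bundle id
            "WorkspaceProperties": {
                "RunningMode": "AUTO_STOP",
                "RunningModeAutoStopTimeoutInMinutes": autostop_minutes,
                "RootVolumeSizeGib": root_gib,
                "UserVolumeSizeGib": user_gib,
            },
            # Encrypt both volumes; with no VolumeEncryptionKey given the
            # default AWS-managed WorkSpaces KMS key is used.
            "RootVolumeEncryptionEnabled": True,
            "UserVolumeEncryptionEnabled": True,
        }]
    }


if __name__ == "__main__":
    import json
    req = create_workspaces_request("d-PLACEHOLDER", "sveranda", "wsb-PLACEHOLDER")
    print(json.dumps(req, indent=2))
```

The body printed can be passed to `aws workspaces create-workspaces --cli-input-json file://request.json`; the validator runs first so a bad size combination fails locally instead of as an API error.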
Amazon WorkMail is the service I set up for Shez. In order to do this I had to configure Route 53 and create all the DNS records (TXT, MX and CNAMEs) needed to associate the wayengela-corporation domain host names with the AWS hosted zone. I finally activated her email ID. Once the DNS records were verified I tested the email account by sending an email to Shez Veranda.
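The records WorkMail asks for were entered by hand in the Route 53 console. As an added example (my code, not from the original lab), the script below builds the same set as one Route 53 ChangeBatch, using the page's domain wayengela.com and the us-east-1 endpoints, and then checks it for the mistakes that most often make the domain fail verification: an unquoted TXT value, a record name without the trailing dot, or a CNAME at the zone apex. The DKIM tokens and the SES verification token are constructed placeholders; the real ones come from the WorkMail domain page.

```python
import json
import re

# The lab ran in N. Virginia; WorkMail's inbound SMTP and autodiscover
# endpoints are region-specific.
REGION = "us-east-1"


def _rrset(name, rtype, values, ttl=300):
    """One UPSERT change in the Route 53 ChangeBatch shape."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": rtype,
            "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values],
        },
    }


def workmail_change_batch(domain, dkim_tokens, ses_verification_token):
    """ChangeBatch publishing the WorkMail records for `domain`.

    dkim_tokens and ses_verification_token are whatever the WorkMail console
    shows for the domain; the values used in the test are constructed.
    """
    zone = domain.rstrip(".") + "."            # Route 53 names are fully qualified
    changes = [
        # Inbound mail: priority 10 to the regional inbound endpoint
        _rrset(zone, "MX", [f"10 inbound-smtp.{REGION}.amazonaws.com."]),
        # SPF for mail SES sends on WorkMail's behalf (TXT values are quoted)
        _rrset(zone, "TXT", ['"v=spf1 include:amazonses.com ~all"']),
        # Domain-ownership proof that SES checks
        _rrset(f"_amazonses.{zone}", "TXT", [f'"{ses_verification_token}"']),
        # Outlook / mobile client auto-configuration
        _rrset(f"autodiscover.{zone}", "CNAME",
               [f"autodiscover.mail.{REGION}.awsapps.com."]),
        # DMARC so spoofed mail from the domain is quarantined by receivers
        _rrset(f"_dmarc.{zone}", "TXT",
               ['"v=DMARC1; p=quarantine; pct=100; fo=1"']),
    ]
    # One CNAME per DKIM selector so SES signatures verify
    for token in dkim_tokens:
        changes.append(_rrset(f"{token}._domainkey.{zone}", "CNAME",
                              [f"{token}.dkim.amazonses.com."]))
    return {"Comment": f"WorkMail records for {zone}", "Changes": changes}


def check_change_batch(batch, zone):
    """Mistakes Route 53 rejects or that silently break mail ([] if clean)."""
    problems = []
    for change in batch["Changes"]:
        rr = change["ResourceRecordSet"]
        name, rtype = rr["Name"], rr["Type"]
        if not name.endswith("."):
            problems.append(f"{name}: record name must end with a dot")
        if rtype == "CNAME" and name == zone:
            problems.append(f"{name}: a CNAME is not allowed at the zone apex")
        for rec in rr["ResourceRecords"]:
            value = rec["Value"]
            if rtype == "TXT" and not (len(value) >= 2 and value[0] == value[-1] == '"'):
                problems.append(f"{name}: TXT values must be wrapped in double quotes")
            elif rtype == "MX" and not re.fullmatch(r"\d+ [A-Za-z0-9.-]+\.", value):
                problems.append(f"{name}: MX value must be '<priority> <host>.'")
            elif rtype == "CNAME" and not value.endswith("."):
                problems.append(f"{name}: CNAME target should be fully qualified")
    return problems


if __name__ == "__main__":
    # Constructed tokens; replace with the ones WorkMail shows for the domain.
    batch = workmail_change_batch("wayengela.com", ["dkimtoken1", "dkimtoken2"],
                                  "SES-VERIFICATION-TOKEN")
    assert check_change_batch(batch, "wayengela.com.") == []
    print(json.dumps(batch, indent=2))
```

Write the printed JSON to a file and apply it with `aws route53 change-resource-record-sets --hosted-zone-id <zone-id> --change-batch file://workmail.json`; the check runs before anything is sent, which is where the quoting and trailing-dot errors are cheapest to catch.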
Shez's WorkMail is up and running. She received my test email and was able to respond back.
Shez now has her email up and running. The next thing I set up is her WorkDocs.
I created a WorkDocs site that she can sign into and use. I did this by associating her profile with the configuration. With Single Sign-On, Shez can log into her WorkDocs profile, manage documents and carry out clerical duties.
Connecting AD to the EC2 console
The next thing to give Shez is access to an AWS console environment. In order to connect her AD credentials to the console, a role had to be created to grant this permission. However, the default script's trust relationship comes with a hack that enables a back door into the instance. Therefore I had to change the “ec2” part of the script.
DS trusted relationship
Changing ec2 to ds, which stands for Directory Service, in the role's trust relationship makes Directory Service the trusted principal, so the role can be assigned to AD users and groups.
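Two IAM roles appear in this lab: the shez-ec2domainjoin instance role used to join the Windows machine to the domain, and the console role whose trust relationship had to be changed from ec2 to ds. As an added example (my code, not the lab's), the script below audits both from their trust policy and attached managed policies, and includes the ec2-to-ds swap as a function. The trust-policy documents are constructed samples; the managed policy names are the ones AWS documents for seamless domain join through Systems Manager; the console role name shez-console-sso is assumed.

```python
import copy

# Constructed sample trust policies (not copied from the page's roles).
# EC2_TRUST is what a default role creation hands you; DS_TRUST is what
# Directory Service needs in order to assign the role to AD users and groups.
EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}
DS_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ds.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Managed policies AWS documents for seamless EC2 domain join via Systems
# Manager; they belong on the instance role (shez-ec2domainjoin in the lab).
DOMAIN_JOIN_POLICIES = {"AmazonSSMManagedInstanceCore",
                        "AmazonSSMDirectoryServiceAccess"}


def trusted_services(trust_policy):
    """Service principals an Allow statement lets assume the role.

    The set contains "*" if any statement trusts every principal.
    """
    services = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("AWS") == "*":
            services.add("*")
            continue
        svc = principal.get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def audit_role(name, trust_policy, attached_policies, purpose):
    """Findings for a role meant for 'domain-join' or for 'ad-sso' ([] if fine)."""
    findings = []
    trusted = trusted_services(trust_policy)
    if "*" in trusted:
        findings.append(f"{name}: any principal may assume this role")
    if purpose == "domain-join":
        if trusted != {"ec2.amazonaws.com"}:
            findings.append(f"{name}: instance role should trust only ec2.amazonaws.com")
        missing = DOMAIN_JOIN_POLICIES - set(attached_policies)
        if missing:
            findings.append(f"{name}: missing managed policies {sorted(missing)}")
    elif purpose == "ad-sso":
        if "ds.amazonaws.com" not in trusted:
            findings.append(f"{name}: Directory Service is not trusted, so the role "
                            "cannot be assigned to AD users")
        if "ec2.amazonaws.com" in trusted:
            findings.append(f"{name}: EC2 is trusted, so any instance launched with "
                            "this role as its profile gets the console permissions")
    else:
        raise ValueError(f"unknown purpose {purpose!r}")
    return findings


def retarget_to_directory_service(trust_policy):
    """The edit the lab describes: swap the ec2 service principal for ds."""
    fixed = copy.deepcopy(trust_policy)
    for stmt in fixed.get("Statement", []):
        svc = stmt.get("Principal", {}).get("Service")
        if svc == "ec2.amazonaws.com":
            stmt["Principal"]["Service"] = "ds.amazonaws.com"
        elif isinstance(svc, list):
            stmt["Principal"]["Service"] = [
                "ds.amazonaws.com" if s == "ec2.amazonaws.com" else s for s in svc]
    return fixed


if __name__ == "__main__":
    print(audit_role("shez-ec2domainjoin", EC2_TRUST, sorted(DOMAIN_JOIN_POLICIES), "domain-join"))
    print(audit_role("shez-console-sso", EC2_TRUST, [], "ad-sso"))
    print(audit_role("shez-console-sso", retarget_to_directory_service(EC2_TRUST), [], "ad-sso"))
```

On a live account the inputs come from `aws iam get-role` (the AssumeRolePolicyDocument) and `aws iam list-attached-role-policies`; the point of the two separate checks is that the same trust policy is correct for the instance role and wrong for the console role.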
AWS console SSO
Once this role was created Shez was now able to access the company AWS console portal and gain access by SSO.
As you can see, Shez is now logged on with her AD credentials. As Shez has access to the whole ecosystem of the company with one SSO identity, she will think twice about giving out her credentials. If she had various credentials for different services, she might be tempted to place less importance on some of them and compromise security by giving one to someone else.
The virtual desktop which I initialised in the beginning is now available. The first thing I have to do is download the client from the link contained in the listing below.
The client has been downloaded and installed.
Enter the registration code contained in the workspace server.
Shez is to sign in using her SSO credentials.
Logged onto Workspace
Shez Veranda is now logged onto her WorkSpace and has been successfully onboarded to her new company, Wayengela-Corporation. She can begin her duties as a new employee and commence her enrollment.