“Setting up environment for new employee Shez”

 Active Directory

In this lab I will set up Active Directory to onboard a new employee named Shez into an environment where she has Single Sign-On to all of her resources, with the right authentication, authorisation, accounting and audit. This includes an email address as her identity, AD-based SSO, a virtual desktop, and access to an employee portal that reaches document repositories over NAS. She will also have chat and audio/video conferencing, VPN access to the remote network, and Microsoft SQL. This lab had to be done in the N. Virginia region to function.

Starting with Active Directory

There are two kinds of AD role. The first is the AD administrator: someone who sets up the Windows machines, installs Active Directory, builds the domain controllers (a first controller plus additional ones replicating with it) and a whole lot of circus before handing over to production, which consumes the AD, whether for 2,000 or 5,000 employees. Any issues that arise, he resolves. On AWS this is all automated. The other role, which is still needed, is AD functional administration: creating users, removing users, migrating users, creating policies, changing permissions.

Directory Services

Microsoft AD

I will be using AWS Managed Microsoft AD, supplying a FQDN that resolves inside my VPC: corp.wayengela.com. For my VPC I will be using availability zones a and b of North Virginia; those are the only zones that work with the Amazon WorkSpaces lab (virtual desktops).

Windows machine

As this is a fully managed Active Directory service, there is no way to log into the domain controllers themselves. So instead I set up a Windows machine to do my administrative work. To do this I need an IAM instance role that lets the Windows EC2 instance join the directory when it launches. Then I will create a user.

When creating the Windows machine I had to ensure two things: one, that I selected the shez-ec2domainjoin role, and two, that I selected the domain join directory, which is my corp directory. I had to wait about 45 minutes for the AD to finish creating before I could launch this instance.

Remote admin tools

I could not log into the Active Directory domain right away. So I first logged in as a local user, installed the remote administration tools on the machine, and then connected to Active Directory. Here I am installing the Remote Server Administration Tools (RSAT).

Jillian Scott

While waiting for the installation: as stated in System Properties, this Windows machine is joined to the domain created in the first stage.

dsa.msc test

The installation is now complete. Open cmd and run dsa.msc. This brings up Active Directory Users and Computers connected to my domain, which shows the instance can administer the AD. It's successful. All the tools I need to administer AD are now installed on this machine, including the remote tools. This time I log out and log back in, not as a local user but as an Active Directory user.
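The RSAT install and the join check above can be done from an elevated PowerShell session on the EC2 admin instance instead of the GUI. This is an added example, not code from the original post; it assumes the lab's directory FQDN corp.wayengela.com and the managed Admin account, and it checks the domain join explicitly before opening dsa.msc so a "cannot contact the domain" error is caught early.

```powershell
# Added example (not from the original post). Run elevated on the domain-joined
# Windows Server EC2 instance, while still signed in as the local user.

$DomainFqdn = 'corp.wayengela.com'   # directory FQDN from the lab

# 1. Install the AD DS / AD LDS tools: this provides dsa.msc and the
#    ActiveDirectory PowerShell module.
Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature

# 2. Confirm the instance is actually joined to the managed domain, not merely
#    resolving its DNS name. PartOfDomain is false on a workgroup machine.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $DomainFqdn) {
    throw "Instance is not joined to $DomainFqdn (current domain: $($cs.Domain))"
}

# 3. Verify the machine account's secure channel to a domain controller. A false
#    result here is the usual reason dsa.msc cannot connect after a join.
if (-not (Test-ComputerSecureChannel)) {
    throw 'Secure channel to the domain is broken; re-join the instance.'
}

# 4. Query the domain with directory credentials. The local user is not a domain
#    principal, so an explicit -Credential is required until we sign in as corp\Admin.
Import-Module ActiveDirectory
$adCred = Get-Credential -UserName 'corp\Admin' -Message 'Directory Admin password set at AD creation'
Get-ADDomain -Server $DomainFqdn -Credential $adCred |
    Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator

# 5. Open Active Directory Users and Computers, the GUI step shown in the post.
Start-Process dsa.msc
```

The password prompted for in step 4 is the directory Admin password chosen when the AWS Managed Microsoft AD was created, not the local Administrator password recovered from the EC2 console.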

 

AD login

Now I log into the Windows machine via RDP using the AD account credentials. Note that the separator between corp and Admin must be a backslash: corp\Admin.

To log in as an AD user, the password is not the local Administrator password decrypted from the EC2 instance. It is the Admin password you set when you created the directory.

AD default user

Now that we are in, we can see our Active Directory users. There is only the default Admin user, which should not be deleted.

 

Shez Veranda user

Here is where I add Shez Veranda as a new user with credentials and an email ID.

Shez is listed

Now we have our new user, Shez Veranda.

user profile

You can see her details and that she has a profile: a username, display name, name and email ID.

A new user, Shez Veranda, has now been created with the email ID SVeranda@wayengela.com. Now that we have a user, she should have Single Sign-On and be able to log onto all the services here; she should be able to log into every company asset with that one username. Let me start building the associated infrastructure she needs.
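The same user can be created from PowerShell on the admin instance, which is how the functional administrator role described earlier is normally scripted. This is an added example, not the post's own steps; the SamAccountName sveranda and the OU path are assumptions (AWS Managed Microsoft AD delegates an OU named after the NetBIOS name, here corp, with a Users OU inside it, and new users must be created under it rather than in the built-in Users container).

```powershell
# Added example (not from the original post). Run as the directory Admin
# (corp\Admin) on the RSAT-equipped EC2 instance.
Import-Module ActiveDirectory

$Domain  = 'corp.wayengela.com'
$UsersOu = 'OU=Users,OU=corp,DC=corp,DC=wayengela,DC=com'   # assumed delegated OU path
$Given   = 'Shez'
$Surname = 'Veranda'
$Sam     = 'sveranda'                                         # assumed logon name
$Mail    = 'SVeranda@wayengela.com'

# Prompt for the initial password rather than embedding it in the script, and force
# a change at first logon so the onboarding admin never holds her real password.
$InitialPassword = Read-Host -AsSecureString "Initial password for $Sam"

New-ADUser -Name "$Given $Surname" `
           -GivenName $Given -Surname $Surname `
           -DisplayName "$Given $Surname" `
           -SamAccountName $Sam `
           -UserPrincipalName "$Sam@$Domain" `
           -EmailAddress $Mail `
           -Path $UsersOu `
           -AccountPassword $InitialPassword `
           -ChangePasswordAtLogon $true `
           -Enabled $true `
           -Server $Domain

# Verify what dsa.msc would show: the account exists, is enabled, and carries the
# email attribute that WorkMail and the SSO-enabled services will key off.
$u = Get-ADUser -Identity $Sam -Properties EmailAddress, DisplayName -Server $Domain
if (-not $u.Enabled -or $u.EmailAddress -ne $Mail) {
    throw "User $Sam did not verify (Enabled=$($u.Enabled), mail=$($u.EmailAddress))"
}
"Created $($u.DistinguishedName) with UPN $($u.UserPrincipalName)"
```

Creating the account under the delegated OU also keeps it in scope of the group policies and permissions that AWS lets you manage; objects outside that OU are owned by the service.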

Building the associated infrastructure Shez needs

Virtual desktop

We start with the virtual desktop. I selected Amazon WorkSpaces as the desktop service and gave her a Windows 10 machine with an 80 GB root volume and a 50 GB user volume. I enabled AutoStop with a one-hour timeout so the machine shuts down if it is not in use for that long. This takes about 20 minutes to build. This screen just shows some organisational details we may use.

email account

Amazon WorkMail is the service I set up for Shez's email. To do this I had to configure Route 53: create all the DNS records (TXT, MX and CNAMEs) that associate the wayengela-corporation domain host names with the AWS hosted zone. I then activated her email ID. Once the DNS records were verified, I tested the account by sending an email to Shez Veranda.

testing workmail

Shez's WorkMail is up and running. She received my test email and was able to reply.

receiving workmail

Shez now has her email up and running. The next thing I set up is her WorkDocs.

workdocs

I created a WorkDocs site she can sign into and use, by associating her profile with the site's configuration. With Single Sign-On, Shez can log into her WorkDocs profile, manage documents and carry out clerical duties.

Connecting AD to the AWS console

permissions

The next thing to give Shez is access to an AWS console environment. To connect her AD credentials to the console, an IAM role has to be created that grants this permission. However, the default trust policy the role wizard generates names the EC2 service as the principal allowed to assume the role, which is the wrong party here: it is Directory Service, not EC2, that needs to assume the role on behalf of AD users. Therefore I had to change the "ec2" part of the policy.

DS trusted relationship

Changing ec2 to ds, which stands for Directory Service, makes ds.amazonaws.com the trusted principal in the role's trust policy, so the directory can assume the role when an AD user signs in.
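Here is that trust-policy change written out, as an added example (not the post's own script) using the AWS Tools for PowerShell. The role name and the attached ReadOnlyAccess policy are assumptions; the post does not say which permissions Shez's role carries. The block shows the EC2 trust policy the wizard produces next to the corrected Directory Service one, creates the role with the latter, and reads it back to confirm the principal before the role is assigned to Shez in the Directory Service console.

```powershell
# Added example (not from the original post). Requires the AWS.Tools.IdentityManagement
# module and credentials able to create IAM roles.
Import-Module AWS.Tools.IdentityManagement

$RoleName = 'shez-ad-console-readonly'   # assumed name

# What the IAM console wizard generates for an "EC2" role: only the EC2 service may
# assume it. Directory Service cannot use this, so AD users would never get a session.
$Ec2Trust = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Effect    = 'Allow'
        Principal = @{ Service = 'ec2.amazonaws.com' }
        Action    = 'sts:AssumeRole'
    })
}

# Corrected trust policy: the only change is the principal, ec2 -> ds.
$DsTrust = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Effect    = 'Allow'
        Principal = @{ Service = 'ds.amazonaws.com' }
        Action    = 'sts:AssumeRole'
    })
}

$TrustJson = ConvertTo-Json -InputObject $DsTrust -Depth 5
New-IAMRole -RoleName $RoleName `
            -AssumeRolePolicyDocument $TrustJson `
            -Description 'Console access for AWS Managed AD users' | Out-Null

# Least privilege: start read-only and widen only for what her duties need.
Register-IAMRolePolicy -RoleName $RoleName -PolicyArn 'arn:aws:iam::aws:policy/ReadOnlyAccess'

# Read the stored trust policy back. IAM returns it URL-encoded.
$Stored  = (Get-IAMRole -RoleName $RoleName).AssumeRolePolicyDocument
$Decoded = [System.Uri]::UnescapeDataString($Stored) | ConvertFrom-Json
if ($Decoded.Statement.Principal.Service -notcontains 'ds.amazonaws.com') {
    throw "Role $RoleName does not trust ds.amazonaws.com; AD console sign-in will fail"
}
"Role $RoleName trusts Directory Service and can now be assigned to AD users or groups."
```

With the trust policy fixed, the role appears in the Directory Service console under the directory's application management, where it is assigned to Shez's user or group; the permissions she actually receives in the console are whatever policies are attached to this role.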

AWS console SSO

Once this role was created and assigned to her in the directory, Shez was able to reach the company AWS console portal and sign in by SSO.

shez-sso-console

As you can see, Shez is now logged on with her AD credentials. Because Shez reaches the whole ecosystem of the company with one SSO identity, she will think twice about giving out her credentials. If she had different credentials for different services, she might place less importance on some of them and be tempted to share one with someone.

Amazon WorkSpaces

workspace

The virtual desktop I initialised at the beginning is now available. The first thing to do is download the client from the link shown in the listing below.

client installed

The client has been downloaded and installed. 

register code

Enter the registration code shown for the WorkSpace.

workspace sso

Shez signs in using her SSO credentials.

logged onto workspace

Shez Veranda is now logged onto her WorkSpace and has been successfully onboarded to her new company, Wayengela-Corporation. She can begin her duties as a new employee.
