Windows Domain Join and Active Directory Groups Management

Overview

Turbot allows you to join new and existing Windows instances to your Active Directory (AD) domain to enable AD group syncing. This guide includes steps on getting started and the requirements to configure this feature.

Prerequisites

  • The instance should be launched using the turbot SSH key.
  • Turbot should be able to manage this Windows instance.
  • Set DNS to auto-configure based on the VPC DNS settings.
  • Install the Remote Server Admin Tools on the instance.

Security Group Configurations

Network connectivity must exist between all three entities involved:

  • Turbot Master instances
  • Windows instance
  • Active Directory

Turbot Master Instances

Egress

Protocol(s)  Port(s)      Destination                Purpose
TCP          5986         Managed Windows instances  PowerShell Remoting
TCP/UDP      53           AD domain                  DNS
TCP/UDP      88           AD domain                  Kerberos
TCP          123          AD domain                  NTP
TCP/UDP      135          AD domain                  RPC
TCP/UDP      389          AD domain                  LDAP
TCP          445          AD domain                  Samba
TCP          636          AD domain                  LDAPS
TCP          3268-3269    AD domain                  Global Catalog
TCP/UDP      49152-65535  AD domain                  RPC High Ports

Windows Instance

Ingress

Protocol(s)  Port(s)  Source    Purpose
TCP          3389     Intranet  RDP
TCP          5986     Intranet  PowerShell Remoting

Egress

Protocol(s)  Port(s)      Destination  Purpose
TCP/UDP      53           AD domain    DNS
TCP/UDP      88           AD domain    Kerberos
TCP          123          AD domain    NTP
TCP/UDP      135          AD domain    RPC
TCP/UDP      389          AD domain    LDAP
TCP          445          AD domain    Samba
TCP          636          AD domain    LDAPS
TCP          3268-3269    AD domain    Global Catalog
TCP/UDP      49152-65535  AD domain    RPC High Ports

Active Directory

Ingress

Protocol(s)  Port(s)      Source    Purpose
TCP/UDP      53           Intranet  DNS
TCP/UDP      88           Intranet  Kerberos
TCP          123          Intranet  NTP
TCP/UDP      135          Intranet  RPC
TCP/UDP      389          Intranet  LDAP
TCP          445          Intranet  Samba
TCP          636          Intranet  LDAPS
TCP          3268-3269    Intranet  Global Catalog
TCP/UDP      49152-65535  Intranet  RPC High Ports
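The prerequisites and egress rules above are easiest to confirm from the Windows instance itself before enabling the join. The following PowerShell script is an added example, not Turbot's own code: it resolves the domain's domain-controller SRV records through the VPC resolver, probes the TCP ports from the Windows instance egress table against each domain controller, and checks that the RSAT ActiveDirectory module and a WinRM HTTPS listener (the TCP 5986 endpoint Turbot reaches) are present. The domain name is an assumed placeholder; Test-NetConnection only handshakes TCP, so the UDP side of DNS, Kerberos, RPC and LDAP, plus NTP and the dynamic RPC range, are not probed here.

```powershell
# Added example, not Turbot code. Run on the Windows instance before enabling
# Windows > Active Directory Domain Join. $DomainName is an assumed value.
param(
    [string]$DomainName = 'corp.company.com'   # assumed; use your AD domain
)

# 1. DNS (TCP/UDP 53): the VPC resolver must return the domain's DC SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No domain controller SRV records for $DomainName; check DNS egress and the VPC DNS settings"
    return
}
$dcs = $srv | Where-Object QueryType -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique

# 2. TCP ports from the Windows instance egress table, probed per domain controller.
$tcpPorts = [ordered]@{
    88   = 'Kerberos'
    135  = 'RPC'
    389  = 'LDAP'
    445  = 'Samba'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog'
}
foreach ($dc in $dcs) {
    foreach ($port in $tcpPorts.Keys) {
        $open = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        $state = if ($open) { 'open' } else { 'BLOCKED' }
        '{0,-35} {1,5}  {2,-15} {3}' -f $dc, $port, $tcpPorts[$port], $state
    }
}

# 3. Prerequisites: RSAT AD module installed, and a WinRM HTTPS listener for TCP 5986.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Warning 'ActiveDirectory module not found: install the Remote Server Admin Tools'
}
$httpsListener = Get-ChildItem WSMan:\localhost\Listener | Where-Object Keys -contains 'Transport=HTTPS'
if (-not $httpsListener) {
    Write-Warning 'No WinRM HTTPS listener: Turbot cannot reach this instance on TCP 5986'
}
```

Any line reported as BLOCKED points at a missing egress rule on the instance's security group or a missing ingress rule on the Active Directory side; the script prints one line per domain controller and port so a rule that is present for one DC but not another shows up as well.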

Policy Settings

The following policies need to be configured at the EC2 instance level (or higher):

Windows Stacks

Turbot needs to be able to run the AWS > EC2 > Turbot Windows Environment playbooks against the instance in order to complete AD join activities. To enable these playbooks, the following policies need to be set:

  • Set AWS > EC2 > Windows Environment Management to Enabled.

Windows Active Directory Policies

The following policies need to be set based on your AD domain settings:

  • Set Windows > Active Directory Domain Join to Enabled.
  • Windows > Active Directory Domain Name - The fully qualified name of the AD domain to join Windows instances to, e.g., corp.company.com.
  • Windows > Active Directory Domain Short Name - The short name of the AD domain to join Windows instances to, e.g., corp.
  • Windows > Active Directory Domain Admin User - The sAMAccountName to use for AD domain operations, which must have domain admin rights, e.g., svc-corp-domain-admin.
  • Windows > Active Directory Domain Admin Password - The password for AD domain operations.
  • Windows > Active Directory Distinguished Name - The distinguished name of the AD OU to join Windows instances to, e.g., OU=Cloud,OU=Servers,DC=corp,DC=company,DC=com.

Windows Group Management

The following policies need to be set based on the AD groups you want to add:

  • Set Windows > Active Directory Groups Management to Enabled.
  • Windows > Active Directory Administrator Group Templates - YAML list of AD groups to add to the local Administrators group, e.g.,

    - CorpDomainAdmins
    - ProjectServerAdmins

  • Windows > Active Directory User Group Templates - YAML list of AD groups to add to the local Users group, e.g.,

    - BackupServiceAccounts
    - ProjectAAA-LocalUsers
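Once the join and group policies have run, the outcome on the instance can be checked against the policy values rather than trusted. The following PowerShell script is an added example, not Turbot's own code: it verifies the machine's secure channel to the domain, that the computer object sits in the OU given by the Distinguished Name policy, and that the domain groups in the local Administrators and Users groups match the two group templates. The domain short name, OU and group names are the page's example values and are assumptions to replace with your own.

```powershell
# Added example, not Turbot code. Run elevated on a joined instance with RSAT installed.
# The values below mirror the page's examples and are assumptions for your environment.
$DomainShort   = 'corp'
$ExpectedOU    = 'OU=Cloud,OU=Servers,DC=corp,DC=company,DC=com'
$ExpectedAdmin = @('CorpDomainAdmins', 'ProjectServerAdmins')      # Administrator Group Templates
$ExpectedUsers = @('BackupServiceAccounts', 'ProjectAAA-LocalUsers') # User Group Templates

Import-Module ActiveDirectory

# 1. The machine account's secure channel to the domain is still valid.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Secure channel to the domain is broken; the join did not complete or the machine password is stale'
}

# 2. The computer object landed in the OU from the Distinguished Name policy.
$computer = Get-ADComputer -Identity ($env:COMPUTERNAME + '$')
$actualOU = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
if ($actualOU -ne $ExpectedOU) {
    Write-Warning "Computer object is in '$actualOU', expected '$ExpectedOU'"
}

# 3. Domain principals in a local group versus the template list for that group.
function Test-LocalGroupTemplate {
    param([string]$Group, [string[]]$Expected)
    # Keep only Active Directory members and strip the 'DOMAIN\' prefix (case-insensitive).
    $members = Get-LocalGroupMember -Group $Group |
               Where-Object PrincipalSource -eq 'ActiveDirectory' |
               ForEach-Object { $_.Name -replace "^$DomainShort\\", '' }
    [pscustomobject]@{
        Group                 = $Group
        Missing               = @($Expected | Where-Object { $_ -notin $members })
        OtherDomainPrincipals = @($members  | Where-Object { $_ -notin $Expected })
    }
}

Test-LocalGroupTemplate -Group 'Administrators' -Expected $ExpectedAdmin
Test-LocalGroupTemplate -Group 'Users'          -Expected $ExpectedUsers
```

A non-empty Missing column means a templated group was not applied; OtherDomainPrincipals lists domain groups or accounts that were granted local membership outside the templates, which is the drift worth reviewing (note that Windows adds the domain's Domain Users group to the local Users group by default on join, so expect it to appear there).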