

# Share your AWS Managed Microsoft AD

AWS Managed Microsoft AD integrates tightly with AWS Organizations to allow seamless directory sharing across multiple AWS accounts. You can share a single directory with other trusted AWS accounts within the same organization or share the directory with other AWS accounts that are outside your organization. You can also share your directory when your AWS account is not currently a member of an organization. 

## Key directory sharing concepts

You will get more out of the directory sharing feature if you become familiar with the following key concepts.

![Two AWS Managed Microsoft AD directories with directory sharing, domain joins, and Amazon VPC peering.](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/directory_sharing_concepts.png)


### Directory owner account


A directory owner is the AWS account holder that owns the originating directory in the shared directory relationship. An administrator in this account initiates the directory sharing workflow by specifying which AWS accounts to share their directory with. Directory owners can see who they've shared a directory with using the **Scale & Share** tab for a given directory in the Directory Service console.

### Directory consumer account


In a shared directory relationship, a directory consumer represents the AWS account to which the directory owner shared the directory with. Depending on the sharing method used, an administrator in this account may need to accept an invite sent from the directory owner before they can start using the shared directory.

The directory sharing process creates a shared directory in the directory consumer account. This shared directory contains the metadata that lets an EC2 instance in the consumer account locate the originating directory in the directory owner account and seamlessly join its domain. Each shared directory in the directory consumer account has a unique identifier (**Shared directory ID**). 

### Sharing methods


AWS Managed Microsoft AD provides the following two directory sharing methods:
+ **AWS Organizations** – This method makes it easier to share the directory within your organization because you can browse and validate the directory consumer accounts. To use this option, your organization must have **All features** enabled, and your directory must be in the organization management account. This method of sharing simplifies your setup because it doesn't require the directory consumer accounts to accept your directory sharing request. In the console, this method is referred to as **Share this directory with AWS accounts inside your organization**.
+ **Handshake** – This method enables directory sharing when you aren't using AWS Organizations. The handshake method requires the directory consumer account to accept the directory sharing request. In the console, this method is referred to as **Share this directory with other AWS accounts**.

### Network connectivity


Network connectivity is a prerequisite for using a directory sharing relationship across AWS accounts. AWS supports many solutions for connecting your VPCs, including [VPC peering](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html), [Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html), and [VPN](https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html). To get started, see [Tutorial: Sharing your AWS Managed Microsoft AD directory for seamless EC2 domain-join](ms_ad_tutorial_directory_sharing.md).

## Considerations


The following are some considerations when using directory sharing with your AWS Managed Microsoft AD:

**Pricing**
+ AWS charges an additional fee for directory sharing. The AWS account that is using the shared AWS Managed Microsoft AD is the account charged the sharing fees. To learn more, see the [Pricing](https://aws.amazon.com/directoryservice/pricing/) page on the Directory Service website.
+ Directory sharing makes AWS Managed Microsoft AD a more cost-effective way of integrating with Amazon EC2 in multiple accounts and VPCs.

**Region availability**
+ Directory sharing is available in all [AWS regions where AWS Managed Microsoft AD](regions.md) is offered.
+ In the AWS China (Ningxia) Region, this feature is available only when using [AWS Systems Manager](https://aws.amazon.com/systems-manager/) (SSM) to seamlessly join your Amazon EC2 instances.

For more information about directory sharing and how to extend the reach of your AWS Managed Microsoft AD directory across AWS account boundaries, see the following topics.

**Topics**
+ [Key directory sharing concepts](#ms_ad_directory_sharing_key_concepts)
+ [Considerations](#ms_ad_directory_sharing_considerations)
+ [Tutorial: Sharing your AWS Managed Microsoft AD directory for seamless EC2 domain-join](ms_ad_tutorial_directory_sharing.md)
+ [Unsharing your directory](ms_ad_directory_sharing_unshare.md)

# Tutorial: Sharing your AWS Managed Microsoft AD directory for seamless EC2 domain-join

This tutorial shows you how to share your AWS Managed Microsoft AD directory (the directory owner account) with another AWS account (the directory consumer account). Once the networking prerequisites have been completed, you will share a directory between two AWS accounts. Then you will learn how to seamlessly join an EC2 instance to a domain in the directory consumer account.

We recommend that you first review directory sharing key concepts and use case content before you start work on this tutorial. For more information, see [Key directory sharing concepts](ms_ad_directory_sharing.md#ms_ad_directory_sharing_key_concepts).

The process for sharing your directory differs depending on whether you share the directory with another AWS account in the same AWS organization or with an account that is outside of the AWS organization. For more information about how sharing works, see [Sharing methods](ms_ad_directory_sharing.md#sharing_methods).

This workflow has four basic steps. 

![Steps to share AWS Managed Microsoft AD: set up your networking environment, share your directory, accept the shared directory invite, and test seamlessly joining an Amazon EC2 instance for Windows Server to a domain.](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/directory_sharing_tutorial3.png)


**[Step 1: Set up your networking environment](step1_setup_networking.md)**  
In the directory owner account, you set up all of the networking prerequisites necessary for the directory sharing process. 

**[Step 2: Share your directory](step2_share_directory.md)**  
While signed in with directory owner administrator credentials, you open the Directory Service console and start the share directory workflow, which sends an invitation to the directory consumer account.

**[Step 3: Accept shared directory invite - Optional](step3_accept_invite.md)**  
While signed in with directory consumer administrator credentials, you open the Directory Service console and accept the directory sharing invite.

**[Step 4: Test seamlessly joining an EC2 instance for Windows Server to a domain](step4_test_ec2_access.md)**  
Finally, as the directory consumer administrator, you attempt to join an EC2 instance to your domain and verify that it works.

**Additional resources**
+ [Use case: Share your directory to seamlessly join Amazon EC2 instances to a domain across AWS accounts](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/usecase6.html)
+ [AWS Security Blog Article: How to Join Amazon EC2 Instances From Multiple Accounts and VPCs to a Single AWS Managed Microsoft AD Directory](https://aws.amazon.com/blogs/security/how-to-domain-join-amazon-ec2-instances-aws-managed-microsoft-ad-directory-multiple-accounts-vpcs/)

# Step 1: Set up your networking environment


You will need to establish an Amazon VPC peering connection to share your AWS Managed Microsoft AD directory (directory owner account) with another AWS account (directory consumer account). See the following procedures for steps to set up your networking environment for a shared AWS Managed Microsoft AD. 

## Prerequisites


Before you begin the steps in this tutorial, you must first do the following:
+ Create two new AWS accounts for testing purposes in the same Region. When you create an AWS account, it automatically creates a dedicated virtual private cloud (VPC) in each account. Take note of the VPC ID in each account. You will need this later.
+ [Create an AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_create_directory).
+ When creating a VPC peering connection, both the directory owner account and the directory consumer account will need the necessary permissions to create and accept the peering connection. For more information, see [Example: Create a VPC peering connection](https://docs.aws.amazon.com//vpc/latest/peering/security-iam.html#vpc-peering-iam-create) and [Example: Accept a VPC peering connection](https://docs.aws.amazon.com//vpc/latest/peering/security-iam.html#vpc-peering-iam-accept).
**Note**  
While there are many ways to connect Directory owner and Directory consumer account VPCs, this tutorial will use the VPC peering method. For additional VPC connectivity options, see [Network connectivity](ms_ad_directory_sharing.md#network_connectivity).

## Configure a VPC peering connection between the directory owner and the directory consumer account


The VPC peering connection you will create is between the directory consumer and directory owner VPCs. Follow these steps to configure a VPC peering connection for connectivity with the directory consumer account. With this connection you can route traffic between both VPCs using private IP addresses.

**To create a VPC peering connection between the directory owner and directory consumer account**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). Make sure to sign in as a user with administrator credentials in the directory owner account with the necessary permissions to create a VPC peering connection. See [Prerequisites](#step1_setup_networking_prereqs) for more information.

1. In the navigation pane, choose **Peering Connections**. Then choose **Create Peering Connection**.

1. Configure the following information:
   + **Peering connection name tag**: Provide a name that clearly identifies this connection with the VPC in the directory consumer account. 
   + **VPC (Requester)**: Select the VPC ID for the directory owner account. 
   + Under **Select another VPC to peer with**, ensure that **My account** and **This region** are selected.
   + **VPC (Accepter)**: Select the VPC ID for the directory consumer account. 

1. Choose **Create Peering Connection**. In the confirmation dialog box, choose **OK**.

**To accept the peering request on behalf of the directory consumer account**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). Make sure to sign in as a user with the necessary permissions to accept the peering request. See [Prerequisites](#step1_setup_networking_prereqs) for more information.

1. In the navigation pane, choose **Peering Connections**.

1. Select the pending VPC peering connection. (Its status is Pending Acceptance.) Choose **Actions**, **Accept Request**.

1. In the confirmation dialog, choose **Yes, Accept**. In the next confirmation dialog box, choose **Modify my route tables now** to go directly to the route tables page.

Now that your VPC peering connection is active, you must add an entry to your VPC route table in the directory owner account. Doing so enables traffic to be directed to the VPC in the directory consumer account.

**To add an entry to the VPC route table in the directory owner account**

1. While in the **Route Tables** section of the Amazon VPC console, select the route table for the directory owner VPC.

1. Choose the **Routes** tab, choose **Edit routes**, and then choose **Add route**.

1. In the **Destination** column, enter the CIDR block for the directory consumer VPC.

1. In the **Target** column, enter the VPC peering connection ID (such as **pcx-123456789abcde000**) for the peering connection that you created earlier in the directory owner account.

1. Choose **Save changes**.

**To add an entry to the VPC route table in the directory consumer account**

1. While in the **Route Tables** section of the Amazon VPC console, select the route table for the directory consumer VPC.

1. Choose the **Routes** tab, choose **Edit routes**, and then choose **Add route**.

1. In the **Destination** column, enter the CIDR block for the directory owner VPC.

1. In the **Target** column, type in the VPC peering connection ID (such as **pcx-123456789abcde001**) for the peering connection that you created earlier in the directory consumer account.

1. Choose **Save changes**.

Add Active Directory protocols and ports to the outbound rules for security groups in directory consumer VPCs. For more information, see [Security groups for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) and [AWS Managed Microsoft AD prerequisites](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_prereqs.html).
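The whole of Step 1 can also be done with the AWS CLI. The following script is an added example written for this page; it is not part of the AWS documentation or of any AWS tool. It assumes two named CLI profiles (`owner` and `consumer`) for the two accounts in the same Region, and the VPC, route-table, security-group and account IDs it uses are constructed placeholders. Before sending the peering request it checks that the two VPC CIDR blocks do not overlap, since a VPC peering connection cannot be created between overlapping address spaces and the return routes would be ambiguous; it then creates and accepts the connection, adds the route in each account, and opens the consumer-side security group egress for the Active Directory ports from the linked prerequisites page (check that page before relying on the list here).

```shell
#!/bin/bash
# Added example, not from the AWS documentation: AWS CLI equivalent of Step 1.
# Assumptions (all constructed placeholders, replace with your own):
#   - two named CLI profiles, "owner" and "consumer", for the two accounts, same Region
#   - the VPC, route-table, security-group and account IDs below
set -eu

OWNER_PROFILE="owner"
CONSUMER_PROFILE="consumer"
CONSUMER_ACCOUNT="111122223333"        # placeholder consumer account ID
OWNER_VPC="vpc-0aaaa000000000001"      # placeholder
CONSUMER_VPC="vpc-0bbbb000000000002"   # placeholder
OWNER_RTB="rtb-0aaaa000000000001"      # placeholder
CONSUMER_RTB="rtb-0bbbb000000000002"   # placeholder
CONSUMER_SG="sg-0bbbb000000000003"     # placeholder: SG of the consumer-side instances

# Dotted-quad IPv4 address to integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when two IPv4 CIDR blocks overlap, i.e. they agree on the shorter prefix.
# VPC peering cannot be created between VPCs with overlapping CIDR blocks.
cidr_overlaps() {
  a_net=$(ip_to_int "${1%/*}"); a_bits=${1#*/}
  b_net=$(ip_to_int "${2%/*}"); b_bits=${2#*/}
  bits=$a_bits
  if [ "$b_bits" -lt "$bits" ]; then bits=$b_bits; fi
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
}

# Requester side (owner) creates the request; accepter side (consumer) accepts it.
# The same pcx- ID identifies the connection in both accounts.
create_and_accept_peering() {
  pcx=$(aws ec2 create-vpc-peering-connection --profile "$OWNER_PROFILE" \
        --vpc-id "$OWNER_VPC" --peer-vpc-id "$CONSUMER_VPC" --peer-owner-id "$CONSUMER_ACCOUNT" \
        --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text)
  aws ec2 accept-vpc-peering-connection --profile "$CONSUMER_PROFILE" \
      --vpc-peering-connection-id "$pcx" >/dev/null
  echo "$pcx"
}

# Route the other VPC's CIDR through the peering connection.
add_peering_route() { # profile route-table-id destination-cidr pcx-id
  aws ec2 create-route --profile "$1" --route-table-id "$2" \
      --destination-cidr-block "$3" --vpc-peering-connection-id "$4" >/dev/null
}

# Outbound rules the consumer-side security group needs towards the owner VPC.
# Port list as given on the AWS Managed Microsoft AD prerequisites page linked above;
# verify against that page before relying on it. Format: protocol:from-to
AD_EGRESS="tcp:53-53 udp:53-53 tcp:88-88 udp:88-88 udp:123-123 tcp:135-135 udp:137-138 \
tcp:139-139 tcp:389-389 udp:389-389 tcp:445-445 udp:445-445 tcp:464-464 udp:464-464 \
tcp:636-636 tcp:3268-3269 tcp:9389-9389 tcp:49152-65535 udp:49152-65535"
allow_ad_egress() { # security-group-id owner-cidr
  for rule in $AD_EGRESS; do
    proto=${rule%%:*}; range=${rule#*:}
    aws ec2 authorize-security-group-egress --profile "$CONSUMER_PROFILE" --group-id "$1" \
        --ip-permissions "IpProtocol=$proto,FromPort=${range%-*},ToPort=${range#*-},IpRanges=[{CidrIp=$2}]" \
        >/dev/null
  done
}

# Whole of Step 1; prints the peering connection ID on success, fails early on CIDR overlap.
set_up_networking() {
  owner_cidr=$(aws ec2 describe-vpcs --profile "$OWNER_PROFILE" --vpc-ids "$OWNER_VPC" \
               --query 'Vpcs[0].CidrBlock' --output text)
  consumer_cidr=$(aws ec2 describe-vpcs --profile "$CONSUMER_PROFILE" --vpc-ids "$CONSUMER_VPC" \
                  --query 'Vpcs[0].CidrBlock' --output text)
  if cidr_overlaps "$owner_cidr" "$consumer_cidr"; then
    echo "error: VPC CIDRs $owner_cidr and $consumer_cidr overlap; peering is not possible" >&2
    return 1
  fi
  pcx=$(create_and_accept_peering)
  add_peering_route "$OWNER_PROFILE" "$OWNER_RTB" "$consumer_cidr" "$pcx"
  add_peering_route "$CONSUMER_PROFILE" "$CONSUMER_RTB" "$owner_cidr" "$pcx"
  allow_ad_egress "$CONSUMER_SG" "$owner_cidr"
  echo "$pcx"
}

# Run only when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then set_up_networking; fi
```

Run it as `./step1.sh run` with both profiles configured. The CIDR check is the part worth keeping even if you do the rest in the console: the two default VPCs created for the test accounts will usually carry the same default CIDR, in which case the peering request is rejected and one of the VPCs has to be recreated or replaced with a different range.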

**Next Step**

[Step 2: Share your directory](step2_share_directory.md)

# Step 2: Share your directory


Use the following procedures to begin the directory sharing workflow from within the directory owner account. 

**Note**  
Directory sharing is a Regional feature of AWS Managed Microsoft AD. If you are using [Multi-Region replication](ms_ad_configure_multi_region_replication.md), the following procedures must be applied separately in each Region. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

**To share your directory from the directory owner account**

1. Sign into the AWS Management Console with administrator credentials in the directory owner account and open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) at https://console.aws.amazon.com/directoryservicev2/.

1. In the navigation pane, choose **Directories**.

1. Choose the directory ID of the AWS Managed Microsoft AD directory that you want to share.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to share your directory, and then choose the **Scale & share** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Scale & share** tab.

1. In the **Shared directories** section, choose **Actions**, and then choose **Create new shared directory**.

1. On the **Choose which AWS accounts to share with** page, choose one of the following sharing methods depending on your business needs:

   1. **Share this directory with AWS accounts inside your organization** – With this option you can select the AWS accounts you want to share your directory with from a list showing all the AWS accounts inside your AWS organization. You must enable trusted access with Directory Service before you share a directory. For more information, see [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access).
**Note**  
To use this option, your organization must have **All features** enabled, and your directory must be in the organization management account.

      1. Under **AWS accounts in your organization**, select the AWS accounts that you want to share the directory with and click **Add**. 

      1. Review the pricing details, and then choose **Share**.

      1. Proceed to [Step 4](step4_test_ec2_access.md) in this guide. Because all AWS accounts are in the same organization, you do not need to follow Step 3.

   1. **Share this directory with other AWS accounts** – With this option, you can share a directory with accounts inside or outside your AWS organization. You can also use this option when your directory is not a member of an AWS organization and you want to share with another AWS account.

      1. In **AWS account ID(s)**, enter all the AWS account IDs that you want to share the directory with, and then click **Add**.

      1. In **Send a note**, type a message to the administrator in the other AWS account. 

      1. Review the pricing details, and then choose **Share**.

      1. Proceed to Step 3. 

**Next Step**

[Step 3: Accept shared directory invite - Optional](step3_accept_invite.md)

# Step 3: Accept shared directory invite - Optional


If you chose the **Share this directory with other AWS accounts** (handshake method) option in the previous procedure, you should use this procedure to finish the shared directory workflow. If you chose the **Share this directory with AWS accounts inside your organization** option, skip this step and proceed to Step 4. 

**To accept the shared directory invite**

1. Sign into the AWS Management Console with administrator credentials in the directory consumer account and open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) at https://console.aws.amazon.com/directoryservicev2/.

1. In the navigation pane, choose **Directories shared with me**.

1. In the **Shared directory ID** column, choose the directory ID that is in the **Pending acceptance** state.

1. On the **Shared directory details** page, choose **Review**.

1. In the **Pending shared directory invitation** dialog, review the note, directory owner details, and information about pricing. If you agree, choose **Accept** to start using the directory.
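The two sharing methods described under Sharing methods and in Step 2, together with the Step 3 acceptance, map onto a handful of AWS CLI calls. The script below is an added example for this page, not AWS code; the profile names, the directory ID and the consumer account ID are constructed placeholders. With the Organizations method the share goes straight to the **Shared** state; with the handshake method the owner's call leaves it in **PendingAcceptance** until the consumer accepts, which is why the handshake branch switches to the consumer profile before checking the status again from the owner side.

```shell
#!/bin/bash
# Added example, not from the AWS documentation: AWS CLI equivalent of Step 2 (both sharing
# methods) and Step 3 (handshake acceptance). Profile names, the directory ID and the
# consumer account ID are constructed placeholders.
set -eu

OWNER_PROFILE="owner"
CONSUMER_PROFILE="consumer"
DIRECTORY_ID="d-1234567890"       # placeholder: the owner account's AWS Managed Microsoft AD
CONSUMER_ACCOUNT="111122223333"   # placeholder

# Organizations method: consumer in the same organization, All features enabled, directory in
# the management account. No acceptance step is needed.
share_in_org() { # consumer-account-id -> shared directory ID
  aws ds share-directory --profile "$OWNER_PROFILE" --directory-id "$DIRECTORY_ID" \
      --share-method ORGANIZATIONS --share-target "Id=$1,Type=ACCOUNT" \
      --query SharedDirectoryId --output text
}

# Handshake method: works for any account; the consumer has to accept the invitation.
share_handshake() { # consumer-account-id note -> shared directory ID
  aws ds share-directory --profile "$OWNER_PROFILE" --directory-id "$DIRECTORY_ID" \
      --share-method HANDSHAKE --share-target "Id=$1,Type=ACCOUNT" --share-notes "$2" \
      --query SharedDirectoryId --output text
}

# Owner-side status of one share, as shown on the Scale & share tab.
share_status() { # shared-directory-id -> ShareStatus
  aws ds describe-shared-directories --profile "$OWNER_PROFILE" \
      --owner-directory-id "$DIRECTORY_ID" --shared-directory-ids "$1" \
      --query 'SharedDirectories[0].ShareStatus' --output text
}

# Step 3, run with consumer credentials: accept the pending invitation.
# The invitation can take a moment to reach PendingAcceptance; rerun if this call fails.
accept_share() { # shared-directory-id -> ShareStatus after acceptance
  aws ds accept-shared-directory --profile "$CONSUMER_PROFILE" --shared-directory-id "$1" \
      --query SharedDirectory.ShareStatus --output text
}

# Step 2 and, for the handshake method, Step 3. Prints "<shared directory ID> <status>".
share_flow() { # org|handshake consumer-account-id
  case "$1" in
    org)
      sid=$(share_in_org "$2")
      ;;
    handshake)
      sid=$(share_handshake "$2" "Shared for seamless EC2 domain join; see the tutorial.")
      accept_share "$sid" >/dev/null
      ;;
    *)
      echo "usage: $0 org|handshake [consumer-account-id]" >&2
      return 2
      ;;
  esac
  echo "$sid $(share_status "$sid")"
}

if [ "${1:-}" = "org" ] || [ "${1:-}" = "handshake" ]; then
  share_flow "$1" "${2:-$CONSUMER_ACCOUNT}"
fi
```

`share_status` is the owner-side check that belongs after either method: a share that stays in **PendingAcceptance** means the consumer has not accepted yet, and one in **ShareFailed** means the request never reached the consumer and should be investigated before anyone tries to join instances.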

**Next Step**

[Step 4: Test seamlessly joining an EC2 instance for Windows Server to a domain](step4_test_ec2_access.md)

# Step 4: Test seamlessly joining an EC2 instance for Windows Server to a domain


You can use either of the following two methods to test seamlessly joining an EC2 instance to a domain. 

## Method 1: Test domain join using the Amazon EC2 console


Use these steps in the directory consumer account. 

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation bar, choose the same AWS Region as the existing directory.

1. On the **EC2 Dashboard**, in the **Launch instance** section, choose **Launch instance**.

1. On the **Launch an instance** page, under the **Name and Tags** section, enter the name you would like to use for your Windows EC2 instance.

1.  (Optional) Choose **Add additional tags** to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance. 

1. In the **Application and OS Image (Amazon Machine Image)** section, choose **Windows** in the **Quick Start** pane. You can change the Windows Amazon Machine Image (AMI) from the **Amazon Machine Image (AMI)** dropdown list. 

1. In the **Instance type** section, choose the instance type you would like to use from **Instance type** dropdown list.

1. In the **Key pair (login)** section, you can either choose to create a new key pair or choose from an existing key pair.

   1. To create a new key pair, choose **Create new key pair**.

   1. Enter a name for the key pair and select an option for the **Key pair type** and **Private key file format**.

   1.  To save the private key in a format that can be used with OpenSSH, choose **.pem**. To save the private key in a format that can be used with PuTTY, choose **.ppk**.

   1. Choose **create key pair**.

   1. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

1. On the **Launch an instance** page, under the **Network settings** section, choose **Edit**. From the **VPC - required** dropdown list, choose the VPC that your directory was created in.

1. Choose one of the public subnets in your VPC from the **Subnet** dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

   For more information on how to connect to an internet gateway, see [Connect to the internet using an internet gateway](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

1. Under **Auto-assign public IP**, choose **Enable**.

   For more information about public and private IP addressing, see [Amazon EC2 instance IP addressing](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-instance-addressing.html) in the *Amazon EC2 User Guide*.

1. For **Firewall (security groups)** settings, you can use the default settings or make changes to meet your needs. 

1. For **Configure storage** settings, you can use the default settings or make changes to meet your needs.

1. Expand the **Advanced details** section and choose your domain from the **Domain join directory** dropdown list.
**Note**  
After choosing the Domain join directory, you may see the following error:  

![An error message when selecting your Domain join directory: there is an error with your existing SSM document.](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/SSM-Error-Message.png)

This error occurs if the EC2 launch wizard finds an existing SSM document with unexpected properties. You can do one of the following:  
+ If you previously edited the SSM document and its properties are what you expect, choose **Close** and proceed to launch the EC2 instance with no changes.
+ Choose the **delete the existing SSM document here** link to delete the SSM document. This allows an SSM document with the correct properties to be created automatically when you launch the EC2 instance.

1. For **IAM instance profile**, you can select an existing IAM instance profile or create a new one. Select an IAM instance profile that has the AWS managed policies **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess** attached to it from the **IAM instance profile** dropdown list. To create a new one, choose **Create new IAM profile** link, and then do the following: 

   1. Choose **Create role**.

   1. Under **Select trusted entity**, choose **AWS service**.

   1. Under **Use case**, choose **EC2**.

   1.  Under **Add permissions**, in the list of policies, select the **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess** policies. To filter the list, type **SSM** in the search box. Choose **Next**. 
**Note**  
**AmazonSSMDirectoryServiceAccess** provides the permissions to join instances to an Active Directory managed by Directory Service. **AmazonSSMManagedInstanceCore** provides the minimum permissions necessary to use the AWS Systems Manager service. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*.

   1. On the **Name, review, and create** page, enter a **Role name**. You will need this role name to attach to the EC2 instance.

   1. (Optional) You can provide a description of the IAM instance profile in the **Description** field.

   1. Choose **Create role**.

   1.  Return to **Launch an instance** page and choose the refresh icon next to the **IAM instance profile**. Your new IAM instance profile should be visible in the **IAM instance profile** dropdown list. Choose the new profile and leave the rest of the settings with their default values. 

1. Choose **Launch instance**.

## Method 2: Test domain join using AWS Systems Manager


Use these steps in the directory consumer account. To complete this procedure, you will need some information about the directory owner account such as the Directory ID, directory name, and the DNS IP addresses.

**Prerequisites**
+ Set up AWS Systems Manager.
  + For more information about Systems Manager, see [General setup for AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setting_up_prerequisites.html).
+ Instances you wish to join the AWS Managed Microsoft Active Directory domain must have an attached IAM role containing the **AmazonSSMManagedInstanceCore** and **AmazonSSMDirectoryServiceAccess** managed policies. 
  + For more information about these managed policies and other policies you can attach to an IAM instance profile for Systems Manager, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*. For information about managed policies, see [AWS Managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

For more information on using Systems Manager to join EC2 instances to an AWS Managed Microsoft Active Directory domain, see [How do I use AWS Systems Manager to join a running EC2 Windows instance to my AWS Directory Service domain?](https://repost.aws/knowledge-center/ec2-systems-manager-dx-domain#).

1. Open the AWS Systems Manager console at [https://console.aws.amazon.com/systems-manager/](https://console.aws.amazon.com/systems-manager/).

1. In the navigation pane, under **Node Management**, choose **Run Command**.

1. Choose **Run command**.

1. On the **Run a command** page, search for `AWS-JoinDirectoryServiceDomain`. When it is displayed in the search results, select the `AWS-JoinDirectoryServiceDomain` option.

1. Scroll down to the **Command parameters** section. You must provide the following parameters:
**Note**  
You can locate the **Directory ID**, **directory name**, and **DNS IP addresses** by going back to the Directory Service console, selecting **Directories shared with me**, and selecting your directory. Your **Directory ID** can be found under the **Shared directory details** section. You can locate the values for **Directory name** and **DNS IP addresses** under the **Owner directory details** section.
   + For **Directory ID**, enter the ID of the AWS Managed Microsoft Active Directory (the **Directory ID** shown under **Shared directory details**).
   + For **Directory Name**, enter the name of the AWS Managed Microsoft Active Directory (for the directory owner account).
   + For **DNS IP Addresses**, enter the IP addresses of the DNS servers in the AWS Managed Microsoft Active Directory (for the directory owner account).

1. For **Targets**, choose **Choose instances manually**, and then select the instances that you want to join the domain.

1. Leave the remaining fields at their default values, scroll down the page, and then choose **Run**.

1. The command status will change from **Pending** to **Success** once the instances have successfully joined the domain. You can view the command output by selecting the **Instance ID** of the instance that joined the domain and **View output**.
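Method 2 as an AWS CLI script, run with directory consumer credentials. This is an added example for this page, not AWS code; the profile name, the shared directory ID and the instance IDs are constructed placeholders, and the assumption that `describe-directories` in the consumer account reports the owner's DNS addresses under `OwnerDirectoryDescription` is marked in the code. It pulls the three parameters the note above tells you to look up, builds the JSON parameter document for `AWS-JoinDirectoryServiceDomain` (every Systems Manager parameter is a list of strings, which is the detail that usually trips up hand-written calls), sends the command and polls each invocation until it reaches a final status.

```shell
#!/bin/bash
# Added example, not from the AWS documentation: AWS CLI equivalent of Method 2, run with
# directory consumer credentials. Profile name, shared directory ID and instance IDs are
# constructed placeholders.
set -eu

PROFILE="consumer"
SHARED_DIRECTORY_ID="d-9876543210"   # placeholder: the ID under "Directories shared with me"

# The directory name and DNS IPs belong to the owner directory. Assumption about the output
# shape of DescribeDirectories in the consumer account: Name at the top level, the owner's
# DNS addresses under OwnerDirectoryDescription.
directory_name() {
  aws ds describe-directories --profile "$PROFILE" --directory-ids "$SHARED_DIRECTORY_ID" \
      --query 'DirectoryDescriptions[0].Name' --output text
}
dns_ips() { # whitespace-separated list
  aws ds describe-directories --profile "$PROFILE" --directory-ids "$SHARED_DIRECTORY_ID" \
      --query 'DirectoryDescriptions[0].OwnerDirectoryDescription.DnsIpAddrs' --output text
}

# JSON parameters for the AWS-JoinDirectoryServiceDomain document. Every SSM parameter is a
# list of strings, so each value is wrapped in an array.
join_parameters() { # directory-id directory-name "ip1 ip2 ..."
  ips=""
  for ip in $3; do ips="$ips${ips:+,}\"$ip\""; done
  printf '{"directoryId":["%s"],"directoryName":["%s"],"dnsIpAddresses":[%s]}' "$1" "$2" "$ips"
}

# Send the join command to one or more instances; prints the command ID.
join_domain() { # instance-id...
  params=$(join_parameters "$SHARED_DIRECTORY_ID" "$(directory_name)" "$(dns_ips)")
  aws ssm send-command --profile "$PROFILE" --document-name AWS-JoinDirectoryServiceDomain \
      --instance-ids "$@" --parameters "$params" --query Command.CommandId --output text
}

# Poll one instance's invocation until it leaves the in-progress states; prints the final
# status (Success when the join worked, otherwise Failed, TimedOut or Cancelled).
wait_for_join() { # command-id instance-id
  while :; do
    status=$(aws ssm get-command-invocation --profile "$PROFILE" \
             --command-id "$1" --instance-id "$2" --query Status --output text)
    case "$status" in
      Pending|InProgress|Delayed) sleep 10 ;;
      *) echo "$status"; return 0 ;;
    esac
  done
}

# Join and wait for every instance given on the command line; prints "<instance> <status>".
join_and_wait() { # instance-id...
  cmd=$(join_domain "$@")
  for inst in "$@"; do
    echo "$inst $(wait_for_join "$cmd" "$inst")"
  done
}

if [ $# -gt 0 ]; then join_and_wait "$@"; fi
```

Run it as `./join.sh i-0123456789abcdef0` (placeholder instance ID). A **Failed** status is where to look at the output the console step above describes; the usual causes are an instance profile without the two managed policies, or security-group and route entries from Step 1 that do not reach the owner VPC's DNS addresses.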

After completing either of these methods, your EC2 instance should be joined to the domain. You can then log in to the instance using a Remote Desktop Protocol (RDP) client with the credentials of an AWS Managed Microsoft AD user account.

# Unsharing your directory


Use the following procedure to unshare an AWS Managed Microsoft AD directory.

**To unshare your directory**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, under **Active Directory**, select **Directories**.

1. Choose the directory ID of the AWS Managed Microsoft AD directory that you want to unshare.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to unshare your directory, and then choose the **Scale & share** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Scale & share** tab.

1. In the **Shared directories** section, select the shared directory you want to unshare, choose **Actions**, and then choose **Unshare**.

1. In the **Unshare directory** dialog box, choose **Unshare**.
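The unshare procedure as an AWS CLI script, run with directory owner credentials. This is an added example for this page, not AWS code; the profile name, directory ID and consumer account ID are constructed placeholders. Beyond the single `unshare-directory` call it polls the owner-side share status until the share is reported **Deleted** or no longer appears, so that a script removing a consumer account does not report success while the share is still in **Deleting**.

```shell
#!/bin/bash
# Added example, not from the AWS documentation: AWS CLI equivalent of the unshare procedure,
# run with directory owner credentials, followed by a check that the share is really gone.
# Profile name, directory ID and consumer account ID are constructed placeholders.
set -eu

OWNER_PROFILE="owner"
DIRECTORY_ID="d-1234567890"        # placeholder: the owner's AWS Managed Microsoft AD
CONSUMER_ACCOUNT="111122223333"    # placeholder

# Current share status for one consumer account, or "none" when no share exists
# (the CLI prints "None" in text mode when the JMESPath filter matches nothing).
share_status_for_account() { # consumer-account-id
  status=$(aws ds describe-shared-directories --profile "$OWNER_PROFILE" \
           --owner-directory-id "$DIRECTORY_ID" \
           --query "SharedDirectories[?SharedAccountId=='$1'].ShareStatus | [0]" --output text)
  if [ -z "$status" ] || [ "$status" = "None" ]; then echo "none"; else echo "$status"; fi
}

# Revoke the share, then poll until it is reported Deleted or disappears.
unshare_from_account() { # consumer-account-id
  aws ds unshare-directory --profile "$OWNER_PROFILE" --directory-id "$DIRECTORY_ID" \
      --unshare-target "Id=$1,Type=ACCOUNT" >/dev/null
  while :; do
    status=$(share_status_for_account "$1")
    case "$status" in
      none|Deleted) echo "unshared"; return 0 ;;
      Deleting) sleep 10 ;;
      *) echo "unexpected share status: $status" >&2; return 1 ;;
    esac
  done
}

if [ "${1:-}" = "run" ]; then unshare_from_account "${2:-$CONSUMER_ACCOUNT}"; fi
```

Run it as `./unshare.sh run 111122223333` (placeholder account ID). Any status other than **Deleting**, **Deleted** or no share at all after the call is treated as an error, so a share that is still **Shared** after `unshare-directory` returns is reported rather than silently retried.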

**Additional resources**
+ [Use case: Share your directory to seamlessly join Amazon EC2 instances to a domain across AWS accounts](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/usecase6.html)
+ [AWS security blog article: How to join Amazon EC2 instances from multiple accounts and VPCs to a single AWS Managed Microsoft AD directory](https://aws.amazon.com/blogs/security/how-to-domain-join-amazon-ec2-instances-aws-managed-microsoft-ad-directory-multiple-accounts-vpcs/)
+ [Joining your Amazon RDS DB instances across accounts to a single shared domain](https://aws.amazon.com/blogs/database/joining-your-amazon-rds-instances-across-accounts-to-a-single-shared-domain/)