

# AWS Directory Service
<a name="automation-ref-ads"></a>

 AWS Systems Manager Automation provides predefined runbooks for AWS Directory Service. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWS-CreateDSManagementInstance`](automation-awssupport-create-ds-management-instance.md)
+ [`AWSSupport-TroubleshootADConnectorConnectivity`](automation-awssupport-troubleshootadconnectorconnectivity.md)
+ [`AWSSupport-TroubleshootDirectoryTrust`](automation-awssupport-troubleshootdirectorytrust.md)

# `AWS-CreateDSManagementInstance`
<a name="automation-awssupport-create-ds-management-instance"></a>

 **Description** 

 The `AWS-CreateDSManagementInstance` runbook creates an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance that you can use to manage your AWS Directory Service directory. The management instance can't be used to manage AD Connector directories. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWS-CreateDSManagementInstance) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ AmiID

  Type: String

  Default: `{{ ssm:/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base }}`

  Description: (Optional) The ID of the Amazon Machine Image (AMI) to use for launching the instance. By default, the instance launches with the latest Microsoft Windows Server 2019 Base AMI.
+ DirectoryId

  Type: String

  Description: (Required) The Directory Id of your Directory Service directory.
+ IamInstanceProfileName

  Type: String

  Description: (Optional) IAM instance profile name. By default, if no instance profile named AmazonSSMDirectoryServiceInstanceProfileRole exists, an instance profile with that name is created.

  Default: AmazonSSMDirectoryServiceInstanceProfileRole
+ InstanceType

  Type: String

  Default: t3.medium

  Allowed values:
  + t2.nano
  + t2.micro
  + t2.small
  + t2.medium
  + t2.large
  + t2.xlarge
  + t2.2xlarge
  + t3.nano
  + t3.micro
  + t3.small
  + t3.medium
  + t3.large
  + t3.xlarge
  + t3.2xlarge

  Description: (Optional) Type of instance to launch. Default is t3.medium.
+ KeyPairName

  Type: String

  Description: (Optional) Key pair to use when launching the instance. Windows does not support ED25519 key pairs. By default the instance is launched without a key pair (NoKeyPair).

  Default: NoKeyPair
+ RemoteAccessCidr

  Type: String

  Description: (Optional) Creates a security group with an inbound rule that allows RDP (port 3389) from the IP range specified by this CIDR (default is 0.0.0.0/0, which allows RDP from any IPv4 address). If the security group already exists, it is not modified and its rules are not changed.

  Default: 0.0.0.0/0
+ SecurityGroupName

  Type: String

  Description: (Optional) Security group name. By default, if no security group named AmazonSSMDirectoryServiceSecurityGroup exists, a security group with that name is created.

  Default: AmazonSSMDirectoryServiceSecurityGroup
+ Tags

  Type: MapList

  Description: (Optional) A key-value pair you want to apply to the resources created by the automation.

  Default: `[{"Key":"Description","Value":"Created by AWS Systems Manager Automation"},{"Key":"Created By","Value":"AWS Systems Manager Automation"}]`

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ds:DescribeDirectories` 
+  `ec2:AuthorizeSecurityGroupIngress` 
+  `ec2:CreateSecurityGroup` 
+  `ec2:CreateTags` 
+  `ec2:DeleteSecurityGroup` 
+  `ec2:DescribeInstances` 
+  `ec2:DescribeInstanceStatus` 
+  `ec2:DescribeKeyPairs` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeVpcs` 
+  `ec2:RunInstances` 
+  `ec2:TerminateInstances` 
+  `iam:AddRoleToInstanceProfile` 
+  `iam:AttachRolePolicy` 
+  `iam:CreateInstanceProfile` 
+  `iam:CreateRole` 
+  `iam:DeleteInstanceProfile` 
+  `iam:DeleteRole` 
+  `iam:DetachRolePolicy` 
+  `iam:GetInstanceProfile` 
+  `iam:GetRole` 
+  `iam:ListAttachedRolePolicies` 
+  `iam:ListInstanceProfiles` 
+  `iam:ListInstanceProfilesForRole` 
+  `iam:PassRole` 
+  `iam:RemoveRoleFromInstanceProfile` 
+  `iam:TagInstanceProfile` 
+  `iam:TagRole` 
+  `ssm:CreateDocument` 
+  `ssm:DeleteDocument` 
+  `ssm:DescribeInstanceInformation` 
+  `ssm:GetAutomationExecution` 
+  `ssm:GetParameters` 
+  `ssm:ListCommandInvocations` 
+  `ssm:ListCommands` 
+  `ssm:ListDocuments` 
+  `ssm:SendCommand` 
+  `ssm:StartAutomationExecution` 

 **Document Steps** 
+  `aws:executeAwsApi` - Gathers details about the directory you specify in the `DirectoryId` parameter. 
+  `aws:executeAwsApi` - Gets the CIDR block of the virtual private cloud (VPC) where the directory was launched. 
+  `aws:executeAwsApi` - Creates a security group using the value you specify in the `SecurityGroupName` parameter. 
+  `aws:executeAwsApi` - Creates an inbound rule for the newly created security group that allows RDP traffic from the CIDR you specify in the `RemoteAccessCidr` parameter. 
+  `aws:executeAwsApi` - Creates an IAM role and instance profile using the value you specify in the `IamInstanceProfileName` parameter. 
+  `aws:executeAwsApi` - Launches an Amazon EC2 instance based on the values you specify in the runbook parameters. 
+  `aws:executeAwsApi` - Creates an AWS Systems Manager document to join the newly launched instance to your directory. 
+  `aws:runCommand` - Joins the new instance to your directory. 
+  `aws:runCommand` - Installs remote server administration tools on the new instance. 
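The `RemoteAccessCidr` default of 0.0.0.0/0 leaves TCP 3389 on the new instance reachable from any IPv4 address, and the runbook never tightens that rule afterwards, so it is worth validating inputs before starting it. The following added example (not part of the AWS runbook) builds the `Parameters` map that boto3's `start_automation_execution` expects and rejects a malformed DirectoryId, an instance type outside the runbook's allowed list, or an RDP CIDR broader than /24; the /24 threshold is an assumed policy, and the `d-` ID pattern is taken from the `AWSSupport-TroubleshootDirectoryTrust` parameter later on this page.

```python
"""Pre-flight guard for starting AWS-CreateDSManagementInstance with boto3.
Added example, not code from the AWS runbook: it validates the inputs that
decide the instance's exposure and builds the Parameters map for
StartAutomationExecution (every value is a list of strings)."""
import ipaddress
import re

RUNBOOK = "AWS-CreateDSManagementInstance"
# Instance types the runbook accepts, per its "Allowed values" list.
ALLOWED_INSTANCE_TYPES = {f"{fam}.{size}" for fam in ("t2", "t3") for size in
                          ("nano", "micro", "small", "medium", "large", "xlarge", "2xlarge")}
DIRECTORY_ID = re.compile(r"^d-[a-z0-9]{10}$")  # pattern used by the Trust runbook


def build_parameters(directory_id, remote_access_cidr, instance_type="t3.medium",
                     key_pair_name="NoKeyPair", assume_role_arn=None):
    """Return the Parameters dict for start_automation_execution, or raise ValueError."""
    if not DIRECTORY_ID.match(directory_id):
        raise ValueError(f"DirectoryId {directory_id!r} is not of the form d-xxxxxxxxxx")
    if instance_type not in ALLOWED_INSTANCE_TYPES:
        raise ValueError(f"InstanceType {instance_type!r} is not allowed by the runbook")
    net = ipaddress.ip_network(remote_access_cidr, strict=True)  # raises on malformed input
    # The runbook opens TCP 3389 to this CIDR and never narrows the rule later,
    # so refuse anything broader than a /24 (assumed policy; 0.0.0.0/0 is the default).
    if net.prefixlen < 24:
        raise ValueError(f"RemoteAccessCidr {remote_access_cidr} is too broad for RDP exposure")
    params = {
        "DirectoryId": [directory_id],
        "RemoteAccessCidr": [str(net)],
        "InstanceType": [instance_type],
        "KeyPairName": [key_pair_name],
    }
    if assume_role_arn:
        params["AutomationAssumeRole"] = [assume_role_arn]
    return params


def start(directory_id, remote_access_cidr, **kwargs):
    """Start the runbook; boto3 is imported here so the validator runs without it."""
    import boto3  # assumed: credentials and region are configured in the environment
    ssm = boto3.client("ssm")
    resp = ssm.start_automation_execution(
        DocumentName=RUNBOOK,
        Parameters=build_parameters(directory_id, remote_access_cidr, **kwargs),
    )
    return resp["AutomationExecutionId"]
```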

# `AWSSupport-TroubleshootADConnectorConnectivity`
<a name="automation-awssupport-troubleshootadconnectorconnectivity"></a>

 **Description** 

 The `AWSSupport-TroubleshootADConnectorConnectivity` runbook verifies the following prerequisites for an AD Connector:
+ Checks if the required traffic is allowed by the security group and network access control list (ACL) rules associated with your AD Connector.
+ Checks if the AWS Systems Manager, AWS Security Token Service, and Amazon CloudWatch interface VPC endpoints exist in the same virtual private cloud (VPC) as the AD Connector.

When the prerequisite checks complete successfully, the runbook launches two Amazon Elastic Compute Cloud (Amazon EC2) Linux t2.micro instances in the same subnets as your AD Connector. Network connectivity tests are then performed using the `netcat` and `nslookup` utilities.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootADConnectorConnectivity) 

**Important**  
 Using this runbook might incur extra charges to your AWS account for the Amazon EC2 instances, Amazon Elastic Block Store volumes and Amazon Machine Image (AMI) created during the automation. For more information, see [Amazon Elastic Compute Cloud Pricing](https://aws.amazon.com/ec2/pricing/) and [Amazon Elastic Block Store Pricing](https://aws.amazon.com/ebs/pricing/).   
 If the `aws:deletestack` step fails, go to the AWS CloudFormation console to manually delete the stack. The stack name created by this runbook begins with `AWSSupport-TroubleshootADConnectorConnectivity`. For information about deleting CloudFormation stacks, see [Deleting a stack](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) in the *AWS CloudFormation User Guide*. 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DirectoryId

  Type: String

  Description: (Required) The ID of the AD Connector directory you want to troubleshoot connectivity to.
+ Ec2InstanceProfile

  Type: String

  Maximum characters: 128 

  Description: (Required) The name of the instance profile you want to assign to the instances that are launched to perform connectivity tests. The instance profile you specify must have the `AmazonSSMManagedInstanceCore` policy or equivalent permissions attached. 

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ec2:DescribeInstances` 
+  `ec2:DescribeImages` 
+  `ec2:DescribeSubnets` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeNetworkAcls` 
+  `ec2:DescribeVpcEndpoints` 
+  `ec2:CreateTags` 
+  `ec2:RunInstances` 
+  `ec2:StopInstances` 
+  `ec2:TerminateInstances` 
+  `cloudformation:CreateStack` 
+  `cloudformation:DescribeStacks` 
+  `cloudformation:ListStackResources` 
+  `cloudformation:DeleteStack` 
+  `ds:DescribeDirectories` 
+  `ssm:SendCommand` 
+  `ssm:ListCommands` 
+  `ssm:ListCommandInvocations` 
+  `ssm:GetParameters` 
+  `ssm:DescribeInstanceInformation` 
+  `iam:PassRole` 

 **Document Steps** 
+  `aws:assertAwsResourceProperty` - Confirms the directory specified in the `DirectoryId` parameter is an AD Connector. 
+  `aws:executeAwsApi` - Gathers information about the AD Connector. 
+  `aws:executeAwsApi` - Gathers information about the security groups that are associated with the AD Connector. 
+  `aws:executeAwsApi` - Gathers information about the network ACL rules that are associated with the subnets for the AD Connector. 
+  `aws:executeScript` - Evaluates the AD Connector security group rules to verify that the required outbound traffic is allowed. 
+  `aws:executeScript` - Evaluates the AD Connector network ACL rules to verify that the required outbound and inbound network traffic is allowed. 
+  `aws:executeScript` - Checks if the AWS Systems Manager, AWS Security Token Service and Amazon CloudWatch interface endpoints exist in the same VPC as the AD Connector. 
+  `aws:executeScript` - Compiles the outputs of the checks performed in the previous steps. 
+  `aws:branch` - Branches the automation depending on the output of previous steps. The automation stops here if the required outbound and inbound rules are missing for the security groups and network ACLs. 
+  `aws:createStack` - Creates a CloudFormation stack that launches the Amazon EC2 instances used for the connectivity tests. 
+  `aws:executeAwsApi` - Gathers the IDs of newly launched Amazon EC2 instances. 
+  `aws:waitForAwsResourceProperty` - Waits for the first newly launched Amazon EC2 instance to report as managed by AWS Systems Manager. 
+  `aws:waitForAwsResourceProperty` - Waits for the second newly launched Amazon EC2 instance to report as managed by AWS Systems Manager. 
+  `aws:runCommand` - Performs network connectivity tests to the on-premises DNS server IP addresses from the first Amazon EC2 instance. 
+  `aws:runCommand` - Performs network connectivity tests to the on-premises DNS server IP addresses from the second Amazon EC2 instance. 
+  `aws:changeInstanceState` - Stops the Amazon EC2 instances used for the connectivity tests. 
+  `aws:deleteStack` - Deletes the CloudFormation stack. 
+  `aws:executeScript` - Outputs instructions about how to manually delete the CloudFormation stack if the automation fails to delete the stack. 
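The interface-endpoint check in the steps above can be reproduced offline against `DescribeVpcEndpoints` output. The following is an added example, not the runbook's own script; it assumes the standard `com.amazonaws.<region>.<service>` endpoint naming with the suffixes `ssm`, `sts` and `monitoring` for Systems Manager, STS and CloudWatch, and the endpoint records are constructed sample data.

```python
"""Report which of the interface VPC endpoints that
AWSSupport-TroubleshootADConnectorConnectivity expects are missing from the
AD Connector's VPC. Added example, not the runbook's own code."""

# Service-name suffixes for the three endpoints the runbook checks for.
# Assumed from the com.amazonaws.<region>.<service> naming convention.
REQUIRED_ENDPOINT_SERVICES = {
    "ssm": "AWS Systems Manager",
    "sts": "AWS Security Token Service",
    "monitoring": "Amazon CloudWatch",
}


def missing_interface_endpoints(endpoints, vpc_id, region):
    """Return the required service suffixes that have no available interface
    endpoint in vpc_id. `endpoints` is the VpcEndpoints list returned by
    EC2 DescribeVpcEndpoints."""
    prefix = f"com.amazonaws.{region}."
    present = set()
    for ep in endpoints:
        in_scope = (ep.get("VpcId") == vpc_id
                    and ep.get("VpcEndpointType") == "Interface"
                    and ep.get("State") == "available")
        if in_scope and ep.get("ServiceName", "").startswith(prefix):
            present.add(ep["ServiceName"][len(prefix):])
    return sorted(svc for svc in REQUIRED_ENDPOINT_SERVICES if svc not in present)


# Constructed sample: ssm and sts endpoints exist in the AD Connector's VPC
# (vpc-0aaa), the CloudWatch endpoint was created in a different VPC, and the
# S3 gateway endpoint is irrelevant to the check.
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0a1", "VpcId": "vpc-0aaa", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.ssm", "State": "available"},
    {"VpcEndpointId": "vpce-0a2", "VpcId": "vpc-0aaa", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.sts", "State": "available"},
    {"VpcEndpointId": "vpce-0a3", "VpcId": "vpc-0bbb", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.monitoring", "State": "available"},
    {"VpcEndpointId": "vpce-0a4", "VpcId": "vpc-0aaa", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.s3", "State": "available"},
]

if __name__ == "__main__":
    for svc in missing_interface_endpoints(SAMPLE_ENDPOINTS, "vpc-0aaa", "us-east-1"):
        print(f"missing interface endpoint: {REQUIRED_ENDPOINT_SERVICES[svc]} ({svc})")
```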

# `AWSSupport-TroubleshootDirectoryTrust`
<a name="automation-awssupport-troubleshootdirectorytrust"></a>

 **Description** 

 The `AWSSupport-TroubleshootDirectoryTrust` runbook diagnoses trust creation issues between an AWS Managed Microsoft AD and a Microsoft Active Directory. The automation ensures the directory type supports trusts, and then checks the associated security group rules, network access control lists (network ACLs), and route tables for potential connectivity issues. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-TroubleshootDirectoryTrust) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DirectoryId

  Type: String

  Allowed pattern: `^d-[a-z0-9]{10}$`

  Description: (Required) The ID of the AWS Managed Microsoft AD to troubleshoot.
+ RemoteDomainCidrs

  Type: StringList

  Allowed pattern: `^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$`

  Description: (Required) The CIDR(s) of the remote domain you are attempting to establish a trust relationship with. You can add multiple CIDRs using comma-separated values. For example, 172.31.48.0/20, 192.168.1.10/32.
+ RemoteDomainName

  Type: String

  Description: (Required) The fully qualified domain name of the remote domain you are establishing a trust relationship with.
+ RequiredTrafficACL

  Type: String

  Description: (Required) The default port requirements for AWS Managed Microsoft AD. In most cases, you should not modify the default value.

  Default: `{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}`
+ RequiredTrafficSG

  Type: String

  Description: (Required) The default port requirements for AWS Managed Microsoft AD. In most cases, you should not modify the default value.

  Default: `{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}`
+ TrustId

  Type: String

  Description: (Optional) The ID of the trust relationship to troubleshoot.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ds:DescribeConditionalForwarders` 
+  `ds:DescribeDirectories` 
+  `ds:DescribeTrusts` 
+  `ds:ListIpRoutes` 
+  `ec2:DescribeNetworkAcls` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeSubnets` 

 **Document Steps** 
+  `aws:assertAwsResourceProperty` - Confirms the directory type is AWS Managed Microsoft AD. 
+  `aws:executeAwsApi` - Gets information about the AWS Managed Microsoft AD. 
+  `aws:branch` - Branches automation if a value is provided for the `TrustId` input parameter. 
+  `aws:executeAwsApi` - Gets information about the trust relationship. 
+  `aws:executeAwsApi` - Gets the conditional forwarder DNS IP addresses for the `RemoteDomainName`. 
+  `aws:executeAwsApi` - Gets information about IP routes that have been added to the AWS Managed Microsoft AD. 
+  `aws:executeAwsApi` - Gets the CIDRs of the AWS Managed Microsoft AD subnets. 
+  `aws:executeAwsApi` - Gets information about the security groups associated with the AWS Managed Microsoft AD. 
+  `aws:executeAwsApi` - Gets information about the network ACLs associated with the AWS Managed Microsoft AD. 
+  `aws:executeScript` - Confirms the `RemoteDomainCidrs` are valid values. Confirms that the AWS Managed Microsoft AD has conditional forwarders for the `RemoteDomainCidrs`, and that the requisite IP routes have been added to the AWS Managed Microsoft AD if the `RemoteDomainCidrs` are non-RFC 1918 IP addresses. 
+  `aws:executeScript` - Evaluates security group rules. 
+  `aws:executeScript` - Evaluates network ACLs. 
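The security group evaluation step can be reproduced offline against the `RequiredTrafficSG` map and `DescribeSecurityGroups` output. The following is an added example, not the runbook's own evaluation script; it applies the same idea (every required inbound protocol and port range must be allowed from each remote-domain CIDR, and all outbound traffic must be allowed to it), reads the map from the runbook's default value, and the security group is constructed sample data.

```python
"""Evaluate a security group against the RequiredTrafficSG map of
AWSSupport-TroubleshootDirectoryTrust. Added example, not the runbook's own
script; the required map is the runbook's default value."""
import ipaddress
import json

# Default RequiredTrafficSG value from the runbook reference (NTP pair as [123,123]).
REQUIRED_TRAFFIC_SG = json.loads(
    '{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],'
    '[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],'
    '[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}')


def _covers(rule, proto, lo, hi, remote):
    """True if one IpPermissions entry allows proto ports lo..hi for `remote`."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # Protocol "-1" (all traffic) carries no ports; ICMP rules use -1/-1 for all types.
    if rule["IpProtocol"] != "-1" and not (
            rule.get("FromPort", 0) <= lo and rule.get("ToPort", 65535) >= hi):
        return False
    return any(remote.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))


def evaluate_security_group(group, remote_cidrs, required=REQUIRED_TRAFFIC_SG):
    """Return required flows no rule allows, as (direction, protocol, from_port,
    to_port, remote_cidr) tuples. `group` is one DescribeSecurityGroups entry."""
    missing = []
    for direction, key in (("inbound", "IpPermissions"), ("outbound", "IpPermissionsEgress")):
        rules = group.get(key, [])
        for proto, ranges in required[direction].items():
            for lo, hi in ranges:
                for cidr in remote_cidrs:
                    remote = ipaddress.ip_network(cidr)
                    if not any(_covers(r, proto, lo, hi, remote) for r in rules):
                        missing.append((direction, proto, lo, hi, cidr))
    return missing


# Constructed sample: DNS, Kerberos (TCP only) and ICMP are allowed from the remote
# domain, but LDAP, SMB, RPC and the dynamic range are not; egress is wide open.
REMOTE = [{"CidrIp": "172.31.48.0/20"}]
SAMPLE_GROUP = {
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": REMOTE},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": REMOTE},
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88, "IpRanges": REMOTE},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": REMOTE},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
```

Each tuple in the result names one flow the trust would need that the group does not allow; an empty list means the group passes the same check the runbook performs.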

 **Outputs** 

`evalDirectorySecurityGroup.output` - Results from evaluating whether the security group rules associated with the AWS Managed Microsoft AD allow the requisite traffic for trust creation.

`evalAclEntries.output` - Results from evaluating whether the network ACLs associated with the AWS Managed Microsoft AD allow the requisite traffic for trust creation.

`evaluateRemoteDomainCidr.output` - Results from evaluating whether the `RemoteDomainCidrs` are valid values. Confirms that the AWS Managed Microsoft AD has conditional forwarders for the `RemoteDomainCidrs`, and that the requisite IP routes have been added to the AWS Managed Microsoft AD if the `RemoteDomainCidrs` are non-RFC 1918 IP addresses.