├── .gitignore ├── .gitmodules ├── .metadata ├── .nojekyll ├── .taskcat.yml ├── CODEOWNERS ├── LICENSE.txt ├── NOTICE.txt ├── README.md ├── ci ├── Template_1_AD_2012R2.json ├── Template_2_AD_2012R2.json ├── Template_3_AD_2012R2.json ├── ad-master-1-ssm.json ├── ad-master-1.json ├── ad-master-2.json ├── ad-master-3-Ent.json ├── ad-master-3-Std.json ├── config.yml └── taskcat.yml ├── manifests └── app-manager │ └── app-manager-manifest.yaml ├── scripts ├── GPOs.zip ├── Modules │ └── Module-AD │ │ ├── Module-AD.psd1 │ │ └── Module-AD.psm1 ├── archive │ ├── AD2-NonPromoConfig.ps1 │ ├── AD2-Post-Config.ps1 │ ├── Add-DNSEntry.ps1 │ ├── AddDNSForward.ps1 │ ├── ConfigDC1-SSM.ps1 │ ├── ConfigDC1.ps1 │ ├── ConfigDC2-SSM.ps1 │ ├── ConfigDC2.ps1 │ ├── Configure-RDGW.ps1 │ ├── Configure-Sites.ps1 │ ├── ConvertTo-EnterpriseAdmin.ps1 │ ├── Create-AdminUser.ps1 │ ├── Disable-WindowsFirewall.ps1 │ ├── Dns-Config.ps1 │ ├── ExtendDC1.ps1 │ ├── ExtendDC2.ps1 │ ├── Install-ADDSDC.ps1 │ ├── Install-ADDSForest.ps1 │ ├── Install-Prereqs.ps1 │ ├── Invoke-EnterpriseCaConfig.ps1 │ ├── Invoke-EnterpriseCaPreConfig.ps1 │ ├── Invoke-MgmtInstanceConfig.ps1 │ ├── Invoke-MgmtInstancePostConfig.ps1 │ ├── Invoke-TwoTierOrCaConfig.ps1 │ ├── Invoke-TwoTierOrCaPreConfig.ps1 │ ├── Invoke-TwoTierSubCaCertIssue.ps1 │ ├── Invoke-TwoTierSubCaConfig.ps1 │ ├── Invoke-TwoTierSubCaInstall.ps1 │ ├── Invoke-TwoTierSubCaPreConfig.ps1 │ ├── LCM-Config.ps1 │ ├── New-CertificateAuthority.ps1 │ ├── New-LabADUser.ps1 │ ├── Post-Config.ps1 │ ├── Rename-Computer.ps1 │ ├── Update-DNSServers.ps1 │ ├── install-ad-modules.ps1 │ ├── users.csv │ └── xAdcsDeployment_0.1.0.0.zip ├── domainremove.mof └── winworkshop.mof └── templates ├── README.md ├── ad-1.template ├── ad-1.template.yaml ├── ad-2.template ├── ad-2.template.yaml ├── ad-3.template ├── ad-3.template.yaml ├── ad-main-1.template.yaml ├── ad-main-2.template.yaml ├── ad-main-3.template.yaml ├── ad-master-1.template ├── ad-master-2.template ├── ad-master-3.template ├── 
archive ├── Template_1_AD_2012R2.template ├── ad-1-old.template ├── ad-1-ssm.template ├── ad-1-yaml.template ├── ad-2012r2-1.template ├── ad-2012r2-2.template ├── ad-2012r2-3.template ├── ad-master-1-old.template ├── ad-master-1-ssm.template ├── ad-master-1-yaml.template ├── ca-1-two-tier.template └── ca-1.template ├── automationdocuments ├── AWSQuickstart-ActiveDirectoryDS.yaml └── AWSQuickstart-extendAD.yaml ├── mgmt-1.template.yaml └── workshop ├── Modules └── Module-AD │ ├── Module-AD.psd1 │ └── Module-AD.psm1 ├── SystemManagerLab.yaml ├── ad-workshop.template.yaml ├── ad-worskshop-main.template.yaml ├── asgparams.json ├── automation-docs.yaml ├── autoscaling-windows.yaml ├── aws-vpc.template.yaml ├── copy-mofs.yaml └── mgmt-1.template.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | taskcat_outputs/* 2 | .taskcat_overrides.yml 3 | .taskcat/* 4 | .taskcat-*.yml 5 | .DS_Store 6 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "submodules/quickstart-aws-vpc"] 2 | path = submodules/quickstart-aws-vpc 3 | url = ../../aws-quickstart/quickstart-aws-vpc.git 4 | branch = main 5 | [submodule "submodules/quickstart-microsoft-utilities"] 6 | path = submodules/quickstart-microsoft-utilities 7 | url = ../../aws-quickstart/quickstart-microsoft-utilities.git 8 | branch = main 9 | [submodule "submodules/quickstart-microsoft-rdgateway"] 10 | path = submodules/quickstart-microsoft-rdgateway 11 | url = ../../aws-quickstart/quickstart-microsoft-rdgateway.git 12 | branch = main 13 | [submodule "docs/boilerplate"] 14 | path = docs/boilerplate 15 | url = https://github.com/aws-quickstart/quickstart-documentation-base-common.git 16 | branch = main 17 | [submodule "submodules/quickstart-microsoft-pki"] 18 | path = submodules/quickstart-microsoft-pki 19 | url = 
https://github.com/aws-quickstart/quickstart-microsoft-pki.git 20 | branch = main -------------------------------------------------------------------------------- /.metadata: -------------------------------------------------------------------------------- 1 | language_type: cloudformation 2 | -------------------------------------------------------------------------------- /.nojekyll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-microsoft-activedirectory/bb64d5f3034b10b14137b6f0ff46e4fc79cd0a81/.nojekyll -------------------------------------------------------------------------------- /.taskcat.yml: -------------------------------------------------------------------------------- 1 | project: 2 | name: quickstart-microsoft-activedirectory 3 | owner: quickstart-eng@amazon.com 4 | package_lambda: false 5 | regions: 6 | - ap-northeast-1 7 | - ap-northeast-2 8 | - ap-south-1 9 | - ap-southeast-1 10 | - ap-southeast-2 11 | - ca-central-1 12 | - eu-central-1 13 | - eu-west-1 14 | - eu-west-2 15 | # - eu-west-3 16 | - sa-east-1 17 | - us-east-1 18 | - us-east-2 19 | - us-west-1 20 | - us-west-2 21 | tests: 22 | ad-1: 23 | parameters: 24 | ADServer1InstanceType: t3.large 25 | ADServer1NetBIOSName: DC1 26 | ADServer1PrivateIP: 10.0.0.10 27 | ADServer2NetBIOSName: DC2 28 | ADServer2PrivateIP: 10.0.32.10 29 | AvailabilityZones: $[taskcat_genaz_2] 30 | DomainAdminPassword: $[taskcat_genpass_16] 31 | DomainAdminUser: Admin 32 | DomainDNSName: example.com 33 | DomainNetBIOSName: example 34 | KeyPairName: $[taskcat_getkeypair] 35 | NumberOfRDGWHosts: '0' 36 | PrivateSubnet1CIDR: 10.0.0.0/19 37 | PrivateSubnet2CIDR: 10.0.32.0/19 38 | PublicSubnet1CIDR: 10.0.128.0/20 39 | PublicSubnet2CIDR: 10.0.144.0/20 40 | RDGWInstanceType: t2.large 41 | RDGWCIDR: 10.0.0.0/16 42 | VPCCIDR: 10.0.0.0/16 43 | QSS3BucketName: $[taskcat_autobucket] 44 | QSS3BucketRegion: $[taskcat_current_region] 45 | PKI: 
'One-Tier' 46 | EntCaServerInstanceType: t3.large 47 | EntCaDataDriveSizeGiB: '2' 48 | EntCaServerNetBIOSName: 'EntCa1' 49 | EntCaKeyLength: '2048' 50 | EntCaHashAlgorithm: 'SHA256' 51 | EntCaValidityPeriodUnits: '5' 52 | CreateDefaultOUs: 'Yes' 53 | TombstoneLifetime: '60' 54 | DeletedObjectLifetime: '60' 55 | DHCPOptionSet: 'Yes' 56 | regions: 57 | # - eu-west-3 58 | - sa-east-1 59 | - us-east-1 60 | - us-east-2 61 | template: templates/ad-main-1.template.yaml 62 | ad-2: 63 | parameters: 64 | ADServer1NetBIOSName: DC1 65 | ADServer1PrivateIP: 10.0.0.10 66 | ADServer2NetBIOSName: DC2 67 | ADServer2PrivateIP: 10.0.32.10 68 | AdminPassword: $[taskcat_genpass_16] 69 | AdminUser: StackAdmin 70 | AvailabilityZones: $[taskcat_genaz_2] 71 | DomainDNSName: example.com 72 | KeyPairName: $[taskcat_getkeypair] 73 | NumberOfRDGWHosts: '0' 74 | PrivateSubnet1CIDR: 10.0.0.0/19 75 | PrivateSubnet2CIDR: 10.0.32.0/19 76 | PublicSubnet1CIDR: 10.0.128.0/20 77 | PublicSubnet2CIDR: 10.0.144.0/20 78 | RDGWInstanceType: t2.large 79 | RDGWCIDR: 10.0.0.0/16 80 | VPCCIDR: 10.0.0.0/16 81 | QSS3BucketName: $[taskcat_autobucket] 82 | QSS3BucketRegion: $[taskcat_current_region] 83 | regions: 84 | - ap-northeast-1 85 | - ca-central-1 86 | - eu-central-1 87 | template: templates/ad-main-2.template.yaml 88 | ad-3: 89 | parameters: 90 | AvailabilityZones: $[taskcat_genaz_2] 91 | DomainAdminPassword: $[taskcat_genpass_16] 92 | DomainDNSName: example.com 93 | DomainNetBIOSName: example 94 | ADEdition: Standard 95 | KeyPairName: $[taskcat_getkeypair] 96 | NumberOfRDGWHosts: '0' 97 | PrivateSubnet1CIDR: 10.0.0.0/19 98 | PrivateSubnet2CIDR: 10.0.32.0/19 99 | PublicSubnet1CIDR: 10.0.128.0/20 100 | PublicSubnet2CIDR: 10.0.144.0/20 101 | PKI: 'Two-Tier' 102 | RDGWInstanceType: t2.large 103 | RDGWCIDR: 10.0.0.0/16 104 | VPCCIDR: 10.0.0.0/16 105 | QSS3BucketName: $[taskcat_autobucket] 106 | QSS3BucketRegion: $[taskcat_current_region] 107 | MgmtServer: 'false' 108 | MgMtServerInstanceType: t3.medium 109 | 
MgmtDataDriveSizeGiB: '2' 110 | MgmtServerNetBIOSName: 'Mgmt01' 111 | NonWindowsDomainJoin: 'false' 112 | DHCPOptionSet: 'No' 113 | regions: 114 | # - us-west-1 115 | - us-west-2 116 | - eu-west-1 117 | - eu-west-2 118 | template: templates/ad-main-3.template.yaml 119 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @davmayd @aws-quickstart/aws_quickstart_team 2 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 
29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 
61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | Copyright 2015-2016 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at 4 | 5 | http://aws.amazon.com/apache2.0/ 6 | 7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. 8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # quickstart-microsoft-activedirectory 2 | ## Deprecation Notice 3 | 4 | :x: This repository is subject to deprecation in Q4 2024. 
For more details, [please review this announcement](https://github.com/aws-ia/.announcements/issues/1). 5 | 6 | ## This repository has been deprecated in favor of https://github.com/aws-ia/cfn-ps-microsoft-activedirectory. 7 | ***We will archive this repository and keep it publicly available until May 1, 2024.*** 8 | -------------------------------------------------------------------------------- /ci/Template_1_AD_2012R2.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "KeyPairName", 4 | "ParameterValue": "cikey" 5 | }, 6 | { 7 | "ParameterKey": "ADServer1InstanceType", 8 | "ParameterValue": "m4.xlarge" 9 | }, 10 | { 11 | "ParameterKey": "ADServer2InstanceType", 12 | "ParameterValue": "m4.xlarge" 13 | }, 14 | { 15 | "ParameterKey": "RDGWInstanceType", 16 | "ParameterValue": "m4.xlarge" 17 | }, 18 | { 19 | "ParameterKey": "DomainDNSName", 20 | "ParameterValue": "example.com" 21 | }, 22 | { 23 | "ParameterKey": "DomainNetBIOSName", 24 | "ParameterValue": "example" 25 | }, 26 | { 27 | "ParameterKey": "ADServer1NetBIOSName", 28 | "ParameterValue": "DC1" 29 | }, 30 | { 31 | "ParameterKey": "ADServer2NetBIOSName", 32 | "ParameterValue": "DC2" 33 | }, 34 | { 35 | "ParameterKey": "RestoreModePassword", 36 | "ParameterValue": "$[alfred_genpass_32]" 37 | }, 38 | { 39 | "ParameterKey": "DomainAdminUser", 40 | "ParameterValue": "StackAdmin" 41 | }, 42 | { 43 | "ParameterKey": "DomainAdminPassword", 44 | "ParameterValue": "$[alfred_genpass_32]" 45 | }, 46 | { 47 | "ParameterKey": "PublicSubnet1CIDR", 48 | "ParameterValue": "10.0.32.0/20" 49 | }, 50 | { 51 | "ParameterKey": "PublicSubnet2CIDR", 52 | "ParameterValue": "10.0.96.0/20" 53 | }, 54 | { 55 | "ParameterKey": "PrivateSubnet1CIDR", 56 | "ParameterValue": "10.0.0.0/19" 57 | }, 58 | { 59 | "ParameterKey": "PrivateSubnet2CIDR", 60 | "ParameterValue": "10.0.64.0/19" 61 | }, 62 | { 63 | "ParameterKey": "VPCCIDR", 64 | "ParameterValue": "10.0.0.0/16" 65 | }, 
66 | { 67 | "ParameterKey": "ADServer1PrivateIP", 68 | "ParameterValue": "10.0.0.10" 69 | }, 70 | { 71 | "ParameterKey": "ADServer2PrivateIP", 72 | "ParameterValue": "10.0.64.10" 73 | } 74 | ] 75 | -------------------------------------------------------------------------------- /ci/Template_2_AD_2012R2.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "KeyPairName", 4 | "ParameterValue": "cikey" 5 | }, 6 | { 7 | "ParameterKey": "ADServer1InstanceType", 8 | "ParameterValue": "m4.xlarge" 9 | }, 10 | { 11 | "ParameterKey": "ADServer2InstanceType", 12 | "ParameterValue": "m4.xlarge" 13 | }, 14 | { 15 | "ParameterKey": "RDGWInstanceType", 16 | "ParameterValue": "m4.xlarge" 17 | }, 18 | { 19 | "ParameterKey": "ADServer1NetBIOSName", 20 | "ParameterValue": "DC1" 21 | }, 22 | { 23 | "ParameterKey": "ADServer2NetBIOSName", 24 | "ParameterValue": "DC2" 25 | }, 26 | { 27 | "ParameterKey": "PublicSubnet1CIDR", 28 | "ParameterValue": "10.0.32.0/20" 29 | }, 30 | { 31 | "ParameterKey": "PublicSubnet2CIDR", 32 | "ParameterValue": "10.0.96.0/20" 33 | }, 34 | { 35 | "ParameterKey": "PrivateSubnet1CIDR", 36 | "ParameterValue": "10.0.0.0/19" 37 | }, 38 | { 39 | "ParameterKey": "PrivateSubnet2CIDR", 40 | "ParameterValue": "10.0.64.0/19" 41 | }, 42 | { 43 | "ParameterKey": "VPCCIDR", 44 | "ParameterValue": "10.0.0.0/16" 45 | }, 46 | { 47 | "ParameterKey": "ADServer1PrivateIP", 48 | "ParameterValue": "10.0.0.10" 49 | }, 50 | { 51 | "ParameterKey": "ADServer2PrivateIP", 52 | "ParameterValue": "10.0.64.10" 53 | } 54 | ] 55 | -------------------------------------------------------------------------------- /ci/Template_3_AD_2012R2.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "KeyPairName", 4 | "ParameterValue": "cikey" 5 | }, 6 | { 7 | "ParameterKey": "RDGWInstanceType", 8 | "ParameterValue": "m4.xlarge" 9 | }, 10 | { 11 | "ParameterKey": 
"DomainDNSName", 12 | "ParameterValue": "example.com" 13 | }, 14 | { 15 | "ParameterKey": "DomainNetBIOSName", 16 | "ParameterValue": "example" 17 | }, 18 | { 19 | "ParameterKey": "DomainAdminPassword", 20 | "ParameterValue": "$[alfred_genpass_32]" 21 | }, 22 | { 23 | "ParameterKey": "PublicSubnet1CIDR", 24 | "ParameterValue": "10.0.32.0/20" 25 | }, 26 | { 27 | "ParameterKey": "PublicSubnet2CIDR", 28 | "ParameterValue": "10.0.96.0/20" 29 | }, 30 | { 31 | "ParameterKey": "PrivateSubnet1CIDR", 32 | "ParameterValue": "10.0.0.0/19" 33 | }, 34 | { 35 | "ParameterKey": "PrivateSubnet2CIDR", 36 | "ParameterValue": "10.0.64.0/19" 37 | }, 38 | { 39 | "ParameterKey": "VPCCIDR", 40 | "ParameterValue": "10.0.0.0/16" 41 | } 42 | ] 43 | -------------------------------------------------------------------------------- /ci/ad-master-1-ssm.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "ADServer1InstanceType", 4 | "ParameterValue": "t3.large" 5 | }, 6 | { 7 | "ParameterKey": "ADServer1NetBIOSName", 8 | "ParameterValue": "DCMaster1" 9 | }, 10 | { 11 | "ParameterKey": "ADServer1PrivateIP", 12 | "ParameterValue": "10.0.0.10" 13 | }, 14 | { 15 | "ParameterKey": "ADServer2InstanceType", 16 | "ParameterValue": "t3.large" 17 | }, 18 | { 19 | "ParameterKey": "ADServer2NetBIOSName", 20 | "ParameterValue": "DCMaster2" 21 | }, 22 | { 23 | "ParameterKey": "ADServer2PrivateIP", 24 | "ParameterValue": "10.0.32.10" 25 | }, 26 | { 27 | "ParameterKey": "AvailabilityZones", 28 | "ParameterValue": "$[taskcat_genaz_2]" 29 | }, 30 | { 31 | "ParameterKey": "DomainAdminPassword", 32 | "ParameterValue": "$[taskcat_genpass_16]" 33 | }, 34 | { 35 | "ParameterKey": "RestoreModePassword", 36 | "ParameterValue": "$[taskcat_genpass_16]" 37 | }, 38 | { 39 | "ParameterKey": "AdministratorPassword", 40 | "ParameterValue": "$[taskcat_genpass_16]" 41 | }, 42 | { 43 | "ParameterKey": "DomainAdminUser", 44 | "ParameterValue": "StackAdmin" 45 | }, 
46 | { 47 | "ParameterKey": "DomainDNSName", 48 | "ParameterValue": "example.com" 49 | }, 50 | { 51 | "ParameterKey": "DomainNetBIOSName", 52 | "ParameterValue": "example" 53 | }, 54 | { 55 | "ParameterKey": "KeyPairName", 56 | "ParameterValue": "$[taskcat_getkeypair]" 57 | }, 58 | { 59 | "ParameterKey": "NumberOfRDGWHosts", 60 | "ParameterValue": "1" 61 | }, 62 | { 63 | "ParameterKey": "PrivateSubnet1CIDR", 64 | "ParameterValue": "10.0.0.0/19" 65 | }, 66 | { 67 | "ParameterKey": "PrivateSubnet2CIDR", 68 | "ParameterValue": "10.0.32.0/19" 69 | }, 70 | { 71 | "ParameterKey": "PublicSubnet1CIDR", 72 | "ParameterValue": "10.0.128.0/20" 73 | }, 74 | { 75 | "ParameterKey": "PublicSubnet2CIDR", 76 | "ParameterValue": "10.0.144.0/20" 77 | }, 78 | { 79 | "ParameterKey": "RDGWInstanceType", 80 | "ParameterValue": "t2.large" 81 | }, 82 | { 83 | "ParameterKey": "RDGWCIDR", 84 | "ParameterValue": "10.0.0.0/16" 85 | }, 86 | { 87 | "ParameterKey": "VPCCIDR", 88 | "ParameterValue": "10.0.0.0/16" 89 | }, 90 | { 91 | "ParameterKey": "QSS3BucketName", 92 | "ParameterValue": "$[taskcat_autobucket]" 93 | } 94 | ] -------------------------------------------------------------------------------- /ci/ad-master-1.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "ADServer1InstanceType", 4 | "ParameterValue": "t3.large" 5 | }, 6 | { 7 | "ParameterKey": "ADServer1NetBIOSName", 8 | "ParameterValue": "DC1" 9 | }, 10 | { 11 | "ParameterKey": "ADServer1PrivateIP", 12 | "ParameterValue": "10.0.0.10" 13 | }, 14 | { 15 | "ParameterKey": "ADServer2NetBIOSName", 16 | "ParameterValue": "DC2" 17 | }, 18 | { 19 | "ParameterKey": "ADServer2PrivateIP", 20 | "ParameterValue": "10.0.32.10" 21 | }, 22 | { 23 | "ParameterKey": "AvailabilityZones", 24 | "ParameterValue": "$[taskcat_genaz_2]" 25 | }, 26 | { 27 | "ParameterKey": "DomainAdminPassword", 28 | "ParameterValue": "$[taskcat_genpass_16]" 29 | }, 30 | { 31 | "ParameterKey": 
"DomainAdminUser", 32 | "ParameterValue": "Admin" 33 | }, 34 | { 35 | "ParameterKey": "DomainDNSName", 36 | "ParameterValue": "example.com" 37 | }, 38 | { 39 | "ParameterKey": "DomainNetBIOSName", 40 | "ParameterValue": "example" 41 | }, 42 | { 43 | "ParameterKey": "KeyPairName", 44 | "ParameterValue": "$[taskcat_getkeypair]" 45 | }, 46 | { 47 | "ParameterKey": "NumberOfRDGWHosts", 48 | "ParameterValue": "1" 49 | }, 50 | { 51 | "ParameterKey": "PrivateSubnet1CIDR", 52 | "ParameterValue": "10.0.0.0/19" 53 | }, 54 | { 55 | "ParameterKey": "PrivateSubnet2CIDR", 56 | "ParameterValue": "10.0.32.0/19" 57 | }, 58 | { 59 | "ParameterKey": "PublicSubnet1CIDR", 60 | "ParameterValue": "10.0.128.0/20" 61 | }, 62 | { 63 | "ParameterKey": "PublicSubnet2CIDR", 64 | "ParameterValue": "10.0.144.0/20" 65 | }, 66 | { 67 | "ParameterKey": "RDGWInstanceType", 68 | "ParameterValue": "t2.large" 69 | }, 70 | { 71 | "ParameterKey": "RDGWCIDR", 72 | "ParameterValue": "10.0.0.0/16" 73 | }, 74 | { 75 | "ParameterKey": "VPCCIDR", 76 | "ParameterValue": "10.0.0.0/16" 77 | }, 78 | { 79 | "ParameterKey": "QSS3BucketName", 80 | "ParameterValue": "$[taskcat_autobucket]" 81 | } 82 | ] -------------------------------------------------------------------------------- /ci/ad-master-2.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "ADServer1NetBIOSName", 4 | "ParameterValue": "DC1" 5 | }, 6 | { 7 | "ParameterKey": "ADServer1PrivateIP", 8 | "ParameterValue": "10.0.0.10" 9 | }, 10 | { 11 | "ParameterKey": "ADServer2NetBIOSName", 12 | "ParameterValue": "DC2" 13 | }, 14 | { 15 | "ParameterKey": "ADServer2PrivateIP", 16 | "ParameterValue": "10.0.32.10" 17 | }, 18 | { 19 | "ParameterKey": "AdminPassword", 20 | "ParameterValue": "$[taskcat_genpass_16]" 21 | }, 22 | { 23 | "ParameterKey": "AdminUser", 24 | "ParameterValue": "StackAdmin" 25 | }, 26 | { 27 | "ParameterKey": "AvailabilityZones", 28 | "ParameterValue": "$[taskcat_genaz_2]" 29 | 
}, 30 | { 31 | "ParameterKey": "DomainDNSName", 32 | "ParameterValue": "example.com" 33 | }, 34 | { 35 | "ParameterKey": "KeyPairName", 36 | "ParameterValue": "$[taskcat_getkeypair]" 37 | }, 38 | { 39 | "ParameterKey": "NumberOfRDGWHosts", 40 | "ParameterValue": "1" 41 | }, 42 | { 43 | "ParameterKey": "PrivateSubnet1CIDR", 44 | "ParameterValue": "10.0.0.0/19" 45 | }, 46 | { 47 | "ParameterKey": "PrivateSubnet2CIDR", 48 | "ParameterValue": "10.0.32.0/19" 49 | }, 50 | { 51 | "ParameterKey": "PublicSubnet1CIDR", 52 | "ParameterValue": "10.0.128.0/20" 53 | }, 54 | { 55 | "ParameterKey": "PublicSubnet2CIDR", 56 | "ParameterValue": "10.0.144.0/20" 57 | }, 58 | { 59 | "ParameterKey": "RDGWInstanceType", 60 | "ParameterValue": "t2.large" 61 | }, 62 | { 63 | "ParameterKey": "RDGWCIDR", 64 | "ParameterValue": "10.0.0.0/16" 65 | }, 66 | { 67 | "ParameterKey": "VPCCIDR", 68 | "ParameterValue": "10.0.0.0/16" 69 | }, 70 | { 71 | "ParameterKey": "QSS3BucketName", 72 | "ParameterValue": "aws-quickstart" 73 | } 74 | ] 75 | -------------------------------------------------------------------------------- /ci/ad-master-3-Ent.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "AvailabilityZones", 4 | "ParameterValue": "$[taskcat_genaz_2]" 5 | }, 6 | { 7 | "ParameterKey": "DomainAdminPassword", 8 | "ParameterValue": "$[taskcat_genpass_16]" 9 | }, 10 | { 11 | "ParameterKey": "DomainDNSName", 12 | "ParameterValue": "example.com" 13 | }, 14 | { 15 | "ParameterKey": "DomainNetBIOSName", 16 | "ParameterValue": "example" 17 | }, 18 | { 19 | "ParameterKey": "ADEdition", 20 | "ParameterValue": "Enterprise" 21 | }, 22 | { 23 | "ParameterKey": "KeyPairName", 24 | "ParameterValue": "$[taskcat_getkeypair]" 25 | }, 26 | { 27 | "ParameterKey": "NumberOfRDGWHosts", 28 | "ParameterValue": "1" 29 | }, 30 | { 31 | "ParameterKey": "PrivateSubnet1CIDR", 32 | "ParameterValue": "10.0.0.0/19" 33 | }, 34 | { 35 | "ParameterKey": 
"PrivateSubnet2CIDR", 36 | "ParameterValue": "10.0.32.0/19" 37 | }, 38 | { 39 | "ParameterKey": "PublicSubnet1CIDR", 40 | "ParameterValue": "10.0.128.0/20" 41 | }, 42 | { 43 | "ParameterKey": "PublicSubnet2CIDR", 44 | "ParameterValue": "10.0.144.0/20" 45 | }, 46 | { 47 | "ParameterKey": "RDGWInstanceType", 48 | "ParameterValue": "t2.large" 49 | }, 50 | { 51 | "ParameterKey": "RDGWCIDR", 52 | "ParameterValue": "10.0.0.0/16" 53 | }, 54 | { 55 | "ParameterKey": "VPCCIDR", 56 | "ParameterValue": "10.0.0.0/16" 57 | }, 58 | { 59 | "ParameterKey": "QSS3BucketName", 60 | "ParameterValue": "aws-quickstart" 61 | } 62 | ] 63 | -------------------------------------------------------------------------------- /ci/ad-master-3-Std.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ParameterKey": "AvailabilityZones", 4 | "ParameterValue": "$[taskcat_genaz_2]" 5 | }, 6 | { 7 | "ParameterKey": "DomainAdminPassword", 8 | "ParameterValue": "$[taskcat_genpass_16]" 9 | }, 10 | { 11 | "ParameterKey": "DomainDNSName", 12 | "ParameterValue": "example.com" 13 | }, 14 | { 15 | "ParameterKey": "DomainNetBIOSName", 16 | "ParameterValue": "example" 17 | }, 18 | { 19 | "ParameterKey": "ADEdition", 20 | "ParameterValue": "Standard" 21 | }, 22 | { 23 | "ParameterKey": "KeyPairName", 24 | "ParameterValue": "$[taskcat_getkeypair]" 25 | }, 26 | { 27 | "ParameterKey": "NumberOfRDGWHosts", 28 | "ParameterValue": "1" 29 | }, 30 | { 31 | "ParameterKey": "PrivateSubnet1CIDR", 32 | "ParameterValue": "10.0.0.0/19" 33 | }, 34 | { 35 | "ParameterKey": "PrivateSubnet2CIDR", 36 | "ParameterValue": "10.0.32.0/19" 37 | }, 38 | { 39 | "ParameterKey": "PublicSubnet1CIDR", 40 | "ParameterValue": "10.0.128.0/20" 41 | }, 42 | { 43 | "ParameterKey": "PublicSubnet2CIDR", 44 | "ParameterValue": "10.0.144.0/20" 45 | }, 46 | { 47 | "ParameterKey": "RDGWInstanceType", 48 | "ParameterValue": "t2.large" 49 | }, 50 | { 51 | "ParameterKey": "RDGWCIDR", 52 | "ParameterValue": 
"10.0.0.0/16" 53 | }, 54 | { 55 | "ParameterKey": "VPCCIDR", 56 | "ParameterValue": "10.0.0.0/16" 57 | }, 58 | { 59 | "ParameterKey": "QSS3BucketName", 60 | "ParameterValue": "aws-quickstart" 61 | } 62 | ] 63 | -------------------------------------------------------------------------------- /ci/config.yml: -------------------------------------------------------------------------------- 1 | global: 2 | marketplace-ami: false 3 | owner: quickstart-eng@amazon.com 4 | qsname: quickstart-microsoft-activedirectory 5 | regions: 6 | # - ap-northeast-1 7 | # - ap-northeast-2 8 | # - ap-south-1 9 | # - ap-southeast-1 10 | # - ap-southeast-2 11 | # - ca-central-1 12 | # - eu-central-1 13 | # - eu-west-1 14 | # - eu-west-2 15 | # - us-east-1 16 | # - us-east-2 17 | # - us-west-1 18 | # - us-west-2 19 | reporting: true 20 | tests: 21 | master1: 22 | parameter_input: ad-master-1.json 23 | regions: 24 | # - ap-northeast-2 25 | # - ap-southeast-1 26 | # - ca-central-1 27 | # - eu-west-1 28 | # - eu-west-3 29 | # - sa-east-1 30 | - us-east-1 31 | # - us-west-2 32 | template_file: ad-master-1.template 33 | # master2: 34 | # parameter_input: ad-master-2.json 35 | # regions: 36 | # - ap-northeast-1 37 | # - ap-south-1 38 | # - ap-southeast-2 39 | # - eu-central-1 40 | # - eu-west-2 41 | # - us-east-1 42 | # - us-west-1 43 | # template_file: ad-master-2.template 44 | # master3: 45 | # parameter_input: ad-master-3.json 46 | # regions: 47 | # - us-east-1 48 | # template_file: ad-master-3.template 49 | # 50 | -------------------------------------------------------------------------------- /ci/taskcat.yml: -------------------------------------------------------------------------------- 1 | global: 2 | marketplace-ami: false 3 | owner: quickstart-eng@amazon.com 4 | qsname: quickstart-microsoft-activedirectory 5 | regions: 6 | - ap-northeast-1 7 | - ap-northeast-2 8 | - ap-south-1 9 | - ap-southeast-1 10 | - ap-southeast-2 11 | - ca-central-1 12 | - eu-central-1 13 | - eu-west-1 14 | - 
eu-west-2 15 | - eu-west-3 16 | - sa-east-1 17 | - us-east-1 18 | - us-east-2 19 | - us-west-1 20 | - us-west-2 21 | reporting: true 22 | tests: 23 | master1-ad: 24 | parameter_input: ad-master-1.json 25 | regions: 26 | - ap-northeast-2 27 | # - ca-central-1 28 | - eu-west-1 29 | - ap-south-1 30 | - us-east-2 31 | - ap-northeast-1 32 | - eu-west-2 33 | - eu-central-1 34 | - us-east-1 35 | - us-west-2 36 | template_file: ad-master-1.template 37 | master2-ad: 38 | parameter_input: ad-master-2.json 39 | regions: 40 | - ap-northeast-1 41 | - ap-south-1 42 | - ap-southeast-2 43 | - eu-central-1 44 | - eu-west-2 45 | - us-east-1 46 | - us-west-1 47 | template_file: ad-master-2.template 48 | master3-ad-ent: 49 | parameter_input: ad-master-3-Ent.json 50 | regions: 51 | - us-east-1 52 | # - ca-central-1 53 | # - eu-west-2 54 | - ap-southeast-2 55 | template_file: ad-master-3.template 56 | master3-ad-std: 57 | parameter_input: ad-master-3-Std.json 58 | regions: 59 | - us-east-2 60 | - ap-south-1 61 | - eu-west-1 62 | - ap-southeast-1 63 | template_file: ad-master-3.template 64 | # master1-ad-ssm: 65 | # parameter_input: ad-master-1-ssm.json 66 | # regions: 67 | # - eu-west-3 68 | # - us-east-1 69 | # template_file: ad-master-1-ssm.template 70 | -------------------------------------------------------------------------------- /manifests/app-manager/app-manager-manifest.yaml: -------------------------------------------------------------------------------- 1 | ssm_app_manager: 2 | should_upload: true 3 | documents_list: 4 | - document_name: AWSQuickStarts-Microsoft-AD-SelfManaged-Existing-VPC 5 | template_name: ad-1.template.yaml 6 | - document_name: AWSQuickStarts-Microsoft-AD-SelfManaged 7 | template_name: ad-main-1.template.yaml 8 | has_nested_stacks: true 9 | nested_documents: 10 | - resource_name: VPCStack 11 | document_name: AWSQuickStarts-AWS-VPC 12 | - resource_name: ADStack 13 | document_name: AWSQuickStarts-Microsoft-AD-SelfManaged-Existing-VPC 14 | - resource_name: 
RDGWStack 15 | document_name: AWSQuickStarts-Microsoft-RdGateway-Domain-Joined 16 | - document_name: AWSQuickStarts-Microsoft-AD-Extend-OnPrem-Existing-VPC 17 | template_name: ad-2.template.yaml 18 | - document_name: AWSQuickStarts-Microsoft-AD-Extend-OnPrem 19 | template_name: ad-main-2.template.yaml 20 | has_nested_stacks: true 21 | nested_documents: 22 | - resource_name: VPCStack 23 | document_name: AWSQuickStarts-AWS-VPC 24 | - resource_name: ADStack 25 | document_name: AWSQuickStarts-Microsoft-AD-Extend-OnPrem-Existing-VPC 26 | - resource_name: RDGWStack 27 | document_name: AWSQuickStarts-Microsoft-RdGateway-Existing-VPC 28 | - document_name: AWSQuickStarts-AWS-Managed-Microsoft-AD-Existing-VPC 29 | template_name: ad-3.template.yaml 30 | - document_name: AWSQuickStarts-AWS-Managed-Microsoft-AD 31 | template_name: ad-main-3.template.yaml 32 | has_nested_stacks: true 33 | nested_documents: 34 | - resource_name: VPCStack 35 | document_name: AWSQuickStarts-AWS-VPC 36 | - resource_name: ADStack 37 | document_name: AWSQuickStarts-AWS-Managed-Microsoft-AD-Existing-VPC 38 | - resource_name: RDGWStack 39 | document_name: AWSQuickStarts-Microsoft-RdGateway-Domain-Joined -------------------------------------------------------------------------------- /scripts/GPOs.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-microsoft-activedirectory/bb64d5f3034b10b14137b6f0ff46e4fc79cd0a81/scripts/GPOs.zip -------------------------------------------------------------------------------- /scripts/Modules/Module-AD/Module-AD.psd1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-microsoft-activedirectory/bb64d5f3034b10b14137b6f0ff46e4fc79cd0a81/scripts/Modules/Module-AD/Module-AD.psd1 -------------------------------------------------------------------------------- 
/scripts/archive/AD2-NonPromoConfig.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | AD2-NonPromoConfig.ps1 4 | 5 | .DESCRIPTION 6 | This script installs the active directory binaries but does not promote the server to a domain controller. 7 | 8 | .EXAMPLE 9 | .\AD2-NonPromoConfig -ADServerNetBIOSName 'DC3' -DomainNetBIOSName 'example' -DomainDNSName 'example.com' -ADServer1PrivateIP '10.0.0.10' -ADServer2PrivateIP '10.32.0.10' 10 | #> 11 | 12 | 13 | [CmdletBinding()] 14 | Param ( 15 | [Parameter(Mandatory = $true)][string]$ADServerNetBIOSName, 16 | [Parameter(Mandatory = $true)][string]$DomainNetBIOSName, 17 | [Parameter(Mandatory = $true)][string]$DomainDNSName, 18 | [Parameter(Mandatory = $true)][string]$ADServer1PrivateIP, 19 | [Parameter(Mandatory = $true)][string]$ADServer2PrivateIP 20 | ) 21 | 22 | #Requires -Modules PSDesiredStateConfiguration, NetworkingDsc, ComputerManagementDsc, xDnsServer, ActiveDirectoryDsc 23 | 24 | #================================================== 25 | # Main 26 | #================================================== 27 | 28 | Write-Output 'Getting network configuration' 29 | Try { 30 | $NetIpConfig = Get-NetIPConfiguration 31 | } Catch [System.Exception] { 32 | Write-Output "Failed to set network configuration $_" 33 | Exit 1 34 | } 35 | 36 | Write-Output 'Grabbing the Current Gateway Address in order to Static IP Correctly' 37 | $GatewayAddress = $NetIpConfig | Select-Object -ExpandProperty 'IPv4DefaultGateway' | Select-Object -ExpandProperty 'NextHop' 38 | 39 | Write-Output 'Formatting IP Address in format needed for IPAdress DSC Resource' 40 | $IP = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'IpAddress' 41 | $Prefix = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'PrefixLength' 42 | $IPADDR = 'IP/CIDR' -replace 'IP', $IP -replace 'CIDR', $Prefix 43 | 44 | Write-Output 'Getting 
MAC address' 45 | Try { 46 | $MacAddress = Get-NetAdapter | Select-Object -ExpandProperty 'MacAddress' 47 | } Catch [System.Exception] { 48 | Write-Output "Failed to get MAC address $_" 49 | Exit 1 50 | } 51 | 52 | Write-Output 'Getting the DSC Cert Encryption Thumbprint to Secure the MOF File' 53 | Try { 54 | $DscCertThumbprint = Get-ChildItem -Path 'cert:\LocalMachine\My' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 55 | } Catch [System.Exception] { 56 | Write-Output "Failed to get DSC Cert Encryption Thumbprint $_" 57 | Exit 1 58 | } 59 | 60 | Write-Output 'Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing' 61 | $ConfigurationData = @{ 62 | AllNodes = @( 63 | @{ 64 | NodeName = '*' 65 | CertificateFile = 'C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer' 66 | Thumbprint = $DscCertThumbprint 67 | PSDscAllowDomainUser = $true 68 | }, 69 | @{ 70 | NodeName = 'localhost' 71 | } 72 | ) 73 | } 74 | 75 | # PowerShell DSC Configuration Block for Domain Controller 2 76 | Configuration NonPromoConfig { 77 | # Importing All DSC Resources needed for Configuration 78 | Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'NetworkingDsc', 'ComputerManagementDsc', 'xDnsServer', 'ActiveDirectoryDsc' 79 | 80 | # Node Configuration block, since processing directly on DC using localhost 81 | Node LocalHost { 82 | NetAdapterName RenameNetAdapterPrimary { 83 | NewName = 'Primary' 84 | MacAddress = $MacAddress 85 | } 86 | NetIPInterface DisableDhcp { 87 | Dhcp = 'Disabled' 88 | InterfaceAlias = 'Primary' 89 | AddressFamily = 'IPv4' 90 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 91 | } 92 | IPAddress SetIP { 93 | IPAddress = $IPADDR 94 | InterfaceAlias = 'Primary' 95 | AddressFamily = 'IPv4' 96 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 97 | } 98 | DefaultGatewayAddress SetDefaultGateway { 99 | Address = $GatewayAddress 
100 | InterfaceAlias = 'Primary' 101 | AddressFamily = 'IPv4' 102 | DependsOn = '[IPAddress]SetIP' 103 | } 104 | DnsServerAddress DnsServerAddress { 105 | Address = $ADServer1PrivateIP, $ADServer2PrivateIP, '169.254.169.253' 106 | InterfaceAlias = 'Primary' 107 | AddressFamily = 'IPv4' 108 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 109 | } 110 | DnsConnectionSuffix DnsConnectionSuffix { 111 | InterfaceAlias = 'Primary' 112 | ConnectionSpecificSuffix = $DomainDNSName 113 | RegisterThisConnectionsAddress = $True 114 | UseSuffixWhenRegistering = $False 115 | } 116 | Computer Rename { 117 | Name = $ADServerNetBIOSName 118 | DependsOn = '[DnsServerAddress]DnsServerAddress' 119 | } 120 | WindowsFeature DNS { 121 | Ensure = 'Present' 122 | Name = 'DNS' 123 | } 124 | WindowsFeature AD-Domain-Services { 125 | Ensure = 'Present' 126 | Name = 'AD-Domain-Services' 127 | DependsOn = '[WindowsFeature]DNS' 128 | } 129 | WindowsFeature DnsTools { 130 | Ensure = 'Present' 131 | Name = 'RSAT-DNS-Server' 132 | DependsOn = '[WindowsFeature]DNS' 133 | } 134 | WindowsFeature RSAT-AD-Tools { 135 | Ensure = 'Present' 136 | Name = 'RSAT-AD-Tools' 137 | DependsOn = '[WindowsFeature]AD-Domain-Services' 138 | } 139 | WindowsFeature RSAT-ADDS { 140 | Ensure = 'Present' 141 | Name = 'RSAT-ADDS' 142 | DependsOn = '[WindowsFeature]AD-Domain-Services' 143 | } 144 | Service ActiveDirectoryWebServices { 145 | Name = "ADWS" 146 | StartupType = "Automatic" 147 | State = "Running" 148 | DependsOn = "[WindowsFeature]AD-Domain-Services" 149 | } 150 | WindowsFeature GPMC { 151 | Ensure = 'Present' 152 | Name = 'GPMC' 153 | DependsOn = '[WindowsFeature]AD-Domain-Services' 154 | } 155 | } 156 | } 157 | 158 | Write-Output 'Generating MOF File' 159 | NonPromoConfig -OutputPath 'C:\AWSQuickstart\NonPromoConfig' -ConfigurationData $ConfigurationData -------------------------------------------------------------------------------- /scripts/archive/AD2-Post-Config.ps1: 
-------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | AD2-Post-Config.ps1 4 | 5 | .DESCRIPTION 6 | This script installs the active directory binaries but does promote the server to a domain controller. 7 | It sets some minor settings and cleans up the DSC configuration 8 | 9 | .EXAMPLE 10 | .\AD2-Post-Config -VPCCIDR '10.0.0.0/16' 11 | #> 12 | 13 | [CmdletBinding()] 14 | Param( 15 | [Parameter(Mandatory = $true)][string]$VPCCIDR 16 | ) 17 | 18 | #================================================== 19 | # Main 20 | #================================================== 21 | 22 | Write-Output 'Enabling Certificate Auto-Enrollment Policy' 23 | Try { 24 | Set-CertificateAutoEnrollmentPolicy -ExpirationPercentage 10 -PolicyState 'Enabled' -EnableTemplateCheck -EnableMyStoreManagement -StoreName 'MY' -Context 'Machine' -ErrorAction Stop 25 | } Catch [System.Exception] { 26 | Write-Output "Failed to enable Certificate Auto-Enrollment Policy $_" 27 | } 28 | 29 | Write-Output 'Enabling SMBv1 Auditing' 30 | Try { 31 | Set-SmbServerConfiguration -AuditSmb1Access $true -Force -ErrorAction Stop 32 | } Catch [System.Exception] { 33 | Write-Output "Failed to enable SMBv1 Audit log $_" 34 | } 35 | 36 | Write-Output 'Re-enabling Windows Firewall' 37 | Try { 38 | Get-NetFirewallProfile -ErrorAction Stop | Set-NetFirewallProfile -Enabled 'True' -ErrorAction Stop 39 | } Catch [System.Exception] { 40 | Write-Output "Failed to re-enable firewall $_" 41 | } 42 | 43 | Write-Output 'Setting Windows Firewall WinRM Public rule to allow VPC CIDR traffic' 44 | Try { 45 | Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $VPCCIDR 46 | } Catch [System.Exception] { 47 | Write-Output "Failed allow WinRM Traffic from VPC CIDR $_" 48 | } 49 | 50 | Write-Output 'Removing DSC Configuration' 51 | Try { 52 | Remove-DscConfigurationDocument -Stage 'Current' -ErrorAction Stop 53 | } Catch [System.Exception] { 54 | Write-Output "Failed to 
remove DSC Configuration $_" 55 | } 56 | 57 | Write-Output 'Removing QuickStart build files' 58 | Try { 59 | Remove-Item -Path 'C:\AWSQuickstart' -Recurse -Force -ErrorAction Stop 60 | } Catch [System.Exception] { 61 | Write-Output "Failed remove QuickStart build files $_" 62 | } 63 | 64 | Write-Output 'Removing self signed cert' 65 | Try { 66 | $SelfSignedThumb = Get-ChildItem -Path 'cert:\LocalMachine\My\' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 67 | Remove-Item -Path "cert:\LocalMachine\My\$SelfSignedThumb" -DeleteKey 68 | } Catch [System.Exception] { 69 | Write-Output "Failed remove self signed cert $_" 70 | } 71 | 72 | Write-Output 'Checking domain membership' 73 | Try { 74 | $AmIDomainMember = Get-CimInstance -ClassName 'Win32_ComputerSystem' -ErrorAction Stop | Select-Object -ExpandProperty 'PartOfDomain' 75 | } Catch [System.Exception] { 76 | Write-Output "Failed checking domain membership $_" 77 | } 78 | 79 | If ($AmIDomainMember) { 80 | Write-Output 'Running Group Policy update' 81 | Invoke-GPUpdate -RandomDelayInMinutes '0' -Force 82 | } -------------------------------------------------------------------------------- /scripts/archive/Add-DNSEntry.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [Parameter(Mandatory=$true)] 4 | [string]$DomainAdminUser, 5 | 6 | [Parameter(Mandatory=$true)] 7 | [string]$DomainNetBIOSName, 8 | 9 | [Parameter(Mandatory=$true)] 10 | [string]$DomainDNSName, 11 | 12 | [Parameter(Mandatory=$true)] 13 | [string]$ADServer1NetBIOSName, 14 | 15 | [Parameter(Mandatory=$true)] 16 | [string]$ADServer1PrivateIP, 17 | 18 | [Parameter(Mandatory=$true)] 19 | [string]$ADServer2PrivateIP, 20 | 21 | [Parameter(Mandatory=$true)] 22 | [string]$SSMParamName 23 | ) 24 | try { 25 | $ErrorActionPreference = "Stop" 26 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 
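$DomainAdminPassword = (Get-SSMParameterValue -Names $SSMParamName -WithDecryption $True).Parameters[0].Value
$DomainAdmin = $DomainNetBIOSName + "\" + $DomainAdminUser
$FQDN = $ADServer1NetBIOSName+"."+$DomainDNSName
# The script block below executes in a remote session on $FQDN, so local
# variables are not visible inside it; pass the DNS server IPs with the
# $using: scope modifier instead of referencing them bare (which yields $null).
Invoke-Command -ComputerName $FQDN -Credential (New-Object System.Management.Automation.PSCredential($DomainAdmin,(ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force))) -Scriptblock {
    Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $using:ADServer2PrivateIP, $using:ADServer1PrivateIP
}
}

catch {
    $_ | Write-AWSQuickStartException
}
-------------------------------------------------------------------------------- /scripts/archive/AddDNSForward.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
AddDNSForward.ps1

.DESCRIPTION
This script creates an AD-integrated DS Conditional Forwarder for amazonaws.com pointing to the customer’s .2.

.EXAMPLE
.\AddDNSForward.ps1 -DirectoryID 'd-926708edcb' -VPCCIDR '10.255.0.0/24'

#>

[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]
    $DirectoryID,

    [Parameter(Mandatory=$true)]
    [string]
    $VPCCIDR
)

# Derive the forwarder target from the VPC CIDR: take the network address and
# replace its last octet with 2 (the customer's .2 address named in the description).
$Ip = $VPCCIDR.Split('/')[0]
[System.Collections.ArrayList]$IPArray = $IP -Split "\."
$IPArray[3] = 2
$VPCDNS = $IPArray -Join "."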
28 | 29 | Try { 30 | New-DSConditionalForwarder -DirectoryId $DirectoryID -DnsIpAddr $VPCDNS -RemoteDomainName 'amazonaws.com' -ErrorAction Stop 31 | } Catch [System.Exception] { 32 | Write-Output "Failed to create DNS Conditional Forwarder for amazonaws.com $_" 33 | } -------------------------------------------------------------------------------- /scripts/archive/ConfigDC2-SSM.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | # Incoming Parameters for Script, CloudFormation\SSM Parameters being passed in 3 | param( 4 | [Parameter(Mandatory=$true)] 5 | [string]$ADServer2NetBIOSName, 6 | 7 | [Parameter(Mandatory=$true)] 8 | [string]$DomainNetBIOSName, 9 | 10 | [Parameter(Mandatory=$true)] 11 | [string]$DomainDNSName, 12 | 13 | [Parameter(Mandatory=$true)] 14 | [string]$ADServer1PrivateIP, 15 | 16 | [Parameter(Mandatory=$true)] 17 | [string]$ADAdminSSMParam 18 | ) 19 | 20 | # Grabbing the Current Gateway Address in order to Static IP Correctly 21 | $GatewayAddress = (Get-NetIPConfiguration).IPv4DefaultGateway.NextHop 22 | # Formatting IP Address in format needed for IPAdress DSC Resource 23 | $IPADDR = 'IP/CIDR' -replace 'IP',(Get-NetIPConfiguration).IPv4Address.IpAddress -replace 'CIDR',(Get-NetIPConfiguration).IPv4Address.PrefixLength 24 | # Grabbing Mac Address for Primary Interface to Rename Interface 25 | $MacAddress = (Get-NetAdapter).MacAddress 26 | # Getting Secrets Information for Domain Administrator 27 | $ADAdminPassword = ConvertFrom-Json -InputObject (Get-SSMParameterValue -Names $ADAdminSSMParam -WithDecryption $True).Parameters[0].Value 28 | # Formatting AD Admin User to proper format for JoinDomain DSC Resources in this Script 29 | $DomainAdmin = 'Domain\User' -replace 'Domain',$DomainNetBIOSName -replace 'User',$ADAdminPassword.UserName 30 | # Creating Credential Object for Domain Admin User 31 | $Credentials = (New-Object PSCredential($DomainAdmin,(ConvertTo-SecureString 
$ADAdminPassword.Password -AsPlainText -Force))) 32 | # Getting the DSC Cert Encryption Thumbprint to Secure the MOF File 33 | $DscCertThumbprint = (get-childitem -path cert:\LocalMachine\My | where { $_.subject -eq "CN=AWSQSDscEncryptCert" }).Thumbprint 34 | 35 | # Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing 36 | $ConfigurationData = @{ 37 | AllNodes = @( 38 | @{ 39 | NodeName="*" 40 | CertificateFile = "C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer" 41 | Thumbprint = $DscCertThumbprint 42 | PSDscAllowDomainUser = $true 43 | }, 44 | @{ 45 | NodeName = 'localhost' 46 | } 47 | ) 48 | } 49 | 50 | # PowerShell DSC Configuration Block for Domain Controller 2 51 | Configuration ConfigDC2 { 52 | # Credential Objects being passed in 53 | param 54 | ( 55 | [PSCredential] $Credentials 56 | ) 57 | 58 | # Importing DSC Modules needed for Configuration 59 | Import-Module -Name PSDesiredStateConfiguration 60 | Import-Module -Name xActiveDirectory 61 | Import-Module -Name NetworkingDsc 62 | Import-Module -Name ActiveDirectoryCSDsc 63 | Import-Module -Name ComputerManagementDsc 64 | Import-Module -Name xDnsServer 65 | 66 | # Importing All DSC Resources needed for Configuration 67 | Import-DscResource -Module PSDesiredStateConfiguration 68 | Import-DscResource -Module NetworkingDsc 69 | Import-DscResource -Module xActiveDirectory 70 | Import-DscResource -Module ActiveDirectoryCSDsc 71 | Import-DscResource -Module ComputerManagementDsc 72 | Import-DscResource -Module xDnsServer 73 | 74 | # Node Configuration block, since processing directly on DC using localhost 75 | Node 'localhost' { 76 | 77 | # Renaming Primary Adapter in order to Static the IP for AD installation 78 | NetAdapterName RenameNetAdapterPrimary { 79 | NewName = 'Primary' 80 | MacAddress = $MacAddress 81 | } 82 | 83 | # Disabling DHCP on the Primary Interface 84 | NetIPInterface DisableDhcp { 85 | Dhcp = 'Disabled' 86 | InterfaceAlias = 'Primary' 87 | 
AddressFamily = 'IPv4' 88 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 89 | } 90 | 91 | # Setting the IP Address on the Primary Interface 92 | IPAddress SetIP { 93 | IPAddress = $IPADDR 94 | InterfaceAlias = 'Primary' 95 | AddressFamily = 'IPv4' 96 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 97 | } 98 | 99 | # Setting Default Gateway on Primary Interface 100 | DefaultGatewayAddress SetDefaultGateway { 101 | Address = $GatewayAddress 102 | InterfaceAlias = 'Primary' 103 | AddressFamily = 'IPv4' 104 | DependsOn = '[IPAddress]SetIP' 105 | } 106 | 107 | # Setting DNS Server on Primary Interface to point to DC1 108 | DnsServerAddress DnsServerAddress { 109 | Address = $ADServer1PrivateIP 110 | InterfaceAlias = 'Primary' 111 | AddressFamily = 'IPv4' 112 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 113 | } 114 | 115 | # Wait for AD Domain to be up and running 116 | xWaitForADDomain WaitForPrimaryDC { 117 | DomainName = $DomainDnsName 118 | RetryCount = 600 119 | RetryIntervalSec = 30 120 | RebootRetryCount = 10 121 | DependsOn = '[DnsServerAddress]DnsServerAddress' 122 | } 123 | 124 | # Rename Computer and Join Domain 125 | Computer JoinDomain { 126 | Name = $ADServer2NetBIOSName 127 | DomainName = $DomainDnsName 128 | Credential = $Credentials 129 | DependsOn = "[xWaitForADDomain]WaitForPrimaryDC" 130 | } 131 | 132 | # Adding Needed Windows Features 133 | WindowsFeature DNS { 134 | Ensure = "Present" 135 | Name = "DNS" 136 | } 137 | 138 | WindowsFeature AD-Domain-Services { 139 | Ensure = "Present" 140 | Name = "AD-Domain-Services" 141 | DependsOn = "[WindowsFeature]DNS" 142 | } 143 | 144 | WindowsFeature DnsTools { 145 | Ensure = "Present" 146 | Name = "RSAT-DNS-Server" 147 | DependsOn = "[WindowsFeature]DNS" 148 | } 149 | 150 | WindowsFeature RSAT-AD-Tools { 151 | Name = 'RSAT-AD-Tools' 152 | Ensure = 'Present' 153 | DependsOn = "[WindowsFeature]AD-Domain-Services" 154 | } 155 | 156 | WindowsFeature RSAT-ADDS { 157 | Ensure = "Present" 
158 | Name = "RSAT-ADDS" 159 | DependsOn = "[WindowsFeature]AD-Domain-Services" 160 | } 161 | 162 | WindowsFeature RSAT-ADDS-Tools { 163 | Name = 'RSAT-ADDS-Tools' 164 | Ensure = 'Present' 165 | DependsOn = "[WindowsFeature]RSAT-ADDS" 166 | } 167 | 168 | WindowsFeature RSAT-AD-AdminCenter { 169 | Name = 'RSAT-AD-AdminCenter' 170 | Ensure = 'Present' 171 | DependsOn = "[WindowsFeature]AD-Domain-Services" 172 | } 173 | 174 | WindowsFeature ADCS-Cert-Authority { 175 | Ensure = 'Present' 176 | Name = 'ADCS-Cert-Authority' 177 | DependsOn = '[xADDomainController]SecondaryDC' 178 | } 179 | 180 | ADCSCertificationAuthority ADCS { 181 | Ensure = 'Present' 182 | IsSingleInstance = 'Yes' 183 | Credential = $Credentials 184 | CAType = 'EnterpriseRootCA' 185 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 186 | } 187 | 188 | WindowsFeature ADCS-Web-Enrollment { 189 | Ensure = 'Present' 190 | Name = 'ADCS-Web-Enrollment' 191 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 192 | } 193 | 194 | WindowsFeature RSAT-ADCS { 195 | Ensure = 'Present' 196 | Name = 'RSAT-ADCS' 197 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 198 | } 199 | 200 | WindowsFeature RSAT-ADCS-Mgmt { 201 | Ensure = 'Present' 202 | Name = 'RSAT-ADCS-Mgmt' 203 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 204 | } 205 | 206 | # Promoting Node as Secondary DC 207 | xADDomainController SecondaryDC { 208 | DomainName = $DomainDnsName 209 | DomainAdministratorCredential = $Credentials 210 | SafemodeAdministratorPassword = $Credentials 211 | DependsOn = @("[WindowsFeature]AD-Domain-Services","[Computer]JoinDomain") 212 | } 213 | 214 | ADCSWebEnrollment CertSrv { 215 | Ensure = 'Present' 216 | IsSingleInstance = 'Yes' 217 | Credential = $Credentials 218 | DependsOn = '[WindowsFeature]ADCS-Web-Enrollment','[ADCSCertificationAuthority]ADCS' 219 | } 220 | } 221 | } 222 | 223 | # Generating MOF File 224 | ConfigDC2 -OutputPath 'C:\AWSQuickstart\ConfigDC2' -Credentials $Credentials -ConfigurationData 
$ConfigurationData -------------------------------------------------------------------------------- /scripts/archive/ConfigDC2.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | ConfigDC2.ps1 4 | 5 | .DESCRIPTION 6 | This script is run on an additional domain controller after the final restart of forest creation. 7 | 8 | .EXAMPLE 9 | .\ConfigDC2 -ADServer2NetBIOSName 'DC2' -DomainNetBIOSName 'example' -DomainDNSName 'example.com' -ADServer1PrivateIP '10.0.0.10' -ADAdminSecParam 'arn:aws:secretsmanager:us-west-2:############:secret:example' -RestoreModeSecParam 'arn:aws:secretsmanager:us-west-2:############:secret:example' 10 | #> 11 | 12 | [CmdletBinding()] 13 | Param ( 14 | [Parameter(Mandatory = $true)][string]$ADServer2NetBIOSName, 15 | [Parameter(Mandatory = $true)][string]$DomainNetBIOSName, 16 | [Parameter(Mandatory = $true)][string]$DomainDNSName, 17 | [Parameter(Mandatory = $true)][string]$ADServer1PrivateIP, 18 | [Parameter(Mandatory = $true)][string]$ADAdminSecParam, 19 | [Parameter(Mandatory = $true)][string]$RestoreModeSecParam 20 | ) 21 | 22 | #Requires -Modules PSDesiredStateConfiguration, NetworkingDsc, ComputerManagementDsc, xDnsServer, ActiveDirectoryDsc 23 | 24 | #================================================== 25 | # Main 26 | #================================================== 27 | 28 | Write-Output "Getting network configuration $_" 29 | Try { 30 | $NetIpConfig = Get-NetIPConfiguration 31 | } Catch [System.Exception] { 32 | Write-Output "Failed to set network configuration $_" 33 | Exit 1 34 | } 35 | 36 | Write-Output 'Grabbing the Current Gateway Address in order to Static IP Correctly' 37 | $GatewayAddress = $NetIpConfig | Select-Object -ExpandProperty 'IPv4DefaultGateway' | Select-Object -ExpandProperty 'NextHop' 38 | 39 | Write-Output 'Formatting IP Address in format needed for IPAdress DSC Resource' 40 | $IP = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | 
Select-Object -ExpandProperty 'IpAddress' 41 | $Prefix = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'PrefixLength' 42 | $IPADDR = 'IP/CIDR' -replace 'IP', $IP -replace 'CIDR', $Prefix 43 | 44 | Write-Output 'Getting MAC address' 45 | Try { 46 | $MacAddress = Get-NetAdapter | Select-Object -ExpandProperty 'MacAddress' 47 | } Catch [System.Exception] { 48 | Write-Output "Failed to get MAC address $_" 49 | Exit 1 50 | } 51 | 52 | Write-Output "Getting $ADAdminSecParam Secret" 53 | Try { 54 | $AdminSecret = Get-SECSecretValue -SecretId $ADAdminSecParam -ErrorAction Stop | Select-Object -ExpandProperty 'SecretString' 55 | } Catch [System.Exception] { 56 | Write-Output "Failed to get $ADAdminSecParam Secret $_" 57 | Exit 1 58 | } 59 | 60 | Write-Output 'Converting AdminSecret from JSON' 61 | Try { 62 | $ADAdminPassword = ConvertFrom-Json -InputObject $AdminSecret -ErrorAction Stop 63 | } Catch [System.Exception] { 64 | Write-Output "Failed to convert $AdminSecret from JSON $_" 65 | Exit 1 66 | } 67 | 68 | Write-Output 'Creating Credential Object for Administrator' 69 | $AdminUserName = $ADAdminPassword.UserName 70 | $AdminUserPW = ConvertTo-SecureString ($ADAdminPassword.Password) -AsPlainText -Force 71 | $Credentials = New-Object -TypeName 'System.Management.Automation.PSCredential' ("$DomainNetBIOSName\$AdminUserName", $AdminUserPW) 72 | 73 | 74 | Write-Output "Getting $RestoreModeSecParam Secret" 75 | Try { 76 | $RestoreModeSecret = Get-SECSecretValue -SecretId $RestoreModeSecParam -ErrorAction Stop | Select-Object -ExpandProperty 'SecretString' 77 | } Catch [System.Exception] { 78 | Write-Output "Failed to get $RestoreModeSecParam Secret $_" 79 | Exit 1 80 | } 81 | 82 | Write-Output "Converting RestoreModeSecret from JSON" 83 | Try { 84 | $RestoreModePassword = ConvertFrom-Json -InputObject $RestoreModeSecret -ErrorAction Stop 85 | } Catch [System.Exception] { 86 | Write-Output "Failed to convert $RestoreModeSecret from 
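JSON $_"
    Exit 1
}

Write-Output 'Creating Credential Object for Restore Mode Password'
$RestoreUserName = $RestoreModePassword.UserName
# The DSRM (restore mode) password must come from the RestoreModeSecParam secret
# parsed into $RestoreModePassword above, not from $ADAdminPassword; reusing the
# domain admin password here would silently make the two credentials identical.
$RestoreUserPW = ConvertTo-SecureString ($RestoreModePassword.Password) -AsPlainText -Force
$RestoreCredentials = New-Object -TypeName 'System.Management.Automation.PSCredential' ($RestoreUserName, $RestoreUserPW)

Write-Output 'Getting the DSC Cert Encryption Thumbprint to Secure the MOF File'
Try {
    $DscCertThumbprint = Get-ChildItem -Path 'cert:\LocalMachine\My' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint'
} Catch [System.Exception] {
    Write-Output "Failed to get local machine certificates $_"
    Exit 1
}

Write-Output 'Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing'
# The thumbprint/certificate pair is what DSC uses to encrypt credentials in the MOF.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName = '*'
            CertificateFile = 'C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer'
            Thumbprint = $DscCertThumbprint
            PSDscAllowDomainUser = $true
        },
        @{
            NodeName = 'localhost'
        }
    )
}

# PowerShell DSC Configuration Block for Domain Controller 2
Configuration ConfigDC2 {
    # Credential Objects being passed in
    Param
    (
        [Parameter(Mandatory = $true)][PSCredential]$Credentials,
        [Parameter(Mandatory = $true)][PSCredential]$RestoreCredentials
    )

    # Importing All DSC Resources needed for Configuration
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'NetworkingDsc', 'ComputerManagementDsc', 'xDnsServer', 'ActiveDirectoryDsc'

    # Node Configuration block, since processing directly on DC using localhost
    Node LocalHost {
        NetAdapterName RenameNetAdapterPrimary {
            NewName = 'Primary'
            MacAddress = $MacAddress
        }
        NetIPInterface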
DisableDhcp { 137 | Dhcp = 'Disabled' 138 | InterfaceAlias = 'Primary' 139 | AddressFamily = 'IPv4' 140 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 141 | } 142 | IPAddress SetIP { 143 | IPAddress = $IPADDR 144 | InterfaceAlias = 'Primary' 145 | AddressFamily = 'IPv4' 146 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 147 | } 148 | DefaultGatewayAddress SetDefaultGateway { 149 | Address = $GatewayAddress 150 | InterfaceAlias = 'Primary' 151 | AddressFamily = 'IPv4' 152 | DependsOn = '[IPAddress]SetIP' 153 | } 154 | DnsServerAddress DnsServerAddress { 155 | Address = $ADServer1PrivateIP 156 | InterfaceAlias = 'Primary' 157 | AddressFamily = 'IPv4' 158 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 159 | } 160 | WaitForADDomain WaitForPrimaryDC { 161 | DomainName = $DomainDnsName 162 | Credential = $Credentials 163 | WaitTimeout = 600 164 | DependsOn = '[DnsServerAddress]DnsServerAddress' 165 | } 166 | Computer JoinDomain { 167 | Name = $ADServer2NetBIOSName 168 | DomainName = $DomainDnsName 169 | Credential = $Credentials 170 | DependsOn = '[WaitForADDomain]WaitForPrimaryDC' 171 | } 172 | WindowsFeature DNS { 173 | Ensure = 'Present' 174 | Name = 'DNS' 175 | } 176 | WindowsFeature AD-Domain-Services { 177 | Ensure = 'Present' 178 | Name = 'AD-Domain-Services' 179 | DependsOn = '[WindowsFeature]DNS' 180 | } 181 | WindowsFeature DnsTools { 182 | Ensure = 'Present' 183 | Name = 'RSAT-DNS-Server' 184 | DependsOn = '[WindowsFeature]DNS' 185 | } 186 | WindowsFeature RSAT-AD-Tools { 187 | Ensure = 'Present' 188 | Name = 'RSAT-AD-Tools' 189 | DependsOn = '[WindowsFeature]AD-Domain-Services' 190 | } 191 | WindowsFeature RSAT-ADDS { 192 | Ensure = 'Present' 193 | Name = 'RSAT-ADDS' 194 | DependsOn = '[WindowsFeature]AD-Domain-Services' 195 | } 196 | Service ActiveDirectoryWebServices { 197 | Name = "ADWS" 198 | StartupType = "Automatic" 199 | State = "Running" 200 | DependsOn = "[WindowsFeature]AD-Domain-Services" 201 | } 202 | WindowsFeature GPMC 
{ 203 | Ensure = 'Present' 204 | Name = 'GPMC' 205 | DependsOn = '[WindowsFeature]AD-Domain-Services' 206 | } 207 | ADDomainController SecondaryDC { 208 | DomainName = $DomainDnsName 209 | Credential = $Credentials 210 | SafemodeAdministratorPassword = $RestoreCredentials 211 | DatabasePath = 'D:\NTDS' 212 | LogPath = 'D:\NTDS' 213 | SysvolPath = 'D:\SYSVOL' 214 | DependsOn = @('[WindowsFeature]AD-Domain-Services', '[Computer]JoinDomain', '[Service]ActiveDirectoryWebServices') 215 | } 216 | } 217 | } 218 | 219 | Write-Output 'Generating MOF File' 220 | ConfigDC2 -OutputPath 'C:\AWSQuickstart\ConfigDC2' -Credentials $Credentials -RestoreCredentials $RestoreCredentials -ConfigurationData $ConfigurationData -------------------------------------------------------------------------------- /scripts/archive/Configure-RDGW.ps1: -------------------------------------------------------------------------------- 1 | param( 2 | $ServerFQDN, 3 | $DomainNetBiosName, 4 | $GroupName, 5 | $UserName 6 | ) 7 | 8 | #https://s3.amazonaws.com/microsoft_windows/scripts/Configure-RDGW.ps1 9 | 10 | Import-Module remotedesktopservices 11 | 12 | $name = new-object -com "X509Enrollment.CX500DistinguishedName.1" 13 | $name.Encode("CN=$ServerFQDN", 0) 14 | 15 | $key = new-object -com "X509Enrollment.CX509PrivateKey.1" 16 | $key.ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 17 | $key.KeySpec = 1 18 | $key.Length = 1024 19 | $key.SecurityDescriptor = "D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)" 20 | $key.MachineContext = 1 21 | $key.Create() 22 | 23 | $serverauthoid = new-object -com "X509Enrollment.CObjectId.1" 24 | $serverauthoid.InitializeFromValue("1.3.6.1.5.5.7.3.1") 25 | $ekuoids = new-object -com "X509Enrollment.CObjectIds.1" 26 | $ekuoids.add($serverauthoid) 27 | $ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1" 28 | $ekuext.InitializeEncode($ekuoids) 29 | 30 | $cert = new-object -com 
"X509Enrollment.CX509CertificateRequestCertificate.1" 31 | $cert.InitializeFromPrivateKey(2, $key, "") 32 | $cert.Subject = $name 33 | $cert.Issuer = $cert.Subject 34 | $cert.NotBefore = get-date 35 | $cert.NotAfter = $cert.NotBefore.AddDays(730) 36 | $cert.X509Extensions.Add($ekuext) 37 | $cert.Encode() 38 | 39 | $enrollment = new-object -com "X509Enrollment.CX509Enrollment.1" 40 | $enrollment.InitializeFromRequest($cert) 41 | $certdata = $enrollment.CreateRequest(0) 42 | $enrollment.InstallResponse(2, $certdata, 0, "") 43 | 44 | dir cert:\localmachine\my | ? { $_.Subject -eq "CN=$ServerFQDN” } | % { [system.IO.file]::WriteAllBytes("c:\$env:computername.cer", ($_.Export('CERT', 'secret')) ) } 45 | 46 | new-item -path RDS:\GatewayServer\CAP -Name Default-CAP -UserGroups "$GroupName@$DomainNetBiosName" -AuthMethod 1 47 | 48 | new-item -Path RDS:\GatewayServer\RAP -Name Default-RAP -UserGroups "$GroupName@$DomainNetBiosName" -ComputerGroupType 2 49 | 50 | dir cert:\localmachine\my | where-object { $_.Subject -eq "CN=$ServerFQDN” } | ForEach-Object { Set-Item -Path RDS:\GatewayServer\SSLCertificate\Thumbprint -Value $_.Thumbprint } 51 | 52 | Restart-Service tsgateway 53 | 54 | -------------------------------------------------------------------------------- /scripts/archive/Configure-Sites.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [Parameter(Mandatory=$true)] 4 | [string]$PublicSubnet1CIDR, 5 | 6 | [Parameter(Mandatory=$true)] 7 | [string]$PublicSubnet2CIDR, 8 | 9 | [Parameter(Mandatory=$true)] 10 | [string]$PrivateSubnet1CIDR, 11 | 12 | [Parameter(Mandatory=$true)] 13 | [string]$PrivateSubnet2CIDR, 14 | 15 | [Parameter(Mandatory=$false)] 16 | [string]$PublicSubnet3CIDR, 17 | 18 | [Parameter(Mandatory=$false)] 19 | [string]$PrivateSubnet3CIDR, 20 | 21 | [Parameter(Mandatory=$true)] 22 | [string]$Region 23 | ) 24 | 25 | 26 | $timeoutInSeconds = 300 27 | $elapsedSeconds = 0 28 | 
$intervalSeconds = 1 29 | $startTime = Get-Date 30 | $running = $false 31 | 32 | try { 33 | While (($elapsedSeconds -lt $timeoutInSeconds )) { 34 | try { 35 | $adws = Get-Process -Name Microsoft.ActiveDirectory.WebServices 36 | if ($adws) { 37 | $ErrorActionPreference = "Stop" 38 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 39 | 40 | Get-ADObject -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -filter {Name -eq 'Default-First-Site-Name'} | Rename-ADObject -NewName $Region 41 | New-ADReplicationSubnet -Name $PublicSubnet1CIDR -Site $Region 42 | New-ADReplicationSubnet -Name $PublicSubnet2CIDR -Site $Region 43 | New-ADReplicationSubnet -Name $PrivateSubnet1CIDR -Site $Region 44 | New-ADReplicationSubnet -Name $PrivateSubnet2CIDR -Site $Region 45 | 46 | # AZ3 scenarios only; add 3rd AZ subnets to site1 47 | if (!$PrivateSubnet3CIDR ) { 48 | echo "No 3rd Private AZ" 49 | } else { 50 | New-ADReplicationSubnet -Name $PrivateSubnet3CIDR -Site $Region 51 | } 52 | 53 | if (!$PrivateSubnet3CIDR ) { 54 | echo "No 3rd Private AZ" 55 | } else { 56 | New-ADReplicationSubnet -Name $PublicSubnet3CIDR -Site $Region 57 | } 58 | 59 | echo "Successfully Configured the AD Sites..." 60 | break 61 | } 62 | } 63 | catch { 64 | Start-Sleep -Seconds $intervalSeconds 65 | $elapsedSeconds = ($(Get-Date) - $startTime).TotalSeconds 66 | echo "Elapse Seconds" $elapsedSeconds 67 | 68 | } 69 | if ($elapsedSeconds -ge $timeoutInSeconds) { 70 | Throw "ADWS did not start or is unreachable in $timeoutInSeconds seconds..." 
71 | } 72 | } 73 | 74 | } 75 | catch { 76 | $_ | Write-AWSQuickStartException 77 | } -------------------------------------------------------------------------------- /scripts/archive/ConvertTo-EnterpriseAdmin.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [string[]] 4 | [Parameter(Position=0)] 5 | $Groups = @('domain admins','schema admins','enterprise admins'), 6 | 7 | [string[]] 8 | [Parameter(Mandatory=$true, Position=1)] 9 | $Members 10 | ) 11 | 12 | $timeoutInSeconds = 300 13 | $elapsedSeconds = 0 14 | $intervalSeconds = 1 15 | $startTime = Get-Date 16 | $running = $false 17 | 18 | 19 | try { 20 | $ErrorActionPreference = "Stop" 21 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 22 | 23 | While (($elapsedSeconds -lt $timeoutInSeconds )) { 24 | try { 25 | $adws = Get-Process -Name Microsoft.ActiveDirectory.WebServices 26 | if ($adws) { 27 | $Groups | ForEach-Object{ 28 | Add-ADGroupMember -Identity $_ -Members $Members 29 | } 30 | break 31 | } 32 | } 33 | catch { 34 | Start-Sleep -Seconds $elapsedSeconds 35 | $elapsedSeconds = ($(Get-Date) - $startTime).TotalSeconds 36 | echo "Elapse Seconds" $elapsedSeconds 37 | 38 | } 39 | if ($elapsedSeconds -ge $timeoutInSeconds) { 40 | Throw "ADWS did not start or is unreachable in $timeoutInSeconds seconds..." 
41 | } 42 | } 43 | 44 | } 45 | catch { 46 | $_ | Write-AWSQuickStartException 47 | } -------------------------------------------------------------------------------- /scripts/archive/Create-AdminUser.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [Parameter(Mandatory=$true)] 4 | [string]$DomainAdminUser, 5 | 6 | [Parameter(Mandatory=$true)] 7 | [string]$Server, 8 | 9 | [Parameter(Mandatory=$true)] 10 | [string]$DomainDNSName, 11 | 12 | [Parameter(Mandatory=$true)] 13 | [string]$SSMParamName 14 | ) 15 | 16 | $timeoutInSeconds = 600 17 | $elapsedSeconds = 0 18 | $intervalSeconds = 1 19 | $startTime = Get-Date 20 | $running = $false 21 | 22 | try { 23 | $ErrorActionPreference = "Stop" 24 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 25 | 26 | While (($elapsedSeconds -lt $timeoutInSeconds )) { 27 | try { 28 | $adws = Get-Process -Name Microsoft.ActiveDirectory.WebServices 29 | if ($adws) { 30 | $DomainAdminPassword = (Get-SSMParameterValue -Names $SSMParamName).Parameters[0].Value 31 | Write-SSMParameter -Name $SSMParamName -Type SecureString -Value $DomainAdminPassword -Overwrite $true 32 | $Admin = $DomainAdminUser+"@"+$DomainDNSName 33 | New-ADUser -Name $DomainAdminUser -UserPrincipalName $Admin -AccountPassword (ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force) -Enabled $true -PasswordNeverExpires $true -Server $Server 34 | echo "Successfully Created the Admin User..." 35 | break 36 | } 37 | } 38 | catch { 39 | Start-Sleep -Seconds $intervalSeconds 40 | $elapsedSeconds = ($(Get-Date) - $startTime).TotalSeconds 41 | echo "Elapse Seconds" $elapsedSeconds 42 | 43 | } 44 | if ($elapsedSeconds -ge $timeoutInSeconds) { 45 | Throw "ADWS did not start or is unreachable in $timeoutInSeconds seconds..." 
46 | } 47 | } 48 | 49 | } 50 | catch { 51 | $_ | Write-AWSQuickStartException 52 | } 53 | -------------------------------------------------------------------------------- /scripts/archive/Disable-WindowsFirewall.ps1: -------------------------------------------------------------------------------- 1 | try { 2 | $ErrorActionPreference = "Stop" 3 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 4 | 5 | Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False 6 | } 7 | catch { 8 | $_ | Write-AWSQuickStartException 9 | } -------------------------------------------------------------------------------- /scripts/archive/Dns-Config.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Dns-Config.ps1 4 | 5 | .DESCRIPTION 6 | This script is run on a domain controller after the final restart of forest creation. 7 | It sets some minor settings and cleans up the DSC configuration 8 | 9 | .EXAMPLE 10 | .\Dns-Config -ADServer1NetBIOSName 'DC1' -ADServer2NetBIOSName 'DC2' -ADServer1PrivateIP '10.0.0.10' -ADServer2PrivateIP '10.32.0.10' -DomainDNSName 'example.com'-ADAdminSecParam 'arn:aws:secretsmanager:us-west-2:############:secret:example' 11 | #> 12 | 13 | [CmdletBinding()] 14 | param( 15 | [Parameter(Mandatory=$true)][string]$ADServer1NetBIOSName, 16 | [Parameter(Mandatory=$true)][string]$ADServer2NetBIOSName, 17 | [Parameter(Mandatory=$true)][string]$ADServer1PrivateIP, 18 | [Parameter(Mandatory=$true)][string]$ADServer2PrivateIP, 19 | [Parameter(Mandatory=$true)][string]$DomainDNSName, 20 | [Parameter(Mandatory=$true)][string]$ADAdminSecParam 21 | ) 22 | 23 | #Requires -Modules NetworkingDsc 24 | 25 | #================================================== 26 | # Main 27 | #================================================== 28 | 29 | # PowerShell DSC Configuration Block to config DNS Settings on DC1 and DC2 30 | Configuration DnsConfig { 31 | 32 | # Importing All DSC Resources needed for 
Configuration 33 | Import-DscResource -ModuleName 'NetworkingDsc' 34 | 35 | # DNS Settings for First Domain Controller 36 | Node $ADServer1 { 37 | 38 | DnsServerAddress DnsServerAddress { 39 | Address = $ADServer2PrivateIP, $ADServer1PrivateIP, '127.0.0.1' 40 | InterfaceAlias = 'Primary' 41 | AddressFamily = 'IPv4' 42 | } 43 | DnsConnectionSuffix DnsConnectionSuffix { 44 | InterfaceAlias = 'Primary' 45 | ConnectionSpecificSuffix = (Get-ADDomain | Select-Object -ExpandProperty 'DNSRoot') 46 | RegisterThisConnectionsAddress = $True 47 | UseSuffixWhenRegistering = $False 48 | } 49 | } 50 | 51 | # DNS Settings for Second Domain Controller 52 | Node $ADServer2 { 53 | 54 | DnsServerAddress DnsServerAddress { 55 | Address = $ADServer1PrivateIP, $ADServer2PrivateIP, '127.0.0.1' 56 | InterfaceAlias = 'Primary' 57 | AddressFamily = 'IPv4' 58 | } 59 | DnsConnectionSuffix DnsConnectionSuffix { 60 | InterfaceAlias = 'Primary' 61 | ConnectionSpecificSuffix = (Get-ADDomain | Select-Object -ExpandProperty 'DNSRoot') 62 | RegisterThisConnectionsAddress = $True 63 | UseSuffixWhenRegistering = $False 64 | } 65 | } 66 | } 67 | 68 | Write-Output 'Formatting Computer names as FQDN' 69 | $ADServer1 = "$ADServer1NetBIOSName.$DomainDNSName" 70 | $ADServer2 = "$ADServer2NetBIOSName.$DomainDNSName" 71 | 72 | Write-Output "Getting $ADAdminSecParam Secret" 73 | Try { 74 | $AdminSecret = Get-SECSecretValue -SecretId $ADAdminSecParam -ErrorAction Stop | Select-Object -ExpandProperty 'SecretString' 75 | } Catch [System.Exception] { 76 | Write-Output "Failed to get $ADAdminSecParam Secret $_" 77 | Exit 1 78 | } 79 | 80 | Write-Output 'Converting AdminSecret from JSON' 81 | Try { 82 | $ADAdminPassword = ConvertFrom-Json -InputObject $AdminSecret -ErrorAction Stop 83 | } Catch [System.Exception] { 84 | Write-Output "Failed to convert $AdminSecret from JSON $_" 85 | Exit 1 86 | } 87 | 88 | Write-Output 'Creating Credential Object for Administrator' 89 | $AdminUserName = $ADAdminPassword.UserName 90 | 
$AdminUserPW = ConvertTo-SecureString ($ADAdminPassword.Password) -AsPlainText -Force 91 | $Credentials = New-Object -TypeName 'System.Management.Automation.PSCredential' ($AdminUserName, $AdminUserPW) 92 | 93 | Write-Output 'Setting Cim Sessions for Each Host' 94 | Try { 95 | $VMSession1 = New-CimSession -Credential $Credentials -ComputerName $ADServer1 -Verbose -ErrorAction Stop 96 | $VMSession2 = New-CimSession -Credential $Credentials -ComputerName $ADServer2 -Verbose -ErrorAction Stop 97 | } Catch [System.Exception] { 98 | Write-Output "Failed to set Cim Sessions for Each Host $_" 99 | Exit 1 100 | } 101 | 102 | Write-Output 'Generating MOF File' 103 | DnsConfig -OutputPath 'C:\AWSQuickstart\DnsConfig' 104 | 105 | Write-Output 'Processing Configuration from Script utilizing pre-created Cim Sessions' 106 | Try { 107 | Start-DscConfiguration -Path 'C:\AWSQuickstart\DnsConfig' -CimSession $VMSession1 -Wait -Verbose -Force 108 | Start-DscConfiguration -Path 'C:\AWSQuickstart\DnsConfig' -CimSession $VMSession2 -wait -Verbose -Force 109 | } Catch [System.Exception] { 110 | Write-Output "Failed to set DSC $_" 111 | } -------------------------------------------------------------------------------- /scripts/archive/ExtendDC1.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | # Incoming Parameters for Script, CloudFormation\SSM Parameters being passed in 3 | param( 4 | [Parameter(Mandatory=$true)] 5 | [string]$ADServer1NetBIOSName, 6 | 7 | [Parameter(Mandatory=$true)] 8 | [string]$DomainNetBIOSName, 9 | 10 | [Parameter(Mandatory=$true)] 11 | [string]$DomainDNSName, 12 | 13 | [Parameter(Mandatory=$true)] 14 | [string]$ADAdminSecParam, 15 | 16 | [Parameter(Mandatory=$true)] 17 | [string]$ADAltUserSecParam, 18 | 19 | [Parameter(Mandatory=$true)] 20 | [string]$RestoreModeSecParam, 21 | 22 | [Parameter(Mandatory=$true)] 23 | [string]$SiteName, 24 | 25 | [Parameter(Mandatory=$true)] 26 | [string]$VPCCIDR 27 | ) 28 | 
# Grabbing VPC DNS IP in order to set DNS Forwarder for AD DNS
$VPCDNS = (Get-NetIPConfiguration).DNSServer.ServerAddresses
# Grabbing the Current Gateway Address in order to Static IP Correctly
$GatewayAddress = (Get-NetIPConfiguration).IPv4DefaultGateway.NextHop
# Formatting IP Address in format needed for IPAdress DSC Resource
$IPADDR = 'IP/CIDR' -replace 'IP',(Get-NetIPConfiguration).IPv4Address.IpAddress -replace 'CIDR',(Get-NetIPConfiguration).IPv4Address.PrefixLength
# Grabbing Mac Address for Primary Interface to Rename Interface
# NOTE(review): with more than one adapter this is an array; presumably a single-NIC instance is assumed -- confirm.
$MacAddress = (Get-NetAdapter).MacAddress
# Getting Password from Secrets Manager for AD Admin User
$ADAdminPassword = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $ADAdminSecParam).SecretString
# Getting Password from Secrets Manager for AD Alternate User
$AltUserPassword = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $ADAltUserSecParam).SecretString
# Getting Password from Secrets Manager for the DSRM (restore mode) account
$RestoreModePassword = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $RestoreModeSecParam).SecretString
# Creating Credential Object for Administrator
$Credentials = (New-Object PSCredential($ADAdminPassword.UserName,(ConvertTo-SecureString $ADAdminPassword.Password -AsPlainText -Force)))
# Creating Credential Object for Alternate Domain Admin
$AltCredentials = (New-Object PSCredential($AltUserPassword.UserName,(ConvertTo-SecureString $AltUserPassword.Password -AsPlainText -Force)))
# Creating Credential Object for Restore Mode Password
$RestoreCredentials = (New-Object PSCredential($RestoreModePassword.UserName,(ConvertTo-SecureString $RestoreModePassword.Password -AsPlainText -Force)))
# Getting the DSC Cert Encryption Thumbprint to Secure the MOF File
$DscCertThumbprint = (get-childitem -path cert:\LocalMachine\My | where { $_.subject -eq "CN=AWSQSDscEncryptCert" }).Thumbprint

# Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing
# NOTE(review): unlike the ExtendDC2 configuration data, this block does not set PSDscAllowDomainUser,
# although domain credentials are passed into the configuration -- verify the MOF compiles without it.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName="*"
            CertificateFile = "C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer"
            Thumbprint = $DscCertThumbprint
        },
        @{
            NodeName = 'localhost'
        }
    )
}

# PowerShell DSC Configuration Block for Domain Controller 1
# NOTE(review): $AltCredentials and $RestoreCredentials are accepted but never used inside the node
# block; the DSRM password below is taken from $Credentials instead of $RestoreCredentials.
Configuration ConfigDC1 {
    # Credential Objects being passed in
    param
    (
        [PSCredential] $Credentials,
        [PSCredential] $AltCredentials,
        [PSCredential] $RestoreCredentials
    )

    # Importing DSC Modules needed for Configuration
    Import-Module -Name PSDesiredStateConfiguration
    Import-Module -Name xActiveDirectory
    Import-Module -Name NetworkingDsc
    Import-Module -Name ActiveDirectoryCSDsc
    Import-Module -Name ComputerManagementDsc
    Import-Module -Name xDnsServer

    # Importing All DSC Resources needed for Configuration
    # NOTE(review): the AD resources used below (ADDomainController, ADReplicationSite,
    # ADReplicationSubnet) carry ActiveDirectoryDsc names, but only xActiveDirectory is imported -- confirm
    # which module this archived script was written against.
    Import-DscResource -Module PSDesiredStateConfiguration
    Import-DscResource -Module NetworkingDsc
    Import-DscResource -Module xActiveDirectory
    Import-DscResource -Module ActiveDirectoryCSDsc
    Import-DscResource -Module ComputerManagementDsc
    Import-DscResource -Module xDnsServer


    # Node Configuration block, since processing directly on DC using localhost
    Node 'localhost' {

        # Renaming Primary Adapter in order to Static the IP for AD installation
        NetAdapterName RenameNetAdapterPrimary {
            NewName = 'Primary'
            MacAddress = $MacAddress
        }

        # Changing the Local Administrator Password, this account will be a Domain Admin
        User AdministratorPassword {
            UserName = "Administrator"
            Password = $Credentials
        }

        # Renaming Computer to ADServer1NetBIOSName Parameter
        Computer NewName {
            Name = $ADServer1NetBIOSName
        }

        # Disabling DHCP on the Primary Interface
        NetIPInterface DisableDhcp {
            Dhcp = 'Disabled'
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = '[NetAdapterName]RenameNetAdapterPrimary'
        }

        # Setting the IP Address on the Primary Interface
        IPAddress SetIP {
            IPAddress = $IPADDR
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = '[NetAdapterName]RenameNetAdapterPrimary'
        }

        # Setting Default Gateway on Primary Interface
        DefaultGatewayAddress SetDefaultGateway {
            Address = $GatewayAddress
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = '[NetAdapterName]RenameNetAdapterPrimary'
        }

        # Setting DNS Server on Primary Interface to point to itself
        DnsServerAddress DnsServerAddress {
            Address = '127.0.0.1'
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = "[WindowsFeature]DNS"
        }

        # Adding Needed Windows Features
        WindowsFeature DNS {
            Ensure = "Present"
            Name = "DNS"
        }

        WindowsFeature AD-Domain-Services {
            Ensure = "Present"
            Name = "AD-Domain-Services"
        }

        WindowsFeature RSAT-DNS-Server {
            Ensure = "Present"
            Name = "RSAT-DNS-Server"
            DependsOn = "[WindowsFeature]DNS"
        }

        WindowsFeature RSAT-AD-Tools {
            Name = 'RSAT-AD-Tools'
            Ensure = 'Present'
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        WindowsFeature RSAT-ADDS {
            Ensure = "Present"
            Name = "RSAT-ADDS"
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        WindowsFeature RSAT-ADDS-Tools {
            Name = 'RSAT-ADDS-Tools'
            Ensure = 'Present'
            DependsOn = "[WindowsFeature]RSAT-ADDS"
        }

        WindowsFeature RSAT-AD-AdminCenter {
            Name = 'RSAT-AD-AdminCenter'
            Ensure = 'Present'
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        # NOTE(review): '[xADDomain]PrimaryDC' is not declared anywhere in this configuration; the
        # dependency cannot resolve as written (same for the ADReplicationSite block below).
        WindowsFeature ADCS-Cert-Authority {
            Ensure = 'Present'
            Name = 'ADCS-Cert-Authority'
            DependsOn = '[xADDomain]PrimaryDC'
        }

        # Enterprise root CA on this DC, installed with the domain admin credential.
        ADCSCertificationAuthority ADCS {
            Ensure = 'Present'
            IsSingleInstance = 'Yes'
            Credential = $Credentials
            CAType = 'EnterpriseRootCA'
            DependsOn = '[WindowsFeature]ADCS-Cert-Authority'
        }

        WindowsFeature ADCS-Web-Enrollment {
            Ensure = 'Present'
            Name = 'ADCS-Web-Enrollment'
            DependsOn = '[WindowsFeature]ADCS-Cert-Authority'
        }

        WindowsFeature RSAT-ADCS {
            Ensure = 'Present'
            Name = 'RSAT-ADCS'
            DependsOn = '[WindowsFeature]ADCS-Cert-Authority'
        }

        WindowsFeature RSAT-ADCS-Mgmt {
            Ensure = 'Present'
            Name = 'RSAT-ADCS-Mgmt'
            DependsOn = '[WindowsFeature]ADCS-Cert-Authority'
        }

        # Promoting Node as Secondary DC
        # NOTE(review): '[Computer]JoinDomain' does not exist here (the Computer resource is named
        # 'NewName'), and the DSRM password is the domain admin password rather than $RestoreCredentials.
        ADDomainController SecondaryDC {
            DomainName = $DomainDnsName
            DomainAdministratorCredential = $Credentials
            SafemodeAdministratorPassword = $Credentials
            DependsOn = @("[WindowsFeature]AD-Domain-Services","[Computer]JoinDomain")
        }

        # Renaming Default AD Site to Region Name
        ADReplicationSite RegionSite {
            Name = $SiteName
            DependsOn = "[xADDomain]PrimaryDC"
        }

        # Adding AZ Subnets to AD Site
        # NOTE(review): the site resource above is declared as 'ADReplicationSite', so
        # '[xADReplicationSite]RegionSite' does not match it.
        ADReplicationSubnet VPCCIDR {
            Name = $VPCCIDR
            Site = $SiteName
            DependsOn = "[xADReplicationSite]RegionSite"
        }

        # Setting VPC DNS as a forwarder for AD DNS
        xDnsServerForwarder ForwardtoVPCDNS {
            IsSingleInstance = 'Yes'
            IPAddresses = $VPCDNS
        }
    }
}

# Generating MOF File
ConfigDC1 -OutputPath 'C:\AWSQuickstart\ConfigDC1' -Credentials $Credentials -AltCredentials $AltCredentials -RestoreCredentials $RestoreCredentials -ConfigurationData $ConfigurationData
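-------------------------------------------------------------------------------- /scripts/archive/ExtendDC2.ps1: --------------------------------------------------------------------------------
[CmdletBinding()]
# Incoming Parameters for Script, CloudFormation\SSM Parameters being passed in.
# $DNSServer1 and $DNSServer2 are accepted but not referenced below; DNS is pointed at $ADServerPrivateIP.
param(
    [Parameter(Mandatory=$true)]
    [string]$ADServerNetBIOSName,

    [Parameter(Mandatory=$true)]
    [string]$DomainNetBIOSName,

    [Parameter(Mandatory=$true)]
    [string]$DomainDNSName,

    [Parameter(Mandatory=$true)]
    [string]$ADServerPrivateIP,

    [Parameter(Mandatory=$true)]
    [string]$DNSServer1,

    [Parameter(Mandatory=$true)]
    [string]$DNSServer2,

    [Parameter(Mandatory=$true)]
    [string]$ADAdminSecParam
)

# Grabbing the Current Gateway Address in order to Static IP Correctly
$GatewayAddress = (Get-NetIPConfiguration).IPv4DefaultGateway.NextHop
# Formatting IP Address in format needed for IPAdress DSC Resource
$IPADDR = 'IP/CIDR' -replace 'IP',(Get-NetIPConfiguration).IPv4Address.IpAddress -replace 'CIDR',(Get-NetIPConfiguration).IPv4Address.PrefixLength
# Grabbing Mac Address for Primary Interface to Rename Interface
# NOTE(review): with more than one adapter this is an array; presumably a single-NIC instance is assumed -- confirm.
$MacAddress = (Get-NetAdapter).MacAddress
# Getting Secrets Information for Domain Administrator
$ADAdminPassword = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $ADAdminSecParam).SecretString
# Formatting AD Admin User to proper format for JoinDomain DSC Resources in this Script
$DomainAdmin = 'Domain\User' -replace 'Domain',$DomainNetBIOSName -replace 'User',$ADAdminPassword.UserName
# Creating Credential Object for Domain Admin User
$Credentials = (New-Object PSCredential($DomainAdmin,(ConvertTo-SecureString $ADAdminPassword.Password -AsPlainText -Force)))
# Getting the DSC Cert Encryption Thumbprint to Secure the MOF File
$DscCertThumbprint = (get-childitem -path cert:\LocalMachine\My | where { $_.subject -eq "CN=AWSQSDscEncryptCert" }).Thumbprint

# Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName="*"
            CertificateFile = "C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer"
            Thumbprint = $DscCertThumbprint
            PSDscAllowDomainUser = $true
        },
        @{
            NodeName = 'localhost'
        }
    )
}

# PowerShell DSC Configuration Block for Domain Controller 2: statics the primary NIC, joins the
# existing domain and promotes this node as an additional domain controller.
Configuration ConfigDC {
    # Credential Objects being passed in: the domain admin credential, used for the domain wait,
    # the join, the promotion and (see note below) the DSRM safe-mode password.
    param
    (
        [PSCredential] $Credentials
    )

    # Importing DSC Modules needed for Configuration
    Import-Module -Name PSDesiredStateConfiguration
    Import-Module -Name ActiveDirectoryDsc
    Import-Module -Name NetworkingDsc
    Import-Module -Name ComputerManagementDsc
    Import-Module -Name xDnsServer

    # Importing All DSC Resources needed for Configuration
    Import-DscResource -Module PSDesiredStateConfiguration
    Import-DscResource -Module NetworkingDsc
    Import-DscResource -Module ActiveDirectoryDsc
    Import-DscResource -Module ComputerManagementDsc
    Import-DscResource -Module xDnsServer

    # Node Configuration block, since processing directly on DC using localhost
    Node 'localhost' {

        # Renaming Primary Adapter in order to Static the IP for AD installation
        NetAdapterName RenameNetAdapterPrimary {
            NewName = 'Primary'
            MacAddress = $MacAddress
        }

        # Disabling DHCP on the Primary Interface
        NetIPInterface DisableDhcp {
            Dhcp = 'Disabled'
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = '[NetAdapterName]RenameNetAdapterPrimary'
        }

        # Setting the IP Address on the Primary Interface
        IPAddress SetIP {
            IPAddress = $IPADDR
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = '[NetAdapterName]RenameNetAdapterPrimary'
        }

        # Setting Default Gateway on Primary Interface
        DefaultGatewayAddress SetDefaultGateway {
            Address = $GatewayAddress
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = '[IPAddress]SetIP'
        }

        # Setting DNS Server on Primary Interface to point to DC1
        DnsServerAddress DnsServerAddress {
            Address = $ADServerPrivateIP
            InterfaceAlias = 'Primary'
            AddressFamily = 'IPv4'
            DependsOn = '[NetAdapterName]RenameNetAdapterPrimary'
        }

        # Wait for AD Domain to be up and running
        WaitForADDomain WaitForPrimaryDC {
            DomainName = $DomainDnsName
            Credential = $Credentials
            DependsOn = '[DnsServerAddress]DnsServerAddress'
        }

        # Rename Computer and Join Domain
        Computer JoinDomain {
            Name = $ADServerNetBIOSName
            DomainName = $DomainDnsName
            Credential = $Credentials
            # Fix: the wait resource above is declared as the ActiveDirectoryDsc 'WaitForADDomain', so
            # the dependency must name that type. '[xWaitForADDomain]' (the xActiveDirectory name) is
            # not declared in this configuration and the reference fails at MOF compilation.
            DependsOn = "[WaitForADDomain]WaitForPrimaryDC"
        }

        # Adding Needed Windows Features
        WindowsFeature DNS {
            Ensure = "Present"
            Name = "DNS"
        }

        WindowsFeature AD-Domain-Services {
            Ensure = "Present"
            Name = "AD-Domain-Services"
            DependsOn = "[WindowsFeature]DNS"
        }

        WindowsFeature DnsTools {
            Ensure = "Present"
            Name = "RSAT-DNS-Server"
            DependsOn = "[WindowsFeature]DNS"
        }

        WindowsFeature RSAT-AD-Tools {
            Name = 'RSAT-AD-Tools'
            Ensure = 'Present'
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        WindowsFeature RSAT-AD-PowerShell {
            Name = 'RSAT-AD-PowerShell'
            Ensure = 'Present'
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        WindowsFeature RSAT-ADDS {
            Ensure = "Present"
            Name = "RSAT-ADDS"
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        WindowsFeature RSAT-ADDS-Tools {
            Name = 'RSAT-ADDS-Tools'
            Ensure = 'Present'
            DependsOn = "[WindowsFeature]RSAT-ADDS"
        }

        WindowsFeature RSAT-AD-AdminCenter {
            Name = 'RSAT-AD-AdminCenter'
            Ensure = 'Present'
            DependsOn = "[WindowsFeature]AD-Domain-Services"
        }

        # Promoting Node as Secondary DC
        ADDomainController SecondaryDC {
            DomainName = $DomainDnsName
            # Fix: ActiveDirectoryDsc's ADDomainController names this property 'Credential'
            # ('DomainAdministratorCredential' is the xActiveDirectory name); this matches the
            # ConfigDC2 configuration elsewhere in this repository, which also uses ActiveDirectoryDsc.
            Credential = $Credentials
            # NOTE(review): the DSRM safe-mode password is set to the domain administrator password.
            # The newer ConfigDC2 configuration takes a separate RestoreMode secret; this script's
            # parameter list is kept as-is here, so the reuse is documented rather than changed.
            SafemodeAdministratorPassword = $Credentials
            DependsOn = @("[WindowsFeature]AD-Domain-Services","[Computer]JoinDomain")
        }
    }
}

# Generating MOF File
ConfigDC -OutputPath 'C:\AWSQuickstart\ConfigDC' -Credentials $Credentials -ConfigurationData $ConfigurationData
-------------------------------------------------------------------------------- /scripts/archive/Install-ADDSDC.ps1: --------------------------------------------------------------------------------
# Promotes this host as an additional domain controller of $DomainDNSName using the domain admin
# password stored (encrypted) in the SSM parameter $SSMParamName.
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$DomainAdminUser,

    [Parameter(Mandatory=$true)]
    [string]$DomainNetBIOSName,

    [Parameter(Mandatory=$true)]
    [string]$DomainDNSName,

    [Parameter(Mandatory=$true)]
    [string]$SSMParamName
)
try {
    $ErrorActionPreference = "Stop"
    Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append

    $DomainAdmin = $DomainNetBIOSName + "\" + $DomainAdminUser
    $DomainAdminPassword = (Get-SSMParameterValue -Names $SSMParamName -WithDecryption $True).Parameters[0].Value
    # NOTE(review): the same password serves as the promotion credential and as the DSRM
    # safe-mode password. -Confirm:$false -Force makes the promotion unattended.
    Install-ADDSDomainController -InstallDns -DomainName $DomainDNSName -Credential (New-Object System.Management.Automation.PSCredential($DomainAdmin,(ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force))) -SafeModeAdministratorPassword (ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force) -Confirm:$false -Force
}
catch {
    $_ | Write-AWSQuickStartException
}
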
-------------------------------------------------------------------------------- /scripts/archive/Install-ADDSForest.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [Parameter(Mandatory=$true)] 4 | [string]$DomainAdminUser, 5 | 6 | [Parameter(Mandatory=$true)] 7 | [string]$DomainDNSName, 8 | 9 | [Parameter(Mandatory=$true)] 10 | [string]$DomainNetBIOSName, 11 | 12 | [Parameter(Mandatory=$true)] 13 | [string]$SSMParamName 14 | ) 15 | try { 16 | $ErrorActionPreference = "Stop" 17 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 18 | 19 | $DomainAdminPassword = (Get-SSMParameterValue -Names $SSMParamName -WithDecryption $True).Parameters[0].Value 20 | Install-ADDSForest -DomainName $DomainDNSName -DomainNetbiosName $DomainNetBIOSName -SafeModeAdministratorPassword (ConvertTo-SecureString $DomainAdminPassword -AsPlainText -Force) -DomainMode Default -ForestMode Default -Confirm:$false -Force 21 | } 22 | catch { 23 | $_ | Write-AWSQuickStartException 24 | } -------------------------------------------------------------------------------- /scripts/archive/Install-Prereqs.ps1: -------------------------------------------------------------------------------- 1 | try { 2 | $ErrorActionPreference = "Stop" 3 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 4 | Install-WindowsFeature AD-Domain-Services, rsat-adds -IncludeAllSubFeature 5 | 6 | } 7 | catch { 8 | $_ | Write-AWSQuickStartException 9 | } -------------------------------------------------------------------------------- /scripts/archive/Invoke-EnterpriseCaPreConfig.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Invoke-EnterpriseCaPreConfig.ps1 4 | 5 | .DESCRIPTION 6 | This script installs the required Windows features to make the computer an Enterprise CA and joins the computer to the domain specified. 
7 | 8 | .EXAMPLE 9 | .\Invoke-EnterpriseCaPreConfig -EntCaNetBIOSName 'CA01' -DomainNetBIOSName 'example' -DomainDNSName 'example.com' -DomainController1IP '10.20.30.40' DomainController2IP '10.20.30.41' -ADAdminSecParam 'arn:aws:secretsmanager:us-west-2:############:secret:example-VX5fcW' -UseS3ForCRL 'Yes' 10 | 11 | #> 12 | 13 | [CmdletBinding()] 14 | # Incoming Parameters for Script, CloudFormation\SSM Parameters being passed in 15 | param( 16 | [Parameter(Mandatory = $true)][String]$EntCaNetBIOSName, 17 | [Parameter(Mandatory = $true)][String]$DomainNetBIOSName, 18 | [Parameter(Mandatory = $true)][String]$DomainDNSName, 19 | [Parameter(Mandatory = $true)][String]$DomainController1IP, 20 | [Parameter(Mandatory = $true)][String]$DomainController2IP, 21 | [Parameter(Mandatory = $true)][String]$ADAdminSecParam, 22 | [Parameter(Mandatory = $true)][ValidateSet('Yes', 'No')][String]$UseS3ForCRL 23 | ) 24 | 25 | #Requires -Modules PSDesiredStateConfiguration, NetworkingDsc, ComputerManagementDsc, xDnsServer 26 | 27 | # Getting Network Configuration 28 | $NetIpConfig = Get-NetIPConfiguration 29 | 30 | # Grabbing the Current Gateway Address in order to Static IP Correctly 31 | $GatewayAddress = $NetIpConfig | Select-Object -ExpandProperty 'IPv4DefaultGateway' | Select-Object -ExpandProperty 'NextHop' 32 | 33 | # Formatting IP Address in format needed for IPAdress DSC Resource 34 | $IP = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'IpAddress' 35 | $Prefix = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'PrefixLength' 36 | $IPADDR = 'IP/CIDR' -replace 'IP', $IP -replace 'CIDR', $Prefix 37 | 38 | # Grabbing Mac Address for Primary Interface to Rename Interface 39 | $MacAddress = Get-NetAdapter | Select-Object -ExpandProperty 'MacAddress' 40 | 41 | # Getting Password from Secrets Manager for AD Admin User 42 | $ADAdminPassword = ConvertFrom-Json -InputObject (Get-SECSecretValue 
-SecretId $ADAdminSecParam | Select-Object -ExpandProperty 'SecretString') 43 | 44 | # Creating Credential Object for Domain Administrator 45 | $AdminUserName = $ADAdminPassword.UserName 46 | $AdminUserPW = ConvertTo-SecureString ($ADAdminPassword.Password) -AsPlainText -Force 47 | $Credentials = New-Object -TypeName 'System.Management.Automation.PSCredential' ("$DomainNetBIOSName\$AdminUserName", $AdminUserPW) 48 | 49 | # Getting the DSC Cert Encryption Thumbprint to Secure the MOF File 50 | $DscCertThumbprint = Get-ChildItem -Path 'cert:\LocalMachine\My' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 51 | 52 | # Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing 53 | $ConfigurationData = @{ 54 | AllNodes = @( 55 | @{ 56 | NodeName = '*' 57 | CertificateFile = 'C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer' 58 | Thumbprint = $DscCertThumbprint 59 | PSDscAllowDomainUser = $true 60 | }, 61 | @{ 62 | NodeName = 'localhost' 63 | } 64 | ) 65 | } 66 | 67 | # PowerShell DSC Configuration Block for Domain Controller 2 68 | Configuration ConfigEntCa { 69 | # Credential Objects being passed in 70 | param 71 | ( 72 | [PSCredential] $Credentials 73 | ) 74 | 75 | # Importing DSC Modules needed for Configuration 76 | Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'NetworkingDsc', 'ComputerManagementDsc' 77 | 78 | # Node Configuration block, since processing directly on DC using localhost 79 | Node LocalHost { 80 | # Renaming Primary Adapter in order to Static the IP for AD installation 81 | NetAdapterName RenameNetAdapterPrimary { 82 | NewName = 'Primary' 83 | MacAddress = $MacAddress 84 | } 85 | 86 | # Disabling DHCP on the Primary Interface 87 | NetIPInterface DisableDhcp { 88 | Dhcp = 'Disabled' 89 | InterfaceAlias = 'Primary' 90 | AddressFamily = 'IPv4' 91 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 92 | } 93 | 94 | # 
Setting the IP Address on the Primary Interface 95 | IPAddress SetIP { 96 | IPAddress = $IPADDR 97 | InterfaceAlias = 'Primary' 98 | AddressFamily = 'IPv4' 99 | DependsOn = '[NetIPInterface]DisableDhcp' 100 | } 101 | 102 | # Setting Default Gateway on Primary Interface 103 | DefaultGatewayAddress SetDefaultGateway { 104 | Address = $GatewayAddress 105 | InterfaceAlias = 'Primary' 106 | AddressFamily = 'IPv4' 107 | DependsOn = '[IPAddress]SetIP' 108 | } 109 | 110 | # Setting DNS Server IPs on Primary Interface 111 | DnsServerAddress DnsServerAddress { 112 | Address = $DomainController1IP, $DomainController2IP 113 | InterfaceAlias = 'Primary' 114 | AddressFamily = 'IPv4' 115 | DependsOn = '[DefaultGatewayAddress]SetDefaultGateway' 116 | } 117 | 118 | # Setting Connection Suffix Primary Interface to domain FQDN 119 | DnsConnectionSuffix DnsConnectionSuffix { 120 | InterfaceAlias = 'Primary' 121 | ConnectionSpecificSuffix = $DomainDNSName 122 | RegisterThisConnectionsAddress = $True 123 | UseSuffixWhenRegistering = $False 124 | } 125 | 126 | # Adding Required Windows Features 127 | WindowsFeature ADCSCA 128 | { 129 | Name = 'ADCS-Cert-Authority' 130 | Ensure = 'Present' 131 | DependsOn = '[DnsServerAddress]DnsServerAddress' 132 | } 133 | 134 | WindowsFeature RSAT-ADCS-ManagementTools 135 | { 136 | Name = 'RSAT-ADCS' 137 | Ensure = 'Present' 138 | DependsOn = '[WindowsFeature]ADCSCA' 139 | } 140 | 141 | WindowsFeature RSAT-AD-ManagementTools 142 | { 143 | Ensure = 'Present' 144 | Name = 'RSAT-AD-Tools' 145 | DependsOn = '[WindowsFeature]ADCSCA' 146 | } 147 | 148 | If ($UseS3ForCRL -eq 'No') { 149 | WindowsFeature IIS 150 | { 151 | Ensure = 'Present' 152 | Name = 'Web-WebServer' 153 | DependsOn = '[WindowsFeature]ADCSCA' 154 | } 155 | 156 | WindowsFeature IIS-ManagementTools 157 | { 158 | Ensure = 'Present' 159 | Name = 'Web-Mgmt-Console' 160 | DependsOn = '[WindowsFeature]ADCSCA' 161 | } 162 | 163 | WindowsFeature RSAT-DNS-ManagementTools 164 | { 165 | Ensure = 
'Present' 166 | Name = 'RSAT-DNS-Server' 167 | DependsOn = '[WindowsFeature]ADCSCA' 168 | } 169 | } 170 | 171 | # Rename Computer and Join Domain 172 | Computer JoinDomain { 173 | Name = $EntCaNetBIOSName 174 | DomainName = $DomainDnsName 175 | Credential = $Credentials 176 | DependsOn = '[WindowsFeature]RSAT-ADCS-ManagementTools' 177 | } 178 | } 179 | } 180 | 181 | # Generating MOF File 182 | ConfigEntCa -OutputPath 'C:\AWSQuickstart\ConfigEntCa' -Credentials $Credentials -ConfigurationData $ConfigurationData -------------------------------------------------------------------------------- /scripts/archive/Invoke-MgmtInstanceConfig.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Invoke-MgmtInstanceConfig.ps1 4 | 5 | .DESCRIPTION 6 | This script installs the AD Management tool and joins the computer to the domain specified. 7 | 8 | .EXAMPLE 9 | .\Invoke-MgmtInstanceConfig -MgmtNetBIOSName 'Mgmt01' -DomainNetBIOSName 'example' -DomainDNSName 'example.com' -DomainController1IP '10.20.30.40' DomainController2IP '10.20.30.41' -ADAdminSecParam 'arn:aws:secretsmanager:us-west-2:############:secret:example-VX5fcW' 10 | #> 11 | 12 | [CmdletBinding()] 13 | param( 14 | [Parameter(Mandatory = $true)][string]$MgmtNetBIOSName, 15 | [Parameter(Mandatory = $true)][string]$DomainNetBIOSName, 16 | [Parameter(Mandatory = $true)][string]$DomainDNSName, 17 | [Parameter(Mandatory = $true)][string]$DomainController1IP, 18 | [Parameter(Mandatory = $true)][string]$DomainController2IP, 19 | [Parameter(Mandatory = $true)][string]$ADAdminSecParam 20 | ) 21 | 22 | #Requires -Modules PSDesiredStateConfiguration, NetworkingDsc, ComputerManagementDsc, xDnsServer 23 | 24 | #================================================== 25 | # Main 26 | #================================================== 27 | 28 | Write-Output 'Getting network configuration' 29 | Try { 30 | $NetIpConfig = Get-NetIPConfiguration -ErrorAction Stop 31 | } Catch 
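[System.Exception] {
    Write-Output "Failed to get network configuration $_"
    Exit 1
}

Write-Output 'Grabbing the Current Gateway Address in order to Static IP Correctly'
# The gateway currently in use (handed out by DHCP) is reused verbatim once the
# interface is made static by the DSC configuration further down.
$GatewayAddress = $NetIpConfig | Select-Object -ExpandProperty 'IPv4DefaultGateway' | Select-Object -ExpandProperty 'NextHop'

Write-Output 'Formatting IP Address in format needed for IPAdress DSC Resource'
# The IPAddress DSC resource expects CIDR notation ("a.b.c.d/nn"), so the address and
# the prefix length are read separately and joined here.
$IP = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'IpAddress'
$Prefix = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'PrefixLength'
$IPADDR = "$IP/$Prefix"

Write-Output 'Getting MAC address'
# NOTE(review): Get-NetAdapter is not filtered, so this assumes the instance has exactly
# one adapter; with several, $MacAddress becomes an array, which the NetAdapterName
# resource below is unlikely to accept — confirm against the target instance type.
Try {
    $MacAddress = Get-NetAdapter -ErrorAction Stop | Select-Object -ExpandProperty 'MacAddress'
} Catch [System.Exception] {
    Write-Output "Failed to get MAC address $_"
    Exit 1
}

Write-Output "Getting $ADAdminSecParam Secret"
# The secret is a JSON document carrying the domain admin UserName and Password (see
# the .UserName / .Password reads below). From here on $AdminSecret and
# $ADAdminPassword hold the plaintext password, so neither may be echoed to output.
Try {
    $AdminSecret = Get-SECSecretValue -SecretId $ADAdminSecParam -ErrorAction Stop | Select-Object -ExpandProperty 'SecretString'
} Catch [System.Exception] {
    Write-Output "Failed to get $ADAdminSecParam Secret $_"
    Exit 1
}

Write-Output 'Converting AdminSecret from JSON'
Try {
    $ADAdminPassword = ConvertFrom-Json -InputObject $AdminSecret -ErrorAction Stop
} Catch [System.Exception] {
    # Fix: the previous message interpolated $AdminSecret, which wrote the raw secret
    # string (password included) to stdout and to any log capturing it whenever the
    # JSON failed to parse. Only the fixed label is logged now, matching the sibling
    # scripts in this folder (Invoke-TwoTierSubCa*). The exception text may still
    # quote a fragment of the input, so keep this output out of durable logs.
    Write-Output "Failed to convert AdminSecret from JSON $_"
    Exit 1
}

Write-Output 'Creating Credential Object for Administrator'
# Built as NETBIOS\user. This credential is passed into the DSC configuration and
# ends up in the MOF, which is why the MOF is encrypted with the certificate whose
# thumbprint is looked up next.
$AdminUserName = $ADAdminPassword.UserName
$AdminUserPW = ConvertTo-SecureString ($ADAdminPassword.Password) -AsPlainText -Force
$Credentials = New-Object -TypeName 'System.Management.Automation.PSCredential' ("$DomainNetBIOSName\$AdminUserName", $AdminUserPW)

Write-Output 'Getting the DSC Cert Encryption Thumbprint to Secure the MOF File'
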
Try { 75 | $DscCertThumbprint = Get-ChildItem -Path 'cert:\LocalMachine\My' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 76 | } Catch [System.Exception] { 77 | Write-Output "Failed to get DSC Cert Encryption Thumbprint $_" 78 | Exit 1 79 | } 80 | 81 | Write-Output 'Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing' 82 | $ConfigurationData = @{ 83 | AllNodes = @( 84 | @{ 85 | NodeName = '*' 86 | CertificateFile = 'C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer' 87 | Thumbprint = $DscCertThumbprint 88 | PSDscAllowDomainUser = $true 89 | }, 90 | @{ 91 | NodeName = 'localhost' 92 | } 93 | ) 94 | } 95 | 96 | # PowerShell DSC Configuration Block for Domain Controller 2 97 | Configuration ConfigMgmt { 98 | # Credential Objects being passed in 99 | param 100 | ( 101 | [PSCredential] $Credentials 102 | ) 103 | 104 | # Importing DSC Modules needed for Configuration 105 | Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'NetworkingDsc', 'ComputerManagementDsc' 106 | 107 | # Node Configuration block, since processing directly on DC using localhost 108 | Node LocalHost { 109 | NetAdapterName RenameNetAdapterPrimary { 110 | NewName = 'Primary' 111 | MacAddress = $MacAddress 112 | } 113 | NetIPInterface DisableDhcp { 114 | Dhcp = 'Disabled' 115 | InterfaceAlias = 'Primary' 116 | AddressFamily = 'IPv4' 117 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 118 | } 119 | IPAddress SetIP { 120 | IPAddress = $IPADDR 121 | InterfaceAlias = 'Primary' 122 | AddressFamily = 'IPv4' 123 | DependsOn = '[NetIPInterface]DisableDhcp' 124 | } 125 | DefaultGatewayAddress SetDefaultGateway { 126 | Address = $GatewayAddress 127 | InterfaceAlias = 'Primary' 128 | AddressFamily = 'IPv4' 129 | DependsOn = '[IPAddress]SetIP' 130 | } 131 | DnsServerAddress DnsServerAddress { 132 | Address = $DomainController1IP, $DomainController2IP 133 | InterfaceAlias 
= 'Primary' 134 | AddressFamily = 'IPv4' 135 | DependsOn = '[DefaultGatewayAddress]SetDefaultGateway' 136 | } 137 | DnsConnectionSuffix DnsConnectionSuffix { 138 | InterfaceAlias = 'Primary' 139 | ConnectionSpecificSuffix = $DomainDNSName 140 | RegisterThisConnectionsAddress = $True 141 | UseSuffixWhenRegistering = $False 142 | } 143 | WindowsFeature DnsTools { 144 | Ensure = 'Present' 145 | Name = 'RSAT-DNS-Server' 146 | } 147 | WindowsFeature RSAT-AD-Tools { 148 | Ensure = 'Present' 149 | Name = 'RSAT-AD-Tools' 150 | } 151 | WindowsFeature RSAT-ADDS { 152 | Ensure = 'Present' 153 | Name = 'RSAT-ADDS' 154 | } 155 | WindowsFeature GPMC { 156 | Ensure = 'Present' 157 | Name = 'GPMC' 158 | } 159 | Computer JoinDomain { 160 | Name = $MgmtNetBIOSName 161 | DomainName = $DomainDnsName 162 | Credential = $Credentials 163 | DependsOn = '[WindowsFeature]DnsTools' 164 | } 165 | } 166 | } 167 | 168 | Write-Output 'Generating MOF File' 169 | ConfigMgmt -OutputPath 'C:\AWSQuickstart\ConfigMgmt' -Credentials $Credentials -ConfigurationData $ConfigurationData -------------------------------------------------------------------------------- /scripts/archive/Invoke-MgmtInstancePostConfig.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Invoke-MgmtInstancePostConfig.ps1 4 | 5 | .DESCRIPTION 6 | This script cleans up the and prepares the instance for use 7 | 8 | .EXAMPLE 9 | .\Invoke-MgmtInstancePostConfig 10 | #> 11 | 12 | [CmdletBinding()] 13 | param( 14 | [Parameter(Mandatory = $true)][string]$DirectoryID, 15 | [Parameter(Mandatory = $true)][string]$VPCCIDR 16 | ) 17 | 18 | #================================================== 19 | # Variables 20 | #================================================== 21 | 22 | Write-Output 'Getting VPC DNS IP' 23 | $Ip = $VPCCIDR.Split('/')[0] 24 | [System.Collections.ArrayList]$IPArray = $IP -Split "\." 25 | $IPArray[3] = 2 26 | $VPCDNS = $IPArray -Join "." 
27 | 28 | #================================================== 29 | # Main 30 | #================================================== 31 | 32 | Write-Output 'Creating Conditional Forwarder for amazonaws.com' 33 | Try { 34 | New-DSConditionalForwarder -DirectoryId $DirectoryID -DnsIpAddr $VPCDNS -RemoteDomainName 'amazonaws.com' -ErrorAction Stop 35 | } Catch [System.Exception] { 36 | Write-Output "Failed to create DNS Conditional Forwarder for amazonaws.com $_" 37 | } 38 | 39 | Write-Output 'Removing DSC Configuration' 40 | Try { 41 | Remove-DscConfigurationDocument -Stage 'Current' -ErrorAction Stop 42 | } Catch [System.Exception] { 43 | Write-Output "Failed build DSC Configuration $_" 44 | } 45 | 46 | Write-Output 'Re-enabling Windows Firewall' 47 | Try { 48 | Get-NetFirewallProfile -ErrorAction Stop | Set-NetFirewallProfile -Enabled 'True' -ErrorAction Stop 49 | } Catch [System.Exception] { 50 | Write-Output "Failed re-enable firewall $_" 51 | } 52 | 53 | Write-Output 'Removing QuickStart build files' 54 | Try { 55 | Remove-Item -Path 'C:\AWSQuickstart' -Recurse -Force -ErrorAction Stop 56 | } Catch [System.Exception] { 57 | Write-Output "Failed remove QuickStart build files $_" 58 | } 59 | 60 | Write-Output 'Removing self signed cert' 61 | Try { 62 | $SelfSignedThumb = Get-ChildItem -Path 'cert:\LocalMachine\My\' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 63 | Remove-Item -Path "cert:\LocalMachine\My\$SelfSignedThumb" -DeleteKey -ErrorAction Stop 64 | } Catch [System.Exception] { 65 | Write-Output "Failed remove self signed cert $_" 66 | } -------------------------------------------------------------------------------- /scripts/archive/Invoke-TwoTierOrCaPreConfig.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Invoke-TwoTierOrCaPreConfig.ps1 4 | 5 | .DESCRIPTION 6 | This script installs the required Windows features to make 
the computer an Offline Root CA and joins the computer to the domain specified. 7 | 8 | .EXAMPLE 9 | .\Invoke-TwoTierOrCaPreConfig -OrCaNetBIOSName 'CA01' -DomainController1IP '10.20.30.40' DomainController2IP '10.20.30.41 10 | 11 | #> 12 | 13 | [CmdletBinding()] 14 | # Incoming Parameters for Script, CloudFormation\SSM Parameters being passed in 15 | param( 16 | [Parameter(Mandatory = $true)][String]$OrCaNetBIOSName, 17 | [Parameter(Mandatory = $true)][String]$DomainController1IP, 18 | [Parameter(Mandatory = $true)][String]$DomainController2IP 19 | ) 20 | 21 | #Requires -Modules PSDesiredStateConfiguration, NetworkingDsc, ComputerManagementDsc 22 | 23 | # Getting Network Configuration 24 | $NetIpConfig = Get-NetIPConfiguration 25 | 26 | # Grabbing the Current Gateway Address in order to Static IP Correctly 27 | $GatewayAddress = $NetIpConfig | Select-Object -ExpandProperty 'IPv4DefaultGateway' | Select-Object -ExpandProperty 'NextHop' 28 | 29 | # Formatting IP Address in format needed for IPAdress DSC Resource 30 | $IP = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'IpAddress' 31 | $Prefix = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'PrefixLength' 32 | $IPADDR = 'IP/CIDR' -replace 'IP', $IP -replace 'CIDR', $Prefix 33 | 34 | # Grabbing Mac Address for Primary Interface to Rename Interface 35 | $MacAddress = Get-NetAdapter | Select-Object -ExpandProperty 'MacAddress' 36 | 37 | # Getting the DSC Cert Encryption Thumbprint to Secure the MOF File 38 | $DscCertThumbprint = Get-ChildItem -Path 'cert:\LocalMachine\My' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 39 | 40 | # Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing 41 | $ConfigurationData = @{ 42 | AllNodes = @( 43 | @{ 44 | NodeName = '*' 45 | CertificateFile = 
'C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer' 46 | Thumbprint = $DscCertThumbprint 47 | PSDscAllowDomainUser = $true 48 | }, 49 | @{ 50 | NodeName = 'localhost' 51 | } 52 | ) 53 | } 54 | 55 | # PowerShell DSC Configuration Block for Domain Controller 2 56 | Configuration ConfigOrCa { 57 | # Importing DSC Modules needed for Configuration 58 | Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'NetworkingDsc', 'ComputerManagementDsc' 59 | 60 | # Node Configuration block, since processing directly on DC using localhost 61 | Node LocalHost { 62 | # Renaming Primary Adapter in order to Static the IP for AD installation 63 | NetAdapterName RenameNetAdapterPrimary { 64 | NewName = 'Primary' 65 | MacAddress = $MacAddress 66 | } 67 | 68 | # Disabling DHCP on the Primary Interface 69 | NetIPInterface DisableDhcp { 70 | Dhcp = 'Disabled' 71 | InterfaceAlias = 'Primary' 72 | AddressFamily = 'IPv4' 73 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 74 | } 75 | 76 | # Setting the IP Address on the Primary Interface 77 | IPAddress SetIP { 78 | IPAddress = $IPADDR 79 | InterfaceAlias = 'Primary' 80 | AddressFamily = 'IPv4' 81 | DependsOn = '[NetIPInterface]DisableDhcp' 82 | } 83 | 84 | # Setting Default Gateway on Primary Interface 85 | DefaultGatewayAddress SetDefaultGateway { 86 | Address = $GatewayAddress 87 | InterfaceAlias = 'Primary' 88 | AddressFamily = 'IPv4' 89 | DependsOn = '[IPAddress]SetIP' 90 | } 91 | 92 | # Setting DNS Server IPs on Primary Interface 93 | DnsServerAddress DnsServerAddress { 94 | Address = $DomainController1IP, $DomainController2IP 95 | InterfaceAlias = 'Primary' 96 | AddressFamily = 'IPv4' 97 | DependsOn = '[DefaultGatewayAddress]SetDefaultGateway' 98 | } 99 | 100 | # Adding Required Windows Features 101 | WindowsFeature ADCSCA 102 | { 103 | Name = 'ADCS-Cert-Authority' 104 | Ensure = 'Present' 105 | DependsOn = '[DnsServerAddress]DnsServerAddress' 106 | } 107 | 108 | WindowsFeature RSAT-ADCS-ManagementTools 109 | { 110 | 
Name = 'RSAT-ADCS' 111 | Ensure = 'Present' 112 | DependsOn = '[WindowsFeature]ADCSCA' 113 | } 114 | 115 | # Rename Computer and Join Domain 116 | Computer Rename { 117 | Name = $OrCaNetBIOSName 118 | DependsOn = '[WindowsFeature]RSAT-ADCS-ManagementTools' 119 | } 120 | } 121 | } 122 | 123 | # Generating MOF File 124 | ConfigOrCa -OutputPath 'C:\AWSQuickstart\ConfigOrCa' -ConfigurationData $ConfigurationData -------------------------------------------------------------------------------- /scripts/archive/Invoke-TwoTierSubCaCertIssue.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Invoke-TwoTierSubCaCertIssue.ps1 4 | 5 | .DESCRIPTION 6 | This script issues the the certificate to the Subordinate CA 7 | 8 | .EXAMPLE 9 | .\Invoke-TwoTierSubCaCertIssue -DomainDNSName 'example.com' -ADAdminSecParam 'arn:aws:secretsmanager:us-west-2:############:secret:example-VX5fcW' -UseS3ForCRL 'Yes' -DirectoryType 'AWSManaged' 10 | 11 | #> 12 | 13 | [CmdletBinding()] 14 | Param ( 15 | [Parameter(Mandatory = $true)][String]$ADAdminSecParam, 16 | [Parameter(Mandatory = $true)][String]$DomainDNSName, 17 | [Parameter(Mandatory = $true)][ValidateSet('Yes', 'No')][String]$UseS3ForCRL, 18 | [Parameter(Mandatory = $true)][ValidateSet('AWSManaged', 'SelfManaged')][String]$DirectoryType 19 | ) 20 | 21 | $CAComputerName = "$env:COMPUTERNAME\$env:COMPUTERNAME" 22 | 23 | Write-Output "Getting $ADAdminSecParam Secret" 24 | Try { 25 | $AdminSecret = Get-SECSecretValue -SecretId $ADAdminSecParam -ErrorAction Stop | Select-Object -ExpandProperty 'SecretString' 26 | } Catch [System.Exception] { 27 | Write-Output "Failed to get $ADAdminSecParam Secret $_" 28 | Exit 1 29 | } 30 | 31 | Write-Output "Converting $ADAdminSecParam Secret from JSON" 32 | Try { 33 | $ADAdminPassword = ConvertFrom-Json -InputObject $AdminSecret -ErrorAction Stop 34 | } Catch [System.Exception] { 35 | Write-Output "Failed to convert AdminSecret from JSON $_" 36 | Exit 
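1
}

Write-Output 'Creating Credential Object for Administrator'
# $ADAdminPassword is the parsed Secrets Manager JSON; the plaintext password lives
# in that object and in $AdminUserPW's source string, so neither is written to output.
$AdminUserName = $ADAdminPassword.UserName
$AdminUserPW = ConvertTo-SecureString ($ADAdminPassword.Password) -AsPlainText -Force
$Credentials = New-Object -TypeName 'System.Management.Automation.PSCredential' ("$DomainDNSName\$AdminUserName", $AdminUserPW)

Write-Output 'Creating IssuePkiSysvolPSDrive'
# AWS Managed Microsoft AD only delegates write access below \Policies, so the
# exchange folder sits one level deeper there than on a self-managed domain.
If ($DirectoryType -eq 'SelfManaged') {
    $SysvolPath = "\\$DomainDNSName\SYSVOL\$DomainDNSName"
} Else {
    $SysvolPath = "\\$DomainDNSName\SYSVOL\$DomainDNSName\Policies"
}

Try {
    $Null = New-PSDrive -Name 'IssuePkiSysvolPSDrive' -PSProvider 'FileSystem' -Root $SysvolPath -Credential $Credentials -ErrorAction Stop
} Catch [System.Exception] {
    Write-Output "Failed to create IssuePkiSysvolPSDrive $_"
    Exit 1
}

Write-Output 'Copying SubCa.req from PkiSubCA SYSVOL folder'
# The subordinate CA dropped its CSR in SYSVOL; only the request (public material)
# crosses the share, the SubCA's private key never leaves that host.
Try {
    Copy-Item -Path 'IssuePkiSysvolPSDrive:\PkiSubCA\SubCa.req' -Destination 'D:\Pki\SubCA\SubCa.req' -ErrorAction Stop
} Catch [System.Exception] {
    Write-Output "Failed to copy SubCa.req from PkiSubCA SYSVOL folder $_"
    Exit 1
}

Write-Output 'Submitting, Issuing and Retrieving the SubCA certificate'
# NOTE(review): -config expects "Host\CAName"; $CAComputerName uses the hostname for
# both halves, i.e. it assumes the CA common name equals the computer name — confirm.
$SubReq = 'D:\Pki\SubCA\SubCa.req'
$Request = & Certreq.exe -f -q -config $CAComputerName -Submit $SubReq 'D:\Pki\SubCA\SubCa.cer'
# Fix: the old pattern 'RequestId:.\d$' only matched a single-digit id, so on a CA
# that had already taken ten or more requests $RequestId came back empty and the
# -Resubmit / -Retrieve calls below failed with their output discarded. Accept any
# number of digits and stop here when no id can be read, rather than carrying on
# with a blank id.
$RequestId = $null
ForEach ($Line in @($Request)) {
    If ("$Line" -match '^\s*RequestId:\s*(\d+)\s*$') {
        $RequestId = $Matches[1]
        Break
    }
}
If ([string]::IsNullOrEmpty($RequestId)) {
    Write-Output "Failed to read RequestId from certreq output $Request"
    Exit 1
}
# -Resubmit is what approves the pending (taken-under-submission) request. Both tools'
# output is still discarded, but their exit codes are now checked so a failed approval
# or retrieval is reported here instead of only surfacing as a missing SubCa.cer.
& Certutil.exe -config $CAComputerName -Resubmit $RequestId > $null
If ($LASTEXITCODE -ne 0) {
    Write-Output "Failed to issue request $RequestId on $CAComputerName (certutil exit code $LASTEXITCODE)"
    Exit 1
}
& Certreq.exe -f -q -config $CAComputerName -Retrieve $RequestId 'D:\Pki\SubCA\SubCa.cer' > $null
If ($LASTEXITCODE -ne 0) {
    Write-Output "Failed to retrieve certificate for request $RequestId (certreq exit code $LASTEXITCODE)"
    Exit 1
}

Write-Output 'Copying SubCa.cer to PkiSubCA SYSVOL folder'
# The failure message that follows (continued on the next line of this listing) still
# says "SubCa.req" although it is the issued SubCa.cer being copied here.
Try{
    Copy-Item -Path 'D:\Pki\SubCA\SubCa.cer' -Destination 'IssuePkiSysvolPSDrive:\PkiSubCA\SubCa.cer' -ErrorAction Stop
} Catch [System.Exception] {
    Write-Output "Failed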
to copy SubCa.req from PkiSubCA SYSVOL folder $_" 79 | Exit 1 80 | } 81 | 82 | Write-Output 'Removing IssuePkiSysvolPSDrive' 83 | Try { 84 | Remove-PSDrive -Name 'IssuePkiSysvolPSDrive' -ErrorAction Stop 85 | } Catch [System.Exception] { 86 | Write-Output "Failed to remove IssuePkiSysvolPSDrive $_" 87 | Exit 1 88 | } 89 | 90 | Write-Output 'Removing SubCA Cert request files' 91 | Try { 92 | Remove-Item -Path 'D:\Pki\SubCA' -Recurse -Force -ErrorAction Stop 93 | } Catch [System.Exception] { 94 | Write-Output "Failed remove QuickStart build files $_" 95 | } -------------------------------------------------------------------------------- /scripts/archive/Invoke-TwoTierSubCaPreConfig.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Invoke-TwoTierSubCaPreConfig.ps1 4 | 5 | .DESCRIPTION 6 | This script installs the required Windows features to make the computer an Subordinate Enterprise CA and joins the computer to the domain specified. 
7 | 8 | .EXAMPLE 9 | .\Invoke-TwoTierSubCaPreConfig -SubCaNetBIOSName 'CA01' -DomainNetBIOSName 'example' -DomainDNSName 'example.com' -DomainController1IP '10.20.30.40' DomainController2IP '10.20.30.41' -ADAdminSecParam 'arn:aws:secretsmanager:us-west-2:############:secret:example-VX5fcW' -UseS3ForCRL 'Yes' 10 | 11 | #> 12 | 13 | [CmdletBinding()] 14 | # Incoming Parameters for Script, CloudFormation\SSM Parameters being passed in 15 | param( 16 | [Parameter(Mandatory = $true)][String]$SubCaNetBIOSName, 17 | [Parameter(Mandatory = $true)][String]$DomainNetBIOSName, 18 | [Parameter(Mandatory = $true)][String]$DomainDNSName, 19 | [Parameter(Mandatory = $true)][String]$DomainController1IP, 20 | [Parameter(Mandatory = $true)][String]$DomainController2IP, 21 | [Parameter(Mandatory = $true)][String]$ADAdminSecParam, 22 | [Parameter(Mandatory = $true)][ValidateSet('Yes', 'No')][String]$UseS3ForCRL 23 | ) 24 | 25 | #Requires -Modules PSDesiredStateConfiguration, NetworkingDsc, ComputerManagementDsc, ActiveDirectoryDsc 26 | 27 | $CompName = $env:COMPUTERNAME 28 | 29 | # Getting Network Configuration 30 | $NetIpConfig = Get-NetIPConfiguration 31 | 32 | # Grabbing the Current Gateway Address in order to Static IP Correctly 33 | $GatewayAddress = $NetIpConfig | Select-Object -ExpandProperty 'IPv4DefaultGateway' | Select-Object -ExpandProperty 'NextHop' 34 | 35 | # Formatting IP Address in format needed for IPAdress DSC Resource 36 | $IP = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'IpAddress' 37 | $Prefix = $NetIpConfig | Select-Object -ExpandProperty 'IPv4Address' | Select-Object -ExpandProperty 'PrefixLength' 38 | $IPADDR = 'IP/CIDR' -replace 'IP', $IP -replace 'CIDR', $Prefix 39 | 40 | # Grabbing Mac Address for Primary Interface to Rename Interface 41 | $MacAddress = Get-NetAdapter | Select-Object -ExpandProperty 'MacAddress' 42 | 43 | Write-Output "Getting $ADAdminSecParam Secret" 44 | Try { 45 | $AdminSecret = 
Get-SECSecretValue -SecretId $ADAdminSecParam -ErrorAction Stop | Select-Object -ExpandProperty 'SecretString' 46 | } Catch [System.Exception] { 47 | Write-Output "Failed to get $ADAdminSecParam Secret $_" 48 | Exit 1 49 | } 50 | 51 | Write-Output "Converting $ADAdminSecParam Secret from JSON" 52 | Try { 53 | $ADAdminPassword = ConvertFrom-Json -InputObject $AdminSecret -ErrorAction Stop 54 | } Catch [System.Exception] { 55 | Write-Output "Failed to convert AdminSecret from JSON $_" 56 | Exit 1 57 | } 58 | 59 | Write-Output 'Creating Credential Object for Administrator' 60 | $AdminUserName = $ADAdminPassword.UserName 61 | $AdminUserPW = ConvertTo-SecureString ($ADAdminPassword.Password) -AsPlainText -Force 62 | $Credentials = New-Object -TypeName 'System.Management.Automation.PSCredential' ("$DomainNetBIOSName\$AdminUserName", $AdminUserPW) 63 | 64 | # Getting the DSC Cert Encryption Thumbprint to Secure the MOF File 65 | $DscCertThumbprint = Get-ChildItem -Path 'cert:\LocalMachine\My' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 66 | 67 | # Creating Configuration Data Block that has the Certificate Information for DSC Configuration Processing 68 | $ConfigurationData = @{ 69 | AllNodes = @( 70 | @{ 71 | NodeName = '*' 72 | CertificateFile = 'C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer' 73 | Thumbprint = $DscCertThumbprint 74 | PSDscAllowDomainUser = $true 75 | }, 76 | @{ 77 | NodeName = 'localhost' 78 | } 79 | ) 80 | } 81 | 82 | # PowerShell DSC Configuration Block for Domain Controller 2 83 | Configuration ConfigSubCa { 84 | # Credential Objects being passed in 85 | param 86 | ( 87 | [PSCredential] $Credentials 88 | ) 89 | 90 | # Importing DSC Modules needed for Configuration 91 | Import-DscResource -ModuleName 'PSDesiredStateConfiguration', 'NetworkingDsc', 'ComputerManagementDsc', 'ActiveDirectoryDsc' 92 | 93 | # Node Configuration block, since processing directly on DC using 
localhost 94 | Node LocalHost { 95 | # Renaming Primary Adapter in order to Static the IP for AD installation 96 | NetAdapterName RenameNetAdapterPrimary { 97 | NewName = 'Primary' 98 | MacAddress = $MacAddress 99 | } 100 | 101 | # Disabling DHCP on the Primary Interface 102 | NetIPInterface DisableDhcp { 103 | Dhcp = 'Disabled' 104 | InterfaceAlias = 'Primary' 105 | AddressFamily = 'IPv4' 106 | DependsOn = '[NetAdapterName]RenameNetAdapterPrimary' 107 | } 108 | 109 | # Setting the IP Address on the Primary Interface 110 | IPAddress SetIP { 111 | IPAddress = $IPADDR 112 | InterfaceAlias = 'Primary' 113 | AddressFamily = 'IPv4' 114 | DependsOn = '[NetIPInterface]DisableDhcp' 115 | } 116 | 117 | # Setting Default Gateway on Primary Interface 118 | DefaultGatewayAddress SetDefaultGateway { 119 | Address = $GatewayAddress 120 | InterfaceAlias = 'Primary' 121 | AddressFamily = 'IPv4' 122 | DependsOn = '[IPAddress]SetIP' 123 | } 124 | 125 | # Setting DNS Server IPs on Primary Interface 126 | DnsServerAddress DnsServerAddress { 127 | Address = $DomainController1IP, $DomainController2IP 128 | InterfaceAlias = 'Primary' 129 | AddressFamily = 'IPv4' 130 | DependsOn = '[DefaultGatewayAddress]SetDefaultGateway' 131 | } 132 | 133 | # Setting Connection Suffix Primary Interface to domain FQDN 134 | DnsConnectionSuffix DnsConnectionSuffix { 135 | InterfaceAlias = 'Primary' 136 | ConnectionSpecificSuffix = $DomainDNSName 137 | RegisterThisConnectionsAddress = $True 138 | UseSuffixWhenRegistering = $False 139 | } 140 | 141 | # Adding Required Windows Features 142 | WindowsFeature ADCSCA 143 | { 144 | Name = 'ADCS-Cert-Authority' 145 | Ensure = 'Present' 146 | DependsOn = '[DnsServerAddress]DnsServerAddress' 147 | } 148 | 149 | WindowsFeature RSAT-ADCS-ManagementTools 150 | { 151 | Name = 'RSAT-ADCS' 152 | Ensure = 'Present' 153 | DependsOn = '[DnsServerAddress]DnsServerAddress' 154 | } 155 | 156 | WindowsFeature RSAT-AD-ManagementTools { 157 | Ensure = 'Present' 158 | Name = 
'RSAT-AD-Tools' 159 | DependsOn = '[DnsServerAddress]DnsServerAddress' 160 | } 161 | 162 | If ($UseS3ForCRL -eq 'No') { 163 | WindowsFeature IIS { 164 | Ensure = 'Present' 165 | Name = 'Web-WebServer' 166 | DependsOn = '[DnsServerAddress]DnsServerAddress' 167 | } 168 | 169 | WindowsFeature IIS-ManagementTools { 170 | Ensure = 'Present' 171 | Name = 'Web-Mgmt-Console' 172 | DependsOn = '[DnsServerAddress]DnsServerAddress' 173 | } 174 | 175 | WindowsFeature RSAT-DNS-ManagementTools { 176 | Ensure = 'Present' 177 | Name = 'RSAT-DNS-Server' 178 | DependsOn = '[DnsServerAddress]DnsServerAddress' 179 | } 180 | } 181 | 182 | # Rename Computer and Join Domain 183 | Computer JoinDomain { 184 | Name = $SubCaNetBIOSName 185 | DomainName = $DomainDnsName 186 | Credential = $Credentials 187 | DependsOn = '[WindowsFeature]RSAT-ADCS-ManagementTools' 188 | } 189 | } 190 | } 191 | 192 | # Generating MOF File 193 | ConfigSubCa -OutputPath 'C:\AWSQuickstart\ConfigSubCa' -Credentials $Credentials -ConfigurationData $ConfigurationData -------------------------------------------------------------------------------- /scripts/archive/LCM-Config.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | LCM-Config.ps1 4 | 5 | .DESCRIPTION 6 | This script configures the DS Local Configuration Manager 7 | 8 | .EXAMPLE 9 | .\LCM-Config 10 | #> 11 | 12 | #================================================== 13 | # Main 14 | #================================================== 15 | 16 | Write-Output 'Getting the DSC Cert Encryption Thumbprint to Secure the MOF File' 17 | Try { 18 | $DscCertThumbprint = Get-ChildItem -Path 'cert:\LocalMachine\My' -ErrorAction Stop | Where-Object { $_.Subject -eq 'CN=AWSQSDscEncryptCert' } | Select-Object -ExpandProperty 'Thumbprint' 19 | } Catch [System.Exception] { 20 | Write-Output "Failed to get DSC Cert Encryption Thumbprint $_" 21 | Exit 1 22 | } 23 | 24 | # This block sets the LCM configuration to what we 
need for QS 25 | [DSCLocalConfigurationManager()] 26 | Configuration LCMConfig 27 | { 28 | Node 'localhost' { 29 | Settings { 30 | RefreshMode = 'Push' 31 | ConfigurationModeFrequencyMins = 15 32 | ActionAfterReboot = 'StopConfiguration' 33 | RebootNodeIfNeeded = $false 34 | ConfigurationMode = 'ApplyAndAutoCorrect' 35 | CertificateId = $DscCertThumbprint 36 | } 37 | } 38 | } 39 | 40 | Write-Output 'Generating MOF File for LCM' 41 | LCMConfig -OutputPath 'C:\AWSQuickstart\LCMConfig' 42 | 43 | Write-Output 'Sets LCM Configuration to MOF generated in previous command' 44 | Try { 45 | Set-DscLocalConfigurationManager -Path 'C:\AWSQuickstart\LCMConfig' -ErrorAction Stop 46 | } Catch [System.Exception] { 47 | Write-Output "Failed to set LCM Configuration $_" 48 | Exit 1 49 | } -------------------------------------------------------------------------------- /scripts/archive/New-CertificateAuthority.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [Parameter(Mandatory=$true)] 4 | [string]$Username, 5 | 6 | [Parameter(Mandatory=$true)] 7 | [string]$DomainDNSName, 8 | 9 | [Parameter(Mandatory=$false)] 10 | [string]$Password, 11 | 12 | [Parameter(Mandatory=$false)] 13 | [string]$SSMParamName 14 | ) 15 | 16 | <# 17 | Requires xAdcsDeployment DSC Resource: 18 | 19 | https://gallery.technet.microsoft.com/scriptcenter/xAdcsDeployment-PowerShell-cc0622fa/file/126018/1/xAdcsDeployment_0.1.0.0.zip 20 | https://github.com/PowerShell/xAdcsDeployment 21 | #> 22 | $SSMParamUsed = $false 23 | 24 | if (([string]::IsNullOrEmpty($Password)) -and ([string]::IsNullOrEmpty($SSMParamName))) { 25 | Throw "You must pass either a Password or an SSMParamName argument" 26 | } 27 | Elseif(-not ([string]::IsNullOrEmpty($SSMParamName))) { 28 | echo "SSMParamName argument used" 29 | $SSMParamUsed = $true 30 | } 31 | Else { 32 | echo "Password argument used" 33 | } 34 | 35 | if ($SSMParamUsed -eq "True") { 36 | $Password = 
(Get-SSMParameterValue -Names $SSMParamName -WithDecryption $True).Parameters[0].Value 37 | } 38 | 39 | 40 | $Pass = ConvertTo-SecureString $Password -AsPlainText -Force 41 | $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "$Username@$DomainDNSName", $Pass 42 | 43 | $ConfigurationData = @{ 44 | AllNodes = @( 45 | @{ 46 | NodeName = $env:COMPUTERNAME 47 | PSDscAllowPlainTextPassword = $true 48 | } 49 | ) 50 | } 51 | 52 | Configuration CertificateAuthority { 53 | Import-DscResource -ModuleName xAdcsDeployment 54 | 55 | Node $AllNodes.NodeName 56 | { 57 | WindowsFeature ADCS-Cert-Authority 58 | { 59 | Ensure = 'Present' 60 | Name = 'ADCS-Cert-Authority' 61 | } 62 | xADCSCertificationAuthority ADCS 63 | { 64 | Ensure = 'Present' 65 | Credential = $Credential 66 | CAType = 'EnterpriseRootCA' 67 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 68 | } 69 | WindowsFeature ADCS-Web-Enrollment 70 | { 71 | Ensure = 'Present' 72 | Name = 'ADCS-Web-Enrollment' 73 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 74 | } 75 | WindowsFeature RSAT-ADCS 76 | { 77 | Ensure = 'Present' 78 | Name = 'RSAT-ADCS' 79 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 80 | } 81 | WindowsFeature RSAT-ADCS-Mgmt 82 | { 83 | Ensure = 'Present' 84 | Name = 'RSAT-ADCS-Mgmt' 85 | DependsOn = '[WindowsFeature]ADCS-Cert-Authority' 86 | } 87 | xADCSWebEnrollment CertSrv 88 | { 89 | Ensure = 'Present' 90 | Name = 'CertSrv' 91 | Credential = $Credential 92 | DependsOn = '[WindowsFeature]ADCS-Web-Enrollment','[xADCSCertificationAuthority]ADCS' 93 | } 94 | } 95 | } 96 | 97 | try { 98 | $ErrorActionPreference = "Stop" 99 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 100 | CertificateAuthority -ConfigurationData $ConfigurationData 101 | Start-DscConfiguration -Path .\CertificateAuthority -Wait -Verbose -Force 102 | Get-ChildItem .\CertificateAuthority *.mof -ErrorAction SilentlyContinue | Remove-Item -Confirm:$false -ErrorAction 
SilentlyContinue 103 | 104 | Get-ChildItem C:\Windows\system32\CertSrv\CertEnroll *.crt | Copy-Item -Destination c:\inetpub\wwwroot\cert.crt 105 | 106 | } 107 | 108 | catch { 109 | $_ | Write-AWSQuickStartException 110 | } -------------------------------------------------------------------------------- /scripts/archive/New-LabADUser.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [Parameter(Position=0, Mandatory=$false)] 4 | [System.Int32] 5 | $count = 1, 6 | 7 | [Parameter(Position=1, Mandatory=$false)] 8 | [System.String] 9 | $password = [System.Web.Security.Membership]::GeneratePassword(10,2), 10 | 11 | [Parameter(Position=2, Mandatory=$false)] 12 | [System.String] 13 | $UpnSuffix = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.Name, 14 | 15 | [Parameter(Position=3, Mandatory=$false)] 16 | [System.String] 17 | $Description = "", 18 | 19 | [Parameter(Position=4, Mandatory=$false)] 20 | [System.String] 21 | $OrganizationalUnit = ("CN=users," + ([ADSI]"LDAP://RootDSE").defaultNamingContext) 22 | ) 23 | 24 | begin { 25 | $users = Import-Csv $PSScriptRoot\users.csv 26 | } 27 | 28 | process { 29 | $userpwd = ConvertTo-SecureString -AsPlainText $password -Force 30 | 31 | 1..$count | %{ 32 | $r1 = Get-Random -Min 1 -Maximum 1000 33 | $r2 = Get-Random -Min 1 -Maximum 1000 34 | 35 | $firstname = $users[$r1].firstname 36 | $lastname = $users[$r2].lastname 37 | 38 | $upn = "$($firstname[0])$lastname@$UpnSuffix".ToLower() 39 | $name = "$firstname $lastname" 40 | $alias = "$($firstname[0])$lastname".ToLower() 41 | 42 | New-ADUser -Name $name ` 43 | -GivenName $firstname ` 44 | -Surname $lastname ` 45 | -SamAccountName $alias ` 46 | -DisplayName $name ` 47 | -AccountPassword $userpwd ` 48 | -PassThru ` 49 | -Enabled $true ` 50 | -UserPrincipalName $upn ` 51 | -Description $Description ` 52 | -Path $OrganizationalUnit ` 53 | -EA 0 54 | } 55 | } 
-------------------------------------------------------------------------------- /scripts/archive/Rename-Computer.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param( 3 | [Parameter(Mandatory=$true)] 4 | [string]$NewName, 5 | 6 | [Parameter(Mandatory=$false)] 7 | [switch]$Restart 8 | ) 9 | 10 | try { 11 | $ErrorActionPreference = "Stop" 12 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 13 | 14 | $renameComputerParams = @{ 15 | NewName = $NewName 16 | } 17 | 18 | Rename-Computer @renameComputerParams 19 | 20 | if ($Restart) { 21 | # Execute restart after script exit and allow time for external services 22 | $shutdown = Start-Process -FilePath "shutdown.exe" -ArgumentList @("/r", "/t 10") -Wait -NoNewWindow -PassThru 23 | if ($shutdown.ExitCode -ne 0) { 24 | throw "[ERROR] shutdown.exe exit code was not 0. It was actually $($shutdown.ExitCode)." 25 | } 26 | } 27 | } 28 | catch { 29 | $_ | Write-AWSQuickStartException 30 | } -------------------------------------------------------------------------------- /scripts/archive/Update-DNSServers.ps1: -------------------------------------------------------------------------------- 1 | [CmdletBinding()] 2 | param ( 3 | [Parameter(Mandatory=$true)] 4 | [string]$ADServer1PrivateIP, 5 | 6 | [Parameter(Mandatory=$true)] 7 | [string]$ADServer2PrivateIP 8 | ) 9 | 10 | try { 11 | $ErrorActionPreference = "Stop" 12 | Start-Transcript -Path C:\cfn\log\$($MyInvocation.MyCommand.Name).log -Append 13 | 14 | Get-NetAdapter | Set-DnsClientServerAddress -ServerAddresses $ADServer1PrivateIP,$ADServer2PrivateIP 15 | } 16 | catch { 17 | $_ | Write-AWSQuickStartException 18 | } -------------------------------------------------------------------------------- /scripts/archive/install-ad-modules.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | install-ad-modules.ps1 4 | 5 | .DESCRIPTION 6 | 
This script downloads and installs the required PowerShell modules to create and configure Active Directory Domain Controllers. 7 | It also creates a self-signed certificate to be used with PowerShell DSC. 8 | 9 | .EXAMPLE 10 | .\install-ad-modules 11 | #> 12 | 13 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 14 | 15 | #================================================== 16 | # Variables 17 | #================================================== 18 | 19 | $Modules = @( 20 | @{ 21 | Name = 'NetworkingDsc' 22 | Version = '8.2.0' 23 | }, 24 | @{ 25 | Name = 'ActiveDirectoryDsc' 26 | Version = '6.0.1' 27 | }, 28 | @{ 29 | Name = 'ComputerManagementDsc' 30 | Version = '8.4.0' 31 | }, 32 | @{ 33 | Name = 'xDnsServer' 34 | Version = '1.16.0.0' 35 | }, 36 | @{ 37 | Name = 'xActiveDirectory' 38 | Version = '3.0.0.0' 39 | } 40 | ) 41 | 42 | #================================================== 43 | # Main 44 | #================================================== 45 | 46 | Write-Output 'Installing NuGet Package Provider' 47 | Try { 48 | $Null = Install-PackageProvider -Name 'NuGet' -MinimumVersion '2.8.5' -Force -ErrorAction Stop 49 | } Catch [System.Exception] { 50 | Write-Output "Failed to install NuGet Package Provider $_" 51 | Exit 1 52 | } 53 | 54 | Write-Output 'Setting PSGallery Respository to trusted' 55 | Try { 56 | Set-PSRepository -Name 'PSGallery' -InstallationPolicy 'Trusted' -ErrorAction Stop 57 | } Catch [System.Exception] { 58 | Write-Output "Failed to set PSGallery Respository to trusted $_" 59 | Exit 1 60 | } 61 | 62 | Write-Output 'Installing the needed Powershell DSC modules for this Quick Start' 63 | Foreach ($Module in $Modules) { 64 | Try { 65 | Install-Module -Name $Module.Name -RequiredVersion $Module.Version -ErrorAction Stop 66 | } Catch [System.Exception] { 67 | Write-Output "Failed to Import Modules $_" 68 | Exit 1 69 | } 70 | } 71 | 72 | Write-Output 'Temporarily disabling Windows Firewall' 73 | Try { 74 | 
Get-NetFirewallProfile -ErrorAction Stop | Set-NetFirewallProfile -Enabled False -ErrorAction Stop 75 | } Catch [System.Exception] { 76 | Write-Output "Failed to disable Windows Firewall $_" 77 | Exit 1 78 | } 79 | 80 | Write-Output 'Creating Directory for DSC Public Cert' 81 | Try { 82 | $Null = New-Item -Path 'C:\AWSQuickstart\publickeys' -ItemType 'Directory' -ErrorAction Stop 83 | } Catch [System.Exception] { 84 | Write-Output "Failed to create publickeys directory $_" 85 | Exit 1 86 | } 87 | 88 | Write-Output 'Creating DSC Certificate to Encrypt Credentials in MOF File' 89 | Try { 90 | $cert = New-SelfSignedCertificate -Type 'DocumentEncryptionCertLegacyCsp' -DnsName 'AWSQSDscEncryptCert' -HashAlgorithm 'SHA256' -ErrorAction Stop 91 | } Catch [System.Exception] { 92 | Write-Output "Failed to create self signed cert $_" 93 | Exit 1 94 | } 95 | 96 | Write-Output 'Exporting the public key certificate' 97 | Try { 98 | $Null = $cert | Export-Certificate -FilePath 'C:\AWSQuickstart\publickeys\AWSQSDscPublicKey.cer' -Force -ErrorAction Stop 99 | } Catch [System.Exception] { 100 | Write-Output "Failed to copy self signed cert to publickeys directory $_" 101 | Exit 1 102 | } 103 | 104 | Write-Output 'Finding RAW Disk' 105 | $Counter = 0 106 | Do { 107 | Try { 108 | $BlankDisk = Get-Disk -ErrorAction Stop | Where-Object { $_.partitionstyle -eq 'raw' } 109 | } Catch [System.Exception] { 110 | Write-Output "Failed to get disk $_" 111 | $BlankDisk = $Null 112 | } 113 | If (-not $BlankDisk) { 114 | $Counter ++ 115 | Write-Output 'RAW Disk not found sleeping 10 seconds and will try again.' 
116 | Start-Sleep -Seconds 10 117 | } 118 | } Until ($BlankDisk -or $Counter -eq 12) 119 | 120 | If ($Counter -ge 12) { 121 | Write-Output 'RAW Disk not found sleeping exitiing' 122 | Exit 1 123 | } 124 | 125 | Write-Output 'Data Volume not initialized attempting to bring online' 126 | Try{ 127 | Initialize-Disk -Number $BlankDisk.Number -PartitionStyle 'GPT' -ErrorAction Stop 128 | } Catch [System.Exception] { 129 | Write-Output "Failed attempting to bring online Data Volume $_" 130 | Exit 1 131 | } 132 | 133 | Start-Sleep -Seconds 5 134 | 135 | Write-Output 'Data Volume creating new partition' 136 | Try { 137 | $Null = New-Partition -DiskNumber $BlankDisk.Number -DriveLetter 'D' -UseMaximumSize -ErrorAction Stop 138 | } Catch [System.Exception] { 139 | Write-Output "Failed creating new partition $_" 140 | Exit 1 141 | } 142 | 143 | Start-Sleep -Seconds 5 144 | 145 | Write-Output 'Data Volume formatting partition' 146 | Try { 147 | $Null = Format-Volume -DriveLetter 'D' -FileSystem 'NTFS' -NewFileSystemLabel 'Data' -Confirm:$false -Force -ErrorAction Stop 148 | } Catch [System.Exception] { 149 | Write-Output "Failed formatting partition $_" 150 | Exit 1 151 | } -------------------------------------------------------------------------------- /scripts/archive/xAdcsDeployment_0.1.0.0.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-microsoft-activedirectory/bb64d5f3034b10b14137b6f0ff46e4fc79cd0a81/scripts/archive/xAdcsDeployment_0.1.0.0.zip -------------------------------------------------------------------------------- /scripts/domainremove.mof: -------------------------------------------------------------------------------- 1 | /* 2 | @TargetNode='localhost' 3 | */ 4 | instance of MSFT_RoleResource as $MSFT_RoleResource1ref 5 | { 6 | ResourceID = "[WindowsFeature]RSAT-AD-PowerShell"; 7 | Ensure = "Present"; 8 | Name = "RSAT-AD-PowerShell"; 9 | ModuleName = 
"PSDesiredStateConfiguration"; 10 | ModuleVersion = "1.0"; 11 | ConfigurationName = "RemoveDomain"; 12 | }; 13 | instance of MSFT_Credential as $MSFT_Credential1ref 14 | { 15 | Password = "stringdoesntmatter"; 16 | UserName = "arn:aws:secretsmanager:us-west-2:111122223333:secret:secretName"; 17 | }; 18 | instance of MSFT_ADComputer as $MSFT_ADComputer1ref 19 | { 20 | ResourceID = "[ADComputer]RemoveDomain"; 21 | Ensure = "Absent"; 22 | Credential = $MSFT_Credential1ref; 23 | ComputerName = "{tag:Name}"; 24 | ModuleName = "ActiveDirectoryDsc"; 25 | ModuleVersion = "6.0.1"; 26 | DependsOn = { 27 | "[WindowsFeature]RSAT-AD-PowerShell"}; 28 | ConfigurationName = "RemoveDomain"; 29 | }; 30 | instance of OMI_ConfigurationDocument 31 | { 32 | Version="2.0.0"; 33 | MinimumCompatibleVersion = "1.0.0"; 34 | CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"}; 35 | Name="RemoveDomain"; 36 | }; -------------------------------------------------------------------------------- /scripts/winworkshop.mof: -------------------------------------------------------------------------------- 1 | /* 2 | @TargetNode='localhost' 3 | */ 4 | instance of MSFT_Credential as $MSFT_Credential1ref 5 | { 6 | UserName = "arn:aws:secretsmanager:us-west-2:111122223333:secret:secretName"; 7 | Password = "stringdoesntmatter"; 8 | }; 9 | instance of DSC_Computer as $DSC_Computer1ref 10 | { 11 | ModuleName = "ComputerManagementDsc"; 12 | DomainName = "{tag:Domain}"; 13 | ModuleVersion = "8.4.0"; 14 | Credential = $MSFT_Credential1ref; 15 | Name = "{tag:Name}"; 16 | ResourceID = "[Computer]JoinDomain"; 17 | ConfigurationName = "DomainJoin"; 18 | }; 19 | instance of MSFT_SecurityOption as $MSFT_SecurityOption1ref 20 | { 21 | Interactive_logon_Message_title_for_users_attempting_to_log_on = "Logon policy From SSM"; 22 | ModuleName = "SecurityPolicyDsc"; 23 | ModuleVersion = "2.10.0.0"; 24 | Name = "LogonMessage"; 25 | ResourceID = "[SecurityOption]LogonMessage"; 26 | 
Interactive_logon_Message_text_for_users_attempting_to_log_on = "{ssm:LogonMessage}"; 27 | ConfigurationName = "DomainJoin"; 28 | }; 29 | instance of OMI_ConfigurationDocument 30 | { 31 | Version="2.0.0"; 32 | MinimumCompatibleVersion = "1.0.0"; 33 | CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"}; 34 | Name="DomainJoin"; 35 | }; -------------------------------------------------------------------------------- /templates/README.md: -------------------------------------------------------------------------------- 1 | # Template information 2 | If templates are being referenced, the current templates are the ones that should be used (specifically the existing VPC templates). Previous templates are still in use across other Quick Starts but should be migrated to use the current templates. Deprecated templates are in danger of being removed and should definitely not be used in Quick Starts. 3 | 4 | ## Current Templates 5 | These templates are divided into master templates which nest this and other Quick Starts and existing VPC templates which deploy the scenario in a VPC that satisfies the requirements of the workload. 6 | #### Master Templates 7 | * ad-master-1.template 8 | * ad-master-2.template 9 | * ad-master-3.template 10 | 11 | #### Existing VPC Templates 12 | * ad-1.template 13 | * ad-2.template 14 | * ad-3.template 15 | 16 | ## Previous Templates 17 | * ad-2012r2-1.template 18 | * ad-2012r2-2.template 19 | * ad-2012r2-3.template 20 | 21 | ## Deprecated Templates 22 | These templates include VPC and RDGW creation in addition to the scenario. 
23 | * Template_1_AD_2012R2.template 24 | -------------------------------------------------------------------------------- /templates/workshop/Modules/Module-AD/Module-AD.psd1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aws-quickstart/quickstart-microsoft-activedirectory/bb64d5f3034b10b14137b6f0ff46e4fc79cd0a81/templates/workshop/Modules/Module-AD/Module-AD.psd1 -------------------------------------------------------------------------------- /templates/workshop/SystemManagerLab.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 2010-09-09 2 | Description: Managing Microsoft Workloads at Scale on AWS (qs-1scnfaifg) 3 | Metadata: 4 | AWS::CloudFormation::Interface: 5 | ParameterGroups: 6 | - Label: 7 | default: Network configuration for EC2 and ELB 8 | Parameters: 9 | - VPCID 10 | - PublicSubnet1ID 11 | - PublicSubnet2ID 12 | - PrivateSubnet1ID 13 | - PrivateSubnet2ID 14 | - Label: 15 | default: Microsoft Active Directory Domain configuration 16 | Parameters: 17 | - DomainJoinSecrets 18 | - Label: 19 | default: EC2 Configuration 20 | Parameters: 21 | - LatestAmiId 22 | ParameterLabels: 23 | DomainJoinSecrets: 24 | default: Secrets Manager Domain Secret ARN 25 | PrivateSubnet1ID: 26 | default: Private Subnet 1 ID 27 | PrivateSubnet2ID: 28 | default: Private Subnet 2 ID 29 | PublicSubnet1ID: 30 | default: Public Subnet 1 ID 31 | PublicSubnet2ID: 32 | default: Public Subnet 2 ID 33 | VPCID: 34 | default: VPC ID 35 | LatestAmiId: 36 | default: Amazon Machine Image (AMI) Id 37 | Parameters: 38 | DomainJoinSecrets: 39 | Description: ARN of the Secrets Manager secret containing the password for joining the machine to the domain. 
40 | Type: String 41 | PublicSubnet1ID: 42 | Description: ID of subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) 43 | Type: AWS::EC2::Subnet::Id 44 | PublicSubnet2ID: 45 | Description: ID of subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd) 46 | Type: AWS::EC2::Subnet::Id 47 | PrivateSubnet1ID: 48 | Description: ID of subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) 49 | Type: AWS::EC2::Subnet::Id 50 | PrivateSubnet2ID: 51 | Description: ID of subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd) 52 | Type: AWS::EC2::Subnet::Id 53 | WEBCIDR: 54 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ 55 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x. 56 | Description: Allowed CIDR block for external access to the ELBs. Use https://checkip.amazonaws.com/ to determine your IP and place it here. 57 | Type: String 58 | VPCID: 59 | Description: ID of the VPC (e.g., vpc-0343606e) 60 | Type: AWS::EC2::VPC::Id 61 | LatestAmiId: 62 | Type: "AWS::SSM::Parameter::Value" 63 | Default: "/aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base" 64 | Resources: 65 | ###################### 66 | # Security Resources # 67 | ###################### 68 | 69 | InstanceRole: 70 | Type: AWS::IAM::Role 71 | Properties: 72 | Policies: 73 | - PolicyDocument: 74 | Version: "2012-10-17" 75 | Statement: 76 | - Effect: Allow 77 | Action: 78 | - secretsmanager:GetSecretValue 79 | - secretsmanager:DescribeSecret 80 | Resource: 81 | - !Ref "DomainJoinSecrets" 82 | PolicyName: secrets-policy 83 | - PolicyDocument: 84 | Version: "2012-10-17" 85 | Statement: 86 | - Action: 87 | - ssm:GetParameter 88 | Resource: 89 | - !Sub "arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${LogonMessageParam}" 90 | Effect: Allow 91 | PolicyName: ssm-param-policy 92 | - PolicyDocument: 93 | Version: "2012-10-17" 94 | Statement: 95 | - Action: 96 
| - s3:GetObject 97 | - s3:PutObject 98 | - s3:PutObjectAcl 99 | - s3:ListBucket 100 | Resource: 101 | - !Sub "arn:${AWS::Partition}:s3:::${DSCBucket}/*" 102 | - !Sub "arn:${AWS::Partition}:s3:::${DSCBucket}" 103 | Effect: Allow 104 | PolicyName: dsc-bucket-policy 105 | - PolicyDocument: 106 | Version: "2012-10-17" 107 | Statement: 108 | - Effect: Allow 109 | Action: s3:GetObject 110 | Resource: 111 | - !Sub arn:${AWS::Partition}:s3:::aws-ssm-${AWS::Region}/* 112 | - !Sub arn:${AWS::Partition}:s3:::aws-windows-downloads-${AWS::Region}/* 113 | - !Sub arn:${AWS::Partition}:s3:::amazon-ssm-${AWS::Region}/* 114 | - !Sub arn:${AWS::Partition}:s3:::amazon-ssm-packages-${AWS::Region}/* 115 | - !Sub arn:${AWS::Partition}:s3:::${AWS::Region}-birdwatcher-prod/* 116 | - !Sub arn:${AWS::Partition}:s3:::patch-baseline-snapshot-${AWS::Region}/* 117 | - !Sub arn:${AWS::Partition}:s3:::aws-ssm-distributor-file-${AWS::Region}/* 118 | - !Sub arn:${AWS::Partition}:s3:::aws-ssm-document-attachments-${AWS::Region}/* 119 | PolicyName: ssm-automation-policy 120 | - PolicyDocument: 121 | Version: "2012-10-17" 122 | Statement: 123 | - Effect: Allow 124 | Action: 125 | - ec2:CreateTags 126 | Resource: "*" 127 | Condition: 128 | "StringEquals": 129 | "aws:ARN": "${ec2:SourceInstanceARN}" 130 | "ForAllValues:StringEquals": 131 | "aws:TagKeys": Name 132 | PolicyName: self-ec2-tag-policy 133 | Path: / 134 | ManagedPolicyArns: 135 | - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ReadOnlyAccess" 136 | - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" 137 | - !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchAgentServerPolicy" 138 | Tags: 139 | - Key: StackName 140 | Value: !Ref AWS::StackName 141 | AssumeRolePolicyDocument: 142 | Statement: 143 | - Effect: Allow 144 | Action: sts:AssumeRole 145 | Principal: 146 | Service: 147 | - ec2.amazonaws.com 148 | Version: "2012-10-17" 149 | InstanceProfile: 150 | Type: AWS::IAM::InstanceProfile 151 | Properties: 152 | 
InstanceProfileName: InstanceProfile 153 | Roles: [!Ref InstanceRole] 154 | ELBSecurityGroup: 155 | Type: AWS::EC2::SecurityGroup 156 | Properties: 157 | GroupDescription: Limits security group egress traffic 158 | VpcId: 159 | Ref: VPCID 160 | SecurityGroupIngress: 161 | - IpProtocol: tcp 162 | FromPort: 80 163 | ToPort: 80 164 | CidrIp: !Ref WEBCIDR 165 | EC2SecurityGroup: 166 | Type: AWS::EC2::SecurityGroup 167 | Properties: 168 | GroupDescription: Limits security group egress traffic 169 | VpcId: 170 | Ref: VPCID 171 | SecurityGroupIngress: 172 | - IpProtocol: tcp 173 | FromPort: 80 174 | ToPort: 80 175 | SourceSecurityGroupId: !GetAtt ELBSecurityGroup.GroupId 176 | 177 | ################### 178 | # App Resources # 179 | ################### 180 | DSCBucket: 181 | Type: AWS::S3::Bucket 182 | Properties: 183 | BucketEncryption: 184 | ServerSideEncryptionConfiguration: 185 | - ServerSideEncryptionByDefault: 186 | SSEAlgorithm: AES256 187 | PublicAccessBlockConfiguration: 188 | BlockPublicAcls: true 189 | BlockPublicPolicy: true 190 | IgnorePublicAcls: true 191 | RestrictPublicBuckets: true 192 | VersioningConfiguration: 193 | Status: Enabled 194 | LifecycleConfiguration: 195 | Rules: 196 | - Id: DeleteAfter30Days 197 | ExpirationInDays: 30 198 | Status: Enabled 199 | Prefix: "logs" 200 | 201 | LogonMessageParam: 202 | Type: AWS::SSM::Parameter 203 | Properties: 204 | Description: Logon Message for Interactive Logon 205 | Name: LogonMessage 206 | Type: String 207 | Value: "'This is a Test System.,Testing how to Set a Logon Message with.,PowerShell DSC and AWS Systems Manager.,Parameter Store'" 208 | 209 | WEB01: 210 | Type: AWS::EC2::Instance 211 | Properties: 212 | InstanceType: t3.large 213 | ImageId: !Ref LatestAmiId 214 | IamInstanceProfile: !Ref InstanceProfile 215 | SubnetId: !Ref PrivateSubnet1ID 216 | SecurityGroupIds: 217 | - !Ref EC2SecurityGroup 218 | - !ImportValue DomainMemberSG 219 | Tags: 220 | - Key: "Name" 221 | Value: "WEB01" 222 | - Key: "Role" 
223 | Value: "WebServer" 224 | - Key: "OperatingSystem" 225 | Value: "Windows" 226 | - Key: "Domain" 227 | Value: "example.com" 228 | UserData: 229 | Fn::Base64: | 230 | 231 | Install-WindowsFeature -Name WebServer -IncludeAllSubFeature 232 | Add-Content c:\inetpub\wwwroot\default.aspx '<%@ Page Title="" Language="C#" Trace="true"%>' 233 | del c:\inetpub\wwwroot\iisstart.htm 234 | 235 | WEB02: 236 | Type: AWS::EC2::Instance 237 | Properties: 238 | InstanceType: t3.large 239 | ImageId: !Ref LatestAmiId 240 | IamInstanceProfile: !Ref InstanceProfile 241 | SubnetId: !Ref PrivateSubnet2ID 242 | SecurityGroupIds: 243 | - !Ref EC2SecurityGroup 244 | - !ImportValue DomainMemberSG 245 | Tags: 246 | - Key: "Name" 247 | Value: "WEB02" 248 | - Key: "Role" 249 | Value: "WebServer" 250 | - Key: "OperatingSystem" 251 | Value: "Windows" 252 | - Key: "Domain" 253 | Value: "example.com" 254 | UserData: 255 | Fn::Base64: | 256 | 257 | Install-WindowsFeature -Name WebServer -IncludeAllSubFeature 258 | Add-Content c:\inetpub\wwwroot\default.aspx '<%@ Page Title="" Language="C#" Trace="true"%>' 259 | del c:\inetpub\wwwroot\iisstart.htm 260 | 261 | LoadBalancer: 262 | Type: AWS::ElasticLoadBalancing::LoadBalancer 263 | Properties: 264 | Subnets: 265 | - !Ref PublicSubnet1ID 266 | - !Ref PublicSubnet2ID 267 | Instances: 268 | - !Ref WEB01 269 | - !Ref WEB02 270 | SecurityGroups: 271 | - !Ref ELBSecurityGroup 272 | Listeners: 273 | - LoadBalancerPort: "80" 274 | InstancePort: "80" 275 | Protocol: HTTP 276 | HealthCheck: 277 | Target: HTTP:80/ 278 | HealthyThreshold: "3" 279 | UnhealthyThreshold: "5" 280 | Interval: "30" 281 | Timeout: "5" 282 | Outputs: 283 | URL: 284 | Description: The URL for the LoadBalancer 285 | Value: !Sub http://${LoadBalancer.DNSName} 286 | DSCBucket: 287 | Value: !Ref DSCBucket 288 | Description: Bucket Name for Mof files 289 | Export: 290 | Name: DSCBucket 291 | InstanceRoleArn: 292 | Value: !GetAtt InstanceRole.Arn 293 | Description: The Arn for the IAM Role 
for the Managed Instances 294 | Export: 295 | Name: InstanceRoleArn 296 | InstanceProfileName: 297 | Value: !Ref InstanceProfile 298 | Description: Instance profile name 299 | Export: 300 | Name: InstanceProfile 301 | EC2SecurityGroup: 302 | Value: !Ref EC2SecurityGroup 303 | Description: Security Group for the IIS Servers (allows traffic from the ELB) 304 | Export: 305 | Name: EC2SecurityGroup 306 | ELBSecurityGroup: 307 | Value: !Ref ELBSecurityGroup 308 | Description: Security Group for the ELB 309 | Export: 310 | Name: ELBSecurityGroup -------------------------------------------------------------------------------- /templates/workshop/ad-workshop.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: "2010-09-09" 2 | Description: >- 3 | This template creates an AWS Managed Microsoft AD Directory into private subnets in separate Availability Zones inside a VPC. The default Domain 4 | Administrator user is 'admin'. For adding members to the domain, ensure that they are launched into the domain member security group created by this 5 | template and then configure them to use the AD instances' fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 6 | Windows instances and related resources. You will be billed for the AWS resources used if you create a stack from this template. 
(qs-1s5tkblm0) 7 | Metadata: 8 | cfn-lint: 9 | config: 10 | ignore_checks: 11 | - W9006 12 | - E9101 13 | QuickStartDocumentation: 14 | EntrypointName: "Parameters for deploying AWS Managed Microsoft AD into an existing VPC" 15 | Order: "6" 16 | AWS::CloudFormation::Interface: 17 | ParameterGroups: 18 | - Label: 19 | default: Network Configuration 20 | Parameters: 21 | - VPCCIDR 22 | - VPCID 23 | - DHCPOptionSet 24 | - PrivateSubnet1ID 25 | - PrivateSubnet2ID 26 | - Label: 27 | default: AWS Managed Microsoft Active Directory configuration 28 | Parameters: 29 | - DomainDNSName 30 | - DomainNetBIOSName 31 | - ADEdition 32 | - Label: 33 | default: Microsoft Windows Server management instance 34 | Parameters: 35 | - MgmtServer 36 | - MgmtServerInstanceType 37 | - MgmtAmi 38 | - MgmtDataDriveSizeGiB 39 | - MgmtServerNetBIOSName 40 | - Label: 41 | default: AWS Quick Start Configuration 42 | Parameters: 43 | - QSS3BucketName 44 | - QSS3BucketRegion 45 | - QSS3KeyPrefix 46 | ParameterLabels: 47 | ADEdition: 48 | default: AWS Managed Microsoft AD Edition 49 | DHCPOptionSet: 50 | default: Create a DHCP Options set 51 | DomainDNSName: 52 | default: Domain DNS Name 53 | DomainNetBIOSName: 54 | default: Domain NetBIOS Name 55 | MgmtAmi: 56 | default: Management Server SSM Parameter Value for latest AMI ID 57 | MgmtDataDriveSizeGiB: 58 | default: Data Drive Size 59 | MgmtServer: 60 | default: Deploy Management Server 61 | MgmtServerInstanceType: 62 | default: Management Server Instance Type 63 | MgmtServerNetBIOSName: 64 | default: Management Server NetBIOS Name 65 | PrivateSubnet1ID: 66 | default: Subnet 1 ID 67 | PrivateSubnet2ID: 68 | default: Subnet 2 ID 69 | QSS3BucketName: 70 | default: Quick Start S3 bucket name 71 | QSS3BucketRegion: 72 | default: Quick Start S3 bucket Region 73 | QSS3KeyPrefix: 74 | default: Quick Start S3 key prefix 75 | VPCCIDR: 76 | default: VPC CIDR 77 | VPCID: 78 | default: VPC ID 79 | Parameters: 80 | ADEdition: 81 | AllowedValues: 82 | - Standard 
83 | - Enterprise 84 | Default: Enterprise 85 | Description: The AWS Managed Microsoft AD Edition you wish to deploy 86 | Type: String 87 | DHCPOptionSet: 88 | AllowedValues: 89 | - "Yes" 90 | - "No" 91 | Default: "Yes" 92 | Description: Do you want to create and apply a new DHCP Options Set 93 | Type: String 94 | DomainDNSName: 95 | AllowedPattern: '[a-zA-Z0-9\-]+\..+' 96 | Default: example.com 97 | Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com 98 | MaxLength: "255" 99 | MinLength: "2" 100 | Type: String 101 | DomainNetBIOSName: 102 | AllowedPattern: '[a-zA-Z0-9\-]+' 103 | Default: example 104 | Description: NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE 105 | MaxLength: "15" 106 | MinLength: "1" 107 | Type: String 108 | MgmtAmi: 109 | Default: "/aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base" 110 | Description: Management Server SSM Parameter Value to grab the latest AMI ID 111 | Type: String 112 | MgmtDataDriveSizeGiB: 113 | Default: "2" 114 | Description: Size of the Management Server Data Drive in GiB 115 | Type: Number 116 | MgmtServer: 117 | AllowedValues: 118 | - "true" 119 | - "false" 120 | Default: "true" 121 | Description: Do you want to deploy a Management Server 122 | Type: String 123 | MgmtServerInstanceType: 124 | AllowedValues: 125 | - t2.small 126 | - t3.small 127 | - t2.medium 128 | - t3.medium 129 | - t2.large 130 | - t3.large 131 | Default: t3.medium 132 | Description: Amazon EC2 instance type for the Management Server 133 | Type: String 134 | MgmtServerNetBIOSName: 135 | AllowedPattern: '[a-zA-Z0-9\-]+' 136 | Default: MGMT1 137 | Description: NetBIOS name of the Management Server server (up to 15 characters) 138 | MaxLength: "15" 139 | MinLength: "1" 140 | Type: String 141 | PrivateSubnet1ID: 142 | Description: ID of subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) 143 | Type: AWS::EC2::Subnet::Id 144 | 
PrivateSubnet2ID: 145 | Description: ID of subnet 2 in Availability Zone 2 (e.g., subnet-a0246dcd) 146 | Type: AWS::EC2::Subnet::Id 147 | PublicSubnet1ID: 148 | Description: ID of subnet 1 in Availability Zone 1 (e.g., subnet-a0246dcd) 149 | Type: AWS::EC2::Subnet::Id 150 | QSS3BucketName: 151 | AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ 152 | ConstraintDescription: Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). 153 | Default: aws-quickstart 154 | Description: S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-) It cannot start or end with a hyphen (-). 155 | Type: String 156 | QSS3BucketRegion: 157 | Default: us-east-1 158 | Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value 159 | Type: String 160 | QSS3KeyPrefix: 161 | AllowedPattern: ^[0-9a-zA-Z-/]*$ 162 | ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) 163 | Default: quickstart-microsoft-activedirectory/ 164 | Description: S3 key prefix for the Quick Start assets. 
Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/) 165 | Type: String 166 | VPCCIDR: 167 | AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$ 168 | ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28 169 | Default: 10.0.0.0/16 170 | Description: CIDR Block for the VPC 171 | Type: String 172 | VPCID: 173 | Description: ID of the VPC (e.g., vpc-0343606e) 174 | Type: AWS::EC2::VPC::Id 175 | Rules: 176 | SubnetsInVPC: 177 | Assertions: 178 | - Assert: !EachMemberIn 179 | - !ValueOfAll 180 | - AWS::EC2::Subnet::Id 181 | - VpcId 182 | - !RefAll "AWS::EC2::VPC::Id" 183 | AssertDescription: All subnets must in the VPC 184 | Conditions: 185 | ShouldCreateDHCPOption: !Not [!Equals [!Ref DHCPOptionSet, "No"]] 186 | ShouldCreateMgmtServer: !Equals [!Ref MgmtServer, "true"] 187 | UsingDefaultBucket: !Equals [!Ref QSS3BucketName, "aws-quickstart"] 188 | Resources: 189 | DHCPOptions: 190 | Condition: ShouldCreateDHCPOption 191 | Type: AWS::EC2::DHCPOptions 192 | Properties: 193 | DomainName: !Ref "DomainDNSName" 194 | DomainNameServers: !GetAtt "MicrosoftAD.DnsIpAddresses" 195 | Tags: 196 | - Key: Domain 197 | Value: !Ref "DomainDNSName" 198 | VPCDHCPOptionsAssociation: 199 | Condition: ShouldCreateDHCPOption 200 | Type: AWS::EC2::VPCDHCPOptionsAssociation 201 | Properties: 202 | VpcId: !Ref "VPCID" 203 | DhcpOptionsId: !Ref "DHCPOptions" 204 | ADAdminSecrets: 205 | Type: AWS::SecretsManager::Secret 206 | Properties: 207 | Name: !Sub "ADAdminSecret-${AWS::StackName}" 208 | GenerateSecretString: 209 | SecretStringTemplate: !Sub '{"Username": "${DomainNetBIOSName}\\Admin"}' 210 | GenerateStringKey: "Password" 211 | PasswordLength: 12 212 | ExcludeCharacters: '"@/\' 213 | MicrosoftAD: 214 | Type: AWS::DirectoryService::MicrosoftAD 215 | Properties: 216 | Name: !Ref "DomainDNSName" 217 | Edition: !Ref 
"ADEdition" 218 | ShortName: !Ref "DomainNetBIOSName" 219 | Password: 220 | !Join [ 221 | "", 222 | [ 223 | "{{resolve:secretsmanager:", 224 | !Ref ADAdminSecrets, 225 | ":SecretString:Password}}", 226 | ], 227 | ] 228 | VpcSettings: 229 | SubnetIds: 230 | - !Ref "PrivateSubnet1ID" 231 | - !Ref "PrivateSubnet2ID" 232 | VpcId: !Ref "VPCID" 233 | DomainMemberSG: 234 | Type: AWS::EC2::SecurityGroup 235 | Metadata: 236 | cfn_nag: 237 | rules_to_suppress: 238 | - id: F1000 239 | reason: "Standard Amazon practice" 240 | Properties: 241 | GroupDescription: Domain Members 242 | VpcId: !Ref "VPCID" 243 | Tags: 244 | - Key: Name 245 | Value: DomainMembersSecurityGroup 246 | DomainMembersIngressRDP: 247 | Type: AWS::EC2::SecurityGroupIngress 248 | Properties: 249 | Description: RDP 250 | GroupId: !Ref DomainMemberSG 251 | IpProtocol: tcp 252 | FromPort: 3389 253 | ToPort: 3389 254 | SourceSecurityGroupId: !Ref DomainMemberSG 255 | DomainMembersIngressWinRMHTTP: 256 | Type: AWS::EC2::SecurityGroupIngress 257 | Properties: 258 | Description: WinRM-HTTP 259 | GroupId: !Ref DomainMemberSG 260 | IpProtocol: tcp 261 | FromPort: 5985 262 | ToPort: 5985 263 | SourceSecurityGroupId: !Ref DomainMemberSG 264 | DomainMembersIngressWinRMHTTPS: 265 | Type: AWS::EC2::SecurityGroupIngress 266 | Properties: 267 | Description: WinRM-HTTPS 268 | GroupId: !Ref DomainMemberSG 269 | IpProtocol: tcp 270 | FromPort: 5986 271 | ToPort: 5986 272 | SourceSecurityGroupId: !Ref DomainMemberSG 273 | MgmtStack: 274 | Condition: ShouldCreateMgmtServer 275 | Type: AWS::CloudFormation::Stack 276 | Properties: 277 | TemplateURL: !Sub 278 | - "https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workshop/mgmt-1.template.yaml" 279 | - S3Region: 280 | !If [UsingDefaultBucket, !Ref "AWS::Region", !Ref QSS3BucketRegion] 281 | S3Bucket: 282 | !If [ 283 | UsingDefaultBucket, 284 | !Sub "${QSS3BucketName}-${AWS::Region}", 285 | !Ref QSS3BucketName, 286 | ] 287 | Parameters: 288 | 
AdministratorSecret: !Ref "ADAdminSecrets" 289 | DirectoryID: !Ref "MicrosoftAD" 290 | DomainController1IP: !Select ["0", !GetAtt "MicrosoftAD.DnsIpAddresses"] 291 | DomainController2IP: !Select ["1", !GetAtt "MicrosoftAD.DnsIpAddresses"] 292 | DomainDNSName: !Ref "DomainDNSName" 293 | DomainMembersSG: !Ref "DomainMemberSG" 294 | DomainNetBIOSName: !Ref "DomainNetBIOSName" 295 | MgmtAmi: !Ref "MgmtAmi" 296 | MgmtDataDriveSizeGiB: !Ref "MgmtDataDriveSizeGiB" 297 | MgmtServerInstanceType: !Ref "MgmtServerInstanceType" 298 | MgmtServerNetBIOSName: !Ref "MgmtServerNetBIOSName" 299 | MgmtServerSubnet: !Ref "PublicSubnet1ID" 300 | QSS3BucketName: !Ref "QSS3BucketName" 301 | QSS3BucketRegion: !Ref "QSS3BucketRegion" 302 | QSS3KeyPrefix: !Ref "QSS3KeyPrefix" 303 | VPCCIDR: !Ref "VPCCIDR" 304 | VPCID: !Ref "VPCID" 305 | Outputs: 306 | ADSecretsArn: 307 | Description: Managed AD Admin Secrets 308 | Value: !Ref "ADAdminSecrets" 309 | Export: 310 | Name: DomainSecretsArn 311 | ADServer1PrivateIP: 312 | Description: AD Server 1 Private IP Address (this may vary based on Directory Service order of IP addresses) 313 | Value: !Select ["0", !GetAtt "MicrosoftAD.DnsIpAddresses"] 314 | ADServer2PrivateIP: 315 | Description: AD Server 2 Private IP Address (this may vary based on Directory Service order of IP addresses) 316 | Value: !Select ["1", !GetAtt "MicrosoftAD.DnsIpAddresses"] 317 | DirectoryID: 318 | Description: Directory Services ID 319 | Value: !Ref "MicrosoftAD" 320 | DomainAdmin: 321 | Description: Domain administrator account 322 | Value: !Sub ${DomainNetBIOSName}\admin 323 | DomainMemberSGID: 324 | Description: Domain Member Security Group ID 325 | Value: !Ref "DomainMemberSG" 326 | Export: 327 | Name: DomainMemberSG 328 | -------------------------------------------------------------------------------- /templates/workshop/ad-worskshop-main.template.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: 
'2010-09-09'
Description: >-
  This template creates a VPC infrastructure for a multi-AZ, multi-tier deployment of a Windows based Application infrastructure. It deploys a managed
  Microsoft AD Directory Service into private subnets in separate Availability Zones inside a VPC, as well as Remote Desktop Gateway instances and
  managed NAT gateways into the public subnet for each Availability Zone. The default Domain Administrator user is 'admin'. For adding members to the
  domain, ensure that they are launched into the domain member security group created by this template and then configure them to use the AD instances
  fixed private IP addresses as the DNS server. **WARNING** This template creates Amazon EC2 Windows instance and related resources. You will be
  billed for the AWS resources used if you create a stack from this template. (qs-1s5tkbllm)
# Workshop "main" (new-VPC) entry point. It only wires parameters through to three
# nested stacks fetched from the Quick Start S3 bucket:
#   VPCStack            -> templates/workshop/aws-vpc.template.yaml
#   ADStack             -> templates/workshop/ad-workshop.template.yaml
#   WorkshopInstances   -> templates/workshop/SystemManagerLab.yaml
# No resources other than the nested stacks are created here.
Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - W9006
  QuickStartDocumentation:
    EntrypointName: 'Parameters for deploying AWS Managed Microsoft AD into a new VPC'
    Order: '5'
  AWS::CloudFormation::Interface:
    # NOTE(review): WEBCIDR is a declared parameter below but is not listed in any
    # ParameterGroup or ParameterLabels entry, so the console shows it ungrouped and
    # unlabelled. It is security-relevant (ELB ingress range) and should be surfaced.
    ParameterGroups:
      - Label:
          default: Network configuration
        Parameters:
          - NumberOfAZs
          - VPCCIDR
          - DHCPOptionSet
          - PrivateSubnet1CIDR
          - PrivateSubnet2CIDR
          - PrivateSubnet3CIDR
          - PublicSubnet1CIDR
          - PublicSubnet2CIDR
          - PublicSubnet3CIDR
      - Label:
          default: Microsoft Active Directory configuration
        Parameters:
          - DomainDNSName
          - DomainNetBIOSName
          - ADEdition
      - Label:
          default: Microsoft Windows Server management instance
        Parameters:
          - MgmtServer
          - MgmtServerInstanceType
          - MgmtDataDriveSizeGiB
          - MgmtServerNetBIOSName
      - Label:
          default: AWS Quick Start configuration
        Parameters:
          - QSS3BucketName
          - QSS3BucketRegion
          - QSS3KeyPrefix
    ParameterLabels:
      ADEdition:
        default: AWS Microsoft AD Edition
      DHCPOptionSet:
        default: Create a DHCP Options set
      DomainDNSName:
        default: Domain DNS Name
      DomainNetBIOSName:
        default: Domain NetBIOS Name
      MgmtDataDriveSizeGiB:
        default: Data Drive Size
      MgmtServer:
        default: Deploy Management Server
      MgmtServerInstanceType:
        default: Management Server Instance Type
      MgmtServerNetBIOSName:
        default: Management Server NetBIOS Name
      NumberOfAZs:
        default: Number of Availability Zones
      PrivateSubnet1CIDR:
        default: Private Subnet 1 CIDR
      PrivateSubnet2CIDR:
        default: Private Subnet 2 CIDR
      PrivateSubnet3CIDR:
        default: (Optional) Private Subnet 3 CIDR
      PublicSubnet1CIDR:
        default: Public Subnet 1 CIDR
      PublicSubnet2CIDR:
        default: Public Subnet 2 CIDR
      PublicSubnet3CIDR:
        default: (Optional) Public Subnet 3 CIDR
      QSS3BucketName:
        default: Quick Start S3 bucket name
      QSS3BucketRegion:
        default: Quick Start S3 bucket region
      QSS3KeyPrefix:
        default: Quick Start S3 key prefix
      VPCCIDR:
        default: VPC CIDR
Parameters:
  # Passed straight through to ADStack.
  ADEdition:
    AllowedValues:
      - Standard
      - Enterprise
    Default: Standard
    Description: The AWS Microsoft AD Edition you wish to deploy
    Type: String
  # Passed straight through to ADStack, which decides whether to create a DHCP option set.
  DHCPOptionSet:
    AllowedValues:
      - 'Yes'
      - 'No'
    Default: 'Yes'
    Description: Do you want to create and apply a new DHCP Options Set
    Type: String
  DomainDNSName:
    AllowedPattern: '[a-zA-Z0-9\-]+\..+'
    Default: example.com
    Description: Fully qualified domain name (FQDN) of the forest root domain e.g. example.com
    MaxLength: '255'
    MinLength: '2'
    Type: String
  DomainNetBIOSName:
    AllowedPattern: '[a-zA-Z0-9\-]+'
    Default: example
    Description: NetBIOS name of the domain (upto 15 characters) for users of earlier versions of Windows e.g. EXAMPLE
    MaxLength: '15'
    MinLength: '1'
    Type: String
  MgmtDataDriveSizeGiB:
    Default: '2'
    Description: Size of the Managment Server Data Drive in GiB
    Type: Number
  # String-typed boolean; ADStack is expected to compare it against 'true'.
  MgmtServer:
    AllowedValues:
      - 'true'
      - 'false'
    Default: 'true'
    Description: Do you want to deploy a Management Server
    Type: String
  MgmtServerInstanceType:
    AllowedValues:
      - t2.small
      - t3.small
      - t2.medium
      - t3.medium
      - t2.large
      - t3.large
    Default: t3.medium
    Description: Amazon EC2 instance type for the Management Server
    Type: String
  MgmtServerNetBIOSName:
    AllowedPattern: '[a-zA-Z0-9\-]+'
    Default: MGMT1
    Description: NetBIOS name of the Management Server server (up to 15 characters)
    MaxLength: '15'
    MinLength: '1'
    Type: String
  # Drives the IsTwoAz condition below. The description refers to an "Availability
  # Zones parameter" that does not exist in this template and is not passed to
  # VPCStack here — presumably a leftover from the non-workshop templates; confirm.
  NumberOfAZs:
    AllowedValues:
      - '2'
      - '3'
    Default: '2'
    Description: Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter
    Type: String
  PrivateSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/19
    Description: CIDR block for private subnet 1 located in Availability Zone 1
    Type: String
  PrivateSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.32.0/19
    Description: CIDR block for private subnet 2 located in Availability Zone 2
    Type: String
  # Optional: no AllowedPattern because the empty default must be accepted; it is
  # replaced by AWS::NoValue when IsTwoAz, so it is only validated by the VPC stack.
  PrivateSubnet3CIDR:
    Default: ''
    Description: CIDR block for private subnet 3 located in Availability Zone 3
    Type: String
  PublicSubnet1CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.128.0/20
    Description: CIDR Block for the public subnet 1 located in Availability Zone 1
    Type: String
  PublicSubnet2CIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.144.0/20
    Description: CIDR Block for the public subnet 2 located in Availability Zone 2
    Type: String
  # Optional, same handling as PrivateSubnet3CIDR.
  PublicSubnet3CIDR:
    Default: ''
    Description: CIDR Block for the public subnet 3 located in Availability Zone 3
    Type: String
  # Source range allowed to reach the workshop ELBs; forwarded to WorkshopInstances.
  # Unlike the subnet/VPC CIDR parameters this pattern accepts any prefix length
  # (/0 to /32), so 0.0.0.0/0 passes validation. The default equals the VPCCIDR
  # default, i.e. VPC-internal access only; widen deliberately, not by accident.
  WEBCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/x.
    Description: Allowed CIDR block for external access to the ELBs.
    Default: 10.0.0.0/16
    Type: String
  QSS3BucketName:
    AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$
    ConstraintDescription:
      Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-)
    Default: aws-quickstart
    Description:
      S3 bucket name for the Quick Start assets. Quick Start bucket name can include numbers, lowercase letters, uppercase letters, and hyphens (-).
      It cannot start or end with a hyphen (-)
    Type: String
  # Only used when UsingDefaultBucket is false (see the TemplateURL S3Region mapping).
  QSS3BucketRegion:
    Default: us-east-1
    Description: The AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. When using your own bucket, you must specify this value
    Type: String
  QSS3KeyPrefix:
    AllowedPattern: ^[0-9a-zA-Z-/]*$
    ConstraintDescription: Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slash (/)
    Default: quickstart-microsoft-activedirectory/
    Description:
      S3 key prefix for the Quick Start assets. Quick Start key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and
      forward slash (/)
    Type: String
  VPCCIDR:
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-8]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28
    Default: 10.0.0.0/16
    Description: CIDR Block for the VPC
    Type: String
Conditions:
  IsTwoAz: !Equals [!Ref 'NumberOfAZs', '2']
  # With the default bucket the assets live in a region-suffixed bucket in the
  # deploying Region; a custom bucket is used as named, in QSS3BucketRegion.
  UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart']
Resources:
  # Nested templates are fetched over HTTPS from S3 using the partition's URL suffix.
  # The URL is built from three user-controlled parameters (bucket, region, prefix),
  # so anyone who can set those parameters chooses what template gets deployed.
  VPCStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workshop/aws-vpc.template.yaml'
        - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        NumberOfAZs: !If [IsTwoAz, '2', '3']
        PrivateSubnet1ACIDR: !Ref 'PrivateSubnet1CIDR'
        PrivateSubnet2ACIDR: !Ref 'PrivateSubnet2CIDR'
        # Third-AZ CIDRs are omitted entirely (AWS::NoValue) in the two-AZ case so
        # the VPC template falls back to its own defaults rather than receiving ''.
        PrivateSubnet3ACIDR: !If [IsTwoAz, !Ref 'AWS::NoValue', !Ref 'PrivateSubnet3CIDR']
        PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR'
        PublicSubnet2CIDR: !Ref 'PublicSubnet2CIDR'
        PublicSubnet3CIDR: !If [IsTwoAz, !Ref 'AWS::NoValue', !Ref 'PublicSubnet3CIDR']
        VPCCIDR: !Ref 'VPCCIDR'
  ADStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workshop/ad-workshop.template.yaml'
        - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        ADEdition: !Ref 'ADEdition'
        DHCPOptionSet: !Ref 'DHCPOptionSet'
        DomainDNSName: !Ref 'DomainDNSName'
        DomainNetBIOSName: !Ref 'DomainNetBIOSName'
        MgmtDataDriveSizeGiB: !Ref 'MgmtDataDriveSizeGiB'
        MgmtServer: !Ref 'MgmtServer'
        MgmtServerInstanceType: !Ref 'MgmtServerInstanceType'
        MgmtServerNetBIOSName: !Ref 'MgmtServerNetBIOSName'
        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID'
        PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID'
        # The AD stack places its management server in this public subnet.
        PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
        QSS3BucketName: !Ref 'QSS3BucketName'
        QSS3BucketRegion: !Ref 'QSS3BucketRegion'
        QSS3KeyPrefix: !Ref 'QSS3KeyPrefix'
        VPCCIDR: !Ref 'VPCCIDR'
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
  WorkshopInstances:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub
        - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/workshop/SystemManagerLab.yaml'
        - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion]
          S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName]
      Parameters:
        # ADSecretsArn is the AD stack's "Managed AD Admin Secrets" output, i.e. the
        # directory administrator credential, handed to the lab instances for domain
        # join. NOTE(review): for anything beyond a workshop, use a dedicated
        # least-privilege domain-join account/secret here instead of the admin secret.
        DomainJoinSecrets: !GetAtt 'ADStack.Outputs.ADSecretsArn'
        PublicSubnet1ID: !GetAtt 'VPCStack.Outputs.PublicSubnet1ID'
        PublicSubnet2ID: !GetAtt 'VPCStack.Outputs.PublicSubnet2ID'
        PrivateSubnet1ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet1AID'
        PrivateSubnet2ID: !GetAtt 'VPCStack.Outputs.PrivateSubnet2AID'
        WEBCIDR: !Ref WEBCIDR
        VPCID: !GetAtt 'VPCStack.Outputs.VPCID'
--------------------------------------------------------------------------------
/templates/workshop/asgparams.json:
--------------------------------------------------------------------------------
[
    {
        "ParameterKey": "ASGMinSize",
        "ParameterValue": "2"
    },
    {
        "ParameterKey": "ASGMaxSize",
        "ParameterValue": "4"
    },
    {
        "ParameterKey": "ASGDesiredCapacity",
        "ParameterValue": "2"
},
    {
        "ParameterKey": "VPCID",
        "ParameterValue": "vpc-b0359bac"
    },
    {
        "ParameterKey": "ELBSubnets",
        "ParameterValue": "subnet-a0246dcd,subnet-b0359bac"
    },
    {
        "ParameterKey": "WorkloadSubnets",
        "ParameterValue": "subnet-a0246dcd,subnet-b0359bac"
    }
]
--------------------------------------------------------------------------------
/templates/workshop/autoscaling-windows.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: "2010-09-09"
Description: Autoscaling Group set to trigger an SSM Active Directory (AD) Document at creation and termination. (qs-1scnfaiha)
# Workshop IIS tier: an Auto Scaling group of Windows instances behind an HTTP ALB.
# Instance launch/terminate lifecycle hooks are turned into EventBridge events that
# start SSM Automation documents (imported from another stack) to domain-join and
# configure IIS on scale-out and to un-join on scale-in. Cross-stack imports used:
# SetupConfigurationDocArn, RemoveConfigurationDocArn, DomainMemberSG,
# InstanceProfile, DSCBucket.
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Launch Template Configuration
        Parameters:
          - ImageId
          - IISServerInstanceType
      - Label:
          default: Amazon EC2 Auto Scaling Configuration
        Parameters:
          - ASGDesiredCapacity
          - ASGMinSize
          - ASGMaxSize
          - WorkloadSubnets
      - Label:
          default: Amazon ELB Configuration
        Parameters:
          - ELBSubnets
          - ELBSchemeParameter
          - VPCID
      - Label:
          default: Active Directory Configuration
        Parameters:
          - DomainDNSName
    ParameterLabels:
      ImageId:
        default: Amazon Machine Image (AMI) Id
      IISServerInstanceType:
        default: Instance Type
      WorkloadSubnets:
        default: VPC Subnets
      ASGMinSize:
        default: Minimum Size
      ASGMaxSize:
        default: Maximum Size
      ASGDesiredCapacity:
        default: Desired Capacity
      ELBSubnets:
        default: ELB Subnets
      ELBSchemeParameter:
        default: ELB Scheme
      VPCID:
        default: ELB VPC ID
      DomainDNSName:
        default: Domain DNS Name
Parameters:
  # Only used here as the value of the ASG's "Domain" tag; the domain to join is
  # expected to be read from that tag by the automation document (not visible here).
  DomainDNSName:
    AllowedPattern: '[a-zA-Z0-9\-]+\..+'
    Default: example.com
    Description: Fully qualified domain name (FQDN).
    MaxLength: "255"
    MinLength: "2"
    Type: String
  # Resolved from SSM Parameter Store at deploy time, so the launch template always
  # tracks the latest AWS-published Windows Server 2019 Core AMI.
  # NOTE(review): the type as rendered here lacks the usual <AWS::EC2::Image::Id>
  # generic argument; it was probably stripped by the HTML rendering — confirm in the
  # repository source.
  ImageId:
    Type: AWS::SSM::Parameter::Value
    Default: /aws/service/ami-windows-latest/Windows_Server-2019-English-Core-Base
    Description:
      "Enter an AMI Id. The default value is Windows Server 2019 Core:
      /aws/service/ami-windows-latest/Windows_Server-2019-English-Core-Base."
  IISServerInstanceType:
    AllowedValues:
      - t3.large
      - m5.large
    Default: t3.large
    Description: Amazon EC2 instance type for the Internet Information Services servers
    Type: String
  VPCID:
    Type: AWS::EC2::VPC::Id
    Description: List of Virtual Private Cloud (VPC) Ids in your account.
  # Selects the ALB scheme only; it does NOT change the ALB security group, whose
  # port-80 ingress is 0.0.0.0/0 in both cases (see ALBSecurityGroup).
  ELBSchemeParameter:
    Type: String
    Default: internet-facing
    AllowedValues:
      - internet-facing
      - internal
    Description: Select whether the ELB is internet-facing (public) or internal (private).
  ASGMinSize:
    Type: Number
    Description: Minimum instance size for the Auto Scaling Group.
  ASGMaxSize:
    Type: Number
    Description: Maximum instance size for the Auto Scaling Group.
  ASGDesiredCapacity:
    Type: Number
    Description: Desired capacity instance size for the Auto Scaling Group.
  # NOTE(review): "Type: List" on its own is not a CloudFormation parameter type; the
  # generic argument (e.g. a subnet-id list type) was presumably stripped by the HTML
  # rendering, as with ImageId above — confirm in the repository source.
  ELBSubnets:
    Description: IDs of the ELB subnets (e.g., subnet-a0246dcd)
    Type: List
  WorkloadSubnets:
    Description: IDs of the private subnets (e.g., subnet-a0246dcd)
    Type: List
Resources:
  ######################
  # Security Resources #
  ######################

  # Role assumed by EventBridge to start the two imported Automation documents.
  # Trust policy is limited to events.amazonaws.com; ssm:StartAutomationExecution is
  # limited to the two document ARNs. iam:PassRole is on Resource "*" but gated by
  # iam:AssociatedResourceARN to those same documents, so a role can only be passed
  # into executions of these documents. NOTE(review): if the automation's assume-role
  # ARN is known at deploy time, listing it as the PassRole Resource instead of "*"
  # would be tighter.
  EventBridgeSSMAutoRole:
    Type: AWS::IAM::Role
    Properties:
      Description: EventBridge IAM role which will trigger Automation Document & pass role to SSM role.
      Policies:
        - PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:StartAutomationExecution
                Resource:
                  - !ImportValue SetupConfigurationDocArn
                  - !ImportValue RemoveConfigurationDocArn
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource: "*"
                Condition:
                  StringLike:
                    "iam:AssociatedResourceARN":
                      - !ImportValue SetupConfigurationDocArn
                      - !ImportValue RemoveConfigurationDocArn
          PolicyName: ssm-start-automation
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action: sts:AssumeRole

  # Edge security group for the ALB: plain HTTP (tcp/80) from anywhere. There is no
  # TLS listener anywhere in this template, so all workshop web traffic is cleartext.
  # NOTE(review): the source CIDR is hard-coded rather than parameterised; for any
  # non-workshop use restrict it and add an HTTPS listener with a certificate.
  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for ALB
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
      VpcId: !Ref "VPCID"

  # Instance-side group: tcp/80 only from the ALB's security group, so the IIS hosts
  # are not directly reachable from the internet on that port.
  ALBListenersSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security group for listeners of ALB
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !GetAtt ALBSecurityGroup.GroupId
      VpcId: !Ref "VPCID"

  #######################
  # ASG Resources #
  #######################

  # Instances get the cross-stack DomainMemberSG (domain-member traffic) plus the ALB
  # listener group, and the imported instance profile the SSM automation relies on.
  # No UserData or key pair is defined here; configuration is SSM-driven.
  EC2LaunchTemplateResource:
    Type: AWS::EC2::LaunchTemplate
    DeletionPolicy: Delete
    Properties:
      LaunchTemplateData:
        InstanceType: !Ref "IISServerInstanceType"
        ImageId: !Ref "ImageId"
        SecurityGroupIds:
          - !ImportValue DomainMemberSG
          - !Ref ALBListenersSecurityGroup
        IamInstanceProfile:
          Name: !ImportValue InstanceProfile

  ALBResource:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: !Ref "ELBSchemeParameter"
      Subnets: !Ref ELBSubnets
      SecurityGroups:
        - !Ref ALBSecurityGroup

  # Health-check settings are very lenient (300s interval, 120s timeout, 10 failures
  # before unhealthy) — presumably to ride out domain join and IIS configuration
  # after launch; confirm before reusing outside the workshop.
  ALBTargetGroupResource:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Port: 80
      Protocol: HTTP
      VpcId: !Ref "VPCID"
      HealthyThresholdCount: 5
      HealthCheckTimeoutSeconds: 120
      HealthCheckIntervalSeconds: 300
      UnhealthyThresholdCount: 10
      TargetGroupAttributes:
        - Key: deregistration_delay.timeout_seconds
          Value: "60"

  # HTTP-only listener; see the note on ALBSecurityGroup.
  ALBListenerResource:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref "ALBResource"
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref "ALBTargetGroupResource"

  # DependsOn guarantees both EventBridge rules exist before the first instance
  # launches; otherwise the launch lifecycle event would have no consumer and the
  # hook would time out. DefaultResult ABANDON on the launch hook means an instance
  # whose automation does not complete the lifecycle action within HeartbeatTimeout
  # (1200s) is terminated instead of entering service; on the terminate hook it
  # simply lets termination proceed after 600s.
  ASGResource:
    DependsOn:
      - ScaleUpEventBridgeResource
      - ScaleDownEventBridgeResource
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      # Name is fixed from the stack name so the EventBridge rules below can match on it.
      AutoScalingGroupName: !Sub ASG-${AWS::StackName}
      MinSize: !Ref "ASGMinSize"
      MaxSize: !Ref "ASGMaxSize"
      DesiredCapacity: !Ref "ASGDesiredCapacity"
      # EC2 (not ELB) health checks: a target failing the ALB health check is not
      # replaced by the ASG.
      HealthCheckType: EC2
      HealthCheckGracePeriod: 60
      Cooldown: "30"
      LaunchTemplate:
        LaunchTemplateId: !Ref "EC2LaunchTemplateResource"
        Version: !GetAtt "EC2LaunchTemplateResource.LatestVersionNumber"
      VPCZoneIdentifier: !Ref WorkloadSubnets
      TargetGroupARNs:
        - !Ref "ALBTargetGroupResource"
      LifecycleHookSpecificationList:
        - LifecycleTransition: autoscaling:EC2_INSTANCE_LAUNCHING
          LifecycleHookName: DomainJoinHook
          DefaultResult: ABANDON
          HeartbeatTimeout: 1200
        - LifecycleTransition: autoscaling:EC2_INSTANCE_TERMINATING
          LifecycleHookName: DomainUnjoinHook
          DefaultResult: ABANDON
          HeartbeatTimeout: 600
      Tags:
        - Key: Domain
          Value: !Ref "DomainDNSName"
          PropagateAtLaunch: true

  #########################
  # EventBridge Resources #
  #########################

  # Matches "EC2 Instance-launch Lifecycle Action" events for this ASG only and starts
  # the setup document with the instance id, ASG name, hook name and the DSC bucket.
  # NOTE(review): the InputTemplate as rendered here contains empty arrays ("[]");
  # the original presumably used <InstanceId>-style placeholders for the
  # InputPathsMap keys and the HTML rendering stripped them — confirm against source.
  ScaleUpEventBridgeResource:
    Type: AWS::Events::Rule
    Properties:
      State: ENABLED
      Description: Run Configuration Document that Joins Domain and Configures IIS.
      EventPattern:
        source:
          - aws.autoscaling
        detail-type:
          - EC2 Instance-launch Lifecycle Action
        detail:
          AutoScalingGroupName:
            - !Sub ASG-${AWS::StackName}
      Targets:
        - Arn: !ImportValue SetupConfigurationDocArn
          Id: Windows-Scale-Out
          RoleArn: !GetAtt EventBridgeSSMAutoRole.Arn
          InputTransformer:
            InputPathsMap:
              InstanceId: $.detail.EC2InstanceId
              ASGName: $.detail.AutoScalingGroupName
              LCHName: $.detail.LifecycleHookName
            InputTemplate:
              Fn::Sub:
                - '{"InstanceId":[],"ASGName":[],"LCHName":[],"ConfigBucket":["${DSCBucket}"]}'
                - DSCBucket: !ImportValue DSCBucket
  # Mirror of the rule above for the terminate lifecycle action; same rendering caveat
  # applies to its InputTemplate.
  ScaleDownEventBridgeResource:
    Type: AWS::Events::Rule
    Properties:
      State: ENABLED
      Description: Run Removal Document that Un-joins Domain.
      EventPattern:
        source:
          - aws.autoscaling
        detail-type:
          - EC2 Instance-terminate Lifecycle Action
        detail:
          AutoScalingGroupName:
            - !Sub ASG-${AWS::StackName}
      Targets:
        - Arn: !ImportValue RemoveConfigurationDocArn
          Id: Windows-Scale-In
          RoleArn: !GetAtt EventBridgeSSMAutoRole.Arn
          InputTransformer:
            InputPathsMap:
              InstanceId: $.detail.EC2InstanceId
              ASGName: $.detail.AutoScalingGroupName
              LCHName: $.detail.LifecycleHookName
            InputTemplate:
              Fn::Sub:
                - '{"InstanceId":[],"ASGName":[],"LCHName":[],"ConfigBucket":["${DSCBucket}"]}'
                - DSCBucket: !ImportValue DSCBucket
Outputs:
  # http:// by design — there is no HTTPS listener in this template.
  ELBUrl:
    Description: DNS name of the ELB.
    Value: !Sub http://${ALBResource.DNSName}
  LaunchTemplateId:
    Description: Launch template Id
    Value: !Ref "EC2LaunchTemplateResource"
--------------------------------------------------------------------------------
/templates/workshop/copy-mofs.yaml:
--------------------------------------------------------------------------------
AWSTemplateFormatVersion: "2010-09-09"
Description: MOF files to be copied to designated s3 bucket (qs-1scnfaifg)
Parameters:
  Bucket:
    Description: "Name of bucket to copy MOFs, if not leave blank and one will be created."
    Type: "String"
    Default: ""
  DomainJoinSecrets:
    Description: "Name of secret to join domain"
    Type: "String"
    Default: ""
Conditions:
  CreateBucket: !Equals
    - !Ref Bucket
    - ""
Resources:
  ######################
  # Security Resources #
  ######################

  WriteS3LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:DeleteObject
                  - s3:ListBucket
                Resource:
                  - !If [
                      CreateBucket,
                      !Sub "arn:aws:s3:::${ConfigBucket}",
                      !Sub "arn:aws:s3:::${Bucket}",
                    ]
                  - !If [
                      CreateBucket,
                      !Sub "arn:aws:s3:::${ConfigBucket}/*",
                      !Sub "arn:aws:s3:::${Bucket}/*",
                    ]
          PolicyName: write-mof-s3-policy
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"

  ###############
  # S3 Bucket #
  ###############

  ConfigBucket:
    Condition: CreateBucket
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
| - ServerSideEncryptionByDefault: 68 | SSEAlgorithm: AES256 69 | PublicAccessBlockConfiguration: 70 | BlockPublicAcls: true 71 | BlockPublicPolicy: true 72 | IgnorePublicAcls: true 73 | RestrictPublicBuckets: true 74 | VersioningConfiguration: 75 | Status: Enabled 76 | LifecycleConfiguration: 77 | Rules: 78 | - Id: DeleteAfter30Days 79 | ExpirationInDays: 30 80 | Status: Enabled 81 | Prefix: "logs/" 82 | 83 | ###################### 84 | # Lambda Functions # 85 | ###################### 86 | 87 | WriteMOFFunction: 88 | Type: AWS::Lambda::Function 89 | Properties: 90 | Code: 91 | ZipFile: | 92 | import json 93 | import logging 94 | import threading 95 | import boto3 96 | import cfnresponse 97 | def create_object(bucket, body, key): 98 | s3 = boto3.client('s3') 99 | s3.put_object(Body=body,Bucket=bucket, Key=key) 100 | def delete_objects(bucket, key): 101 | s3 = boto3.client('s3') 102 | objects = s3.list_objects_v2(Bucket=bucket) 103 | logsobjects = s3.list_objects_v2(Bucket=bucket, Prefix='logs') 104 | if logsobjects['KeyCount'] != 0: 105 | for object in logsobjects['Contents']: 106 | s3.delete_object(Bucket=bucket, Key=object['Key']) 107 | s3.delete_object(Bucket=bucket, Key=key) 108 | else: 109 | s3.delete_object(Bucket=bucket, Key=key) 110 | def timeout(event, context): 111 | logging.error('Execution is about to time out, sending failure response to CloudFormation') 112 | cfnresponse.send(event, context, cfnresponse.FAILED, {}, None) 113 | def handler(event, context): 114 | # make sure we send a failure to CloudFormation if the function is going to timeout 115 | timer = threading.Timer((context.get_remaining_time_in_millis() / 1000.00) - 0.5, timeout, args=[event, context]) 116 | timer.start() 117 | print('Received event: %s' % json.dumps(event)) 118 | status = cfnresponse.SUCCESS 119 | try: 120 | bucket = event['ResourceProperties']['Bucket'] 121 | body = event['ResourceProperties']['Body'] 122 | key = event['ResourceProperties']['Key'] 123 | if 
event['RequestType'] == 'Delete': 124 | delete_objects(bucket, key) 125 | else: 126 | create_object(bucket, body, key) 127 | except Exception as e: 128 | logging.error('Exception: %s' % e, exc_info=True) 129 | status = cfnresponse.FAILED 130 | finally: 131 | timer.cancel() 132 | object_url = f'https://{bucket}.s3.amazonaws.com/{key}' 133 | cfnresponse.send(event, context, status, {}, object_url) 134 | Handler: index.handler 135 | Role: !GetAtt "WriteS3LambdaRole.Arn" 136 | Runtime: python3.11 137 | Timeout: 240 138 | 139 | ###################### 140 | # Custom Resources # 141 | ###################### 142 | 143 | WriteDomainJoinIISMOF: 144 | Type: Custom::WriteMOFFile 145 | Properties: 146 | ServiceToken: !GetAtt WriteMOFFunction.Arn 147 | Bucket: !If [CreateBucket, !Ref ConfigBucket, !Ref Bucket] 148 | Key: "DomainJoinWebBuild.mof" 149 | Body: !Sub | 150 | /* 151 | @TargetNode='localhost' 152 | */ 153 | instance of MSFT_Credential as $MSFT_Credential1ref 154 | { 155 | Password = "stringdoesntmatter"; 156 | UserName = "${DomainJoinSecrets}"; 157 | 158 | }; 159 | instance of DSC_Computer as $DSC_Computer1ref 160 | { 161 | ResourceID = "[Computer]JoinDomain"; 162 | Credential = $MSFT_Credential1ref; 163 | DomainName = "{tag:DomainToJoin}"; 164 | Name = "{tag:Name}"; 165 | ModuleName = "ComputerManagementDsc"; 166 | ModuleVersion = "8.0.0"; 167 | ConfigurationName = "DomainJoin"; 168 | }; 169 | WriteWebBuildMOF: 170 | Type: Custom::WriteMOFFile 171 | Properties: 172 | ServiceToken: !GetAtt WriteMOFFunction.Arn 173 | Bucket: !If [CreateBucket, !Ref ConfigBucket, !Ref Bucket] 174 | Key: "WebSite.mof" 175 | Body: | 176 | /* 177 | @TargetNode='localhost' 178 | */ 179 | instance of MSFT_RoleResource as $MSFT_RoleResource1ref 180 | { 181 | ResourceID = "[WindowsFeature]WebServer"; 182 | Ensure = "Present"; 183 | Name = "Web-Server"; 184 | ModuleName = "PSDesiredStateConfiguration"; 185 | ModuleVersion = "1.0"; 186 | ConfigurationName = "WebsiteTest"; 187 | }; 188 | instance 
of MSFT_ScriptResource as $MSFT_ScriptResource1ref 189 | { 190 | ResourceID = "[Script]GetWebFiles"; 191 | GetScript = "\n $filelocation = \"c:\\webfiles\\index.html\"\n Return @{Result = [string]$(test-path $filelocation)}\n "; 192 | TestScript = "\n $filelocation = \"c:\\webfiles\\index.html\"\n if((test-path $filelocation) -eq $false) {\n Write-Verbose 'Files need to be Downloaded'\n Return $false\n } else {\n Write-Verbose 'Files are present locally'\n Return $true\n }\n "; 193 | SetScript = "\n Copy-Item -Path c:\\windows\\temp\\index.html -Destination c:\\inetpub\\wwwroot\\index.html -Force\n "; 194 | ModuleName = "PSDesiredStateConfiguration"; 195 | ModuleVersion = "1.0"; 196 | DependsOn = { 197 | "[WindowsFeature]WebServer"}; 198 | ConfigurationName = "WebsiteTest"; 199 | }; 200 | instance of OMI_ConfigurationDocument 201 | { 202 | Version="2.0.0"; 203 | MinimumCompatibleVersion = "1.0.0"; 204 | CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"}; 205 | Name="WebsiteTest"; 206 | }; 207 | WriteDomainJoinMOF: 208 | Type: Custom::WriteMOFFile 209 | Properties: 210 | ServiceToken: !GetAtt WriteMOFFunction.Arn 211 | Bucket: !If [CreateBucket, !Ref ConfigBucket, !Ref Bucket] 212 | Key: "DomainJoin.mof" 213 | Body: !Sub | 214 | /* 215 | @TargetNode='localhost' 216 | */ 217 | instance of MSFT_Credential as $MSFT_Credential1ref 218 | { 219 | Password = "stringdoesntmatter"; 220 | UserName = "${DomainJoinSecrets}"; 221 | }; 222 | instance of DSC_Computer as $DSC_Computer1ref 223 | { 224 | ResourceID = "[Computer]JoinDomain"; 225 | Credential = $MSFT_Credential1ref; 226 | DomainName = "{tag:DomainToJoin}"; 227 | Name = "{tag:Name}"; 228 | ModuleName = "ComputerManagementDsc"; 229 | ModuleVersion = "8.0.0"; 230 | ConfigurationName = "DomainJoin"; 231 | }; 232 | instance of OMI_ConfigurationDocument 233 | { 234 | Version="2.0.0"; 235 | MinimumCompatibleVersion = "1.0.0"; 236 | CompatibleVersionAdditionalProperties= 
{"Omi_BaseResource:ConfigurationName"}; 237 | Name="DomainJoin"; 238 | }; 239 | WriteDomainRemoveMOF: 240 | Type: Custom::WriteMOFFile 241 | Properties: 242 | ServiceToken: !GetAtt WriteMOFFunction.Arn 243 | Bucket: !If [CreateBucket, !Ref ConfigBucket, !Ref Bucket] 244 | Key: "DomainRemove.mof" 245 | Body: !Sub | 246 | /* 247 | @TargetNode='localhost' 248 | */ 249 | instance of MSFT_RoleResource as $MSFT_RoleResource1ref 250 | { 251 | ResourceID = "[WindowsFeature]RSAT-AD-PowerShell"; 252 | Ensure = "Present"; 253 | Name = "RSAT-AD-PowerShell"; 254 | ModuleName = "PSDesiredStateConfiguration"; 255 | ModuleVersion = "1.0"; 256 | ConfigurationName = "RemoveDomain"; 257 | }; 258 | instance of MSFT_Credential as $MSFT_Credential1ref 259 | { 260 | Password = "stringdoesntmatter"; 261 | UserName = "${DomainJoinSecrets}"; 262 | }; 263 | instance of MSFT_ADComputer as $MSFT_ADComputer1ref 264 | { 265 | ResourceID = "[ADComputer]RemoveDomain"; 266 | Ensure = "Absent"; 267 | Credential = $MSFT_Credential1ref; 268 | ComputerName = "{tag:Name}"; 269 | ModuleName = "ActiveDirectoryDsc"; 270 | ModuleVersion = "6.0.1"; 271 | DependsOn = { 272 | "[WindowsFeature]RSAT-AD-PowerShell"}; 273 | ConfigurationName = "RemoveDomain"; 274 | }; 275 | instance of OMI_ConfigurationDocument 276 | { 277 | Version="2.0.0"; 278 | MinimumCompatibleVersion = "1.0.0"; 279 | CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"}; 280 | Name="RemoveDomain"; 281 | }; 282 | WriteHtmlFile: 283 | Type: Custom::WriteMOFFile 284 | Properties: 285 | ServiceToken: !GetAtt WriteMOFFunction.Arn 286 | Bucket: !If [CreateBucket, !Ref ConfigBucket, !Ref Bucket] 287 | Key: "webfiles/index.html" 288 | Body: !Join 289 | - "" 290 | - - " " 291 | - " " 292 | - >- 293 | 295 | - >- 296 | 298 | - " " 299 | - >- 300 |
Powered by
302 |             AWS Cloud Computing 303 | - "

AWS QuickStart IIS Sample Webpage

" 304 | - "

Congratulations!

Your application is running on Amazon EC2" 305 | --------------------------------------------------------------------------------