Deploy and Configure Active Directory Domain Services on a Windows Server EC2 Instance in AWS

Project Overview

This project demonstrates the process of launching a Windows Server EC2 instance on AWS, remotely connecting to it via Remote Desktop Protocol (RDP), and configuring Active Directory Domain Services (AD DS) on the cloud-hosted server. Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks, used for authenticating and authorizing users and computers.

Objectives

  • Deploy a Windows Server EC2 instance on AWS

  • Connect securely using RDP

  • Install and configure Active Directory Domain Services (AD DS)

  • Promote the server to a Domain Controller

Tools and Technologies Used

Tool / Service                              Purpose
AWS EC2                                     Launch and manage the Windows Server instance
.pem file                                   Used to decrypt the default Administrator password
Remote Desktop (mstsc)                      Access the Windows Server GUI
Windows Server Manager                      Install roles and manage AD DS
Active Directory Domain Services (AD DS)    Set up the domain controller
PowerShell / Server Manager                 Administer and configure services

Step-by-Step Implementation

Step 1: Launch EC2 Instance (Windows Server)

  1. Log into the AWS Management Console

  2. Navigate to EC2 Dashboard > Instances > Launch Instance

  3. Choose an Amazon Machine Image (AMI) such as:

    • Microsoft Windows Server 2022 Base
  4. Choose t2.medium or t2.large (based on performance needs)

  5. Key Pair Settings:

    • Create a new key pair (.pem file) or use an existing one
  6. Configure Network Settings:

    • Ensure port 3389 (RDP) is open only to your own IP address, never to the whole internet
  7. Click Launch Instance

Step 2: Decrypt Administrator Password

  1. Wait until the instance state is Running and both status checks have passed

  2. Go to Instances > Actions > Security > Get Windows Password

  3. Upload your .pem file to decrypt the password

  4. Copy the username (Administrator) and the decrypted password

Step 3: Connect via Remote Desktop

  1. Open Remote Desktop Connection on your local system:

    • Run → mstsc
  2. Enter your Public IPv4 address from the EC2 dashboard

  3. Use the Administrator username and the decrypted password

  4. You are now connected to the Windows Server GUI
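Steps 1 to 3 can also be driven from PowerShell with the AWS CLI; the block below is an added example, not code from the original post, and it tightens the RDP rule to your own address before the password is retrieved. The instance id, security group id, key path and region are placeholders you must replace.

```powershell
# Added example, not part of the original post: Steps 1 to 3 with the AWS CLI
# from PowerShell. Placeholder values (assumptions) must be replaced first.
$InstanceId      = 'i-0123456789abcdef0'   # placeholder instance id
$SecurityGroupId = 'sg-0123456789abcdef0'  # placeholder security group of the instance
$PemPath         = 'C:\keys\adds-lab.pem'  # placeholder path to the key pair file
$Region          = 'us-east-1'             # assumed region

# Public IPv4 address the RDP rule is limited to (checkip.amazonaws.com is AWS's
# own echo service; paste the address by hand if you prefer).
$Cidr = (Invoke-RestMethod -Uri 'https://checkip.amazonaws.com').Trim() + '/32'

# Drop the "RDP from anywhere" rule if the launch wizard created one; the error
# returned when no such rule exists is deliberately ignored.
aws ec2 revoke-security-group-ingress --group-id $SecurityGroupId --region $Region `
    --protocol tcp --port 3389 --cidr 0.0.0.0/0 2>$null

# Allow TCP/3389 from the single admin address only.
aws ec2 authorize-security-group-ingress --group-id $SecurityGroupId --region $Region `
    --protocol tcp --port 3389 --cidr $Cidr

# Step 2: block until both status checks pass, then decrypt the Administrator
# password with the private key. It stays in memory and is never written to disk.
aws ec2 wait instance-status-ok --instance-ids $InstanceId --region $Region
$AdminPassword = aws ec2 get-password-data --instance-id $InstanceId --region $Region `
    --priv-launch-key $PemPath --query 'PasswordData' --output text

# Step 3: open mstsc against the public IPv4 address. The password is put on the
# clipboard for the logon prompt and overwritten once the session ends.
$PublicIp = aws ec2 describe-instances --instance-ids $InstanceId --region $Region `
    --query 'Reservations[0].Instances[0].PublicIpAddress' --output text
Set-Clipboard -Value $AdminPassword
Start-Process -FilePath mstsc.exe -ArgumentList "/v:$PublicIp" -Wait
Set-Clipboard -Value ' '
$AdminPassword = $null
```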

Step 4: Install Active Directory Domain Services (AD DS)

  1. Launch Server Manager on the Windows Server

  2. Go to Manage > Add Roles and Features

  3. Choose the following:

    • Installation type: Role-based or feature-based installation

    • Server selection: Your current EC2 instance

    • Role: Check Active Directory Domain Services

  4. Follow through with the defaults and click Install

  5. Wait for the installation to complete (no reboot yet)

Ensure Role-based or feature-based installation is selected, then click Next.

Click Install to begin the installation and wait.

Step 5: Promote the Server to a Domain Controller

  1. In Server Manager, click Notifications flag > Promote this server to a domain controller

  2. Select Add a new forest, enter your root domain name (e.g., corp.example.com)

  3. Choose:

    • Domain Controller capabilities: DNS, GC (Global Catalog)

    • Set the Directory Services Restore Mode (DSRM) password

  4. Proceed with default options, review, and install

  5. Server will automatically reboot

Enter the Directory Services Restore Mode (DSRM) password, which is needed if the directory ever has to be restored, and click “Next”:

We do not need to create a DNS delegation here; click the “Next” button:

Wait a few moments; the domain name should be displayed; click the “Next” button:

Review the entered options and, if everything is correct, click the “Next” button:

Start the role installation procedure by clicking the “Install” button:

You will now need to wait several minutes for the role to be fully installed. The machine will automatically reboot once the process is complete (the process may take a long time):

The server will reboot and display this login window; enter the administrator password as you defined it during server installation:

Your server's home screen displays the Server Manager (dashboard). You can see that the "AD DS" and "DNS" roles are now installed and configured (left panel):

The Server Manager also displays the status of the services (see above) in green once they are initialized (depending on your hypervisor's resources, the "green" status may not be immediate). The "Tools" menu will be the main menu used thereafter. Once the AD DS role is installed, check the IP settings by clicking on "Local Server" (left pane) and on the "Ethernet" link with the IP address configured during installation:

Right-click on the “Ethernet” icon and click “Properties”:

Double-click on the “Internet Protocol Version 4 (TCP/IPv4)” option:

We can see that the DNS server has been configured on the "localhost" address, namely 127.0.0.1. It is recommended that you change this, as it can cause errors later:

Replace the localhost address 127.0.0.1 with the IP address of your server and validate the modification:
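The same role installation, forest promotion and DNS client change can be done from an elevated PowerShell session on the instance. This is an added example, not code from the original post; it assumes the forest root skeptic.sio (the domain used in the screenshots), the NetBIOS name SKEPTIC and a network adapter alias of "Ethernet", and it prompts for the DSRM password rather than storing it.

```powershell
# Added example, not part of the original post: Steps 4 and 5 plus the DNS client
# change, run in an elevated PowerShell session on the instance.
# Assumptions: forest root skeptic.sio, NetBIOS name SKEPTIC, adapter alias "Ethernet".
$DomainName  = 'skeptic.sio'
$NetbiosName = 'SKEPTIC'
$NicAlias    = 'Ethernet'

# Step 4: install the AD DS role plus its management tools (ADDSDeployment and
# ActiveDirectory modules). No reboot is needed at this point.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 5: promote to the first domain controller of a new forest. DNS and the
# Global Catalog are installed as in the wizard; no DNS delegation is created.
Import-Module ADDSDeployment
$Dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Dry run first: the same prerequisite checks the wizard performs, without changes.
$Check = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns -SafeModeAdministratorPassword $Dsrm
if ($Check.Status -ne 'Success') { $Check.Message; throw 'Forest pre-check failed' }

Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $Dsrm -Force
# The instance reboots automatically here. Reconnect over RDP as SKEPTIC\Administrator
# (same password as before) and continue with the lines below.

# Post-reboot: replace the 127.0.0.1 DNS client entry written by the promotion with
# the server's own IPv4 address (the "Properties" edit above), then show the result.
$Nic   = Get-NetAdapter -Name $NicAlias
$OwnIp = (Get-NetIPAddress -InterfaceIndex $Nic.ifIndex -AddressFamily IPv4 |
          Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress   # skips link-local
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses $OwnIp
Get-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -AddressFamily IPv4
```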

CREATE AN ORGANIZATIONAL UNIT IN ACTIVE DIRECTORY

Organizational units (called "OU") are containers for objects that facilitate directory organization and allow for multi-level organization. Without organizational units, the directory would not be able to be sorted properly and administration would be less efficient. Organizational units can be compared to folders that allow objects to be stored within them.

A window appears with the name of your domain controller (“skeptic.sio” in our case):

• Click on “>” to expand your Active Directory tree structure:

Right-click on the name of your domain controller and click “New” - “Organizational Unit”:

• A window appears, enter the name of your organizational unit (here, we have used the name of our domain). Please note, if you want to keep the possibility of deleting the organizational unit later, you must uncheck the box “Protect the container against accidental deletion”. Confirm the creation of your organizational unit by clicking the “OK” button:

The OU now appears in your Active Directory as:

We will create two other organizational units inside the general organizational unit, which we will name "profs" and "élèves". To do this, perform the following steps:

• Right-click on the previously created organizational unit and click “New” - “Organizational Unit”:

• Create the “profs” OU and validate by clicking the “OK” button:

Your tree structure should look like this:

Repeat the previous operation to create the “élèves” OU to obtain this:

Our Active Directory structure is now ready. We will now add users to our Active Directory.

CREATE USERS AND USER GROUPS IN THE ACTIVE DIRECTORY

• Right-click on the "profs" OU and create a user by clicking "New" - "User":

Note:

By right-clicking on the "profs" OU, the user will be automatically added to the OU. If you right-click on "Users" the user will not be added to the "profs" OU and will need to be moved to the appropriate OU.

• A window will appear; enter the new user's ID and click "Next":

• Enter a strong password for the user and configure the options related to the user session password according to your security policy; confirm your choices by clicking “Next”:

• Confirm the creation of your user by clicking “Finish”:

Your user was created directly in the “profs” organizational unit:

Repeat the operation to create another user “prof2” in the “profs” organizational unit and “élève1”, “élève2” in the “élèves” unit.

Note: To create another user, you can right-click on the "prof1" user and click "Copy" (another option).

Your Active Directory should look like this:

CREATING A USER GROUP IN ACTIVE DIRECTORY:

Creating "user groups" is useful because they allow for better rights management for the users who are members of the group.

• Right-click on the “profs” OU and click “New” - “Group”:

• Enter a group name and click the “OK” button:

The tree structure looks like this:

Next:

Add the members to the appropriate group (profs):

• Double-click on the name of the group concerned

A window will appear; click "Add":

• Enter the name of the users concerned, for example “prof1” and click the “Check names” button:

If the user is located in the Active Directory, the window displays this:

• Enter the name of the other user to add to the group:

If the user is located in the Active Directory, the window displays the following:

• Click the "OK" button; you will see the following:

• Click the "OK" button again to confirm the addition of these users to the "profs" group. Repeat these steps to create a group called “GROUP ELEVE” in the "élèves" OU, to which you will add the relevant users ("élève1" and "élève2").

You should obtain the following tree structure:

Our Active Directory is now ready.

Note:
It's important to properly structure your Active Directory based on your company's organization. Dividing it into organizational units ("OUs") and user groups will facilitate future management of your Active Directory, especially when you need to implement various policies.
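The OU, user and group structure built above through the GUI can be scripted with the ActiveDirectory module. The block below is an added example, not code from the original post; it assumes the skeptic.sio domain, the group name GROUP PROF for the teachers' group (the post only names GROUP ELEVE), and one initial password for all lab users, which each user must change at first logon. Re-running it is safe because existing objects are reused.

```powershell
# Added example, not part of the original post: the OU, user and group structure
# from the screenshots, built with the ActiveDirectory module.
# Assumptions: domain skeptic.sio, group names GROUP PROF and GROUP ELEVE,
# one prompted initial password for the lab users (changed at first logon).
Import-Module ActiveDirectory
$Domain    = Get-ADDomain
$InitialPw = Read-Host -AsSecureString -Prompt 'Initial password for the new users'

function Get-OrCreateOu([string]$Name, [string]$Path) {
    $dn = "OU=$Name,$Path"
    try { Get-ADOrganizationalUnit -Identity $dn | Out-Null }
    catch {
        # Unprotected so the lab OU can be deleted later (the wizard's checkbox).
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $false
    }
    return $dn
}

# Top-level OU named after the domain, then "profs" and "élèves" inside it.
$RootOu = Get-OrCreateOu -Name $Domain.DNSRoot -Path $Domain.DistinguishedName
$Layout = @{
    'profs'  = @{ Users = @('prof1', 'prof2');   Group = 'GROUP PROF'  }
    'élèves' = @{ Users = @('élève1', 'élève2'); Group = 'GROUP ELEVE' }
}

foreach ($ouName in $Layout.Keys) {
    $ouDn = Get-OrCreateOu -Name $ouName -Path $RootOu
    $spec = $Layout[$ouName]

    # Users are created directly in their OU (no later move from "Users" needed).
    foreach ($sam in $spec.Users) {
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
            New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "$sam@$($Domain.DNSRoot)" `
                -Path $ouDn -AccountPassword $InitialPw -Enabled $true -ChangePasswordAtLogon $true
        }
    }

    # Global security group in the same OU, then add only the members still missing.
    if (-not (Get-ADGroup -Filter "Name -eq '$($spec.Group)'")) {
        New-ADGroup -Name $spec.Group -GroupScope Global -GroupCategory Security -Path $ouDn
    }
    $current = Get-ADGroupMember -Identity $spec.Group | Select-Object -ExpandProperty SamAccountName
    $missing = $spec.Users | Where-Object { $_ -notin $current }
    if ($missing) { Add-ADGroupMember -Identity $spec.Group -Members $missing }
}
Get-ADObject -Filter * -SearchBase $RootOu | Sort-Object DistinguishedName | Format-Table Name, ObjectClass
```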

Security Recommendation

  • Only open RDP (port 3389) to trusted IPs

  • Regularly update Windows Server

  • Enable CloudWatch monitoring and configure alarms

  • Create regular snapshots and backups

  • Consider implementing Multi-Factor Authentication (MFA) for RDP access

  • Use Security Groups and IAM roles appropriately

Testing & Validation

  • Test domain login with created AD users

  • Confirm DNS settings and replication (if deploying multiple domain controllers)

  • Validate remote management using RSAT (Remote Server Administration Tools)
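The validation items above as checks run on the new domain controller; this is an added example, not code from the original post. It assumes the skeptic.sio lab, its root OU and the GROUP ELEVE group, and the credential test uses a plain LDAP bind rather than an interactive logon.

```powershell
# Added example, not part of the original post: post-promotion checks for the DC.
# Assumptions: domain skeptic.sio, root OU named after the domain, group GROUP ELEVE.
Import-Module ActiveDirectory
$Domain = Get-ADDomain
$RootOu = "OU=$($Domain.DNSRoot),$($Domain.DistinguishedName)"

# 1. Services a DC depends on: directory (NTDS), Kerberos KDC, Netlogon, DNS.
Get-Service -Name NTDS, Kdc, Netlogon, DNS | Format-Table Name, Status

# 2. Domain members locate a DC through this SRV record; it must resolve on the
#    DC itself, which is why the DNS client should not be left on 127.0.0.1.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Domain.DNSRoot)" -Type SRV |
    Format-Table Name, NameTarget, Port
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -contains '127.0.0.1' } |
    ForEach-Object { Write-Warning "Interface $($_.InterfaceAlias) still uses 127.0.0.1" }

# 3. The objects created earlier exist and the accounts are enabled.
Get-ADUser -Filter * -SearchBase $RootOu -Properties PasswordLastSet |
    Format-Table SamAccountName, Enabled, PasswordLastSet, DistinguishedName
Get-ADGroupMember -Identity 'GROUP ELEVE' | Format-Table SamAccountName

# 4. Domain logon test without opening a session: an LDAP bind as the user.
#    Returns $false for a wrong password, a disabled account, or an account that
#    must still change its password at first logon.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain.DNSRoot)
$cred = Get-Credential -Message 'AD user to test, e.g. SKEPTIC\prof1'
$net  = $cred.GetNetworkCredential()   # strips the SKEPTIC\ prefix from the user name
$ctx.ValidateCredentials($net.UserName, $net.Password)

# 5. Built-in diagnostics. The replication summary only becomes meaningful once a
#    second domain controller exists (see "Further Enhancements").
dcdiag /test:DNS /test:Advertising /test:Services
repadmin /replsummary
```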

Outcomes & Benefits

  • Successfully launched a secure, cloud-based Windows Server

  • Configured Active Directory in the cloud

  • Enabled scalable and centralized identity and access management

  • Demonstrated use of cloud infrastructure for enterprise-grade services

Further Enhancements

  • Add additional domain controllers for high availability

  • Set up Active Directory Federation Services (ADFS)

  • Integrate with Azure AD or Hybrid Identity Solutions

  • Implement Group Policy Objects (GPOs) to automate configurations

Conclusion

This project provides a foundational walkthrough for deploying Windows Server infrastructure in the cloud, with Active Directory set up for identity services. By leveraging AWS EC2 and standard Microsoft tools, we can create scalable and secure domain environments suitable for both test labs and enterprise networks.


Written by

Roland Victor Musa