Amazon AWS Certified Solutions Architect Professional SAP-C02 Topic: Design for New Solutions Part 8
December 16, 2022

76. Understanding Active Directory

Hey everyone, and welcome back to the Knowledge Full video series. And in today’s lecture, we’ll have a high-level overview of Active Directory. Now, I am very sure that most of you have heard about Active Directory because it is generally used in most organisations, specifically enterprises. So let’s look into the Active Directory with a simple use case. So, consider the traditional approach, in which you have an organisation and various applications within that organization. So let’s assume this is AWS. Then there’s application No. 2, and finally application No. 3. And here you have the users, who are part of the organization. Now, if the user wants to log into each of these applications, what would have to be done is that in each and every application, you would have to configure the users manually. For example, if you’re using AWS, you’ll need to go to IAM and create IAM users.

So if you have an application, you again have to create manual users. If you have application 3, again, you have to create manual users over here. If someone leaves the organization, you go to AWS, delete the im user there, then go to application two, delete the im user there, and go to application user. You delete the user in application three.

So, as you can see, this is a significant pain, and in most enterprises, there are around 2030 users who may join or leave the organization. And for a system administrator, doing this on a regular basis for 2030 users is a very big pain. And this is the reason why there is a need for central authentication. So when you talk about a better way, what you basically have is a central server, and what you do is create all the users on this server, and then you connect the central server with all of the applications that are present within the organization. And thus all the user has to do is log in once, and he can access all these services, or he can log into each of these services with the credentials that are stored on the central server. As a result, this central server could be Active Directory. It can be other services as well, like identity management, which is provided by Red Hat.

So this central server is what we will call an Active Directory. Since this is an Active Directory lecture, now things become much simpler because if you want to remove the user, you can remove the user from Active Directory itself. You don’t really have to go to each and every application and remove the user. Same goes with adding the new user. So when you talk about Active Directory, Active Directory is one of the most popular directory services developed by Microsoft. Now the server running the Active Directory service is called the domain controller, and it can authenticate and authorise the users and computers that are associated with it.

So, on the left side of Active Directory, you see the users, and within the users, you can have various users that you can create, and you can change the password of the users from here. You can delete the user, you can add the user, et cetera, et cetera. And then you can configure the users’ access to each of these services. You can configure the policies so that user one only has access to AWS. So this is a very high-level overview of Active Directory. I hope you now have a good understanding of what Active Directory is and what we can accomplish with its assistance. 

77. Introducing AWS Directory Service

Hey everyone, and welcome back. Now, in the earlier video, we discussed the basics of ECS. We had created our first task definition, we had created our first cluster, and we had deployed our first task inside EC to instances associated with the cluster. Now, along with that, we also discussed the high-level differences between the tasks and services. So currently, we do have one task that is up and running in one of the two EC instances. And if I quickly do a Docker PS, in one of the instances, you will see that you have the Apache container up and running. One of the distinctions between tasks and services that we also discussed is that tasks are generally similar to batch jobs or short-running jobs that you may want to deploy. Services are long-running applications or long-running services like Apache, et cetera. Now, if the task or the containers associated with it stop working for any reason, ECS will not restart them automatically. So let’s look at what I mean by that.

Let’s put a stop to this specific container. So I’ll do a Docker stop, and I’ll give the container’s name. Great. As a result, this container has come to a halt. So let’s quickly verify with Docker PS. And you should see that you only have one ECS agent that is up and running. So once the container that is associated with the task stops or there are some issues with it, the ECS will not automatically start it. All right, so this is what the task is all about. So, because this is a web server, similar to Apache, we wanted it to be up and running at all times. So it is not quite suitable for the task. So we’ll go ahead and terminate the task. All right, so this is how you can stop the task. And now we’ll go ahead and create our own service.

So let’s go to the Services tab, and we’ll click on Create. So the launch type would be easy for the cluster. is my cluster demo the service name I’ll give itas my Apache and we’ll put Daemon here.So there are two service types: replica and DMN. We’ll go with DemonMode and the Minimum Healthy Person. Let’s put it at 50% deployment type. You do have an option for rolling as well as blue and green. And we’ll proceed by clicking Next. So here, it will ask whether you want a load balancer. Ideally, since we have two instances, if you have it in production, you would need a load balancer. but we’ll keep it simple. I’ll simply mark it as “disable service discovery.” I’ll deselect it. We do not really need it right now. For a demo, we’ll click on “next.” Let’s click “next,” and this will give you a review. We’ll proceed with the creation of a service. Great. So now the service has been created. Let’s go ahead and view it.

So now you see that the service is running and that there are two instances of it. So this can be better understood. Let’s go back to our cluster. And now you have the desired task of two within the services. You have two running tasks. Let’s click over here. Within the details, you don’t have the load balancer, and within tasks, you should see two tasks because we have two instances that are up and running. So now, coming back to our CLI, if I quickly do a docker PS, you should see that our Apache image is up and running now. So we’ll try to stop this specific Docker container once more. Great. So our Docker container is now stopped. However, a Docker PS shows that the Docker container is now operational. So the ECS will automatically restart Docker containers that have failed. So this is the high-level overview of these services and the task. I hope this video has been informative for you, and I look forward to seeing the next video.

78. Deploying our first Simple AD based Directory service

Everyone, and welcome back to the Knowledgeable Video series. Now in the earlier lecture we were discussing thebasics about the Active Directory and its use case. So continuing our journey today, we’ll be speaking about the AWS Directory service. Now there are certain challenges whenit comes to Active Directory. So for those who have been setting up Active Directory in their on-premises organizations, I’m sure you know that there are a lot of challenges that you might have to face.

And some of the difficulties include—and this begins with—provisioning, infrastructure, and then installing the directory software. So you must first install Microsoft Windows Server before proceeding to install and configure Active Directory. Once you have configured all the settings and configuration parameters, you also have to make sure that you have a proper replication setup between the domain controllers for high availability. So if the server goes down and you don’t really have a backup, then everything will stop there. So you have to make sure that you have a proper replication setup for high availability. Following that, you must ensure that you monitor and, in the event of new updates, patch, among other things. So this is actually quite a big challenge.

And, in particular, in organisations that rely heavily on Active Directory, there is a dedicated Windows administrator who only handles Active Directory. So this is quite a challenging part, and this is the reason why AWS actually decided to have a directory service in the cloud. So AWS Directory Service is a cloud-based managed service that allows users to create directories. So now that this is a managed service, a lot of things related to high availability, monitoring, backups,  recovery, and patching are managed by the AWS experts. And as the user, I just have to go ahead and create a directory and whatever policies and user groups I need, and let AWS do the entire Nifty Drift technical aspect. So this is what the AWS Directory Service is all about. Now there are three important components of the directory service.

One is the Active Directory service with Microsoft AD. So this is basically the Windows Server, which has the Microsoft ad installed. Then there’s the easy option, which is a Samba 4 compatible server. The third component is the Active Directory connector. So these are the three important components that we need to remember as far as the exams are concerned. So before we go ahead and understand each of them, let me just show you how exactly it might look. So, when you go to the Directory service in AWS, when you set up the directory, you’ll see that there are three important components that we have to remember. One is the Microsoft ad. So Microsoft AD is basically the AWS-managed Microsoft Active Directory, which is powered by Windows Server 2012. So this is the complete Microsoft ad server. Second is the simple ad. So straightforward is the AWS-hosted Samba 4 directory. So, four sambas.

So, in general, Samba 4 is excellent software that is both AD compatible and capable of acting as an Active Directory domain controller. So you can consider this the open source version, which does a lot of things that Active Directory does. The third component is the ad connector, which allows us to connect on-premise ads to AWS applications. So these are the three important components that we need to remember. So let’s start with the first one, where you have a directory service with Microsoft ads. So this is basically powered by an actual Microsoft Windows Server, which is Windows Server 2012, which has Active Directory installed. Now again, this entire server is managed, so you don’t have to worry about replication or high availability. It is managed by AWS. Now, within this, there are two types. One is the standard edition, and the other is the Enterprise edition. So Standard Edition is designed for small and medium-sized businesses with up to 5000 users. So for small startups or for midsize organisations, this can be used. Now, if you have a lot of users, you have to go with Enterprise Edition, which is designed for larger deployments.

So this is the first one. Now let’s look at the ad connector. So Ad Connector is basically a proxy service that basically provides us an easy way to connect applications in the cloud to your existing on-premises premise ad. So this is the ad connector. So this acts as a proxy for the applications that are present in the cloud, and it allows them to connect to the on-premises ad server. So this ad server can be in your datacenter or even in your organisation as well. So when the user logs into the application, the ad connector forwards, basically sending a request to the on-premises ActiveDirectory domain controller for authentication. So whatever request that application receives, Ed Connector will forward that request to the on-premises Active Directory for authentication and authorization.

So this is what the Ed connector does. And this is quite important because many organisations already have Active Directory set up in their data centres or on premise. And now if they want to have applications in the AWS cloud, which are Adaware, then you need connectivity, and the Ad Connector is one of the easiest ways to achieve this. Now, one important thing to remember is that in order for the application in AWS to connect to the ad, you need to have a VPN tunnel in place. In an ideal scenario, you cannot do so without a VPN tunnel. So this is one important point to remember. And third is the simple ad. So simple. Ad is a Microsoft Active Directory compatible directory powered by the Samba 4 server from the AWS Directory service. So this is not an actual Microsoft Active Directory, but it is a compatible directory service. So again, this is like a free version that supports certain features of Active Directory. So Simple AD supports basic Active Directory features such as users, user accounts, group membership, joining a Linux domain, and so on, as well as Windows features such as Carpools, SSO, group policies, and so on.

So, as part of Simple AD, AWS provides monitoring, daily snapshots, and recovery as part of this service. Now, since this is not an Active Directory, there are certain features that are not yet available for Simple Ad. So Simple Ad does not support trust relationships, DNS, dynamic updates, schema extensions, multifactor authentication, communication over LDAPI, and many other features. So these are the things that are not supported by Simple Ad. So, if you require these features, you must choose the first option that we have chosen: the widget directory service with Microsoft Ad. So let me just give you one simple example. Simple Ad can actually connect to or see join a Linux domain. So I’ll show you one of the examples. Over here, I have a simple ad that is already created, and along with that, I have an EC2 instance. So what I have done is connect this EC2 instance to my Simple Ad.

So now, if I want to log into the EC2 instance, I can log in with the users that are present in this directory service and not the users that are present over here. So, let me just show you. So I’ll sign in. You see, I’m logging in with the administrator at the time of the directory service, followed by the IP address. Now I have to provide a password, and now you can see that I am logged in over here. So if I do ID, it will give me the UID, which is the administrator at rate ad, followed by the GID, which is the group within the G ID. You see, it is part of the domain, which is So, if I create more users within this directory service, these users can log in to the EC to create instances; I don’t have to manually create the user within this EC. For example, I can log in from the users who are part of this simple advertisement. So, if I have 100 Linux servers that are connected to the directory service, I can easily create users within that directory, and that user will be able to log into all 100 servers. The same goes for the deletion as well. If I remove the user from the directory service, the user will lose access to all other users. 

79. Domain Joining the EC2 Linux Instance with Directory Service

Hey everyone, and welcome back. Now, in the earlier lecture, we went ahead and created a directory service based on the simple ad type. So in today’s lecture, what we’ll do is do a domain join between this simple ad and the EC to create an instance. So an EC2 instance has been created. As a result, this will be a domain join. So this is the simple instance that is created, and we will join this EC2 instance to the simple ad, and then we’ll log in with the user that is present in the simple ad to the EC2 instance. Perfect. So let’s try this out. So I’ll connect to the EC instance over here. So please allow me to perform my EC to the user at the optimal rate. So I am logged in. So I’ll do a “sudo sue” hyphen. So I’m connected to Root. Now, there is a small guide that I have written over here, and this guide will help us with the overall process. So you see, it is quite simple to achieve this. So let’s try this out. The first step is to install three SDrealm D workstations as well as three KRB-5 workstations.

So let’s install these packages. So I’m using the Amazon Linux machine, and the steps that are mentioned are for the Amazon Linux machine. Perfect. So, once these are installed, you must ensure that when you create a simple ADUC, it includes the DNS address, and that this simple AD kplabs in or whatever domain you specify is only resolvable via these DNS addresses. So let me just show you. When I perform a simple Nslookup on a simple ad, I can see that it is unable to locate the relevant IP address. However, let me try to give the IP address. This time I’ll copy the IP address. It seems to be giving a perfect answer. So let’s do one thing. I’m going to f. I’ll simply comment out the previous entry and create a new entry name server, followed by the first IP address name server, and then the second IP address that is given over. Perfect. So, now that we have a proper entry, let’s try to do an NSlookup on some simple ads in the database. I’ll press Enter, and now I am able to get the perfect response back. Great. So, once you’ve completed this, you can proceed to join a realm.

So let me just copy this command. I’ll copy this up, let me just clear the screen, and I’ll press Enter. So, when you login, you will have to provide the password. So this password is the one that you gave while you were creating the simple ad instance. So in my case, it is password 1, 2, 3, hash. Now it basically asks you for the password one more time, and one of the funny things is that it is shown in clear text. So, once you’ve entered this, just sit tight. Perfect. So you see, the command has been executed, and this is the last output that you should find that is successful and has rolled the machine in the realm. Now, I believe this is one of the bugs where it asks you to enter the password again. When I entered the password, you can see that the password’s one-to-three hash command was not formed. So this is something that needs to be fixed anyway. So currently the machine is successfully enrolled in the realm of simple ads.

So now this part is done. The next part that we have to do is modify the SSH configuration to enable password authentication. So let’s do that. So I’ll do a BITC SSH SSHD underscore configuration, search for password authentication, and change “no” to “yes.” So once you have done this, there are two services that we’ll have to restart at the end. One is the triple SD, and one is the SSHD. So let’s see if the triple SD is running or not. So it has started. So I’ll just do a triple SD restart. And now there are a few important things that you must do. The first is the etc pseudo-command and the pastethe command, both of which are present here. I’ll copy this up and a little down, I’ll paste it, and I’ll save it. So once you have done this, just restart the AAA SD and restart the SSD service. Perfect. So now that you have done it, let me just log out of this machine. And we were previously using Key to log into this specific server. This time we’ll be using the credentials from our active directory. Let me just show you. So we’ll use this command. Now we’ll replace the IP address of the EC2 instance with the IP address of the new EC2 instance. And currently, let me just replace the things. So we are using the administrator at the rate of “simple ads” “kplabs in.” So we know what this is, and this is the user. So when you press Enter, it is asking for the password of the administrator. So I’ll use the password, which is password 1, 2, 3, hash.

Okay, so let’s try that out again. Oops, we made a small mistake, I believe. As a result, we mistyped the domain name. It is simple to type. This is where we made a mistake. So let’s do it again. It is asking for the password. I’ll do a password one, two, three hash, and this time it will log me in. So now, if you do an ID, you see in the G ID that it is saying it is from the domain users at simple ad kplabs. So basically, this user, this administrator user, is part of the simple ad directory service. So in this directory service, if we add more users, These users will be able to login to any EC instance that is joined with this simple ad directory service. So this is it. About this lecture: I hope this has been informative for you, and I’ll be posting this guide in the forum sections so you can go ahead and try it out and look into how it really works. So this is it. Thanks for watching, and I look forward to seeing you in the next lecture.

80. Introduction to Virtual Private Networks

Hey everyone, and welcome back. In today’s video, we will be discussing the virtual private network. Now, the virtual private network, which I also refer to as the VPN, basically allows us to route the traffic from your network to the destination through the VPN server. It is now comparable to the proxy. This can be illustrated with a simple example in which you have your computer and the destination server on the Internet. Internet. Your computer would now have a unique IP address if it is connected to the Internet. So your laptop or computer, when you connect to the destination server, will have full access to logs related to your connection details. Now in the case of a VPN server, what happens here is that let’s say that this is a VPN server, and this VPN server has an IP address of 54. 2030. 56.

Now, when you send the traffic via the VPN to the destination server, it can go over the Internet. This destination server will not see your IP address here.It will see the IP address of the VPN because it is the VPN that is routing all the traffic over here. Now there are a lot of advantages, and there are also a lot of use cases where the attacker uses VPN extensively for the attack. So let me quickly give you a demonstration of what exactly this might look like. So this is a “cyber ghost” VPN. This is pretty famous. Now, if you see this VPN server over here, as shown in the slide, you can select whether you want it from us, Europe, Singapore, or somewhere else. So if I can quickly show you, you can select various locations over here. So, if I click on more servers, you’ll see that there are many servers available, ranging from the United States to Vietnam, France, Germany, Australia, and so on. Now let’s do one thing. Let me just click on “connect” so I’ll be connected to the VPN server. So let’s quickly wait for a moment here. Great. So I am connected to the VPN server residing in Canada.

So now what happens? My laptop or computer is in India, and the VPN server is in Canada. Now if I browse the Internet, the destination server will assume that the connection is coming from Canada, and hence the details will be shown accordingly. So let’s try it out. Let’s put, and here, let’s put: what’s that? My IP. So, if you open up one of the websites here, you’ll see that the IP address on the 71 page is 71, and the country is Canada, and the region is Alberta. And this is how the VPN works at a high level overview. With the assistance of a VPN, one or more use cases can now be accomplished. One is that if you are connected to an insecure network, let’s say a public wireless hotspot, then it is better never to directly access it. In such cases, you should always connect to a VPN. The second reason why people typically use VPNs is to unblock certain blocked websites. So if I can quickly show you, there’s a website called Nine Gag TV. All right? So now what is happening is that it is redirecting to Nine Gag. I’m sure a lot of people might be using it. So, if you use the IndianISP to search for Nine Gag TV, you will notice that the website is specifically blocked.

But since I am connecting to a VPN, that website is unblocked for me. The third use case is something that attackers use. Let’s say that they want to attack a server in a specific country. So what they do is make use of VPNs so that their IP address is not directly visible. Now, one thing I’ll quickly share—let’s say this is just an example. Let’s say that someone wants to attack a server that is located in the United States. So what I’ll do is select a VPN that belongs to an enemy country. Let’s say China. As a result, the United States and China are not generally friendly. So, even if the US government wants to get information from you if you use a VPN server in China, the Chinese government may not. So this is what attackers generally do a lot of times. They generally choose the VPN server of a country that is an enemy of the target that they are trying to exploit into.Anyways, so this is just a high-level overview and some of the things that I wanted to share. This is more appropriate for the certifications related to security, anyway. So, in terms of VPN use in corporate networks, this is a good VPN use.

So how exactly it is used is, let’s say, that you have an EC2 instance in a private subnet, and this has a private IP. So private IP cannot be communicated directly over the internet. So it is a non-routable IP. So what you do is put a VPN server in the public subnet inside the VPN VPC, and then you route your traffic from your computer to the VPN and from the VPN towards the private instances. So now, if you want to connect to a private instance, your traffic will be routed from the VPN to the private instance. And this is how the VPN is typically used in the AWS environment.

Leave a Reply

How It Works

Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!