@stknohg
Last active August 10, 2025 02:27
Scripts for building a test environment for AWS Managed Microsoft AD Hybrid Edition

Introduction

This Gist contains a CloudFormation template and PowerShell scripts for building a test environment for AWS Managed Microsoft AD Hybrid Edition: a small self-managed Active Directory (one forest, two domain controllers) that the hybrid directory can later be connected to.

01_EC2.yaml

A CloudFormation template that builds two Windows Server 2022 EC2 instances in a VPC you have already prepared. The VPC, subnet and other network resources are not created by the template and must exist beforehand. The instances get no public IP address and are reached through SSM Session Manager (the instance role carries AmazonSSMManagedInstanceCore). The security group opens the AD DS port set that AWS documents for Managed Microsoft AD to the SGCIDR parameter, whose default of 10.0.0.0/8 is deliberately lab-wide; narrow it to the address ranges that actually need to reach the domain controllers.

The EC2 instances are renamed adds01 and adds02 by their user data, which also installs the features needed to build Active Directory (AD DS, DNS and the RSAT tools).

02_Setup-ADDS01.ps1, 03_Setup-ADDS02.ps1

Scripts listing the PowerShell commands to run on the created EC2 instances.
Note that they are only a list of commands, not full automation: run each section by hand and reboot where indicated. The DSRM password and the domain-join credential are written into the scripts in plain text as lab placeholders; replace them before use.

01_EC2.yaml

Parameters:
  SystemName:
    Description: "Set your system name"
    Type: String
    Default: "hybridad"
  EnvironmentName:
    Description: "Set your environment name"
    Type: String
    Default: "dev"
  VPCID:
    Description: "Set your VPC id"
    Type: AWS::EC2::VPC::Id
  SGCIDR:
    Description: "Set your security group CIDR"
    Type: String
    # Lab-wide default. Narrow this to the on-premises / VPC ranges that must reach the DCs.
    Default: "10.0.0.0/8"
  SubnetID:
    Description: "Set your subnet ID"
    Type: AWS::EC2::Subnet::Id
  Windows2022LatestAmi:
    # Resolved from the public SSM parameter, so the stack always picks up the current Windows Server 2022 AMI.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base
    AllowedValues:
      - /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base
  InstanceType:
    Type: String
    Default: "t3a.medium"
  KeyPairName:
    Description: "Set your EC2 Keypair name"
    Type: AWS::EC2::KeyPair::KeyName
Resources:
  # IAM Role (SSM)
  # Only AmazonSSMManagedInstanceCore is attached: the instances need Session Manager access, nothing more.
  SSMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::Sub: "${SystemName}-${EnvironmentName}-adds-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  # Instance Profile
  SSMRoleInstanceProfile:
    Type: "AWS::IAM::InstanceProfile"
    Properties:
      InstanceProfileName:
        Fn::Sub: "${SystemName}-${EnvironmentName}-adds-role"
      Path: "/"
      Roles:
        - Ref: SSMRole
  # Security Group
  # Port list follows what AWS creates for Managed Microsoft AD:
  # ref : https://docs.aws.amazon.com/ja_jp/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.html
  ADDSSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName:
        Fn::Sub: "${SystemName}-${EnvironmentName}-adds-sg"
      GroupDescription: "Security group for domain controller(ADDS)"
      VpcId:
        Ref: VPCID
      SecurityGroupIngress:
        # ICMP (ping / path MTU)
        - IpProtocol: icmp
          FromPort: -1
          ToPort: -1
          CidrIp:
            Ref: SGCIDR
        # DNS
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp:
            Ref: SGCIDR
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp:
            Ref: SGCIDR
        # Kerberos
        - IpProtocol: tcp
          FromPort: 88
          ToPort: 88
          CidrIp:
            Ref: SGCIDR
        - IpProtocol: udp
          FromPort: 88
          ToPort: 88
          CidrIp:
            Ref: SGCIDR
        # LDAP
        - IpProtocol: tcp
          FromPort: 389
          ToPort: 389
          CidrIp:
            Ref: SGCIDR
        - IpProtocol: udp
          FromPort: 389
          ToPort: 389
          CidrIp:
            Ref: SGCIDR
        # SMB (SYSVOL / NETLOGON)
        - IpProtocol: tcp
          FromPort: 445
          ToPort: 445
          CidrIp:
            Ref: SGCIDR
        - IpProtocol: udp
          FromPort: 445
          ToPort: 445
          CidrIp:
            Ref: SGCIDR
        # Kerberos password change
        - IpProtocol: tcp
          FromPort: 464
          ToPort: 464
          CidrIp:
            Ref: SGCIDR
        - IpProtocol: udp
          FromPort: 464
          ToPort: 464
          CidrIp:
            Ref: SGCIDR
        # RPC endpoint mapper
        - IpProtocol: tcp
          FromPort: 135
          ToPort: 135
          CidrIp:
            Ref: SGCIDR
        # LDAPS
        - IpProtocol: tcp
          FromPort: 636
          ToPort: 636
          CidrIp:
            Ref: SGCIDR
        # RPC dynamic port range (AD replication, NetLogon, etc.). This is the widest rule in the group;
        # it is why SGCIDR should be kept tight.
        - IpProtocol: tcp
          FromPort: 1024
          ToPort: 65535
          CidrIp:
            Ref: SGCIDR
        # Global Catalog (LDAP / LDAPS)
        - IpProtocol: tcp
          FromPort: 3268
          ToPort: 3269
          CidrIp:
            Ref: SGCIDR
        # NTP
        - IpProtocol: udp
          FromPort: 123
          ToPort: 123
          CidrIp:
            Ref: SGCIDR
        # NetBIOS datagram
        - IpProtocol: udp
          FromPort: 138
          ToPort: 138
          CidrIp:
            Ref: SGCIDR
      Tags:
        - Key: Name
          Value:
            Fn::Sub: "${SystemName}-${EnvironmentName}-adds-sg"
  # The two DCs talk to each other on any port (replication uses the RPC dynamic range).
  SelfAllowIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId:
        Ref: ADDSSG
      IpProtocol: -1
      SourceSecurityGroupId:
        Ref: ADDSSG
  # EC2
  ADDS1:
    Type: AWS::EC2::Instance
    Properties:
      ImageId:
        Ref: Windows2022LatestAmi
      InstanceType:
        Ref: InstanceType
      KeyName:
        Ref: KeyPairName
      DisableApiTermination: false
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 30
            VolumeType: gp3
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeviceIndex: 0
          SubnetId:
            Ref: SubnetID
          GroupSet:
            - Ref: ADDSSG
      IamInstanceProfile:
        Ref: SSMRoleInstanceProfile
      UserData:
        Fn::Base64: |
          <powershell>
          Add-WindowsFeature AD-Domain-Services, GPMC, RSAT-ADDS, RSAT-AD-PowerShell, RSAT-DNS-Server | Format-List
          Rename-Computer -NewName adds01 -Restart
          </powershell>
      Tags:
        - Key: Name
          Value:
            Fn::Sub: "${SystemName}-${EnvironmentName}-adds1"
  ADDS2:
    Type: AWS::EC2::Instance
    Properties:
      ImageId:
        Ref: Windows2022LatestAmi
      InstanceType:
        Ref: InstanceType
      KeyName:
        Ref: KeyPairName
      DisableApiTermination: false
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: 30
            VolumeType: gp3
      NetworkInterfaces:
        - AssociatePublicIpAddress: false
          DeviceIndex: 0
          SubnetId:
            Ref: SubnetID
          GroupSet:
            - Ref: ADDSSG
      IamInstanceProfile:
        Ref: SSMRoleInstanceProfile
      UserData:
        Fn::Base64: |
          <powershell>
          Add-WindowsFeature AD-Domain-Services, GPMC, RSAT-ADDS, RSAT-AD-PowerShell, RSAT-DNS-Server | Format-List
          Rename-Computer -NewName adds02 -Restart
          </powershell>
      Tags:
        - Key: Name
          Value:
            Fn::Sub: "${SystemName}-${EnvironmentName}-adds2"
02_Setup-ADDS01.ps1

# ADDS01
# Already executed by the EC2 UserData; listed here for reference only, do not run again.
Add-WindowsFeature AD-Domain-Services, GPMC, RSAT-ADDS, RSAT-AD-PowerShell, RSAT-DNS-Server | Format-List
Rename-Computer -NewName adds01 -Restart

# Create a new forest and domain (corp.contoso.com) with this server as the first domain controller.
# Run as the local Administrator; that account becomes the domain Administrator after promotion.
Import-Module ADDSDeployment
$params = @{
    DomainName                    = 'corp.contoso.com'
    DomainNetbiosName             = 'corp'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 functional level
    DomainMode                    = 'WinThreshold'
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    # Directory Services Restore Mode password. 'P@ssw0rd' is a throwaway lab placeholder;
    # for anything that outlives the lab prompt for it instead: (Read-Host -AsSecureString 'DSRM password')
    SafeModeAdministratorPassword = (ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force)
    InstallDns                    = $true    # this DC also becomes the DNS server for the domain
    CreateDnsDelegation           = $false
    NoRebootOnCompletion          = $false   # the server reboots automatically when promotion finishes
    Confirm                       = $false
}
Install-ADDSForest @params
03_Setup-ADDS02.ps1

# ADDS02
# Already executed by the EC2 UserData; listed here for reference only, do not run again.
Add-WindowsFeature AD-Domain-Services, GPMC, RSAT-ADDS, RSAT-AD-PowerShell, RSAT-DNS-Server | Format-List
Rename-Computer -NewName adds02 -Restart

# DNS client settings: point this server at ADDS01 so it can locate the new domain.
$dnsServers = @('xx.xx.xx.xx') # replace with the private IP address of ADDS01
$client = Get-NetAdapter | Get-DnsClient
$client | Set-DnsClientServerAddress -ServerAddresses $dnsServers
$client | Get-DnsClientServerAddress -AddressFamily IPv4

# Join the domain. The placeholder below is the password of the ADDS01 Administrator account
# (now corp\administrator); it is in plain text only because this is a disposable lab.
$password = ConvertTo-SecureString '<ADDS01 administrator password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('corp\administrator', $password)
Add-Computer -DomainName 'corp.contoso.com' -Credential $cred -Restart

# Promote to an additional domain controller (run after the reboot from the domain join).
# Run this in a session of a Domain Admins member (corp\administrator); a Session Manager shell
# runs as SYSTEM and does not have the rights, so from there add Credential = (Get-Credential 'corp\administrator').
Import-Module ADDSDeployment
$Params = @{
    DomainName                    = 'corp.contoso.com'
    SiteName                      = 'Default-First-Site-Name'
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    ReplicationSourceDC           = 'adds01.corp.contoso.com'   # pull initial replication from ADDS01, the only existing DC
    NoGlobalCatalog               = $false   # both DCs serve as global catalogs
    CriticalReplicationOnly       = $false
    # Same lab placeholder as on ADDS01; the DSRM password is per-DC and should also be prompted for outside a lab.
    SafeModeAdministratorPassword = (ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force)
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    NoRebootOnCompletion          = $false
    Confirm                       = $false
}
Install-ADDSDomainController @Params
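Once both promotions have finished and adds02 has rebooted, the following health check verifies that the two-DC lab is actually usable before it is connected to a Managed Microsoft AD Hybrid Edition directory. It is an added example, not part of the Gist above: it probes TCP reachability to adds01 on the ports the security group opens, confirms the DC locator SRV records resolve, lists both DCs with their global-catalog flag, reports replication partner status, tests this machine's secure channel and checks that SYSVOL and NETLOGON are shared. It assumes the names the Gist uses (corp.contoso.com, adds01, adds02), a domain-admin PowerShell session on adds02, the RSAT-AD-PowerShell module installed by the template's user data, and dcdiag (installed with AD DS). UDP and ICMP rules cannot be probed with Test-NetConnection -Port, so only the TCP rules are covered.

```powershell
# Post-build health check for the corp.contoso.com lab. Added example, not part of the Gist.
# Run on adds02 as corp\administrator after Install-ADDSDomainController and the reboot.
$Domain = 'corp.contoso.com'            # assumption: the domain name used by the Gist's scripts
$PeerDC = 'adds01.corp.contoso.com'     # assumption: FQDN of the first DC built by 02_Setup-ADDS01.ps1

# 1. TCP ports opened by the ADDSSG security group must be reachable on the peer DC.
$requiredTcpPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
$portResults = foreach ($port in $requiredTcpPorts) {
    $r = Test-NetConnection -ComputerName $PeerDC -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Reachable = $r.TcpTestSucceeded }
}
$portResults | Format-Table -AutoSize
$closed = $portResults | Where-Object { -not $_.Reachable }
if ($closed) {
    Write-Warning ("TCP ports not reachable on {0}: {1} (check SGCIDR / SelfAllowIngress)" -f $PeerDC, ($closed.Port -join ', '))
}

# 2. DNS: the DC locator record must resolve through the DNS servers configured on this host.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object NameTarget, Port | Format-Table -AutoSize

# 3. Both DCs should be registered, both as global catalogs (NoGlobalCatalog = $false in the scripts).
$dcs = Get-ADDomainController -Filter * -Server $Domain
$dcs | Select-Object HostName, Site, IsGlobalCatalog, OperatingSystem | Format-Table -AutoSize
if (@($dcs).Count -ne 2) { Write-Warning "Expected 2 domain controllers, found $(@($dcs).Count)" }
if ($dcs | Where-Object { -not $_.IsGlobalCatalog }) { Write-Warning 'A DC is not a global catalog' }

# 4. Replication: a non-zero ConsecutiveReplicationFailures for any partition is a problem.
$repl = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server
$repl | Select-Object Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult |
    Format-Table -AutoSize
if ($repl | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 }) {
    Write-Warning 'Replication failures detected; see repadmin /showrepl for details'
}

# 5. The computer's secure channel to the domain must be intact after the join and promotion.
if (-not (Test-ComputerSecureChannel -Server $PeerDC)) {
    Write-Warning 'Secure channel to the domain is broken (Test-ComputerSecureChannel -Repair to fix)'
}

# 6. SYSVOL and NETLOGON must be shared, or Group Policy and logon scripts will not apply.
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Select-Object Name, Path | Format-Table -AutoSize

# 7. Let dcdiag run the built-in replication, SYSVOL and DNS tests; /q prints only failures.
dcdiag /test:Replications /test:SysVolCheck /test:DNS /q
```

Any warning printed here should be resolved before pointing a hybrid directory at these DCs: unreachable ports almost always mean SGCIDR or the subnet route tables, an empty SRV answer means adds02 is still using the VPC resolver instead of adds01, and replication failures right after promotion usually clear within a few minutes and are only a concern if they persist.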