Server configurations

Configure the instances remotely SSM

In this step you will add permission the account domain user to manage your db and open firewall rules remotely using SSM

Verify that the instances are ready before continue (see progress via the EC2 Console)

Install Failover cluster role remotely

Use the script provided in 1.4 or manually use the cli commands (on macOS) and run the following command to install the failover cluster role

windows

## Install Failover clustering role + management tools using the script
.\runcommand.ps1 -instanceids i-09a4ee96bb0fef47a,i-0b9bfacd2996cd5b6 -commands "Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools" -region "eu-west-1" -profile workshop -IsLinux $false

macOS

## Send the command to the server
aws ssm send-command --instance-ids "i-0e51d2fc1693d184b" --document-name "AWS-RunPowerShellScript" --comment 'Install failover cluster role' --parameters "commands='Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools'" --region eu-west-1 --profile workshop

## see the output with **Change the command-id with the output of the previous command
aws ssm get-command-invocation --command-id "d44b1034-3b8e-4db7-9ae2-8fe11138416c" --instance-id "i-0e51d2fc1693d184b" --region eu-west-1 --profile workshop

It will take up to 2-4 minutes,

See example of a good output:

Task 1

Now, change the script parameters / manually use the cli commands to run the following powershell commands:

  • ADD-WindowsFeature RSAT-AD-Tools

  • ADD-WindowsFeature RSAT-DNS-Server

See solution

macOS Users: do not use the script, do it manually with the CLI commands aws ssm send-command

See macOS solution

Task 2:

Use SSM to open the local Windows Firewall to allow VPC Traffic (10.0.0.0/16)

See solution

Session Manager

Session Manager is a new option for shell-level access. The Session Manager makes the AWS Systems Manager even more powerful. You can use a new browser-based interactive shell and a command-line interface (CLI) to manage your Windows and Linux instances.

Main features:

  • Secure Access – You don’t have to manually set up user accounts, passwords, or SSH keys on the instances and you don’t have to open up any inbound ports. Session Manager communicates with the instances via the SSM Agent across an encrypted tunnel that originates on the instance, and does not require a bastion host.

  • Access Control – You use IAM policies and users to control access to your instances, and don’t need to distribute SSH keys. You can limit access to a desired time/maintenance window by using IAM’s Date Condition Operators.

  • Auditability – Commands and responses can be logged to Amazon CloudWatch and to an S3 bucket. You can arrange to receive an SNS notification when a new session is started.

  • Interactivity – Commands are executed synchronously in a full interactive bash (Linux) or PowerShell (Windows) environment

  • Programming and Scripting – In addition to the console access you can also initiate sessions from the command line (aws ssm …) or via the Session Manager APIs.

The SSM Agent running on the EC2 instances must be able to connect to Session Manager’s public endpoint. You can also set up a PrivateLink connection to allow instances running in private VPCs (without Internet access or a public IP address) to connect to Session Manager.

Let’s try it (Task 3)


Task 3

Use Session Manager to create a logon script that map the FSx share file (Get the FSx mount url from FSx Console click on “Attach”).

See hint
See solution

Do the same on the second node


Task 4

Add sysadmin role to the domain user (Domain\Admin)

See solution

Since the machine is domain joined, you don’t need to use the search, you can simply write Domain\Admin user directly in the user box.

Set the SQL Service to run with the domain user

We want to avoid permissions issues, so we will set the service to use domain user

See solution

Do the same on the second instance (add sysadmin role and change the service account) And restart the servers

Note: On producation enviroment, it’s best practice to create a sql service account in AD with minimum permissions.

Connect and verify

Connect with domain\admin user (After the servers rebooted, you now can connect with RDP and the user domain\admin that you created previously with Managed AD.)

Note: If you are using account from the workshop, you can see the admin password in the cloudformation page

Verify your solution:

  1. Make sure that you have permissions to launch SSMS with the domain user.
  2. Make sure you see F: drive as the FSx folder
  3. Open the Windows explorer and make sure you see all the drives as following: instance-result