8 Examples of Sharing AWS Managed AD with Multiple Accounts from the CLI and Console

After creating an AWS Managed Microsoft AD directory in an AWS account, you can share this directory with other accounts.

This is a common case where you have an AWS Managed Active Directory in a shared services account that you need to share with other workload accounts.

The following points should be taken into account:

  • Sharing with another account can only take place in the same region where the Managed AD directory is located.
  • The shared directory will be visible to all computers in the workload accounts.
  • The shared directory in the workload account receives a directory ID that is different from the original directory ID in the shared services account.
  • If the Managed AD directory is in an account where AWS Organizations is enabled, you also have the option to share it with all accounts in the organization or with specific accounts.

This training manual contains the following examples:

  1. Share Managed AD – AWS CLI
  2. View current Managed AD shares – AWS CLI
  3. Accept directory share – AWS CLI
  4. Unshare directory – AWS CLI
  5. Reject directory share – AWS CLI
  6. Share Managed AD – AWS Console
  7. Accept or reject directory share – AWS Console
  8. Unshare directory – AWS Console

1. Share Managed AD – AWS CLI

First define the source directory ID and the account number of the target AWS workload account (account IDs are 12 digits).

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Run the following command to share the directory with the workload account. Run this command with the shared services account credentials.

aws ds share-directory --directory-id ${DIRECTORY_ID} \
  --share-notes "AD directory for workload accounts" \
  --share-target Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT \
  --share-method HANDSHAKE

See the following for how to configure AWS CLI profiles correctly before running these commands: 15 Examples of AWS configuration commands for managing multiple CLI profiles

In the above example :

  • DIRECTORY_ID is the ID of the Managed AD directory located in the shared services account.
  • WORKLOAD_ACCOUNT is the account number of the AWS workload account with which you are sharing the Managed AD.
  • Share method – since we are sharing with a specific account, use the HANDSHAKE method (sharing with an entire organization uses the ORGANIZATIONS method instead).

Here is the output of the above command, which shows the shared directory ID:

{
    "SharedDirectoryId": "d-444efg555"
}

2. View current Managed AD shares – AWS CLI

Once you have shared the directory, you can view the current status of the share; the same command also lists all existing shares of that directory, as shown below.

DIRECTORY_ID=d-123abc4567

aws ds describe-shared-directories \
  --owner-directory-id ${DIRECTORY_ID}

Below is an example of an output:

{
    "SharedDirectories": [
        {
            "OwnerAccountId": "111111111111",
            "OwnerDirectoryId": "d-123abc4567",
            "ShareMethod": "HANDSHAKE",
            "SharedAccountId": "222222222222",
            "SharedDirectoryId": "d-444efg555",
            "ShareStatus": "PendingAcceptance",
            "ShareNotes": "AD directory for workload accounts",
            "CreatedDateTime": 155856663.171,
            "LastUpdatedDateTime": 155856663.171
        }
    ]
}

Note: in the output above, ShareStatus is PendingAcceptance. It changes to Shared once the workload account accepts the share request.
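The share-and-check flow from sections 1 and 2, extended to several workload accounts, as an added example that is not part of the original post. It assumes the AWS CLI v2 and a profile for the shared services (owner) account; the account and directory IDs are placeholders, and the sample share list is constructed so the filtering functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post). Shares one Managed AD directory
# with several workload accounts and reports which shares still await
# acceptance. Assumes AWS CLI v2 and owner-account credentials; IDs are placeholders.

# Share the owner directory with one account using the HANDSHAKE method.
# Prints the new SharedDirectoryId that the workload account must accept.
share_with_account() {
  aws ds share-directory --directory-id "$1" \
    --share-notes "AD directory for workload accounts" \
    --share-target "Id=$2,Type=ACCOUNT" \
    --share-method HANDSHAKE \
    --query 'SharedDirectoryId' --output text
}

# List every share of the owner directory as tab-separated rows:
#   SharedAccountId  SharedDirectoryId  ShareStatus
list_shares() {
  aws ds describe-shared-directories --owner-directory-id "$1" \
    --query 'SharedDirectories[].[SharedAccountId,SharedDirectoryId,ShareStatus]' \
    --output text
}

# Read list_shares rows on stdin; print accounts whose share is still
# PendingAcceptance (they still have to run aws ds accept-shared-directory).
pending_accounts() {
  awk '$3 == "PendingAcceptance" { print $1 }'
}

# Read list_shares rows on stdin; print accounts whose share ended in a
# failure or rejection state, so an operator can investigate or unshare.
failed_shares() {
  awk '$3 ~ /^(ShareFailed|RejectFailed|Rejected)$/ { print $1 }'
}

# Constructed sample in the shape list_shares prints, for offline use.
SAMPLE_SHARES="$(printf '222222222222\td-444efg555\tPendingAcceptance\n333333333333\td-555hij666\tShared\n444444444444\td-666klm777\tShareFailed\n')"
printf '%s\n' "$SAMPLE_SHARES" | pending_accounts

# Live use: ./share-ad.sh <owner-directory-id> <account-id>... (owner credentials).
if [ "$#" -ge 2 ]; then
  owner_dir="$1"; shift
  for acct in "$@"; do
    printf '%s -> shared directory %s\n' "$acct" "$(share_with_account "$owner_dir" "$acct")"
  done
  echo "Accounts still pending acceptance:"
  list_shares "$owner_dir" | pending_accounts
fi
```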

3. Accept directory share – AWS CLI

Use your workload account credentials to accept the directory share as shown below.

aws ds accept-shared-directory \
  --shared-directory-id d-444efg555

In the example above, d-444efg555 is the shared directory ID (not the ID of the Managed AD directory in the shared services account).

There are several ways to obtain the shared directory ID:

  • From the output of the aws ds share-directory command.
  • Log in to your workload account and get the directory ID from the console.
  • Run aws ds describe-shared-directories from the workload account to get this ID.

4. Unshare directory – AWS CLI

First define the source directory ID and the account number of the target AWS workload account.

DIRECTORY_ID=d-123abc4567
WORKLOAD_ACCOUNT=222222222222

Run the following command to unshare the directory from the workload account. Run this command with the shared services account credentials.

aws ds unshare-directory --directory-id ${DIRECTORY_ID} \
  --unshare-target Id=${WORKLOAD_ACCOUNT},Type=ACCOUNT

5. Reject directory share – AWS CLI

Use the workload account credentials to reject the directory share, as shown below.

aws ds reject-shared-directory \
  --shared-directory-id d-444efg555

In the example above, d-444efg555 is the shared directory ID (not the ID of the Managed AD directory in the shared services account).

6. Share Managed AD – AWS Console

Log in to your shared services account where the Managed AD is located.

Go to Directory Service -> Directories -> click on the directory ID d-123abc4567 -> click on the Scale and share tab.

[AWS Managed AD - Create shared directory]

From the Actions drop-down menu, click Create new shared directory:

[AWS Managed AD - Shared directories list]

  • Under Select AWS accounts to share with, select Share this directory with other AWS accounts.
  • Enter your workload account number and click Add.
  • In the Send a note section, enter a message that will be visible in the workload account. This field is optional.
  • Click Share.

7. Accept or reject directory share – AWS Console

Log in to the AWS console with the workload account.

Go to Directory Service -> Directories shared with me.

You will see the following message there:
You have an invitation to use a shared directory hosted in another AWS account. An administrator of another AWS account has invited you to access their AWS Managed Microsoft AD directory.

Select the directory -> click View -> click Accept (or) click Reject.

[Accept or reject the Managed AD share]

8. Unshare directory – AWS Console

Log in to your shared services account where the Managed AD is located.

Go to Directory Service -> Directories -> click on the directory ID d-123abc4567 -> click on the Scale and share tab.

Select the shared directory from the list -> click Unshare.

[Managed AD - Unshare directory]
