Active Directory Domain Services On AWS


Active Directory Domain Services on AWS
Design and Planning Guide
November 20, 2020

Notices
Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided “as is” without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers. © 2020 Amazon Web Services, Inc. or its affiliates. All rights reserved.

Contents
Importance of Active Directory in the cloud ... 1
Terminology and definitions ... 1
Shared responsibility model ... 3
Directory services options in AWS ... 4
AD Connector ... 4
AWS Managed Microsoft Active Directory ... 5
Active Directory on EC2 ... 7
Comparison of Active Directory Services on AWS ... 7
Core infrastructure design on AWS for Windows Workloads and Directory Services ... 9
Planning AWS accounts and Organization ... 9
Network design considerations for AWS Managed Microsoft AD ... 9
Design consideration for AWS Managed Microsoft Active Directory ... 12
Single account, AWS Region, and VPC ... 12
Multiple accounts and VPCs in one AWS Region ... 13
Multiple AWS Regions deployment ... 14
Enable Multi-Factor Authentication for AWS Managed Microsoft AD ... 16
Active Directory permissions delegation ... 17
Design considerations for running Active Directory on EC2 instances ... 18
Single Region deployment ... 18
Multi-region/global deployment of self-managed AD ... 20
Designing Active Directory sites and services topology ... 21
Security considerations ... 22
Trust relationships with on-premises Active Directory ... 22
Multi-factor authentication ... 24
AWS account security ... 24
Domain controller security ... 24
Other considerations ... 25
Conclusion ... 26
Contributors ... 26
Further Reading ... 27
Document Revisions ... 27

Abstract
Cloud is now the center of most enterprise IT strategies. Many enterprises find that a well-planned move to the cloud results in an immediate business payoff. Active Directory is a foundation of the IT infrastructure for many large enterprises. This whitepaper covers best practices for designing Active Directory Domain Services (AD DS) architecture in Amazon Web Services (AWS), including AWS Managed Microsoft AD, Active Directory on Amazon Elastic Compute Cloud (Amazon EC2) instances, and hybrid scenarios.

Amazon Web Services: Active Directory Domain Services on AWS

Importance of Active Directory in the cloud
Microsoft Active Directory was introduced in 1999 and became the de facto standard technology for centralized management of Microsoft Windows computers and user authentication. Active Directory serves as a distributed hierarchical data store for information about corporate IT infrastructure, including Domain Name System (DNS) zones and records, devices and users, user credentials, and access rights based on group membership.

Currently, 95% of enterprises use Active Directory for authentication. Successful adoption of cloud technology requires considering existing IT infrastructure and applications deployed on-premises. A reliable and secure Active Directory architecture is a critical IT infrastructure foundation for companies running Windows workloads.

Terminology and definitions
AWS Managed Microsoft Active Directory. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is Microsoft Windows Server Active Directory Domain Services (AD DS) deployed and managed by AWS for you. The service runs on actual Windows Server for the highest possible fidelity and provides the most complete implementation of AD DS functionality of the cloud-managed AD DS services available today.

Active Directory Connector (AD Connector) is a directory gateway (proxy) that redirects directory requests from AWS applications and services to an existing Microsoft Active Directory without caching any information in the cloud. It does not require any trusts or synchronization of user accounts.

Active Directory Trust. A trust relationship (also called a trust) is a logical relationship established between domains to allow authentication and authorization to shared resources. The authentication process verifies the identity of the user. The authorization process determines what the user is permitted to do on a computer system or network.

Active Directory Sites and Services. In Active Directory, a site represents a physical or logical entity that is defined on the domain controller. Each site is associated with an Active Directory domain. Each site also has IP definitions for what IP addresses and ranges belong to that site. Domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site to the client.
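The site-to-subnet mapping described above is what lets a domain controller steer a client to a nearby DC. The following added example (not AWS or Microsoft code) reproduces that lookup as a longest-prefix match over subnet objects, and also reports the failure mode a hybrid AWS deployment hits most often: a client whose VPC CIDR was never added as a subnet object has no site and may authenticate against any DC in the domain. The site names, subnets and DC hostnames are constructed for illustration.

```python
"""Site lookup the way the AD DC locator does it: longest-prefix subnet match.

Added example for this page (not AWS or Microsoft code). The site,
subnet and domain controller definitions below are constructed.
"""
import ipaddress

# Constructed subnet objects -> site names, as they would be defined under
# Sites and Services. The /24 sits inside the /16 on purpose: the most
# specific subnet wins, so clients in 10.0.10.0/24 map to the second site.
SITE_SUBNETS = {
    "10.0.0.0/16": "AWS-us-east-1",
    "10.0.10.0/24": "AWS-us-east-1-WorkSpaces",
    "10.1.0.0/16": "AWS-eu-west-1",
    "192.168.0.0/16": "OnPrem-HQ",
}

# Constructed domain controllers per site.
SITE_DCS = {
    "AWS-us-east-1": ["dc1.corp.example", "dc2.corp.example"],
    "AWS-us-east-1-WorkSpaces": ["dc3.corp.example"],
    "AWS-eu-west-1": ["dc4.corp.example"],
    "OnPrem-HQ": ["hqdc1.corp.example"],
}


def site_for_address(ip, site_subnets=SITE_SUBNETS):
    """Return the site whose most specific subnet contains ip, or None.

    Mirrors the longest-prefix match a DC performs when it maps a client's
    address to a site.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def locate_domain_controllers(ip, site_subnets=SITE_SUBNETS, site_dcs=SITE_DCS):
    """Return (site, candidate DCs) for a client address.

    A client whose address is covered by no subnet object has no site, so the
    locator cannot prefer nearby DCs and the client may end up using any DC in
    the domain. That case is reported as site None with the full DC list.
    """
    site = site_for_address(ip, site_subnets)
    if site is None:
        all_dcs = sorted(dc for dcs in site_dcs.values() for dc in dcs)
        return None, all_dcs
    return site, list(site_dcs[site])


def uncovered_cidrs(vpc_cidrs, site_subnets=SITE_SUBNETS):
    """List VPC CIDRs that no subnet object covers, i.e. VPCs that still need
    a subnet object under Sites and Services before their clients get a site."""
    nets = [ipaddress.ip_network(c) for c in site_subnets]
    missing = []
    for cidr in vpc_cidrs:
        vpc = ipaddress.ip_network(cidr)
        if not any(vpc.version == n.version and vpc.subnet_of(n) for n in nets):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    for client in ("10.0.10.25", "10.0.200.7", "192.168.4.4", "172.16.0.9"):
        print(client, "->", locate_domain_controllers(client))
    print("VPCs without subnet objects:", uncovered_cidrs(["10.0.0.0/16", "10.2.0.0/16"]))
```

Run it as a script to see the two outcomes side by side: addresses inside a defined subnet get the DCs of their site, while 172.16.0.9 falls through to the whole DC list, which in practice can mean cross-Region or cross-VPN authentication traffic. Running uncovered_cidrs over the CIDRs of every VPC that will host domain-joined instances is a cheap pre-deployment check.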

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including the selection of your own private IP address ranges, creation of subnets, and configuration of route tables and network gateways. You can also create a hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC to leverage the AWS Cloud as an extension of your corporate data center.

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment.

AWS Single Sign-On (AWS SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally.

AWS Transit Gateway is a service that enables customers to connect their VPCs and their on-premises networks to a single gateway.

Domain controller (DC). An Active Directory server that responds to authentication requests and stores a replica of the Active Directory database.

Flexible Single Master Operation (FSMO) roles. In Active Directory, some critical updates are performed by a designated domain controller with a specific role and then replicated to all other DCs. Active Directory uses roles that are assigned to DCs for these special tasks. Refer to the Microsoft documentation website for more information on FSMO roles.

Global Catalog. A global catalog server is a domain controller that stores partial copies of all Active Directory objects in the forest.
It stores a complete copy of all objects in the directory of your domain and a partial copy of all objects of all other forest domains.

Read Only Domain Controller (RODC). Read-only domain controllers (RODCs) hold a copy of the AD DS database and respond to authentication requests, but applications or other servers cannot write to them. RODCs are typically deployed in locations where physical security cannot be provided.

VPC Peering. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network.

Shared responsibility model
When operating in the AWS Cloud, security and compliance is a shared responsibility between AWS and the customer. AWS is responsible for security “of” the cloud, whereas customers are responsible for security “in” the cloud.

Figure 1. Shared Responsibility Model when operating in the AWS Cloud

AWS is responsible for securing its software, hardware, and the facilities where AWS services are located, including securing its computing, storage, networking, and database services. In addition, AWS is responsible for the security configuration of AWS Managed Services, like Amazon DynamoDB, Amazon Relational Database Service (Amazon RDS), Amazon Redshift, Amazon EMR, Amazon WorkSpaces, and so on. Customers are responsible for implementing appropriate access control policies using AWS Identity and Access Management (IAM), configuring AWS Security Groups (firewall) to prevent unauthorized access to ports, and enabling AWS CloudTrail. Customers are also responsible for enforcing appropriate data loss prevention policies to ensure compliance with internal and external policies, as well as detecting and remediating threats arising from stolen account credentials or malicious or accidental misuse of AWS.

If you decide to run your own Active Directory on Amazon EC2 instances, you have full administrative control of the operating system and the Active Directory environment. You can set up custom configurations and create a complex hybrid deployment topology. However, you must operate and support it in the same manner as you do with on-premises Active Directory.

If you use AWS Managed Microsoft AD, AWS provides instance deployment in one or multiple regions, operational management of your directory, monitoring, backup, patching, and recovery services. You configure the service and perform administrative management of users, groups, computers, and policies.

AWS Managed Microsoft AD has been audited and approved for use in deployments that require Federal Risk and Authorization Management (FedRAMP), Payment Card Industry Data Security Standard (PCI DSS), U.S. Health Insurance Portability and Accountability Act (HIPAA), or Service Organizational Control (SOC) compliance. When used with compliance requirements, it is your responsibility to configure the directory password policies and ensure that the entire application and infrastructure deployment meets your compliance requirements. For more information, see Manage Compliance for AWS Managed Microsoft AD.

Directory services options in AWS
AWS provides a comprehensive set of services and tools for deploying Microsoft Windows workloads on its reliable and secure cloud infrastructure. AWS Active Directory Connector (AD Connector) and AWS Managed Microsoft AD are fully managed services that allow you to connect AWS applications to an existing Active Directory or host a new Active Directory in the cloud.
Together with the ability to deploy self-managed Active Directory in Amazon EC2 instances, these services cover all cloud and hybrid scenarios for enterprise identity services.

AD Connector
AD Connector can be used in the following scenarios:
- Sign in to AWS applications, such as Amazon Chime, Amazon WorkDocs, Amazon WorkMail, or Amazon WorkSpaces, using corporate credentials. (See the list of compatible applications on the AWS Documentation site.)
- Enable access to the AWS Management Console with AD credentials. For large enterprises, AWS recommends using AWS Single Sign-On.
- Enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure.
- Join Windows EC2 instances to your on-premises Active Directory.

Note: Amazon RDS for SQL Server and Amazon FSx for Windows File Server are not compatible with AD Connector. Amazon RDS for SQL Server is compatible with AWS Managed Microsoft AD only. Amazon FSx for Windows File Server can be deployed with AWS Managed Microsoft AD or self-managed Active Directory.

AWS Managed Microsoft Active Directory
AWS Directory Service lets you run Microsoft Active Directory as a managed service. By default, each AWS Managed Microsoft AD has a minimum of two domain controllers, each deployed in a separate Availability Zone (AZ) for resiliency and fault tolerance. All domain controllers are exclusively yours, with nothing shared with any other AWS customer. AWS provides operational management to monitor, update, back up, and recover domain controller instances. You administer users, groups, computers, and group policies using standard Active Directory tools from a Windows computer joined to the AWS Managed Microsoft AD domain.

AWS Managed Microsoft AD preserves the Windows single sign-on (SSO) experience for users who access AD DS integrated applications in a hybrid IT environment. With AD DS trust support, your users can sign in once on-premises and access Windows workloads running on-premises and in the cloud. You can optionally expand the scale of the directory by adding domain controllers, thereby enabling you to distribute requests to meet your performance requirements. You can also share the directory with any account and VPC.
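The shared responsibility section above leaves security group configuration to the customer, and that applies equally to the security group in front of self-managed domain controllers on EC2 and to the one AWS Directory Service creates for a managed directory. The added example below (not AWS code) audits a security group for AD ports reachable from outside a set of trusted ranges. The rule structure mirrors the IpPermissions shape returned by `aws ec2 describe-security-groups`, the port list is the standard AD DS port set from Microsoft's port requirements (not taken from this whitepaper), and the security group, group IDs and trusted CIDRs are constructed.

```python
"""Audit an EC2 security group that fronts domain controllers.

Added example for this page, not AWS code. The rule structure mirrors the
IpPermissions shape returned by `aws ec2 describe-security-groups`; the
security group, group ids and trusted ranges below are constructed. The
port list is the standard AD DS port set documented by Microsoft.
"""
import ipaddress

# (protocol, first port, last port, purpose) that AD DS clients and DCs rely on.
AD_PORTS = [
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos"), ("udp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "NTP"),
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP"),
    ("tcp", 445, 445, "SMB"),
    ("tcp", 464, 464, "Kerberos password change"),
    ("udp", 464, 464, "Kerberos password change"),
    ("tcp", 636, 636, "LDAPS"),
    ("tcp", 3268, 3269, "Global Catalog"),
    ("tcp", 49152, 65535, "RPC dynamic range"),
]


def _rule_covers(rule, proto, first, last):
    """True if an inbound rule reaches any port in [first, last] for proto."""
    if rule["IpProtocol"] == "-1":          # "all traffic" rule: no port fields
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= last and rule["ToPort"] >= first


def _is_trusted(cidr, trusted_nets):
    """True if cidr lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)


def exposed_ad_rules(security_group, trusted_cidrs):
    """Return AD ports reachable from sources outside the trusted ranges.

    Each finding is (protocol, purpose, source CIDR), sorted and de-duplicated.
    Sources that are other security groups (UserIdGroupPairs) are left alone:
    they are scoped to specific instances rather than to address ranges.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in security_group["IpPermissions"]:
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        untrusted = [s for s in sources if not _is_trusted(s, trusted)]
        if not untrusted:
            continue
        for proto, first, last, purpose in AD_PORTS:
            if _rule_covers(rule, proto, first, last):
                for src in untrusted:
                    findings.append((proto, purpose, src))
    return sorted(set(findings))


# Constructed security group, shaped like describe-security-groups output.
DC_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder id
    "IpPermissions": [
        # LDAP open to the whole internet: the classic misconfiguration.
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # SMB from the corporate ranges only: acceptable.
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
        # All traffic from a VPC CIDR that is not in the trusted list.
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "172.31.0.0/16"}], "UserIdGroupPairs": []},
        # Kerberos from an application security group: left alone.
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ],
}
TRUSTED = ["10.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    for finding in exposed_ad_rules(DC_SECURITY_GROUP, TRUSTED):
        print("EXPOSED:", finding)
```

The "all traffic" rule is the case worth noticing: a single `-1` rule from an unlisted VPC CIDR lights up every AD port at once, which is how a peered or transit-attached VPC quietly becomes a client of your domain controllers. Feeding the function real output (`aws ec2 describe-security-groups --group-ids ...` parsed as JSON) is a one-line change, since the input shape is the same.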
Multi-Region replication can be used to automatically replicate your AWS Managed Microsoft AD directory data across multiple Regions so you can improve performance for users and applications in dispersed geographic locations. AWS Managed Microsoft AD uses native AD replication to replicate your directory’s data securely to the new Region. Multi-Region replication is only supported for the Enterprise Edition of AWS Managed Microsoft AD.

AWS Managed Microsoft AD enables you to forward all domain controllers’ Windows Security event logs to Amazon CloudWatch, giving you the ability to monitor your use of the directory and any administrative intervention performed in the course of AWS operating the service. It is also approved for applications in the AWS Cloud that are subject to compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Federal Risk and Authorization Management (FedRAMP), or Service Organizational Control (SOC), when you enable compliance for your directory. You can also tailor security with features that enable you to manage password policies and enable secure LDAP communications through Secure Socket Layer (SSL)/Transport Layer Security (TLS). You can also enable multi-factor authentication (MFA) for AWS Managed Microsoft AD. This authentication provides an additional layer of security when users access AWS applications from the internet, such as Amazon WorkSpaces or Amazon QuickSight.

AWS Managed Microsoft AD enables you to extend your schema and perform LDAP write operations. These features, combined with advanced security features such as Kerberos Constrained Delegation and Group Managed Service Accounts, provide the greatest degree of compatibility for Active Directory aware applications, like Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and many .NET applications. Because Active Directory is an LDAP directory, you can also use AWS Managed Microsoft AD for Linux Secure Shell (SSH) authentication and other LDAP-enabled applications. The full list of supported AWS applications is available on the AWS Documentation site.

AWS Managed Microsoft AD runs actual Windows Server 2012 R2 Active Directory Domain Services and operates at the 2012 R2 functional level. AWS Managed Microsoft AD is available in two editions: Standard and Enterprise. These editions have different storage capacity; Enterprise Edition also has multi-region features.

Edition | Storage capacity | Approximate number of objects that can be stored* | Approximate number of users in domain*
Standard | 1 GB | 30,000 | Up to 5,000 users
Enterprise | 17 GB | 500,000 | Over 5,000 users

* The number of objects varies based on type of objects, schema extensions, number of attributes, and data stored in attributes.
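Forwarding the domain controllers' Security event logs to CloudWatch only pays off if something reads them. The added example below (not AWS code) is a small triage routine for the events a directory owner who lacks Domain Admin rights most wants to see: account creation, password resets, lockouts, and membership changes to privileged groups. The Windows event IDs are the standard Security audit IDs; the pipe-separated line format, the group list and the sample events are constructed for the example and are simpler than what the real log subscription delivers, so a production version needs its own field extraction.

```python
"""Triage Windows Security events forwarded from AWS Managed Microsoft AD.

Added example for this page, not AWS code. The event IDs are the standard
Windows Security audit IDs; the 'ts|eventid|key=value|...' line format, the
privileged group list and the sample events are constructed for the example.
"""

# Windows Security event IDs worth reviewing in a directory you do not fully administer.
WATCHED_EVENTS = {
    4720: "user account created",
    4724: "password reset attempted",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4740: "user account locked out",
    4756: "member added to security-enabled universal group",
}
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}

# Groups whose membership changes should always be reviewed (constructed list;
# adjust to the delegated groups actually in use).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "AWS Delegated Administrators"}


def parse_line(line):
    """Parse a constructed 'ts|eventid|key=value|...' line into a dict, or None."""
    parts = line.strip().split("|")
    if len(parts) < 2 or not parts[1].isdigit():
        return None
    event = {"ts": parts[0], "id": int(parts[1])}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key.lower()] = value
    return event


def triage(lines):
    """Return (severity, timestamp, summary) for each event worth a look.

    'high'   : membership change to a privileged group
    'low'    : membership change to any other group
    'medium' : the remaining watched events (creation, reset, lockout)
    Events outside WATCHED_EVENTS and unparseable lines are dropped.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["id"] not in WATCHED_EVENTS:
            continue
        summary = f"{WATCHED_EVENTS[ev['id']]} by {ev.get('subject', '?')}"
        severity = "medium"
        if ev["id"] in GROUP_CHANGE_EVENTS:
            # Target looks like DOMAIN\Group; keep the group name only.
            group = ev.get("target", "").split("\\")[-1]
            summary += f": {ev.get('member', '?')} added to {ev.get('target', '?')}"
            severity = "high" if group in PRIVILEGED_GROUPS else "low"
        findings.append((severity, ev["ts"], summary))
    return findings


# Constructed sample of forwarded events (one record per line).
SAMPLE_LOG = [
    r"2020-11-20T09:58:11Z|4624|Subject=CORP\jdoe|LogonType=3",
    r"2020-11-20T10:01:02Z|4728|Subject=CORP\jdoe|Target=CORP\Domain Admins|Member=CN=svc-backup,OU=Service,DC=corp,DC=example",
    r"2020-11-20T10:03:45Z|4728|Subject=CORP\hr-admin|Target=CORP\Sales|Member=CN=asmith,OU=Users,DC=corp,DC=example",
    r"2020-11-20T10:05:00Z|4720|Subject=CORP\hr-admin|Target=CORP\bjones",
    r"2020-11-20T10:07:30Z|4756|Subject=CORP\ops1|Target=CORP\AWS Delegated Administrators|Member=CN=ops2,OU=Users,DC=corp,DC=example",
    "this line is not an event",
]

if __name__ == "__main__":
    for severity, ts, summary in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {ts} {summary}")
```

The routine deliberately keeps the low-severity group changes rather than discarding them: in a managed directory where AWS staff hold the Domain Admin role, a baseline of who changes which groups is what makes an unexpected high-severity change stand out.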

Note: AWS Domain Administrators have full administrative access to all domains hosted on AWS. See your agreement with AWS and the AWS Data Privacy FAQ for more information about how AWS handles content that you store on AWS systems, including directory information. You do not have Domain or Enterprise Admin permissions and rely on delegated groups for administration.

AWS Managed Microsoft AD can be used for the following scenarios: managing access to the AWS Management Console and cloud services, joining EC2 Windows instances to Active Directory, deploying Amazon RDS databases with Windows authentication, using FSx for Windows File Server, and signing in to productivity tools like Amazon Chime and Amazon WorkSpaces. For more information on this solution, see Design consideration for AWS Managed Microsoft Active Directory in this document.

Active Directory on EC2
If you prefer to extend your Active Directory to AWS and manage it yourself for flexibility or other reasons, you have the option of running Active Directory on EC2. For more information, see Design considerations for running Active Directory on EC2 instances in this document.

Comparison of Active Directory Services on AWS
The following table compares the features and functions between the various Directory Services options available on AWS. Many features are not applicable directly to AWS AD Connector, because it acts only as a proxy to the existing Active Directory domain.

Function | AWS AD Connector | AWS Managed Microsoft AD | Active Directory on EC2
Managed service | yes | yes | no
Multi-Region deployment | n/a | yes, Enterprise Edition | yes
Share directory with multiple accounts | no | yes | no
Supported by AWS applications (Amazon Chime, Amazon WorkSpaces, AWS Single Sign-On, etc.) | yes | yes | yes (through federation or AD Connector)
