Disclaimer: This is a personal weblog. The opinions expressed here represent my own and not those of my employer.
Within the AWS Cloud, there are a few ways to connect cloud-hosted resources to a Microsoft Active Directory environment. Typically, administrators are in the habit of configuring Windows Servers, adding the Active Directory Domain Services role, and then building and managing the domain forest themselves. The ongoing management tasks then include the Windows VM or instance itself, such as Windows operating system patching. While this is entirely possible and supported, personally, I’m a fan of eliminating mundane and irrelevant (where it makes sense) management tasks. In this blog post, we’ll examine the AWS Managed Microsoft Active Directory (AD) offering.
AWS Managed Microsoft Active Directory
AWS Directory Service allows you to run Microsoft Active Directory (AD) as a managed service within the AWS Cloud. AWS Managed Microsoft AD runs on the reliable Windows Server 2012 R2 platform (Windows Server 2012 R2 domain functional level). The underlying AD infrastructure is 100% managed by AWS, which makes deployment and management extremely simple. Administrators remain responsible for managing applications, domain-joined computer objects (Windows and Linux), users, groups and Group Policy Objects. By default, AWS Managed Microsoft AD is deployed as a highly available pair of Windows Server 2012 R2 domain controllers. These domain controllers are placed within an existing Virtual Private Cloud (VPC), and by default they run in different Availability Zones within an AWS Region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are automatically configured and managed for you.
This blog post will focus on the use cases and day 1 operations including the initial setup & configuration of the AWS Managed Active Directory.
AWS Managed AD Use Cases
Use cases are important, especially when administrators consider whether or not a solution is valid for their environment. We’ll take a closer look at these use cases in subsequent blog posts, as this topic is one of extreme interest to me, especially since I’ve talked with several people who are interested in connecting an existing on-premises AD infrastructure to an AWS Managed AD environment.
Image courtesy of Amazon Web Services @ https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_use_cases.html
- Use Case 1: Sign In to AWS Applications and Services with AD Credentials
- Use Case 2: Manage Amazon EC2 Instances
- Use Case 3: Provide Directory Services to Your AD-Aware Workloads
- Use Case 4: SSO to Office 365 and Other Cloud Applications
- Use Case 5: Extend Your On-Premises AD to the AWS Cloud
- Use Case 6: Share Your Directory to Seamlessly Join Amazon EC2 Instances to a Domain Across AWS Accounts
Setup & Initial Configuration
AWS Managed Active Directory is easily accessed, set up and managed through the AWS Management Console within the Security, Identity and Compliance portion of the UI. In my environment I’ve set up and deployed AWS Managed AD within the US West Region, while resources in other regions can be managed by it too; to achieve this I have set up VPC Peering between multiple AWS regions. As previously mentioned, by default two Windows Server 2012 R2 domain controllers are deployed in different Availability Zones, and they can easily be scaled out after the initial deployment. The deployment process relies upon an existing VPC and subnets within the Region of your choice. A basic prerequisite is that the two VPC subnets must be in different Availability Zones. The required ports will automatically be included in a security group created for the directory, which allows communication between these subnets.
1.) Choose AWS Managed Microsoft AD:
2.) Enter your directory information. Note: there are two editions, Standard and Enterprise. Each edition has an associated base cost per month as well as an additional cost for each additional domain controller. Standard Edition is sized to host approximately 30K objects, whereas Enterprise Edition is sized to host approximately 500K objects.
3.) Choose VPC & subnets:
The deployment takes a few minutes, but at the end you’ll be left with a fully managed instance of Microsoft Active Directory!
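The same three console steps can be scripted with the AWS CLI, which is handy when the directory is part of a repeatable build. The script below is an added example written for this post; it is not the original post's content nor an AWS-published script. It assumes AWS CLI v2 with working credentials, and that VPC_ID, SUBNET_A, SUBNET_B, DIRECTORY_NAME and ADMIN_PASSWORD are supplied through the environment (hypothetical variable names chosen here). Before calling `aws ds create-microsoft-ad` it enforces the prerequisite stated above: the two subnets must sit in different Availability Zones, otherwise the "highly available pair" is not actually spread across zones.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create an AWS Managed Microsoft AD
# with the AWS CLI after checking that the two subnets are in distinct AZs.
# Assumes AWS CLI v2 with credentials, and these environment variables
# (hypothetical names): VPC_ID SUBNET_A SUBNET_B DIRECTORY_NAME ADMIN_PASSWORD
# Optional: EDITION (Standard|Enterprise, default Standard), RUN_DEPLOY=1 to execute.
set -euo pipefail

# Return 0 when the whitespace-separated list of AZ names has no duplicates
# and is non-empty; return 1 otherwise. Pure function, no AWS calls.
distinct_azs() {
  local azs="$1"
  [ -n "$azs" ] || return 1
  local total unique
  total=$(printf '%s\n' $azs | wc -l | tr -d ' ')
  unique=$(printf '%s\n' $azs | sort -u | wc -l | tr -d ' ')
  [ "$unique" -eq "$total" ]
}

# Look up the Availability Zone of each subnet ID passed as an argument
# (real AWS CLI call; prints the AZ names separated by tabs).
subnet_azs() {
  aws ec2 describe-subnets --subnet-ids "$@" \
    --query 'Subnets[].AvailabilityZone' --output text
}

# Request the directory. The two subnets become the homes of the two
# domain controllers; prints the new DirectoryId.
create_managed_ad() {
  local name="$1" password="$2" vpc="$3" subnet_a="$4" subnet_b="$5"
  local edition="${6:-Standard}"
  aws ds create-microsoft-ad \
    --name "$name" \
    --password "$password" \
    --edition "$edition" \
    --vpc-settings "VpcId=$vpc,SubnetIds=$subnet_a,$subnet_b" \
    --query 'DirectoryId' --output text
}

main() {
  local azs dir_id
  azs=$(subnet_azs "$SUBNET_A" "$SUBNET_B")
  if ! distinct_azs "$azs"; then
    echo "refusing to deploy: $SUBNET_A and $SUBNET_B must be in different AZs (got: $azs)" >&2
    return 1
  fi
  dir_id=$(create_managed_ad "$DIRECTORY_NAME" "$ADMIN_PASSWORD" "$VPC_ID" \
                             "$SUBNET_A" "$SUBNET_B" "${EDITION:-Standard}")
  echo "directory $dir_id requested; poll with:"
  echo "  aws ds describe-directories --directory-ids $dir_id --query 'DirectoryDescriptions[0].Stage'"
}

# Only deploy when explicitly asked, so the helper functions can be sourced and tested.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_DEPLOY=1 VPC_ID=vpc-... SUBNET_A=subnet-... SUBNET_B=subnet-... DIRECTORY_NAME=corp.example.com ADMIN_PASSWORD='...' ./create-ad.sh` and then poll `describe-directories` until `Stage` reports `Active`. One caveat worth keeping in mind: the Admin password is passed on the command line here, where it is visible to other local users via the process list and may land in shell history; on a shared build host, supply the parameters from a permission-restricted file with `--cli-input-json file://params.json` instead.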
In the next blog post we’ll take a look at day 2 and ongoing operations, including adding computers to the managed AD environment, Group Policy and a few other common tasks.