Public Sector Summit, Washington D.C.
Microsoft Active Directory Deep Dive
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What to expect from the session
• Active Directory in the cloud
• How Active Directory is used – why Active Directory is important in the cloud
• Deployment options – supporting Windows workloads in the cloud
• Managed Active Directory use cases – with AMAD or customer-managed AD
• How to choose – considerations for selection
• Trusts – domain or forest
• Security logging – CloudWatch Logs
• Managed Active Directory sharing
How Active Directory authentication works across the spectrum
[Diagram: users, applications and a database authenticating against Active Directory. Flows shown: user AuthN / group membership / login scripts; Kerberos AuthN; federated AuthN (SAML); Kerberos AuthZ; domain join / machine AuthN / GPO / LDAP.]
What if you migrate these parts to AWS?
[Diagram: the same flows with the application tier on Amazon EC2, data in Amazon DynamoDB and RDS for SQL Server, and desktops on Amazon WorkSpaces; a question mark marks how the Active Directory dependencies (Kerberos AuthN/AuthZ, federated AuthN (SAML), domain join / machine AuthN / GPO / LDAP) are served once those parts move.]
Why Active Directory is important in the cloud
[Figure: migration path. Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017]
AWS Active Directory options
• Simple Active Directory
  • Microsoft Active Directory–compatible directory powered by Samba 4; supports common Active Directory features.
  • When to use: when there are 5,000 or fewer users and you don’t need the more advanced Microsoft Active Directory features.
• AWS Managed Microsoft Active Directory
  • Enterprise Edition.
  • When to use: when there are 5,000 users and you need a trust relationship between an AWS-hosted directory and your on-premises directories.
• Active Directory on EC2
  • Another domain controller in an existing domain/forest.
Deployment options – supporting Windows workloads in the cloud
Active Directory (AD) options – on premises
• Create a VPN or AWS Direct Connect link to your VPC.
• Manually join EC2 instances to the customer-managed AD.
• Automatically join EC2 instances to the customer-managed AD using AD Connector.
• Use the VPC as an extension of your network.
• Security considerations?
• Latency considerations?
[Diagram, option 1: on-premises Windows Server domain controller (AD) – you manage.]
Example: on-premises Active Directory
[Diagram: two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) hosting a SQL Server (DB), application server (APP) and IIS server (WEB) tier. The domain controllers stay in the corporate data center; the VPC reaches them for Auth/LDAP over VPN or Direct Connect, and remote users/admins come in through the data center.]
Active Directory options – EC2 self-managed
Your responsibilities:
• Availability deployment strategy
• EC2 domain controller configuration
• DNS configuration
• Sites and Services configuration
• Monitoring
• Domain controller recovery
• Backup
• Restore
• Security group configuration
• EC2 domain joining
• Patch Tuesday management
AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
[Diagram, option 1: on-premises Windows Server domain controller (AD) – you manage. Option 2: EC2 for Windows Server domain controller (AD) in a VPC – you manage.]
Example: Active Directory on EC2 with replication, Active Directory trust, or sync
[Diagram: the same two-AZ layout (private subnets 10.0.2.0/24 and 10.0.3.0/24 with SQL Server, application server and IIS server tiers), now with domain controllers running on EC2 inside the VPC and serving Auth/LDAP locally. The EC2 domain controllers connect to the corporate data center's domain controllers over VPN or Direct Connect by trust or replication; remote users/admins come in through the data center.]
Active Directory options – AWS manages
[Diagram, option 1: on-premises Windows Server DC (AD) – you manage. Option 2: EC2 for Windows Server DC (AD) in a VPC – you manage. Option 3: AMAD behind a VPC endpoint – AWS manages.]
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”.
AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
Example: AMAD with Active Directory trust to on premises
[Diagram: two Availability Zones with private subnets 10.0.2.0/24 and 10.0.3.0/24 hosting application server (APP) and IIS server (WEB) tiers; the database tier is RDS for SQL Server (AWS Managed Services). AMAD domain controllers (AWS Managed Services) serve Auth/LDAP inside the VPC and hold a trust with the corporate data center's domain controllers over VPN or Direct Connect; remote users/admins come in through the data center.]
Active Directory options – AWS Microsoft Active Directory
• Windows Server 2012 R2 domain controllers, ~3-click setup
• Minimum of 2 DCs, each in a different Availability Zone (AZ)
• Add more DCs as needed
• Standalone, or connected to your Active Directory with trusts
• AWS apps and services integration:
  • EC2 seamless domain join
  • RDS for SQL Server authentication and authorization
  • Amazon WorkSpaces, Amazon QuickSight Enterprise Edition, Amazon Chime Plus/Pro provisioning and authentication, AWS Single Sign-On
[Diagram: AMAD behind a VPC endpoint – AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”.]
AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
Active Directory options – AWS Microsoft Active Directory
Some constraints:
• AWS is the domain admin. You get an OU and delegated admin over that OU.
• Conservative delegated permissions to your OU admin account: application enablement limits some apps, and some admin functions are not available.
Amazon responsibilities – operate: multi-AZ deployment, patching, monitoring, domain controller recovery, snapshot, and restore.
Your responsibilities – administer: administration through Active Directory Users and Computers (ADUC) and other standard Active Directory tools; administer users, groups, GPOs and other Active Directory content.
[Diagram: AMAD behind a VPC endpoint – AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”.]
Active Directory options – connecting Active Directory in the cloud to on-premises Active Directory
[Diagram of three connection models:
1. Replication – your DCs only: an on-premises Windows Server DC (AD) replicating with an EC2 for Windows Server DC (AD) in the VPC.
2. 1-way or 2-way trust – your DCs or AMAD: an on-premises Windows Server DC (AD) trusting an EC2 for Windows Server DC or AMAD in the VPC.
3. Sync users to Azure – an on-premises or VPC Windows Server DC or AMAD (AD) syncing users to Azure AD (AAD) for O365.]
AWS Managed Microsoft AD use cases
[Diagram: AWS Managed Microsoft AD serving traditional AD applications – Remote Desktop Licensing, .NET apps, SharePoint, SQL Server, Certificate Services – through domain join and management with Group Policy.]
AWS Managed Microsoft AD use cases
[Diagram: AWS Managed Microsoft AD as the user directory for compatible AWS applications and services – Amazon Connect, Amazon WorkMail, Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon QuickSight, Amazon Chime – and for traditional AD applications (Remote Desktop Licensing, .NET apps, SharePoint, SQL Server, Certificate Services).]
Learn more: https://aws.amazon.com/directoryservice
AWS Managed Microsoft AD use cases
[Diagram: the same compatible AWS applications and traditional AD applications, now with Microsoft tools for web applications: AD FS and Azure AD Connect in front of AWS Managed Microsoft AD, with pass-through to Azure AD.]
AWS Managed Microsoft AD use cases
[Diagram: the same compatible AWS applications and traditional AD applications, now also using AWS SSO with web applications (SAML) alongside the Microsoft tools (AD FS, Azure AD Connect syncing to Azure AD).]
AWS Managed Microsoft AD use cases
[Diagram, full picture: AWS Managed Microsoft AD extends an existing Active Directory, serves as the user directory for compatible AWS applications and traditional AD applications, feeds AWS SSO (SAML) for web applications, and syncs to Azure AD through Azure AD Connect / AD FS for Microsoft tools with web applications.]
How to choose – Considerations for selection
Deployment differences

| | AMAD | EC2 Active Directory instances | On-premises Active Directory |
|---|---|---|---|
| Operation management | + AWS managed in the cloud | – Customer managed in the cloud | – Customer managed, own hardware |
| Availability | + Built-in redundancy and replication | – Customer must design for high availability | – Customer must design for high availability |
| Networking | Trust¹ ports from cloud to on premises (least exposed) | Trust¹ or replication² ports from cloud to on-premises Active Directory | – Open ports to support cloud to on-premises Active Directory³ (most exposed) |
| Admin control | Designated OU control; some apps unsupported | + Full control | + Full control |

¹ If you use a trust to on premises, open ports from domain controllers to on-premises domain controllers are needed.
² Active Directory replication requires more open ports than forest trusts, but is limited to DC-to-DC communications.
³ Ports for domain joining, Active Directory interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access.
How to select an Active Directory option
AMAD:
• Minimize cost and effort to run Active Directory
• RDS for SQL Server¹
• AWS enterprise applications¹
• Windows workloads on EC2²
EC2 Active Directory instances:
• Require a replicated, multi-region Active Directory solution
• Need NetBIOS name resolution support
• Require permissions not yet delegated by AWS Microsoft Active Directory³ – for example, Exchange, SharePoint, SQL Server AlwaysOn Availability Groups
On-premises Active Directory:
• Require access to Active Directory for minimal EC2 instances
• Latency to Active Directory over an on-premises link is acceptable
• Comfortable with connectivity availability to on-premises Active Directory
¹ RDS for SQL, Amazon WorkSpaces, Amazon QuickSight, and Amazon Chime require trusts only if users are on premises via trust.
² This is subject to delegation constraints (for example, managed service account creation).
³ AWS is adding more delegations and application enablement over time.
Deployment differences – which connection model?

| | AMAD with sync | AMAD with trust | EC2 Active Directory with sync | EC2 Active Directory with trust | EC2 Active Directory replicated | On premises |
|---|---|---|---|---|---|---|
| App access: SSO to cloud | No | Yes | No | Yes | Yes | Yes |
| Complexity/effort: EC2 seamless domain join | Yes | Yes | No | No | No | No |
| Complexity/effort: domain controller configuration | Medium | Low | Highest | High | High | None |
| Complexity/effort: incremental maintenance | High | Low | Highest | Low | Medium | None |
| Complexity/effort: incremental system | Medium | Low | Highest | High | High | None |
| Complexity/effort: incremental entitlement | High | Low | High | Low | None | None |
| Complexity/effort: Sites and Services | No | No | No | No | Yes | None |

Legend (colour coding on the original slide): Untested / Recommended / If necessary
Trusts
[Diagram: two Active Directory domains joined by a trust. Access across the trust still requires permissions on the resource in the trusting domain.]
Forests, domains, tree domains
[Diagram: a multi-domain forest with a root domain, three child domains, a tree root domain and a tree child domain, beside AWS Managed Microsoft AD, which is a single-domain forest (one root domain).]
AWS Managed Microsoft AD forest trust support
[Diagram: the same multi-domain forest; a forest trust connects its root domain to the AWS Managed Microsoft AD single-domain forest.]
AWS Managed Microsoft AD domain trust support
[Diagram: the same multi-domain forest; two domain trusts connect individual domains of that forest directly to the AWS Managed Microsoft AD single-domain forest.]
AWS Managed Microsoft AD mixed trust support
[Diagram: the same multi-domain forest; a forest trust from its root domain and a domain trust from one of its other domains both connect to the AWS Managed Microsoft AD single-domain forest.]
Securing trusts
• Leave SID filtering on when you set up the on-premises side of a trust.
• Turn on selective authentication on the on-premises side of a trust.
  • https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
• Only permit Active Directory trust ports to the domain controllers in the cloud.
  • https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
• For cloud-client-to-Active Directory, only permit Active Directory authentication ports to on-premises Active Directory. Minimize all other ports from cloud to on premises (for example, Amazon WorkSpaces login using on-premises credentials).
  • https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
• Don’t grant groups in the cloud access to on-premises resources.
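The first two checklist items (SID filtering stays on, selective authentication goes on) are stored as bits in the trustAttributes value of each trustedDomain object, so they can be audited rather than taken on faith. The script below is an added example and not part of the deck or of any AWS tooling: it decodes those bits using the flag values documented in MS-ADTS section 6.1.6.7.9, applies them only where they matter (the outbound side, where remote principals reach local resources), and reports which items a trust violates. The trust records are constructed; in a real audit you would read them from the on-premises domain (`Get-ADTrust -Filter *`, or LDAP under CN=System) and feed them in.

```python
"""Audit trust objects against the trust-hardening checklist above.

Added example, not code from the original deck. It decodes trustAttributes and
trustDirection (flag values from MS-ADTS 6.1.6.7.9) for each trustedDomain object
and lists the checklist items a trust violates. SAMPLE_TRUSTS are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# trustAttributes bit flags (MS-ADTS 6.1.6.7.9)
NON_TRANSITIVE = 0x00000001
QUARANTINED_DOMAIN = 0x00000004   # SID filtering on an external (non-forest) trust
FOREST_TRANSITIVE = 0x00000008    # the trust is a forest trust
CROSS_ORGANIZATION = 0x00000010   # selective authentication
WITHIN_FOREST = 0x00000020        # parent/child or tree-root trust inside one forest
TREAT_AS_EXTERNAL = 0x00000040    # relaxes SID filtering on a forest trust

# trustDirection values, seen from the domain that holds the object
INBOUND = 1        # the remote domain trusts this one
OUTBOUND = 2       # this domain trusts the remote one: remote principals reach our resources
BIDIRECTIONAL = 3


@dataclass
class Trust:
    partner: str      # trustPartner: DNS name of the remote domain or forest
    attributes: int   # trustAttributes
    direction: int    # trustDirection


def audit_trust(trust: Trust) -> List[str]:
    """Return the checklist items this trust violates; an empty list means compliant."""
    attrs = trust.attributes
    findings: List[str] = []

    if attrs & WITHIN_FOREST:
        return findings   # intra-forest trusts are out of scope for the checklist

    # SID filtering and selective authentication protect the trusting side's
    # resources, so on this object they only matter when the trust has an
    # outbound component (remote principals can authenticate to resources here).
    if not trust.direction & OUTBOUND:
        return findings

    if attrs & FOREST_TRANSITIVE:
        # Forest trusts filter SIDs by default; TREAT_AS_EXTERNAL, which
        # `netdom trust ... /enablesidhistory:yes` sets, relaxes that.
        if attrs & TREAT_AS_EXTERNAL:
            findings.append("SID filtering relaxed on forest trust (TREAT_AS_EXTERNAL set)")
    elif not attrs & QUARANTINED_DOMAIN:
        # External trusts filter SIDs only while quarantined (`netdom trust ... /quarantine:yes`).
        findings.append("SID filtering off on external trust (QUARANTINED_DOMAIN not set)")

    if not attrs & CROSS_ORGANIZATION:
        findings.append("selective authentication off (CROSS_ORGANIZATION not set)")
    return findings


def audit_all(trusts: List[Trust]) -> Dict[str, List[str]]:
    """Map each trust partner to its findings, keeping only non-compliant trusts."""
    report = {t.partner: audit_trust(t) for t in trusts}
    return {partner: f for partner, f in report.items() if f}


# Constructed sample: what an on-premises forest root might hold after an AWS migration.
SAMPLE_TRUSTS = [
    # two-way forest trust to the AMAD forest, set up as the checklist recommends
    Trust("aws.corp.example", FOREST_TRANSITIVE | CROSS_ORGANIZATION, BIDIRECTIONAL),
    # old external trust created with every safeguard off
    Trust("legacy.example.net", NON_TRANSITIVE, OUTBOUND),
    # forest trust where someone enabled SID history and skipped selective authentication
    Trust("partner.example.org", FOREST_TRANSITIVE | TREAT_AS_EXTERNAL, BIDIRECTIONAL),
    # child domain of our own forest: not subject to the checklist
    Trust("child.corp.example", WITHIN_FOREST, BIDIRECTIONAL),
    # inbound-only trust: the other side holds the resources, nothing to enforce here
    Trust("vendor.example.com", NON_TRANSITIVE, INBOUND),
]

if __name__ == "__main__":
    for partner, findings in audit_all(SAMPLE_TRUSTS).items():
        print(partner)
        for finding in findings:
            print("  -", finding)
```

Run as-is it reports only legacy.example.net and partner.example.org; the inbound-only and intra-forest trusts are deliberately skipped rather than reported as clean, because their safeguards live on the other side's trustedDomain object.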
Security event logging to Amazon CloudWatch
[Screenshot: enabling log forwarding for the directory – use an existing log group or create a new one.]
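The console step above has an API equivalent, and once the Security event log of the managed domain controllers lands in CloudWatch Logs the obvious first detection is failed-logon bursts per source. The script below is an added example, not part of the deck or of AWS tooling: `ensure_log_subscription` performs the use-existing-or-create-new decision with the real CloudWatch Logs and Directory Service calls (DescribeLogGroups, CreateLogGroup, CreateLogSubscription), with the boto3 clients passed in so the flow also runs here against the in-memory stand-ins defined at the bottom; `failed_logon_bursts` then counts Windows Security events 4625 and 4771 per source address. The directory id, log group name and SAMPLE_LINES are constructed, and the lines are simplified to one line per event; forwarded events are the multi-line text of Windows Security events, so EVENT_RE has to be adapted to what actually lands in your log group.

```python
"""Forward AWS Managed Microsoft AD security events to CloudWatch Logs and run a
first detection over them.

Added example, not code from the original deck. API calls are the real ones
(logs:DescribeLogGroups, logs:CreateLogGroup, ds:CreateLogSubscription); the
clients are injected. SAMPLE_LINES and the ids are constructed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List


def ensure_log_subscription(ds, logs, directory_id: str, log_group: str) -> str:
    """Use an existing log group or create a new one, then subscribe the directory.

    Returns "existing" or "created" so the caller knows what happened to the group.
    """
    resp = logs.describe_log_groups(logGroupNamePrefix=log_group)
    names = {g["logGroupName"] for g in resp.get("logGroups", [])}
    if log_group in names:
        outcome = "existing"
    else:
        logs.create_log_group(logGroupName=log_group)
        outcome = "created"
    # From here on the directory's domain controllers forward their Security event
    # log to the group. The group also needs a resource policy that lets the
    # ds.amazonaws.com service principal write to it (the console adds it for you).
    ds.create_log_subscription(DirectoryId=directory_id, LogGroupName=log_group)
    return outcome


# Windows Security event IDs that signal a failed logon: 4625 (logon failure)
# and 4771 (Kerberos pre-authentication failed, the Kerberos-side bad password).
FAILED_LOGON_IDS = {"4625", "4771"}

# Constructed line shape: "<timestamp> <dc> EventID=<id> Account=<user> Source=<ip>"
EVENT_RE = re.compile(r"EventID=(?P<event_id>\d+)\s+Account=(?P<account>\S+)\s+Source=(?P<source>\S+)")


def parse_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Pull event id, account and source address out of each line that matches."""
    return [m.groupdict() for m in map(EVENT_RE.search, lines) if m]


def failed_logon_bursts(lines: Iterable[str], threshold: int = 5) -> Dict[str, Dict[str, int]]:
    """Sources with at least `threshold` failed logons, and the accounts they tried.

    Many accounts from one source is the password-spraying shape; one account many
    times is a brute-force attempt. Either way the source address is the pivot.
    """
    per_source: Dict[str, Counter] = defaultdict(Counter)
    for ev in parse_events(lines):
        if ev["event_id"] in FAILED_LOGON_IDS:
            per_source[ev["source"]][ev["account"]] += 1
    return {src: dict(c) for src, c in per_source.items() if sum(c.values()) >= threshold}


class FakeLogsClient:
    """Offline stand-in for boto3's CloudWatch Logs client (the two calls used here)."""
    def __init__(self, existing=()):
        self.groups = list(existing)

    def describe_log_groups(self, logGroupNamePrefix=""):
        return {"logGroups": [{"logGroupName": g} for g in self.groups if g.startswith(logGroupNamePrefix)]}

    def create_log_group(self, logGroupName):
        self.groups.append(logGroupName)
        return {}


class FakeDsClient:
    """Offline stand-in for boto3's Directory Service client (the one call used here)."""
    def __init__(self):
        self.subscriptions = []

    def create_log_subscription(self, DirectoryId, LogGroupName):
        self.subscriptions.append((DirectoryId, LogGroupName))
        return {}


SAMPLE_LINES = [  # constructed: six accounts sprayed from one host, plus background noise
    "2019-06-11T14:03:22Z DC1 EventID=4625 Account=jsmith Source=10.0.2.15",
    "2019-06-11T14:03:23Z DC1 EventID=4625 Account=mjones Source=10.0.2.15",
    "2019-06-11T14:03:24Z DC2 EventID=4771 Account=akhan Source=10.0.2.15",
    "2019-06-11T14:03:25Z DC1 EventID=4625 Account=bwu Source=10.0.2.15",
    "2019-06-11T14:03:26Z DC2 EventID=4771 Account=clee Source=10.0.2.15",
    "2019-06-11T14:03:27Z DC1 EventID=4625 Account=dgarcia Source=10.0.2.15",
    "2019-06-11T14:03:30Z DC1 EventID=4624 Account=jsmith Source=10.0.3.7",
    "2019-06-11T14:03:31Z DC1 EventID=4625 Account=jsmith Source=10.0.3.7",
    "2019-06-11T14:05:02Z DC2 EventID=4771 Account=svc-backup Source=10.0.2.40",
    "2019-06-11T14:05:03Z DC2 EventID=4771 Account=svc-backup Source=10.0.2.40",
]

if __name__ == "__main__":
    # Placeholders; for real use pass boto3.client("ds") and boto3.client("logs").
    logs = FakeLogsClient(existing=["/aws/directoryservice/d-0000000000"])
    ds = FakeDsClient()
    print(ensure_log_subscription(ds, logs, "d-0000000000", "/aws/directoryservice/d-0000000000"))
    print(failed_logon_bursts(SAMPLE_LINES))
```

With the default threshold only 10.0.2.15 is reported; lowering it to 2 also surfaces the repeated 4771 for svc-backup from 10.0.2.40, which is the usual stale-credential-on-a-scheduled-task noise and a reason to keep the threshold per environment rather than hard-coded.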
Cross-account sharing
Communication paths to AWS Managed Microsoft AD
[Diagram: three domain controllers (DC1, DC2, DC3) in an AWS-managed VPC, reached from customer VPC1 in account A by Amazon WorkSpaces, RDS for SQL Server, EC2, Amazon Connect, Amazon WorkMail, Amazon WorkDocs, Amazon QuickSight, Amazon Chime and AWS SSO. Paths: discover DCs, domain join, read; the AWS services additionally use AWS internal DC APIs.]
Internal DC APIs inaccessible in other accounts
[Diagram: the same account A setup; an EC2 instance in customer VPC2 in account B reaches DC1–DC3 over VPC peering for discover DCs, domain join and read, but the AWS internal DC APIs are not available from account B.]
Cross-account directory sharing
[Diagram: with the directory shared to account B, the EC2 instance in customer VPC2 (over peering) can discover DCs, domain join and read, and the AWS internal DC APIs are now available in account B as well.]
Sharing across multiple VPCs and accounts
[Diagram: DC1, DC2 and DC3 in the AWS-managed VPC shared across customer VPC1 to VPC6, spanning accounts A, B and C.]
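The sharing shown in the last three diagrams is a two-party exchange: the owner account offers the directory, the consumer account accepts it, and only then do its EC2 instances (and the AWS internal DC APIs) work there. The script below is an added example, not part of the deck or of AWS tooling. It uses the real Directory Service calls (ShareDirectory in the owner account, AcceptSharedDirectory in the consumer account, DescribeSharedDirectories to watch the state) with the client passed in, so the exchange also runs here against the in-memory stand-in defined at the bottom; the directory and account ids are constructed placeholders.

```python
"""Share an AWS Managed Microsoft AD with a second account and accept it there.

Added example, not code from the original deck. Both sides use the real Directory
Service API (ds:ShareDirectory, ds:AcceptSharedDirectory, ds:DescribeSharedDirectories);
the client is injected. Ids below are constructed placeholders.
"""
import re
from typing import Dict, List

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def is_account_id(value: str) -> bool:
    """AWS account ids are exactly 12 digits; check before sharing a directory anywhere."""
    return bool(ACCOUNT_ID_RE.match(value))


def share_with_account(owner_ds, directory_id: str, target_account: str, notes: str = "") -> str:
    """Owner (account A) side: offer the directory to account B.

    Returns the SharedDirectoryId that account B has to accept.
    """
    if not is_account_id(target_account):
        raise ValueError(f"not a 12-digit AWS account id: {target_account!r}")
    params = {
        "DirectoryId": directory_id,
        "ShareTarget": {"Id": target_account, "Type": "ACCOUNT"},
        # HANDSHAKE makes the consumer accept explicitly; ORGANIZATIONS skips that
        # step for accounts in the same AWS Organization.
        "ShareMethod": "HANDSHAKE",
    }
    if notes:
        params["ShareNotes"] = notes
    resp = owner_ds.share_directory(**params)
    return resp["SharedDirectoryId"]


def accept_share(consumer_ds, shared_directory_id: str) -> str:
    """Consumer (account B) side: accept the pending share and return its ShareStatus.

    After this, EC2 in account B can discover DCs, domain join and read the directory
    over its own VPC connectivity, and the internal DC APIs become available there too.
    """
    resp = consumer_ds.accept_shared_directory(SharedDirectoryId=shared_directory_id)
    return resp["SharedDirectory"]["ShareStatus"]


def shares_by_status(owner_ds, directory_id: str) -> Dict[str, List[str]]:
    """Owner side: group the directory's shares by ShareStatus, e.g. to spot offers
    left in PendingAcceptance or to review which accounts still have access."""
    resp = owner_ds.describe_shared_directories(OwnerDirectoryId=directory_id)
    out: Dict[str, List[str]] = {}
    for share in resp["SharedDirectories"]:
        out.setdefault(share["ShareStatus"], []).append(share["SharedAccountId"])
    return out


class FakeDirectoryService:
    """In-memory stand-in for the ds client, playing the service for both accounts."""
    def __init__(self):
        self.shares: Dict[str, Dict[str, str]] = {}

    def share_directory(self, DirectoryId, ShareTarget, ShareMethod, ShareNotes=None):
        shared_id = f"{DirectoryId}-share{len(self.shares) + 1}"  # constructed id shape
        self.shares[shared_id] = {
            "OwnerDirectoryId": DirectoryId,
            "SharedAccountId": ShareTarget["Id"],
            "ShareMethod": ShareMethod,
            "ShareStatus": "PendingAcceptance",
        }
        return {"SharedDirectoryId": shared_id}

    def accept_shared_directory(self, SharedDirectoryId):
        self.shares[SharedDirectoryId]["ShareStatus"] = "Shared"
        return {"SharedDirectory": dict(self.shares[SharedDirectoryId], SharedDirectoryId=SharedDirectoryId)}

    def describe_shared_directories(self, OwnerDirectoryId):
        return {"SharedDirectories": [dict(v, SharedDirectoryId=k)
                                      for k, v in self.shares.items()
                                      if v["OwnerDirectoryId"] == OwnerDirectoryId]}


if __name__ == "__main__":
    svc = FakeDirectoryService()   # for real use: boto3.client("ds") in each account
    sid = share_with_account(svc, "d-0000000000", "222222222222", "constructed demo share")
    print(shares_by_status(svc, "d-0000000000"))   # {'PendingAcceptance': ['222222222222']}
    print(accept_share(svc, sid))                  # Shared
    print(shares_by_status(svc, "d-0000000000"))   # {'Shared': ['222222222222']}
```

`shares_by_status` is the piece worth keeping around: a share that stays in PendingAcceptance is an open offer to another account, and the Shared list is the access review for the directory.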
Thank you!
Michael Cotton
michcott@amazon.com

More Related Content

What's hot

Scaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million UsersScaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million Users
Amazon Web Services
 
Data Center Migration to the AWS Cloud
Data Center Migration to the AWS CloudData Center Migration to the AWS Cloud
Data Center Migration to the AWS Cloud
Tom Laszewski
 

What's hot (20)

AWS 101: Cloud Computing Seminar (2012)
AWS 101: Cloud Computing Seminar (2012)AWS 101: Cloud Computing Seminar (2012)
AWS 101: Cloud Computing Seminar (2012)
 
Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking Colt's evolution from MPLS to Cloud Networking
Colt's evolution from MPLS to Cloud Networking
 
Introduction to Microsoft Azure
Introduction to Microsoft AzureIntroduction to Microsoft Azure
Introduction to Microsoft Azure
 
Scaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million UsersScaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million Users
 
What is Cloud Computing with AWS?
What is Cloud Computing with AWS?What is Cloud Computing with AWS?
What is Cloud Computing with AWS?
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
 
Data Center Migration to the AWS Cloud
Data Center Migration to the AWS CloudData Center Migration to the AWS Cloud
Data Center Migration to the AWS Cloud
 
AWS solution Architect Associate study material
AWS solution Architect Associate study materialAWS solution Architect Associate study material
AWS solution Architect Associate study material
 
Introduction to Microsoft Azure 101
Introduction to Microsoft Azure 101Introduction to Microsoft Azure 101
Introduction to Microsoft Azure 101
 
Migrate to Microsoft Azure with Confidence
Migrate to Microsoft Azure with ConfidenceMigrate to Microsoft Azure with Confidence
Migrate to Microsoft Azure with Confidence
 
Intro to azure logic apps
Intro to azure logic appsIntro to azure logic apps
Intro to azure logic apps
 
AWS Cloud Adoption Framework
AWS Cloud Adoption Framework AWS Cloud Adoption Framework
AWS Cloud Adoption Framework
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
Azure fundamentals
Azure   fundamentalsAzure   fundamentals
Azure fundamentals
 
Microsoft Cloud Adoption Framework for Azure: Thru Partner Governance Workshop
Microsoft Cloud Adoption Framework for Azure: Thru Partner Governance WorkshopMicrosoft Cloud Adoption Framework for Azure: Thru Partner Governance Workshop
Microsoft Cloud Adoption Framework for Azure: Thru Partner Governance Workshop
 
Cloud Adoption Framework - Overview_partner.pptx
Cloud Adoption Framework - Overview_partner.pptxCloud Adoption Framework - Overview_partner.pptx
Cloud Adoption Framework - Overview_partner.pptx
 
Introduction to Microsoft Azure Cloud
Introduction to Microsoft Azure CloudIntroduction to Microsoft Azure Cloud
Introduction to Microsoft Azure Cloud
 
Azure Automation and Update Management
Azure Automation and Update ManagementAzure Automation and Update Management
Azure Automation and Update Management
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
FinOps for private cloud
FinOps for private cloudFinOps for private cloud
FinOps for private cloud
 

Similar to Microsoft Active Directory Deep Dive

Best practices to Support Active Directory Aware Workloads on AWS
Best practices to Support Active Directory Aware Workloads on AWSBest practices to Support Active Directory Aware Workloads on AWS
Best practices to Support Active Directory Aware Workloads on AWS
Amazon Web Services
 

Similar to Microsoft Active Directory Deep Dive (20)

How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
 
Scale - Best Practices for Migrating your Microsoft Workloads to AWS
Scale - Best Practices for Migrating your Microsoft Workloads to AWSScale - Best Practices for Migrating your Microsoft Workloads to AWS
Scale - Best Practices for Migrating your Microsoft Workloads to AWS
 
Best practices to Support Active Directory Aware Workloads on AWS
Best practices to Support Active Directory Aware Workloads on AWSBest practices to Support Active Directory Aware Workloads on AWS
Best practices to Support Active Directory Aware Workloads on AWS
 
Migrating Your AD to the Cloud with AWS Directory Services for Microsoft Acti...
Migrating Your AD to the Cloud with AWS Directory Services for Microsoft Acti...Migrating Your AD to the Cloud with AWS Directory Services for Microsoft Acti...
Migrating Your AD to the Cloud with AWS Directory Services for Microsoft Acti...
 
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
Deploying critical Microsoft workloads on AWS at Capital One - SDD337 - AWS r...
 
2018 10-17 J1 3C - Hybrid architectures with Amazon Web Services, Office 365 ...
2018 10-17 J1 3C - Hybrid architectures with Amazon Web Services, Office 365 ...2018 10-17 J1 3C - Hybrid architectures with Amazon Web Services, Office 365 ...
2018 10-17 J1 3C - Hybrid architectures with Amazon Web Services, Office 365 ...
 
Systems Operations for Windows Workloads
Systems Operations for Windows WorkloadsSystems Operations for Windows Workloads
Systems Operations for Windows Workloads
 
ENT201 Simplifying Microsoft Architectures with AWS Services
ENT201 Simplifying Microsoft Architectures with AWS ServicesENT201 Simplifying Microsoft Architectures with AWS Services
ENT201 Simplifying Microsoft Architectures with AWS Services
 
Simplifying Microsoft Architectures with AWS Services (WIN306) - AWS re:Inven...
Simplifying Microsoft Architectures with AWS Services (WIN306) - AWS re:Inven...Simplifying Microsoft Architectures with AWS Services (WIN306) - AWS re:Inven...
Simplifying Microsoft Architectures with AWS Services (WIN306) - AWS re:Inven...
 
WIN403_AWS Directory Service for Microsoft Active Directory Deep Dive
WIN403_AWS Directory Service for Microsoft Active Directory Deep DiveWIN403_AWS Directory Service for Microsoft Active Directory Deep Dive
WIN403_AWS Directory Service for Microsoft Active Directory Deep Dive
 
Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...Best practices for choosing identity solutions for applications + workloads -...
Best practices for choosing identity solutions for applications + workloads -...
 
[REPEAT] Microsoft Active Directory Deep Dive (WIN303-R) - AWS re:Invent 2018
[REPEAT] Microsoft Active Directory Deep Dive (WIN303-R) - AWS re:Invent 2018[REPEAT] Microsoft Active Directory Deep Dive (WIN303-R) - AWS re:Invent 2018
[REPEAT] Microsoft Active Directory Deep Dive (WIN303-R) - AWS re:Invent 2018
 
Migrate & Optimize Microsoft Applications on AWS
Migrate & Optimize Microsoft Applications on AWSMigrate & Optimize Microsoft Applications on AWS
Migrate & Optimize Microsoft Applications on AWS
 
Best Practices for Migrating your Microsoft Workloads to AWS
Best Practices for Migrating your Microsoft Workloads to AWSBest Practices for Migrating your Microsoft Workloads to AWS
Best Practices for Migrating your Microsoft Workloads to AWS
 
Migrating Microsoft Workloads to AWS
Migrating Microsoft Workloads to AWSMigrating Microsoft Workloads to AWS
Migrating Microsoft Workloads to AWS
 
End-User Computing on AWS with Amazon WorkSpaces and Amazon AppStream 2.0 - E...
End-User Computing on AWS with Amazon WorkSpaces and Amazon AppStream 2.0 - E...End-User Computing on AWS with Amazon WorkSpaces and Amazon AppStream 2.0 - E...
End-User Computing on AWS with Amazon WorkSpaces and Amazon AppStream 2.0 - E...
 
Migration to Aws Cloud
Migration to Aws Cloud  Migration to Aws Cloud
Migration to Aws Cloud
 
Cloud ibrido nella PA
Cloud ibrido nella PACloud ibrido nella PA
Cloud ibrido nella PA
 
AWSome Day 2019 - New Jersey
AWSome Day 2019 - New JerseyAWSome Day 2019 - New Jersey
AWSome Day 2019 - New Jersey
 
Best-Practices-for-Running-Windows-Workloads-on-AWS
Best-Practices-for-Running-Windows-Workloads-on-AWSBest-Practices-for-Running-Windows-Workloads-on-AWS
Best-Practices-for-Running-Windows-Workloads-on-AWS
 

More from Amazon Web Services

Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 

Microsoft Active Directory Deep Dive

  • 1. Public Sector Summit, Washington D.C. – Microsoft Active Directory Deep Dive
  • 2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    What to expect from the session
    • Active Directory in the cloud
    • How Active Directory is used – why Active Directory is important in the cloud
    • Deployment options – supporting Windows workloads in the cloud
    • Managed Active Directory use cases – with AMAD or customer-managed AD
    • How to choose – considerations for selection
    • Trusts – domain or forest
    • Security logging – CloudWatch Logs
    • Managed Active Directory sharing
  • 3. How Active Directory authentication works across the spectrum
    Diagram (labels recovered from the figure): App, DB and App tiers with a user; flows labelled Kerberos AuthN, Federated AuthN (SAML) and Kerberos AuthZ; User AuthN/Group membership/Login scripts; Domain join/Machine AuthN/GPO/LDAP.
  • 4. What if you migrate these parts to AWS?
    Diagram: the same flows (User AuthN/Group membership/Login scripts, Kerberos AuthN, Federated AuthN (SAML), Kerberos AuthZ, Domain join/Machine AuthN/GPO/LDAP) with the tiers moved to Amazon EC2, Amazon DynamoDB, Amazon WorkSpaces and RDS for SQL Server, the last marked with a question mark.
  • 5. Why Active Directory is important in the cloud – Migration path
    Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
  • 6. AWS Active Directory options
    • Simple Active Directory
      • Microsoft Active Directory-compatible directory powered by Samba 4; supports common Active Directory features.
      • When to use: when there are 5,000 or fewer users and you don’t need the more advanced Microsoft Active Directory features.
    • AWS Managed Microsoft Active Directory
      • Enterprise Edition.
      • When to use: when there are 5,000 users and you need a trust relationship set up between an AWS-hosted directory and your on-premises directories.
    • Active Directory on EC2
      • Another domain controller in an existing domain/forest
  • 7. Deployment options – Supporting Windows workloads in the cloud
  • 8. Active Directory (AD) options – On premises
    • Create a VPN or AWS Direct Connect link to your VPC.
    • Manually join EC2 instances to the customer-managed AD.
    • Automatically join EC2 instances to the customer-managed AD using AD Connector.
    • Use the VPC as an extension of your network.
    • Security considerations?
    • Latency considerations?
    Diagram: (1) on-premises Windows Server domain controller – you manage.
  • 9. Example: On-premises Active Directory
    Diagram: two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding a SQL Server (DB), Application Server (APP) and IIS Server (WEB); Auth/LDAP traffic goes over VPN or Direct Connect to the domain controllers in the corporate data center, which also serves remote users/admins.
  • 10. Active Directory options – EC2 self-managed
    Your responsibilities:
    • Availability deployment strategy
    • EC2 domain controller configuration
    • DNS configuration
    • Sites and Services configuration
    • Monitoring
    • Domain controller recovery
    • Backup
    • Restore
    • Security group configuration
    • EC2 domain joining
    • Patch Tuesday management
    AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
    Diagram: (1) on-premises Windows Server domain controller – you manage; (2) EC2 for Windows Server domain controller in a VPC – you manage.
  • 11. Example: Active Directory on EC2 with replication, Active Directory trust, or sync
    Diagram: as in slide 9, but each private subnet (10.0.2.0/24, 10.0.3.0/24) also holds an EC2 domain controller that the DB/APP/WEB tiers use for Auth/LDAP; the EC2 domain controllers connect to the corporate data center domain controllers over VPN or Direct Connect by trust or replication.
  • 12. Active Directory options – AWS manages
    Diagram: (1) on-premises Windows Server DC – you manage; (2) EC2 for Windows Server DC in a VPC – you manage; (3) AMAD reached through a VPC endpoint – AWS manages.
    AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”.
    AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
  • 13. Example: AMAD with Active Directory trust to on premises
    Diagram: two Availability Zones with private subnets 10.0.2.0/24 and 10.0.3.0/24, each holding an Application Server (APP) and IIS Server (WEB); the DB tier is RDS for SQL Server and the domain controllers are AMAD, both AWS managed services. Auth/LDAP goes to the AMAD domain controllers, which hold a trust over VPN or Direct Connect to the corporate data center domain controllers serving remote users/admins.
  • 14. Active Directory options – AWS Microsoft Active Directory
    • Windows Server 2012 R2 domain controllers, ~3-click setup
    • Minimum of 2 DCs, each in a different Availability Zone (AZ)
    • Add more DCs as needed
    • Standalone or connected to your Active Directory with trusts
    • AWS apps and services integration
      • EC2 seamless domain join
      • RDS for SQL Server authentication and authorization
      • Amazon WorkSpaces, Amazon QuickSight Enterprise Edition, Amazon Chime Plus/Pro provisioning and authentication, AWS Single Sign-On
    AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”, reached through a VPC endpoint.
    AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
  • 15. Active Directory options – AWS Microsoft Active Directory
    Some constraints:
    • AWS is the domain admin
    • You get an OU and delegated admin over the OU
    • Conservative delegated permissions to your OU admin account: application enablement limits some apps; some admin functions are not available
    Amazon responsibilities – operate: multi-AZ deploy, patch, monitor, domain controller recovery, snapshot, and restore
    Your responsibilities – administer: administration through Active Directory Users and Computers (ADUC) and other standard Active Directory tools; administer users, groups, GPOs, and other Active Directory content
    AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”, reached through a VPC endpoint.
  • 16. Active Directory options – Connecting Active Directory in the cloud to on-premises Active Directory
    • (1) Replication, your DCs only: the on-premises Windows Server DC replicates with an EC2 for Windows Server DC in the VPC
    • (2) 1-way or 2-way trust, your DCs or AMAD: the on-premises Windows Server DC trusts an EC2 for Windows Server DC (or AMAD) in the VPC
    • (3) Sync users: an on-premises or VPC Windows Server DC, or AMAD, syncs users to Azure AD (AAD) / O365
  • 17. AWS Managed Microsoft AD use cases
    Diagram: traditional AD applications (Remote Desktop Licensing, .NET apps, SharePoint, SQL Server, Certificate Services) domain join to AWS Managed Microsoft AD and are managed with Group Policy.
  • 18. AWS Managed Microsoft AD use cases
    Diagram: AWS Managed Microsoft AD as the user directory for compatible AWS applications and services (Amazon Connect, Amazon WorkMail, Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon QuickSight, Amazon Chime) and for the traditional AD applications (Remote Desktop Licensing, .NET apps, SharePoint, SQL Server, Certificate Services).
    Learn more: https://aws.amazon.com/directoryservice
  • 19. AWS Managed Microsoft AD use cases
    Diagram: adds “use Microsoft tools with web applications”: AWS Managed Microsoft AD feeds Azure AD through Azure AD Connect (pass-through) and AD FS, alongside the compatible AWS applications and services and the traditional AD applications listed on slide 18.
  • 20. AWS Managed Microsoft AD use cases
    Diagram: adds “use AWS SSO with web applications”: AWS SSO uses AWS Managed Microsoft AD as its user directory and federates to web applications with SAML, alongside the Azure AD sync (Azure AD Connect) / AD FS path, the compatible AWS applications and services, and the traditional AD applications.
  • 21. AWS Managed Microsoft AD use cases
    Diagram: adds “extend existing AD”: an existing Active Directory connects to AWS Managed Microsoft AD (and can also sync to Azure AD via Azure AD Connect), alongside the AWS SSO/SAML path, the AD FS path, the compatible AWS applications and services, and the traditional AD applications.
  • 22. How to choose – Considerations for selection
  • 23. Deployment differences (columns, in order: AMAD | EC2 Active Directory instances | On-premises Active Directory)
    • Operation management: (+) AWS managed in the cloud | (-) customer managed in the cloud | (-) customer managed on own hardware
    • Availability: (+) built-in redundancy and replication | (-) customer must design for high availability | (-) customer must design for high availability
    • Networking: trust¹ ports from cloud to on premises (least exposed) | trust¹ or replication² ports from cloud to on-premises Active Directory | (-) open ports to support cloud to on-premises Active Directory³ (most exposed)
    • Admin control: designated OU control; some apps unsupported | (+) full control | (+) full control
    ¹ If you use a trust to on-premises, open ports from domain controllers to on-premises domain controllers are needed.
    ² Active Directory replication requires more open ports than forest trusts, but is limited to DC-to-DC communications.
    ³ Ports for domain joining, Active Directory interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access.
  • 24. How to select an Active Directory option
    • AMAD
      • Minimize cost and effort to run Active Directory
      • RDS for SQL Server¹
      • AWS enterprise applications¹
      • Windows workloads on EC2²
    • EC2 Active Directory instances
      • Require a replicated, multi-region Active Directory solution
      • Need NetBIOS name resolution support
      • Require permissions not yet delegated by AWS Microsoft Active Directory³ (for example, Exchange, SharePoint, SQL Server AlwaysOn Availability Groups)
    • On-premises Active Directory
      • Requires access to Active Directory for minimal EC2 instances
      • Latency to Active Directory over an on-premises link is acceptable
      • Comfortable with connectivity availability to on-premises Active Directory
    ¹ RDS for SQL, Amazon WorkSpaces, Amazon QuickSight, and Amazon Chime require trusts only if users are on-premises via trust.
    ² This is subject to delegation constraints (for example, managed service account creation).
    ³ AWS is adding more delegations and application enablement over time.
  • 25. Deployment differences – Which connection model?
    Columns, in order: AMAD with sync | AMAD with trust | EC2 Active Directory with sync | EC2 Active Directory with trust | EC2 Active Directory replicated | On premises
    App access
    • SSO to cloud: No | Yes | No | Yes | Yes | Yes
    Complexity/effort
    • EC2 seamless domain join: Yes | Yes | No | No | No | No
    • Domain controller configuration: Medium | Low | Highest | High | High | None
    • Incremental maintenance: High | Low | Highest | Low | Medium | None
    • Incremental system: Medium | Low | Highest | High | High | None
    • Incremental entitlement: High | Low | High | Low | None | None
    • Sites and Services: No | No | No | No | Yes | None
    Legend (colour-coded in the original): Untested / Recommended / If necessary
  • 26. Trusts
    Diagram: a trust between two Active Directory domains; access requires permissions to the resource in the trusting domain.
  • 27. Forests, domains, tree domains
    Diagram: a forest with an Active Directory root domain, three child domains, a tree root domain and a tree child domain, alongside AWS Managed Microsoft AD as a single-domain forest with its own root domain.
  • 28. AWS Managed Microsoft AD forest trust support
    Diagram: the multi-domain forest from slide 27 (root domain, three child domains, tree root domain, tree child domain) joined to the AWS Managed Microsoft AD single-domain forest by a forest trust.
  • 29. AWS Managed Microsoft AD domain trust support
    Diagram: the same multi-domain forest joined to the AWS Managed Microsoft AD single-domain forest by domain trusts to individual domains (two shown).
  • 30. AWS Managed Microsoft AD mixed trust support
    Diagram: the same multi-domain forest joined to the AWS Managed Microsoft AD single-domain forest by a forest trust plus a domain trust.
  • 31. Securing trusts
    • Leave SID filtering on when you set up the on-premises side of a trust.
    • Turn on selective authentication on the on-premises side of a trust.
      • https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
    • Only permit Active Directory trust ports to the domain controllers in the cloud.
      • https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
    • For cloud-client-to-Active Directory, only permit Active Directory authentication ports to on-premises Active Directory. Minimize all other ports from cloud to on premises (for example, Amazon WorkSpaces login using on-premises credentials).
      • https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
    • Don’t grant groups in the cloud access to on-premises resources.
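A check for the first two bullets, added here as an example and not part of the deck: it decodes the trustAttributes bitmask that Active Directory stores on each trustedDomain object (flag values from MS-ADTS) and reports whether SID filtering and selective authentication are actually in effect on a trust. The trust names and attribute values below are constructed samples; the netdom switches quoted in the findings are the standard ones for changing these settings.

```python
"""Audit Active Directory trust attributes for SID filtering / selective auth."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List

# trustAttributes flag bits (MS-ADTS 6.1.6.7.9); only the ones this check needs.
QUARANTINED_DOMAIN = 0x0004  # SID filter quarantining: SID filtering on an external trust
FOREST_TRANSITIVE  = 0x0008  # the trust is a forest trust
CROSS_ORGANIZATION = 0x0010  # selective authentication is enabled
WITHIN_FOREST      = 0x0020  # parent/child or tree-root trust inside one forest
TREAT_AS_EXTERNAL  = 0x0040  # forest trust with SID history allowed: SID filtering relaxed


@dataclass
class TrustFinding:
    name: str
    kind: str                  # "forest", "external" or "intra-forest"
    sid_filtering: bool
    selective_auth: bool
    issues: List[str] = field(default_factory=list)


def assess_trust(name: str, trust_attributes: int) -> TrustFinding:
    """Derive the effective SID filtering / selective authentication state of one trust."""
    selective = bool(trust_attributes & CROSS_ORGANIZATION)
    if trust_attributes & WITHIN_FOREST:
        # Intra-forest trusts cannot be SID-filtered, so there is nothing to flag.
        return TrustFinding(name, "intra-forest", False, selective)
    if trust_attributes & FOREST_TRANSITIVE:
        kind = "forest"
        # Forest trusts filter SIDs by default; 'netdom trust /enablesidhistory:yes' sets
        # TREAT_AS_EXTERNAL and switches filtering off unless the trust is also quarantined.
        relaxed = bool(trust_attributes & TREAT_AS_EXTERNAL)
        sid_filtering = (not relaxed) or bool(trust_attributes & QUARANTINED_DOMAIN)
    else:
        kind = "external"
        # External (domain) trusts filter SIDs only while QUARANTINED_DOMAIN is set.
        sid_filtering = bool(trust_attributes & QUARANTINED_DOMAIN)
    finding = TrustFinding(name, kind, sid_filtering, selective)
    if not sid_filtering:
        finding.issues.append("SID filtering is off: re-enable it on the on-premises side "
                              "(netdom trust ... /quarantine:yes or /enablesidhistory:no)")
    if not selective:
        finding.issues.append("Selective authentication is off: enable it so cloud principals "
                              "need 'Allowed to Authenticate' on each on-premises resource "
                              "(netdom trust ... /selectiveauth:yes)")
    return finding


def audit(trusts: Dict[str, int]) -> List[TrustFinding]:
    """Assess every trust; the input maps trust partner name -> trustAttributes value."""
    return [assess_trust(name, attrs) for name, attrs in trusts.items()]


# Constructed sample of what an LDAP read of the trustedDomain objects under
# CN=System might return; names and values are illustrative only.
SAMPLE_TRUSTS = {
    "amad.example.cloud (forest trust)": FOREST_TRANSITIVE | CROSS_ORGANIZATION,
    "legacy.example.net (external trust)": 0x0000,
    "partner.example.org (forest trust)": FOREST_TRANSITIVE | TREAT_AS_EXTERNAL,
}

if __name__ == "__main__":
    for f in audit(SAMPLE_TRUSTS):
        status = "OK" if not f.issues else "REVIEW"
        print(f"{status:6} {f.name} [{f.kind}] SID filtering={f.sid_filtering} "
              f"selective auth={f.selective_auth}")
        for issue in f.issues:
            print(f"        - {issue}")
```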
  • 33. Security event logging to Amazon CloudWatch
  • 34. Use an existing log group or create a new one
  • 36. Cross-account sharing
  • 37. Communication paths to AWS Managed Microsoft AD
    Diagram: DC1, DC2 and DC3 live in the AWS-managed VPC; Customer VPC1 in Account A hosts EC2 and the compatible services (Amazon WorkSpaces, RDS for SQL Server, Amazon Connect, Amazon WorkMail, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, AWS SSO). The paths shown are Discover DCs, Domain Join, Read, and the AWS internal DC APIs.
  • 38. Internal DC APIs inaccessible in other accounts
    Diagram: as in slide 37, plus an EC2 instance in Customer VPC2 (Account B) reaching the directory over VPC peering; it can discover DCs, domain join and read, but the AWS internal DC APIs are not reachable from Account B.
  • 39. Cross-account directory sharing
    Diagram: as in slide 38, but with the directory shared to Account B the AWS internal DC APIs become available to Customer VPC2 alongside Discover DCs, Domain Join and Read over the peering connection.
  • 40. Sharing across multiple VPCs and accounts
    Diagram: DC1, DC2 and DC3 in the AWS-managed VPC shared with Customer VPC1, VPC2, VPC3 and VPC4 in Account A, Customer VPC5 in Account B, and Customer VPC6 in Account C.
  • 41. Thank you!
    Michael Cotton, michcott@amazon.com