1. Microsoft Active Directory Deep Dive
AWS Public Sector Summit, Washington D.C.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
2. What to expect from the session
• Active Directory in the cloud
• How Active Directory is used – why Active Directory is important in the cloud
• Deployment options – supporting Windows workloads in the cloud
• Managed Active Directory use cases – with AMAD or customer-managed AD
• How to choose – considerations for selection
• Trusts – domain or forest
• Security logging – CloudWatch Logs
• Managed Active Directory sharing
3. How Active Directory authentication works across the spectrum
[Diagram: users, apps and a database. Flows shown: user AuthN, group membership and login scripts over Kerberos AuthN; federated AuthN (SAML) for the app; Kerberos AuthZ from app to database; domain join, machine AuthN, GPO and LDAP from the machines.]
4. What if you migrate these parts to AWS?
[Diagram: the same flows as the previous slide, with the app on Amazon EC2 and Amazon WorkSpaces, the data tier on Amazon DynamoDB and RDS for SQL Server, and a question mark on how Kerberos AuthN/AuthZ, federated AuthN (SAML), domain join, GPO and LDAP reach the migrated parts.]
5. Why Active Directory is important in the cloud
Migration path
Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
6. AWS Active Directory options
• Simple Active Directory
  • Microsoft Active Directory compatible directory, powered by Samba 4, that supports common Active Directory features.
  • When to use: when there are 5,000 or fewer users and you don’t need the more advanced Microsoft Active Directory features.
• AWS managed Microsoft Active Directory
  • Enterprise Edition.
  • When to use: when there are 5,000 users and you need a trust relationship set up between an AWS hosted directory and your on-premises directories.
• Active Directory on EC2
  • Another domain controller in an existing domain/forest.
7. Deployment options – Supporting Windows workloads in the cloud
8. Active Directory (AD) options – On premises
• Create a VPN or AWS Direct Connect link to your VPC.
• Manually join EC2 instances to the customer-managed AD.
• Automatically join EC2 instances to the customer-managed AD using AD Connector.
• Use the VPC as an extension of your network.
• Security considerations?
• Latency considerations?
[Diagram: option 1, an on-premises Windows Server domain controller that you manage.]
9. Example: On-premises Active Directory
[Diagram: two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) hosting a SQL Server, an application server and an IIS server (DB/APP/WEB tiers). Auth/LDAP traffic from both subnets goes over VPN or Direct Connect to the domain controllers in the corporate data center; remote users and admins connect through the corporate data center.]
10. Active Directory options – EC2 self-managed
Your responsibilities:
• Availability deployment strategy
• EC2 domain controller configuration
• DNS configuration
• Sites and Services configuration
• Monitoring
• Domain controller recovery
• Backup
• Restore
• Security group configuration
• EC2 domain joining
• Patch Tuesday management
AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
[Diagram: option 1, on-premises Windows Server domain controller (you manage); option 2, EC2 for Windows Server domain controller in the VPC (you manage).]
11. Example: Active Directory on EC2 with replication, Active Directory trust, or sync
[Diagram: the same two private subnets (10.0.2.0/24 and 10.0.3.0/24) with DB/APP/WEB tiers, now each with a domain controller on EC2. Auth/LDAP stays inside the VPC; the EC2 domain controllers connect to the corporate data center domain controllers over VPN or Direct Connect for trust or replication.]
12. Active Directory options – AWS manages
[Diagram: option 1, on-premises Windows Server DC (you manage); option 2, EC2 for Windows Server DC in the VPC (you manage); option 3, AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”, reached through a VPC endpoint (AWS manages).]
13. Example: AMAD with Active Directory trust to on premises
[Diagram: two private subnets (10.0.2.0/24 and 10.0.3.0/24) with APP/WEB tiers, the DB tier on RDS for SQL Server, and AMAD domain controllers as AWS managed services. Auth/LDAP from the application and RDS goes to AMAD; AMAD holds a trust to the corporate data center domain controllers over VPN or Direct Connect; remote users and admins connect through the corporate data center.]
14. Active Directory options – AWS Microsoft Active Directory
• Windows Server 2012 R2 domain controllers, ~3-click setup
• Minimum of 2 DCs, each in a different Availability Zone (AZ)
• Add more DCs as needed
• Standalone or connected to your Active Directory with trusts
• AWS apps and services integration: EC2 seamless domain join; RDS for SQL Server authentication and authorization; Amazon WorkSpaces, Amazon QuickSight Enterprise Edition, Amazon Chime Plus/Pro provisioning and authentication; AWS Single Sign-on
[Diagram: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”, reached through a VPC endpoint.]
15. Active Directory options – AWS Microsoft Active Directory
Some constraints
• AWS is the domain admin
• You get an OU and delegated admin over the OU
• Conservative delegated permissions to your OU admin account: application enablement limits some apps, and some admin functions are not available
Amazon responsibilities - operate
• Multi-AZ deploy, patch, monitor, domain controller recovery, snapshot, and restore
Your responsibilities - administer
• Administration through Active Directory Users and Computers (ADUC) and other standard Active Directory tools
• Administer users, groups, GPOs, and other Active Directory content
[Diagram: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. “AMAD”, reached through a VPC endpoint.]
16. Active Directory options – Connecting Active Directory in the cloud to on-premises Active Directory
[Diagram of three connection models: 1, replication between an on-premises Windows Server DC and an EC2 for Windows Server DC in the VPC (your DCs only); 2, a 1-way or 2-way trust between an on-premises Windows Server DC and an EC2 DC or AMAD (your DCs or AMAD); 3, sync users from an on-premises or VPC Windows Server DC/AMAD to Azure AD for O365 (Azure).]
17. AWS Managed Microsoft AD use cases
[Diagram: traditional AD applications (Remote Desktop Licensing, .NET apps, SharePoint, SQL Server, Certificate Services) joined to AWS Managed Microsoft AD. Caption: Domain join and manage with Group Policy.]
18. AWS Managed Microsoft AD use cases
[Diagram: AWS Managed Microsoft AD as the user directory for compatible AWS applications and services (Amazon Connect, Amazon WorkMail, Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon QuickSight, Amazon Chime) and for the traditional AD applications from the previous slide.]
Learn more: https://aws.amazon.com/directoryservice
19. AWS Managed Microsoft AD use cases
[Diagram: as the previous slide, adding AD FS with Azure AD Connect pass-through from AWS Managed Microsoft AD to Azure AD. Caption: Use Microsoft tools with web applications.]
20. AWS Managed Microsoft AD use cases
[Diagram: as the previous slide, adding AWS SSO connected to AWS Managed Microsoft AD over SAML, alongside Azure AD sync through AD FS and Azure AD Connect. Captions: Use AWS SSO with web applications; Use Microsoft tools with web applications.]
21. AWS Managed Microsoft AD use cases
[Diagram: as the previous slide, adding an existing Active Directory connected to AWS Managed Microsoft AD. Captions: Extend existing AD; Use AWS SSO with web applications (SAML); Use Microsoft tools with web applications (Azure AD Connect, AD FS, Azure AD sync).]
22. How to choose – Considerations for selection
23. Deployment differences
| | AMAD | EC2 Active Directory instances | On-premises Active Directory |
|---|---|---|---|
| Operation management | + AWS managed in the cloud | - Customer managed in the cloud | - Customer managed, own hardware |
| Availability | + Built-in redundancy and replication | - Customer must design for high availability | - Customer must design for high availability |
| Networking | Trust¹ ports from cloud to on premises (least exposed) | Trust¹ or replication² ports from cloud to on-premises Active Directory | - Open ports to support cloud to on-premises Active Directory³ (most exposed) |
| Admin control | Designated OU control; some apps unsupported | + Full control | + Full control |
¹ If you use a trust to on-premises, open ports from domain controllers to on-premises domain controllers are needed.
² Active Directory replication requires more open ports than forest trusts, but is limited to DC-to-DC communications.
³ Ports for domain joining, Active Directory interactions, LDAP, etc., plus other firewall decisions for cloud to on-premises access.
24. How to select an Active Directory option
AMAD
• Minimize cost and effort to run Active Directory
• RDS for SQL Server¹
• AWS enterprise applications¹
• Windows workloads on EC2²
EC2 Active Directory instances
• Require a replicated, multi-region Active Directory solution
• Need NetBIOS name resolution support
• Require permissions not yet delegated by AWS Microsoft Active Directory³ (for example, Exchange, SharePoint, SQL Server AlwaysOn Availability Groups)
On-premises Active Directory
• Requires access to Active Directory for minimal EC2 instances
• Latency to Active Directory over an on-premises link is acceptable
• Comfortable with connectivity availability to on-premises Active Directory
¹ RDS for SQL, Amazon WorkSpaces, Amazon QuickSight, and Amazon Chime require trusts only if users are on-premises via trust.
² This is subject to delegation constraints (for example, managed service account creation).
³ AWS is adding more delegations and application enablement over time.
25. Deployment differences – Which connection model?
| | AMAD with Sync | AMAD with Trust | EC2 Active Directory with Sync | EC2 Active Directory with Trust | EC2 Active Directory Replicated | On Premises |
|---|---|---|---|---|---|---|
| App access: SSO to cloud | No | Yes | No | Yes | Yes | Yes |
| Complexity/Effort: EC2 seamless domain join | Yes | Yes | No | No | No | No |
| Complexity/Effort: Domain controller configuration | Medium | Low | Highest | High | High | None |
| Complexity/Effort: Incremental maintenance | High | Low | Highest | Low | Medium | None |
| Complexity/Effort: Incremental system | Medium | Low | Highest | High | High | None |
| Complexity/Effort: Incremental entitlement | High | Low | High | Low | None | None |
| Complexity/Effort: Sites and Services | No | No | No | No | Yes | None |
Legend (column shading on the original slide): Untested / Recommended / If necessary
26. Trusts
[Diagram: two Active Directory domains joined by a trust; access across the trust requires permissions on the resource in the trusting domain.]
27. Forests, domains, tree domains
[Diagram: an Active Directory forest with a root domain, three child domains, a tree root domain and a tree child domain, next to AWS Managed Microsoft AD, which is a single-domain forest consisting of one root domain.]
28. AWS Managed Microsoft AD forest trust support
[Diagram: the multi-domain forest from the previous slide connected to the AWS Managed Microsoft AD single-domain forest by a forest trust at the root domains.]
29. AWS Managed Microsoft AD domain trust support
[Diagram: the AWS Managed Microsoft AD single-domain forest connected by separate domain trusts to individual domains (a child domain and a tree domain) of the multi-domain forest.]
30. AWS Managed Microsoft AD mixed trust support
[Diagram: the AWS Managed Microsoft AD single-domain forest with both a forest trust to the root domain and a domain trust to an individual domain of the multi-domain forest.]
31. Securing trusts
• Leave SID filtering on when you set up the on-premises side of a trust.
• Turn on selective authentication on the on-premises side of a trust.
  • https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
• Only permit Active Directory trust ports to the domain controllers in the cloud.
  • https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
• For cloud-client-to-Active Directory traffic, only permit Active Directory authentication ports to on-premises Active Directory. Minimize all other ports from cloud to on premises (for example, Amazon WorkSpaces login using on-premises credentials).
  • https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
• Don’t grant groups in the cloud access to on-premises resources.
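An added example, not from the deck, that checks the first two bullets on the on-premises side: it decodes each trust's TrustAttributes bits and reports whether SID filtering and selective authentication are on. It assumes the ActiveDirectory RSAT module; Test-TrustHardening is a name chosen here, and the flag values are the LSA TRUST_ATTRIBUTE_* constants.

```powershell
# Added example, not from the deck: audit the trusts of the local domain against the
# "Securing trusts" bullets. Assumes the ActiveDirectory (RSAT) module; run it on the
# on-premises side, where the slide says SID filtering and selective auth belong.
Import-Module ActiveDirectory

# TrustAttributes bit flags (LSA TRUST_ATTRIBUTE_* values, assumed here).
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04   # SID filtering ("quarantine") on an external trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08   # this is a forest trust
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10   # selective authentication is enabled
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID history allowed (filtering relaxed)

# Hypothetical helper name. Emits one finding row per trust object.
function Test-TrustHardening {
    param([Parameter(Mandatory, ValueFromPipeline)] $Trust)
    process {
        $attr     = [int]$Trust.TrustAttributes
        $isForest = ($attr -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0
        $findings = @()

        # Bullet 1: SID filtering must stay on. The flag to check depends on the trust type.
        if ($isForest) {
            if (($attr -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0) {
                $findings += 'SID history enabled: forest trust treated as external, SID filtering relaxed'
            }
        } elseif (($attr -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -eq 0) {
            $findings += 'SID filtering (quarantine) is off on this external trust'
        }

        # Bullet 2: selective authentication should be on, so principals from the other
        # side only reach resources explicitly granted "Allowed to Authenticate".
        if (($attr -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION) -eq 0) {
            $findings += 'Selective authentication is off (domain-wide authentication allowed)'
        }

        [pscustomobject]@{
            Trust       = $Trust.Name
            Direction   = $Trust.Direction
            ForestTrust = $isForest
            Findings    = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Report every trust; rows with findings are the ones to fix (netdom trust ... /quarantine:yes
# and /selectiveauth:yes, or the Active Directory Domains and Trusts console).
Get-ADTrust -Filter * | Test-TrustHardening | Format-Table -AutoSize
```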
33. Security event logging to Amazon CloudWatch
34. Use an existing log group or create a new one
36. Cross-account sharing
37. Communication paths to AWS Managed Microsoft AD
[Diagram: DC1, DC2 and DC3 in the AWS managed VPC. Customer VPC1 in Account A holds Amazon WorkSpaces, RDS for SQL Server, EC2, Amazon Connect, Amazon WorkMail, Amazon WorkDocs, Amazon QuickSight, Amazon Chime and AWS SSO. Paths to the DCs: discover DCs, domain join, read; AWS services additionally use AWS internal DC APIs.]
38. Internal DC APIs inaccessible in other accounts
[Diagram: as the previous slide, plus an EC2 instance in Customer VPC2 of Account B reaching the DCs over VPC peering. It can discover DCs, domain join and read, but the AWS internal DC APIs are not reachable from the other account.]
39. Cross-account directory sharing
[Diagram: as the previous slide, but with the directory shared to Account B: the EC2 instance in Customer VPC2 now also has a path to the AWS internal DC APIs, in addition to discover DCs, domain join and read over peering.]
40. Sharing across multiple VPCs and accounts
[Diagram: DC1, DC2 and DC3 in the AWS managed VPC shared with Customer VPC1 through VPC4 in Account A, Customer VPC5 in Account B and Customer VPC6 in Account C.]
41. Thank you!
Michael Cotton
michcott@amazon.com