Do you have questions on how to best use Microsoft Active Directory with your AWS Windows workloads? Do you need a deep dive on securely setting up trusts between your on-premises Active Directory and AWS Directory Service for Microsoft Active Directory? This session will help you understand the differences between AWS Directory Service for Microsoft AD, building your own Microsoft Active Directory on Amazon EC2, and joining your cloud resources to your on-premises Active Directory over a direct network connection. After this session you will be an expert on how to set up single sign-on for your cloud applications and resources, how to use Group Policy for your EC2 systems, and how to securely configure trusts between your on-premises and AWS Cloud Active Directories.
2. What to expect from the session
How AD is used – Why AD is important in the cloud
Deployment Options – Supporting Windows workloads in the cloud
How to choose – Considerations for selection
Trusts vs. Sync – Alternatives to replication
3. How AD is used – Why AD is important in the cloud
4. Why AD is important in the cloud
Migration path
Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
5. How AD works with computers
Domain Join/Machine AuthN/GPO/LDAP
AuthN – Authentication
GPO – Group Policy Object
LDAP – Lightweight Directory Access Protocol
6. How AD works with users
User AuthN/Group Membership/Login Scripts
Domain Join/Machine AuthN/GPO/LDAP
7. How AD works with services
User AuthN/Group Membership/Login Scripts
Domain Join/Machine AuthN/GPO/LDAP
8. How AD works in federated SaaS solutions
Diagram: App and DB tiers behind AD. Users reach the app with Federated AuthN (SAML); the app tiers authenticate to each other and to AD with Kerberos AuthN; AD still supplies User AuthN/Group Membership/Login Scripts and Domain Join/Machine AuthN/GPO/LDAP.
11. AD options – Where to run AD
Option 1 – On-premises: Windows Server DC running AD (you manage)
DC – Active Directory Domain Controller
VPC – Amazon Virtual Private Cloud
Endpoint – Accessed via IP address in your VPC
12. AD options – On-premises
• Create a VPN or AWS Direct Connect link to your VPC
• Manually domain join EC2 instances to on-premises AD
• Use the VPC as an extension of your network
• Security considerations
• Latency considerations?
Diagram: Option 1 – On-premises Windows Server DC running AD (you manage)
13. AD options – Where to run AD
Option 1 – On-premises: Windows Server DC running AD (you manage)
Option 2 – VPC: EC2 for Windows Server DC running AD (you manage)
14. AD options – EC2 self-managed
Your responsibilities
• Availability deployment strategy
• EC2 DC configuration
• DNS configuration
• Sites and Services configuration
• Monitoring
• DC recovery
• Backup
• Restore
• Security group configuration
• Manual EC2 domain joining
• Patch Tuesday management
AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed AD
Diagram: Option 1 – On-premises Windows Server DC (you manage); Option 2 – EC2 for Windows Server DC in the VPC (you manage)
15. AD options – Where to run AD
Option 1 – On-premises: Windows Server DC running AD (you manage)
Option 2 – VPC: EC2 for Windows Server DC running AD (you manage)
Option 3 – VPC endpoint: AWS Microsoft AD (AWS manages)
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. AWS Microsoft AD
16. AD options – AWS Microsoft AD
Windows Server 2012 R2 domain controllers (DCs)
• ~3-click setup
• 2 DCs, each in a different Availability Zone (AZ)
Standalone, or connected to your AD with trusts
AWS apps and services integration
• EC2 seamless domain join
• RDS for SQL Server authentication and authorization
• WorkSpaces, QuickSight Enterprise, Chime Plus/Pro provisioning and authentication
Diagram: VPC endpoint – AWS Microsoft AD (AWS Directory Service for Microsoft Active Directory, Enterprise Edition)
17. AD options – AWS Microsoft AD
Some constraints
• AWS is domain admin
• You get an OU and delegated admin over the OU
• AWS apps/services/EC2 (1) must be in the same VPC
• Conservative delegated permissions (2) to your OU admin account
• Application enablement blocks some apps
• Some admin functions unavailable
1 EC2 can domain join manually in peered VPC configurations
2 Delegations are being expanded over time
18. AD options – AWS Microsoft AD
Amazon responsibilities – Operate
• Multi-AZ deploy, patch, monitor, DC recovery, snapshot, restore
Your responsibilities – Administer
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Administer users, groups, GPOs and other AD content
19. AD options – Connecting AD in cloud to on-premises
1 Replication – on-premises Windows Server DCs replicate with EC2 for Windows Server DCs in the VPC (your DCs only)
2 1-way or 2-way trust – between on-premises AD and AD in the VPC (your DCs or AWS Managed Microsoft AD)
3 Sync users – third-party sync from on-premises AD to EC2 for Windows Server DCs in the VPC (which DCs: depends on the tool)
21. Example: AD on EC2 with replication or AD trust
Diagram: Two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding a DB tier (SQL Server), an APP tier (App Server), a WEB tier (IIS Server) and an AD DC on EC2. The application tiers do Auth/LDAP against the in-VPC DCs. The EC2 DCs connect to the domain controllers in the corporate data center over VPN or Direct Connect using either trust or replication. Remote users and admins come in via the corporate data center.
22. Example: AWS Microsoft AD trust to on-premises
Diagram: Two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding an APP tier (App Server) and a WEB tier (IIS Server); the DB tier is RDS for SQL Server (AWS managed). AWS Managed Microsoft AD DCs (AWS managed) in the VPC serve Auth/LDAP for the application and for RDS, and hold a trust with the domain controllers in the corporate data center over VPN or Direct Connect. Remote users and admins come in via the corporate data center.
23. Example: AD on EC2 with sync
Diagram: Same two-AZ layout (private subnets 10.0.2.0/24 and 10.0.3.0/24 with SQL Server, App Server, IIS Server and an AD DC on EC2; application tiers do Auth/LDAP against the in-VPC DCs). A third-party sync tool pushes users and password changes from the corporate data center domain controllers to the EC2 DCs over VPN or Direct Connect. Users lose single sign-on to the cloud (same sign-on instead).
24. Considerations for AWS apps/services and many VPCs
AWS Microsoft AD requires a trust when used with on-premises AD*
WorkSpaces and RDS for SQL Server must be in the same VPC as AWS Microsoft AD; QuickSight must be in the same account
• Option 1 – Least cost, fewest trusts
  • Deploy AWS Microsoft AD in one VPC
  • Deploy all RDS for SQL Server and WorkSpaces instances in the same VPC
  • Use tagging for internal billing
• Option 2 – Easiest billing, complex trust configuration, high cost
  • Deploy AWS Microsoft AD in each VPC
  • Deploy RDS for SQL Server and WorkSpaces instance(s) in each VPC
*1-way trust for RDS for SQL Server; 2-way trust to provision Amazon WorkSpaces, Amazon QuickSight etc.
26. Deployment differences
Operation management
• AWS Microsoft AD: + AWS managed in the cloud
• EC2 AD instances: - Customer managed in the cloud
• On-premises AD: - Customer managed on own hardware
Availability
• AWS Microsoft AD: + Built-in redundancy and replication
• EC2 AD instances: - Customer must design for high availability
• On-premises AD: - Customer must design for high availability
Networking
• AWS Microsoft AD: Trust (1) ports from cloud to on-premises (least exposed)
• EC2 AD instances: Trust (1) or replication (2) ports from cloud to on-premises AD
• On-premises AD: - Open ports to support cloud to on-premises AD (3) (most exposed)
Admin control
• AWS Microsoft AD: Designated OU control; some apps unsupported
• EC2 AD instances: + Full control
• On-premises AD: + Full control
1 If a trust to on-premises is used, open ports from the cloud DCs to the on-premises DCs are needed
2 AD replication requires more open ports than forest trusts, but is limited to DC-to-DC communications
3 Ports for domain joining, AD interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access
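The "least exposed" row above rests on the trust and replication ports being open from the cloud DCs only, not from every instance in the VPC. The following PowerShell is an added example (it is not from the deck) of enforcing that on the on-premises side as defence in depth behind the perimeter firewall: it scopes the built-in inbound Windows Firewall rule groups on an on-premises domain controller so the DC ports answer only to on-premises networks and to the specific in-VPC DC addresses. All addresses are hypothetical; the rule group names are the ones Windows Server 2012 R2 and later ship with, so confirm them on your build with Get-NetFirewallRule | Group-Object DisplayGroup.

```powershell
# Added example; not from the deck. Run elevated on an on-premises DC that is a
# trust or replication partner of DCs in the VPC. Requires the NetSecurity module.
# Addresses below are hypothetical.
$CloudDcs   = @('10.0.2.10', '10.0.3.10')          # in-VPC DCs the trust/replication talks to
$OnPremNets = @('192.168.0.0/16', 'LocalSubnet')   # every on-premises client/DC network (all AD site subnets)
$Allowed    = $OnPremNets + $CloudDcs

# Built-in inbound rule groups that together carry the DC-to-DC ports the deck's
# footnotes refer to: RPC endpoint mapper and dynamic RPC, LDAP/LDAPS/GC,
# NetLogon, Kerberos and Kerberos password change, DNS, and SMB (445).
$RuleGroups = @(
    'Active Directory Domain Services',
    'Kerberos Key Distribution Center',
    'DNS Service',
    'File and Printer Sharing'
)

# Restrict every enabled inbound rule in the groups to the allowed remote addresses.
function Set-DcRuleScope {
    param([string[]]$Groups, [string[]]$RemoteAddress)
    foreach ($g in $Groups) {
        Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
            Where-Object Enabled -eq 'True' |
            Set-NetFirewallRule -RemoteAddress $RemoteAddress
    }
}

# Report the display names of enabled inbound rules in the groups that still accept 'Any'.
function Get-UnscopedDcRules {
    param([string[]]$Groups)
    foreach ($g in $Groups) {
        Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue |
            Where-Object Enabled -eq 'True' |
            ForEach-Object {
                $af = $_ | Get-NetFirewallAddressFilter
                if ($af.RemoteAddress -contains 'Any') { $_.DisplayName }
            }
    }
}

Set-DcRuleScope -Groups $RuleGroups -RemoteAddress $Allowed
$left = Get-UnscopedDcRules -Groups $RuleGroups
if ($left) { Write-Warning "Still open to Any: $($left -join ', ')" }
else       { Write-Host  "All inbound AD rules scoped to: $($Allowed -join ', ')" }
```

Two cautions before running it for real: list every on-premises subnet that domain members live on in $OnPremNets first (anything left out loses its DC), and note that this only narrows DC-to-DC exposure; the cloud-client-to-AD traffic the deck mentions for WorkSpaces and similar services still has to be limited at the VPN or Direct Connect boundary.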
27. How to select an Active Directory option
AWS Microsoft AD
• Minimize cost and effort to run AD
• RDS for SQL Server (1)
• AWS Enterprise Applications (1)
• Windows workloads on EC2 (2), e.g. SharePoint, SQL Server AlwaysOn Availability Groups, .NET applications
EC2 AD instances
• Require a replicated, multi-region AD solution
• Need NetBIOS name resolution support
• Require permissions not yet delegated by AWS Microsoft AD (3), e.g. Exchange, ADFS
On-premises AD
• Minimal EC2 instances require access to AD
• Latency to AD over the on-premises link is acceptable
• Comfortable with connectivity availability to on-premises AD
1 RDS for SQL Server, WorkSpaces, QuickSight and Chime require trusts only if the users are in on-premises AD
2 Subject to delegation constraints (e.g. password sync, special AD containers)
3 AWS is adding more delegations and application enablement over time
28. Deployment differences – Which connection model?
Columns: (A) AWS Microsoft AD with Sync | (B) AWS Microsoft AD with Trust | (C) EC2 AD with Sync | (D) EC2 AD with Trust | (E) EC2 AD Replicated | (F) On-premises
App Access
• SSO to cloud: A No | B Yes | C No | D Yes | E Yes | F Yes
Complexity/Effort
• EC2 seamless domain join: A Yes | B Yes | C No | D No | E No | F No
• DC configuration: A Medium | B Low | C Highest | D High | E High | F None
• Incremental maintenance: A High | B Low | C Highest | D Low | E Medium | F None
• Incremental system: A Medium | B Low | C Highest | D High | E High | F None
• Incremental entitlement: A High | B Low | C High | D Low | E None | F None
• Sites and Services: A No | B No | C No | D No | E Yes | F None
Verdict (as labelled left to right on the slide): Untested, Recommended, If necessary
30. Customer Feedback: Why sync vs. trusts
Trusts seem scary
• Many admins are unfamiliar with the model and how to secure
• Perception that a trust gives all cloud resources access to on-premises
• Perception that trusts give cloud admins control over on-premises directory
• Trusts require setup coordination (security review, firewall ports, trust setup)
• “Breaks principle” of communication initiation only from on-premises to the cloud
“We are isolating our on-premises from the cloud and need a few users sync’d”
• Only deploying SaaS applications in cloud (built on Windows)
• Only need a subset of Windows users with “same sign-on” to manage AWS resources via AD
31. Considerations for syncing identities to the cloud
Do your on-premises users need access to cloud resources
that use AD group-based authorization?
• If yes, will users object to having to log out of on-premises and log in to the cloud? (Same sign-on, not single sign-on)
Requires third-party sync tool
• Special configuration for what gets synced
• Must map from on-premises directory to AD structure in the cloud
With AWS Microsoft AD, the tool must not require domain admin
• User creations must be in your OU
Sync adds configuration complexity and latency for managing users
• Incremental entitlements for sync
• What about security groups? How does sync map them to the cloud?
32. Appropriate for sync – Admins’ user names for RDP
Diagram: On-premises (or Internet) AD synced to a cloud AD; only admin users are synced. Cloud side shows Amazon EC2, Amazon DynamoDB and an App with Federated AuthN (SAML), Kerberos AuthN, Domain Join/Machine AuthN/GPO/LDAP and User AuthN/Group Membership/Login Scripts; the AWS resource admin uses the synced identity for RDP.
33. Complex for sync – Many users to many cloud services
Diagram: Same layout, but many on-premises users need Federated AuthN (SAML), Kerberos AuthZ and Domain Join/Machine AuthN/GPO/LDAP across cloud workloads such as SQL Server AlwaysOn, SharePoint, Exchange and .NET.
34. Forest trusts
Time tested, secure model
The trusting forest has no admin control over the trusted forest
Trusted users have cloud resource access only if entitled by trusting admins (you control both sides)
Resources in the cloud have no access to on-premises resources unless on-premises trusts the cloud AND on-premises admins grant permissions to user identities in the cloud
Diagram: Cloud (trusting) VPC with an AWS Managed Microsoft AD DC; on-premises network (trusted) with a Windows AD DC; trust from cloud to on-premises. Access is granted to members of an on-premises security group by a cloud-side security group, which is where the access entitlements live.
35. No trust vs. 1-way vs. 2-way trusts
Do you need users from one forest to access resources in another forest?
• If no, use no trust
Can you use only a 1-way trust?
• If yes, only use 1-way
• RDS for SQL Server with on-premises users requires at least 1-way
Is a 2-way trust required?
• If yes, use 2-way trust
• WorkSpaces, QuickSight Enterprise Edition, and Chime use 2-way trusts
• The on-premises to AWS Microsoft AD direction of the trust is used only to read users/groups to provision them into the application
Always Secure Your Trust
36. Securing trusts
Leave SID filtering on when setting up the on-premises side of a trust
Turn on selective authentication on the on-premises side of a trust
• https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
Only permit AD trust ports to the DCs in the cloud
• https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
For cloud-client-to-AD, only permit AD authentication ports to on-premises AD; minimize all other ports from cloud to on-premises (e.g., WorkSpaces login using on-premises credentials)
• https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
Don’t grant groups in the cloud access to on-premises resources
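The first two items above (SID filtering, selective authentication) are settings on the trust object of the forest that does the trusting, so on the on-premises side they apply when on-premises trusts the cloud forest: the 2-way case the deck describes for WorkSpaces, QuickSight and Chime. With a 1-way trust where only the cloud trusts on-premises, the on-premises trust object is inbound only and SID filtering is enforced by the cloud side. The PowerShell below is an added example, not from the deck or from AWS, that applies and verifies both settings on an on-premises DC and shows the narrow way to let a single cloud-side account through selective authentication. Forest names, the DC distinguished name and the service account are hypothetical.

```powershell
# Added example; not from the deck. Run as an Enterprise Admin on an on-premises
# DC with the ActiveDirectory RSAT module, netdom.exe and dsacls.exe available.
# Names are hypothetical. netdom may need /UserD: and /PasswordD: for an admin
# of the cloud forest (the AWS delegated admin account) when it validates the trust.
$OnPremForest = 'corp.example'    # on-premises forest (trusting side for this command)
$CloudForest  = 'cloud.example'   # AWS Microsoft AD forest in the VPC (trusted side)

# 1. SID filtering. A forest trust filters SIDs unless SID history was enabled on it;
#    set it explicitly so SIDHistory values from cloud.example are never honoured here.
#    (For an *external* trust the equivalent switch is /Quarantine:Yes.)
netdom trust $OnPremForest /Domain:$CloudForest /EnableSIDHistory:No

# 2. Selective authentication on the on-premises side: a cloud-forest identity can
#    then authenticate to an on-premises computer only if that computer object
#    grants it the 'Allowed to Authenticate' control access right.
netdom trust $OnPremForest /Domain:$CloudForest /SelectiveAuth:Yes

# 3. Verify against the on-premises trust object. TrustAttributes bit 0x40
#    (TREAT_AS_EXTERNAL) set means SID filtering was relaxed for this forest trust.
function Test-CloudTrustHardening {
    param([string]$CloudForest)
    $t = Get-ADTrust -Identity $CloudForest
    $sidHistoryAllowed = [bool]($t.TrustAttributes -band 0x40)
    [pscustomobject]@{
        Trust                   = $t.Name
        Direction               = $t.Direction      # Outbound = we trust them; BiDirectional = both ways
        ForestTransitive        = $t.ForestTransitive
        SelectiveAuthentication = $t.SelectiveAuthentication
        SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # relevant for external trusts
        SidHistoryAllowed       = $sidHistoryAllowed
        Hardened                = ($t.SelectiveAuthentication -and -not $sidHistoryAllowed)
    }
}
Test-CloudTrustHardening -CloudForest $CloudForest | Format-List

# 4. Only if one cloud-side account genuinely needs on-premises access (for example
#    an AWS application reading users and groups to provision them), grant it on
#    the specific computer objects it must reach. Never grant cloud groups broadly;
#    that is what selective authentication is there to prevent.
$DcDn  = 'CN=DC01,OU=Domain Controllers,DC=corp,DC=example'   # hypothetical
$Svc   = 'CLOUD\svc-provision'                                # hypothetical
dsacls $DcDn /G "${Svc}:CA;Allowed to Authenticate"
```

Check the Hardened field after any change made through the AWS console or by another admin, because a later reconfiguration of the trust on the on-premises side can silently re-enable SID history or switch the trust back to forest-wide authentication.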
37. Recap
AD is used in many ways and is often required in the cloud
• Where AD-dependent systems exist affects where you place AD
AD on EC2 and AWS Microsoft AD have advantages over using on-premises AD domain controllers
AD on EC2 is appropriate when you require full domain admin permissions or a replicated AD in the cloud
AWS Microsoft AD is
• Appropriate to support resources in the cloud
• Required to support AWS applications and services with on-premises users
Trusts are secure and appropriate when you need SSO from on-premises to AD-dependent workloads in the cloud
Synchronization may be appropriate for isolation with a small set of users
• Sync requires a compatible third-party solution and has many considerations
38. References
Documentation
• AWS Directory Service – aws.amazon.com/directoryservice
• AWS Microsoft AD – aws.amazon.com/documentation/directory-service/
• RDS for SQL Server – aws.amazon.com/documentation/rds/
AWS Quick Starts – aws.amazon.com/quickstart/
• Active Directory Domain Services
• Exchange Server 2013
• SharePoint Server 2016 Enterprise
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• Windows PowerShell DSC