7. What AWS Managed Microsoft AD Is
AWS-managed, actual Microsoft Active Directory running on Windows Server 2012 R2 domain controllers (DCs)
• ~3-click setup from the Directory Service console, or scripted through the API
• 2 DCs, each in a separate Availability Zone (AZ)
• Scale out with additional DCs
• Dynamic DNS
• Compliance audited
[Diagram: a VPC spanning two Availability Zones; each AZ has a private subnet (shown as 10.0.2.0/24) containing an EC2 App Server and an EC2 IIS Server that authenticate (Auth/LDAP) against an AWS Managed Microsoft AD domain controller (DC) operated by AWS Managed Services]
8. AWS Managed Microsoft AD: Shared Responsibilities
Customer administers:
• Configure password policies
• Configure trusts (resource forest deployment)
• Configure certificate authorities (for LDAPS)
• Configure federation
• Administer users, groups, GPOs, and other AD content
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Add domain controllers as needed
Amazon operates:
• Multi-AZ deployment, patching, monitoring, DC recovery, snapshot, and restore
[Diagram: the two-AZ deployment again, with private subnets (10.0.2.0/24), EC2 App and IIS Servers, and Auth/LDAP to the AWS Managed Microsoft AD DCs operated by AWS Managed Services]
13. AWS Microsoft AD as a resource directory
[Diagram: the AWS Microsoft AD Directory sits in the center. AWS Apps & Services (Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, AWS Management Console, Amazon Chime, Amazon Connect) use it to enable, authenticate, and authorize. AD-aware workloads (.NET application servers, SharePoint Server, SQL Server, Remote Desktop Licensing Manager, Enterprise Certificate Authority / Certificate Services) and Amazon Windows and Linux EC2 instances use it to manage, authenticate, and authorize. On-premises Microsoft Active Directory in the corporate data center, which holds the on-premises user credentials, is reached over VPN or Direct Connect and linked to AWS Microsoft AD by a trust. An on-premises AD FS server authenticates users to SaaS applications and Azure AD via SAML, and an on-premises Azure AD Connect server synchronizes users to Azure AD.]
14. AWS Microsoft AD as a primary directory
[Diagram: the AWS Microsoft AD Directory is again in the center, but the AD FS Server and the Azure AD Connect Server now run on Amazon EC2 next to it: AD FS federates users to Azure AD and SaaS applications via SAML, and Azure AD Connect (ADSync) synchronizes users to Azure AD. AWS Apps & Services (Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, AWS Management Console, Amazon Chime, Amazon Connect) and AD-aware workloads (.NET application servers, SharePoint Server, SQL Server, Remote Desktop Licensing Manager, Enterprise Certificate Authority / Certificate Services) on Amazon Windows and Linux EC2 instances use the directory to manage, authenticate, and authorize. On-premises Microsoft Active Directory in the corporate data center, with its on-premises user credentials and its own AD FS and Azure AD Connect servers, is reached over VPN or Direct Connect and linked to AWS Microsoft AD by a trust.]
15. Set Up Environment (Prerequisites)
1. Create AWS Microsoft AD directory
2. Join EC2 Windows server to AWS Microsoft AD domain (admin instance)
3. Install AD Administration tools on EC2*
4. Join EC2 Windows server to AWS Microsoft AD domain (AD FS instance)*
5. Join EC2 Windows server to AWS Microsoft AD domain (Azure AD Connect instance)*
6. Create AD FS service account in AWS Microsoft AD using AD Users and Computers
7. Set up Office 365 account
8. Integrate AD Domain with O365 (tenant)
9. Set up Azure AD domain
[Diagram, numbered to match the steps: (1) AWS Microsoft AD; (2) EC2 instance "management" with (3) the AD Administration Tools installed; (4) EC2 instance "adfsserver", the AD FS Server (Windows Server 2016); (5) EC2 instance "adsync" running Azure AD Connect; (6) service account ADFSSVC; (7) Office 365; (8) Azure AD]
*Can be the same instance
16. Integrate AD FS with Azure AD (continued)
Set the context to the AD FS server using its internal FQDN:
Set-MsolADFSContext -computer adfsserver.awsexample.com
Convert the Azure AD domain to use adfsserver for federated authentication to your AD domain:
Convert-MsolDomainToFederated -domain awsexample.com
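A post-conversion check, added here and not part of the deck, that is worth running right after Convert-MsolDomainToFederated: it confirms the domain is actually federated, that every federation endpoint Azure AD will redirect users to points at the AD FS host from the previous command, and how long the token-signing certificate Azure AD now trusts remains valid. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the domain and host names are the deck's example values, and the check treats the AD FS federation service name as equal to the internal FQDN.

```powershell
# Added verification script (not from the slides). Assumes Connect-MsolService
# has already authenticated this session to the Azure AD tenant.
param(
    [string]$DomainName = "awsexample.com",             # domain converted on slide 16
    [string]$AdfsFqdn   = "adfsserver.awsexample.com"   # AD FS server from Set-MsolADFSContext
)

# 1. The domain must report Federated; Managed means the conversion did not take effect.
$domain = Get-MsolDomain -DomainName $DomainName
if ($domain.Authentication -ne "Federated") {
    throw "$DomainName is '$($domain.Authentication)', not Federated; re-run Convert-MsolDomainToFederated."
}

# 2. Every endpoint Azure AD redirects sign-ins to must resolve to our AD FS host,
#    otherwise users would be sent to a federation service we do not operate.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
foreach ($uri in @($fed.PassiveLogOnUri, $fed.ActiveLogOnUri, $fed.MetadataExchangeUri, $fed.LogOffUri)) {
    if ($uri -and (([uri]$uri).Host -ne $AdfsFqdn)) {
        Write-Warning "Federation endpoint $uri does not point at $AdfsFqdn"
    }
}

# 3. The signing certificate Azure AD trusts is the AD FS token-signing cert; check its
#    expiry so a rollover is scheduled before federated sign-ins start failing.
$raw = $fed.SigningCertificate
$certBytes = if ($raw -is [byte[]]) { $raw } else { [Convert]::FromBase64String($raw) }
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Token-signing certificate expires in $daysLeft days; plan the rollover and Update-MsolFederatedDomain."
}

# Summary object for the operator (or for a scheduled job to log).
[pscustomobject]@{
    Domain                = $DomainName
    Authentication        = $domain.Authentication
    IssuerUri             = $fed.IssuerUri
    PassiveLogOnUri       = $fed.PassiveLogOnUri
    SigningCertThumbprint = $cert.Thumbprint
    SigningCertDaysLeft   = $daysLeft
}
```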
17. Azure AD Connect
[Diagram: an RDP session to the Azure AD Connect EC2 instance in the 10.0.2.0/24 subnet, alongside the AWS Managed Microsoft AD DC]
Synchronize users to Azure AD:
• Download the Azure AD Connect MSI and install it with Custom settings
• On the Connect Directories page, choose Active Directory as the directory type and choose your Microsoft AD forest as the Forest
• Enter your AWS Microsoft AD admin credentials