Many Windows shops want to move to the cloud, but are overwhelmed by the numerous options. In this talk we will take a look at how to move your Active Directory environment into AWS and provide some tips and tricks on how to make the most of the options available.
2. What is AD?
GENERAL AD
• It is both the directory information source and the service that makes that information available and usable
• Essentially, it is a phonebook
• Users: account information, privileges, profiles, policy management
• Servers & workstations: domain joins, policies, network information
• Application information, e.g. Exchange and mailbox information
3. AD Options for AWS
GENERAL AD
• AD Connector – gateway/proxy to an existing on-premises Microsoft AD
• Simple AD – AD-compatible directory powered by Samba 4, providing a subset of Microsoft AD features
• Microsoft AD – AWS-managed AD powered by Windows Server 2012 R2
• AD on EC2 – self-managed AD DS domain controllers that you run yourself on EC2 instances
4. Choosing the Correct AD Option
GENERAL AD
Feature | AD Connector | Simple AD | Managed AD | AD on EC2
--- | --- | --- | --- | ---
Authenticate sign-on requests from AWS applications like Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail | Yes (proxy) | Yes | Yes | Yes*
Domain join EC2 instances running Linux and Microsoft Windows | Yes (proxy) | Yes | Yes | Yes*
Enable single sign-on (SSO) to the AWS Management Console using existing AD credentials | Yes (proxy) | Yes | Yes | Yes*
Support for up to 5,000 users and 20,000 objects | Yes | Yes | Yes | Yes
Authenticate sign-on requests from directory-aware Microsoft workloads, including custom .NET and SQL Server-based applications | | Yes | Yes | Yes
Common Active Directory features such as user accounts, group memberships, and group policies | | Yes | Yes | Yes
5. Choosing the Correct AD Option
GENERAL AD
Feature | AD Connector | Simple AD | Managed AD | AD on EC2
--- | --- | --- | --- | ---
Advanced Active Directory features such as DNS dynamic updates, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group managed service accounts, and schema extensions for POSIX and Microsoft applications | | | Yes | Yes
Set up trust relationships with other Active Directory domains | | | Yes | Yes
Establish trust with other AWS directories | | | Yes | Yes
Support for up to 50,000 users and 200,000 objects | | | Yes | Yes
6. Choosing the Correct AD Option
GENERAL AD
Feature | AD Connector | Simple AD | Microsoft AD | AD on EC2
--- | --- | --- | --- | ---
Active Directory schema modifications, communication over LDAPS, PowerShell AD cmdlets, and the transfer of FSMO roles | | | Yes | Yes
Active Directory replication | | | | Yes
Support for more than 50,000 users and 200,000 objects | | | | Yes
Windows Authentication to authenticate users when they connect to an Amazon RDS DB instance running Microsoft SQL Server | | | Yes |
10. Simple AD
Simple AD
• Samba 4, Active Directory-compatible server.
• Able to manage Windows/Linux EC2 instances.
• User accounts allow access to WorkSpaces, WorkDocs and WorkMail.
• Daily snapshots.
11. Simple AD
Simple AD
● No trust relationships.
● Cannot use most Active Directory administration tools.
● No PowerShell support.
13. Common Scenarios
AD ON EC2
• Global (multi-region) deployments - extension of the corporate on-prem AD into the cloud
• Disaster Recovery
• Enterprise applications (with isolated access, e.g. for third parties, partners and similar)
• Hybrid deployments - when applications need to talk to components hosted on-prem
14. General Design Considerations
AD ON EC2
• Customer responsibility for:
  • patching (e.g. Systems Manager)
  • monitoring (e.g. CloudWatch)
  • backups (either 3rd-party enterprise solutions or Windows System Backup)
  • high availability
• Place DCs in at least two AZs and treat the AZs as separate data centers (AZ1 being one site, AZ2 being another site)
15. Security Considerations
AD ON EC2
• Access to AWS resources using IAM roles and policies.
• Access to the EC2 OS using AD security group memberships.
• Keep the Cloud team and the AD team separated.
• Never internet facing; always in private subnets.
• Restrict traffic with NACLs and security groups (SGs).
16. Networking considerations
AD ON EC2
• Understand the networking in order to create proper sites, site links and replication setup
17. Networking considerations
AD ON EC2
• When peering multiple VPCs, it is sufficient to deploy DCs into a single VPC (Shared Services VPC concept)
18. IP addressing and DNS considerations
AD ON EC2
• Define separate subnets for AD (or for all shared/common services)
• Configure the network properties of all member servers to point to the IP addresses of the EC2 hosts holding the AD DS and DNS roles - use DHCP option sets
• Set each AZ as a site in Sites and Services. Set each VPC as a site when dealing with multi-region.
19. Multi Region Considerations
AD ON EC2
• Deploy DCs in all used regions, and in multiple AZs within each region.
• Connect all regions to the data center and treat the data center as the hub when setting link costs in the replication setup.
• Another option is a dual-hub-and-spoke design, in case one hub drops offline.
20. Multi Region Considerations
AD ON EC2
• For replication between the regions (using the AWS network as a backbone) use VPC peering, IPsec VPNs between the regions, or transit VPCs.
• If you are separating users from resources into separate domains, consider using sub-domains based on region.
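Sites and Services setup for the topology described on the networking and multi-region slides, as an added example that is not from the deck: one AD site per AZ in each region, the on-prem data center as the replication hub, and a deliberately expensive region-to-region link as the fallback path. Site names and CIDRs are constructed placeholders; run it on a DC with the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

# Constructed topology: on-prem hub plus two regions with two AZ subnets each (placeholders)
$sites = [ordered]@{
    'DC-OnPrem'   = @('10.0.0.0/16')     # corporate data center, the replication hub
    'AWS-East-1a' = @('10.10.0.0/20')    # one site per AZ, subnet = the AZ's VPC subnet
    'AWS-East-1b' = @('10.10.16.0/20')
    'AWS-West-2a' = @('10.20.0.0/20')
    'AWS-West-2b' = @('10.20.16.0/20')
}

foreach ($name in $sites.Keys) {
    # Idempotent: only create the site and its subnets if they do not exist yet
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    foreach ($cidr in $sites[$name]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $name
        }
    }
}

# Intra-region links: the AZs of one region replicate with each other cheaply and often
New-ADReplicationSiteLink -Name 'AWS-East' -SitesIncluded 'AWS-East-1a','AWS-East-1b' `
    -Cost 10 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'AWS-West' -SitesIncluded 'AWS-West-2a','AWS-West-2b' `
    -Cost 10 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Hub-and-spoke: every region reaches the data center directly at cost 100
New-ADReplicationSiteLink -Name 'OnPrem-East' -SitesIncluded 'DC-OnPrem','AWS-East-1a' `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'OnPrem-West' -SitesIncluded 'DC-OnPrem','AWS-West-2a' `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP

# Region-to-region link over VPC peering / VPN: cost 300 so the KCC only routes through it
# when the hub is unreachable (site link bridging, on by default, makes the routing transitive)
New-ADReplicationSiteLink -Name 'East-West-Fallback' -SitesIncluded 'AWS-East-1a','AWS-West-2a' `
    -Cost 300 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Verify the resulting topology before forcing the KCC to recalculate (repadmin /kcc)
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded | Format-Table -AutoSize
```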
21. AD Backup and Recovery considerations
AD ON EC2
• Do not use snapshots
  • Not crash consistent
  • VM Generation ID (the safeguard AD relies on when a snapshot is rolled back) is not supported in EC2
• Use Windows System State backup or 3rd-party enterprise solutions
• Leverage separate volumes for backups -> snapshot the volumes to S3 and perhaps to Glacier for longer-term storage
22. AD DS specific design considerations
AD ON EC2
• Separate forest without trusts
• New forest with federation
• New forest with Kerberos
• Extend corp forest by deploying a replica DC
• Extend corp forest by deploying a new child domain or domain tree
23. AD DS specific design considerations
AD ON EC2
● Global Catalog considerations:
  ○ Same considerations as with an on-prem design.
    ■ In most cases, it is recommended that you include the global catalog when you install new domain controllers.
    ■ Does any application need a GC?
    ■ Are more than 100 users using that region?
  ○ For a multi-domain forest, make all DCs global catalogs, with the following exceptions:
    ■ Limited bandwidth (e.g. VPN)
    ■ Security implications
24. Office365 integration
AD ON EC2
• AD on EC2 (works with Managed AD too)
• AD FS on a separate EC2 instance
  • Service account
• Azure AD Connect on a separate EC2 instance
  • AD Sync to replicate AD users into Azure AD
  • Enables users in the AWS-hosted AD to single sign-on to Office 365
26. What is Managed Microsoft AD
AWS MANAGED MICROSOFT AD
• Windows Server 2012 R2 DCs.
• ~3-click setup, or CLI/API and CloudFormation.
• By default 2 DCs in 2 AZs, dynamically scalable to more DCs.
• PCI, HIPAA and SOC compliant.
• Two editions:
  • Standard: up to ~5,000 objects*
  • Enterprise: up to 100,000+ objects*
• Currently the same set of features, with a tendency to add more features to the Enterprise edition.
• Priced per DC per hour, minimum 2 DCs.
28. Deployment models
AWS MANAGED MICROSOFT AD
• Primary directory in the cloud only.
• Resource directory that includes a trust with AD (or any other directory).
30. Prerequisites
AWS MANAGED MICROSOFT AD
• VPC with 2 AZs.
• VPC must have default hardware tenancy.
• Cannot use the 198.19.0.0/16 address space.
• VPN or Direct Connect optional.
31. Best practices after creation
AWS MANAGED MICROSOFT AD
• DHCP option set for the VPC.
• Tighten the default DC SGs.
• Create a separate security group to be assigned to domain member instances.
• Separate instance for AD management (tools to be installed manually).
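An added example (not part of the deck) covering the first three bullets with the AWS Tools for PowerShell: attach a DHCP option set built from the directory's own DNS addresses, create a dedicated member-server security group, and list the AWS-created DC security group's rules so they can be tightened. The directory, VPC and admin SG IDs are placeholders.

```powershell
# Placeholders (not from the deck): replace with your directory, VPC and management-instance SG IDs
$DirectoryId = 'd-EXAMPLE0000'
$VpcId       = 'vpc-EXAMPLE0000'
$AdminSgId   = 'sg-EXAMPLEADMIN'

# 1. DHCP option set: hand the directory's domain name and DNS servers to every instance in the VPC,
#    so member servers resolve the domain through the managed DCs instead of the VPC resolver
$dir  = Get-DSDirectory -DirectoryId $DirectoryId
$opts = New-EC2DhcpOption -DhcpConfiguration @(
    @{ Key = 'domain-name';         Values = @($dir.Name) },
    @{ Key = 'domain-name-servers'; Values = @($dir.DnsIpAddrs) }
)
Register-EC2DhcpOption -DhcpOptionsId $opts.DhcpOptionsId -VpcId $VpcId

# 2. Dedicated security group for domain members: inbound RDP only from the AD management instance,
#    so member servers are never reachable from arbitrary VPC addresses
$memberSg = New-EC2SecurityGroup -VpcId $VpcId -GroupName 'ad-domain-members' -Description 'Domain-joined instances'
$pair = New-Object Amazon.EC2.Model.UserIdGroupPair -Property @{ GroupId = $AdminSgId }
$rdp  = New-Object Amazon.EC2.Model.IpPermission
$rdp.IpProtocol = 'tcp'; $rdp.FromPort = 3389; $rdp.ToPort = 3389
$rdp.UserIdGroupPairs = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.UserIdGroupPair]'
$rdp.UserIdGroupPairs.Add($pair)
Grant-EC2SecurityGroupIngress -GroupId $memberSg -IpPermission $rdp

# 3. Tighten the AWS-created DC security group: list its inbound rules first, then narrow each
#    rule's source to $memberSg (and the admin SG) rather than the broad defaults
$dcSg = $dir.VpcSettings.SecurityGroupId
Get-EC2SecurityGroup -GroupId $dcSg |
    Select-Object -ExpandProperty IpPermissions |
    Format-Table IpProtocol, FromPort, ToPort, @{ n = 'Sources'; e = { ($_.Ipv4Ranges.CidrIp + $_.UserIdGroupPairs.GroupId) -join ',' } }
```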
32. Management of the Microsoft AD
AWS MANAGED MICROSOFT AD
• AWS is the Domain Admin.
  • May cause issues with compliance.
• Pre-created OU with delegated permissions.
• Add users into predefined groups (created by AWS).
  • Groups are "domain local", not "universal".
• It is not the end of the world if the AD is marked as "Impaired". It is perfectly normal to see it like that every once in a while.
• Do an AD restore only as a last resort (because it always means a loss of data). Contact AWS Support before you do a restore.
40. Things to watch out for
Tips and Tricks
● The Default Domain Policy has a 45-day password rotation. Admin password included.
● The default security group doesn't allow trusts to occur.
● Seamless domain join doesn't work across VPCs, but SSM does.
● Active Directory Standard cannot be built via CloudFormation. Enterprise can be.
● Conditional forwarders can be managed via the CLI.
● The only directly available logs are the security logs.
● It is possible to have multiple domains inside one VPC.
  ○ Works best in a shared services VPC design.
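An added check (not from the deck) for the first tip: read the Default Domain Policy and any fine-grained policies, then list enabled accounts whose password lapses within a week under the policy that actually applies to them. It assumes the ActiveDirectory module is installed on the management instance.

```powershell
Import-Module ActiveDirectory

# Policy for users not covered by a fine-grained policy (45-day MaxPasswordAge by default here)
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, LockoutThreshold

# Fine-grained password policies: the supported way to give selected groups a different rotation
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MaxPasswordAge, AppliesTo

function Get-ExpiringPassword {
    param([int]$DaysAhead = 7)
    $horizon = (Get-Date).AddDays($DaysAhead)
    Get-ADUser -Filter "Enabled -eq 'True'" -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { -not $_.PasswordNeverExpires -and $_.PasswordLastSet } |
        ForEach-Object {
            # Resultant policy is the winning FGPP; fall back to the domain default when none applies
            $policy = Get-ADUserResultantPasswordPolicy -Identity $_
            $label  = if ($policy) { $policy.Name } else { 'Default Domain Policy' }
            if (-not $policy) { $policy = $domainPolicy }
            if ($policy.MaxPasswordAge -gt [TimeSpan]::Zero) {
                $expires = $_.PasswordLastSet + $policy.MaxPasswordAge
                if ($expires -le $horizon) {
                    [pscustomobject]@{ User = $_.SamAccountName; Expires = $expires; Policy = $label }
                }
            }
        } | Sort-Object Expires
}

# Accounts whose password lapses within a week; the Admin account shows up here when its rotation is due
Get-ExpiringPassword -DaysAhead 7 | Format-Table -AutoSize
```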
41. Automatic AD Cleanup
Tips and Tricks
● Joining a domain is easy: seamless domain join, SSM documents, PowerShell, etc.
● Leaving a domain is hard.
● Having domain-joined computers in an ASG will clutter up Active Directory.
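One way to find the clutter described above, as an added example that is not from the deck: compare the computer objects in the join OU against the instances EC2 still knows about, and disable the orphans. It assumes your join process (user data or SSM document, not shown here) names each computer after its EC2 instance ID, and uses placeholders for the OU and region.

```powershell
Import-Module ActiveDirectory

# Placeholders (not from the deck): the OU that joined instances land in, and the region they run in
$SearchBase = 'OU=Servers,OU=corp,DC=corp,DC=example,DC=com'
$Region     = 'us-east-1'

function Get-OrphanedComputer {
    # Instance IDs EC2 still reports (terminated instances disappear from the API after a while)
    $live = @{}
    (Get-EC2Instance -Region $Region).Instances |
        Where-Object { $_.State.Name.Value -ne 'terminated' } |
        ForEach-Object { $live[$_.InstanceId] = $true }

    # Computer objects named like an instance ID (assumed naming convention) with no live instance behind them
    Get-ADComputer -SearchBase $SearchBase -Filter 'Name -like "i-*"' -Properties LastLogonDate |
        Where-Object { -not $live.ContainsKey($_.Name) }
}

$stale = Get-OrphanedComputer

# Report first, then disable rather than delete: a wrongly matched object can be re-enabled
# without the AD restore the deck warns against
$stale | Select-Object Name, LastLogonDate, DistinguishedName | Format-Table -AutoSize
$stale | ForEach-Object { Disable-ADAccount -Identity $_ -WhatIf }   # drop -WhatIf to apply
```

Run it on a schedule (or from an ASG lifecycle hook) so objects are retired as instances are, and delete the disabled objects only after a retention period.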
42. References
re:Invent 2017, AD best practices
• AWS re:Invent 2017: Deep Dive on Active Directory – From One to Many AWS Regions (WIN302)
• AWS re:Invent 2017: AWS Directory Service for Microsoft Active Directory Deep Dive (WIN403)
• AWS re:Invent 2017: Deep Dive on How Capital One Automates the Delivery of Directory (SID202)