Using Active Directory in AWS
Re:Invent 2017, AD Best Practices
trinimbus.com
What is AD?
GENERAL AD
• It is both the directory information source and the service that makes the information available and usable
• Essentially, it is a phonebook
• Users: account information, privileges, profiles, policy management
• Servers & workstations: domain joins, policies, network information
• Application information, e.g. Exchange and mailbox information
AD Options for AWS
GENERAL AD
• AD Connector – gateway/proxy to an existing on-premises Microsoft AD
• Simple AD – AD-compatible directory powered by Samba 4, providing a subset of MS AD features
• Microsoft AD – AWS-managed AD powered by Windows Server 2012 R2
• AD on EC2 – self-managed AD running on your own EC2 instances
Choosing the Correct AD Option
GENERAL AD

| Feature | AD Connector | Simple AD | Managed AD | AD on EC2 |
|---|---|---|---|---|
| Authenticate sign-on requests from AWS applications like Amazon WorkSpaces, Amazon WorkDocs, or Amazon WorkMail | Yes (proxy) | Yes | Yes | Yes* |
| Domain join EC2 instances running Linux and Microsoft Windows | Yes (proxy) | Yes | Yes | Yes* |
| Enable single sign-on (SSO) to the AWS Management Console using existing AD credentials | Yes (proxy) | Yes | Yes | Yes* |
| Support for up to 5,000 users and 20,000 objects | Yes | Yes | Yes | Yes |
| Authenticate sign-on requests from directory-aware Microsoft workloads, including custom .NET and SQL Server-based applications | No | Yes | Yes | Yes |
| Common Active Directory features such as user accounts, group memberships, and group policies | No | Yes | Yes | Yes |
| Advanced Active Directory features such as DNS dynamic updates, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group managed service accounts, and schema extensions for POSIX and Microsoft applications | No | No | Yes | Yes |
| Set up trust relationships with other Active Directory domains | No | No | Yes | Yes |
| Establish trust with other AWS directories | No | No | Yes | Yes |
| Support for up to 50,000 users and 200,000 objects | No | No | Yes | Yes |
| Active Directory schema modifications, communication over LDAPS, PowerShell AD cmdlets, and the transfer of FSMO roles | No | No | Yes | Yes |
| Active Directory replication | No | No | No | Yes |
| Support for more than 50,000 users and 200,000 objects | No | No | No | Yes |
| Windows Authentication for users connecting to an Amazon RDS DB instance running Microsoft SQL Server | No | No | Yes | No |
AD Connector
AD CONNECTOR
• Proxy service that routes authentication/authorization requests back to an AD domain hosted elsewhere.
Simple AD
SIMPLE AD
• Samba 4, Active Directory compatible server.
• Able to manage Windows/Linux EC2 instances.
• User accounts allow access to WorkSpaces, WorkDocs, WorkMail.
• Daily snapshots.
• No trust relationships.
• Cannot use most Active Directory administration tools.
• No PowerShell support.
AD on EC2
Common Scenarios
AD ON EC2
• Global (multi-region) deployments (extension of the corporate on-prem AD into the cloud)
• Disaster recovery
• Enterprise applications with isolated access (third parties, partners and similar)
• Hybrid deployments, when applications need to talk to components hosted on-prem
General Design Considerations
AD ON EC2
• Customer responsibility for:
  • patching (e.g. Systems Manager)
  • monitoring (e.g. CloudWatch)
  • backups (either 3rd-party enterprise solutions or Windows System Backup)
  • high availability
• Place DCs in at least two AZs and treat AZs as separate data centers (AZ1 being one site, AZ2 being another site)
Security Considerations
AD ON EC2
• Access to AWS resources via IAM roles and policies.
• Access to the EC2 OS via AD security group memberships.
• Keep the Cloud team and the AD team separated.
• Never internet facing; always in private subnets.
• Restrict traffic with NACLs and Security Groups.
Networking Considerations
AD ON EC2
• Understand the networking in order to create proper sites, links and replication setup.
• When peering multiple VPCs, it is sufficient to deploy DCs into a single VPC (Shared Services VPC concept).
IP Addressing and DNS Considerations
AD ON EC2
• Define separate subnets for AD (or for all Shared/Common services).
• Configure the network properties of all member servers to point to the IP address of the EC2 host holding the AD DS & DNS roles (via DHCP Option Sets).
• Set each AZ as a site in Sites and Services. Set each VPC as a site when dealing with multi-region.
Multi-Region Considerations
AD ON EC2
• Deploy DCs in all used regions, and in multiple AZs within each region.
• Connect all regions to the Data Center and treat the Data Center as a hub when setting the link costs in the replication setup.
• Another option is a dual-hub-and-spoke design in case one hub drops offline.
• For replication between the regions (using the AWS network as a backbone) use VPC Peering, IPsec VPNs between the regions, or transit VPCs.
• If you are separating users from resources into separate domains, consider using sub-domains based on region.
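The AZ-as-site layout and the hub-and-spoke link costs described above, as an added PowerShell example that is not from the deck: it assumes the RSAT ActiveDirectory module on a domain-joined admin host, two constructed regions with two AZ subnets each, and an on-prem site named DC-OnPrem acting as the replication hub.

```powershell
# Added example (not from the deck): one AD site per AZ with its subnet bound to it,
# a cheap intra-region site link between the AZs, and a higher-cost spoke link from
# each region to the on-prem data center site so the data center is the hub.
# Site names, CIDRs and costs are constructed values for illustration.
Import-Module ActiveDirectory

$hubSite   = 'DC-OnPrem'         # corporate data center = replication hub
$hubSubnet = '192.168.0.0/16'    # constructed on-prem address space

# One entry per AZ subnet that hosts a DC (constructed CIDRs).
$azSites = @(
    [pscustomobject]@{ Name = 'us-east-1a'; Subnet = '10.10.0.0/24'; Region = 'us-east-1' },
    [pscustomobject]@{ Name = 'us-east-1b'; Subnet = '10.10.1.0/24'; Region = 'us-east-1' },
    [pscustomobject]@{ Name = 'eu-west-1a'; Subnet = '10.20.0.0/24'; Region = 'eu-west-1' },
    [pscustomobject]@{ Name = 'eu-west-1b'; Subnet = '10.20.1.0/24'; Region = 'eu-west-1' }
)

# Idempotent helper: create the site and bind the subnet to it if either is missing.
function Ensure-AdSite {
    param([string]$Name, [string]$Subnet)
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Name'")) {
        New-ADReplicationSite -Name $Name
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
        New-ADReplicationSubnet -Name $Subnet -Site $Name
    }
}

Ensure-AdSite -Name $hubSite -Subnet $hubSubnet
foreach ($az in $azSites) { Ensure-AdSite -Name $az.Name -Subnet $az.Subnet }

foreach ($region in ($azSites.Region | Sort-Object -Unique)) {
    $regionSites = @($azSites | Where-Object Region -eq $region | ForEach-Object Name)

    # AZs of one region: low cost and frequent replication, they share a backbone.
    New-ADReplicationSiteLink -Name "Intra-$region" -SitesIncluded $regionSites `
        -Cost 10 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

    # Region <-> hub: higher cost, so inter-region replication is routed through the
    # data center instead of directly between regions (the hub-and-spoke design).
    New-ADReplicationSiteLink -Name "$region-to-$hubSite" `
        -SitesIncluded ($regionSites + $hubSite) `
        -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
}

# Verify: every site link with its cost and the short names of its member sites.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, @{ n = 'Sites'; e = {
        ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

For a dual-hub variant, add a second hub site and a second spoke link per region with an equal cost; the KCC then has an alternative path when one hub is offline.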
AD Backup and Recovery Considerations
AD ON EC2
• Do not use snapshots:
  • not crash consistent
  • VM Generation IDs not supported in EC2
• Use Windows System State backup or 3rd-party enterprise solutions.
• Leverage separate volumes for backups; snapshot those volumes to S3 and perhaps to Glacier for longer-term storage.
AD DS Specific Design Considerations
AD ON EC2
• Separate forest without trusts
• New forest with federation
• New forest with Kerberos
• Extend the corporate forest by deploying a replica DC
• Extend the corporate forest by deploying a new child domain or domain tree
• Global Catalog considerations:
  ○ Same considerations as with an on-prem design:
    ■ In most cases, it is recommended that you include the global catalog when you install new domain controllers.
    ■ Does any application need a GC?
    ■ Are more than 100 users using that region?
  ○ For a multi-domain forest, make all DCs global catalogs, with the following exceptions:
    ■ Limited bandwidth (like VPN)
    ■ Security implications
Office 365 Integration
AD ON EC2
• Described for AD on EC2; will work with Managed AD too.
• AD FS on a separate EC2 instance.
• Service account.
• Azure AD Connect on a separate EC2 instance.
  • AD Sync replicates AD users into Azure AD.
  • Enables users in the AWS AD to single sign on to Office 365.
AWS Managed Microsoft AD
What is Managed Microsoft AD?
AWS MANAGED MICROSOFT AD
• Windows Server 2012 R2 DCs.
• ~3-click setup, or CLI/API & CloudFormation.
• By default 2 DCs in 2 AZs, dynamically scalable to more DCs.
• PCI, HIPAA and SOC compliant.
• Two editions:
  • Standard: up to ~5,000 objects*
  • Enterprise: up to 100,000+ objects*
• Currently the same set of features, with a tendency to add more features to the Enterprise edition.
• Priced per DC per hour, minimum 2 DCs.
Shared Responsibilities
AWS MANAGED MICROSOFT AD
• AWS: backups, snapshots, patching, monitoring
• Customer: policies, trusts, federation, certificate authorities, users & groups, content
Deployment Models
AWS MANAGED MICROSOFT AD
• Primary directory in the Cloud only.
• Resource directory that includes a trust with AD (or any other directory).
Design Restrictions
AWS MANAGED MICROSOFT AD
• Single Region, multiple AZs
• Single Forest, single Domain
Prerequisites
AWS MANAGED MICROSOFT AD
• VPC with 2 AZs.
• VPC must have default hardware tenancy.
• Cannot use the 198.19.0.0/16 address space.
• VPN or Direct Connect optional.
Best Practices After Creation
AWS MANAGED MICROSOFT AD
• DHCP option set for the VPC.
• Tighten the default DC SGs.
• Create a separate Security Group to be assigned to domain member instances.
• Separate instance for AD management (tools to be installed manually).
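One way to carry out the second and third bullets (tighten the DC security group, give members their own security group), as an added example that is not from the deck or from AWS: it uses the AWS Tools for PowerShell EC2 cmdlets, assumes configured AWS credentials, and the VPC and security-group IDs are placeholders.

```powershell
# Added example (not from the deck): replace the managed DC security group's default
# ingress with rules that admit AD traffic only from (a) a new security group that
# every domain-joined instance carries and (b) the DC group itself, so the DCs can
# still replicate with each other. IDs are placeholders; requires AWS.Tools.EC2.
Import-Module AWS.Tools.EC2

$vpcId  = 'vpc-PLACEHOLDER'
$dcSgId = 'sg-DCPLACEHOLDER'   # security group Directory Service attached to the DCs

# 1. Dedicated group for domain members. It needs no inbound rules of its own; it
#    exists so the DC rules can reference it as a source instead of a CIDR.
$memberSgId = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'ad-domain-members' `
    -Description 'Attach to every domain-joined EC2 instance'

# 2. What a domain member must reach on a DC.
$dcPorts = @(
    @{ Proto = 'tcp'; From = 53;    To = 53    },   # DNS
    @{ Proto = 'udp'; From = 53;    To = 53    },
    @{ Proto = 'tcp'; From = 88;    To = 88    },   # Kerberos
    @{ Proto = 'udp'; From = 88;    To = 88    },
    @{ Proto = 'udp'; From = 123;   To = 123   },   # NTP (W32Time)
    @{ Proto = 'tcp'; From = 135;   To = 135   },   # RPC endpoint mapper
    @{ Proto = 'tcp'; From = 389;   To = 389   },   # LDAP
    @{ Proto = 'udp'; From = 389;   To = 389   },   # LDAP ping / CLDAP
    @{ Proto = 'tcp'; From = 445;   To = 445   },   # SMB (SYSVOL, group policy)
    @{ Proto = 'tcp'; From = 464;   To = 464   },   # Kerberos password change
    @{ Proto = 'udp'; From = 464;   To = 464   },
    @{ Proto = 'tcp'; From = 636;   To = 636   },   # LDAPS
    @{ Proto = 'tcp'; From = 3268;  To = 3269  },   # Global Catalog, plain and SSL
    @{ Proto = 'tcp'; From = 9389;  To = 9389  },   # AD Web Services (AD cmdlets)
    @{ Proto = 'tcp'; From = 49152; To = 65535 }    # RPC dynamic range
)

# 3. Keep a copy of the current rules, then revoke them all.
$dcSg = Get-EC2SecurityGroup -GroupId $dcSgId
$dcSg.IpPermissions | ConvertTo-Json -Depth 6 | Set-Content "$dcSgId-ingress-backup.json"
if ($dcSg.IpPermissions.Count -gt 0) {
    Revoke-EC2SecurityGroupIngress -GroupId $dcSgId -IpPermission $dcSg.IpPermissions
}

# 4. Re-add only the AD ports, sourced from the member group and from the DC group.
foreach ($p in $dcPorts) {
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = $p.Proto
    $perm.FromPort   = $p.From
    $perm.ToPort     = $p.To
    foreach ($srcSg in @($memberSgId, $dcSgId)) {
        $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
        $pair.GroupId = $srcSg
        $perm.UserIdGroupPairs.Add($pair)
    }
    Grant-EC2SecurityGroupIngress -GroupId $dcSgId -IpPermission $perm
}
# If a trust to an on-prem forest is planned, the on-prem DC subnets must be added
# as additional sources for the same ports; otherwise the trust will not come up.
```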
Management of the Microsoft AD
AWS MANAGED MICROSOFT AD
• AWS is the Domain Admin.
  • May cause issues with compliance.
• Pre-created OU with delegated permissions.
• Add users to the predefined groups (created by AWS).
  • Groups are "domain local" and not "universal".
• It is not the end of the world if the directory is marked as "Impaired". It is perfectly normal to see it like that every once in a while.
• Do an AD restore only as a last resort (because it always means a loss of data). Contact AWS Support before you do a restore.
Application Support
AWS MANAGED MICROSOFT AD
• As a primary directory
• As a resource directory
VPC and Account Considerations
AWS MANAGED MICROSOFT AD
Options for Multiple VPCs with Trusts
AWS MANAGED MICROSOFT AD
• Option 1
  + Preserves VPC boundaries
  + Billing goes to the VPC owner
  - Costs more
• Option 2
  + Saves money
  + Enables cost allocation
  - Crosses VPC boundaries
Options for Multiple Domains + VPCs with Trusts
AWS MANAGED MICROSOFT AD
• Option 3
  + Isolates environments
  + Centralized users
  + Reduces duplicate systems
  - Crosses VPC boundaries
Tips and Tricks
Things to Watch Out For
TIPS AND TRICKS
• The Default Domain Policy has a 45-day password rotation, admin password included.
• The default Security Group doesn't allow trusts to occur.
• Seamless domain join doesn't work across VPCs, but SSM does.
• Active Directory Standard cannot be built via CloudFormation; Enterprise can be.
• Conditional forwarders can be managed via the CLI.
• The only directly available logs are the security logs.
• It is possible to have multiple domains inside one VPC.
  ○ Works best in a shared services VPC design.
Automatic AD Cleanup
TIPS AND TRICKS
• Joining a domain is easy: seamless domain join, SSM documents, PowerShell, etc.
• Leaving a domain is hard.
• Having domain-joined computers in an ASG will clutter up Active Directory.
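An added cleanup script for the ASG clutter just described (not from the deck): it assumes the ASG's join step recorded the EC2 instance ID in each computer object's Description attribute, that those computers sit in their own OU, and that the AWS.Tools.EC2 and RSAT ActiveDirectory modules are available; the OU path and region are constructed values.

```powershell
# Added example (not from the deck): remove AD computer objects whose EC2 instance no
# longer exists. Assumption: the domain-join step of the ASG stored the instance ID in
# the computer object's Description attribute (instance IDs exceed the 15-character
# NetBIOS name limit, so they cannot be used as the hostname itself).
Import-Module ActiveDirectory
Import-Module AWS.Tools.EC2

$asgOu        = 'OU=AutoScaled,OU=Computers,DC=corp,DC=example'   # constructed OU
$region       = 'us-east-1'
$graceMinutes = 30     # leave very new objects alone: the join may still be in flight
$whatIf       = $true  # report only; set to $false to actually delete

# Instance IDs that still exist in any non-terminated state.
$liveIds = @{}
foreach ($reservation in (Get-EC2Instance -Region $region)) {
    foreach ($inst in $reservation.Instances) {
        if ("$($inst.State.Name)" -ne 'terminated') { $liveIds[$inst.InstanceId] = $true }
    }
}

# Computer objects in the ASG OU that reference an instance ID which is gone.
$cutoff = (Get-Date).AddMinutes(-$graceMinutes)
$stale = Get-ADComputer -SearchBase $asgOu -SearchScope Subtree -Filter * `
            -Properties Description, whenCreated |
    Where-Object {
        $_.Description -match '^i-[0-9a-f]{8,17}$' -and
        -not $liveIds.ContainsKey($_.Description) -and
        $_.whenCreated -lt $cutoff
    }

foreach ($c in $stale) {
    Write-Output ("Stale computer {0} (instance {1}, created {2})" -f
        $c.Name, $c.Description, $c.whenCreated)
    # Remove-ADObject -Recursive also removes child objects (e.g. BitLocker recovery
    # information) that would make a plain Remove-ADComputer fail.
    Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false -WhatIf:$whatIf
}
```

Run it on a schedule (for example from an SSM-managed admin instance) with the delegated permissions of the OU only, so the account can never touch computer objects outside the ASG OU.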
References
• AWS re:Invent 2017: Deep Dive on Active Directory – From One to Many AWS Regions (WIN302)
• AWS re:Invent 2017: AWS Directory Service for Microsoft Active Directory Deep Dive (WIN403)
• AWS re:Invent 2017: Deep Dive on How Capital One Automates the Delivery of Directory (SID202)
Questions?
Thank you
TriNimbus.com
Jonathan@triimbus.com
Jonathan Best
19 February 2018, TriNimbus