AWS Directory Services: Active Directory in Amazon's cloud - Thu, Dec 24 2020
AWS Managed Microsoft AD
AWS Directory Service is a managed offering, so it is designed to take routine management tasks off the administrator. Domain controllers run on Windows Server 2012 R2 and are deployed across multiple Availability Zones for redundancy; AWS monitors the DCs and replaces one automatically should it fail.
To manage your directory from an EC2 instance, use the Remote Server Administration Tools (RSAT) just as you would against an on-premises Active Directory; no additional tools are required. Because it is a managed service, AWS withholds some of the access you may be used to: you cannot run PowerShell directly against the domain controllers, and the directory objects, roles, and groups you can manage are limited to those that do not require elevated privileges (membership of Domain Admins and Enterprise Admins stays under AWS's control).
Direct access to the domain controllers via Telnet, Secure Shell (SSH), or Remote Desktop is likewise not permitted; everyday administration is done through RSAT instead. When you create an AWS Managed Microsoft AD directory, AWS provisions an organizational unit (OU) for you together with an administrative account that has delegated administrative rights over that OU, and that OU is the scope you work within.
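The delegation model above is worth verifying rather than taking on trust. The script below is an added example, not code from the original article or from AWS: run from a domain-joined EC2 instance with the RSAT ActiveDirectory module installed, it shows where the administrative account lives, proves it is not a member of the built-in high-privilege groups, and lists the access control entries on its OU that actually grant it rights. The directory DNS name and the account name are assumptions; substitute your own.

```powershell
# Added example (not from the original article). Assumes: the instance is joined
# to the directory, RSAT is installed, and the values below match your directory.
Import-Module ActiveDirectory

$DomainDns = 'corp.example.com'   # assumed directory DNS name
$AdminName = 'Admin'              # assumed delegated administrative account

$domain = Get-ADDomain -Server $DomainDns
"Domain: $($domain.DNSRoot)  NetBIOS: $($domain.NetBIOSName)  Mode: $($domain.DomainMode)"

# 1. Where does the delegated admin account live? It should sit inside the OU
#    AWS handed to you, not in the domain's default Users container.
$admin = Get-ADUser -Identity $AdminName -Server $DomainDns -Properties MemberOf
"Admin DN: $($admin.DistinguishedName)"
# Parent container = everything after the first RDN (fine unless the CN itself
# contains an escaped comma).
$ouDn = ($admin.DistinguishedName -split ',', 2)[1]

# 2. Prove the account is NOT a built-in high-privilege principal.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Server $DomainDns -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName
    $state = if ($members -contains $admin.SamAccountName) { 'MEMBER (unexpected)' } else { 'not a member' }
    '{0,-18} {1}' -f $g, $state
}

# 3. Show what the account does have: Allow ACEs on its OU granted to the
#    account itself or to any group it belongs to (delegated control, not
#    domain-wide administration).
$groupNames = $admin.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_ -Server $DomainDns).Name }
$identities = @($admin.SamAccountName) + @($groupNames)
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($identities -contains ($_.IdentityReference.Value -split '\\')[-1])
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize
```

If step 2 ever reports the delegated account as a member of Domain Admins or Enterprise Admins, that is worth a support case; by design the managed service keeps those groups for itself.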
The features that you would associate with a standard on-premises AD, such as managing users and groups, single sign-on, and creating and applying group policy, are all available in this AWS offering.
To reach AWS Managed Microsoft AD from the console, find Directory Service under Security, Identity, & Compliance.
Once on the Directory Service landing page, click Set up directory to get started. The first screen asks you to choose a directory type.
Let's take a look at these options and when we might use them.
AWS Managed Microsoft AD runs as a managed service. Choosing this directory type creates two domain controllers attached to your VPC, each in a different Availability Zone, which is what makes the pair highly available. You choose the region in which they are built. Because it is a managed service, AWS handles the following for you:
- Host monitoring and recovery
- Data replication
- Software updates
AWS keeps the software on your domain controllers current and rolls in additional functionality as it becomes available.
As mentioned earlier, AWS requires at least two domain controllers, each in a different Availability Zone, and patches them one at a time: the DC being patched is unavailable while the other keeps serving, and the next DC is not touched until the first is back in service. If a DC is temporarily out of service, AWS postpones patching until you again have at least two operational DCs.
A particularly attractive feature of this directory type is the ability to configure a trust relationship between AWS Managed Microsoft AD and your existing on-premises Microsoft Active Directory, so that users and groups can access resources in either domain with single sign-on (SSO).
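A trust widens the blast radius of either forest, so once it exists it should be audited. The script below is an added example, not code from the original article or from AWS: run on an on-premises domain controller or an RSAT workstation in the on-premises domain, it lists every trust, flags the settings a reviewer would question (two-way direction, SID filtering off, forest-wide rather than selective authentication, RC4-only Kerberos), and then checks that the AWS side is reachable on the ports a trust needs. Both DNS names are assumptions.

```powershell
# Added example (not from the original article). Assumes: RSAT ActiveDirectory
# module, a DNS conditional forwarder for the AWS directory, and these names.
Import-Module ActiveDirectory

$OnPremDns = 'onprem.example.com'   # assumed on-premises forest root
$AwsDns    = 'corp.example.com'     # assumed AWS Managed Microsoft AD DNS name

$trusts = Get-ADTrust -Filter * -Server $OnPremDns
if (-not $trusts) { throw "No trusts found on $OnPremDns" }

foreach ($t in $trusts) {
    $findings = @()
    # Direction is relative to the domain queried: Inbound = the target's users
    # are trusted here, Outbound = our users are trusted there, BiDirectional = both.
    # Keep it one-way when only one side needs to reach the other.
    if ($t.Direction -eq 'BiDirectional') { $findings += 'two-way trust: confirm both directions are needed' }
    # SID filtering (quarantine) blocks SID-history injection across the trust.
    if (-not $t.IntraForest -and -not $t.SIDFilteringQuarantined) { $findings += 'SID filtering disabled' }
    # Selective authentication limits which resources trusted users may touch.
    if (-not $t.SelectiveAuthentication) { $findings += 'forest-wide authentication (selective auth off)' }
    # Cross-trust Kerberos should use AES, not RC4 only.
    if ($t.UsesRC4Encryption -and -not $t.UsesAESKeys) { $findings += 'RC4-only Kerberos' }

    [pscustomobject]@{
        Target        = $t.Target
        Type          = $t.TrustType
        Direction     = $t.Direction
        Transitive    = $t.ForestTransitive
        SelectiveAuth = $t.SelectiveAuthentication
        SIDFiltering  = $t.SIDFilteringQuarantined
        Findings      = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

# Confirm the AWS domain controllers answer across the link: the SRV lookup
# needs the conditional forwarder, and Kerberos (88), LDAP (389) and SMB (445)
# must be open from on-premises to the directory's VPC.
$awsDc = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AwsDns" -Type SRV -ErrorAction Stop).NameTarget |
         Select-Object -First 1
foreach ($port in 88, 389, 445) {
    $ok = (Test-NetConnection -ComputerName $awsDc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0}:{1,-4} {2}' -f $awsDc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}
```

Run it from the AWS side too (with the names swapped) if you have a management instance there; the direction and filtering flags are recorded independently on each end of the trust.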
Simple Active Directory
Simple Active Directory (Simple AD) is a standalone managed directory that comes in two sizes, small and large. Small supports up to 500 users and up to 2,000 objects (users, groups, and computers combined); large supports up to 5,000 users and around 20,000 objects.
Simple AD is powered by Samba 4, which can act as an Active Directory domain controller and participate fully in a Windows Active Directory domain. Because it is a basic standalone directory, domain trusts are not supported, so you cannot connect it to an on-premises AD. Simple AD is still a convenient way to manage EC2 instances, including Linux instances that need LDAP.
AD Connector
AD Connector is a directory gateway: it redirects directory requests to your on-premises Active Directory rather than storing anything in AWS. The benefit is that it removes the need for directory synchronization, and with it the cost and complexity of hosting a federation infrastructure, while a single system, your on-premises AD, remains responsible for authenticating users.
Like Simple AD, AD Connector comes in two sizes: small, for organizations with up to 500 users, and large, for up to 5,000 users. When a user signs in to an AWS application, AD Connector forwards the sign-in request to your on-premises domain controllers, so no credentials are cached in the cloud. AD Connector also supports RADIUS-based MFA, which Simple AD does not, and you can join EC2 instances to your on-premises Active Directory through it.
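Joining an EC2 instance is the step all three directory types have in common, and it is where most failures happen (wrong DNS, blocked ports, wrong OU). The script below is an added example, not code from the original article or from AWS; it performs a manual join from an elevated PowerShell session on a Windows instance and checks each prerequisite before it changes anything. It works the same for AWS Managed Microsoft AD, Simple AD and AD Connector, because all three publish a directory DNS name and two DNS server addresses. Every value below is an assumption; take the real ones from the directory's details page in the console.

```powershell
# Added example (not from the original article). Assumes: elevated session on
# a Windows EC2 instance in a subnet that can reach the directory, and the
# placeholder values below replaced with your directory's real settings.
$DirectoryDns = 'corp.example.com'                              # assumed directory DNS name
$DnsServers   = '10.0.0.10', '10.0.1.10'                        # assumed directory DNS addresses
$JoinUser     = "$DirectoryDns\Admin"                           # assumed account with join rights
$OuPath       = 'OU=Computers,OU=corp,DC=corp,DC=example,DC=com' # assumed OU you control

# 1. Point the instance at the directory's DNS servers; without this the
#    domain's SRV records cannot be found and the join fails immediately.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DnsServers

# 2. Prove name resolution works before touching the join.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DirectoryDns" -Type SRV -ErrorAction Stop
'Domain controllers advertised by DNS: ' + (($srv.NameTarget | Sort-Object -Unique) -join ', ')

# 3. Confirm the security groups / NACLs allow the ports a join needs:
#    DNS (53), Kerberos (88), RPC endpoint mapper (135), LDAP (389),
#    SMB (445) and Kerberos password change (464).
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $r = Test-NetConnection -ComputerName $DirectoryDns -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        throw "TCP $port to $DirectoryDns is blocked; fix the security group or NACL before joining"
    }
}

# 4. Join into an OU you control. Pass -OUPath explicitly rather than relying
#    on the domain's default computer container; in AWS Managed Microsoft AD
#    your rights are delegated to your own OU, not to the default containers.
$cred = Get-Credential -UserName $JoinUser -Message 'Directory join credentials'
Add-Computer -DomainName $DirectoryDns -Credential $cred -OUPath $OuPath -Force -Restart
```

With Simple AD the -OUPath parameter is optional, and with AD Connector the computer object is created in your on-premises AD, so the OU must exist there. AWS can also perform the join automatically at launch; the manual path is shown because it makes visible what has to be true (DNS, ports, OU, credentials) for any join to succeed.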
Cloud Directory
AWS also offers Amazon Cloud Directory, a directory-based store that gives developers a building block for their own solutions. Because it is fully managed, developers do not need to worry about deployment, global scale, availability, or performance.
Cloud Directory supports multiple hierarchies with hundreds of millions of objects and is optimized for fast lookups. Data is encrypted at rest and in transit. Note that Cloud Directory is not an Active Directory or LDAP-compatible directory; applications reach it through its own API, so it is not an option for domain-joining instances.
If you plan to retire your on-premises Active Directory and move fully to AWS, be aware that no migration tool is provided; you will need to plan for and account for all existing policies and configuration during the migration.
AWS charges only for the type and size of the managed directory you use; AWS Managed Microsoft AD comes in Standard and Enterprise editions. There is no term commitment, so you can delete a managed directory at any time. For further information, refer to the AWS documentation.
AWS offers several ways to run or connect to a directory service. Many will be drawn to the fact that so many AWS services can integrate with an on-premises Active Directory infrastructure. Having a fully managed service handle the patching and protection of domain controllers in the cloud brings peace of mind, and, as we saw with Simple AD and AD Connector, there are midrange options that offer a subset of the features at lower cost. Integrating cloud services with an existing on-premises Active Directory is one more reason to look to the cloud.