This document provides an overview and comparison of options for using Active Directory with AWS workloads. It discusses deploying Active Directory on EC2 instances managed by the customer, using AWS Managed Microsoft Active Directory (AMAD), or connecting to an on-premises Active Directory. AMAD provides a fully managed solution and easier integration with AWS services, while an on-premises solution requires opening ports and managing availability but provides full control. The document provides guidance on choosing an appropriate solution based on factors like management needs, application requirements, and network connectivity.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Best Practices for Active Directory with
AWS Workloads
Michael Cotton
Senior Solutions Architect
June 13, 2017

2. What to expect from the session
• Active Directory in the cloud
• How Active Directory is used – why Active Directory is important in the
cloud
• Deployment options – supporting Windows workloads in the cloud
• How to choose – considerations for selection
• Trusts

3. AWS Active Directory options
• Simple Active Directory
• Microsoft Active Directory Compatible Directory is powered by
Samba 4 and supports common Active Directory features.
• When to use: when there are 5,000 or fewer users and you don’t
need the more advanced Microsoft Active Directory features.
• AWS managed Microsoft Active Directory
• Enterprise Edition.
• When to use: when there are 5,000 users and you need a trust
relationship set up between an AWS hosted directory and your on-
premises directories.

4. Why Active Directory is important in the cloud
Migration path
Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017

5. How Active Directory authentication works across the
spectrum
App
DB
App
User AuthN/Group membership/Login scripts Kerberos AuthN
Federated AuthN
(SAML) Kerberos
AuthZ
Domain join/Machine AuthN/GPO/LDAP

6. Amazon EC2
Amazon
DynamoDB
Amazon
WorkSpaces
Amazon EC2
What if you migrate these parts to AWS?
App
User AuthN/Group membership/Login scripts Kerberos AuthN
Federated AuthN
(SAML) Kerberos
AuthZ
Domain join/Machine AuthN/GPO/LDAP
?RDS for
SQL Server

7. Deployment options – Supporting Windows
workloads in the cloud

8. Active Directory options – On-premises
• Create a VPN or AWS Direct
Connect link to your VPC.
• Manually join EC2 instances
to the on-premises domain.
• Use VPC as an extension of
your network.
• Security considerations
• Latency considerations?
On-premises
Windows Server
domain controller
AD
You manage
1
DC – Active Directory Domain Controller
VPC – Amazon Virtual Private Cloud
Endpoint – Accessed via IP address in your VPC

9. Active Directory options – EC2 self-managed
Your responsibilities
• Availability deployment strategy
• EC2 domain controller configuration
• DNS configuration
• Sites and Services configuration
• Monitoring
• Domain controller recovery
• Backup
• Restore
• Security group configuration
• EC2 domain joining
• Patch Tuesday management
AWS Directory Service is required for AWS enterprise applications and services
to authenticate to your self-managed Active Directory.
On-premises
Windows Server
domain controller
AD
You manage
1
VPC
EC2 for Windows
Server domain
controller
AD
You manage
2

10. AD
Active Directory options – AWS manages
On-premises
Windows Server
DC
AD
You manage
1
VPC
EC2 for Windows
Server DC
AD
You manage
2
VPC endpoint
AMAD
AWS manages
3
AWS Directory Service
for Microsoft Active Directory
(Enterprise Edition)
a.k.a. “AMAD”
DC – Active Directory Domain Controller
VPC – Amazon Virtual Private Cloud
Endpoint – Accessed via IP address in your VPC
AWS Directory Service is required for AWS enterprise applications and services
to authenticate to your self-managed Active Directory.

11. AD
Active Directory options – AWS Microsoft
Active Directory
• Windows Server 2012 R2 domain controllers
• ~3-click setup
• 2 DCs each in a different Availability Zone (AZ)
• Standalone or connected to your Active
Directory with trusts
• AWS apps and services integration
• EC2 seamless domain join
• RDS for SQL Server authentication, authorization
• Amazon WorkSpaces, Amazon QuickSight
Enterprise Edition, Amazon Chime Plus/Pro
provisioning, and authentication
VPC endpoint
AMAD
AWS Directory Service
for Microsoft Active Directory
(Enterprise Edition)
a.k.a. “AMAD”
AWS Directory Service is required for AWS enterprise applications and services
to authenticate to your self-managed Active Directory.

12. Active Directory options – AWS Microsoft
Active Directory
Some constraints
• AWS is domain admin.
• You get an OU and delegated
admin over the OU.
• AWS apps/services/EC21 must
be in the same VPC.
• Conservative delegated permissions2 to your OU
admin account:
• Application enablement limits some apps.
• Some admin functions are not available.
Amazon responsibilities - operate
• Multi-AZ deploy, patch, monitor,
domain controller recovery, snapshot, and restore.
Your responsibilities - administer
• Administration through Active Directory Users and
Computers (ADUC) and other standard Active Directory
tools.
• Administer users, groups, GPOs, other Active Directory
content.
AD
VPC endpoint
AMAD
AWS Directory Service
for Microsoft Active Directory
(Enterprise Edition)
a.k.a. “AMAD”
1EC2

13. Active Directory options – Connecting Active Directory
in the cloud to on-premises Active Directory
1
Replication
Your DCs only
On-premises
Windows Server
DC
AD
VPC
EC2 for Windows
Server DC
AD
On-premises
Windows Server
DC
AD
VPC
EC2 for Windows
Server DC
AD2
1-way trust
2-way trust
Your DCs or
AMAD
On-premises
Windows Server
DC
AD
VPC
EC2 for Windows
Server DC
AD3
Sync users Depends
(third-party sync)

14. Application
Availability Zone
Private Subnet
10.0.2.0/24
SQL
Server
Application
Server
IIS
Server
Availability Zone
Private Subnet
10.0.3.0/24
SQL
Server
Application
Server
IIS
Server
Remote
Users/Admins
Domain
Controllers
Corporate Data Center
DBAPPWEB
DBAPPWEB
Auth/
LDAP
Auth/
LDAP
VPN
Direct
Connect
Example:
On-premises Active
Directory
AD

15. Availability Zone
Private Subnet
10.0.2.0/24
DBAPPWEB
SQL
Server
Application
Server
IIS
Server
Availability Zone
Private Subnet
10.0.3.0/24
DBAPPWEB
SQL
Server
Application
Server
IIS
Server
Remote
Users/Admins
Domain
Controllers
Corporate Data Center
Example: Active
Directory on EC2 with
replication, Active
Directory trust, or sync
Domain
Controller
Domain
Controller
Trust or Replication
Auth/
LDAP
Auth/
LDAP
Application
Auth/
LDAP
VPN
Direct
Connect
AD
EC2
AD
EC2
AD

16. Auth/
LDAP
Auth/
LDAP
DB
RDS for
SQL Server
Availability Zone
Private Subnet
10.0.2.0/24
APPWEB
Application
Server
IIS
Server
Availability Zone
Private Subnet
10.0.3.0/24
APPWEB
Application
Server
IIS
Server
Remote
Users/Admins
Domain
Controllers
Corporate Data Center
Example:
AMAD with Active Directory
trust to on-premises
DB
RDS
SQL Server
AWS Managed Services
AWS Managed Services
Domain
Controller
DC
Domain
Controller
Trust
Application
Auth/
LDAP
VPN
Direct
Connect
AD
AMAD
AMAD

17. Considerations for AWS apps/services and many VPCs
• AMAD with a trust is required to use on-premises Active Directory
credentials*.
• Technical and security issues
• Amazon WorkSpaces and RDS for SQL must be in the same VPC as
AMAD.
• Option 1 – least cost, fewest trusts
• Deploy AMAD in one VPC.
• Deploy all RDS for SQL/WorkSpaces instances in same VPC.
• Use tagging for internal billing.
• Option 2 – Easiest billing, complex trust configuration, high cost
• Deploy AMAD in each VPC.
• Deploy RDS for SQL/WorkSpaces instance(s) in each VPC.
• Amazon QuickSight Enterprise Edition must be in the same account as
AMAD.
*1-way trust for RDS for SQL Server, 2-way trust for Amazon WorkSpaces and Amazon Chime Plus/Pro

18. How to choose – Considerations for selection

19. Deployment differences
AMAD
EC2 Active
Directory Instances
On-Premises Active
Directory
Operation
management
+AWS managed
in the cloud
-Customer managed
in the cloud
-Customer managed
own hardware
Availability
+Built-in redundancy
and replication
-Customer must design
for high availability
-Customer must design
for high availability
Networking
Trust1 ports from cloud
to on-premises
(least exposed)
Trust1 or replication2
ports from cloud to
on-premises Active
Directory
-Open ports to support
cloud to on-premises
Active Directory3
(most exposed)
Admin control
Designated OU control;
some apps unsupported
+Full control +Full control
1 If you use trust to on-premises, open ports from domain controllers to on-premises domain controllers are needed.
2 Active Directory replication requires more open ports than forest trusts, but is limited to DC-to-DC communications.
3 Ports for domain joining, Active Directory interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access.

20. How to select an Active Directory option
AMAD
EC2 Active Directory
Instances
On-Premises Active
Directory
• Minimize cost, effort to run
Active Directory
• RDS for SQL Server1
• AWS Enterprise Applications1
• Windows workloads on EC22
• Require a replicated, multi-
region Active Directory solution
• Need NetBIOS name resolution
support
• Require permissions not yet
delegated by AWS Microsoft
Active Directory3
• For example, Exchange,
SharePoint, SQL Server
AlwaysOn Availability Groups
• Requires access to Active
Directory for minimal EC2
instances
• Latency to Active Directory over
an on-premises link acceptable
• Comfortable with connectivity
availability to on-premises Active
Directory
1RDS for SQL, Amazon WorkSpaces, Amazon QuickSight, and Amazon Chime require trusts only if users are on-premises via trust.
2This is subject to delegation constraints (for example, managed service account creation).
3AWS is adding more delegations and application enablement over time.

21. Forest trusts
• The trusting forest has no admin
control over the trusted forest.
• Trusted users have cloud resource
access only if they’re entitled by
trusting admins (you control both
sides).
• Resources in the cloud have no
access to on-premises resources
without entitlement and trust from on-
premises to the cloud.
AD AD
On-premises
network
VPC
Trust
AMAD domain
controller
Windows Server
Active Directory
domain controller
Access
Security group
(access entitlements here)
Security group
Trusting Trusted
Cloud On-premises

22. Securing trusts
• Leave SID filtering on when you set up the on-premises side of a trust.
• Turn on selective authentication on the on-premises side of a trust.
• https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
• Only permit Active Directory trust ports to the domain controllers in the
cloud.
• https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
• For cloud-client-to-Active Directory, only permit Active Directory
authentication ports to on-premises Active Directory. Minimize all other ports
from cloud to on-premises
(for example, Amazon WorkSpaces login using on-premises credentials).
• https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
• Don’t grant groups in the cloud access to on-premises resources.
• Kerberos Forest Search Order:
• https://technet.microsoft.com/en-us/library/configure-kerberos-forest-search-order-kfso(v=ws.10).aspx

23. Coming soon to AWS Microsoft Active Directory
• Payment Card Industry (PCI) certification
• More than two domain controllers per AWS managed
Active Directory
• Region-wide access across all your VPCs and accounts
• LDAPS support:
• To on-premises Active Directory
• To AWS managed Active Directory

24. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!