WIN302-Deep Dive on Active Directory From One to Many AWS Regions.pdf
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Deep Dive on Active Directory—From One to Many AWS Regions
Lou De La Torre, Solutions Architect
Vinod Madabushi, Solutions Architect
November 27, 2017
WIN302
- 2. In This Session
• The focus of this session is Active Directory Domain Services (AD DS) on Amazon Elastic Compute Cloud (Amazon EC2)
• Importance of AD DS in the cloud
• Considerations for deploying AD DS on Amazon Web Services (AWS)
• Deploying AD DS on AWS—from one to many regions
• Summary
• Resources
- 3. Active Directory
- 4. What Is Active Directory?
Active Directory comprises:
• Domain Services
• Federation Services
• Certificate Services
• Rights Management Services
• Lightweight Directory Services
- 5. What Is Active Directory Domain Services?
Active Directory Domain Services
• It is both the directory information source and the service that makes the information available and useable
• Essentially, it is a phonebook
- 6. Why AD DS Is Important
Active Directory Domain Services serves:
• Users
• Servers
• Clients
• Network devices
• Applications
- 7. Why AD DS on AWS
• Enterprise adoption of AWS is growing
• Cloud is the new normal
• Enterprises have Microsoft applications that need AD DS
• AD DS on AWS provides low latency to those applications
- 8. Partners can help Design & Migrate your AD
• We have a large ecosystem of partners: consulting and technology partners
• From large partners like Cognizant to regional partners like 2nd Watch
• Different levels of partners, including Competency
• For more info: https://aws.amazon.com/partners/consulting
- 9. Deployment Scenarios in AWS
• Global deployments
• Disaster recovery
• Enterprise applications
• Hybrid deployments
- 10. Considerations for Deploying AD DS on AWS
- 11. General Design Considerations
• The customer is responsible for patching, monitoring, backups, and high availability
• Place domain controllers in a minimum of two Availability Zones to provide high availability
• Treat Availability Zones as you would distinct data centers
- 12. Security Considerations
• Active Directory best practices still apply in AWS
• Control access to your domain controller instances
• Domain controllers should not be internet-facing
• Place domain controllers and other non-internet-facing servers in private subnets
• Use NACLs and security groups to control what ports are open in Active Directory
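As an added example (not from the deck), a small Python audit of a domain controller's placement against the two controls above, run over constructed data shaped like boto3's describe_route_tables / describe_security_groups output; the subnet IDs, security group ID and route tables are assumed sample values.

```python
"""Audit a DC's network placement: its subnet must not have an internet gateway
default route, and no AD port may be open to 0.0.0.0/0 or ::/0.
Dicts mirror boto3 describe_* output; all IDs below are constructed samples."""

# Well-known AD DS listener ports plus the RPC dynamic range (49152-65535).
AD_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}
RPC_DYNAMIC = (49152, 65535)
ANYWHERE = ("0.0.0.0/0", "::/0")


def subnet_is_public(subnet_id, route_tables):
    """True if the subnet's route table sends 0.0.0.0/0 to an internet gateway (igw-*)."""
    for rt in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            continue
        return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                   and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])
    return False


def exposed_ad_rules(sg):
    """(from_port, to_port, cidr) for ingress rules that open an AD port to the internet."""
    hits = []
    for perm in sg["IpPermissions"]:
        lo, hi = (0, 65535) if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])
        touches_ad = any(lo <= p <= hi for p in AD_PORTS) or (lo <= RPC_DYNAMIC[1] and hi >= RPC_DYNAMIC[0])
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        hits += [(lo, hi, c) for c in cidrs if touches_ad and c in ANYWHERE]
    return hits


def audit_dc(subnet_id, sg, route_tables):
    """Human-readable findings; an empty list means both controls hold."""
    findings = []
    if subnet_is_public(subnet_id, route_tables):
        findings.append(f"{subnet_id} has an internet gateway default route (DC is internet-facing)")
    for lo, hi, cidr in exposed_ad_rules(sg):
        findings.append(f"{sg['GroupId']} opens {lo}-{hi} to {cidr}")
    return findings


# Constructed sample: the DC sits in a private subnet (NAT default route), but one
# security group rule exposes LDAP (389/tcp) to the whole internet.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-dc-private"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"Associations": [{"SubnetId": "subnet-rdg-public"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]
DC_SG = {"GroupId": "sg-dc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}
```

Calling `audit_dc("subnet-dc-private", DC_SG, ROUTE_TABLES)` on the sample reports only the LDAP rule; point the same functions at live describe_* output to check real DCs.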
- 13. Networking Considerations
• Replication topology
• Understand your connectivity options
• Needs for hybrid connectivity
• AWS Direct Connect/VPN/disconnected
• When peering multiple VPCs, it's sufficient to deploy DCs in a single VPC. Application servers in other VPCs can access the AD over VPC peering.
- 14. IP Address and DNS Considerations
• Reserved private IP addresses are assigned
• It's common practice to define separate subnets just for AD or use common services subnets to deploy DCs
• Configure network properties with name and IP address of the server that hosts the DC and DNS server roles
• Use a DHCP options set to configure instances in the VPC to point to the specified domain and DNS servers to resolve their domain names
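As an added example (not from the deck), a Python helper that builds the DHCP options set described above and checks that every DNS server it hands out is a DC address inside a CIDR you actually own (this VPC, or a peered/remote-region VPC); the domain name, CIDRs and addresses are constructed sample values, and the boto3 calls named in the comment are the standard EC2 API.

```python
from ipaddress import ip_address, ip_network

# An AWS DHCP options set accepts up to four domain-name-servers values.
MAX_DNS_SERVERS = 4


def build_dhcp_options(domain_name, dc_ips, allowed_cidrs):
    """Return the DhcpConfigurations list for ec2.create_dhcp_options().

    dc_ips is ordered: list the DCs local to this VPC/region first so instances
    prefer them, then DCs in peered or remote-region VPCs as fallback.
    Every address must be private and fall inside one of allowed_cidrs, so a
    typo cannot silently point the whole VPC at a resolver you do not control.
    """
    if not 1 <= len(dc_ips) <= MAX_DNS_SERVERS:
        raise ValueError(f"need 1..{MAX_DNS_SERVERS} DNS servers, got {len(dc_ips)}")
    networks = [ip_network(c) for c in allowed_cidrs]
    for ip in dc_ips:
        addr = ip_address(ip)
        if not addr.is_private or not any(addr in n for n in networks):
            raise ValueError(f"{ip} is not a private address inside {allowed_cidrs}")
    return [
        {"Key": "domain-name", "Values": [domain_name]},
        {"Key": "domain-name-servers", "Values": list(dc_ips)},
    ]


if __name__ == "__main__":
    # Constructed sample: us-east-2 VPC 10.0.0.0/16 with DC1/DC2, peered to the
    # eu-west-2 VPC 10.1.0.0/16 whose DC3 serves as a fallback resolver.
    config = build_dhcp_options(
        "corp.example.com",
        ["10.0.1.10", "10.0.2.10", "10.1.1.10"],
        ["10.0.0.0/16", "10.1.0.0/16"],
    )
    print(config)
    # To apply (needs credentials and a real VPC id):
    #   ec2 = boto3.client("ec2", region_name="us-east-2")
    #   opts = ec2.create_dhcp_options(DhcpConfigurations=config)["DhcpOptions"]
    #   ec2.associate_dhcp_options(DhcpOptionsId=opts["DhcpOptionsId"], VpcId="vpc-...")
```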
- 15. Multi-Region DC Considerations
• Deploy domain controllers in both regions using multiple Availability Zones
• It's recommended to connect both regions to your data center to reduce AD replication latency
• Use IPSec VPN tunnels between VPCs in different regions or transit VPCs
• Consider using AWS or your data center as the backbone
- 16. AD DS Configuration Considerations
• Deploy a separate forest without any trusts
  • Connectivity between regions should be established for AD replication
• Deploy a new forest with federation
• Deploy a new forest with Windows Server Active Directory forest trust for Kerberos
• Extend corp forest by deploying a replica DC
• Extend corp forest by deploying a new child domain or domain tree
- 17. Global Catalog Considerations
• For a single-domain forest, make all DCs GCs
• For a multi-domain forest, make all DCs GCs with the following exceptions
  • Limited bandwidth
  • Infrastructure operations master role incompatibility
- 18. DC Installation Considerations
• Deploy Amazon EC2 for Windows and install AD DS using Windows PowerShell or DcPromo
• Use VM Import to import a hardened on-premises image
• Use Quick Start for automated deployments
  • http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/welcome.html
- 19. AD Backup and Recovery Considerations
• Do not use snapshots for AD DS backups
  • Not crash consistent
  • VM ID not supported in Amazon EC2
• Use Windows System State backups
  • Create a dedicated EBS volume for system state backups
  • Snapshot system state backups to Amazon S3/Amazon Glacier for long-term retention
- 20. Office 365 Integration Considerations
• Active Directory on Amazon EC2
• AD FS
• Active Directory Sync
• Active Directory service account
• Microsoft Azure AD Connect
Diagram: AD on EC2 inside a VPC, with AD FS and AD Sync, connecting to Azure AD and Office 365.
- 21. AD DS on AWS Deployment Options
- 22. Single Region/Single VPC
Diagram: one AWS Region with one VPC; domain controller(s) in a private subnet in Availability Zone A and in a private subnet in Availability Zone B; a Virtual Private Gateway connects the VPC to the customer network.
- 23. Single Region/Multiple VPCs
Diagram: one AWS Region; the first VPC holds domain controller(s) in private subnets in Availability Zones A and B and a VPG to the customer network; additional VPCs are connected to it by VPC peering, each with its own VPG and optional DC(s) in their Availability Zones.
- 24. Multiple Regions/Single VPC
Diagram: AWS Region 1 with a VPC holding DC(s) in private subnets in Availability Zones A and B, and AWS Region 2 with a VPC laid out the same way; each VPC has a VPG to the customer network, and the two VPCs are linked by inter-region connectivity.
- 25. Global Reference Architecture
Diagram: NA HQ, a branch, and EU HQ joined over a provider MPLS network; Dallas DX into us-east-1, Seattle DX into us-west-2, and eu-west-2 serving the EU side.
- 26. Demo
- 27. DEMO – MULTI REGION Active Directory
Diagram: US-EAST-2 (OHIO) VPC with DC1 and DC2 in private subnets 1 and 2, and a VPN device, RDG, NAT gateway and IGW in public subnets 1 and 2; EU-WEST-2 (LONDON) VPC with DC3 and DC4 in private subnets 1 and 2, and a VPN device, RDG, NAT gateway and IGW in public subnets 1 and 2; an inter-region VPN links the two VPCs.
- 28. Summary
• AD DS in AWS is required to support Windows workloads
• AD DS best practices still apply in the cloud
• Leverage AWS features and capabilities to more efficiently support your AD DS deployments in AWS
• AWS Solutions and Quick Starts to quickly deploy a global AD DS environment
• AWS is the best platform to host AD DS
- 29. References
AWS Solutions Transit VPC: https://aws.amazon.com/answers/networking/aws-global-transit-network/
AWS AD DS Quick Start: https://aws.amazon.com/quickstart/architecture/active-directory-ds/
- 30. Related Sessions
• WIN403 – AWS Directory Service for Microsoft Active Directory Deep Dive
• WIN304 – How to Bring Microsoft Apps to AWS to Unlock Your Budget
• WIN306 – Design, Deploy, and Optimize Microsoft SQL Server on AWS
• WIN309 – How to Optimize AWS Architectures for SharePoint Deployments
• WIN314 – Strategies for Migrating Microsoft SQL Databases to AWS
- 31. Thank you!