Active Directory (AD) provides centralized management of Microsoft Windows computers and user administration. The AD architecture is a distributed, hierarchical database of information about your IT infrastructure: users, user credentials, access rights based on group memberships, DHCP, policy management, DNS zones and records, applications and devices, and application management.
AWS has multiple AD deployment options that meet different needs and use cases. These include AWS Managed Microsoft AD, Active Directory on Amazon Elastic Compute Cloud (EC2) instances, and hybrid scenarios.
The AWS Active Directory service is an actual Microsoft Active Directory server that is managed by AWS inside the AWS cloud. Since it is a complete deployment of Active Directory running on Windows Server, you can manage all of the features and application integrations that AD supports. The service is fully managed by AWS, so you do not have to support the underlying server or manage backups, operating system updates, or application updates. AWS handles all patching and software updates and automatically replaces failed domain controllers. The managed service makes it easier to migrate AD-aware applications into the AWS cloud by providing local directory services inside AWS. AWS Managed Microsoft AD comes in Standard and Enterprise editions. The editions have different storage capacities to fit your organization's size, and the Enterprise edition also has multiregion support. In addition to user administration, the service supports access to the AWS Management Console and cloud services, joining EC2 Windows instances to AD, managing Amazon RDS databases with Windows authentication, using Amazon FSx for Windows File Server, and using federated access into productivity tools such as Amazon Chime and Amazon WorkSpaces.
AWS Managed Microsoft AD deploys a minimum of two domain controllers, each in a separate Availability Zone, for high availability. The AWS-managed domain controllers are not shared between accounts, so the complete server is allocated to your account. However, the directory can be shared with any accounts or VPCs that you specify. Multiregion replication copies your AD directory data across multiple regions, which places directory services closer to your users for reduced latency and better performance.
Event logs can be exported to CloudWatch for integration with all other AWS service monitoring operations.
The AWS Active Directory service is a shared responsibility service where AWS manages the server, including the monitoring, firmware patch updates, backups, and recovery of domain controller instances should the virtual server fail.
Your responsibility is to administer Active Directory, including the users, groups, computers, and group policies using the Microsoft or add-on tools from all Windows computers joined to the Active Directory domain.
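Because the directory's event logs can be forwarded to CloudWatch while the directory objects themselves remain your responsibility, the practical next step is to watch those logs for the changes you care about. The following is an added example, not code from the book or from AWS: it parses a small constructed batch of forwarded security events and flags two things a directory administrator would want to see, a burst of failed logons against one account and any addition to a privileged group. The compact key=value message format, the sample values, and the watchlist of group names are assumptions made for the example; the real CloudWatch export carries the full Windows event text, so the parser would need to be adapted to it. The Windows event IDs (4625, 4728, 4732, 4756) are the standard ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard Windows Security event IDs.
FAILED_LOGON = 4625
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to a global/local/universal security group

# Groups whose membership changes should always be reviewed.
# This watchlist is an assumption for the example; use the groups that matter in your directory.
PRIVILEGED_GROUPS = {"Domain Admins", "AWS Delegated Administrators"}

# Constructed sample input: (timestamp, message) pairs standing in for events read from
# the directory's security log group in CloudWatch. The key=value message form is an
# assumption; the real export carries the full Windows event description text.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01Z", 'EventID=4625 TargetUserName=alice IpAddress=203.0.113.5'),
    ("2024-05-01T10:00:09Z", 'EventID=4625 TargetUserName=alice IpAddress=203.0.113.5'),
    ("2024-05-01T10:00:17Z", 'EventID=4625 TargetUserName=alice IpAddress=203.0.113.5'),
    ("2024-05-01T10:00:40Z", 'EventID=4625 TargetUserName=bob IpAddress=198.51.100.7'),
    ("2024-05-01T10:00:45Z", 'EventID=4625 TargetUserName=alice IpAddress=203.0.113.5'),
    ("2024-05-01T10:01:02Z", 'EventID=4625 TargetUserName=alice IpAddress=203.0.113.5'),
    ("2024-05-01T10:01:20Z", 'EventID=4624 TargetUserName=alice IpAddress=203.0.113.5'),
    ("2024-05-01T10:05:00Z", 'EventID=4728 SubjectUserName=svc-helpdesk MemberName=bob TargetUserName="Domain Admins"'),
    ("2024-05-01T10:06:00Z", 'EventID=4728 SubjectUserName=svc-helpdesk MemberName=carol TargetUserName="Sales"'),
    ("2024-05-01T11:30:00Z", 'EventID=4625 TargetUserName=alice IpAddress=203.0.113.5'),
]

# key=value pairs; a value may be quoted so that group names can contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(timestamp, message):
    """Turn one (timestamp, message) pair into a dict of typed fields."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(message)}
    fields["Timestamp"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    fields["EventID"] = int(fields["EventID"])
    return fields


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {account: peak failures seen inside one sliding window} for every account
    that reaches `threshold` failed logons within `window` (a password-guessing signal)."""
    recent = defaultdict(deque)  # per-account timestamps still inside the window
    alerts = {}
    for ev in events:  # events must be in chronological order
        if ev["EventID"] != FAILED_LOGON:
            continue
        user = ev["TargetUserName"]
        q = recent[user]
        q.append(ev["Timestamp"])
        while ev["Timestamp"] - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts


def privileged_group_changes(events, watchlist=PRIVILEGED_GROUPS):
    """Return (actor, member, group) tuples for every addition to a watched group."""
    return [
        (ev["SubjectUserName"], ev["MemberName"], ev["TargetUserName"])
        for ev in events
        if ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"] in watchlist
    ]


def analyze(raw_events=SAMPLE_EVENTS):
    """Parse, sort chronologically and run both detections over a batch of events."""
    events = sorted((parse_event(ts, msg) for ts, msg in raw_events), key=lambda e: e["Timestamp"])
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "privileged_group_changes": privileged_group_changes(events),
    }


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(f"{name}: {findings}")
```

On the constructed sample, `alice` accumulates five failed logons inside two minutes and is reported, `bob` stays below the threshold, and only the addition to Domain Admins is listed; the later addition to the Sales group is ignored because that group is not on the watchlist. In practice the same two functions would run over events pulled from the log group, with the window and threshold tuned to the directory's normal logon failure rate.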
The replication service uses the native Microsoft AD replication tools. However, multiregion replication is only included in the Enterprise edition of the AWS Managed Microsoft AD service. See Table 8.1 for the differences between the Standard and Enterprise offerings.
TABLE 8.1 Standard vs. Enterprise

| Edition | Storage Capacity | Approximate # of Objects | Approximate # of Users in Domain |
| --- | --- | --- | --- |
| Standard | 1 GB | ~30,000 | Up to ~5,000 users |
| Enterprise | 17 GB | ~500,000 | Over 5,000 users |
The AWS Simple AD service is a lightweight directory service that is compatible with Active Directory. It can be used as a low-cost stand-alone alternative to a full Microsoft Active Directory deployment. Simple AD supports Samba 4 and Linux applications through LDAP directory services.
AWS also offers the Active Directory Connector (AD Connector) service, a directory gateway (proxy) that redirects directory requests originating in AWS to your existing enterprise Active Directory deployment. The connector does not cache any data in AWS, and there is no trust or synchronization requirement for your AD user accounts. The connector can be used to sign in to AWS applications, such as Chime, WorkDocs, WorkMail, or WorkSpaces, using corporate credentials stored in Active Directory.
If you choose to implement your own Active Directory service in your AWS account, there is the option of deploying Active Directory on an EC2 instance. This will not be managed by AWS, and you will be responsible for all server and Active Directory patching and maintenance.
All Active Directory services can be created and managed in the web console in the Security, Identity & Compliance section under Directory Services, as shown in Figure 8.11.
For a list of Active Directory services on AWS and feature differences, see the following resources:
https://docs.aws.amazon.com/whitepapers/latest/active-directory-domain-services/directory-services-options-in-aws.html
https://docs.aws.amazon.com/directory-service/index.html
https://aws.amazon.com/directoryservice
FIGURE 8.11 AWS Directory Service configuration screen