Reviewing AWS Directory Service – Determining an Authentication and Access Control Strategy for Complex Organizations – SAP-C02 Study Guide

Reviewing AWS Directory Service

AWS Directory Service offers several choices for organizations to deploy existing applications on AWS that rely on Microsoft AD or Lightweight Directory Access Protocol (LDAP). This is the native AWS service to use when you need a directory to manage users, groups, devices, and access.

AWS Directory Service offers the following options for using Microsoft AD with AWS services:

  • Simple AD: A small-scale, low-cost directory with basic Microsoft AD compatibility
  • AD Connector: A proxy service that connects to an existing on-premises Microsoft AD
  • Managed Microsoft AD: A full Microsoft AD environment managed by AWS

The following sections discuss the main differences between these three options and when to choose one over the others.

Simple AD

Simple AD is a Microsoft AD-compatible directory that provides basic AD features such as managing user accounts, group memberships, and group policies, joining a (Linux or Windows) EC2 instance to your directory, and Kerberos-based SSO.

Simple AD is a standalone directory running on AWS to create and manage user identities and control access to applications. It is compatible with various applications and tools that only require basic AD features. For example, Simple AD supports Amazon WorkSpaces and Amazon QuickSight, among others. You can also use it to log in to the AWS Management Console.

Limitations

Simple AD does not support MFA, trust relationships with other domains, or many other advanced AD features. It is not compatible with Amazon RDS for SQL Server, and it can only serve applications or services running on AWS.

When to Use It

Use Simple AD when you need to support Windows workloads that require only basic AD features, work with compatible AWS applications, or provide an LDAP service to Linux workloads.

AD Connector

AD Connector is a scalable proxy service that forwards requests to your on-premises AD. It offers an easy way to connect compatible AWS applications—for instance, Amazon WorkSpaces, Amazon QuickSight, or Amazon EC2 instances running Microsoft Windows Server—to your existing on-premises Microsoft AD. It does not require you to synchronize your directory and does not add extra cost or complexity—there’s no need, for instance, to set up a federation infrastructure.

AD Connector supports numerous AWS applications and services, such as Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, and Amazon Connect. It also lets you seamlessly join your EC2 Windows instances to your on-premises AD domain. Users can also use it to sign in to the AWS Management Console and manage AWS resources with their existing AD credentials.

AD Connector does not cache any information on AWS, which has both benefits (your users’ information is never stored on AWS) and drawbacks (every sign-in request is forwarded to your on-premises directory, so authentication depends on the connectivity to it).

There is a one-to-one relationship between AD Connectors and your AD domains: each on-premises domain requires its own AD Connector before it can be used for authentication.