Active Directory on AWS
This blog post focuses on AWS Directory Service and gives general background on it.
"AWS Directory Service for Microsoft Active Directory, also known as AWS Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud."
Most companies use Active Directory, and some of them use an LDAP server, for identity management, and they typically run their directory platform on-premises.
Even when the infrastructure is fully hosted in the cloud, one or more Windows Servers are configured as Domain Controllers in a forest, and major services like email, databases or antivirus use those directories for authentication and group policies.
AWS Directory Service is one of the AWS managed services. It provides a fully managed, highly available directory service for customers who require Microsoft Active Directory in the cloud but don't want the overhead of managing their own Active Directory environment.
When starting with AWS Directory Service there are a few directory types and options to choose from.
AWS Directory Service Options and Types
AWS Directory Service provides three different directory types, which are each built for specific workloads.
- AD Connector, which uses your existing on-premises Microsoft Active Directory environment to give access to AWS applications and services like WorkSpaces, Docs and Mail. AD Connector proxies Kerberos and LDAP requests from these applications to your on-premises directory to authenticate users. AD Connector also allows your EC2 instances to seamlessly join your existing domain.
- Simple AD, which is based on Samba 4, is hosted on the AWS Cloud and provides commonly used Active Directory features such as user accounts, group memberships, domain-joining EC2 instances running Linux and Microsoft Windows, Kerberos-based SSO and group policies.
- Microsoft AD, which is AWS Directory Service for Microsoft Active Directory (Enterprise Edition) hosted on the AWS Cloud. AWS Microsoft AD includes most Active Directory features, including support for multi-directional trusts, group-based policy administration, SSO and seamless domain join for your EC2 instances running in the cloud.
AWS Directory Service Benefits
Both Simple AD and AD Connector offer some great benefits:
- Automatic Fault Tolerance: With Simple AD, AWS will automatically create a Backup Domain Controller in a secondary AZ. In fact, it's a requirement for the VPC of the Simple AD to have at least two subnets in two different AZs.
- Automated Backup: AWS will automatically create a snapshot of the directory once every day. You can create your own snapshots too. Unfortunately, unlike RDS or EC2 snapshots, AWS Simple AD allows only five days' worth of backups.
- Simple Security Group Configuration: For AWS-hosted Active Directories to communicate with the rest of the network, a number of ports have to be enabled. Remembering to open up all these ports can be a difficult matter for the network administrator. AWS Directory Service takes away that headache by creating and assigning Security Groups with custom rules. This allows finer-grained control of your network.
- Domain Joining Made Easy: It's easy to add new Windows EC2 instances to Simple AD, either when the instance is created or afterwards.
- Catering for Windows and Linux: Simple AD is based on Samba 4, which means it can be used to authenticate both Windows and Linux servers.
- Integration with other AWS Applications: AWS offers a number of applications for corporate office workloads. These include WorkSpaces for the virtual desktop fleet, Docs for document management and sharing, and Mail for low-cost e-mail infrastructure.
- Single Sign-on for Console Users: With Directory Service, IT staff can access the AWS console with single sign-on. The current method of using IAM users, roles and policies requires each individual admin to have their own set of credentials. Directory Service can integrate with IAM roles, so once domain users authenticate with the AD, they can access the console seamlessly.
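As an added example (not part of the original post), the two points above about multi-AZ placement and the directory's Security Group can be checked against the responses of boto3's ds.describe_directories() and ec2.describe_security_groups(). The inputs below are constructed inline in those response shapes, and the directory, VPC, subnet and group ids are placeholders.

```python
# Added example (not from the original post): offline checks for two Simple AD
# properties described above. The dicts are constructed here in the shape that
# ds.describe_directories() and ec2.describe_security_groups() return; in
# practice you would pass those API responses in.

# Constructed sample: one Simple AD with two subnets in two different AZs.
DIRECTORY = {
    "DirectoryId": "d-EXAMPLE0001",           # placeholder id
    "Type": "SimpleAD",
    "VpcSettings": {
        "VpcId": "vpc-EXAMPLE",
        "SubnetIds": ["subnet-aaaa", "subnet-bbbb"],
        "AvailabilityZones": ["eu-west-1a", "eu-west-1b"],
        "SecurityGroupId": "sg-EXAMPLE",
    },
}

# Constructed sample: the Security Group attached to the directory, with one
# deliberately over-broad rule (Kerberos open to the whole Internet) for the demo.
SECURITY_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def check_multi_az(directory):
    """Return True if the directory's subnets span at least two distinct AZs."""
    zones = set(directory["VpcSettings"]["AvailabilityZones"])
    return len(zones) >= 2


def world_open_ports(security_group):
    """Return (protocol, from_port, to_port) for ingress rules open to any address."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return findings


if __name__ == "__main__":
    print("spans two AZs:", check_multi_az(DIRECTORY))
    print("rules open to the world:", world_open_ports(SECURITY_GROUP))
```

Any rule reported by world_open_ports is one the directory-aware workloads did not need, since AWS scopes the generated Security Group rules to your network.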
Whether you need single sign-on, Group Policy, redundancy, application access or an easy way to extend existing domains, AWS Directory Service provides a simple way to use and manage a directory.
The next post covers how to use AWS Directory Service with Office 365.