© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Ron Cully, AWS Directory Service

November, 30 2016

Best Practices for Integrating Active

Directory with AWS Workloads

WIN305

What to Expect from the Session

Running Windows applications and

workloads in the AWS Cloud

• Why Windows workloads in AWS need Active Directory (AD)

• AD options for cloud workloads

AWS Directory Service for Microsoft Active Directory

(Enterprise Edition) – “Microsoft AD”

Other AWS Directory Service solutions

AWS Managed

Service VPC

AWS Microsoft

AD DC

AD

VPC

EC2 Windows

Server DC

AD

On-premises

Windows

Server DC

AD

Application

Availability Zone

Private Subnet

10.0.2.0/24

SQL

ServerApp

Server

IIS

Server

Availability Zone

Private Subnet

10.0.3.0/24

SQL

ServerApp

Server

IIS

Server

Remote

Users / Admins

Example: Domain join

EC2 to on-premises AD

Domain

Controllers

DC

corporate data center

VPN

Connection

DBAPPWEB

DBAPPWEB

Auth/

LDAP

Auth/

LDAP

Availability Zone

Private Subnet

10.0.2.0/24

DBAPPWEB

SQL

ServerApp

Server

IIS

Server

Availability Zone

Private Subnet

10.0.3.0/24

DBAPPWEB

SQL

ServerApp

Server

IIS

Server

Remote

Users / Admins

Domain

Controllers

DC

corporate data center

VPN

Connection

Example: AD on

EC2 with replication

or AD trust

DC

Domain

Controller

DC

Domain

Controller

Trust or Replication

Auth/

LDAP

Auth/

LDAP

Auth/

LDAP

Application

Auth/

LDAP

Auth/

LDAP

DBRDS

SQL Server

Availability Zone

Private Subnet

10.0.2.0/24

APPWEB

App

Server

IIS

Server

Availability Zone

Private Subnet

10.0.3.0/24

APPWEB

App

Server

IIS

Server

Remote

Users / Admins

Domain

Controllers

DC

corporate data center

VPN

Connection

Example: AWS

Microsoft AD with AD

trust to on-premises

DBRDS

SQL Server

AWS Managed Services

AWS Managed Services

DCDomain

Controller

DCDomain

Controller

Trust

Application

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.0.0/24 10.0.2.0/24

APPWEB

App

Server

IIS

Server

RDGW

Availability Zone

Private SubnetPublic Subnet

NAT

10.0.1.0/24 10.0.3.0/24

APPWEB

App

Server

IIS

Server

RDGW

DC

DB

Microsoft

AD DC

RDS

SQL

Server

DC

AWS Managed Services

Microsoft

AD DC

DBRDS

SQL

Server

AWS Managed Services

Example: AWS

Microsoft AD with

everything in the

cloud

VDI

WorkSpaces

VDI

WorkSpaces

AWS Microsoft AD EC2 AD Instance On-Premises AD

Operation

ManagementAWS managed

in the cloud

Customer managed

in the cloud

Customer managed

own hardware

AvailabilityBuilt-in redundancy and

replication

Customer must design

for high availability

Customer must design

for high availability

NetworkingTrust1 ports from cloud

to on-premises

(least exposed)

Trust1 or replication2

ports from cloud to

on-premises AD

Ports to support cloud to

on-premises AD3 (most

exposed)

Admin ControlDesignated OU control;

some apps unsupportedFull control Full control

1

2

3

Selecting an Active Directory option

AWS Microsoft AD EC2 AD Instances On-Premises AD

• Minimize cost, effort to run AD

• Amazon RDS SQL Server

• AWS Enterprise Applications1

• Windows workloads on

Amazon EC22

• Require a replicated, multi-

region AD solution

• Need NetBIOS name

resolution support

• You require permissions not

yet delegated by AWS

Microsoft AD

• E.g., Exchange, Sharepoint,

SQL Server AlwaysOn

Availability Groups

• Minimal EC2 instances require

access to AD

• Latency to AD over on-

premises link is acceptable

• Security policies allow AD

ports to be exposed to internet

• Comfortable architecting

highly available connectivity to

on-premises AD

1If users are on premises via trust, application requires update; otherwise AD Connector will be needed2Subject to delegation constraints

AD Connector

• AD proxy for Amazon WorkSpaces, Amazon WorkDocs, and Amazon

WorkMail• Authentication and LDAP forwarded to on-premises AD

• Applications can look up on-premises users and groups

• Users authenticate using existing corporate credentials

• Supports EC2 seamless domain join• EC2 discovers domain name from AD Connector

• EC2 by-passes AD Connector for everything else

Proxy solution to use on-premises AD accounts with AWS Enterprise Applications

AWS Microsoft AD

AD AD

On-premises

NetworkVPC

Trust

AWS Microsoft

AD DC

Windows

AD DC

Setting up AWS Directory Service

1) Select Directory Service

in the AWS Console

3) Select Create Microsoft AD

for the directory type

2) Select Set up directory

from the menu

4) Configure the Directory

and VPC details

User, group, policy management via Microsoft tools

on domain-joined computers

AD On EC2 Windows

Active Directory instance on EC2

Customer-managed Active Directory server running on EC2• Customer responsible for patching, monitoring, snapshots, and high availability

• Connectivity via VPN or AWS Direct Connect

• Security groups must allow traffic to and from on-premises data center

• AD sites and subnets must be properly defined

• Site-link costs must be configured

• Enable domain members for "Try Next Closest Site“ group policy setting

Supports use cases and applications that require schema extension• Microsoft SQL Server

• Microsoft SharePoint

• Microsoft Exchange

• Microsoft Lync/Skype for Business

Use when AWS Microsoft AD does not support use case

Microsoft workloads in Amazon VPC

Availability Zone

Private Subnet

DC3

Corporate Network

Seattle

DC1

VPN

AD forest spanning AWS and corporate

data center

Tacoma

DC2

Availability Zone

Private Subnet

DC3

Corporate Network

Seattle

DC1

VPN

AD forest spanning AWS and corporate

data center

Tacoma

DC2

X

DC1 goes down, where do clients in Seattle go for

Directory Services?

Availability Zone

Private Subnet

DC3

Corporate Network

Seattle / AD Site 1

DC1

VPN

AD forest spanning AWS and corporate

data center

Tacoma / AD Site 2

DC2

AD Site 3

Cost 50

Properly implemented site topology and “Try Next Closest

Site” policy enabled. Clients use least cost path to DC.

Availability Zone

Private Subnet

10.0.2.0/24

APPWEB

App

Server

IIS

Server

Availability Zone

Private Subnet

10.0.3.0/24

APPWEB

App

Server

IIS

Server

Remote

Users / Admins

Domain

Controllers

DC

corporate data center

VPN

Connection

Adding Microsoft

AD for AWS apps

and services

DC

Domain

Controller

DC

Domain

Controller

Trust or Replication

Auth/

LDAP

Auth/

LDAP

Auth/

LDAP

Application

DC

DB

RDS

SQL

Server

Microsoft

AD DC

AWS Managed Services

VDI

WorkSpaces

DC

DBRDS

SQL

Server

AWS Managed Services

VDI

WorkSpaces Microsoft

AD DCTrust

Trust

Related Sessions

WIN303 – How to Launch a 100K-User Corporate Back

Office with Microsoft Servers and AWS

WIN403 – How to Migrate Microsoft Windows Applications

to AWS Quickly, with Less Risk, Using Multisite Replication

and SQL HA

ReferencesDocumentation

• AWS Directory Service – aws.amazon.com/directoryservice

• Microsoft AD - aws.amazon.com/documentation/directory-service/

• Amazon RDS SQL Server - aws.amazon.com/documentation/rds/

Quick Starts - aws.amazon.com/quickstart/• Active Directory DS (Microsoft AD)

• Exchange Server 2013

• SharePoint 2016 Enterprise

• Lync Server 2013

• SQL Server 2014 AlwaysOn

• PowerShell DSC

Thank you!

Remember to complete

your evaluations!