
Best Practices for Active Directory with

AWS Workloads

Michael Cotton
Senior Solutions Architect

June 13, 2017

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from the session

• Active Directory in the cloud
• How Active Directory is used – why Active Directory is important in the cloud
• Deployment options – supporting Windows workloads in the cloud
• How to choose – considerations for selection
• Trusts
AWS Active Directory options

• Simple Active Directory
  • A Microsoft Active Directory-compatible directory powered by Samba 4; supports the common Active Directory features.
  • When to use: when there are 5,000 or fewer users and you don't need the more advanced Microsoft Active Directory features.
• AWS managed Microsoft Active Directory
  • Enterprise Edition, built on real Windows Server domain controllers.
  • When to use: when there are more than 5,000 users, or you need a trust relationship between an AWS-hosted directory and your on-premises directories.
Why Active Directory is important in the cloud

[Figure: migration path for identity when moving workloads to AWS]
Source: Implementing an Identity Strategy for Amazon Web Services, Gartner Group, 24 Feb 2017
How Active Directory authentication works across the spectrum

[Diagram: the spectrum of Active Directory dependencies a workload can have, from most to least coupled to the directory]
• Domain join / machine AuthN / GPO / LDAP
• User AuthN / group membership / login scripts
• Kerberos AuthN
• Kerberos AuthZ
• Federated AuthN (SAML) to an app, a database, and another app

What if you migrate these parts to AWS?

[Diagram: the same spectrum, with the AWS service that takes over each part]
• Domain join / machine AuthN / GPO / LDAP → Amazon EC2
• User AuthN / group membership / login scripts → Amazon WorkSpaces
• Kerberos AuthN → RDS for SQL Server
• Kerberos AuthZ → ? (no managed equivalent shown)
• Federated AuthN (SAML) → an app on Amazon EC2, Amazon DynamoDB
Deployment options – Supporting Windows workloads in the cloud
Active Directory options – On-premises (option 1)

[Diagram: a Windows Server domain controller in the on-premises network, which you manage; EC2 instances in the VPC join that domain over the link]
• Create a VPN or AWS Direct Connect link to your VPC.
• Manually join EC2 instances to the on-premises domain.
• Use the VPC as an extension of your network.
• Security considerations: every domain-joined instance needs the domain-join, LDAP, and Kerberos ports opened from the VPC to the on-premises domain controllers.
• Latency considerations: every authentication and Group Policy refresh crosses the link.

DC – Active Directory Domain Controller
VPC – Amazon Virtual Private Cloud
Endpoint – Accessed via IP address in your VPC
Active Directory options – EC2 self-managed (option 2)

[Diagram: a Windows Server domain controller on-premises (you manage) and an EC2 for Windows Server domain controller in the VPC (you manage)]
Your responsibilities:
• Availability deployment strategy
• EC2 domain controller configuration
• DNS configuration
• Sites and Services configuration
• Monitoring
• Domain controller recovery
• Backup
• Restore
• Security group configuration
• EC2 domain joining
• Patch Tuesday management

AWS Directory Service is required for AWS enterprise applications and services to authenticate to your self-managed Active Directory.
Active Directory options – AWS manages (option 3)

[Diagram: option 1, an on-premises Windows Server domain controller (you manage); option 2, an EC2 for Windows Server domain controller in the VPC (you manage); option 3, AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. "AMAD", reached through a VPC endpoint (AWS manages)]
Active Directory options – AWS Microsoft Active Directory

AWS Directory Service for Microsoft Active Directory (Enterprise Edition), a.k.a. "AMAD", reached through a VPC endpoint
• Windows Server 2012 R2 domain controllers
• ~3-click setup
• 2 DCs, each in a different Availability Zone (AZ)
• Standalone, or connected to your Active Directory with trusts
• AWS apps and services integration:
  • EC2 seamless domain join
  • RDS for SQL Server authentication and authorization
  • Amazon WorkSpaces, Amazon QuickSight Enterprise Edition, and Amazon Chime Plus/Pro provisioning and authentication
Active Directory options – AWS Microsoft Active Directory

Some constraints
• AWS is domain admin.
• You get an OU and delegated admin over the OU.
• AWS apps/services/EC2 must be in the same VPC.
• Conservative delegated permissions to your OU admin account:
  • Application enablement limits some apps.
  • Some admin functions are not available.

Amazon responsibilities – operate
• Multi-AZ deploy, patch, monitor, domain controller recovery, snapshot, and restore.

Your responsibilities – administer
• Administration through Active Directory Users and Computers (ADUC) and other standard Active Directory tools.
• Administer users, groups, GPOs, and other Active Directory content.
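The "you get an OU and delegated admin over the OU" constraint above, and the "manually join EC2 instances" step of the on-premises option, both come down to the same join procedure on the instance. The following is an added example, not code from the deck or from AWS: it points an EC2 Windows instance at the directory's DNS servers, checks that the domain's SRV records resolve, and joins the machine into the OU that AWS delegates to you. The directory name corp.example.com, NetBIOS name CORP, the DC addresses 10.0.0.10 and 10.0.1.10, and the OU path are assumed values; substitute your own. For the on-premises option (option 1) the same script applies with the on-premises DNS servers and an OU of your choosing.

```powershell
# Added example (not from the AWS deck): join an EC2 Windows instance to an AWS Managed
# Microsoft AD directory, placing the computer object inside the OU that AWS delegates to you.
# Assumed (hypothetical) values: directory DNS name corp.example.com, NetBIOS name CORP,
# domain controllers at 10.0.0.10 and 10.0.1.10 (one per AZ). Run elevated; it reboots at the end.

$DirectoryDnsName = 'corp.example.com'
$DirectoryNetBios = 'CORP'
$DirectoryDnsIps  = @('10.0.0.10', '10.0.1.10')
# AMAD creates an OU named after the NetBIOS name and delegates it to your admin account.
# The "Computers" sub-OU below is an assumed target inside that delegated OU; adjust to taste.
$TargetOu = "OU=Computers,OU=$DirectoryNetBios,DC=corp,DC=example,DC=com"

# 1. Point the instance at the directory's DNS servers. A join fails if the instance cannot
#    resolve the _ldap._tcp SRV records of the domain, so do this before anything else.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DirectoryDnsIps

# 2. Confirm the domain is discoverable before prompting for credentials.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DirectoryDnsName" -Type SRV -ErrorAction Stop
$dcs = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
Write-Host "Domain controllers advertised for ${DirectoryDnsName}: $dcs"

# 3. Join with an account that has rights in the delegated OU (the Admin account AWS creates,
#    or a member of the delegated administrators group). A join into an OU outside the delegated
#    OU is refused, because AWS, not you, is domain admin in this directory.
$cred = Get-Credential -Message "Account with rights in $TargetOu (for example $DirectoryNetBios\Admin)"
Add-Computer -DomainName $DirectoryDnsName -OUPath $TargetOu -Credential $cred -Restart -Force
```

The -OUPath is the part people get wrong with AMAD: omit it and the join lands in the default Computers container, which is outside your delegated OU and therefore outside your control.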
Active Directory options – Connecting Active Directory in the cloud to on-premises Active Directory

[Diagram: three ways to connect an on-premises Windows Server domain controller to a directory in the VPC]
1. Replication – your DCs only: the on-premises DC replicates with an EC2 for Windows Server DC in the VPC.
2. Trust (1-way or 2-way) – your DCs or AMAD: the on-premises DC trusts an EC2 DC or AMAD in the VPC.
3. Sync users (third-party sync) – depends on the sync product: user objects are copied from the on-premises DC to the directory in the VPC.
Example: On-premises Active Directory

[Diagram: the corporate data center holds the AD domain controllers; remote users/admins and the data center reach the VPC over AWS Direct Connect and VPN; two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding a WEB (IIS) server, an APP (application) server and a DB (SQL Server) server; all auth/LDAP traffic from both subnets travels back over the link to the on-premises domain controllers]
Example: Active Directory on EC2 with replication, Active Directory trust, or sync

[Diagram: the same layout as the previous example, with an EC2 AD domain controller added to the private subnet in each Availability Zone; the WEB/APP/DB servers do auth/LDAP against the local EC2 domain controllers; only trust or replication traffic runs over Direct Connect/VPN to the on-premises domain controllers in the corporate data center]
Example: AMAD with Active Directory trust to on-premises

[Diagram: the same layout, with an AMAD domain controller (AWS Managed Services) in each Availability Zone and RDS for SQL Server as the DB tier; the WEB (IIS) and APP servers and RDS do auth/LDAP against the AMAD domain controllers; a trust runs over Direct Connect/VPN to the on-premises domain controllers in the corporate data center]
Considerations for AWS apps/services and many VPCs
• AMAD with a trust is required to use on-premises Active Directory credentials*.
• Technical and security issues
  • Amazon WorkSpaces and RDS for SQL Server must be in the same VPC as AMAD.
  • Option 1 – least cost, fewest trusts
    • Deploy AMAD in one VPC.
    • Deploy all RDS for SQL Server/WorkSpaces instances in the same VPC.
    • Use tagging for internal billing.
  • Option 2 – easiest billing, complex trust configuration, high cost
    • Deploy AMAD in each VPC.
    • Deploy RDS for SQL Server/WorkSpaces instance(s) in each VPC.
    • Each AMAD needs its own trust to on-premises, so every VPC adds a trust to secure and a set of ports to open.
  • Amazon QuickSight Enterprise Edition must be in the same account as AMAD.

*1-way trust for RDS for SQL Server; 2-way trust for Amazon WorkSpaces and Amazon Chime Plus/Pro.
How to choose – Considerations for selection

Deployment differences (AMAD vs. EC2 Active Directory instances vs. on-premises Active Directory)

Operation management
  AMAD: +AWS managed in the cloud
  EC2 Active Directory instances: -Customer managed in the cloud
  On-premises Active Directory: -Customer managed, own hardware
Availability
  AMAD: +Built-in redundancy and replication
  EC2 Active Directory instances: -Customer must design for high availability
  On-premises Active Directory: -Customer must design for high availability
Networking
  AMAD: Trust¹ ports from cloud to on-premises (least exposed)
  EC2 Active Directory instances: Trust¹ or replication² ports from cloud to on-premises Active Directory
  On-premises Active Directory: -Open ports to support cloud to on-premises Active Directory³ (most exposed)
Admin control
  AMAD: Designated OU control; some apps unsupported
  EC2 Active Directory instances: +Full control
  On-premises Active Directory: +Full control

¹ If you use a trust to on-premises, open ports from domain controllers to on-premises domain controllers are needed.
² Active Directory replication requires more open ports than forest trusts, but is limited to DC-to-DC communications.
³ Ports for domain joining, Active Directory interactions, LDAP etc., plus other firewall decisions for cloud to on-premises access.
How to select an Active Directory option

Choose AMAD when you want to:
• Minimize cost and effort to run Active Directory
• Use RDS for SQL Server¹
• Use AWS enterprise applications¹
• Run Windows workloads on EC2²

Choose EC2 Active Directory instances when you:
• Require a replicated, multi-region Active Directory solution
• Need NetBIOS name resolution support
• Require permissions not yet delegated by AWS Microsoft Active Directory³ (for example, Exchange, SharePoint, SQL Server AlwaysOn Availability Groups)

Choose on-premises Active Directory when you:
• Require access to Active Directory for only a minimal number of EC2 instances
• Find latency to Active Directory over an on-premises link acceptable
• Are comfortable with the availability of the connectivity to on-premises Active Directory

¹ RDS for SQL Server, Amazon WorkSpaces, Amazon QuickSight, and Amazon Chime require a trust only if the users are on-premises users authenticated through the trust.
² Subject to delegation constraints (for example, managed service account creation).
³ AWS is adding more delegations and application enablement over time.
Forest trusts

[Diagram: the VPC (cloud) is the trusting forest and holds the AMAD domain controller; the on-premises network is the trusted forest and holds the Windows Server Active Directory domain controller; the trust points from the cloud to on-premises, and access entitlements live in security groups on the cloud side]
• The trusting forest has no admin control over the trusted forest.
• Trusted users have cloud resource access only if they're entitled by trusting admins (you control both sides).
• Resources in the cloud have no access to on-premises resources without entitlement and a trust from on-premises to the cloud.
Securing trusts
• Leave SID filtering on when you set up the on-premises side of a trust.
• Turn on selective authentication on the on-premises side of a trust.
  • https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
• Only permit Active Directory trust ports to the domain controllers in the cloud.
  • https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
• For cloud-client-to-Active Directory traffic (for example, Amazon WorkSpaces login using on-premises credentials), only permit Active Directory authentication ports to on-premises Active Directory. Minimize all other ports from cloud to on-premises.
  • https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
• Don't grant groups in the cloud access to on-premises resources.
• Kerberos Forest Search Order:
  • https://technet.microsoft.com/en-us/library/configure-kerberos-forest-search-order-kfso(v=ws.10).aspx
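The first three points above can be checked and enforced from an on-premises domain controller. The following is an added example, not code from the deck or from AWS/Microsoft: it reads the trust as the on-premises forest sees it, turns on SID filtering and selective authentication where they are off, verifies the trust, and then probes the trust ports from the on-premises DC to each cloud DC. The forest names corp.example.com (on-premises) and aws.example.com (AMAD), and the cloud DC addresses 10.0.0.10 and 10.0.1.10, are assumed values. The cloud side of an AMAD trust is configured through AWS Directory Service, not from this script.

```powershell
# Added example (not from the AWS deck): audit and harden the on-premises side of a forest trust
# to an AWS Managed Microsoft AD forest, then check the ports the trust needs.
# Assumed (hypothetical) names: on-premises forest corp.example.com, AMAD forest aws.example.com,
# AMAD domain controllers at 10.0.0.10 and 10.0.1.10. Run as Enterprise Admin on an on-premises DC.
# netdom.exe ships with AD DS / RSAT; Get-ADTrust is in the ActiveDirectory module.

Import-Module ActiveDirectory
$OnPremForest = 'corp.example.com'
$CloudForest  = 'aws.example.com'
$CloudDcIps   = @('10.0.0.10', '10.0.1.10')

# 1. Audit. Direction is relative to the domain you query: Outbound or BiDirectional means
#    cloud principals can be granted access to on-premises resources, which is exactly what
#    SID filtering and selective authentication constrain.
$t = Get-ADTrust -Filter "Name -eq '$CloudForest'" -Properties *
if (-not $t) { throw "No trust to $CloudForest found in $OnPremForest" }
[pscustomobject]@{
    Direction               = $t.Direction
    ForestTransitive        = $t.ForestTransitive
    SIDFilteringForestAware = $t.SIDFilteringForestAware   # True = SID filtering on a forest trust
    SIDFilteringQuarantined = $t.SIDFilteringQuarantined   # True = SID filter quarantine (external trusts)
    SelectiveAuthentication = $t.SelectiveAuthentication
    TGTDelegation           = $t.TGTDelegation             # should be False across a forest boundary
} | Format-List

# 2. Enforce. A forest trust keeps SID filtering through /EnableSIDHistory:No; /Quarantine:Yes is
#    the external-trust switch (on a forest trust it would also stop child domains of the other
#    forest from being trusted, so do not apply it there).
if ($t.Direction -in 'Outbound', 'BiDirectional') {
    if ($t.ForestTransitive) {
        if (-not $t.SIDFilteringForestAware) { netdom trust $OnPremForest /domain:$CloudForest /EnableSIDHistory:No }
    } elseif (-not $t.SIDFilteringQuarantined) {
        netdom trust $OnPremForest /domain:$CloudForest /Quarantine:Yes
    }
    if (-not $t.SelectiveAuthentication) {
        # From now on a cloud principal can reach an on-premises server only if it is granted
        # "Allowed to Authenticate" on that server's computer object (per the deck: grant nothing).
        netdom trust $OnPremForest /domain:$CloudForest /SelectiveAuth:Yes
    }
}
netdom trust $OnPremForest /domain:$CloudForest /verify

# 3. Probe the trust ports from this DC to each cloud DC (the set from Microsoft KB 179442, linked
#    above). Anything else open between the forests is attack surface, not a requirement.
$TrustPorts = @(
    @{ Port = 53;   Use = 'DNS (conditional forwarder)' },
    @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 135;  Use = 'RPC endpoint mapper' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445;  Use = 'SMB (Netlogon, trust setup)' },
    @{ Port = 464;  Use = 'Kerberos password change' },
    @{ Port = 636;  Use = 'LDAPS' },
    @{ Port = 3268; Use = 'Global Catalog' },
    @{ Port = 3269; Use = 'Global Catalog over SSL' }
)
foreach ($ip in $CloudDcIps) {
    foreach ($p in $TrustPorts) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $p.Port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-12} {1,5}  {2,-30} {3}' -f $ip, $p.Port, $p.Use, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
# The RPC dynamic range (49152-65535) is also required DC-to-DC for the trust and cannot be
# checked meaningfully port by port; allow it in the security group only between DC addresses.
```

Run it once after the trust is created and again after any security group change on the cloud side: a port that reads BLOCKED on 88 or 389 explains a trust that "verifies" but fails at logon time, and a port list longer than the one above is the place to start tightening.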
Coming soon to AWS Microsoft Active Directory

• Payment Card Industry (PCI) certification
• More than two domain controllers per AWS managed Active Directory
• Region-wide access across all your VPCs and accounts
• LDAPS support:
  • To on-premises Active Directory
  • To AWS managed Active Directory
Thank you!