Vortrag "Hybride Cloud Infrastrukturen durch Integration mit Active Directory" von Justin Bradley beim AWS Cloud Web Day für Windows Anwendungen. Alle Videos und Präsentationen finden Sie hier: http://amzn.to/1Ucuzzx

1. Justin Bradley,
Solutions Architect, SME Windows
Amazon Web Services Germany GmbH
AWS Web Day, 07. Juni 2016
Hybride Cloud Infrastrukturen durch
Integration mit Active Directory

2. Agenda
• Active Directory on AWS for Windows
• Domain & Forest Model
• AWS Directory Service
• Directory Service Design Considerations
• Domain join Windows and Linux
• Integration with WorkSpaces & WorkDocs
• Q&A

3. Active Directory on AWS for Windows
Single-domain
Multi-domain, single forest
Multi-forest with trust / resource forests

4. Domain and Forest Model – Single-Domain
Deploy domain controllers that are part of the same domain in the same forest.
Architecture
• Build on EC2
Benefits:
• Single identity/account per user.
• Easy to manage
• You can leverage your entire existing directory structure, including users, groups, OUs, policies, and extend it into the
cloud.
• Simplify directory migration to AWS Cloud in the future – Promote backup domain controller in AWS Cloud into primary
domain controller.

5. Domain and Forest Model - Multi-domain, single forest
Deploy domain controllers that are part of a different domain in the same forest, and configure a one-way or two-way trusts.
Architecture:
• Build on EC2
Benefits:
• Single identity/account per user.
• Provide clear visibility of resources in AWS at an AD level.
• Relatively easy to manage.
• Can limit the scope of damage in case of compromise.
One Way Domain Trust

6. Domain and Forest Model - Create a standalone trusted AD forest in AWS
One-Way Forest Trust
Deploy domain controllers that are of a different domain in a different forest, and configure a one-way or two-way trusts. You
can create a new forest in your AWS environment with forest trust enabled to the existing on-premises forest.
Architecture:
• Build on AD DS on EC2 or AWS Directory Service
Benefits:
• Isolates production forest from off-premises forest
• Single identity/account per user.
• Provide clear visibility of resources in AWS at an AD level.

7. You can create a new directory or extend your existing directory by using
AWS Directory Service or by creating one or more domain controllers in
your AWS environment.
AWS Directory Service
Microsoft AD
Simple AD
AD Connector
AWS Directory Service

8. Simple AD
Simple AD is a Microsoft Active Directory–compatible directory from
AWS Directory Service that is powered by Samba 4. Simple AD
supports commonly used Active Directory features such as user
accounts, group memberships, domain-joining EC2 instances running
Linux and Microsoft Windows.
When to use
In most cases, Simple AD is the least expensive option and your best
choice if you have 5,000 or less users and don’t need the more
advanced Microsoft Active Directory features.

9. Microsoft AD
AWS Directory Service for Microsoft Active Directory is a managed
Microsoft Active Directory hosted on the AWS Cloud. It provides much of
the functionality offered by Microsoft Active Directory plus integration with
AWS applications. With the additional Active Directory functionality, you
can, for example, easily set up trust relationships with your existing Active
Directory domains to extend those directories to AWS services.
When to use
Microsoft AD is your best choice if you have more than 5,000 users and
need a trust relationship set up between an AWS hosted directory and your
on-premises directories.
*May not be compatible with all applications due to AD Forest Trust

10. AD Connector
AD Connector is a proxy service for connecting your on-premises
Microsoft Active Directory to the AWS Cloud without requiring complex
directory synchronization or the cost and complexity of hosting a
federation infrastructure.
When to use
AD Connector is your best choice when you want to use your existing
on-premises directory with AWS services.

11. Multi-forest with trust / resource forests
AWS-Managed VPC
Auth: Directory Service
EC2
auth-only
corp
servers
Direct Connect
or VPN
Customer
Corp Net
Users
Customer
firewall needs to
allow for ingress
traffic
Kerb/TGT
ticket
AD Connector
auth-only
Microsoft AD
ENI
AWS-Managed
Customer-Managed
all other traffic
NETWORK TRAFFIC LEGEND
auth (LDAP/Kerberos)
Auth (Trust)
Active
Directory
One Way- Trust
Resource Forest

12. Directory Service Regional availability

13. Directory Service Design Considerations

14. Architecture Considerations
Active Directory Design
• Site Topology
• Highly Available Directory
Domain Services
• Read-Only and Writeable
Domain Controllers

15. Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN / Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3
Cost 10
company.local
company.local
Active Directory AD DS: Sites and Services

16. Network Traffic Requirements (Ingress) Active Directory
Source – AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 135 RPC, EPM Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 139 NetLogon,
NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 445 SMB, CIFS Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2) *
tcp 3268-3269 LDAP GC, GC SSL Trusts Active Directory (private datacenter -or- EC2) *
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2) **
tcp 9389 AD Web Services Remote PowerShell
(Optional)
Active Directory (private datacenter -or- EC2) *
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 137 DFSN, NetBIOS
Session Service,
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 138 DFSN, NetLogon Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 445 SMB, CIFS Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2) *
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)*
* Active Directory Port Requirements available at https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
** Dynamic port range: Refer to Microsoft kb 832017

17. Architecture Considerations
Instance Configuration
• Active Directory DNS and DHCP
inside the Amazon VPC
• DNS Settings on Windows Server
Instances
• Security Group Ingress Traffic
• Setting up Secure Administrative
Access Using Remote Desktop
Gateway

18. Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown.
• Set up the Amazon VPC, including subnets in two Availability Zones.
• Configure private and public routes.
• Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS.
• Create empty private subnets in each Availability Zone into which you
can deploy additional servers.
• Configure security groups and rules for traffic between application
tiers.
• Set up and configure AD Sites and Subnets.
• Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances.
LaunchStack
18

19. Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC

20. Considerations for Extending AD into AWS
It isn’t required, but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS.
This reduces network latency and
also provides availability in the
event of an outage on premises

21. AWS Directory Service domains (Simple AD / Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances!
http://aws.amazon.com/about-aws/whats-new/2015/02/17/aws-directory-service-now-supports-seamless-domain-join-for-windows/
Making it simpler still..

22. Domain Join Windows and Linux

23. Joining instances to a directory
Microsoft AD /
AD Connector
EC2 Windows
EC2 Linux

24. Joining your Windows instance
• Microsoft AD or AD Connector
required.
• Create Role „DomainJoin“
• Select Server Role Type
„Amazon EC2“
• Attach Policy
„AmazonEC2RoleforSSM“

25. Joining your Windows instance
• Select your Directory “Domain join directory”.
• Select IAM role „DomainJoin“
Once your Instance has booted it will automatically join your selected domain.

26. Joining your Linux instance
#Step 1 - Log in to the instance
ssh -i "tuesday-demo.pem" ec2-user@xxx.xxx.xxx.xxx
#Step 2 - Make any updates, install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
#Step 3 - Join the instance to the directory
sudo realm join -U administrator@tuesday.mydirectory.com tuesday.mydirectory.com --verbose
#Step 4 - Edit the config file
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
#Start SSSD
sudo service sssd start
#Step 5 - Restart the instance - from the AWS Console. Log back in.
#Step 6 - Add the domain administrators group from the example.com domain.
sudo visudo -f /etc/sudoers
%Domain Admins@tuesday.mydirectory.com ALL=(ALL:ALL) ALL
#Step 7 - approve a login
sudo realm permit administrator@tuesday.mydirectory.com
sudo realm permit casey@tuesday.mydirectory.com
#Step 8 - login using a linux user
ssh casey@tuesday.mydirectory.com@xxx.xxx.xxx.xxx
• Microsoft AD or AD Connector
required.
• Install SSSD, Kerberos
• Join domain
• Edit „sshd“ Config
• Start service „sssd“
• Add AD users / Groups to
„sudoers“
Supported Linux Instances
• Amazon Linux AMI 2015.03
• Red Hat Enterprise Linux 7.2
• Ubuntu Server 14.04 LTS
• CentOS 7

27. AWS Enterprise Applications
integration

28. AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft AD/AD Connector

29. AWS Applications integration
Access URL
https://mycompany.awsapps.com

30. Parting thoughts

31. Get started today!
Visit our website
aws.amazon.com/directoryservice
30-day free trial
for small directories

32. Next Steps
Sign up for an AWS account!
Take advantage of the Free Tier: aws.amazon.com/free
Learn more: aws.amazon.com/windows
https://aws.amazon.com/directoryservice/
https://aws.amazon.com/quickstart/

33. justbrad@amazon.de
Thank You!