Active Directory (AD) is essential for Windows workloads in the cloud. AWS offers customers multiple ways to integrate AD with cloud workloads like EC2, RDS, and AWS Enterprise Applications: AWS Directory Service for Microsoft Active Directory (Enterprise Edition) as a managed service and Active Directory running on AWS EC2 Windows instances. Which option is right for you? This session will discuss the key deployment considerations for each option to help you identify which best meets your project goals, and the effort involved. The session will cover options for integrating with your on-premises directory, port and security considerations, application considerations, and best practices.
2. What to Expect from the Session
Running Windows applications and workloads in the AWS Cloud
• Why Windows workloads in AWS need Active Directory (AD)
• AD options for cloud workloads
  • AWS Directory Service for Microsoft Active Directory (Enterprise Edition) – “Microsoft AD”
  • Other AWS Directory Service solutions
6. Example: AD on EC2 with replication or AD trust (architecture diagram)
Diagram summary: two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) hosting a DB tier (SQL Server), an APP tier (App Server) and a WEB tier (IIS Server), plus a customer-managed domain controller (DC) on EC2 per AZ. A VPN connection links the VPC to the corporate data center, whose domain controllers either replicate with or hold an AD trust with the EC2 DCs. The application tiers and remote users/admins authenticate (Auth/LDAP) against the EC2 DCs.
7. Example: AWS Microsoft AD with AD trust to on-premises (architecture diagram)
Diagram summary: two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) hosting an APP tier (App Server) and a WEB tier (IIS Server); the DB tier is Amazon RDS SQL Server. The domain controllers in the VPC are AWS-managed Microsoft AD DCs (AWS Managed Services), one per AZ. A VPN connection links the VPC to the corporate data center, whose domain controllers hold an AD trust with Microsoft AD. The application tiers and remote users/admins authenticate (Auth/LDAP) against the Microsoft AD DCs.
8. Example: AWS Microsoft AD with everything in the cloud (architecture diagram)
Diagram summary: two Availability Zones, each with a public subnet (10.0.0.0/24 and 10.0.1.0/24) containing a NAT instance and a Remote Desktop Gateway (RDGW), and a private subnet (10.0.2.0/24 and 10.0.3.0/24) hosting an APP tier (App Server) and a WEB tier (IIS Server). AWS-managed Microsoft AD DCs (one per AZ), Amazon RDS SQL Server as the DB tier and Amazon WorkSpaces as VDI (AWS Managed Services) complete the environment; there is no on-premises connectivity.
9. Comparison of the options

Operation     | AWS Microsoft AD                                          | EC2 AD Instance                                          | On-Premises AD
Management    | AWS managed, in the cloud                                 | Customer managed, in the cloud                           | Customer managed, on own hardware
Availability  | Built-in redundancy and replication                       | Customer must design for high availability               | Customer must design for high availability
Networking    | Trust¹ ports from cloud to on-premises (least exposed)     | Trust¹ or replication² ports from cloud to on-premises AD | Ports to support cloud to on-premises AD³ (most exposed)
Admin Control | Designated OU control; some apps unsupported              | Full control                                             | Full control
10. Selecting an Active Directory option

Choose AWS Microsoft AD when you want to:
• Minimize the cost and effort of running AD
• Use Amazon RDS SQL Server
• Use AWS Enterprise Applications¹
• Run Windows workloads on Amazon EC2²

Choose AD on EC2 instances when you:
• Require a replicated, multi-region AD solution
• Need NetBIOS name resolution support
• Require permissions not yet delegated by AWS Microsoft AD, e.g., Exchange, SharePoint, SQL Server AlwaysOn Availability Groups

Choose on-premises AD when:
• Only a minimal number of EC2 instances require access to AD
• Latency to AD over the on-premises link is acceptable
• Security policies allow AD ports to be exposed to the internet
• You are comfortable architecting highly available connectivity to on-premises AD

¹ If users are on premises via trust, the application requires an update; otherwise AD Connector will be needed
² Subject to delegation constraints
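The Networking row of the comparison is the security-relevant one: a trust needs the fewest ports opened from the VPC toward on-premises, EC2-hosted DCs replicating with on-premises need the RPC dynamic range on top of that, and pointing cloud workloads straight at on-premises DCs needs the full AD port set. Before creating a trust it is worth confirming, from an EC2 Windows instance, which of those ports actually reach the on-premises DC through the security group, NACL, VPN and on-premises firewall. The PowerShell script below is an added example and not part of the deck; the DC hostname is a placeholder, and because the deck's footnotes with the port lists are not reproduced on this page, the port set is the commonly documented one for a forest trust (DNS, Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Kerberos password change, global catalog) and should be reconciled with the current AWS Directory Service documentation.

```powershell
# Added example, not from the deck: probe the TCP ports a forest trust needs
# from an EC2 Windows instance toward an on-premises domain controller and
# flag anything that is closed. Run it in a PowerShell session on the instance.
param(
    [string]$OnPremDc = 'dc1.corp.example.com',   # assumed hostname, replace it
    [switch]$IncludeReplicationPorts               # for EC2 DCs replicating with on-premises
)

# Commonly documented TCP ports for a trust (assumption; reconcile with the
# AWS Directory Service port list). UDP 53/88/389/464 are required as well,
# but Test-NetConnection only probes TCP, so check those with the firewall team.
$toProbe = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL'
}
# Replication additionally needs the RPC dynamic range (49152-65535 on current
# Windows); probing one port in it is only a sample of the whole range.
if ($IncludeReplicationPorts) {
    $toProbe[49152] = 'RPC dynamic range (sample port)'
}

$results = foreach ($entry in $toProbe.GetEnumerator()) {
    $probe = Test-NetConnection -ComputerName $OnPremDc -Port $entry.Key -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $entry.Key
        Service   = $entry.Value
        Reachable = $probe.TcpTestSucceeded
        Remote    = $probe.RemoteAddress
    }
}

$results | Format-Table -AutoSize

$closed = @($results | Where-Object { -not $_.Reachable })
if ($closed.Count -gt 0) {
    Write-Warning ("Closed TCP ports toward {0}: {1}" -f $OnPremDc, ($closed.Port -join ', '))
    exit 1
}
Write-Host "All probed TCP ports reachable; verify UDP 53/88/389/464 separately."
```

Run it without the switch to validate a trust (slide 7 design), and with -IncludeReplicationPorts when the VPC hosts EC2 domain controllers that replicate with on-premises (slide 6 design). A port that is reachable but should not be is as much a finding as one that is closed: the least-exposed option only stays least exposed if the security group does not also permit the replication and full AD port sets.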
11. AD Connector
Proxy solution to use on-premises AD accounts with AWS Enterprise Applications
• AD proxy for Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail
• Authentication and LDAP forwarded to on-premises AD
• Applications can look up on-premises users and groups
• Users authenticate using existing corporate credentials
• Supports EC2 seamless domain join
  • EC2 discovers the domain name from AD Connector
  • EC2 bypasses AD Connector for everything else (it talks to the on-premises DCs directly, so the required AD ports must be open between the VPC and the on-premises network)
15. Setting up AWS Directory Service
1) Select Directory Service in the AWS Console
2) Select Set up directory from the menu
3) Select Create Microsoft AD for the directory type
4) Configure the Directory and VPC details
User, group, and policy management is done with the Microsoft tools on domain-joined computers
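The same four console steps can be scripted, which is how most teams will create the directory repeatably and keep the admin password out of a wizard and out of shell history. The following is an added example, not from the deck: it drives the AWS CLI from PowerShell. The VPC ID, subnet IDs, directory names and the Secrets Manager secret name are assumptions; the two subnets must be in different Availability Zones, which is what gives Microsoft AD the built-in redundancy the comparison table refers to.

```powershell
# Added example, not from the deck: create an AWS Microsoft AD directory with
# the AWS CLI from PowerShell and wait until it is usable. All IDs and names
# below are placeholders.
$vpcId   = 'vpc-0123456789abcdef0'                              # assumed
$subnets = 'subnet-0aaaaaaaaaaaaaaaa,subnet-0bbbbbbbbbbbbbbbb'  # assumed, two different AZs
$fqdn    = 'corp.example.com'                                   # assumed directory DNS name
$netbios = 'CORP'                                               # assumed NetBIOS name

# Do not hard-code the directory Admin password; pull it from Secrets Manager
# (secret name assumed). It still passes to the CLI as an argument, so run
# this from a trusted admin host, not from a shared jump box.
$adminPassword = aws secretsmanager get-secret-value --secret-id 'corp-ad-admin' `
    --query SecretString --output text

$directoryId = aws ds create-microsoft-ad --name $fqdn --short-name $netbios `
    --password $adminPassword --edition Enterprise `
    --vpc-settings "VpcId=$vpcId,SubnetIds=$subnets" `
    --query DirectoryId --output text

# Creation takes a while; poll the Stage until the directory is Active or failed.
do {
    Start-Sleep -Seconds 60
    $stage = aws ds describe-directories --directory-ids $directoryId `
        --query 'DirectoryDescriptions[0].Stage' --output text
    Write-Host "$directoryId stage: $stage"
} while ($stage -notin @('Active', 'Failed'))

if ($stage -ne 'Active') { throw "Directory $directoryId did not become Active (stage: $stage)" }

# Record the directory's DNS addresses: instances that will be domain-joined
# must use these resolvers (via the VPC DHCP options set) to find the DCs.
aws ds describe-directories --directory-ids $directoryId `
    --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text
```

After the directory is Active, management continues exactly as the slide says: with the Microsoft tools (Active Directory Users and Computers, Group Policy Management) from a domain-joined computer, scoped to the OU that AWS delegates to you.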
20. Active Directory instance on EC2
Customer-managed Active Directory server running on EC2
• Customer responsible for patching, monitoring, snapshots, and high availability
• Connectivity via VPN or AWS Direct Connect
• Security groups must allow AD traffic to and from the on-premises data center
• AD sites and subnets must be properly defined
• Site-link costs must be configured
• Enable the “Try Next Closest Site” Group Policy setting for domain members
Supports use cases and applications that require schema extension:
• Microsoft SQL Server
• Microsoft SharePoint
• Microsoft Exchange
• Microsoft Lync/Skype for Business
Use when AWS Microsoft AD does not support the use case
23. AD forest spanning AWS and the corporate data center (diagram)
Diagram summary: the corporate network has DC1 in Seattle and DC2 in Tacoma; DC3 runs in a private subnet in an AWS Availability Zone, connected over VPN. DC1 goes down (marked with an X). Where do clients in Seattle go for Directory Services?
24. The same forest with AD sites defined (diagram)
Diagram summary: Seattle / AD Site 1 (DC1), Tacoma / AD Site 2 (DC2) and the AWS Availability Zone / AD Site 3 (DC3) over VPN, with a site-link cost of 50 on the link to AWS. With a properly implemented site topology and the “Try Next Closest Site” policy enabled, clients use the least-cost path to a DC.
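Slides 20, 23 and 24 describe the three pieces that make DC failover over the VPN predictable: sites and subnets, site links with costs, and the “Try Next Closest Site” setting. Without them, a client whose local DC is down may pick any DC in the forest, including the one across the VPN, and without the policy a client in a site with no DC ignores link costs entirely. The PowerShell below is an added example and not part of the deck; it builds the Seattle / Tacoma / AWS topology from the slides on a DC with the ActiveDirectory and GroupPolicy modules. The corporate subnet ranges, DC names, the cost of 10 between the on-premises sites and the GPO name are assumptions; the AWS subnets and the cost of 50 toward AWS come from the diagrams.

```powershell
# Added example, not from the deck: define a three-site topology with costed
# site links and enforce "Try Next Closest Site". Run as a Domain Admin on a
# DC or a host with RSAT. Subnets, DC names and the GPO name are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Sites and the subnets that map clients and DCs to them. 10.0.2.0/24 and
# 10.0.3.0/24 are the AWS private subnets from the diagrams; the corporate
# ranges are placeholders.
$sites = @{
    'Seattle' = @('192.168.10.0/24')
    'Tacoma'  = @('192.168.20.0/24')
    'AWS'     = @('10.0.2.0/24', '10.0.3.0/24')
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# Site links: cheap between the two on-premises sites, cost 50 over the VPN to
# AWS (the value on the slide). When a client's own site has no reachable DC,
# the lowest-cost link decides which site it tries next.
$links = @(
    @{ Name = 'Seattle-Tacoma'; Sites = @('Seattle', 'Tacoma'); Cost = 10 },
    @{ Name = 'Seattle-AWS';    Sites = @('Seattle', 'AWS');    Cost = 50 },
    @{ Name = 'Tacoma-AWS';     Sites = @('Tacoma', 'AWS');     Cost = 50 }
)
foreach ($l in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites `
            -Cost $l.Cost -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}
# Take the sites out of the default link so only the costs above apply.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Remove = @('Seattle', 'Tacoma', 'AWS') } -ErrorAction SilentlyContinue

# DCs stay in Default-First-Site-Name until moved; a DC in the wrong site
# advertises itself to the wrong clients. DC names are assumptions.
Move-ADDirectoryServer -Identity 'DC1' -Site 'Seattle'
Move-ADDirectoryServer -Identity 'DC2' -Site 'Tacoma'
Move-ADDirectoryServer -Identity 'DC3' -Site 'AWS'

# "Try Next Closest Site" (Computer Configuration > Administrative Templates >
# System > Net Logon > DC Locator DNS Records). Linked at the domain, it makes
# member computers whose site has no reachable DC fall back to the next
# cheapest site instead of to an arbitrary DC in the forest.
Set-GPRegistryValue -Name 'Default Domain Policy' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters' `
    -ValueName 'TryNextClosestSite' -Type DWord -Value 1

# Verification from any member: the site it resolved to and the DC it picked.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /force
```

To reproduce the scenario on slide 23, stop the Netlogon service on DC1 and rerun the two nltest commands on a Seattle client: with the topology above it should report DC2 (cost 10) rather than DC3 across the VPN, and with the policy removed it may report either.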
25. Adding Microsoft AD for AWS apps and services (architecture diagram)
Diagram summary: the EC2 AD design from slide 6, extended. Two Availability Zones with private subnets (10.0.2.0/24 and 10.0.3.0/24) host the APP (App Server) and WEB (IIS Server) tiers and the EC2 domain controllers, which keep their trust or replication with the corporate data center DCs over the VPN; the application tiers and remote users/admins still authenticate (Auth/LDAP) against those EC2 DCs. An AWS-managed Microsoft AD DC (AWS Managed Services) is added in each AZ with a trust to the EC2 domain, and it serves the AWS-managed services that need it: Amazon RDS SQL Server (DB) and Amazon WorkSpaces (VDI).
26. Related Sessions
WIN303 – How to Launch a 100K-User Corporate Back Office with Microsoft Servers and AWS
WIN403 – How to Migrate Microsoft Windows Applications to AWS Quickly, with Less Risk, Using Multisite Replication and SQL HA
27. References
Documentation
• AWS Directory Service – aws.amazon.com/directoryservice
• Microsoft AD – aws.amazon.com/documentation/directory-service/
• Amazon RDS SQL Server – aws.amazon.com/documentation/rds/
Quick Starts – aws.amazon.com/quickstart/
• Active Directory DS (Microsoft AD)
• Exchange Server 2013
• SharePoint 2016 Enterprise
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• PowerShell DSC