In this session we will talk through deployment scenarios and design considerations for running Active Directory on AWS, and introduce the AWS Directory Service. AWS Directory Service is a managed service that allows you to connect your AWS resources with an existing on-premises Microsoft Active Directory or to set up a new, stand-alone directory in the AWS cloud.
4. Hybrid Datacenter
• Takes advantage of either VPN or Direct Connect
• Design your VPC to be an extension of your Datacenter
• Minimizes Administrative Process Change
5. Hybrid Datacenter
• Scenario: Migrate a portion of your on-premises Datacenter to AWS, including Windows Services that rely upon Active Directory
• Two Design Patterns:
– On-Premises AD Only
– Deploy Domain Controllers in AWS
6. Hybrid Datacenter: Scenario 1 (On-Premises AD Only)
[Diagram: On-Premise Datacenter (User, Active Directory Forest) connected to AWS Cloud (EC2 Instances) over a VPN Connection. Steps: 1. Authenticate user and request Kerberos ticket; 2. Get Kerberos ticket; 3. Submit ticket to the EC2 instances; 4. Use information in ticket.]
7. Hybrid Datacenter: Scenario 2 (Domain Controllers deployed in AWS)
[Diagram: Remote Office (User) connected to AWS Cloud (Active Directory Forest, EC2 Instances) over a VPN Connection. Steps: 1. Authenticate user and request Kerberos ticket; 2. Get Kerberos ticket; 3. Submit ticket to the EC2 instances; 4. Use information in ticket.]
8. Federation
• Builds on the basics of the Hybrid Model
• Provides Single-Sign-On capabilities without extending your corporate AD Forest
• Empowers B2B Trusts
9. Federation
• Scenario: SSO for AWS Hosted Applications
• Multiple Use Cases:
– Internal Use Only
– SaaS Model
10. Federation: On-Premises Only
[Diagram: On-Premise Datacenter (User, ADFS 2.0 Server, Active Directory Domain Services) connected to AWS Cloud (EC2 Instance running the Application on Windows Identity Foundation) over a VPN Connection. Steps: 1,2. Login and receive Kerberos ticket; 3,4. Query for token requirements; 5. Request token, send Kerberos ticket; 6,7. Find and return claim; 8. Return token; 9. Forward token to application; 10,11,12. Resolve token and evaluate claim; 13. Get the data.]
11. Federation: SaaS Model
• Useful if the application is a SaaS application or one for which you want to provide access to users in an unmanaged or untrusted domain
• Establish a trust between the source domain and the AWS domain via ADFS for trusted login
12. Federation: SaaS Model
[Diagram: On-Premise Datacenter (User, ADFS 2.0 Server, Active Directory Domain Services) and AWS Cloud (EC2 Instance running the Application and a Security Token Service). Steps: 1. Log into AD, get Kerberos TGT; 2. Establish session with app; 3. App needs token, redirects to STS; 4. STS sends token request to Identity Provider; 5. ADFS gets authenticated user info from AD and creates SAML token; 6. ADFS redirects user to STS with SAML token; 7. Redirect user back to app with token; 8. User is authenticated to app.]
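The relying-party side of the two federation diagrams (steps 10-12 of the on-premises flow, step 8 of the SaaS flow) is where the SAML token is resolved and its claims evaluated before anything is trusted. As an added example, not code from the deck, ADFS or Windows Identity Foundation, the Python below performs those checks. It assumes the XML signature over the assertion has already been verified by WIF or an XML-DSig library (ElementTree cannot do that) and then checks what still has to be checked: the issuer is the expected ADFS instance, the audience restriction names this application, the validity window holds allowing for clock skew, and finally it extracts the attribute claims. The assertion, issuer URL and audience URL are constructed placeholders.

```python
"""Relying-party checks on a SAML 2.0 assertion before its claims are trusted.

Added example; not code from the deck, ADFS or Windows Identity Foundation.
Precondition: the XML signature over the assertion has ALREADY been verified by
WIF or an XML-DSig library (ElementTree cannot do that). What remains, and what
this module does, is: check the issuer is the expected ADFS instance, check the
audience restriction names this application, check the validity window with a
clock-skew allowance, then extract the attribute claims. The assertion, issuer
and audience URLs below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ISSUER = "http://adfs.corp.example/adfs/services/trust"   # assumed ADFS identifier
AUDIENCE = "https://app.aws.example/"                      # assumed relying-party identifier


def _parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(xml_text, expected_issuer, expected_audience,
                       now=None, skew=timedelta(minutes=5)):
    """Return {"subject": name_id, "claims": {attribute_name: [values]}}.

    Raises ValueError on any failed check. Only call this after signature
    verification: an unsigned or tampered assertion would otherwise pass.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError("unexpected issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - skew >= _parse_time(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for %s" % expected_audience)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return {"subject": subject, "claims": claims}


def rejection_reason(xml_text, expected_issuer, expected_audience, now_iso):
    """None if the assertion is accepted at time now_iso, else the failure message."""
    try:
        evaluate_assertion(xml_text, expected_issuer, expected_audience, now=_parse_time(now_iso))
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample assertion (Signature element omitted; see the precondition above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2014-10-01T12:00:00Z">
  <saml:Issuer>http://adfs.corp.example/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>CORP\\alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-10-01T12:00:00Z" NotOnOrAfter="2014-10-01T13:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.aws.example/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    result = evaluate_assertion(SAMPLE_ASSERTION, ISSUER, AUDIENCE,
                                now=_parse_time("2014-10-01T12:30:00Z"))
    print(result["subject"], result["claims"])
    print(rejection_reason(SAMPLE_ASSERTION, ISSUER, AUDIENCE, "2014-10-01T14:00:00Z"))
```

The audience and validity-window checks are what stop a token issued for one AWS-hosted application from being replayed against another, or reused after it expired; in production, parse untrusted XML with defusedxml rather than the stock ElementTree parser.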
13. Isolated: One Forest in the Cloud
• Doesn’t require any connectivity between your on-premises datacenter and AWS
• Good for applications that manage their own internal users
• Good for applications that require Active Directory but in instances where you don’t want to host any corporate information
15. AWS Design Considerations
• Avoid Single Points of Failure
• Treat AWS Availability Zones as you would distinct Datacenters
• Consider the characteristics of a shared computing, storage and networking environment
16. VPC and Networking
• Understand your connectivity choices
– Needs for Hybrid/VPC
– Direct Connect vs VPN vs Disconnected
– VPN: define the "interesting traffic" (the address ranges the IPsec tunnel carries) so that DC, DNS and client traffic between the VPC and the datacenter actually traverses the tunnel
• Make sure your domain controllers use static IP addresses
• Firewalls (Security Groups) add complexity but are necessary!
17. Backup and Recovery
• Microsoft Best Practice is to use an AD-compatible backup application (a plain volume snapshot is not an AD-aware backup; rolling a DC back to an older image risks USN rollback)
• Know the unique requirements driven by the virtual environment
18. AD Security in AWS
• AWS and EC2 Security are Very Important
• Control Access to your AD Instances
– IAM and 2-factor authentication
– Provisioning
• Domain Controllers should not be Internet facing
– Use a DMZ with Jumpboxes
– For ADFS, use Web Application Proxy roles as the front end
• AD Best Practices still apply
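Slides 16 and 18 state that security groups are necessary and that domain controllers must not be Internet facing. The Python below is an added example of auditing that (not code from the deck or from AWS): it walks security-group rules in the shape boto3's ec2.describe_security_groups() returns and reports every AD port reachable from a source CIDR outside the trusted ranges (VPC, VPN or Direct Connect ranges). Rules whose source is another security group, such as a jumpbox group, are treated as scoped and not reported. The group IDs, CIDRs, rules and trusted ranges are constructed sample data.

```python
"""Audit security groups on domain controllers for Internet exposure.

Added example, not code from the deck or from AWS. Input is a list of security
groups in the shape returned by boto3 ec2.describe_security_groups()["SecurityGroups"];
the sample groups and trusted CIDRs below are constructed for illustration.
"""
import ipaddress

# Ports a domain controller listens on (common subset). Any ingress rule that
# overlaps one of these from an untrusted source CIDR is reported.
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog SSL", 3389: "RDP (admin access)",
}
RPC_DYNAMIC = (49152, 65535)  # Windows Server 2008+ RPC dynamic port range


def _port_range(perm):
    """(from, to) covered by a permission; IpProtocol '-1' means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _exposed_services(lo, hi):
    """Names of AD services whose port lies inside [lo, hi]."""
    names = [name for port, name in AD_PORTS.items() if lo <= port <= hi]
    if lo <= RPC_DYNAMIC[1] and hi >= RPC_DYNAMIC[0]:
        names.append("RPC dynamic range")
    return names


def _is_trusted(cidr, trusted_nets):
    """True if cidr lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)


def audit_dc_security_groups(security_groups, trusted_cidrs):
    """Return findings as (group_id, source_cidr, [exposed services]).

    Rules whose source is another security group (UserIdGroupPairs), such as a
    jumpbox group, are not reported: they are scoped to members of that group
    rather than to an address range.
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            services = _exposed_services(*_port_range(perm))
            if not services:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not _is_trusted(cidr, trusted):
                    findings.append((sg["GroupId"], cidr, services))
    return findings


# Constructed sample: a correctly scoped DC group and a badly exposed one.
SAMPLE_GROUPS = [
    {"GroupId": "sg-dc0001", "IpPermissions": [
        # Kerberos and LDAP from the VPC and the on-premises range: fine.
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "192.168.10.0/24"}]},
        # RDP only from the jumpbox security group: fine.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-jump01"}]},
    ]},
    {"GroupId": "sg-dc0002", "IpPermissions": [
        # RDP open to the world: finding.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # All traffic from a range that is not in the trusted list: finding.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]
TRUSTED_CIDRS = ["10.0.0.0/16", "192.168.0.0/16"]  # assumed VPC CIDR and on-premises range

if __name__ == "__main__":
    for group_id, cidr, services in audit_dc_security_groups(SAMPLE_GROUPS, TRUSTED_CIDRS):
        print("%s: %s can reach %s" % (group_id, cidr, ", ".join(services)))
```

Run against live data by passing the "SecurityGroups" list from boto3 for the groups attached to your domain controllers; an empty result means every AD port is reachable only from trusted ranges or from referenced security groups such as the jumpboxes.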
19. Sites, Subnets, VPCs, and Replication
• AD Sites Look a lot like AZs
• DC Replication is based on AD Sites
• Clients find DCs based on site assignment
• Manual creation of connection objects limits flexibility
20. The Role of RODCs
Characteristic | RODC | Writeable DC
AD Database Access | Read-only; certain write operations are forwarded to a writable DC and referrals can be given | All operations supported
Data Replication | Inbound only: replicates data FROM a writable DC, never outbound | Replicates all changes
Data Stored in DB | Contains a copy of all data except credentials and similar secret attributes | Complete copy of the entire database
Administration | Administration can be delegated to non-Domain Admins | Only a Domain Admin can administer
22. What is the AWS Directory Service
• Managed Directories hosted in the cloud
• Two Types of Directories: AD Connector and Simple AD
• AD Connector connects your on-premises Microsoft Active Directory to AWS
• Simple AD is a managed, standalone directory on AWS
– Offers Microsoft Active Directory compatibility for common features
• Benefits
– End users can access AWS applications using common credentials
– IT can manage AWS resources via the AWS Management Console using common credentials
– Enables automatic Domain Join for Amazon EC2 Windows Instances
23. AWS Directory Service
• Easy Provisioning
– Three-step wizard to create either type of directory
– Ready for use in minutes
• Managed
– Patch Management
– Host and replication monitoring
– API Performance monitoring
• Auditing and Logging
– Standard audits for authentication success and failures
– Viewable using Windows Event Log tools
– Applies to Simple AD only
24. AD Connector
• Directory gateway to your on-premises Active Directory infrastructure
– Uses the AWS VPN gateway or AWS Direct Connect
• Integrates with your RADIUS multi-factor authentication (MFA) to provide increased security
• End users can access Amazon WorkSpaces and Amazon Zocalo with existing corporate credentials
• IT staff can manage AWS resources via the AWS Management Console using their corporate credentials
• Enables automatic domain joining of Amazon EC2 Windows instances on launch via AD Connector
25. Simple AD
• Managed directory hosted in the AWS cloud
– Powered by Samba 4 Active Directory Compatible Server
• Microsoft Active Directory compatibility to simplify operating and managing EC2 Windows applications and workloads
– Users and Groups
– Domain joining computers
– Kerberos-based SSO
– Group Policy support
• Simple AD user accounts can be used to access Amazon WorkSpaces and Amazon Zocalo
• IT staff can manage AWS resources via the AWS Management Console using their Simple AD credentials
• Automatic joining of Amazon EC2 Windows instances to Simple AD
26. AWS Directory Services Security and Availability
• Security
– Directory is isolated to your VPC
– AD Connector uses the existing industry-standard encrypted IPsec VPN
– RADIUS MFA support
– Domain join support for Amazon EC2 Windows instances
– Consistent policy enforcement
• Strong password and account lockout policies enforced consistently
• Group Policies
• Highly Reliable and Available
– Two replicated directory servers in two Availability Zones by default
– Automatic host replacement
– Automatic daily snapshots for Simple AD
28. Microsoft Quick Starts
• Web Application Proxy and Active Directory Federation Services
• Lync Server 2013
• Exchange Server 2013
• Windows PowerShell DSC
• SharePoint Server 2013
• SQL Server 2012 and 2014 with WSFC
• Remote Desktop Gateway
• Active Directory Domain Services
https://aws.amazon.com/quickstart/
29. Where Can I learn More?
• AWS Directory Services
• Microsoft Pages on AWS
• Microsoft Whitepapers on AWS
• Windows FAQ on AWS
• Microsoft License Mobility on AWS