1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
AWS Directory Service for Microsoft Active Directory Deep Dive
Ron Cully, Manager of Product Management
November 27, 2017
WIN403
2. Migrate Windows Workloads While Refactoring
Migration path
Implementing an Identity Strategy for Amazon Web Services
3. Options for AD-aware Cloud Workloads
Option 1: On-premises Windows Server domain controller (DC) running AD. You manage it.
Option 2: EC2 for Windows Server DC running AD in your VPC. You manage it.
Option 3: AWS Microsoft AD, reached from your VPC through a VPC endpoint. AWS manages it.
Option 3 is AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD.
4. Options for AD-aware Cloud Workloads
This session covers option 3: AWS Directory Service for Microsoft Active Directory (also known as AWS Managed Microsoft AD), which AWS manages and which your VPC reaches through a VPC endpoint.
• What AWS Managed Microsoft AD is
• Shared responsibilities
• Deployment models
• How to set it up
• How to configure and administer
• AWS applications support and use cases
5. What AWS Managed Microsoft AD Is
AWS managed, actual Microsoft Active Directory with Windows 2012 R2 domain controllers (DCs)
• ~3-click setup from the Directory Service console, or script it through the API
• 2 DCs, each in a separate Availability Zone (AZ)
• Scale out with additional DCs
• Dynamic DNS
• Compliance audited
[Diagram: in each Availability Zone, a private subnet (10.0.2.0/24 in the diagram) holds an AWS Managed Microsoft AD DC, operated by AWS managed services, serving auth/LDAP to EC2 app servers and EC2 IIS servers.]
6. AWS Managed Microsoft AD: Shared Responsibilities
Customer administers:
• Configure password policies
• Configure trusts (resource forest deployment)
• Configure certificate authorities (for LDAPS)
• Configure federation
• Administer users, groups, GPOs, and other AD content
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Add domain controllers as needed
Amazon operates:
• Multi-AZ deployment, patching, monitoring, DC recovery, snapshot, and restore
[Diagram: AWS Managed Microsoft AD DCs in private subnets across Availability Zones serving auth/LDAP to EC2 app and IIS servers, as on slide 5.]
7. AWS Managed Microsoft AD: Two Editions
                         Enterprise Edition     Standard Edition
Storage capacity         17 GB                  1 GB
Performance optimized    100,000+ employees     Up to ~5,000 employees
Enterprise Edition = Standard Edition plus enterprise features (currently the same features)
Priced per DC per hour (2 DC minimum)
30-day limited free trial
8. Deployment Models
• Resource directory: AWS Managed Microsoft AD used as a resource directory alongside a primary directory, which is a Microsoft Windows Server DC running AD in your on-premises data center or on EC2 Windows in your VPC.
• Primary directory: AWS Managed Microsoft AD is the primary directory itself.
9. Prerequisites You Must Create
• Virtual Private Cloud (VPC)
• Two subnets in different AZs (10.0.2.0/24 and 10.0.3.0/24 in the diagram)
• Optional on-premises link to your data center, via either:
  • Virtual Private Network (VPN)
  • Amazon Direct Connect
docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
10. During Creation, AWS Creates…
• 2 DCs with Dynamic DNS
• Elastic network interfaces in your subnets
• One AWS security group
[Diagram: one AWS Managed Microsoft AD DC in each Availability Zone subnet (10.0.2.0/24 and 10.0.3.0/24), with the optional VPN or Direct Connect link to the on-premises data center.]
docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
11. During Creation, AWS Creates…
• 2 DCs with Dynamic DNS
• Elastic network interfaces in your subnets
• One AWS security group. Callouts on this security group:
  • Don't use it on other instances
  • You can edit it
  • Broad for your internal non-RFC 1918 addresses
  • Used only in your private VPC
docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
12. Best Practice After Creation
• Key-pair (PEM) file
• EC2 Windows instance (install the AD administration tools)
• DHCP option sets
• AWS security group
• IAM role/policy for EC2 (AmazonEC2RoleforSSM)
[Diagram: the two-AZ layout from slide 10 with a DHCP option set and an EC2 instance running the AD admin tools added.]
docs.aws.amazon.com/directoryservice/latest/admin-guide/tutorials_ad_test_labs.html
13. Configure Management Instance
Step 1: RDP to the instance as yourdomain\admin
Step 2: Add features: Group Policy Management; AD DS and AD LDS Tools; DNS Server Tools
Step 3: Verify the tools were added: Active Directory Administrative Center, Active Directory Domains and Trusts, Active Directory Module for Windows PowerShell, Active Directory Sites and Services, Active Directory Users and Computers, ADSI Edit, DNS, Group Policy Management
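Steps 2 and 3 can be scripted instead of clicked through in Server Manager. The following PowerShell is an added example, not part of the deck: it assumes the Windows Server feature names GPMC, RSAT-AD-Tools and RSAT-DNS-Server (which correspond to the three features listed) and the function names are mine.

```powershell
# Added example, not from the deck: installs the three feature groups from step 2
# and verifies the tools from step 3. Run in an elevated PowerShell session on the
# EC2 Windows management instance after the RDP login as the domain admin.
# Assumes Windows Server 2012 R2 or later (ServerManager module present).
Import-Module ServerManager

# Windows feature names for the three items on the slide.
$AdToolFeatures = @(
    'GPMC',             # Group Policy Management
    'RSAT-AD-Tools',    # AD DS and AD LDS Tools (ADAC, ADUC, Domains and Trusts,
                        # Sites and Services, ADSI Edit, AD PowerShell module)
    'RSAT-DNS-Server'   # DNS Server Tools
)

function Install-AdManagementTools {
    param([string[]]$FeatureNames = $AdToolFeatures)
    # -IncludeAllSubFeature pulls in every RSAT-AD-Tools sub-feature checked in step 3.
    $result = Install-WindowsFeature -Name $FeatureNames -IncludeAllSubFeature
    if (-not $result.Success) {
        throw "Feature installation failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -ne 'No') {
        Write-Warning 'Restart the instance to complete the installation.'
    }
    return $result
}

function Test-AdManagementTools {
    param([string[]]$FeatureNames = $AdToolFeatures)
    # Get-WindowsFeature reports an Installed flag per feature.
    $missing = Get-WindowsFeature -Name $FeatureNames | Where-Object { -not $_.Installed }
    if ($missing) {
        Write-Warning ('Not installed: ' + ($missing.Name -join ', '))
        return $false
    }
    return $true
}

Install-AdManagementTools | Out-Null
if (Test-AdManagementTools) {
    # Confirms the AD module can reach the managed domain: both DCs should be listed.
    Import-Module ActiveDirectory
    Get-ADDomainController -Filter * | Select-Object HostName, Site, IPv4Address
}
```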
14. How to Administer AWS Managed Microsoft AD
15. Managing from AD Administration Tools
[Diagram: the directory tree as shown in the AD administration tools, labelled Domain, "administrator", OU "admin", and Customer.]
16. Managing from AD Administration Tools
[Diagram: OU "admin" and the Customer OU.]
Add an OU, and add on-premises users/groups to the reserved security groups.
17-26. Managing from AWS Directory Service Console
27. AWS Application Support and Use Cases With AWS Managed Microsoft AD
28. AWS Managed Microsoft AD as a Primary Directory
[Diagram, with the AWS Managed Microsoft AD directory at the center:]
• AWS apps & services (enable, authenticate, & authorize): Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, AWS Management Console, Amazon Chime, Amazon Connect
• AD-aware workloads on Amazon EC2 (domain join & manage Amazon Windows EC2 instances and Amazon Linux EC2 instances): .NET applications server, SharePoint Server, SQL Server, Remote Desktop Licensing Manager, Enterprise Certificate Authority (Certificate Services)
• SaaS applications through Azure AD: an AD FS server for SAML authentication (federate) and an Azure AD Connect server to synchronize users (ADSync)
• Administer users & groups (manage, authenticate, & authorize)
Enabling features
• Delegated administration for built-in groups
• RAS and IAS servers (Network Policy Server)
• Terminal Server Licensing Servers (Remote Desktop Licensing Manager)
• Schema extensions
• Group Managed Service Accounts (gMSA)
• Kerberos Constrained Delegation
• Register for change notifications
• Add Microsoft Enterprise CA
• Enable LDAPS
29. AWS Managed Microsoft AD as a Resource Directory
[Diagram, as on slide 28, but with on-premises Microsoft Active Directory as the primary directory:]
• On-premises Microsoft Active Directory in the corporate data center holds the on-premises user credentials; the data center connects to the VPC over VPN or Direct Connect, with a trust to AWS Managed Microsoft AD (resource forest deployment)
• AWS apps & services (enable, authenticate, & authorize): Amazon WorkSpaces, RDS for SQL Server, Amazon WorkDocs, Amazon WorkMail, Amazon QuickSight, AWS Management Console, Amazon Chime, Amazon Connect
• AD-aware workloads on Amazon EC2 (Amazon Windows EC2 instances and Amazon Linux EC2 instances): .NET applications server, SharePoint Server, SQL Server, Remote Desktop Licensing Manager, Enterprise Certificate Authority (Certificate Services)
• SaaS applications through Azure AD: AD FS server (SAML authenticate) and Azure AD Connect server (synchronize users)
• Manage, authenticate, & authorize
30. Forest trusts
Time tested, secure model:
• The trusting forest has no admin control over the trusted forest
• Trusted users have cloud resource access, but only if entitled by trusting admins (you control both sides)
• Cloud identities have no access to on-premises resources unless:
  1. On-premises trusts the cloud AND
  2. On-premises admins grant permissions to identities in the cloud
[Diagram: the AWS Managed Microsoft AD DC in the VPC (trusting, cloud) trusts the Windows AD DC on the on-premises network (trusted). Access entitlements are placed on a domain local security group in the cloud; a universal security group from on-premises is given access through it.]
31. Securing trusts
• Leave SID filtering on (Windows default)
• Use selective authentication (on-premises side of the trust)
  • https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx#w2k3tr_trust_security_zyzk
  • Don't grant AD groups from the cloud access to on-premises resources
• Open only the ports needed for AD trust communications between DCs
  • https://technet.microsoft.com/en-us/library/cc756944(v=ws.10).aspx
• Open the ports needed for AD authentication from the cloud to on-premises AD (e.g., WorkSpaces login using on-premises credentials); minimize all other ports from the cloud to on-premises
  • https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts
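The first two points (SID filtering left on, selective authentication enabled) can be audited from the on-premises side with the Active Directory PowerShell module. The script below is an added example, not from the deck: it reads trust objects with Get-ADTrust and reports the settings the slide calls out; the function name, the optional -Server parameter and the findings wording are mine, and the 0x40 bit is TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL from the MS-ADTS trustAttributes definition.

```powershell
# Added example, not from the deck: read-only audit of the trusts defined in the
# on-premises forest against the points on this slide. Assumes the ActiveDirectory
# RSAT module and read access to the trust objects; it changes nothing.
Import-Module ActiveDirectory

# trustAttributes bit that makes a forest trust SID-filter like an external trust
# (TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL in MS-ADTS), i.e. relaxed SID filtering.
$TreatAsExternal = 0x40

function Get-TrustSecurityReport {
    param([string]$Server)   # optional DC to query; default is the current domain
    $query = @{ Filter = '*' }
    if ($Server) { $query['Server'] = $Server }

    foreach ($t in Get-ADTrust @query) {
        $findings = @()
        if (-not $t.SelectiveAuthentication) {
            $findings += 'selective authentication is off'
        }
        # External (non-forest) trusts: SID filtering is the quarantine flag.
        if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) is off on this external trust'
        }
        if ($t.ForestTransitive -and ($t.TrustAttributes -band $TreatAsExternal)) {
            $findings += 'forest trust is treated as external (relaxed SID filtering)'
        }
        # Seen from on-premises, Outbound or BiDirectional means this forest trusts
        # the partner: condition 1 on the forest trusts slide for cloud identities
        # reaching on-premises resources, so review who has been granted access.
        if ($t.Direction -ne 'Inbound') {
            $findings += "direction is $($t.Direction): this forest trusts $($t.Target)"
        }
        [pscustomobject]@{
            Target                  = $t.Target
            Direction               = $t.Direction
            ForestTrust             = $t.ForestTransitive
            SelectiveAuthentication = $t.SelectiveAuthentication
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            Findings                = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TrustSecurityReport | Format-List
```

Run it on an on-premises DC (or pass -Server) and compare the Findings column with the slide; a report of 'none' on an Inbound forest trust matches the recommended resource-forest setup.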
32. VPC and Account Considerations
[Diagram: a single AWS Managed Microsoft AD (DC) serving AWS apps in Account 1 and Account 2 (QuickSight, Chime, WorkDocs, WorkMail, AWS Console, Amazon Connect) and workloads across VPC 1, VPC 2, and VPC 3: EC2 instances joined manually, WorkSpaces and RDS for SQL Server in each of two VPCs, and EC2 seamless domain join in VPC 3.]
33. Options for Multiple VPC With Trusts
Option 1: a separate AWS Managed Microsoft AD (DC) in each VPC (VPC 1, VPC 2), each with its own trust to the on-premises Microsoft Active Directory in the corporate data center (on-premises user credentials)
+ Preserves VPC boundaries
+ Billing goes to VPC owner
- Costs more
Option 2: one AWS Managed Microsoft AD shared by VPC 1, VPC 2, and VPC 3 across Account 1 and Account 2, with EC2 manual domain join, tags (Tag1, Tag2, Tag3) for cost allocation, and a single trust to the on-premises Microsoft Active Directory
+ Saves money
+ Enables cost allocation
- Crosses VPC boundaries
34. Reference information
Documentation
• AWS Directory Service—aws.amazon.com/directoryservice
• AWS Security Blog—aws.amazon.com/blogs/security/ (search for “AWS Managed Microsoft AD”)
• AWS What’s New—aws.amazon.com/new/ (Security, Identity & Compliance)
• AWS Managed Microsoft AD—aws.amazon.com/documentation/directory-service/
• RDS for SQL Server—aws.amazon.com/documentation/rds/
AWS Quick Starts—aws.amazon.com/quickstart/
• Active Directory Domain Services
• Exchange Server 2013
• SharePoint Server 2016 Enterprise
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• Windows PowerShell DSC
35. Other 2017 AWS re:Invent Sessions with AD
AWS Managed Microsoft AD Topics
• WIN302: Deep Dive on Active Directory—From One to Many AWS Regions
• WIN310: Integrating AWS Managed Active Directory into Office 365
• WIN311: Unified Access Management with AWS Managed Services for Microsoft Active Directory
• SID202: Deep-dive on how Capital One Automates the Delivery of Directory Services Across AWS Accounts
Other AD related topics
• WIN204: Simplifying Microsoft Architectures with AWS
• WIN302: Deep Dive on Active Directory—From One to Many AWS Regions
• WIN309: How to Optimize AWS Architectures for SharePoint Deployments
• WIN401: Migrating Microsoft Applications to AWS
• ARC324: Building Manageable Windows Workloads
• BAP303: Migrate Your Desktops to Amazon WorkSpaces
• BAP312: Network Configuration, Identity Management, and Device Authentication Considerations for Amazon WorkSpaces
• BAP315: Amazon Chime Deployment Topics: Using Active Directory with Amazon Chime
• CMP214: Simplifying Microsoft Architectures with AWS
• ENT325: Migrating Your Microsoft Applications to AWS
• ENT329: End-User Computing on AWS with Amazon WorkSpaces and Amazon AppStream 2.0
• GPSCT314: GPS: Running Microsoft Workloads on AWS: Tips from the Pros
36. Thank you!