AWS Directory Service Simple AD: a Cloud Active Directory!
AWS Directory Service Simple AD lets you quickly integrate Amazon EC2 Windows instances with your domain, giving your directory users and groups broad access.
AWS Directory Service is a recent addition to Amazon’s managed services portfolio. As a PaaS, it offers a way for Microsoft Active Directory (AD) based applications to connect to a pre-built directory server in the AWS cloud. This frees the system administrator from having to build an AD from scratch.
Most companies using Active Directory – or another LDAP-compliant server – for identity management would typically run their directory servers on-premises. Even when the infrastructure is fully hosted in AWS, one or more EC2 Windows Servers would be custom-configured as Domain Controllers (DCs) in a forest, and major services like email, databases or antivirus would use those directories for authentication and group policies. A standard fault tolerance method would be to use two DCs replicating between two Availability Zones (AZs).
With AWS Directory Service, this model goes one step further. Here, Amazon automatically creates and manages the entire directory for customers. It’s the same model followed in other managed services like RDS, DynamoDB or CodeCommit: there is no access to the underlying machine or its operating system because Amazon takes care of all the hard work. Users simply connect to the service endpoint with a client tool.
Directory Service comes in two flavours:
Simple AD: AWS creates an Active Directory from scratch with Simple AD. This is the easiest way of starting a domain-based network.
AD Connector: This is for customers who want to keep their on-premises Active Directory server. AD Connector works like a proxy. Any authentication request from your cloud network is forwarded to the on-premises Active Directory. Users authenticated by your on-premises AD can seamlessly access AWS-hosted resources based on their privileges.
AWS Directory Service Simple AD: benefits
Both Simple AD and AD Connector offer some great benefits for end users:
No Manual Setup: Setting up an Active Directory infrastructure is not a trivial matter. Network administrators have to think about the forest, domains, placing primary and backup Domain Controllers in the subnets, DNS, opening up network ports…among many other things. With Simple AD, that worry is gone. Like so many other AWS services, a few clicks gets you started.
Automatic Fault Tolerance: With Simple AD, AWS will automatically create a Backup Domain Controller in a secondary AZ. In fact, it’s a requirement for the VPC of the Simple AD to have at least two subnets in two different AZs.
Automated Backup: AWS will automatically create a snapshot of the directory once every day. You can create your own snapshots too. Unfortunately, unlike RDS or EC2 snapshots, AWS Simple AD allows only five days’ worth of backups. However, you can always send a request to AWS to raise this limit. Snapshots can be invaluable when you want to recover from a critical error.
Simple Security Group Configuration: For AWS-hosted Active Directories to communicate with the rest of the network, a number of ports have to be enabled. Remembering to open up all these ports can be a difficult matter for the network administrator. AWS Directory Service takes away that headache by creating and assigning a Security Group with custom rules to the directory’s domain controllers. You should still review those rules after creation, since this group decides which hosts can reach your domain controllers, and tighten any source range that is wider than your VPC or client networks.
Domain Joining Made Easy: It’s easy to add new Windows EC2 instances to the Simple AD, either when the instance is created or afterwards.
Catering for Windows and Linux: AWS calls its Simple AD a “Microsoft Active Directory compatible directory service”. Simple AD is based on Samba 4, which means it may be used to authenticate both Windows and Linux servers.
Integration with other AWS Applications: AWS offers a number of applications for corporate office workloads. These include Amazon WorkSpaces for a virtual desktop fleet, WorkDocs for document management and sharing, and WorkMail for low-cost e-mail infrastructure. Each service requires authentication and access control for users. Simple AD can provide that authentication.
Single Sign-on for Console Users: With Directory Service, IT staff can access the AWS console with Single Sign-on. The current method of using IAM users, roles and policies requires each individual sysadmin to have their own set of credentials. Directory Service can integrate with IAM roles, so once domain users authenticate with the AD, they can access the console seamlessly.
Creating an AWS Directory Service Simple AD
Setting up a Simple AD is easy. As you can see in the screenshots below, we are creating our Simple AD within a previously created Virtual Private Cloud (VPC). We named our VPC “AD-VPC”. It has two subnets with different IP ranges.
Next, start the wizard from the AWS Directory Service Console.
The first step asks you to choose the type of directory. We will be creating a directory from scratch, so we will click on the Create Simple AD button.
In the next screen, provide the details:
The Fully Qualified Domain Name (FQDN) for the directory. We are naming it global.mycompany.com.
The NetBIOS name is just the shorthand name for the FQDN: in this case it is global.
The next two fields set the password of the built-in Administrator account, the account used to manage the directory. Store this password securely (in a password manager or your usual secrets store), because it is the most privileged credential in the directory and you will need it again, together with the account name (Administrator), when joining an instance to the domain.
A description of the directory
Specify the size of the directory. We are choosing a small size here. Small directories support up to 500 users (roughly 2,000 objects in total, counting users, groups and computers). Large directories support up to 5,000 users (roughly 20,000 objects).
Name of the VPC and its subnets where the AD is to be created.
The next screen gives you a chance to review the options. Note the message about charges. Amazon gives you 750 hours of free usage if you are creating a small-size Simple AD for the first time. After that, charges will accrue. However, if you look at the pricing, it’s quite reasonable: a small-size Simple AD can cost as little as US$ 0.05 per hour.
Click on the “Create Simple AD” button. This will take you to the Directory Services console. As you can see, the status is shown as “Requested”. The status will eventually change from “Requested” to “Creating”, and after some more time, to “Active”. You will then have your first Active Directory in the cloud.
Once the directory is ready, you can click on the Directory ID link. This will take you to a new screen where more details are shown. For now, don’t worry about creating an access URL, snapshots, or enabling AWS Services and Apps. Instead, just note the DNS address field, which shows two IP addresses. These are the two DNS servers automatically created in two subnets for your Active Directory.
The EC2 servers in the VPC that we want to join to this directory will need to use the Active Directory’s DNS servers to resolve domain names. The best way to do this is to create a custom DHCP Option Set and attach it to the VPC. That DHCP Option Set will use the DNS addresses we just saw. In the following image, we are creating a custom DHCP Option Set – you can find the link for this in the VPC Console. Here we must provide a name tag, the FQDN of the domain we just created and its DNS addresses. The rest of the fields can be left blank. Once created, attach the DHCP Option Set to the VPC.
We talked about how AWS Directory Service creates a Security Group with custom rules. In the following screenshot, we see this Security Group in the VPC:
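The same setup can be scripted. The block below is an added example and not code from the original article: it uses the AWS CLI from a PowerShell 3.0 or later prompt on an administrator’s workstation to create the Simple AD described above, wait for it to become Active, build and attach the DHCP Option Set from the DNS addresses the API reports, and then list the inbound rules of the Security Group the service created so that anything open to 0.0.0.0/0 stands out. The VPC and subnet IDs are placeholders for your own AD-VPC; the domain and NetBIOS names are the ones used in the walkthrough.

```powershell
# Added example, not code from the original article. Creates the Simple AD from the
# steps above with the AWS CLI, attaches a DHCP option set built from the directory's
# DNS servers, and lists the inbound rules of the security group the service created.
# Assumptions: AWS CLI installed and configured; PowerShell 3.0+; the IDs below are
# placeholders for your own AD-VPC.
$ErrorActionPreference = 'Stop'
$Domain  = 'global.mycompany.com'
$VpcId   = 'vpc-0123456789abcdef0'                                   # placeholder
$Subnets = @('subnet-0aaaaaaaaaaaaaaa0', 'subnet-0bbbbbbbbbbbbbbb0') # placeholders, one per AZ

function Invoke-AwsJson([string[]]$CliArgs) {
    # Run the CLI and parse its JSON output into objects.
    (& aws @CliArgs --output json) -join "`n" | ConvertFrom-Json
}

# Prompt for the Administrator password rather than hard-coding it. The CLI still
# receives it as a process argument, so run this on a trusted workstation only.
$cred  = Get-Credential -UserName 'Administrator' -Message 'Simple AD Administrator password'
$plain = $cred.GetNetworkCredential().Password

$dirId = (Invoke-AwsJson @('ds', 'create-directory',
    '--name', $Domain, '--short-name', 'global',
    '--password', $plain, '--size', 'Small',
    '--description', 'Simple AD for AD-VPC',
    '--vpc-settings', "VpcId=$VpcId,SubnetIds=$($Subnets -join ',')")).DirectoryId
$plain = $null

# Poll until the directory is Active (Requested -> Creating -> Active).
do {
    Start-Sleep -Seconds 30
    $dir = (Invoke-AwsJson @('ds', 'describe-directories', '--directory-ids', $dirId)).DirectoryDescriptions[0]
    Write-Host "$dirId stage: $($dir.Stage)"
} while ($dir.Stage -notin @('Active', 'Failed'))
if ($dir.Stage -ne 'Active') { throw "Directory $dirId ended in stage $($dir.Stage)" }

# DHCP option set: the domain name plus the two DNS servers the directory reports.
$dnsList = $dir.DnsIpAddrs -join ','
$doptId = (Invoke-AwsJson @('ec2', 'create-dhcp-options', '--dhcp-configurations',
    "Key=domain-name,Values=$Domain", "Key=domain-name-servers,Values=$dnsList")).DhcpOptions.DhcpOptionsId
& aws ec2 create-tags --resources $doptId --tags "Key=Name,Value=$Domain-dhcp"
& aws ec2 associate-dhcp-options --dhcp-options-id $doptId --vpc-id $VpcId
Write-Host "VPC $VpcId now hands out DNS $dnsList for $Domain (option set $doptId)"

# Review the security group the service attached to the domain controllers.
# Anything reachable from 0.0.0.0/0 should be narrowed to your VPC or client ranges.
$sgId = $dir.VpcSettings.SecurityGroupId
$sg   = (Invoke-AwsJson @('ec2', 'describe-security-groups', '--group-ids', $sgId)).SecurityGroups[0]
Write-Host "Inbound rules of $sgId ($($sg.GroupName)):"
foreach ($perm in $sg.IpPermissions) {
    $ports = if ($perm.IpProtocol -eq '-1') { 'all' } elseif ($perm.FromPort -eq $perm.ToPort) { "$($perm.FromPort)" } else { "$($perm.FromPort)-$($perm.ToPort)" }
    foreach ($range in $perm.IpRanges) {
        $warn = if ($range.CidrIp -eq '0.0.0.0/0') { '   <-- open to the Internet' } else { '' }
        Write-Host ('  {0,-4} {1,-12} {2}{3}' -f $perm.IpProtocol, $ports, $range.CidrIp, $warn)
    }
    # Rules whose source is another security group (UserIdGroupPairs) are not printed here.
}
```

The DNS addresses are taken from the DescribeDirectories response rather than typed in, so the option set cannot drift from what the directory actually uses. The final loop only reports; deciding which CIDRs are acceptable for ports such as 53, 88, 389 and 445 is a judgement that depends on where your domain members live, which is why the rule list is printed rather than edited automatically.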
Joining a Windows Server to AWS Directory Service Simple AD
Now that your Simple AD is created, you need to be able to manage it. For that, you will need to:
Create a Windows EC2 server (or choose an existing Windows server) in the same VPC.
Join the EC2 server to the new domain.
Install the Active Directory tool set.
Amazon strongly recommends using a Windows Server 2008 machine for managing AD. There is a known incompatibility between Simple AD and Windows Server 2012 when it comes to creating users and groups. It’s best to stay safe.
In the image below, we are changing the DNS details of a Windows Server 2008 R2 instance by pointing it to the Simple AD.
We are also adding the machine to the domain from its computer properties (System Properties, Computer Name tab). When the dialog box asks for credentials, the username should be Administrator and the password should be what was provided when the AD was created.
Once the configuration completes and the machine reboots, you need to provide the same credentials to remotely log into it. In our case, the user account is GLOBAL.MYCOMPANY.COM\Administrator and the password is what we provided before.
From the computer properties, you can see the server has become part of the Simple AD.
The next step is installing the Active Directory management tools. From the Server Manager, choose the “Add Features” option and install the Active Directory Domain Services Tools and the Active Directory Lightweight Directory Services Tools (found under Remote Server Administration Tools).
Once completed, you will find the regular applications accessible from the Start Menu under Administrative Tools. From here on, you can manage user, groups, and organizational units (OUs) in your Active Directory.
The process of joining to AWS Simple AD remains the same for other Windows servers in your VPC.
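The join procedure above, scripted. This is an added example and not code from the original article: it runs from an elevated PowerShell prompt on a Windows Server 2008 R2 instance in the AD-VPC (PowerShell 2.0 is sufficient, which is why it uses netsh and nslookup rather than newer cmdlets). It sets the DNS servers, checks that a domain controller can actually be located before attempting the join, joins the domain prompting for the Administrator credential, and, after the reboot, installs the tools and verifies the machine account. The DNS addresses and adapter name are placeholders; take the real ones from the directory’s detail page and from ipconfig.

```powershell
# Added example, not code from the original article: the join procedure above, run
# from an elevated PowerShell prompt on a Windows Server 2008 R2 instance in the AD-VPC.
# DNS addresses and the interface name are placeholders.
$ErrorActionPreference = 'Stop'
$Domain = 'global.mycompany.com'
$DnsIps = @('10.0.0.10', '10.0.1.10')   # placeholders: the two "DNS address" values of the directory
$Nic    = 'Local Area Connection'        # default adapter name on 2008 R2; check with ipconfig

# --- Part 1: before the join ---------------------------------------------------
# 1. Point the instance at the directory's DNS servers. This mirrors the manual change
#    in the screenshot; it is unnecessary if the VPC already carries the Simple AD DHCP
#    option set, because DHCP then supplies these addresses.
netsh interface ipv4 set dnsservers name="$Nic" source=static address=$($DnsIps[0]) register=primary
netsh interface ipv4 add dnsservers name="$Nic" address=$($DnsIps[1]) index=2

# 2. Check that a domain controller can be located. If this fails, the join fails too,
#    usually with a less helpful error.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
if ($srv -notmatch 'svr hostname') { throw "No domain controller SRV record found for $Domain; check DNS" }

# 3. Join the domain. Prompt for the Administrator password instead of embedding it in
#    the script; this is the same credential the dialog in the screenshot asks for.
$cred = Get-Credential "$Domain\Administrator"
Add-Computer -DomainName $Domain -Credential $cred
Restart-Computer -Force

# --- Part 2: after the reboot, logged in as GLOBAL.MYCOMPANY.COM\Administrator ----
# 4. Install the AD DS snap-ins (Users and Computers, ADSI Edit), the AD LDS tools and
#    the ActiveDirectory PowerShell module; parent RSAT features are pulled in as needed.
Import-Module ServerManager
Add-WindowsFeature RSAT-ADDS-Tools, RSAT-ADLDS, RSAT-AD-PowerShell

# 5. Verify the join: the machine account's secure channel to a DC must be healthy and
#    the computer object must exist in the directory.
if (-not (Test-ComputerSecureChannel)) { throw 'Secure channel to the domain is broken' }
Import-Module ActiveDirectory
Get-ADComputer -Identity $env:COMPUTERNAME | Select-Object Name, DistinguishedName, Enabled
```

Run Part 1 first; the instance reboots at the end of it, so Part 2 is a second session. If you have not attached the DHCP Option Set to the VPC, step 1 is what keeps the instance resolving the domain after the reboot; if you have, you can leave the adapter on DHCP and skip those two netsh lines.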
Joining a Linux Server to AWS Directory Service Simple AD
Perhaps one of the selling points of Simple AD is that it can serve as a central directory for both Windows and Linux servers. This makes it simpler for Linux-based users and services. AD users can connect to the Linux instance with their existing credentials. There is no need to create extra user accounts or SSH keys. This feature is applicable only to specific newer versions of Linux, though:
RHEL and CentOS Version 7.x
Amazon Linux AMI 2015.03
This means you can’t join your existing instances of Ubuntu 12 or RHEL 6.x to a Simple AD.
AWS Simple AD Limitations
Companies may feel reluctant to move to a managed directory service for a few typical reasons:
AWS documentation shows only three Windows Server applications have been tested for Simple AD: IIS, SharePoint and SQL Server (up to Standard Edition). It makes no mention of Exchange, which perhaps can be expected given Amazon would try to promote its own e-mail gateway: AWS WorkMail. However, other applications depending on Active Directory services need to be tested for functionality and integration before deploying. This includes applications like antivirus servers or Windows Server Update Service (WSUS).
With Simple AD supporting a small number of applications, companies with established e-mail gateways, document sharing tools, and virtual desktop fleets may want to stay with their existing directory infrastructure.
Each Simple AD is a standalone domain controller and the root domain of its forest. You cannot add other Simple ADs as child domains of a forest root. We also have not been able to add standalone EC2-based domain controllers as child domains. This means Simple AD based infrastructure may not allow domain trusts or multiple domains (DEV, PRD etc.) under one root (MYCOMPANY.COM).
Some companies dealing with sensitive information may find it incompatible with their data security compliance requirements and legacy policies.
There is inherent complexity in AD Connector. It requires a VPN (or AWS Direct Connect) connection between your on-premises network and the VPC. This becomes more complicated if you also want to use Multi-Factor Authentication.
Simple AD can provide some excellent value depending on your goals and objectives. Here are some use cases:
Creating a network for the PoC (Proof of Concept) of a small project. This is where an Active Directory with a quick setup may be used to great effect.
Setting up a small number of users (teams, departments, or people outside the company) with their own dedicated networks, applications and authentication. Again this may be extremely useful for ad-hoc or seasonal workloads.