
AWS Directory Service Simple AD: a Cloud Active Directory!

AWS Directory Service Simple AD lets you quickly integrate Amazon EC2 Windows instances with your domain, giving your directory users and groups broad access.

AWS Directory Service is a recent addition to Amazon’s managed services portfolio. As a PaaS, it offers a way for Microsoft Active Directory (AD) based applications to connect to a pre-built directory server in the AWS cloud. This frees the system administrator from having to build an AD from scratch.
Most companies using Active Directory – or another LDAP-compliant server – for identity management would typically run their directory servers on-premise. Even when the infrastructure is fully hosted in AWS, one or more EC2 Windows Servers would be custom-configured as Domain Controllers (DC) in a forest and major services like email, databases or antivirus would use those directories for authentication and group policies. A standard fault tolerance method would be to use two DCs replicating between two Availability Zones (AZs).
With AWS Directory Service, this model goes one step further. Here, Amazon automatically creates and manages the entire directory for customers. It’s the same model followed in other managed services like RDS, DynamoDB or Code Commit: there is no physical access to the underlying machine or its operating system because Amazon takes care of all the hard work. Users simply connect to the service endpoint with a client tool.
Directory Service comes in two flavours:

  • Simple AD: AWS creates an Active Directory from scratch with Simple AD. This is the easiest way of starting a domain-based network.
  • AD Connector: This is for customers who want to keep their on-premise Active Directory server. AD Connector works like a proxy. Any authentication request from your cloud network is sent to the on-premise Active Directory. Users authenticated by your on-premise AD can seamlessly access AWS-hosted resources based on their privileges.

AWS Directory Service Simple AD: benefits

Both Simple AD and AD Connector offer some great benefits for end users:

  • No Manual Setup: Setting up an Active Directory infrastructure is not a trivial matter. Network administrators have to think about the forest, domains, placing primary and backup Domain Controllers in the subnets, DNS, opening up network ports…among many other things. With Simple AD, that worry is gone. Like so many other AWS services, a few clicks gets you started.
  • Automatic Fault Tolerance: With Simple AD, AWS will automatically create a Backup Domain Controller in a secondary AZ. In fact, it’s a requirement for the VPC of the Simple AD to have at least two subnets in two different AZs.
  • Automated Backup: AWS will automatically create a snapshot of the directory once every day. You can create your own snapshots too. Unfortunately, unlike RDS or EC2 snapshots, AWS Simple AD allows only five days’ worth of backups. However, you can always send a request to AWS to raise this limit. Snapshots can be invaluable when you want to recover from a critical error.
  • Simple Security Group Configuration: For AWS-hosted Active Directories to communicate with the rest of the network, a number of ports have to be enabled. Remembering to open up all these ports can be a difficult matter for the network administrator. AWS Directory Service takes away that headache by creating and assigning Security Groups with custom rules. This allows a finer-grained control of your network.
  • Domain Joining Made Easy: It’s easy to add new Windows EC2 instances to the Simple AD, either when the instance is created or afterwards.
  • Catering for Windows and Linux: AWS calls its Simple AD a “Microsoft Active Directory compatible directory service”. Simple AD is based on Samba 4, which means it may be used to authenticate both Windows and Linux servers.
  • Integration with other AWS Applications: AWS offers a number of applications for corporate office workloads. These include Amazon WorkSpaces for a virtual desktop fleet, WorkDocs for document management and sharing, and WorkMail for low-cost e-mail infrastructure. Each service requires authentication and access control for users. Simple AD can provide that authentication.
  • Single Sign-on for Console Users: With Directory Service, IT staff can access the AWS console with Single Sign-on. The current method of using IAM users, roles and policies requires each individual sysadmin to have their own set of credentials. Directory Service can integrate with IAM roles, so once domain users authenticate with the AD, they can access the console seamlessly.

Creating an AWS Directory Service Simple AD

Setting up a Simple AD is easy. As you can see in the screenshots below, we are creating our Simple AD within a previously created Virtual Private Cloud (VPC). We named our VPC “AD-VPC”. It has two subnets with different IP ranges.

  • Primary-DC (10.0.1.0/24)
  • Backup-DC (10.0.2.0/24)

Next, start the wizard from the AWS Directory Service Console.

  1. The first step asks you to choose the type of directory. We will be creating a directory from scratch, so we will click on the Create Simple AD button.
  2. In the next screen, provide the details:
    • The Fully Qualified Domain Name (FQDN) for the directory. We are naming it global.mycompany.com.
    • The NetBIOS name is just the shorthand name for the FQDN: in this case it is global.
    • The next two fields are for the Administrator password. This is the account for managing the AD. This password needs to be stored securely. You will also need to know this account (Administrator) and its password when joining an instance to the domain.
    • A description of the directory
    • Specify the size of the domain. We are choosing a small size network here. Small domains can manage up to 2000 objects including 500 users, groups and computers each. With large directories, you may use up to 20,000 objects including 5000 users, groups, and computers each.
    • Name of the VPC and its subnets where the AD is to be created.
  3. The next screen gives you a chance to review the options. Note the message about charges. Amazon gives you 750 hours of free usage if you are creating a small-size Simple AD for the first time. After that, charges will accrue. However, if you look at the pricing, it’s quite reasonable: a small-size Simple AD can cost as little as US$ 0.05 per hour.
  4. Click on the “Create Simple AD” button. This will take you to the Directory Services console. As you can see, the status is shown as “Requested”. The status will eventually change from “Requested” to “Creating”, and after some more time, to “Active”. You will then have your first Active Directory in the cloud.
  5. Once the directory is ready, you can click on the Directory ID link. This will take you to a new screen where more details are shown. For now, don’t worry about creating an access URL, snapshots, or enabling AWS Services and Apps. Instead, just note the DNS address field, which shows two IP addresses. These are the two DNS servers automatically created in two subnets for your Active Directory.
  6. The EC2 servers in the VPC that we want to join to this directory will need to point to the Active Directory and its DNS servers for resolving their domain names. The best way to do this is to create a custom DHCP Option Set and attach it to the VPC. That DHCP Option Set will use the DNS details we just saw. In the following image, we are creating a custom DHCP Option Set – you can find the link for this in the VPC Console. From here we must provide a name tag, the FQDN of the domain we just created and its DNS addresses. The rest of the fields can be left blank. Once created, attach the DHCP Option Set to the VPC.
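As an added example (not the article's own code), here are the wizard inputs from step 2 and the DHCP Option Set from step 6 expressed as boto3 request parameters, with the two-subnets-in-two-AZs requirement from the benefits section checked before anything is created. The subnet ids, AZ names and DNS addresses are constructed placeholders; only the boto3 call names and parameter keys are real.

```python
"""Request builders for ds.create_directory() and ec2.create_dhcp_options().
Added example, not the article's code. SAMPLE_SUBNETS is a constructed
describe_subnets() result for the article's AD-VPC; ids and AZs are made up."""

# Primary-DC (10.0.1.0/24) and Backup-DC (10.0.2.0/24), one per AZ.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-primary-dc", "VpcId": "vpc-ad-vpc",
     "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "ap-southeast-2a"},
    {"SubnetId": "subnet-backup-dc", "VpcId": "vpc-ad-vpc",
     "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "ap-southeast-2b"},
]


def check_subnets(subnets, vpc_id):
    """Simple AD needs exactly two subnets of one VPC in two different AZs."""
    if len(subnets) != 2:
        raise ValueError("exactly two subnets are required")
    if any(s["VpcId"] != vpc_id for s in subnets):
        raise ValueError("every subnet must belong to " + vpc_id)
    if len({s["AvailabilityZone"] for s in subnets}) != 2:
        raise ValueError("subnets must sit in two different Availability Zones")
    return [s["SubnetId"] for s in subnets]


def create_directory_request(fqdn, password, subnets, vpc_id, size="Small",
                             description="", short_name=None):
    """Keyword arguments for ds.create_directory(). The caller fetches the
    Administrator password from a secrets store; it is never hard-coded here."""
    if size not in ("Small", "Large"):
        raise ValueError("size must be Small or Large")
    if not password:
        raise ValueError("Administrator password is required")
    return {
        "Name": fqdn,
        # NetBIOS name defaults to the first label of the FQDN (here: global)
        "ShortName": short_name or fqdn.split(".")[0],
        "Password": password,
        "Description": description,
        "Size": size,
        "VpcSettings": {"VpcId": vpc_id,
                        "SubnetIds": check_subnets(subnets, vpc_id)},
    }


def dhcp_options_request(fqdn, dns_ips):
    """Keyword arguments for ec2.create_dhcp_options(): the domain name plus
    the two DNS addresses shown on the directory details page (DnsIpAddrs)."""
    if len(dns_ips) != 2:
        raise ValueError("expected the directory's two DNS addresses")
    return {"DhcpConfigurations": [
        {"Key": "domain-name", "Values": [fqdn]},
        {"Key": "domain-name-servers", "Values": list(dns_ips)},
    ]}
```

Pass the returned dicts as `ds.create_directory(**req)` and `ec2.create_dhcp_options(**opts)`, then attach the option set with `ec2.associate_dhcp_options(DhcpOptionsId=..., VpcId=...)`.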

We talked about how AWS Directory Service creates a Security Group with custom rules. In the following screenshot, we see this Security Group in the VPC:

Joining a Windows Server to AWS Directory Service Simple AD

Now that your Simple AD is created, you need to be able to manage it. For that, you will need to:

  1. Create a Windows EC2 server (or choose an existing Windows server) in the same VPC.
  2. Join the EC2 server to the new domain.
  3. Install the Active Directory tool set.

Amazon strongly recommends using a Windows Server 2008 machine for managing AD. There is a known incompatibility between Simple AD and Windows Server 2012 when it comes to creating users and groups. It’s best to stay safe.
In the image below, we are changing the DNS details of a Windows Server 2008 R2 instance by pointing it to the Simple AD.
We are also adding the machine to the domain from its computer properties. When the dialog box asks for credentials, the username should be Administrator and the password should be what was provided when the AD was created.
Once the configuration completes and the machine reboots, you need to provide the same credentials to remotely log into it. In our case, the user account is GLOBAL.MYCOMPANY.COM\Administrator and the password is what we provided before.
From the computer properties, you can see the server has become part of the Simple AD.
The next step is installing the Active Directory management tools. From the Server Manager, choose the “Add Features” option and install the Active Directory Domain Services and Active Directory Lightweight Directory Service Tools.
Once completed, you will find the regular applications accessible from the Start Menu under Administrative Tools. From here on, you can manage users, groups, and organizational units (OUs) in your Active Directory.
The process of joining to AWS Simple AD remains the same for other Windows servers in your VPC.

Joining a Linux Server to AWS Directory Service Simple AD

Perhaps one of the selling points of Simple AD is that it can serve as a central directory for both Windows and Linux servers. This makes it simpler for Linux-based users and services. AD users can connect to the Linux instance with their existing credentials. There is no need to create extra user accounts or SSH keys. This feature is applicable only to specific newer versions of Linux though:

  • RHEL and CentOS Version 7.x
  • Amazon Linux AMI 2015.03
  • Ubuntu 14.04

This means you can’t join your existing instances of Ubuntu 12 or RHEL 6.x to a Simple AD.

AWS Simple AD Limitations

Companies may feel reluctant to move to a managed directory service for a few typical reasons:

  • AWS documentation shows only three Windows Server applications have been tested for Simple AD: IIS, SharePoint and SQL Server (up to Standard Edition). It makes no mention of Exchange, which perhaps can be expected given Amazon would try to promote its own e-mail gateway: AWS WorkMail. However, other applications depending on Active Directory services need to be tested for functionality and integration before deploying. This includes applications like antivirus servers or Windows Server Update Service (WSUS).
  • With Simple AD supporting a small number of applications, companies with established e-mail gateways, document sharing tools, and virtual desktop fleets may want to stay with their existing directory infrastructure.
  • Each Simple AD is a standalone domain controller and the root domain of its forest. You cannot add other Simple ADs as child domains of a forest root. We also have not been able to add standalone EC2-based domain controllers as child domains. This means Simple AD based infrastructure may not allow domain trusts or multiple domains (DEV, PRD etc.) under one root (MYCOMPANY.COM).
  • Some companies dealing with sensitive information may find it incompatible with their data security compliance requirements and legacy policies.
  • AD Connector has inherent complexity. It requires a hardware VPN connection between your on-premise network and its VPC. This becomes more complicated if you want to use Multi Factor Authentication.

Conclusion

Simple AD can provide some excellent value depending on your goals and objectives. Here are some use cases:

  • Creating a network for the PoC (Proof of Concept) of a small project. This is where an Active Directory with a quick setup may be used to great effect.
  • Setting up a small number of users (teams, departments, or people outside the company) with their own dedicated networks, applications and authentication. Again this may be extremely useful for ad-hoc or seasonal workloads.

Written by

Sadequl Hussain is an IT pro based in Sydney, Australia. He comes from a strong database administration background and has more than 15 years of experience in development, database management, training, and technical writing. Sadequl also holds a number of vendor certifications, including one from AWS. He loves working with cloud technologies, NoSQL / Big Data databases, automation toolsets, open source technologies and Windows / Linux system administration. When he is not doing any of these, Sadequl loves to spend time with his young family.
