AWS Directory Service Simple AD lets you quickly integrate Amazon EC2 Windows instances with your domain, giving your directory users and groups broad access.
AWS Directory Service is a recent addition to Amazon’s managed services portfolio. As a PaaS, it offers a way for Microsoft Active Directory (AD) based applications to connect to a pre-built directory server in the AWS cloud. This frees the system administrator from having to build an AD from scratch.
Most companies using Active Directory – or another LDAP-compliant server – for identity management would typically run their directory servers on-premise. Even when the infrastructure is fully hosted in AWS, one or more EC2 Windows Servers would be custom-configured as Domain Controllers (DC) in a forest and major services like email, databases or antivirus would use those directories for authentication and group policies. A standard fault tolerance method would be to use two DCs replicating between two Availability Zones (AZs).
With AWS Directory Service, this model goes one step further. Here, Amazon automatically creates and manages the entire directory for customers. It’s the same model followed in other managed services like RDS, DynamoDB or Code Commit: there is no physical access to the underlying machine or its operating system because Amazon takes care of all the hard work. Users simply connect to the service endpoint with a client tool.
Directory Service comes in two flavours:
- Simple AD: AWS creates an Active Directory from scratch with Simple AD. This is the easiest way of starting a domain-based network.
- AD Connector: This is for customers who want to keep their on-premise Active Directory server. AD Connector works like a proxy. Any authentication request from your cloud network is sent to the on-premise Active Directory. Users authenticated by your on-premise AD can seamlessly access AWS-hosted resources based on their privileges.
AWS Directory Service Simple AD: benefits
Both Simple AD and AD Connector offer some great benefits for end users:
- No Manual Setup: Setting up an Active Directory infrastructure is not a trivial matter. Network administrators have to think about the forest, domains, placing primary and backup Domain Controllers in the subnets, DNS, opening up network ports…among many other things. With Simple AD, that worry is gone. Like so many other AWS services, a few clicks gets you started.
- Automatic Fault Tolerance: With Simple AD, AWS will automatically create a Backup Domain Controller in a secondary AZ. In fact, it’s a requirement for the VPC of the Simple AD to have at least two subnets in two different AZs.
- Automated Backup: AWS will automatically create a snapshot of the directory once every day. You can create your own snapshots too. Unfortunately, unlike RDS or EC2 snapshots, AWS Simple AD allows only fives days’ worth of backups. However, you can always send a request to AWS to raise this limit. Snapshots can be invaluable when you want to recover from a critical error.
- Simple Security Group Configuration: For AWS-hosted Active Directories to communicate with the rest of the network, a number of ports have to be enabled. Remembering to open up all these ports can be a difficult matter for the network administrator. AWS Directory Service takes away that headache by creating and assigning Security Groups with custom rules. This allows a finer-grained control of your network.
- Domain Joining Made Easy: It’s easy to add new Windows EC2 instances to the Simple AD, either when the instance is created or afterwards.
- Catering for Windows and Linux: AWS calls its Simple AD a “Microsoft Active Directory compatible directory service”. Simple AD is based on Samba 4, which means it maybe used to authenticate both Windows and Linux servers.
- Integration with other AWS Applications: AWS offers a number of applications for corporate office workload. These include AWS WorkSpace for virtual desktop fleet, WorkDocs for document management and sharing, and WorkMail for low-cost e-mail infrastructure. Each service requires authentication and access control for users. Simple AD can provide that authentication.
- Single Sign-on for Console Users: With Directory Service, IT staff can access the AWS console with Single Sign-on. The current method of using IAM users, roles and policies requires each individual sysadmin to have their own set of credentials. Directory Service can integrate with IAM roles, so once domain users authenticate with the AD, they can access the console seamlessly.
Creating an AWS Directory Service Simple AD
Setting up a Simple AD is easy. As you can see in the screenshots below, we are creating our Simple AD within a previously created Virtual Private Cloud (VPC). We named our VPC “AD-VPC”. It has two subnets with different IP ranges.
- Primary-DC (10.0.1.0/24)
- Backup-DC (10.0.2.0/24)
Next, start the wizard from the AWS Directory Service Console.
- The first step asks you to choose the type of directory. We will be creating a directory from scratch, so we will click on the Create Simple AD button.
- In the next screen, provide the details:
- The Fully Qualified Domain Name (FQDN) for the directory. We are naming it global.mycompany.com.
- The NetBIOS name is just the shorthand name for the FQDN: in this case it is global.
- The next two fields are for the Administrator password. This is the account for managing the AD. This password needs to be saved properly. You will also need to know this account (Administrator) and its password when joining an instance to the domain.
- A description of the directory
- Specify the size of the domain. We are choosing a small size network here. Small domains can manage up to 2000 objects including 500 users, groups and computers each. With large directories, you may use up to 20,000 objects including 5000 users, groups, and computers each.
- Name of the VPC and its subnets where the AD is to be created.
- The next screen gives you a chance to review the options. Note the message about charges. Amazon gives you 750 hours of free usage if you are creating a small-size Simple AD for the first time. After that, charges will accrue. However, if you look at the pricing, it’s quite reasonable: a small-size Simple AD can cost as little as US$ 0.05 per hour.
- Click on the “Create Simple AD” button. This will take you to the Directory Services console. As you can see, the status is shown as “Requested”. The status will eventually change from “Requested” to “Creating”, and after some more time, to “Active”. You will then have your first Active Directory in the cloud.
- Once the directory is ready, you can click on the Directory ID link. This will take you to a new screen where more details are shown. For now, don’t worry about creating an access URL, snapshots, or enabling AWS Services and Apps. Instead, just note the DNS address field, which shows two IP addresses. These are the two DNS servers automatically created in two subnets for your Active Directory.
- The EC2 servers in the VPC to which we want to join to this directory, will need to point to the Active Directory and the DNS server for resolving their domain names. The best way to do this is to create a custom DHCP Option Set and attach it to the VPC. That DHCP Option Set will use the DNS details we just saw. In the following image, we are creating a custom DHCP Option Set – you can find the link for this in the VPC Console. From here we must provide a name tag, the FQDN of the domain we just created and its DNS addresses. The rest of the fields can be left blank.Once created, attach the DHCP Option Set to the VPC.
We talked about how AWS Directory Service creates a Security Group with custom rules. In the following screenshot, we see this Security Group in the VPC:
Joining a Windows Server to AWS Directory Service Simple AD
Now that your Simple AD is created, you need to be able to manage it. For that, you will need to:
- Create a Windows EC2 server (or choose an existing Windows server) in the same VPC.
- Join the EC2 server to the new domain.
- Install the Active Directory tool set.
Amazon strongly recommends using a Windows Server 2008 machine for managing AD. There is a known incompatibility between Simple AD and Windows Server 2012 when it comes to creating users and groups. It’s best to stay safe.
In the image below, we are changing the DNS details of a Windows Server 2008 R2 instance by pointing it to the Simple AD.
We are also adding the machine to the domain from its compute properties. When the dialog box asks for credentials, the username should be Administrator and the password should be what was provided when the AD was created.
Once the configuration completes and the machine reboots, you need to provide the same credentials to remotely log into it. In our case, the user account is GLOBAL.MYCOMPANY.COM\Administrator and the password is what we provided before.
From the computer properties, you can see the server has become part of the Simple AD.
The next step is installing the Active Directory management tools. From the Server Manager, choose the “Add Features” option and install the Active Directory Domain Services and Active Directory Lightweight Directory Service Tools.
Once completed, you will find the regular applications accessible from the Start Menu under Administrative Tools. From here on, you can manage user, groups, and organizational units (OUs) in your Active Directory.
The process of joining to AWS Simple AD remains the same for other Windows servers in your VPC.
Joining a Linux Server to AWS Directory Service Simple AD
Perhaps one of the selling points of Simple AD is that it can serve as a central directory for both Windows and Linux servers. This makes it simpler for Linux based users and services. AD users can connect to the Linux instance with their existing credentials. There is no need to create extra user accounts or SSH keys.This feature is applicable for specific newer versions of Linux though:
- RHEL and CentOS Version 7.x
- Amazon Linux AMI 2015.03
- Ubuntu 14.04
This means you can’t join your existing instances of Ubuntu 12 or RHEL 6.x to a Simple AD.
AWS Simple AD Limitations
Companies may feel reluctant to move to a managed directory service for a few typical reasons:
- AWS documentation shows only three Windows Server applications have been tested for Simple AD: IIS, SharePoint and SQL Server (up to Standard Edition). It makes no mention of Exchange, which perhaps can be expected given Amazon would try to promote its own e-mail gateway: AWS WorkMail. However, other applications depending on Active Directory services need to be tested for functionality and integration before deploying. This includes applications like antivirus servers or Windows Server Update Service (WSUS).
- With Simple AD supporting a small number of applications, companies with established e-mail gateways, document sharing tools, and virtual desktop fleets may want to stay with their existing directory infrastructure
- Each Simple AD is a standalone domain controller and the root domain of its forest. You cannot add other Simple ADs as child domains of a forest root. We also have not been able to add standalone EC2-based domain controllers as child domains. This means Simple AD based infrastructure may not allow domain trusts or multiple domains (DEV, PRD etc.) under one root (MYCOMPANY.COM).
- Some companies dealing with sensitive information may find it incompatible with their data security compliance requirements and legacy policies.
- There is inherent complexity of AD Connector. AD Connector requires a hardware VPN connection between your on-premise network and its VPC. This becomes more complicated if you want to use Multi Factor Authentication.
Simple AD can provide some excellent value depending on your goals and objectives. Here are some use cases:
- Creating a network for the PoC (Proof of Concept) of a small project. This is where an Active Directory with a quick setup may be used to great effect.
- Setting up a small number of users (teams, departments, or people outside the company) with their own dedicated networks, applications and authentication. Again this may be extremely useful for ad-hoc or seasonal workloads.
New Content: Platforms, Programming, and DevOps – Something for Everyone
This month our team of expert certification specialists released three new or updated learning paths, 16 courses, 13 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon....
Mastering AWS Organizations Service Control Policies
Service Control Policies (SCPs) are IAM-like policies to manage permissions in AWS Organizations. SCPs restrict the actions allowed for accounts within the organization making each one of them compliant with your guidelines. SCPs are not meant to grant permissions; you should consider ...
New Content: Focus on DevOps and Programming Content this Month
This month our team of expert certification specialists released 12 new or updated learning paths, 15 courses, 25 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon. Ja...
New Content: Get Ready for the CISM Cert Exam & Learn About Alibaba, Plus All the AWS, GCP, and Azure Courses You Know You Can Count On
This month our team of intrepid certification specialists released five learning paths, seven courses, 19 hands-on labs, and three lab challenges! One particularly interesting new learning path is Certified Information Security Manager (CISM) Foundations. After completing this learn...
Which Certifications Should I Get?
The old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and companies. With all that in mind, the s...
The 12 AWS Certifications: Which is Right for You and Your Team?
As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...
AWS Certified Solutions Architect Associate: A Study Guide
Want to take a really impactful step in your technical career? Explore the AWS Solutions Architect Associate certificate. Its new version (SAA-C02) was released on March 23, 2020. The AWS Solutions Architect - Associate Certification (or Sol Arch Associate for short) offers some ...
New Content: AWS Terraform, Java Programming Lab Challenges, Azure DP-900 & DP-300 Certification Exam Prep, Plus Plenty More Amazon, Google, Microsoft, and Big Data Courses
This month our Content Team continues building the catalog of courses for everyone learning about AWS, GCP, and Microsoft Azure. In addition, this month’s updates include several Java programming lab challenges and a couple of courses on big data. In total, we released five new learning...
Where Should You Be Focusing Your AWS Security Efforts?
Another day, another re:Invent session! This time I listened to Stephen Schmidt’s session, “AWS Security: Where we've been, where we're going.” Amongst covering the highlights of AWS security during 2020, a number of newly added AWS features/services were discussed, including: AWS Audit...
AWS re:Invent: 2020 Keynote Top Highlights and More
We’ve gotten through the first five days of the special all-virtual 2020 edition of AWS re:Invent. It’s always a really exciting time for practitioners in the field to see what features and services AWS has cooked up for the year ahead. This year’s conference is a marathon and not a...
WARNING: Great Cloud Content Ahead
At Cloud Academy, content is at the heart of what we do. We work with the world’s leading cloud and operations teams to develop video courses and learning paths that accelerate teams and drive digital transformation. First and foremost, we listen to our customers’ needs and we stay ahea...
Excelling in AWS, Azure, and Beyond – How Danut Prisacaru Prepares for the Future
Meet Danut Prisacaru. Danut has been a Software Architect for the past 10 years and has been involved in Software Engineering for 30 years. He’s passionate about software and learning, and jokes that coding is basically the only thing he can do well (!). We think his enthusiasm shines t...