AWS Directory Service Simple AD lets you quickly join Amazon EC2 Windows instances to a domain, so your directory users and groups can access those instances with their existing credentials.
AWS Directory Service is a recent addition to Amazon’s managed services portfolio. As a PaaS, it offers a way for Microsoft Active Directory (AD) based applications to connect to a pre-built directory server in the AWS cloud. This frees the system administrator from having to build an AD from scratch.
Most companies using Active Directory – or another LDAP-compliant server – for identity management would typically run their directory servers on-premises. Even when the infrastructure is fully hosted in AWS, one or more EC2 Windows Servers would be custom-configured as Domain Controllers (DCs) in a forest, and major services like email, databases or antivirus would use those directories for authentication and Group Policy. A standard fault tolerance method would be to run two DCs replicating between two Availability Zones (AZs).
With AWS Directory Service, this model goes one step further. Here, Amazon automatically creates and manages the entire directory for customers. It’s the same model followed in other managed services like RDS, DynamoDB or CodeCommit: there is no access to the underlying machine or its operating system because Amazon takes care of all the hard work. Users simply connect to the service endpoint with a client tool.
Directory Service comes in two flavours:
- Simple AD: AWS creates a new, standalone Active Directory-compatible domain for you. This is the easiest way of starting a domain-based network.
- AD Connector: This is for customers who want to keep their on-premises Active Directory. AD Connector works like a proxy: any authentication request from your cloud network is forwarded to the on-premises Active Directory. Users authenticated by your on-premises AD can seamlessly access AWS-hosted resources based on their privileges.
AWS Directory Service Simple AD: benefits
Both Simple AD and AD Connector offer some great benefits for end users:
- No Manual Setup: Setting up an Active Directory infrastructure is not a trivial matter. Network administrators have to think about the forest, domains, placing primary and backup Domain Controllers in the subnets, DNS, opening up network ports…among many other things. With Simple AD, that worry is gone. Like so many other AWS services, a few clicks get you started.
- Automatic Fault Tolerance: With Simple AD, AWS will automatically create a Backup Domain Controller in a secondary AZ. In fact, it’s a requirement for the VPC of the Simple AD to have at least two subnets in two different AZs.
- Automated Backup: AWS will automatically create a snapshot of the directory once every day. You can create your own snapshots too. Unfortunately, unlike RDS or EC2 snapshots, Simple AD keeps only five days’ worth of automatic snapshots. However, you can always send a request to AWS to raise this limit. Snapshots can be invaluable when you want to recover from a critical error, and restoring one rolls the whole directory back, so take a manual snapshot before bulk changes to users or groups.
- Simple Security Group Configuration: For AWS-hosted Active Directories to communicate with the rest of the network, a number of ports (DNS, Kerberos, LDAP, SMB and more) have to be enabled. Remembering to open up all these ports can be a difficult matter for the network administrator. AWS Directory Service takes away that headache by creating a Security Group with the required rules and attaching it to the directory’s network interfaces. Do review that group’s inbound rules after creation: the directory only needs to be reachable from the subnets (or VPN) that will use it, so restrict the source ranges to your VPC CIDR rather than leaving the ports open more broadly than your instances need.
- Domain Joining Made Easy: It’s easy to add new Windows EC2 instances to the Simple AD, either when the instance is created or afterwards.
- Catering for Windows and Linux: AWS calls its Simple AD a “Microsoft Active Directory compatible directory service”. Simple AD is based on Samba 4, which means it may be used to authenticate both Windows and Linux servers.
- Integration with other AWS Applications: AWS offers a number of applications for corporate office workloads. These include Amazon WorkSpaces for a virtual desktop fleet, Amazon WorkDocs for document management and sharing, and Amazon WorkMail for low-cost e-mail infrastructure. Each service requires authentication and access control for users. Simple AD can provide that authentication.
- Single Sign-on for Console Users: With Directory Service, IT staff can access the AWS console with Single Sign-on. The usual method of IAM users, roles and policies requires each individual sysadmin to have their own set of credentials. Directory Service can instead map directory users and groups to IAM roles: a user who signs in at the directory’s access URL with their domain credentials lands in the console with that role’s permissions, and leaving the directory group revokes the access. The role’s trust policy must allow the Directory Service to assume it, so keep those roles as narrowly scoped as any other.
Creating an AWS Directory Service Simple AD
Setting up a Simple AD is easy. As you can see in the screenshots below, we are creating our Simple AD within a previously created Virtual Private Cloud (VPC). We named our VPC “AD-VPC”. It has two subnets with different IP ranges.
- Primary-DC (10.0.1.0/24)
- Backup-DC (10.0.2.0/24)
Next, start the wizard from the AWS Directory Service Console.
- The first step asks you to choose the type of directory. We will be creating a directory from scratch, so we will click on the Create Simple AD button.
- In the next screen, provide the details:
- The Fully Qualified Domain Name (FQDN) for the directory. We are naming it global.mycompany.com.
- The NetBIOS name is the short (pre-Windows 2000) name of the domain: in this case it is global.
- The next two fields are for the Administrator password. This is the account for managing the AD, and it is the only privileged account that exists until you create others. Store this password securely, as you would any domain administrator credential. You will also need this account (Administrator) and its password when joining an instance to the domain.
- A description of the directory
- Specify the size of the directory. We are choosing a small size here. A small directory supports about 2,000 objects: up to 500 each of users, groups and computers. A large directory supports about 20,000 objects: up to 5,000 each of users, groups and computers.
- Name of the VPC and its subnets where the AD is to be created.
- The next screen gives you a chance to review the options. Note the message about charges. Amazon gives you 750 hours of free usage if you are creating a small-size Simple AD for the first time. After that, charges will accrue. However, if you look at the pricing, it’s quite reasonable: a small-size Simple AD can cost as little as US$ 0.05 per hour.
- Click on the “Create Simple AD” button. This will take you to the Directory Services console. As you can see, the status is shown as “Requested”. The status will eventually change from “Requested” to “Creating”, and after some more time, to “Active”. You will then have your first Active Directory in the cloud.
- Once the directory is ready, you can click on the Directory ID link. This will take you to a new screen where more details are shown. For now, don’t worry about creating an access URL, snapshots, or enabling AWS Services and Apps. Instead, just note the DNS address field, which shows two IP addresses. These are the two domain controllers automatically created in your two subnets; each also serves DNS for the domain.
- The EC2 servers in the VPC that we want to join to this directory will need to use the directory’s DNS servers to resolve the domain and locate its domain controllers. The best way to do this is to create a custom DHCP Option Set and attach it to the VPC. That DHCP Option Set will use the DNS details we just saw. In the following image, we are creating a custom DHCP Option Set – you can find the link for this in the VPC Console. From here we must provide a name tag, the FQDN of the domain we just created and its DNS addresses. The rest of the fields can be left blank. Once created, attach the DHCP Option Set to the VPC. Instances pick up the new settings when their DHCP lease renews, or immediately if you run ipconfig /renew on them.
We talked about how AWS Directory Service creates a Security Group with custom rules. In the following screenshot, we see this Security Group in the VPC:
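The console steps above, done from the AWS Tools for PowerShell instead, as an added example that is not part of the original post and not AWS’s own sample code. It creates the Simple AD, waits for it to become Active, builds the DHCP Option Set from the directory’s DNS addresses, and then audits the Security Group the service created, flagging any inbound rule that is open to the whole Internet. The VPC ID, subnet IDs and description are assumed placeholders; the cmdlet and parameter names are those documented for the AWS.Tools.DirectoryService and AWS.Tools.EC2 modules, so check them against the module version you have installed.

```powershell
# Added example, not from the original post. Requires the AWS Tools for
# PowerShell (AWS.Tools.DirectoryService, AWS.Tools.EC2) and credentials
# allowed to call ds:* and ec2:* in the target account.

$VpcId     = 'vpc-0123456789abcdef0'            # assumed: the AD-VPC from the post
$SubnetIds = @('subnet-0aaaaaaaaaaaaaaaa',      # assumed: Primary-DC, 10.0.1.0/24
               'subnet-0bbbbbbbbbbbbbbbb')      # assumed: Backup-DC,  10.0.2.0/24
$Fqdn      = 'global.mycompany.com'
$NetBios   = 'global'

# Never hard-code the Administrator password: prompt for it (or read it from a
# secret store) so it does not land in shell history or source control.
$Secure   = Read-Host -Prompt 'Simple AD Administrator password' -AsSecureString
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$PlainPwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Create the directory. Simple AD requires two subnets in two different AZs.
$DirectoryId = New-DSDirectory -Name $Fqdn -ShortName $NetBios -Password $PlainPwd `
                   -Size Small -Description 'Simple AD example (assumed)' `
                   -VpcSettings_VpcId $VpcId -VpcSettings_SubnetId $SubnetIds
$PlainPwd = $null

# 2. Wait for the stage to go Requested -> Creating -> Active.
do {
    Start-Sleep -Seconds 30
    $dir = Get-DSDirectory -DirectoryId $DirectoryId
    Write-Host "$DirectoryId is $($dir.Stage)"
} while ($dir.Stage -ne 'Active' -and $dir.Stage -ne 'Failed')
if ($dir.Stage -ne 'Active') { throw "Directory $DirectoryId ended in stage $($dir.Stage)" }

# 3. DHCP Option Set: only domain-name and domain-name-servers are needed.
#    The DNS IPs come from the directory itself, so nothing is typed by hand.
$dn = New-Object Amazon.EC2.Model.DhcpConfiguration
$dn.Key = 'domain-name'
$dn.Values.Add($Fqdn)
$ns = New-Object Amazon.EC2.Model.DhcpConfiguration
$ns.Key = 'domain-name-servers'
foreach ($ip in $dir.DnsIpAddrs) { $ns.Values.Add($ip) }
$opts = New-EC2DhcpOption -DhcpConfiguration $dn, $ns
Register-EC2DhcpOption -DhcpOptionsId $opts.DhcpOptionsId -VpcId $VpcId

# 4. Audit the Security Group the service attached to the directory.
#    The controllers only need to be reachable from the instances (or VPN)
#    that will use them, so any rule sourced from 0.0.0.0/0 deserves a warning.
$sg = Get-EC2SecurityGroup -GroupId $dir.VpcSettings.SecurityGroupId
foreach ($perm in $sg.IpPermissions) {
    foreach ($range in $perm.Ipv4Ranges) {
        if ($range.CidrIp -eq '0.0.0.0/0') {
            Write-Warning ('Inbound {0} {1}-{2} on {3} is open to 0.0.0.0/0; restrict it to your VPC CIDR' -f
                $perm.IpProtocol, $perm.FromPort, $perm.ToPort, $sg.GroupId)
        }
    }
}
```

Run it once per directory from an operator workstation, not from a script stored with the password. The audit loop is the part worth keeping around: rerun it after any change to the directory so a widened rule does not go unnoticed.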
Joining a Windows Server to AWS Directory Service Simple AD
Now that your Simple AD is created, you need to be able to manage it. For that, you will need to:
- Create a Windows EC2 server (or choose an existing Windows server) in the same VPC.
- Join the EC2 server to the new domain.
- Install the Active Directory tool set.
Amazon strongly recommends using a Windows Server 2008 R2 machine for managing Simple AD. There is a known incompatibility between Simple AD and the Windows Server 2012 tools when it comes to creating users and groups, so it’s best to use 2008 R2 for the management instance.
In the image below, we are changing the DNS details of a Windows Server 2008 R2 instance by pointing it to the Simple AD.
We are also adding the machine to the domain from its computer properties (System Properties, Computer Name tab). When the dialog box asks for credentials, the username should be Administrator and the password should be what was provided when the AD was created.
Once the configuration completes and the machine reboots, you need to provide the same credentials to remotely log into it. In our case, the user account is GLOBAL.MYCOMPANY.COM\Administrator and the password is what we provided before.
From the computer properties, you can see the server has become part of the Simple AD.
The next step is installing the Active Directory management tools. From the Server Manager, choose the “Add Features” option and, under Remote Server Administration Tools, install the Active Directory Domain Services Tools and the Active Directory Lightweight Directory Services Tools.
Once completed, you will find the regular applications accessible from the Start Menu under Administrative Tools. From here on, you can manage user, groups, and organizational units (OUs) in your Active Directory.
The process of joining AWS Simple AD remains the same for other Windows servers in your VPC. Bear in mind that joining every server with the directory Administrator account hands its password to everyone who builds servers; for routine joins, prefer a dedicated account that has only the right to add computers to the domain.
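The same join, scripted from an elevated PowerShell prompt on the Windows Server 2008 R2 instance, as an added example that is not part of the original post. It stays within PowerShell 2.0, which is what 2008 R2 ships with, so it uses WMI for the DNS change and Add-WindowsFeature rather than the newer cmdlets. The two DNS addresses are assumed placeholders; use the ones shown on your directory’s detail page. Before joining, it checks the SRV record that the join process itself uses to locate a domain controller, which is the quickest way to tell a DNS problem from a credential problem.

```powershell
# Added example, not from the original post. Run elevated on the instance
# being joined. PowerShell 2.0 compatible (Windows Server 2008 R2).

$DomainFqdn = 'global.mycompany.com'
$DnsServers = @('10.0.1.5', '10.0.2.5')   # assumed: the directory's two DNS IPs

# 1. Point the instance at the directory's DNS servers. Skip this step if the
#    VPC's DHCP Option Set already hands them out. WMI is used because
#    Set-DnsClientServerAddress does not exist on 2008 R2.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Select-Object -First 1
$rc = $nic.SetDNSServerSearchOrder($DnsServers).ReturnValue
if ($rc -ne 0) { throw "SetDNSServerSearchOrder failed with return code $rc" }

# 2. Confirm the domain can be located before trying to join: the join looks
#    up this SRV record to find a domain controller. No answer here means a
#    DNS or Security Group problem, not a password problem.
nslookup "-type=SRV" "_ldap._tcp.dc._msdcs.$DomainFqdn" | Out-Host

# 3. Join the domain. Prompting for the credential keeps the Administrator
#    password out of the script and out of the command history.
$cred = Get-Credential -Credential "$DomainFqdn\Administrator"
Add-Computer -DomainName $DomainFqdn -Credential $cred -ErrorAction Stop

# 4. Install the AD DS and AD LDS tools so Active Directory Users and
#    Computers is available after the reboot (Add-WindowsFeature is the
#    2008 R2 cmdlet name; Install-WindowsFeature arrived with 2012).
Import-Module ServerManager
Add-WindowsFeature RSAT-ADDS-Tools, RSAT-ADLDS | Out-Null

# 5. The join takes effect at the next boot.
Restart-Computer -Force
```

After the reboot, log in as GLOBAL.MYCOMPANY.COM\Administrator and confirm the membership with (Get-WmiObject Win32_ComputerSystem).Domain, which should report the FQDN of the Simple AD.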
Joining a Linux Server to AWS Directory Service Simple AD
Perhaps one of the selling points of Simple AD is that it can serve as a central directory for both Windows and Linux servers. This makes it simpler for Linux-based users and services: AD users can log in to the Linux instance with their existing credentials, so there is no need to create extra local user accounts or distribute SSH keys. This feature is applicable only to specific newer versions of Linux though:
- RHEL and CentOS Version 7.x
- Amazon Linux AMI 2015.03
- Ubuntu 14.04
This means you can’t join your existing instances of Ubuntu 12.04 or RHEL 6.x to a Simple AD.
AWS Simple AD Limitations
Companies may feel reluctant to move to a managed directory service for a few typical reasons:
- AWS documentation shows only three Windows Server applications have been tested for Simple AD: IIS, SharePoint and SQL Server (up to Standard Edition). It makes no mention of Exchange, which perhaps can be expected given Amazon would try to promote its own e-mail service, Amazon WorkMail. Any other application that depends on Active Directory services needs to be tested for functionality and integration before deploying. This includes applications like antivirus servers or Windows Server Update Services (WSUS).
- With Simple AD supporting a small number of applications, companies with established e-mail gateways, document sharing tools, and virtual desktop fleets may want to stay with their existing directory infrastructure.
- Each Simple AD is a standalone domain and the root domain of its own forest. You cannot add other Simple ADs as child domains of a forest root. We also have not been able to add standalone EC2-based domain controllers as child domains. This means a Simple AD based infrastructure may not allow domain trusts or multiple domains (DEV, PRD etc.) under one root (MYCOMPANY.COM).
- Because the domain controllers are managed by AWS, you cannot log on to them, install agents, or tune every security setting. Companies dealing with sensitive information may find that incompatible with their data security compliance requirements and legacy policies.
- There is inherent complexity in AD Connector. AD Connector requires a VPN or AWS Direct Connect link between your on-premises network and its VPC. This becomes more complicated if you want to use Multi-Factor Authentication, which AD Connector supports through a RADIUS server that you must also provide and make reachable.
Simple AD can provide some excellent value depending on your goals and objectives. Here are some use cases:
- Creating a network for the PoC (Proof of Concept) of a small project. This is where an Active Directory with a quick setup may be used to great effect.
- Setting up a small number of users (teams, departments, or people outside the company) with their own dedicated networks, applications and authentication. Again this may be extremely useful for ad-hoc or seasonal workloads.