Active Directory in AWS



Here are some of my notes as I read up on using Active Directory in AWS.

What is an Active Directory?

A network of Windows Machines can choose to manage Users independently of each other. Alternatively, that network can rely on a central server to provide this management service. That central server is called a Domain Controller. The service running on it that manages Users, Groups and Devices is named Active Directory.

Trust Relationships

There can be multiple Domain Controllers in a network, and they can be replicated to each other for high availability. However, if replication is not desired, the Active Directory instance can have its own independent database while establishing a trust relationship with another Active Directory. In a trust relationship, an AD can defer requests to a trusted AD and vice-versa.

There are 2 types of trust relationships:

  • One Way - one AD trusts another AD
  • Two Way - two ADs trust each other
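To make the direction of a trust concrete, here is a small added Python model (my own illustration, not AWS or Microsoft code): each domain keeps its own user database and only defers authentication requests for users of domains it trusts. The constructed scenario, a Managed AD in AWS with a one-way trust to an on-premise domain, is the arrangement described later under Trust & Replication; the domain names, user names and the non-transitive treatment of trusts are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Domain:
    """One AD instance with its own independent user database."""
    name: str
    users: set = field(default_factory=set)
    # Domains whose users this domain accepts, i.e. domains it trusts
    # and to which it defers their authentication requests.
    trusted: set = field(default_factory=set)


class Forest:
    def __init__(self):
        self.domains = {}

    def add_domain(self, name, users=()):
        self.domains[name] = Domain(name, set(users))

    def add_trust(self, trusting, trusted, two_way=False):
        """One way: `trusting` trusts `trusted`. Two way adds the reverse edge."""
        self.domains[trusting].trusted.add(trusted)
        if two_way:
            self.domains[trusted].trusted.add(trusting)

    def authenticate(self, resource_domain, upn):
        """Return the domain that verified `upn`, or None if the request is refused.

        A request for user@X arriving at resource_domain is served locally
        when X is the resource domain, deferred to X when the resource domain
        trusts X, and refused otherwise. Trusts are modelled as non-transitive
        (an assumption: A->B and B->C does not give A->C).
        """
        user, _, user_domain = upn.rpartition("@")
        resource = self.domains[resource_domain]
        if user_domain != resource_domain and user_domain not in resource.trusted:
            return None
        target = self.domains.get(user_domain)
        if target is None or user not in target.users:
            return None
        return target.name


def build_example():
    """Constructed scenario: AWS Managed AD with a one-way trust to on-premise AD."""
    forest = Forest()
    forest.add_domain("aws.example.com", {"svc-rds"})     # assumed managed AD
    forest.add_domain("corp.example.com", {"alice"})      # assumed on-premise AD
    # One way: the managed AD trusts on-premise, so resources joined to it
    # (such as RDS SQL Server) can authenticate on-premise users, not vice versa.
    forest.add_trust("aws.example.com", "corp.example.com")
    return forest
```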

The Need for Active Directory (in the Cloud)

The primary reason for running Active Directory in AWS is to reduce latency for AWS workloads that require Active Directory. The secondary reason is to have a backup of Active Directory in the cloud. 

It is possible to run MS Windows instances in the AWS Cloud. A network of these instances may benefit from using Active Directory as it will undoubtedly ease the management of users and groups on these instances.

AWS RDS-provided SQL Server may require Active Directory depending on the type of user management required.  


Active Directory on EC2

It is possible to run Active Directory natively on AWS. This can be achieved by running Windows Server on an EC2 instance. It supports full replication and trust relationships between any Active Directory instances.

Communication between on-premise and AWS Active Directory installations requires a Direct Connect or VPN.

Active Directory Connector

AD Connector is a proxy for all AD requests that originate in AWS. It connects over Direct Connect or VPN to an Active Directory on-premise. 

AD Connector does not support AWS RDS SQL Server (at the time of writing). The applications supported are limited, and a complete list can be found here.


AWS Managed Active Directory

This is the managed offering from AWS that provides the exact functionality of Active Directory, minus the need to provision and manage VMs. Currently, the base price of AWS Active Directory includes 2 Domain Controllers. Therefore, this base deployment already provides high availability, but more Domain Controllers can be added if needed.


Trust & Replication

The managed offering supports establishing trust with an on-premise instance but, unfortunately, does not support replication to and from an on-premise AD. However, it does support multi-region replication between different AWS Managed Active Directories.

Managed Active Directory supports AWS RDS SQL Server. 

Note: AWS RDS SQL Server can only authenticate against an on-premise AD via a trust relationship from a Managed Active Directory.

A complete list of supported applications can be found here.

Simple Active Directory

This is a Directory Service implemented with Samba 4. This low-cost option allows you to run a Directory Service for EC2 Windows instances.

Simple Active Directory is a stand-alone solution as it does not support trust relationships with other MS Active Directory Domain Controllers.


Sources