AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ron Cully, AWS Directory Service
November 30, 2016
What to Expect from the Session
Running Windows applications and workloads in the AWS Cloud
• Why Windows workloads in AWS need Active Directory (AD)
• AD options for cloud workloads
  • AWS Directory Service for Microsoft Active Directory (Enterprise Edition) – "Microsoft AD"
  • Other AWS Directory Service solutions
[Diagram: AD options for cloud workloads. Three places a domain controller can live: an AWS Microsoft AD DC in an AWS-managed service VPC, an EC2 Windows Server DC in the customer's VPC, or a Windows Server DC on premises.]

Example: Domain join EC2 to on-premises AD
[Diagram: the application (SQL Server, App Server, IIS Server, i.e. DB/APP/WEB tiers) deployed in private subnets 10.0.2.0/24 and 10.0.3.0/24 across two Availability Zones, with remote users and admins connecting in. Every tier sends its authentication and LDAP traffic across the VPN connection to the domain controllers in the corporate data center.]

Example: AD on EC2 with replication or AD trust
[Diagram: the same DB/APP/WEB tiers and subnets, plus an EC2 domain controller in each Availability Zone. The EC2 DCs replicate with, or trust, the corporate data center DCs over the VPN connection; authentication and LDAP traffic from the tiers stays inside the VPC.]

Example: AWS Microsoft AD with AD trust to on-premises
[Diagram: APP/WEB tiers in private subnets 10.0.2.0/24 and 10.0.3.0/24, with the DB tier on Amazon RDS SQL Server. AWS Microsoft AD domain controllers (AWS Managed Services) in both Availability Zones serve authentication and LDAP; a trust between AWS Microsoft AD and the corporate data center DCs crosses the VPN connection.]

Example: AWS Microsoft AD with everything in the cloud
[Diagram: no on-premises connection. Each Availability Zone has a public subnet (10.0.0.0/24 and 10.0.1.0/24) with NAT and an RD Gateway (RDGW) and a private subnet (10.0.2.0/24 and 10.0.3.0/24) with the APP and WEB servers. The AWS Microsoft AD DCs, Amazon RDS SQL Server (DB) and Amazon WorkSpaces (VDI) are all AWS Managed Services.]
Selecting an Active Directory option

Operation       AWS Microsoft AD                        EC2 AD Instance                              On-Premises AD
Management      AWS managed, in the cloud               Customer managed, in the cloud               Customer managed, own hardware
Availability    Built-in redundancy and replication     Customer must design for high availability   Customer must design for high availability
Networking      Trust(1) ports from cloud to            Trust(1) or replication(2) ports from        Ports to support cloud to on-premises
                on-premises (least exposed)             cloud to on-premises AD                      AD(3) (most exposed)
Admin control   Designated OU control; some             Full control                                 Full control
                apps unsupported
Footnotes 1, 2 and 3: text not captured in the extraction.
AWS Microsoft AD
• Minimize cost and effort to run AD
• Amazon RDS SQL Server
• AWS Enterprise Applications(1)
• Windows workloads on Amazon EC2(2)

EC2 AD Instances
• Require a replicated, multi-region AD solution
• Need NetBIOS name resolution support
• You require permissions not yet delegated by AWS Microsoft AD
  • E.g., Exchange, SharePoint, SQL Server AlwaysOn Availability Groups

On-Premises AD
• Minimal EC2 instances require access to AD
• Latency to AD over the on-premises link is acceptable
• Security policies allow AD ports to be exposed to the internet
• Comfortable architecting highly available connectivity to on-premises AD

1 If users are on premises via trust, the application requires an update; otherwise AD Connector will be needed.
2 Subject to delegation constraints.
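The Networking row above ranks the options by how many AD ports must be opened from the VPC toward on-premises: a trust needs a small, fixed set, replication needs more. The following is an added example (not from the WIN305 deck) that runs on a Windows EC2 instance inside the VPC and reports which of those ports actually answer on the on-premises domain controllers, flagging both missing trust ports and replication-only ports that a trust design should leave closed. The DC addresses are assumed placeholders; the port list comes from Microsoft's published AD port requirements.

```powershell
# Added example (not part of the WIN305 deck): check, from a Windows EC2 instance
# in the VPC, which AD ports are reachable on the on-premises domain controllers
# and compare against the minimal set a forest trust needs.
$OnPremDCs = @('192.168.10.10', '192.168.20.10')   # assumed on-premises DC addresses

# TCP ports the trust path needs. The RPC dynamic range (49152-65535) is needed as
# well but cannot be probed meaningfully, and UDP 53/88/389/464 are not covered
# because Test-NetConnection only probes TCP.
$TrustPorts = [ordered]@{
    53  = 'DNS (conditional forwarders)'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB / Netlogon'
    464 = 'Kerberos password change'
    636 = 'LDAPS'
}
# Ports that replication (the EC2 DC design) needs on top of the trust set; in a
# trust-only design these should be closed toward on-premises.
$ReplicationPorts = [ordered]@{
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-AdPortExposure {
    param(
        [string[]]$Servers,
        [System.Collections.IDictionary]$Required,
        [System.Collections.IDictionary]$ShouldBeClosed
    )
    $sets = @(
        @{ Ports = $Required;       Expected = $true  },
        @{ Ports = $ShouldBeClosed; Expected = $false }
    )
    foreach ($s in $Servers) {
        foreach ($set in $sets) {
            foreach ($p in $set.Ports.Keys) {
                # -InformationLevel Quiet makes Test-NetConnection return a plain bool
                $open = Test-NetConnection -ComputerName $s -Port $p `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
                $status = if ($open -eq $set.Expected) { 'OK' } else { 'MISMATCH' }
                [pscustomobject]@{
                    Server   = $s
                    Port     = $p
                    Use      = $set.Ports[$p]
                    Open     = $open
                    Expected = $set.Expected
                    Status   = $status
                }
            }
        }
    }
}

Test-AdPortExposure -Servers $OnPremDCs -Required $TrustPorts -ShouldBeClosed $ReplicationPorts |
    Format-Table -AutoSize
```

Each port that the security group or on-premises firewall blocks costs a TCP connect timeout, so expect the run to take a while when the answer is "closed". A MISMATCH on a trust port means the trust will fail to validate; a MISMATCH on a replication port in a trust-only design means more is exposed than the design needs.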
AD Connector
Proxy solution to use on-premises AD accounts with AWS Enterprise Applications
• AD proxy for Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail
• Authentication and LDAP forwarded to on-premises AD
• Applications can look up on-premises users and groups
• Users authenticate using existing corporate credentials
• Supports EC2 seamless domain join
  • EC2 discovers the domain name from AD Connector
  • EC2 bypasses AD Connector for everything else
AWS Microsoft AD
[Diagram: an AWS Microsoft AD DC in the VPC with a trust to a Windows AD DC on the on-premises network.]
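The trust in the diagram above has two halves: the AWS half is created from the Directory Service console, the on-premises half with ordinary Windows tooling. The following is an added example (not from the WIN305 deck) of the on-premises half, run as an Enterprise Admin on an on-premises DC. It uses the .NET Forest API rather than the GUI, adds the conditional forwarder the trust depends on, and turns on selective authentication so that the trust exposes as little as possible. The domain name and DC addresses are assumed placeholders.

```powershell
# Added example, not from the WIN305 deck: the on-premises half of the forest trust
# shown above. The AWS half is created afterwards in the Directory Service console
# with the same trust password. aws.example.com and its DCs are assumed placeholders.
$AwsDomain = 'aws.example.com'
$AwsDnsIps = @('10.0.2.10', '10.0.3.10')    # the directory's DNS addresses from the console

# 1. Name resolution first: neither side can validate the trust until it resolves the other.
Add-DnsServerConditionalForwarderZone -Name $AwsDomain -MasterServers $AwsDnsIps `
    -ReplicationScope Forest

# 2. Create only the local side. No admin access to the managed DCs is needed (or granted).
$trustPwd = Read-Host -AsSecureString 'One-time trust password (enter the same one in the AWS console)'
$plain    = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($trustPwd))
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship(
    $AwsDomain,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional,
    $plain)
$plain = $null

# 3. Least exposure: with selective authentication, AWS-side principals reach
#    on-premises resources only where "Allowed to Authenticate" is granted explicitly.
$forest.SetSelectiveAuthenticationStatus($AwsDomain, $true)

# 4. Once the AWS side exists, verify both directions; until then this throws.
try {
    $forest.VerifyTrustRelationship($AwsDomain,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)
    "Trust with $AwsDomain verified"
} catch {
    "Trust not verifiable yet: $($_.Exception.Message)"
}
```

Selective authentication is a per-side setting: enabling it here restricts what AWS-side accounts can touch on premises and does not change what on-premises accounts can do in the AWS domain. Expect to grant "Allowed to Authenticate" on the specific on-premises servers that AWS-side users need, otherwise logons across the trust fail.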
Setting up AWS Directory Service
1) Select Directory Service in the AWS Console
2) Select Set up directory from the menu
3) Select Create Microsoft AD for the directory type
4) Configure the Directory and VPC details
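The same four steps as a script, as an added example that is not part of the deck, using AWS Tools for PowerShell (New-DSMicrosoftAD and Get-DSDirectory). It also adds the step the console does not do for you: pointing the VPC's DNS at the managed DCs so instances can find the new domain. VPC ID, subnet IDs and the domain name are assumed placeholders.

```powershell
# Added example, not from the WIN305 deck: create an AWS Microsoft AD directory with
# AWS Tools for PowerShell, wait for it, and attach a DHCP option set that resolves
# the domain. All IDs and names below are assumed placeholders.
Import-Module AWSPowerShell

$vpcId   = 'vpc-0123456789abcdef0'
$subnets = @('subnet-0aaaaaaaaaaaaaaaa', 'subnet-0bbbbbbbbbbbbbbbb')   # one subnet in each of two AZs
$adminPw = Read-Host -AsSecureString 'Password for the directory Admin account'
$plainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
               [Runtime.InteropServices.Marshal]::SecureStringToBSTR($adminPw))

# Steps 3 and 4: directory type Microsoft AD, then directory and VPC details.
# One DC is placed in each subnet; the API returns only the directory ID.
$directoryId = New-DSMicrosoftAD -Name 'corp.example.com' -ShortName 'CORP' `
    -Password $plainPw -Description 'WIN305 example' `
    -VpcSettings_VpcId $vpcId -VpcSettings_SubnetId $subnets
$plainPw = $null

# Provisioning takes a while; poll until the directory reports Active.
do {
    Start-Sleep -Seconds 60
    $dir = Get-DSDirectory -DirectoryId $directoryId
    "$directoryId is $($dir.Stage)"
} while ($dir.Stage.Value -ne 'Active')

# Instances only find the domain if VPC DNS points at the managed DCs: build a DHCP
# option set from the directory's DNS addresses and attach it to the VPC.
$dhcp = New-EC2DhcpOption -DhcpConfiguration @(
    @{ Key = 'domain-name';         Values = @($dir.Name) },
    @{ Key = 'domain-name-servers'; Values = @($dir.DnsIpAddrs) }
)
Register-EC2DhcpOption -DhcpOptionsId $dhcp.DhcpOptionsId -VpcId $vpcId
"DNS for $($dir.Name): $($dir.DnsIpAddrs -join ', ')"
```

The Admin password is the only credential AWS hands you for the managed domain; it lands in plaintext in process memory for the API call, which is why the variable is cleared immediately afterwards. Replacing the VPC's DHCP option set changes DNS for every instance in that VPC, so do it on a VPC dedicated to the workloads that will join this domain.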
User, group, and policy management via Microsoft tools on domain-joined computers
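What "Microsoft tools on domain-joined computers" looks like in practice, and where the "designated OU control" limit from the comparison table bites, as an added example that is not from the deck: an EC2 Windows instance is joined into the OU that AWS Microsoft AD delegates to the customer, then groups and users are created there with the ActiveDirectory module. The domain name corp.example.com / CORP is an assumed placeholder; the delegated OU is named after the directory's NetBIOS name.

```powershell
# Added example, not from the WIN305 deck: join an EC2 Windows instance to AWS
# Microsoft AD and manage objects inside the delegated OU. corp.example.com / CORP
# are assumed names; VPC DNS must already resolve the domain.
$domain     = 'corp.example.com'
$domainDn   = 'DC=corp,DC=example,DC=com'
# AWS Microsoft AD delegates one OU to the customer, named after the NetBIOS name.
# The Admin account has rights inside it; the domain root and the AWS-managed OUs
# are off limits.
$customerOu = "OU=CORP,$domainDn"
$cred       = Get-Credential -UserName 'CORP\Admin' -Message 'Directory Admin password'

# --- step 1: join into the delegated Computers OU (this reboots the instance) ---
Add-Computer -DomainName $domain -OUPath "OU=Computers,$customerOu" -Credential $cred -Restart

# --- step 2, after the reboot: standard Microsoft tooling against the managed domain ---
Install-WindowsFeature RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

New-ADOrganizationalUnit -Name 'AppServers' -Path $customerOu -Credential $cred
New-ADGroup -Name 'IIS-Admins' -GroupScope Global -Path "OU=Users,$customerOu" -Credential $cred

$svcPwd = Read-Host -AsSecureString 'Password for svc-iis'
New-ADUser -Name 'svc-iis' -SamAccountName 'svc-iis' -Path "OU=Users,$customerOu" `
    -AccountPassword $svcPwd -Enabled $true -Credential $cred
Add-ADGroupMember -Identity 'IIS-Admins' -Members 'svc-iis' -Credential $cred

# Outside the delegated OU the same credential is refused, which is the point:
# New-ADOrganizationalUnit -Name 'Outside' -Path $domainDn -Credential $cred   # Access is denied
```

Applications that insist on writing to the domain root or extending the schema are the "some apps unsupported" case: the delegated OU is where the customer's rights stop, so they belong on the EC2 AD option instead.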
AD On EC2 Windows
Active Directory instance on EC2
Customer-managed Active Directory server running on EC2
• Customer responsible for patching, monitoring, snapshots, and high availability
• Connectivity via VPN or AWS Direct Connect
• Security groups must allow traffic to and from the on-premises data center
• AD sites and subnets must be properly defined
• Site-link costs must be configured
• Enable the "Try Next Closest Site" group policy setting for domain members
Supports use cases and applications that require schema extension
• Microsoft SQL Server
• Microsoft SharePoint
• Microsoft Exchange
• Microsoft Lync/Skype for Business
Use when AWS Microsoft AD does not support the use case
Microsoft workloads in Amazon VPC
[Diagram: an AD forest spanning AWS and the corporate data center. DC1 in Seattle and DC2 in Tacoma on the corporate network; DC3 in a private subnet in an AWS Availability Zone, reached over VPN.]

[Diagram: the same forest with DC1 marked as failed.]
DC1 goes down: where do clients in Seattle go for Directory Services?

[Diagram: the same forest with sites defined: Seattle / AD Site 1 (DC1), Tacoma / AD Site 2 (DC2), and AD Site 3 in AWS (DC3); the site link to the AWS site carries cost 50.]
Properly implemented site topology and "Try Next Closest Site" policy enabled: clients use the least-cost path to a DC instead of any DC in the forest.
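The "AD On EC2 Windows" checklist (sites and subnets defined, site-link costs configured, "Try Next Closest Site" enabled) and the Seattle / Tacoma / AWS scenario above are the same topology seen from two sides. The following is an added example, not from the WIN305 deck, that builds that topology with the ActiveDirectory and GroupPolicy modules in a domain-admin session: one site per location, DC3's Availability Zone subnets in the AWS site, VPN links priced higher than the corporate WAN link, and the DC locator policy that makes clients honour those costs when their own site's DC is down. Site names, subnet ranges and the non-AWS link cost are assumed; cost 50 for the AWS links follows the slide.

```powershell
# Added example, not from the WIN305 deck: site topology for a forest that spans
# the corporate data center (Seattle, Tacoma) and AWS (DC3), plus the
# "Try Next Closest Site" policy. Subnets and the 20 cost are assumed values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$domainDns = $domain.DNSRoot

# 1. One site per location. DC3's Availability Zone subnets belong to the AWS site,
#    so EC2 clients pick DC3 first and corporate clients never prefer it.
$sites = [ordered]@{
    'Seattle' = @('192.168.10.0/24')
    'Tacoma'  = @('192.168.20.0/24')
    'AWS'     = @('10.0.2.0/24', '10.0.3.0/24')
}
foreach ($site in $sites.Keys) {
    New-ADReplicationSite -Name $site
    foreach ($cidr in $sites[$site]) {
        New-ADReplicationSubnet -Name $cidr -Site $site
    }
}
Move-ADDirectoryServer -Identity 'DC1' -Site 'Seattle'
Move-ADDirectoryServer -Identity 'DC2' -Site 'Tacoma'
Move-ADDirectoryServer -Identity 'DC3' -Site 'AWS'

# 2. Site links with costs. Lower cost wins: Seattle <-> Tacoma over the corporate
#    WAN is cheaper than either site <-> AWS over the VPN (cost 50, as in the slide),
#    so a Seattle client whose DC1 is down goes to DC2, not across the VPN to DC3.
$links = @(
    @{ Name = 'Seattle-Tacoma'; Sites = @('Seattle', 'Tacoma'); Cost = 20 },
    @{ Name = 'Seattle-AWS';    Sites = @('Seattle', 'AWS');    Cost = 50 },
    @{ Name = 'Tacoma-AWS';     Sites = @('Tacoma',  'AWS');    Cost = 50 }
)
foreach ($l in $links) {
    New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost $l.Cost `
        -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 3. "Try Next Closest Site": when no DC in the client's own site answers, the DC
#    locator walks the site links by cost instead of picking any DC in the domain.
$gpo = New-GPO -Name 'DC Locator - Try Next Closest Site'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Netlogon\Parameters' `
    -ValueName 'TryNextClosestSite' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $domainDn | Out-Null

# 4. Check from a Seattle client once policy has applied: with DC1 down the locator
#    should now report DC2 rather than DC3.
nltest /dsgetsite
nltest "/dsgetdc:$domainDns" /force
```

Without step 1 every DC, including DC3 behind the VPN, is a candidate for every client; without step 3 the locator ignores the costs from step 2 once the client's own site has no reachable DC. Both are needed for the "least cost path" behaviour the slide describes, and the AWS site's higher cost is also what keeps authentication latency and VPN exposure down for corporate clients.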
Adding Microsoft AD for AWS apps and services
[Diagram: the AD-on-EC2 design (EC2 domain controllers in each Availability Zone with trust or replication to the corporate data center DCs over the VPN connection; APP/WEB tiers in private subnets 10.0.2.0/24 and 10.0.3.0/24; remote users and admins connecting in) extended with AWS Managed Services in each Availability Zone: an AWS Microsoft AD DC, Amazon RDS SQL Server (DB) and Amazon WorkSpaces (VDI). Trusts connect AWS Microsoft AD to the EC2-hosted domain.]
Related Sessions
WIN303 – How to Launch a 100K-User Corporate Back
Office with Microsoft Servers and AWS
WIN403 – How to Migrate Microsoft Windows Applications
to AWS Quickly, with Less Risk, Using Multisite Replication
and SQL HA
References
Documentation
• AWS Directory Service – aws.amazon.com/directoryservice
• Microsoft AD – aws.amazon.com/documentation/directory-service/
• Amazon RDS SQL Server – aws.amazon.com/documentation/rds/
Quick Starts – aws.amazon.com/quickstart/
• Active Directory DS (Microsoft AD)
• Exchange Server 2013
• SharePoint 2016 Enterprise
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• PowerShell DSC
Thank you!
Remember to complete
your evaluations!