AWS Directory Services: A Comprehensive Guide
- Duong Hoang
- Jun 5, 2024
- 3 min read

What is AWS Directory Services?
AWS Directory Services offers ways to use Amazon Cloud Directory and Microsoft Active Directory (AD) with other AWS services. It stores information about users, groups, and devices, and administrators use it to manage access to information and resources.
AWS Directory Services provides multiple directory options for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP) applications in the cloud. It also offers similar choices for developers needing a directory service to manage users, groups, devices, and access permissions.
Benefits of AWS Directory Services
Migrate Directory-Aware On-Premises Workloads Easily
AWS Microsoft AD makes it easier to migrate Active Directory-dependent services, on-premises applications, and workloads to the AWS Cloud. With AWS Microsoft AD, you can run your entire infrastructure across your data center and AWS without synchronizing or replicating your existing Active Directory data to the AWS Cloud.
Use Actual Microsoft Active Directory
Utilize familiar Active Directory management tools and features like Group Policy (GPO), trust domains, password policies, and Kerberos-based single sign-on (SSO).
Share a Single Directory for Cloud Workloads
Share one directory for all Active Directory-aware Amazon EC2 instances, Amazon RDS for SQL Server, and AWS Enterprise IT applications such as Amazon WorkSpaces. Using AWS Microsoft AD avoids the complexity of replicating and synchronizing data across multiple directories.
Easily Extend Existing Domains
Extend your existing Active Directory to the AWS Cloud using AWS Microsoft AD. Extend your current Group Policies to your cloud resources and allow users to log in with their existing enterprise credentials.
Centrally Manage Application Access and Devices in the AWS Cloud
Join your computers, laptops, and printers to a managed Active Directory domain. AWS Microsoft AD offers options for on-premises management of users, groups, applications, and systems without the complexity of running and maintaining an existing Active Directory.
Simplify Administration with a Managed Service
AWS Microsoft AD is built on AWS-managed infrastructure. Each directory is deployed across multiple Availability Zones and is monitored automatically; domain controllers that fail are detected and replaced. You don't need to install software; AWS handles all updates, patches, and software maintenance.
AWS Directory Services Options
AD Connector
Utilize an existing Microsoft Active Directory to access AWS applications and services like WorkSpaces, WorkDocs, and WorkMail. AD Connector forwards Kerberos and LDAP requests from these applications to the existing directory for user authentication. It allows EC2 instances to join the existing domain but doesn't support other Windows applications.
Simple AD
A Microsoft Active Directory-compatible directory powered by Samba 4 and hosted on the AWS Cloud. Simple AD offers features like users, groups, EC2 instances running Linux and Windows joining the domain, Kerberos-based SSO, and Group Policies but doesn't support trust relationships with on-premises directories.
Microsoft AD
Also known as AWS Directory Service for Microsoft Active Directory (Enterprise Edition). Microsoft AD is a Microsoft Active Directory hosted on the AWS Cloud. AWS Microsoft AD includes most Active Directory features, including multi-directional trusts, group policy, SSO, and linking to EC2 in the Cloud.
Choosing the Right AWS Directory Service
Below is a table to help you choose the most suitable AWS Directory Service option:
| Feature | AD Connector | Simple AD | Microsoft AD | AD on EC2 |
|---|---|---|---|---|
| AWS application login authentication (WorkSpaces, WorkDocs, WorkMail) | Yes | Yes | Yes | Yes |
| EC2 instances joining the domain (Linux & Windows) | Yes | Yes | Yes | Yes |
| AWS Management Console SSO with existing AD credentials | Yes | Yes | Yes | Yes |
| Support up to 5,000 users and 20,000 objects | Yes | Yes | Yes | Yes |
| Windows application login authentication (.NET, SQL-based) | No | Yes | Yes | Yes |
| Active Directory features (users, groups, GPO) | No | Yes | Yes | Yes |
| Advanced AD features (DNS dynamic update, AD Administrative Center, PowerShell, AD recycle bin, group managed service accounts, schema extensions) | No | No | Yes | Yes |
| Trust relationships between AD domains | No | No | Yes | Yes |
| Trust with AWS directories | No | No | Yes | Yes |
| Support up to 50,000 users and 200,000 objects | No | No | Yes | Yes |
| Edit AD schema, LDAPS communication, PowerShell AD commands, FSMO role transfer | No | No | No | Yes |
| Active Directory replication | No | No | No | Yes |
| Support over 50,000 users and 200,000 objects | No | No | No | Yes |
| Windows Authentication for Amazon RDS DB instance running Microsoft SQL Server | No | No | Yes | No |
Simple Active Directory
Simple AD is an independent, managed directory powered by Samba 4 Active Directory Compatible Server. It comes in two types:
Small: Supports up to 500 users (around 2,000 objects including users, groups, and computers).
Large: Supports up to 5,000 users (around 20,000 objects including users, groups, and computers).
Supported Applications
- Microsoft Internet Information Services (IIS)
  - Windows Server 2003 R2
  - Windows Server 2008 R1
  - Windows Server 2008 R2
  - Windows Server 2012
  - Windows Server 2012 R2
- Microsoft SQL Server
  - SQL Server 2005 R2 (Express, Web, and Standard editions)
  - SQL Server 2008 R2 (Express, Web, and Standard editions)
  - SQL Server 2012 (Express, Web, and Standard editions)
  - SQL Server 2014 (Express, Web, and Standard editions)
- Microsoft SharePoint
  - SharePoint 2010 Foundation
  - SharePoint 2010 Enterprise
  - SharePoint 2013 Enterprise
Requirements for Creating Simple AD
At least two subnets in different Availability Zones.
The following ports must be open between the subnets:
TCP/UDP 53 - DNS
TCP/UDP 88 - Kerberos authentication
UDP 123 - NTP
TCP 135 - RPC
UDP 137-138 - Netlogon
TCP 139 - Netlogon
TCP/UDP 389 - LDAP
TCP/UDP 445 - SMB
TCP 873 - Rsync
TCP 3268 - Global Catalog
TCP/UDP 1024-65535 - Ephemeral ports for RPC
Enable default hardware tenancy when creating a VPC.
Required encryption types for the directory:
RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
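A practical way to use the port list above is to audit the security group attached to the directory subnets before creating Simple AD: every required port must be reachable between the subnets, and none of them should be reachable from the internet. The script below is an added example, not part of the post or any AWS tool; it assumes inbound rules shaped like the IpPermissions entries boto3's describe_security_groups returns, and the rules it checks are constructed inline rather than fetched from AWS.

```python
# Checks a security group's inbound rules against the ports the post lists for Simple AD.
# Added example (not from the post or AWS). REQUIRED_PORTS is the post's list; SAMPLE_RULES is
# constructed to mimic the IpPermissions entries boto3 returns, so nothing here calls AWS.
REQUIRED_PORTS = [  # (protocol, first port, last port) needed between the two subnets
    ("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88), ("udp", 88, 88),
    ("udp", 123, 123), ("tcp", 135, 135), ("udp", 137, 138), ("tcp", 139, 139),
    ("tcp", 389, 389), ("udp", 389, 389), ("tcp", 445, 445), ("udp", 445, 445),
    ("tcp", 873, 873), ("tcp", 3268, 3268),
    ("tcp", 1024, 65535), ("udp", 1024, 65535),  # RPC ephemeral ports
]
def _covers(rule, proto, lo, hi):
    """True if one rule allows the whole proto/lo-hi range ('-1' = all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == proto and rule["FromPort"] <= lo <= hi <= rule["ToPort"]

def _overlaps(rule, proto, lo, hi):
    """True if one rule allows at least one port of the proto/lo-hi range."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == proto and rule["FromPort"] <= hi and rule["ToPort"] >= lo

def missing_ports(rules):
    """Required ranges that no single rule allows; the directory will not deploy."""
    return [r for r in REQUIRED_PORTS if not any(_covers(p, *r) for p in rules)]

def internet_exposed(rules):
    """Rules that open any required directory port to the whole internet."""
    def is_wide(p):
        return any(c["CidrIp"] == "0.0.0.0/0" for c in p.get("IpRanges", [])) or \
               any(c["CidrIpv6"] == "::/0" for c in p.get("Ipv6Ranges", []))
    return [p for p in rules if is_wide(p) and any(_overlaps(p, *r) for r in REQUIRED_PORTS)]

def _rule(proto, lo, hi, cidr):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}

VPC = "10.0.0.0/16"  # constructed VPC CIDR of the directory subnets
SAMPLE_RULES = [  # constructed; udp/389 and tcp/873 are deliberately absent
    _rule("tcp", 53, 53, VPC), _rule("udp", 53, 53, VPC), _rule("tcp", 88, 88, VPC),
    _rule("udp", 88, 88, VPC), _rule("udp", 123, 123, VPC), _rule("tcp", 135, 139, VPC),
    _rule("udp", 137, 138, VPC), _rule("tcp", 389, 389, VPC), _rule("udp", 445, 445, VPC),
    _rule("tcp", 445, 445, "0.0.0.0/0"),  # SMB open to the internet: flagged below
    _rule("tcp", 3268, 3268, VPC), _rule("tcp", 1024, 65535, VPC), _rule("udp", 1024, 65535, VPC),
]
if __name__ == "__main__":
    for proto, lo, hi in missing_ports(SAMPLE_RULES):
        print(f"missing: {proto}/{lo}-{hi}")
    for p in internet_exposed(SAMPLE_RULES):
        print(f"internet-exposed: {p['IpProtocol']}/{p['FromPort']}-{p['ToPort']}")
```

On the constructed rules it reports udp/389 and tcp/873 as missing and the tcp/445 rule as internet-exposed; the coverage check is per rule, so a range split across several rules would also be reported as missing.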
This guide covers the essentials of AWS Directory Services. In future posts, we will explore detailed configuration of various AWS Directory Services options.