Lab Details
This lab shows you how to create a Simple AD directory and add users, groups, and computers to it.
This lab uses the following AWS Services: IAM, EC2, VPC and Directory Services.
Duration: 2 hours
AWS region : US East (N Virginia)
Introduction
What is AWS Directory Service?
AWS Directory Service offers multiple ways to integrate Microsoft Active Directory (AD), with other AWS services.
These directories contain information about users, groups and devices. Administrators use them to manage information and resources.
Directory Service offers multiple options for customers who want to run their existing Microsoft AD and Lightweight Directory Access Protocol (LDAP)-aware applications in the cloud.
The managed Microsoft AD option is built on actual Microsoft Active Directory running on Windows Server 2012 R2.
AWS Directory Service offers several types of directory to choose from. These are:
AWS Directory Service for Microsoft Active Directory
AD Connector
Simple AD
Amazon Cognito
AWS Directory Service for Microsoft Active Directory
It is powered by an actual Microsoft Windows Server Active Directory (AD), managed and maintained by AWS in the AWS Cloud.
It can be used with Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and many other .NET applications.
AWS Managed Microsoft AD also supports AWS-managed applications and services, including Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, and Amazon Relational Database Service (RDS) for Microsoft SQL Server, Oracle and PostgreSQL.
AD Connector
It is a proxy service that connects compatible AWS applications, such as Amazon WorkSpaces, Amazon QuickSight and Amazon EC2 for Windows Server instances, to your existing Microsoft Active Directory without caching directory data in the cloud.
This is the best option if you want to use your existing on-premises Active Directory with compatible AWS services.
Amazon Cognito
This user directory adds sign-up and sign-in to your web or mobile app using Amazon Cognito User Pools.
It lets you create custom registration fields and store that metadata in your user directory.
This service can support hundreds of millions of users.
Simple AD
A Microsoft AD-compatible directory offered by AWS Directory Service. It is powered by Samba 4, not by Windows Server.
It can be used as a standalone directory in the cloud to support Windows workloads that need basic AD features or compatible AWS applications, or to support Linux workloads that need an LDAP service.
Basic AD features are supported, including user accounts, group memberships, joining Linux and Windows-based EC2 instances to the domain, Kerberos-based SSO, and Group Policy.
AWS provides monitoring, daily snapshots and recovery as part of the service.
Compatible with Amazon WorkSpaces and Amazon WorkDocs.
Simple AD does not support multi-factor authentication (MFA), trust relationships with other domains, or schema extensions, and it does not support LDAP over TLS (LDAPS). In practice this means LDAP binds from clients in the VPC travel unencrypted, so keep the directory's security group tight and do not expose it beyond the VPC.
Not compatible with Amazon RDS for Microsoft SQL Server.
Available in two sizes:
Small - supports up to 500 users
Large - supports up to 5,000 users
Prerequisites
Your VPC needs at least two subnets. Simple AD places one domain controller in each of the two subnets you select, and each subnet must be in a different Availability Zone so that the directory survives the loss of one zone. Both subnets must belong to the same VPC and fall within its CIDR range.
Make sure that nothing in the VPC (network ACLs, or the security groups of instances that will join the domain) blocks the ports listed in the AWS Directory Service documentation, so the domain controllers can talk to each other and to their clients.
The VPC must use default hardware tenancy; dedicated tenancy is not supported.
When you create a Simple AD directory, AWS Directory Service does the following for you:
Creates a Samba-based directory within the VPC.
Creates a directory administrator account with the user name "Administrator" and the password you specify. This account is a member of Domain Admins and is used to manage your directory, so treat its password as a high-value secret (for example, keep it in AWS Secrets Manager) and use it only for directory administration, not for day-to-day domain joins.
Creates a security group for the directory controllers.
Configures the directory to forward DNS requests it cannot answer to the Amazon-provided DNS servers for your VPC. Those servers can resolve names configured in your Route 53 private hosted zones.
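Before you click through the console, it is worth checking the prerequisites above against the VPC you intend to use and validating the Administrator password up front, because a rejected password or a subnet pair in one Availability Zone is the usual reason a Simple AD creation fails. The script below is an added example written for this page, not code from the lab or from AWS. It reads the JSON shapes returned by `aws ec2 describe-vpcs` and `aws ec2 describe-subnets` (the sample data embedded here is constructed), enforces the password rule AWS documents for the Administrator account (8 to 64 characters, with characters from at least three of the four classes lowercase, uppercase, digits, special), and assembles the request body for `aws ds create-directory --cli-input-json`. The VPC and subnet IDs, the domain name and the password are placeholders.

```python
"""Pre-flight checks for creating a Simple AD directory (added example, not part of the lab).

No AWS API call is made here; the output is a request body you feed to
`aws ds create-directory --cli-input-json file://create-directory.json`.
"""
import ipaddress
import json
import re

# Constructed sample data in the shape of `aws ec2 describe-vpcs` / `describe-subnets` output.
SAMPLE_VPC = {
    "VpcId": "vpc-0a1b2c3d",
    "CidrBlock": "10.0.0.0/16",
    "InstanceTenancy": "default",
    "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}],
}
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-aaa111", "VpcId": "vpc-0a1b2c3d",
     "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-bbb222", "VpcId": "vpc-0a1b2c3d",
     "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "us-east-1b"},
]

# AWS-documented character classes for the directory Administrator password.
PASSWORD_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[~!@#$%^&*_\-+=`|\\(){}\[\]:;\"'<>,.?/]"]


def check_prerequisites(vpc, subnets):
    """Return a list of problems; an empty list means the VPC and subnets qualify."""
    problems = []
    if vpc.get("InstanceTenancy") != "default":
        problems.append(f"{vpc['VpcId']} tenancy is {vpc.get('InstanceTenancy')!r}; Simple AD needs 'default'")
    if len(subnets) != 2:
        problems.append(f"exactly 2 subnets are required (one per domain controller), got {len(subnets)}")
    # Primary CIDR plus any secondary CIDR blocks associated with the VPC.
    vpc_nets = [ipaddress.ip_network(vpc["CidrBlock"])]
    vpc_nets += [ipaddress.ip_network(a["CidrBlock"]) for a in vpc.get("CidrBlockAssociationSet", [])]
    for s in subnets:
        if s["VpcId"] != vpc["VpcId"]:
            problems.append(f"{s['SubnetId']} belongs to {s['VpcId']}, not {vpc['VpcId']}")
        net = ipaddress.ip_network(s["CidrBlock"])
        if not any(net.subnet_of(v) for v in vpc_nets):
            problems.append(f"{s['SubnetId']} ({s['CidrBlock']}) is outside the VPC CIDR range")
    zones = {s["AvailabilityZone"] for s in subnets}
    if len(zones) < len(subnets):
        problems.append("subnets must be in different Availability Zones, got " + ", ".join(sorted(zones)))
    return problems


def password_meets_policy(password):
    """8-64 characters and at least one character from three of the four classes."""
    if not 8 <= len(password) <= 64:
        return False
    return sum(bool(re.search(p, password)) for p in PASSWORD_CLASSES) >= 3


def build_create_directory_request(name, short_name, password, size, vpc, subnets, description=""):
    """Validate inputs and return the CreateDirectory request body as a dict."""
    problems = check_prerequisites(vpc, subnets)
    if problems:
        raise ValueError("; ".join(problems))
    if not password_meets_policy(password):
        raise ValueError("Administrator password does not meet the documented policy")
    if size not in ("Small", "Large"):
        raise ValueError("size must be 'Small' (up to 500 users) or 'Large' (up to 5,000 users)")
    return {
        "Name": name,
        "ShortName": short_name,
        "Password": password,
        "Description": description,
        "Size": size,
        "VpcSettings": {"VpcId": vpc["VpcId"], "SubnetIds": [s["SubnetId"] for s in subnets]},
    }


if __name__ == "__main__":
    # Placeholder domain and password; the Administrator account is a Domain Admin,
    # so write this file with restrictive permissions and delete it after the call.
    request = build_create_directory_request(
        "corp.example.com", "CORP", "Ch4ngeMe!Now", "Small", SAMPLE_VPC, SAMPLE_SUBNETS, "lab directory")
    print(json.dumps(request, indent=2))
```

Run it, redirect the output to `create-directory.json`, and pass that file to `aws ds create-directory --cli-input-json file://create-directory.json`; swap in the real `describe-vpcs` and `describe-subnets` output first. If `check_prerequisites` returns anything, fix the VPC before creating the directory rather than after, since a failed creation still leaves you waiting for the directory to be deleted.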