Support Documents
×


AWS Directory Service - Working with Simple AD

Lab Details

  1. This lab walks you through the steps on how to create a Simple AD directory, add Groups, Users and Computer.

  2. As part of this lab, the primary AWS Services used are - IAM, EC2, VPC, Directory Services.

  3. Duration : 1 hour 30 minutes

  4. AWS region : US East (N Virginia)

Introduction

What is AWS Directory Service?

  • AWS Directory Service provides multiple ways to use Microsoft Active Directory (AD) with other AWS services.

  • These Directories store information about users, groups, and devices, and administrators use them to manage access to information and resources.

  • Directory Service provides multiple choices for customers who want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP) aware applications in the cloud.

  • The service is built on the actual Microsoft Active Directory and powered by Windows Server 2012 R2.

  • AWS Directory Service includes several directory types to choose from.  They are:

  • AWS Directory Service for Microsoft Active Directory

  • AD Connector

  • Simple AD

  • Amazon Cognito

AWS Directory Service for Microsoft Active Directory

  • Is powered by an actual Microsoft Windows Server Active Directory (AD), managed by AWS in AWS Cloud.

  • It works with - Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and many .NET applications.

  • Supports AWS managed applications and services including - Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, and Amazon Relational Database Service for Microsoft SQL Server / Oracle / PostgreSQL.

AD Connector

  • Is a proxy service that provides an easy way to connect compatible AWS applications, such as Amazon WorkSpaces, Amazon QuickSight, and Amazon EC2 for Windows Server instances, to your existing on-premises Microsoft Active Directory.

  • Is the best choice when you want to use your existing on-premises Active Directory with compatible AWS services.

Amazon Cognito

  • Is a user directory that adds sign-up and sign-in to your mobile app or web application using Amazon Cognito User Pools.

  • Is used when you need to create custom registration fields and store that metadata in your user directory.

  • This service scales to support hundreds of millions of users.

Simple AD

  • A standalone Microsoft AD-compatible directory from AWS Directory Service that is powered by Samba 4.

  • It is used as a standalone directory in the cloud to support Windows workloads that need basic AD features, compatible AWS applications, or to support Linux workloads that need LDAP service.

  • Supports basic AD features such as user accounts, group memberships, joining a Linux domain or Windows based EC2 instances, Kerberos-based SSO, and group policies.

  • AWS provides monitoring, daily snapshots, and recovery as part of the service.

  • Compatible with Amazon WorkSpaces, Amazon WorkDocs, Amazon Quicksight, and Amazon WorkMail.

  • Does not support MFA, Trust relationships, DNS dynamic update, schema extensions, communication over LDAPS, etc.

  • Not compatible with RDS SQL Server.

  • Available in 2 sizes.

  • Small - Supports up to 500 users

  • Large - Supports up to 5,000 users

  • Prerequisites

  • Your VPC should have at least 2 subnets.  For Simple AD to install correctly, you must install your two domain controllers in separate subnets that must be in a different Availability Zone.  In addition, the subnets must be in the same CIDR range.

  • The necessary ports for the domain controllers that AWS Directory Service creates for you should be open to allow them to communicate with each other.

  • The VPC must have default hardware tenancy.

  • When the directory is created with Simple AD, AWS Directory Service performs the following tasks on your behalf:

  • Sets up a Samba-based directory within the VPC.

  • Creates a directory administrator account with the user name "Administrator" and the specified password.  This account is used to manage your directory.

  • Creates a security group for the directory controllers.

  • Creates an account that has domain admin privileges.

  • Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your VPC.  These DNS servers will resolve names configured in your Route 53 private hosted zones.

Architectural Diagram

Task Details

  1. Launching lab environment.

  2. Creating an IAM Role to work with Active Directory.

  3. Creating a VPC

  4. Creating an Simple AD Directory

  5. Create a DHCP Option Set

  6. Creating and Configuring Active Directory Server

  7. Launching Active Directory Server

  8. Logging with User credentials.

  9. Adding a computer to Active Directory Server.

  10. Deleting AWS Resources

Prerequisites

In order to proceed with the lab, you should have a Remote Desktop application on your computer.

For Windows users

  1. Click on the Start button, and search for RDC. You will find the Remote Desktop Connection application.

For Mac users

  1. On Mac, we have to download the Remote Desktop application.

  2. Go to the App Store, and search for Microsoft Remote Desktop and download the following application.

For Linux users

  1. On Linux, Remmina is usually included in the distribution.

  2. If not, go to https://remmina.org/how-to-install-remmina/ and follow the instructions to install for any linux distribution.

Case Study

  • We are required to create a Simple AD.

  • Adding groups / users / computers to the created AD.

  • Logging to AD with the new User credentials.