Active Directory on AWS to Support Windows Workloads

Hans Moser, Senior Partner Solutions Architect – Microsoft Workloads, [email protected]

© 2020, Amazon Web Services, Inc. or its Affiliates. Slide deck transcript (46 pages), posted 22-Apr-2021.

Page 1: Active Directory on AWS to Support Windows Workloads (title slide)

Page 2: About me

Hans Moser

• Tyrolean/Austrian
• Not a relative to the Austrian actor
• 2 years AWS
• 5 years Microsoft
• 13 years in various companies across Austria
• Infra, Identity, Exchange, PowerShell
• Website/Twitter/LinkedIn/Xing etc. exist, but not really active

Page 3: What we’ll cover today

• Why Windows Workloads on AWS are AWSome
• Basics
• Active Directory Options on AWS
• DNS in a hybrid world
• AWS SSO

Page 4: Why are customers choosing AWS for Windows Workloads?

Page 5: AWS is the best place to run Windows workloads

Timeline figure, 2008 to today ("12 years of experience"), of Windows-related AWS launches; the labels recoverable from the slide, grouped by panel:

• .NET: .NET Core & PowerShell on AL2/Ubuntu, Windows Deep Learning AMI, .NET Core on Linux AMIs, Lambda support for PowerShell Core, Amazon ECS for Windows Containers, Amazon EKS for Windows, Mono support on AL2, App Modernization, AWS Tools for Windows PowerShell, .NET SDK, DynamoDB Accelerator SDK for .NET, .NET on Lambda & AWS CodeBuild, .NET Core 2.1 support with Lambda & X-Ray, X-Ray .NET SDK, AWS X-Ray .NET Core support, CloudWatch AppInsights for .NET and SQL, .NET Developer Hub
• SQL Server: SQL 2017 AMI on AL2/Ubuntu, SQL Server 2008 R2, Amazon RDS adds SQL Server, SQL Server 2017, SQL Server 2012, SQL Server 2016, SQL Server 2008 upgrade, AWS Launch Wizard for SQL Server, SQL Server 2019 on EC2
• Windows Server & EC2: AWS Directory Service, Visual Studio Toolkit, Microsoft SCOM plug-in, Microsoft SharePoint 2016 (Marketplace), Microsoft SCVMM plug-in, SAP instance on AWS 2012, Trusted Advisor checks for Windows, Hyper-V support in SMS, Windows for Lightsail, application-consistent snapshots through VSS, Sessions Manager, Dedicated Host enhancement Tag-On, EC2 Dedicated Hosts (BYOL), EC2 Run Command, EC2 Systems Manager, EC2 Dedicated Instances (BYOL), EC2 Windows on Bare Metal/Hyper-V AMI, WS 2008 & SQL Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2016, Windows Server 1803, Windows Server 2003, application migration using AWS SMS, Active Directory Cross-VPC support, AWS License Manager, Amazon FSx for Windows File Server

Callouts on the slide (paired in the order they appear): 90+ instance types across 22 instance families, 40+ different AMIs for Windows workloads, 750+ Windows ISV listings in AWS Marketplace.

Page 6: Scale globally with resilience in every region

Plans for nine more Availability Zones and three more AWS Regions in Indonesia, Japan, and Spain.

A Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.

Figure: an AWS Region made up of several Availability Zones (AZ), each built from one or more data centers and interconnected through transit facilities.

Page 7: What do customers need to think about before migrating?

Page 8: Network Design

Diagram of the network design topics for the AWS Cloud:

• VPC design
• Subnet design
• Access Control Lists & Security Groups
• Logging and Monitoring
• VPN / AWS Direct Connect

Page 9: What Does Every Enterprise Microsoft Service Depend On?

Identities

• Users
• Groups
• Computer Accounts
• Service Accounts
• …

Microsoft Active Directory on AWS provides

• Choice
• Managed Service
• Familiar management tools
• Easy integration

Page 10: Active Directory Options on AWS

Page 11: Active Directory Architecture Options

Diagram of the five options and who manages the domain controllers:

1. On-premises: Windows Server DC in your data center (you manage)
2. AD on EC2: domain controllers on Amazon EC2 in AWS (you manage)
3. AWS Managed AD (AWS manages)
4. AWS AD Connector in AWS, proxying to AD on premises
5. Claims-based auth (CBA) integration with AD: SAML – AD integration

Page 13: AD On-premises Overview

• Establish network connectivity between your on-premises environment and AWS, either via VPN or Direct Connect
• AWS resources use your on-premises AD domain controllers for any AD operations.
• Usually a first step to a longer-term solution.

Diagram: EC2 instances in the AWS Cloud reach AD on-premises in the corporate data center over AWS Direct Connect or AWS Site-to-Site VPN.

Page 14: AD On-premises Considerations

Benefits

• Leverage on-premises AD

Considerations

• Latency across the network connection to on-premises AD servers
• Will need to add AD Connector or Managed AD to support AWS services (e.g. SSO, Workspaces, RDS, Chime, Connect, domain auto join, etc.)

Page 16: AD on EC2 Overview

• You create EC2 instances in AWS
• You promote instances to be Microsoft Active Directory domain controllers in the same on-premises AD forest.
• Could be in the same AD domain as on-premises or a new AD domain.

Diagram: AD on EC2 in the AWS Cloud connected to AD on-premises in the corporate data center over AWS Direct Connect or AWS Site-to-Site VPN.

Page 17: AD on EC2 Overview

Benefits

• Leverage same AD as on-premises
• You are domain administrators and have full permissions in the environment.
• Use same AD schema, users, and configuration as on-premises AD
• Can load applications that require extensive AD permissions (e.g. MS Exchange)
• Supports multiple regions

Considerations

• You are responsible for patching, managing, and maintaining the AD domain.
• Will need to add AD Connector or Managed AD to support AWS services (e.g. AWS SSO, Amazon Workspaces, Amazon RDS, Amazon Connect, EC2 domain auto join, etc.)

Page 18: General Design Considerations

• Customer responsible for patching, monitoring, backups, and high availability
• Place domain controllers in a minimum of two Availability Zones to provide high availability
• Treat Availability Zones as you would distinct data centers (e.g. AD Sites)

Page 19: Security / Network Considerations

• Active Directory best practices still apply in AWS
• Control access to your domain controller instances
• Domain controllers should not be internet-facing
• Place domain controllers and other non-internet-facing servers in private subnets
• Use NACLs and security groups to control which Active Directory ports are open
• EC2 instances get their addresses via DHCP (and that’s fine, also for DCs: the private IP is reserved on the ENI)
• DHCP option sets per VPC
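One way to act on the "control which ports are open" point above: an added Python check (not from the deck or from AWS) that flags domain-controller security-group ingress rules whose source lies outside the trusted VPC and on-premises ranges. The security group document, the trusted CIDRs and the AD port list are constructed assumptions.

```python
"""Flag AD-relevant security-group ingress rules open to untrusted sources.

The rule document mirrors the IpPermissions shape returned by
`aws ec2 describe-security-groups`; every value below is constructed."""
import ipaddress

# Ports a domain controller serves (assumption: the common AD DS set; adjust
# to your environment). The RPC dynamic range is checked as a range.
AD_PORTS = {53, 88, 135, 389, 445, 464, 636, 3268, 3269}
RPC_DYNAMIC = (49152, 65535)

# Constructed sample: the VPC CIDR and the corporate network.
TRUSTED_CIDRS = ["10.0.0.0/16", "192.168.0.0/16"]

SAMPLE_SG = {  # constructed sample security group, not a real one
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # LDAP from anywhere
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},     # Kerberos from the VPC
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},  # DNS from on-prem
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # not an AD port
    ],
}


def rule_ports(perm):
    """Port range covered by one permission; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def touches_ad(perm):
    """True if the permission covers any AD port or the RPC dynamic range."""
    lo, hi = rule_ports(perm)
    if any(lo <= p <= hi for p in AD_PORTS):
        return True
    return not (hi < RPC_DYNAMIC[0] or lo > RPC_DYNAMIC[1])


def find_exposed(security_group, trusted_cidrs):
    """Return (cidr, from_port, to_port) for AD-relevant rules whose source
    CIDR is not contained in any trusted range (e.g. 0.0.0.0/0)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in security_group["IpPermissions"]:
        if not touches_ad(perm):
            continue
        lo, hi = rule_ports(perm)
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            src = ipaddress.ip_network(cidr)
            ok = any(src.version == t.version and src.subnet_of(t)
                     for t in trusted)
            if not ok:
                findings.append((cidr, lo, hi))
    return findings


if __name__ == "__main__":
    for cidr, lo, hi in find_exposed(SAMPLE_SG, TRUSTED_CIDRS):
        print(f"{SAMPLE_SG['GroupId']}: ports {lo}-{hi} open to {cidr}")
```

Security-group references (UserIdGroupPairs) are left alone here, since they never admit internet sources; NACLs would need a separate pass over their numbered rules.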

Page 20: AD Backup and Recovery Considerations

Do not use snapshots for AD DS backups

• Crash-consistent, not application-consistent
• VM Generation ID not supported in Amazon EC2 (so a rolled-back snapshot is not detected by AD DS)

Use Windows System State backups

• Create a dedicated EBS volume for system state backups
• Snapshot system state backups to Amazon S3/Amazon Glacier for long-term retention
• AWS Backup plans via tags

Page 22: AWS Managed Microsoft Active Directory Service

Amazon: fully managed AD directory service

• Sets up 2 AD domain controllers in a new AD forest
• Manages (patches, monitors, backs up)
• Comes in 2 editions*

Customer: administer and configure

• Administer users, groups, GPOs, other AD content
• Administration via Active Directory Users and Computers (ADUC) and other standard AD tools
• Configure password policies
• Add domain controllers as needed
• Configure trusts (resource forest deployment)
• Configure certificate authorities (for LDAPS)
• Configure federation

* Standard: 1 GB, ~5k employees, ~30k objects. Enterprise: 17 GB, >5k employees, ~500k objects.

Page 23: AWS Managed Microsoft Active Directory Service

Benefits

• AWS manages the hardware and software (patching, backing up, monitoring)
• Can establish an AD trust with your on-premises AD to leverage the existing AD users and groups
• Supports AWS services (e.g. AWS SSO, Amazon Workspaces, Amazon Connect, EC2 domain auto join, etc.)

Considerations

• You get a delegated admin (not domain admin) and delegated groups
• Each AWS Managed Microsoft AD supports one AWS region.
• Each AWS Managed Microsoft AD is a new AD forest.

Page 25: AWS AD Connector

• Proxy solution to AD domain controllers (either on-premises or Managed AD)
• Sign in to AWS applications (e.g. AWS SSO, Amazon WorkSpaces, Amazon WorkDocs)
• Seamless domain join for Windows instances
• Federated sign-in to AWS Console

Diagram: AD Connector and Amazon EC2 in the AWS Cloud; AD Connector proxies either to AD on-premises in the corporate data center (over AWS Direct Connect or AWS Site-to-Site VPN) or to Managed AD, potentially in another AWS account or region.

Page 26: AWS AD Connector

Benefits

• AWS manages the hardware and software
• Supports AWS services (e.g. AWS SSO, Amazon Workspaces, Amazon Connect, EC2 domain auto join, etc.)
• Leverages your on-premises AD

Considerations

• Provides a proxy connection to Active Directory
• Application compatibility
• Requires a self-managed AD or AWS Managed AD

Page 28: Claims Based Auth – AD Integration

Diagram: AWS Single Sign-On in the AWS Cloud, fed by AD Connector / Managed AD (with Amazon EC2), by on-premises Active Directory via ADFS, and by external identity providers (Office365, Google, Ping, Okta).

• AWS SSO provides integration to 3rd party Identity Providers (e.g. Azure AD, Google, Okta, Ping).

Page 29: AWS SAML – AD Integration

Benefits

• Can leverage the customer’s existing Identity Provider.
• AWS SSO supports SCIM sync from Azure AD

Considerations

• Some AWS services don’t support a SAML integration (e.g. Amazon Workspaces, Amazon RDS, Amazon Connect, EC2 domain auto join, etc.)
• These services will still need an AD integration

Page 30: Demo

Managed Active Directory Administration

Page 31: Migration

SMS, DMS, CloudEndure?

Page 32: Microsoft Active Directory migration using ADMT

Diagram: the on-premises department network (domain department.local, with DC1 and a domain client) connects to AWS over VPN or Direct Connect; a trust relationship links it to AWS Managed Active Directory spread across Availability Zones A and B; ADMT, with a PES install on the source side, migrates the accounts.

Page 33: Hybrid DNS Design

Page 34: DNS and Windows EC2 Seamless Domain Join

With seamless domain join

• Static DNS servers are set inside the Windows instance
• DNS server IPs are provided by Managed AD or AD Connector

Without seamless domain join

• 'Obtain DNS server address automatically’ within the instance
• DHCP setting controlled by the DHCP option set for the particular VPC
• By default points to the Route 53 address (VPC +2)

Page 35: Route 53 Resolver Endpoints

Inbound endpoints

• Allow on-premises resolvers to query Route 53 Resolver
• Create routable ENIs in the VPC, reachable over AWS Direct Connect or VPN

Outbound endpoints

• Path for Route 53 Resolver to query your DNS resolvers
• Create source ENIs in your VPC
• Usable by many VPCs

Limit: 10,000 QPS per ENI

Page 36: Inbound endpoints

Diagram: clients and DNS resolver servers in the corporate network reach, over Direct Connect, an inbound resolver endpoint in each Availability Zone of the VPC; the endpoints hand the queries to the VPC +2 Route 53 Resolver that also serves the instances.

Page 37: Outbound endpoints

Diagram: instances in each Availability Zone query the VPC +2 Route 53 Resolver; for the zones mycompany.com and 168.192.in-addr.arpa, an outbound resolver endpoint in each Availability Zone forwards the query (example: foo.mycompany.com/A) over Direct Connect to the DNS resolver servers in the corporate network.

Page 38: Route 53 Resolver Rules

• Configure how Route 53 Resolver makes queries
• Two types: FORWARD and SYSTEM

Figure: Route 53 Resolver processing order, from "1. Private DNS" to DNS Resolver 1 and DNS Resolver 2.

Page 39: Hybrid DNS Summary

• Multiple options when using AWS Managed AD or AD on EC2
• Microsoft AD best practices still apply (e.g. DCs as DNS, secure dynamic updates, AD-integrated zones, etc.)
• Conditional forwarders can point to the .2 Route 53 resolver (e.g. for Route 53 private zones)
• Keep DNS resolution local to the region

For more details see: AWS re:Invent 2019: Deep dive on DNS in the hybrid cloud (NET410)
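To make the FORWARD/SYSTEM rule selection from page 38 and the ".2 resolver" point above concrete, here is an added Python model (not from the deck or from AWS) of how a query is routed: the most specific matching rule domain wins, FORWARD rules send the query to the listed resolvers, SYSTEM rules keep it on the VPC +2 Route 53 Resolver. The rule set, VPC CIDR and on-premises resolver addresses are constructed.

```python
"""Model of Route 53 Resolver rule selection for a hybrid AD/DNS design.

Rules mirror the deck's zones (mycompany.com and 168.192.in-addr.arpa
forwarded on-premises) plus a SYSTEM rule that keeps an AWS-hosted subdomain
on the VPC +2 resolver. All addresses and names below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverRule:
    domain: str          # rule domain, e.g. "mycompany.com"; "." matches all
    rule_type: str       # "FORWARD" or "SYSTEM"
    targets: tuple = ()  # forwarder IPs, FORWARD rules only


ONPREM_DNS = ("192.168.10.53", "192.168.11.53")  # constructed on-prem DCs/DNS
SAMPLE_RULES = (
    ResolverRule(".", "SYSTEM"),                                  # default rule
    ResolverRule("mycompany.com", "FORWARD", ONPREM_DNS),         # corporate zone
    ResolverRule("168.192.in-addr.arpa", "FORWARD", ONPREM_DNS),  # reverse zone
    ResolverRule("aws.mycompany.com", "SYSTEM"),                  # Route 53 private zone
)


def vpc_plus_two(vpc_cidr):
    """Amazon-provided DNS address for a VPC: base of the CIDR plus two."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


def _labels(name):
    """DNS labels, lower-cased, ignoring a trailing dot; "." gives []."""
    return [label for label in name.rstrip(".").lower().split(".") if label]


def matches(rule_domain, qname):
    """A rule applies when its labels are a suffix of the query name."""
    rd, qn = _labels(rule_domain), _labels(qname)
    return not rd or (len(qn) >= len(rd) and qn[-len(rd):] == rd)


def select_rule(rules, qname):
    """Most specific matching domain (most labels) wins; None if no match."""
    candidates = [r for r in rules if matches(r.domain, qname)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def resolve_path(rules, qname, vpc_cidr):
    """Where the query goes: ("FORWARD", targets) or ("VPC+2", address)."""
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        return ("VPC+2", vpc_plus_two(vpc_cidr))
    return ("FORWARD", rule.targets)


if __name__ == "__main__":
    for q in ("foo.mycompany.com", "db.aws.mycompany.com",
              "5.20.168.192.in-addr.arpa", "example.org"):
        print(q, "->", resolve_path(SAMPLE_RULES, q, "10.0.0.0/16"))
```

The SYSTEM rule for aws.mycompany.com is what lets a Route 53 private hosted zone answer for a subdomain even though its parent is forwarded on-premises; without it the parent FORWARD rule would win.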

Page 40: AWS Single Sign-On (SSO)

Page 41: Centrally manage access

Diagram: AWS SSO at the center, connected to external SAML IdPs (e.g. AzureAD, Okta, Ping, OneLogin, etc.), to SAML apps (SaaS, on-prem, custom in AWS), and to multiple AWS accounts.

Page 42: AzureAD & AWS SSO: Inbound SAML & SCIM

SCIM: System for Cross-domain Identity Management. Think: provisioning users & groups (minus creds).

SAML: Security Assertion Markup Language. Think: runtime authentication.

Diagram: Azure AD holds the user & group information; over SCIM, user & group information (no creds) is replicated to AWS Single Sign-On in advance and on-going; SAML is used at runtime; AWS Single Sign-On holds the AWS & app entitlements and grants access to multiple AWS accounts (console, CLI, API).

Page 43: AWS SSO - Looking ahead

Diagram: AWS Single Sign-On with AWS & app entitlements, drawing on SSO native identities, external IdP identities (e.g. AzureAD, Okta, Ping, OneLogin, etc.) and Active Directory identities, and fronting AWS 1st party applications, multiple AWS accounts (console, CLI, API) and SAML apps (SaaS, on-prem, custom in AWS), with SmartAuth.

Choice of identities. Cloud ready & integrated. 1 identity, use everywhere.

Page 44: Demo

AWS SSO

Page 45: Summary

Today we covered

• Microsoft Active Directory options on AWS
• DNS options when using Active Directory on AWS
• How AWS SSO can help you with central access management
• For more details see: AWS re:Invent 2019: Managing user permissions at scale with AWS SSO (SEC308)

Page 46: Thank You

[email protected]
[email protected]

Q&A: Feel free to use the chat for your questions, or reach out to us directly.