©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
Running Active Directory in the AWS Cloud
Wayne Saxe – Ecosystem Solutions Architect
October 28, 2015 | Dallas, TX
Agenda
• 3 Deployment Scenarios
– Hybrid Datacenter
– Federation
– Isolated
• General Design Considerations
• AWS Directory Service
• Additional Resources and Information
Hybrid Datacenter
• Takes advantage of either VPN or Direct Connect
• Design your VPC to be an extension of your Datacenter
• Minimizes Administrative Process Change
Hybrid Datacenter
• Scenario: Migrate a portion of your on-premises Datacenter to AWS, including Windows Services that rely upon Active Directory
• Two Design Patterns:
– On-Premises AD Only
– Deploy Domain Controllers in AWS
Hybrid Datacenter: Scenario 1
[Diagram: On Premise Datacenter hosting the Active Directory Forest, connected by a VPN Connection to the AWS Cloud hosting EC2 Instances]
1. User authenticates and requests a Kerberos ticket from the on-premises Active Directory Forest
2. User gets the Kerberos ticket
3. User submits the ticket to the EC2 Instances
4. EC2 Instances use the information in the ticket
Hybrid Datacenter: Scenario 2
[Diagram: Remote Office with the User, connected by a VPN Connection to the AWS Cloud hosting the Active Directory Forest and EC2 Instances]
1. User authenticates and requests a Kerberos ticket from the Active Directory Forest over the VPN Connection
2. User gets the Kerberos ticket
3. User submits the ticket to the EC2 Instances
4. EC2 Instances use the information in the ticket
Federation
• Builds on the basics of the Hybrid Model
• Provides Single-Sign-On capabilities without extending your corporate AD Forest
• Empowers B2B Trusts
Federation
• Scenario: SSO for AWS Hosted Applications
• Multiple Use Cases:
– Internal Use Only
– SaaS Model
Federation: On-Premises Only
[Diagram: On-Premise Datacenter with the User, ADFS 2.0 Server and Active Directory Domain Services, connected by a VPN Connection to the AWS Cloud, where an EC2 Instance hosts the Application on Windows Identity Foundation]
1, 2. Login and receive Kerberos Ticket
3, 4. Query for token requirements
5. Request token, send Kerberos Ticket
6, 7. Find and return claim
8. Return token
9. Forward token to Application
10, 11, 12. Resolve token and evaluate claim
13. Get the data
Federation: SaaS Model
• Useful if the application is a SaaS application or one for which you want to provide access to users in an unmanaged or untrusted domain
• Establish a trust between the source domain and the AWS domain via ADFS for trusted login
Federation: SaaS Model
[Diagram: On-Premise Datacenter with the User, ADFS 2.0 Server and Active Directory Domain Services; AWS Cloud with an EC2 Instance hosting the Application and a Security Token Service]
1. Log into AD / get Kerberos TGT
2. Establish session with App
3. App needs token, redirects to STS
4. STS sends token request to Identity Provider
5. ADFS gets the authenticated user's info from AD and creates a SAML token
6. ADFS redirects user to STS with SAML token
7. Redirect user back to App with token
8. User is authenticated to App
Isolated: One Forest in the Cloud
• Doesn’t require any connectivity between your on-premises datacenter and AWS
• Good for applications that manage their own internal users
• Good for applications that require Active Directory but in instances where you don’t want to host any corporate information
AWS Design Considerations
• Avoid Single Points of Failure
• Treat AWS Availability Zones as you would distinct Datacenters
• Consider the characteristics of a shared computing, storage and networking environment
VPC and Networking
• Understand your connectivity choices
– Needs for Hybrid/VPC
– Direct Connect vs VPN vs Disconnected
– VPN: Interesting Traffic
• Make sure you use static IP Addresses
• Firewalls (Security Groups) add complexity but are necessary!
Backup and Recovery
• Microsoft Best Practice is to use an AD Compatible backup application
• Know the unique requirements driven by the virtual environment
AD Security in AWS
• AWS and EC2 Security are Very Important
• Control Access to your AD Instances
– IAM and 2-factor authentication
– Provisioning
• Domain Controllers should not be Internet facing
– Use a DMZ with Jumpboxes
– For ADFS use Web Application Proxy Roles for Frontend
• AD Best Practices still apply
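The "Security Groups are necessary" and "Domain Controllers should not be Internet facing" points above are checkable. The script below is an added example (not from the presentation or AWS): it walks security group rules shaped like `aws ec2 describe-security-groups` output and reports any Active Directory or RDP port reachable from a source that is not entirely inside a trusted range. The groups, the VPC CIDR and the on-premises range are constructed for the example; the list of ports to check is an assumption.

```python
"""Flag security group rules that expose domain controller ports beyond
trusted networks. Added example, not from the presentation; the groups
below are constructed to look like `aws ec2 describe-security-groups`
output, and the trusted ranges are assumed VPC and on-premises CIDRs."""
import ipaddress

# Listening ports of AD Domain Services plus RDP; which ports to check is
# an assumption for this example.
AD_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP",
    445: "SMB", 464: "Kerberos password change", 636: "LDAPS",
    3268: "Global Catalog", 3269: "Global Catalog (SSL)", 3389: "RDP",
}

# Assumed: the VPC CIDR and the on-premises range reachable over the VPN.
TRUSTED_SOURCES = ["10.0.0.0/16", "192.168.50.0/24"]

# Constructed sample, shaped like describe-security-groups IpPermissions.
SAMPLE_GROUPS = [
    {"GroupId": "sg-dc-constructed", "GroupName": "domain-controllers",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},        # VPC only: fine
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # RDP from anywhere
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "192.168.50.0/24"}]},    # on-prem over VPN: fine
         {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},           # Kerberos from any IPv6
     ]},
    {"GroupId": "sg-wap-constructed", "GroupName": "adfs-web-application-proxy",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # HTTPS on the proxy, not an AD port
     ]},
]


def is_trusted(cidr, trusted=TRUSTED_SOURCES):
    """True if the whole CIDR lies inside one of the trusted ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    for t in trusted:
        tnet = ipaddress.ip_network(t, strict=False)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def rule_ports(perm):
    """AD ports a rule covers; protocol -1 (all traffic) covers every port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(AD_PORTS)
    if proto not in ("tcp", "udp"):
        return set()
    lo, hi = perm["FromPort"], perm["ToPort"]
    return {p for p in AD_PORTS if lo <= p <= hi}


def audit_security_group(group):
    """Return (group id, port, service, source CIDR) for each AD port
    reachable from a source outside the trusted ranges."""
    findings = []
    for perm in group.get("IpPermissions", []):
        ports = rule_ports(perm)
        if not ports:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not is_trusted(cidr):
                for port in sorted(ports):
                    findings.append((group["GroupId"], port, AD_PORTS[port], cidr))
    return findings


def audit_all(groups=SAMPLE_GROUPS):
    """Findings across all groups, in rule order."""
    return [f for g in groups for f in audit_security_group(g)]


if __name__ == "__main__":
    for gid, port, service, cidr in audit_all():
        print(f"{gid}: {service} (port {port}) open to {cidr}")
```

The check is deliberately "is the source entirely inside a trusted range" rather than "is the source a private address", so a rule that allows a whole /8 or a second VPC you never listed is reported too. The Web Application Proxy group is left alone because 443 on the proxy is the intended Internet-facing frontend; the domain controllers behind it are what the audit guards.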
Sites, Subnets, VPCs, and Replication
• AD Sites Look a lot like AZs
• DC Replication is based on AD Sites
• Clients find DCs based on site assignment
• Manual creation of connection objects limits flexibility
The Role of RODCs
Characteristic        RODC                                              Writeable DC
--------------------  ------------------------------------------------  ------------------------------------
AD Database Access    RODC is Read-Only. Certain write operations       All operations supported
                      are forwarded and referrals can be given
Data Replication      Only replicated data FROM a writable DC           Replicate all changes
Data Stored in DB     Contains copy of all data except for              Complete copy of the entire database
                      credentials and like attributes
Administration        Administration can be delegated to                Only a Domain Admin can administer
                      non-Domain Admins
What is the AWS Directory Service
• Managed Directories hosted in the cloud
• Two Types of Directories: AD Connector and Simple AD
• AD Connector connects your on-premises Microsoft Active Directory to AWS
• Simple AD is a managed, standalone directory on AWS
– Offers Microsoft Active Directory compatibility for common features
• Benefits
– End users can access AWS applications using common credentials
– IT can manage AWS resources via the AWS Management Console using common credentials
– Enables automatic Domain Join for Amazon EC2 Windows Instances
AWS Directory Service
• Easy Provisioning
– Three-step wizard to create either type of directory
– Ready for use in minutes
• Managed
– Patch Management
– Host and replication monitoring
– API Performance monitoring
• Auditing and Logging
– Standard audits for authentication success and failures
– Viewable using Windows Event Log tools
– Applies to Simple AD only
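Authentication success and failure audits are only useful if something reads them. The script below is an added example, not from the presentation or the AWS service: it parses a handful of constructed audit lines (a simplified one-line format using the Windows Security log event IDs 4624 for a successful logon and 4625 for a failed logon), flags accounts whose failures inside a sliding window reach a lockout-style threshold, and separately flags a success that follows a burst of failures, which a lockout policy alone would not surface. The thresholds are assumptions to be aligned with the domain's own lockout policy.

```python
"""Spot accounts with repeated authentication failures in directory audit
events. Added example, not from the presentation; the log lines are
constructed in a simplified one-line format and use the Windows Security
log IDs 4624 (successful logon) and 4625 (failed logon); the thresholds
are assumptions that should match the domain's lockout policy."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines, not captured from a real directory.
SAMPLE_LOG = """\
2015-10-28T09:00:01Z EventID=4625 Account=jdoe Source=10.0.5.23
2015-10-28T09:00:04Z EventID=4625 Account=jdoe Source=10.0.5.23
2015-10-28T09:00:09Z EventID=4625 Account=jdoe Source=10.0.5.23
2015-10-28T09:00:15Z EventID=4625 Account=jdoe Source=10.0.5.23
2015-10-28T09:00:22Z EventID=4625 Account=jdoe Source=10.0.5.23
2015-10-28T09:00:30Z EventID=4624 Account=jdoe Source=10.0.5.23
2015-10-28T09:10:00Z EventID=4625 Account=asmith Source=10.0.16.9
2015-10-28T09:12:00Z EventID=4624 Account=asmith Source=10.0.16.9
2015-10-28T10:00:00Z EventID=4625 Account=svc-backup Source=192.168.50.7
"""

LINE_RE = re.compile(r"^(\S+)\s+EventID=(\d+)\s+Account=(\S+)\s+Source=(\S+)$")


def parse_events(text):
    """Parse the constructed format into dicts, oldest first; malformed
    lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, account, source = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(eid),
            "account": account,
            "source": source,
        })
    return sorted(events, key=lambda e: e["time"])


def lockout_candidates(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts with >= threshold failures inside any sliding window.
    Returns {account: {"failures": n, "sources": [...]}} for the first
    window that crosses the threshold."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            failures[ev["account"]].append(ev)
    flagged = {}
    for account, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = evs[start:end + 1]
                flagged[account] = {
                    "failures": len(hits),
                    "sources": sorted({e["source"] for e in hits}),
                }
                break
    return flagged


def success_after_failures(events, min_failures=3, window=timedelta(minutes=30)):
    """Accounts where a successful logon follows >= min_failures failures
    within the window: a guessed password looks like this, not a lockout."""
    recent = defaultdict(list)
    hits = []
    for ev in events:
        acct = ev["account"]
        if ev["event_id"] == 4625:
            recent[acct].append(ev["time"])
        elif ev["event_id"] == 4624:
            prior = [t for t in recent[acct] if ev["time"] - t <= window]
            if len(prior) >= min_failures and acct not in hits:
                hits.append(acct)
            recent[acct] = []
    return hits


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("lockout candidates:", lockout_candidates(EVENTS))
    print("success after failures:", success_after_failures(EVENTS))
```

Point the parser at whatever export the Windows Event Log tools give you and adjust `LINE_RE` to that shape; the two detections do not care where the lines came from, only that each carries a time, an event ID, an account and a source.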
AD Connector
• Directory gateway to your on-premises Active Directory infrastructure
– Uses the AWS VPN gateway or AWS Direct Connect
• Integrates with your RADIUS multi-factor authentication (MFA) to provide increased security
• End users can access Amazon WorkSpaces and Amazon Zocalo with existing corporate credentials
• IT staff can manage AWS resources via the AWS Management Console using their corporate credentials
• Enables automatic domain joining of Amazon EC2 Windows instances on launch via AD Connector
Simple AD
• Managed directory hosted in the AWS cloud
– Powered by Samba 4 Active Directory Compatible Server
• Microsoft Active Directory compatibility to simplify operating and managing EC2 Windows applications and workloads
– Users and Groups
– Domain joining computers
– Kerberos-based SSO
– Group Policy support
• Simple AD user accounts can be used to access Amazon WorkSpaces and Amazon Zocalo
• IT staff can manage AWS resources via the AWS Management Console using their Simple AD credentials
• Automatic joining of Amazon EC2 Windows instances to Simple AD
AWS Directory Services Security and Availability
• Security
– Directory is isolated to your VPC
– AD Connector uses the existing industry-standard encrypted IPSEC VPN
– RADIUS MFA support
– Domain join support for Amazon EC2 Windows instances
– Consistent policy enforcement
• Strong password and account lockout policies enforced consistently
• Group Policies
• Highly Reliable and Available
– Two replicated directory servers in two Availability Zones by default
– Automatic host replacement
– Automatic daily snapshots for Simple AD
Microsoft Quick Starts
• Web Application Proxy and Active Directory Federation Services
• Lync Server 2013
• Exchange Server 2013
• Windows PowerShell DSC
• SharePoint Server 2013
• SQL Server 2012 and 2014 with WSFC
• Remote Desktop Gateway
• Active Directory Domain Services
https://aws.amazon.com/quickstart/
Where Can I learn More?
• AWS Directory Services
• Microsoft Pages on AWS
• Microsoft Whitepapers on AWS
• Windows FAQ on AWS
• Microsoft License Mobility on AWS