Deploying Microsoft Active Directory in AWS as a Managed Service
I recently had the chance to deploy an AWS Managed Microsoft AD and was pleasantly surprised by how straightforward it was to set up. OK, there were a few challenges, but once I got over that hurdle it was plain sailing.
In this post I will explain how to deploy and manage AWS Managed Microsoft AD and integrate it with an on-premises environment.
To set up a managed Microsoft AD environment in AWS, you first need to build out the Virtual Private Cloud (VPC) network. This entails building a VPC if you don't already have one, spanning at least two Availability Zones (AZs) since the managed directory requires a subnet in each of two AZs, with public and private subnets, an internet gateway, highly available RDP gateway instances and finally a pair of NAT gateways. AWS has a Quick Start guide that can help with the deployment of the network using a CloudFormation template.
The network design would look something like this:
CloudFormation is AWS's Infrastructure as Code (IaC) service that allows you to create infrastructure from a template written in YAML or JSON.
Once the network is in place, the next step is to deploy Active Directory. There are two ways to do this: self-managed, where you deploy EC2 instances, promote them to domain controllers and manage them end-to-end, or AWS Managed Microsoft AD, which is what we want here. In the AWS console, navigate to Directory Service and launch the setup for Microsoft AD. Fill in the parameters: the edition (Standard or Enterprise), the directory DNS name, the NetBIOS name and the password for the directory's Admin account. The VPC and the two private subnets created earlier (one in each AZ) also need to be specified. Click Finish to start the creation of the managed AD. It takes 20 minutes or so to deploy; once it is fully deployed it shows as 'Active' in the directory console.
AWS Managed Microsoft AD is fully managed by AWS: you cannot RDP to the domain controllers or log on to them, and the Admin account whose password you set is a delegated administrator over an OU named after your NetBIOS name, not a member of Domain Admins. You therefore administer the directory from a management server: an EC2 instance in one of the private subnets, joined to the domain and with the AD management tools installed. When creating the management server, use the seamless domain join feature to join it to the directory at launch.
The VPC will look like this once AWS Managed Microsoft AD and the management server are deployed.
To use the seamless domain join feature, an IAM role needs to be created for the instance with the following AWS managed policies attached: AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore. When launching the instance, this role is attached as its instance profile and allows the SSM agent on the instance to call AWS services on your behalf. Because the management server sits in a private subnet, it reaches the SSM endpoints through the NAT gateways built earlier.
To log in and manage AWS Managed Microsoft AD, a Remote Desktop Gateway (RDGW) is required: you RDP to the RDGW in a public subnet, then RDP from there to the management server in the private subnet.
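The steps above, scripted as an added example (this is not code from the original post): create the instance role with the two managed policies, launch the management server with that instance profile, attach the domain join association, and then verify the join from the server itself. The role name, directory ID, DNS name, DNS addresses, subnet, AMI and the NetBIOS OU name are all assumed placeholders; the first part runs from a workstation with the AWS CLI configured, the second part on the management server.

```powershell
# Added example, not from the original post. Assumed values are marked; replace
# them with your own. Part 1 runs where the AWS CLI is configured.

$RoleName     = 'ADManagementServerRole'          # assumed
$DirectoryId  = 'd-1234567890'                    # assumed, from the directory console
$DirectoryDns = 'corp.example.com'                # assumed, the directory DNS name
$DnsIps       = @('10.0.0.10', '10.0.1.10')       # assumed, the directory's DNS addresses
$SubnetId     = 'subnet-0123456789abcdef0'        # assumed, a private subnet
$AmiId        = 'ami-0123456789abcdef0'           # assumed, a Windows Server AMI

# 1. Role that EC2 may assume, with the two managed policies named in the post.
$trust = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Effect    = 'Allow'
        Principal = @{ Service = 'ec2.amazonaws.com' }
        Action    = 'sts:AssumeRole'
    })
} | ConvertTo-Json -Depth 5
Set-Content -Path trust.json -Value $trust -Encoding ascii

aws iam create-role --role-name $RoleName --assume-role-policy-document file://trust.json
aws iam attach-role-policy --role-name $RoleName --policy-arn arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
aws iam attach-role-policy --role-name $RoleName --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam create-instance-profile --instance-profile-name $RoleName
aws iam add-role-to-instance-profile --instance-profile-name $RoleName --role-name $RoleName

# 2. Launch the management server in the private subnet with that instance
#    profile (the VPC default security group is used here; restrict RDP to the RDGW).
$instanceId = aws ec2 run-instances --image-id $AmiId --instance-type t3.medium `
    --subnet-id $SubnetId --iam-instance-profile "Name=$RoleName" `
    --query 'Instances[0].InstanceId' --output text

# 3. Seamless domain join. Picking the directory in the console at launch creates
#    this for you; the scripted equivalent is an SSM association with the
#    AWS-JoinDirectoryServiceDomain document. Parameters go via a file so the
#    JSON survives PowerShell's native-command quoting.
$params = @{
    directoryId    = @($DirectoryId)
    directoryName  = @($DirectoryDns)
    dnsIpAddresses = $DnsIps
} | ConvertTo-Json
Set-Content -Path join-params.json -Value $params -Encoding ascii

aws ssm create-association --name AWS-JoinDirectoryServiceDomain `
    --targets "Key=InstanceIds,Values=$instanceId" `
    --parameters file://join-params.json

# ---- Part 2: on the management server, after it has rebooted into the domain ----

# 4. Install the AD, DNS and Group Policy management tools.
Install-WindowsFeature -Name RSAT-ADDS, RSAT-DNS-Server, GPMC

# 5. Confirm the join, then list the OU AWS delegates to you. The OU is named
#    after the directory's NetBIOS name ('corp' here, assumed).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $DirectoryDns) {
    throw "Not joined to $DirectoryDns (current domain: $($cs.Domain))"
}
Import-Module ActiveDirectory
Get-ADOrganizationalUnit -SearchBase 'OU=corp,DC=corp,DC=example,DC=com' -Filter * |
    Select-Object Name, DistinguishedName
```

Step 5 is the check worth keeping: if the association ran but the instance is not in the domain, the usual causes are the instance profile missing one of the two policies, or the private subnet having no route to the SSM endpoints. Log on with the directory's Admin account for the RSAT tools to work against the delegated OU.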
To integrate your on-premises Microsoft AD with AWS Managed Microsoft AD, you create a trust between the two forests. First configure a conditional forwarder on the on-premises DNS servers so that the AWS directory's DNS name resolves to the managed AD's DNS addresses, then create the trust relationship on the on-premises AD, and finally create the trust relationship in the AWS Managed Microsoft AD from the Directory Service console, which also lets you specify the on-premises DNS addresses for the conditional forwarder on the AWS side. Both sides must use the same trust password, and the managed directory's security group must allow the AD ports from the on-premises domain controllers or the trust will not verify.
In this article a two-way trust was created, which means authentication requests can pass between the two forests in both directions. If only on-premises users need to reach resources in AWS, a one-way trust in which the AWS directory trusts the on-premises forest is enough and exposes less; either way, leave SID filtering (enabled by default on forest trusts) switched on.
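The three trust steps, scripted as an added example (this is not code from the original post). The on-premises forest name, the AWS directory name and ID, and both sides' DNS addresses are assumed placeholders; steps 1 and 2 run on an on-premises domain controller as a member of Enterprise Admins, step 3 runs wherever the AWS CLI is configured. The AWS side is created with the `aws ds create-trust` command rather than the console the text describes; the result is the same trust.

```powershell
# Added example, not from the original post. Assumed values are marked.

$OnPremForest = 'onprem.example.local'               # assumed
$OnPremDnsIps = @('192.168.10.10', '192.168.10.11')  # assumed, on-prem DC addresses
$AwsForest    = 'corp.example.com'                   # assumed, managed AD DNS name
$AwsDnsIps    = @('10.0.0.10', '10.0.1.10')          # assumed, managed AD DNS addresses
$DirectoryId  = 'd-1234567890'                       # assumed

# Shared trust password: generate it once, use it on both sides, then discard it.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$TrustPassword = [Convert]::ToBase64String($bytes)

# 1. On-prem: conditional forwarder so the AWS forest name resolves to the
#    managed AD's DNS servers, replicated to every DNS server in the forest.
Add-DnsServerConditionalForwarderZone -Name $AwsForest -MasterServers $AwsDnsIps -ReplicationScope Forest

# Check resolution and reachability before touching the trust: the managed
# directory's security group must allow the AD ports from the on-prem DCs.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AwsForest" -Type SRV -ErrorAction Stop | Out-Null
foreach ($ip in $AwsDnsIps) {
    foreach ($port in 53, 88, 389, 445, 464) {
        if (-not (Test-NetConnection -ComputerName $ip -Port $port -InformationLevel Quiet)) {
            throw "TCP $port to $ip is blocked; trust creation will fail"
        }
    }
}

# 2. On-prem: create the local side of a two-way forest trust with the AWS forest.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship(
    $AwsForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional,
    $TrustPassword)

# 3. AWS side: create the matching trust in the managed directory. The
#    --conditional-forwarder-ip-addrs option configures the conditional
#    forwarder for the on-prem forest inside the managed AD.
$trustId = aws ds create-trust --directory-id $DirectoryId `
    --remote-domain-name $OnPremForest --trust-type Forest `
    --trust-direction Two-Way --trust-password $TrustPassword `
    --conditional-forwarder-ip-addrs $OnPremDnsIps `
    --query TrustId --output text

aws ds verify-trust --directory-id $DirectoryId --trust-id $trustId
aws ds describe-trusts --directory-id $DirectoryId --trust-ids $trustId `
    --query 'Trusts[0].[TrustState,TrustStateReason]' --output text

Remove-Variable TrustPassword

# Back on-prem: confirm the trust is in place from this side and SID filtering is on.
Get-ADTrust -Filter "Name -eq '$AwsForest'" |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringForestAware
```

`TrustState` should reach `Verified`; anything else comes with a `TrustStateReason`, and the most common one is the port check above failing in the other direction (from the managed AD to the on-prem DCs). For a one-way trust, replace `Bidirectional` with `Inbound` on-prem and `Two-Way` with `One-Way: Outgoing` on the AWS side. Note that passing the trust password on the command line makes it visible in process listings on that host; use `--cli-input-json` with a file if that matters in your environment.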