Running hybrid Active Directory service with Amazon Managed Microsoft Active Directory

Enterprise customers often need to architect a hybrid Active Directory solution to support running applications both in existing on-premises corporate data centers and in the AWS cloud. There are many reasons for this, such as maintaining integration with on-premises legacy applications, keeping control of infrastructure resources, and meeting specific industry compliance requirements.

To extend on-premises Active Directory environments to AWS, some customers choose to deploy the Active Directory service on self-managed Amazon Elastic Compute Cloud (EC2) instances after setting up connectivity between the two environments. This setup works, but it also presents management and operations challenges around EC2 instance operations, Windows operating system patching, and Active Directory service patching and backup. This is where [AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)](https://aws.amazon.com/directoryservice/) helps.

### **Benefits of using AWS Managed Microsoft AD**
With AWS Managed Microsoft AD, you can launch an AWS-managed directory in the cloud, leveraging the scalability and high availability of [an enterprise directory](https://aws.amazon.com/directoryservice/active-directory/) service while adding seamless integration with other AWS services.

In addition, you can still administer AWS Managed Microsoft AD using existing administrative tools and techniques, such as delegating administrative permissions to selected groups in your organization. The full list of permissions that can be delegated is described in the [AWS Directory Service Administration Guide](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html).

### **Active Directory service design considerations with a single AWS account**
***Single region***
A single AWS account is where the journey begins: a simple use case might be when you need to deploy a new solution in the cloud from scratch (Figure 1).

![image.png](https://dev-media.amazoncloud.cn/89b951ffe0614719b3e1b31bb2e17df5_image.png)

Figure 1. A single AWS account and single-region model

In a single AWS account and single-region model, the on-premises Active Directory has the “company.com” domain configured in the on-premises data center. AWS Managed Microsoft AD is set up across two Availability Zones in the AWS Region for high availability, with a single domain, “na.company.com”, configured. The on-premises Active Directory is configured to trust AWS Managed Microsoft AD, with network connectivity provided by [AWS Direct Connect](https://aws.amazon.com/cn/directconnect/?trk=cndc-detail) or VPN. Active-Directory-aware applications running on EC2 instances join the na.company.com domain, as do selected AWS managed services (for example, [Amazon Relational Database Service](https://aws.amazon.com/rds/) for SQL Server).

***Multi-region***
As your cloud footprint expands to more AWS Regions, you also have two options to expand AWS Managed Microsoft AD, depending on which edition of AWS Managed Microsoft AD is used (Figure 2):

1. With **AWS Managed Microsoft AD Enterprise Edition**, you can turn on the multi-region replication feature to automatically configure inter-regional network connectivity, deploy domain controllers, and replicate all Active Directory data across multiple Regions. This ensures that Active-Directory-aware workloads residing in those Regions can connect to and use AWS Managed Microsoft AD with low latency and high performance.
2. With **AWS Managed Microsoft AD Standard Edition**, you need to add a domain by creating an independent AWS Managed Microsoft AD directory per Region. In Figure 2, the “eu.company.com” domain is added, and [AWS Transit Gateway](https://aws.amazon.com/cn/transit-gateway/?trk=cndc-detail) routes traffic among Active-Directory-aware applications across the two AWS Regions. The on-premises Active Directory is configured to trust AWS Managed Microsoft AD, over either Direct Connect or VPN.

![image.png](https://dev-media.amazoncloud.cn/10a3316d328e44e79d8c6ac0ed88d97c_image.png)

Figure 2. A single AWS account and multi-region model

### **Active Directory service design considerations with multiple AWS accounts**
Large organizations use multiple AWS accounts for administrative delegation and billing purposes. This is commonly implemented through the [AWS Control Tower](https://aws.amazon.com/cn/controltower/?trk=cndc-detail) service or the [AWS Control Tower](https://aws.amazon.com/controltower/?control-blogs.sort-by=item.additionalFields.createdDate&control-blogs.sort-order=desc) landing zone solution.

***Single region***

You can share a single AWS Managed Microsoft AD with multiple AWS accounts within one AWS Region. This capability makes it simpler and more cost-effective to manage Active-Directory-aware workloads from a single directory across accounts and [Amazon Virtual Private Clouds (VPCs)](https://aws.amazon.com/vpc/). This option also allows you to seamlessly join your EC2 instances for Windows to AWS Managed Microsoft AD.

As a best practice, place AWS Managed Microsoft AD in a separate AWS account with limited administrator access, and share the directory with the other AWS accounts. After sharing the directory and configuring routing, Active-Directory-aware applications, such as [Microsoft SharePoint](https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration), can seamlessly join Active Directory Domain Services while you maintain control of all administrative tasks. Find more details on sharing AWS Managed Microsoft AD in the [Share your AWS Managed AD directory tutorial](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_directory_sharing.html).

***Multi-region***

With a multiple-AWS-account and multiple-AWS-Region model, we recommend using AWS Managed Microsoft AD Enterprise Edition. In Figure 3, AWS Managed Microsoft AD Enterprise Edition automates multi-region replication in all AWS Regions where AWS Managed Microsoft AD is available. With AWS Managed Microsoft AD multi-region replication, Active-Directory-aware applications use the local directory for high performance while the directory remains multi-region for high resiliency.

![image.png](https://dev-media.amazoncloud.cn/358fe912a016477f89be0dcc72fe94f2_image.png)

Figure 3. Multiple AWS accounts and multi-region model

### **Domain Name System resolution design**
To enable Active-Directory-aware applications to communicate between your on-premises data centers and the AWS cloud, a reliable solution for Domain Name System (DNS) resolution is needed. You can set the [Amazon VPC](https://aws.amazon.com/cn/vpc/?trk=cndc-detail) Dynamic Host Configuration Protocol (DHCP) option set to point at either AWS Managed Microsoft AD or the on-premises Active Directory, then assign it to each VPC in which the required Active-Directory-aware applications reside. The full list of options available in DHCP option sets is described in the [Amazon Virtual Private Cloud User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/DHCPOptionSet.html).

The benefit of configuring DHCP option sets is that every EC2 instance in that VPC resolves domain names through the specified domain and DNS servers, which removes the need to configure DNS manually on each EC2 instance. However, because DHCP option sets cannot be shared across AWS accounts, a DHCP option set must also be created in each additional account.

![image.png](https://dev-media.amazoncloud.cn/001e9f1176ce4a53b8c1a55cc8694e6d_image.png)

Figure 4. DHCP option sets

An alternative option is creating an [Amazon Route 53](https://aws.amazon.com/route53/) Resolver. This allows customers to leverage Amazon-provided DNS and Route 53 Resolver endpoints to forward DNS queries to the on-premises Active Directory or to AWS Managed Microsoft AD. This is ideal for multi-account setups and for customers who want hub-and-spoke DNS management.

This alternative replaces the need to create and manage EC2 instances running as DNS forwarders with a managed and scalable solution, and Route 53 Resolver forwarding rules can be shared with other AWS accounts. Figure 5 shows a Route 53 Resolver forwarding a DNS query to the on-premises Active Directory.

![image.png](https://dev-media.amazoncloud.cn/c8415c4856f24eb992d05ffc20d3ff09_image.png)

Figure 5. Route 53 Resolver

### **Conclusion**
In this post, we described the benefits of using AWS Managed Microsoft AD to integrate with on-premises Active Directory. We also discussed a range of design considerations to explore when architecting a hybrid Active Directory service with AWS Managed Microsoft AD. Different design scenarios were reviewed, from a single AWS account and Region to multiple AWS accounts and multiple Regions. We also discussed choosing between [Amazon VPC](https://aws.amazon.com/cn/vpc/?trk=cndc-detail) DHCP option sets and Route 53 Resolver for DNS resolution.

Further reading

- [Integrating your Directory Service’s DNS resolution with Amazon Route 53 Resolvers](https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/)
- [AWS Hybrid DNS with Active Directory](https://d1.awsstatic.com/whitepapers/aws-hybrid-dns-with-active-directory.pdf)

#### **Lewis Tang**

![image.png](https://dev-media.amazoncloud.cn/1780d08ad7d14d84bc1f5d2cd948fbb9_image.png)

Lewis Tang is a Senior Solutions Architect at Amazon Web Services based in Sydney, Australia. Lewis provides partners with guidance on a broad range of AWS services and helps partners accelerate the growth of their AWS practice.