
Introducing AWS Directory Service for Microsoft Active Directory (Standard Edition)

Posted on October 28, 2022 by

Categories: AWS


AWS has announced AWS Directory Service for Microsoft Active Directory (Standard Edition), a managed version of Microsoft Active Directory (AD) optimized for small and midsize businesses. You can use AWS Microsoft AD (Standard Edition) as your primary directory to manage users, groups, and computers; it is highly available and priced for smaller organizations. It supports a wide range of AWS and third-party applications and services, makes it simple to join Amazon EC2 instances to your domain, and covers the typical use cases of most small and midsize businesses. When you use AWS Microsoft AD (Standard Edition) as your primary directory, you can also control access to cloud applications such as Microsoft Office 365 and offer single sign-on (SSO).

If you already have a Microsoft AD directory, you can migrate your AD-aware applications to the AWS Cloud and keep using your existing on-premises AD credentials. In that case, AWS Microsoft AD (Standard Edition) acts as a resource forest that mainly contains computers and groups, while your user accounts and passwords stay in your on-premises forest.

In this blog post, I answer three key questions about AWS Microsoft AD (Standard Edition) to help you get started:

  • What do I get?
  • How do I use it?
  • Which features stand out?

After answering these questions, I show how to create and use your own AWS Microsoft AD (Standard Edition) directory.

1. What do I get?

When you create an AWS Microsoft AD (Standard Edition) directory, AWS deploys two Microsoft AD domain controllers running Microsoft Windows Server 2012 R2 in your Amazon Virtual Private Cloud (VPC). The domain controllers run in two different Availability Zones in the AWS Region of your choice to help deliver high availability.

As a managed service, AWS Microsoft AD (Standard Edition) handles all patching and software updates, takes automated daily snapshots, and configures directory replication. It also monitors the domain controllers and automatically replaces one that fails.

AWS Microsoft AD (Standard Edition) is designed as a primary directory for small and medium organizations with up to about 5,000 employees. It provides 1 GB of directory object storage, enough for 30,000 or more directory objects (users, groups, and computers). If your applications need more capacity, you can add domain controllers to the directory. You can also use AWS Microsoft AD (Standard Edition) as a resource forest connected to your on-premises directory through a trust relationship.
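
The following script is an added example and is not code from the original post or from AWS. It uses the AWS Tools for PowerShell (the AWS.Tools.DirectoryService module, assumed to be installed with working AWS credentials) to create a Standard Edition directory in two subnets that sit in different Availability Zones, waits until the directory is active, and reads back the DNS addresses of the two domain controllers. The VPC ID, subnet IDs, and domain name are placeholders.

```powershell
# Added example, not from the original post: create an AWS Microsoft AD (Standard Edition)
# directory with the AWS Tools for PowerShell, wait until it is Active, and print the
# domain controllers' DNS addresses.
# Assumptions (placeholders): the VPC ID, the two subnet IDs (which must be in two
# different Availability Zones), and the domain name below.
Import-Module AWS.Tools.DirectoryService

$vpcId   = 'vpc-0123456789abcdef0'
$subnets = @('subnet-0aaaaaaaaaaaaaaa0', 'subnet-0bbbbbbbbbbbbbbb0')

# Prompt for the Admin password instead of writing it into the script or shell history.
$secure        = Read-Host -Prompt 'Password for the directory Admin account' -AsSecureString
$adminPassword = [System.Net.NetworkCredential]::new('', $secure).Password

$directoryId = New-DSMicrosoftAD -Name 'corp.example.com' -ShortName 'CORP' `
    -Password $adminPassword -Description 'Standard Edition resource forest' `
    -VpcSettings_VpcId $vpcId -VpcSettings_SubnetId $subnets -Edition Standard
Remove-Variable adminPassword, secure   # keep the plaintext password no longer than needed

# Provisioning takes tens of minutes; poll the directory stage until it settles.
do {
    Start-Sleep -Seconds 60
    $dir   = Get-DSDirectory -DirectoryId $directoryId
    $stage = [string]$dir.Stage
    Write-Host ("{0}: {1}" -f $directoryId, $stage)
} while ($stage -notin @('Active', 'Failed'))

if ($stage -ne 'Active') { throw "Directory $directoryId ended in stage $stage" }

# Two addresses, one domain controller per Availability Zone. EC2 instances (through a
# VPC DHCP options set) and on-premises DNS (through conditional forwarders) point here.
Write-Host ('Domain controller DNS addresses: ' + ($dir.DnsIpAddrs -join ', '))

# To add domain controllers for a heavier workload, raise the desired count:
# Update-DSNumberOfDomainController -DirectoryId $directoryId -DesiredNumber 3
```

The Admin password is read interactively and discarded right after the API call; the directory keeps it, so there is no reason for it to remain in the session or a script file.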

2. How do I use it?

You can use a single AWS Microsoft AD (Standard Edition) directory for several use cases. For example, you can use Windows Authentication with Amazon RDS for SQL Server, Amazon Chime for communications, and other services, and you can authenticate and authorize access for your .NET applications.

The figure below shows some of the use cases for your AWS Microsoft AD (Standard Edition) directory, including giving your users access to third-party cloud services and letting your on-premises AD users manage resources in the AWS Cloud.

Use case 1: Sign in to AWS services and applications with your AD credentials

You can enable a variety of AWS applications and services, including the AWS Management Console, Amazon WorkSpaces, and Amazon RDS for SQL Server, to use your AWS Microsoft AD (Standard Edition) directory. After you enable an AWS application or service in your directory, your users can access it with their AD credentials.

For example, you can allow your users to sign in to the AWS Management Console with their AD credentials. To do this, enable the AWS Management Console as an application in your directory and then assign your AD users and groups to IAM roles. When a user signs in to the AWS Management Console, they assume the assigned IAM role and can manage AWS resources only as far as that role's permissions allow. This gives users console access without you having to set up and maintain a separate SAML infrastructure.
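
As an added example (not code from the original post or from AWS), the script below prepares the AWS side of console access: it creates an IAM role with the trust policy that lets AWS Directory Service assume it on behalf of a signed-in AD user, attaches a read-only managed policy to it, and creates the directory's access URL. It assumes the AWS.Tools.IdentityManagement and AWS.Tools.DirectoryService modules are installed; the directory ID, alias, and role name are placeholders. Enabling the AWS Management Console as an application and mapping AD users and groups to the role are then done in the Directory Service console.

```powershell
# Added example, not from the original post: create the IAM role that Directory Service
# hands to AD users signing in to the AWS Management Console, and the directory's access URL.
# Assumptions (placeholders): the directory ID, the alias, and the role name.
Import-Module AWS.Tools.IdentityManagement
Import-Module AWS.Tools.DirectoryService

$directoryId = 'd-0123456789'
$alias       = 'corp-example'      # users sign in at https://corp-example.awsapps.com/console/

# The trust policy is the security-relevant part: only the Directory Service principal
# may assume this role, and it does so for an AD user the directory has authenticated.
$trustPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ds.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
'@

$role = New-IAMRole -RoleName 'ADConsole-ReadOnly' -AssumeRolePolicyDocument $trustPolicy `
    -Description 'Console access for AD users, granted through AWS Directory Service'

# Attach the least privilege that fits the AD group you will map to this role. Create one
# role per group or job function rather than a single broad role for every AD user.
Register-IAMRolePolicy -RoleName $role.RoleName -PolicyArn 'arn:aws:iam::aws:policy/ReadOnlyAccess'

# The access URL cannot be changed once created, so choose the alias deliberately.
New-DSAlias -DirectoryId $directoryId -Alias $alias
```

Because the permissions a user gets are exactly the role's permissions, reviewing the roles assigned to your AD groups is the same exercise as reviewing any other IAM role.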

Use case 2: Manage Amazon EC2 instances

By joining your Amazon EC2 Windows or Linux instances to your AWS Microsoft AD (Standard Edition) domain, you can deploy AD Group Policy objects (GPOs) to centrally manage your instances with familiar AD administration tools. (GPOs are processed by Windows instances; joined Linux instances gain centralized AD authentication but do not apply GPOs.)

Your users can also sign in to your instances with their AD credentials, so you no longer need to share private key (PEM) files or hand out per-instance local credentials. Granting or revoking access to an instance becomes an AD user or group change made with the tools you already use, and revocation takes effect centrally instead of requiring you to track down every copy of a key.
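
The two functions below are an added example, not code from the original post or from AWS. The first runs on a Windows EC2 instance and joins it to the domain after confirming that the directory's DNS servers can locate a domain controller; the second runs later, from an already-joined management instance with RSAT installed, and links a baseline GPO to the OU in which AWS Microsoft AD places joined computers. The domain name, DNS addresses, join account, GPO name, and OU path are placeholders. The join account is assumed to have only the right to create computer objects in that OU; the directory Admin account is not used for routine joins.

```powershell
# Added example, not from the original post: join a Windows EC2 instance to the AWS Microsoft
# AD (Standard Edition) domain, then link a baseline GPO to the OU joined computers land in.
# Assumptions (placeholders): domain name, the directory's two DNS addresses, the join
# account, the GPO name, and the OU path.

function Join-ExampleDomain {
    # Run on the EC2 instance as a local administrator. Reboots the instance on success.
    param(
        [string]   $Domain   = 'corp.example.com',
        [string[]] $DnsAddrs = @('10.0.0.10', '10.0.1.10')   # the directory's DnsIpAddrs
    )

    # 1. Point the instance at the directory's DNS so it can locate domain controllers.
    #    (A VPC DHCP options set with these addresses does this for every instance instead.)
    $adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsAddrs

    # 2. Fail early if no domain controller is discoverable through DNS.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
    $dcs = ($srv | Where-Object Type -eq 'SRV').NameTarget
    Write-Host ('Domain controllers: ' + ($dcs -join ', '))

    # 3. Join with a delegated join account; the password is prompted, never stored here.
    $joinCred = Get-Credential -UserName 'CORP\join-svc' `
        -Message "Account allowed to join computers to $Domain"
    Add-Computer -DomainName $Domain -Credential $joinCred -Restart
}

function New-ExampleBaselineGpo {
    # Run on a domain-joined management instance with RSAT (GroupPolicy module), as a
    # member of the directory's "AWS Delegated Group Policy Administrators" group.
    param(
        # OU where AWS Microsoft AD places joined computers by default; verify with Get-ADComputer.
        [string] $ComputersOU = 'OU=Computers,OU=CORP,DC=corp,DC=example,DC=com'
    )
    Import-Module GroupPolicy

    $gpo = New-GPO -Name 'EC2-Baseline' -Comment 'Baseline settings for domain-joined EC2 instances'

    # One concrete setting: require Network Level Authentication for RDP, so only an
    # authenticated AD identity ever reaches the Windows logon screen.
    Set-GPRegistryValue -Name $gpo.DisplayName `
        -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -ValueName 'UserAuthentication' -Type DWord -Value 1 | Out-Null

    New-GPLink -Name $gpo.DisplayName -Target $ComputersOU -LinkEnabled Yes
}

# Join-ExampleDomain          # on the instance; reboots when done
# New-ExampleBaselineGpo      # afterwards, from the management instance
```

Instances joined this way pick up the GPO at their next policy refresh, and RDP access is then governed by which AD users and groups you place in the instances' local Remote Desktop Users group, which is itself something a GPO can manage.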

Use case 3: Provide directory services to your AD-aware workloads

Because AWS Microsoft AD (Standard Edition) is actual Microsoft AD, you can run traditional AD-aware applications such as Remote Desktop Licensing Manager, Microsoft SharePoint, and Microsoft SQL Server Always On in the AWS Cloud. It also helps you streamline and secure AD-integrated .NET applications by supporting group Managed Service Accounts (gMSAs) and Kerberos constrained delegation (KCD): a gMSA removes the need to store and rotate a service password by hand, and KCD limits which downstream services an application may impersonate its users to.
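
As an added example (not code from the original post or from AWS), the script below creates a gMSA for a web application and then constrains it so that it can delegate a user's identity only to one SQL Server SPN. It assumes it is run from a domain-joined management instance with the ActiveDirectory RSAT module, by an account that is a member of the directory's "AWS Delegated Managed Service Account Administrators" and "AWS Delegated Kerberos Delegation Administrators" groups. The account name, host group, OU path, and SPNs are placeholders.

```powershell
# Added example, not from the original post: create a gMSA for a web application and limit
# it to Kerberos constrained delegation (KCD) against a single SQL Server SPN.
# Assumptions (placeholders): the account name, the AD group of web hosts, the customer OU,
# and the SPNs of the web application and the SQL Server.
Import-Module ActiveDirectory

$usersOU  = 'OU=Users,OU=CORP,DC=corp,DC=example,DC=com'   # customer-writable OU
$webHosts = 'WebServers'                                   # AD group containing WEB01, WEB02
$webSpn   = 'HTTP/webapp.corp.example.com'                 # SPN clients use for the web app
$sqlSpn   = 'MSSQLSvc/sql01.corp.example.com:1433'         # the only backend it may delegate to

# 1. Create the gMSA. Only members of $webHosts can retrieve its password, which AD
#    generates and rotates itself, so nobody types, stores, or rotates it by hand.
New-ADServiceAccount -Name 'svc-webapp' -DNSHostName 'svc-webapp.corp.example.com' `
    -ServicePrincipalNames $webSpn `
    -PrincipalsAllowedToRetrieveManagedPassword $webHosts -Path $usersOU `
    -KerberosEncryptionType AES128,AES256

# 2. Constrain delegation: svc-webapp may present a user's identity to this SQL SPN only.
#    (Unconstrained delegation would let a compromised web tier impersonate users anywhere.)
Set-ADServiceAccount -Identity 'svc-webapp' -Add @{'msDS-AllowedToDelegateTo' = $sqlSpn}

# 3. On each web server (a member of $webHosts), install and verify the account:
#    Install-ADServiceAccount -Identity 'svc-webapp'
#    Test-ADServiceAccount -Identity 'svc-webapp'   # True once the host can retrieve the password

# Review the result: who can fetch the password, and where the account may delegate.
Get-ADServiceAccount -Identity 'svc-webapp' `
    -Properties msDS-AllowedToDelegateTo, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, msDS-AllowedToDelegateTo, PrincipalsAllowedToRetrieveManagedPassword
```

Restricting the allowed encryption types to AES keeps the gMSA's Kerberos tickets off RC4, and the msDS-AllowedToDelegateTo list is the single place to audit when you want to know which backends a front-end service can reach with a user's identity.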

Use case 4: SSO to Office 365 and other cloud applications

You can use AWS Microsoft AD (Standard Edition) to provide SSO to cloud applications. After you synchronize your users to Azure AD with Azure AD Connect, you can use Active Directory Federation Services (AD FS) to authenticate users for Microsoft Office 365 and other SAML 2.0 cloud applications.

Use case 5: Extend your on-premises AD to the AWS Cloud

If you already have an AD infrastructure and want to keep using it while moving AD-dependent workloads to the AWS Cloud, AWS Microsoft AD (Standard Edition) can help. You can connect AWS Microsoft AD (Standard Edition) to your existing AD with an AD trust. Because the trust lets the two forests authenticate each other's users directly, you do not need to synchronize users, groups, or passwords; your users keep using their on-premises AD credentials to access AD-aware applications and AWS services.

For example, your users can sign in to the AWS Management Console and Amazon WorkSpaces with their existing AD user names and passwords. Users who are already signed in to Windows can also use AD-aware applications such as SharePoint through AWS Microsoft AD (Standard Edition) without entering their credentials again.
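
The two functions below are an added example of setting up the trust described above; they are not code from the original post or from AWS. The first runs on an on-premises domain controller and creates the on-premises side of a two-way forest trust (plus the conditional forwarder that lets on-premises DNS resolve the AWS forest); the second uses the AWS Tools for PowerShell (AWS.Tools.DirectoryService, assumed installed) to create the AWS side with selective authentication enabled and waits for the trust to verify. Both domain names, the DNS addresses on each side, and the directory ID are placeholders, and network connectivity with the required AD ports between the two sides is assumed to exist already.

```powershell
# Added example, not from the original post: two-way forest trust between an on-premises
# forest (onprem.example.com) and the AWS Microsoft AD (Standard Edition) forest
# (corp.example.com). No passwords are synchronized; each forest authenticates its own
# users and the trust lets the other side accept that authentication.
# Assumptions (placeholders): both domain names, DNS addresses on each side, directory ID.

function Initialize-OnPremSideOfTrust {
    # Run on an on-premises domain controller as a member of Enterprise Admins.
    param(
        [string]   $AwsDomain   = 'corp.example.com',
        [string[]] $AwsDnsAddrs = @('10.0.0.10', '10.0.1.10')   # the AWS directory's DnsIpAddrs
    )
    # The same one-time trust password must be entered on both sides.
    $secure   = Read-Host -Prompt 'One-time trust password' -AsSecureString
    $password = [System.Net.NetworkCredential]::new('', $secure).Password

    # Let on-premises DNS resolve the AWS forest.
    Add-DnsServerConditionalForwarderZone -Name $AwsDomain -MasterServers $AwsDnsAddrs `
        -ReplicationScope Forest

    # Create this forest's half of the trust through the .NET AD API.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forest.CreateLocalSideOfTrustRelationship($AwsDomain,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional, $password)
}

function Initialize-AwsSideOfTrust {
    # Run with AWS credentials allowed to call ds:CreateTrust and ds:DescribeTrusts.
    param(
        [string]   $DirectoryId  = 'd-0123456789',
        [string]   $OnPremDomain = 'onprem.example.com',
        [string[]] $OnPremDns    = @('192.168.10.5', '192.168.10.6')   # on-premises DNS servers
    )
    Import-Module AWS.Tools.DirectoryService
    $secure   = Read-Host -Prompt 'One-time trust password (same as on-premises)' -AsSecureString
    $password = [System.Net.NetworkCredential]::new('', $secure).Password

    # Directory Service creates the AWS half and a conditional forwarder to on-premises DNS.
    # SelectiveAuth Enabled: on-premises users reach only AWS-side resources that grant them
    # the "Allowed to Authenticate" right, instead of everything Authenticated Users can see.
    $trustId = New-DSTrust -DirectoryId $DirectoryId -RemoteDomainName $OnPremDomain `
        -TrustPassword $password -TrustDirection 'Two-Way' -TrustType Forest `
        -ConditionalForwarderIpAddr $OnPremDns -SelectiveAuth Enabled

    # Poll until the trust leaves its transitional states.
    do {
        Start-Sleep -Seconds 30
        $trust = Get-DSTrust -DirectoryId $DirectoryId | Where-Object TrustId -eq $trustId
        $state = [string]$trust.TrustState
        Write-Host ("{0}: {1} {2}" -f $trustId, $state, $trust.TrustStateReason)
    } while ($state -in @('Creating', 'Created', 'Verifying'))
    return $state   # 'Verified' means both halves agree and DNS works in both directions
}

# Verify from the on-premises side (ActiveDirectory RSAT module):
# Get-ADTrust -Identity corp.example.com |
#     Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware
```

Run the on-premises function first, then the AWS one; if the AWS side stays in VerifyFailed, the TrustStateReason it reports almost always points at DNS (one side cannot resolve the other) or at a mismatched trust password.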