Getting started with AWS Managed Microsoft AD
AWS Managed Microsoft AD creates a fully managed, Microsoft Active Directory in the AWS Cloud and is powered by Windows Server 2019 and operates at the 2012 R2 Forest and Domain functional levels. When you create a directory with AWS Managed Microsoft AD, AWS Directory Service creates two domain controllers and adds the DNS service on your behalf. The domain controllers are created in different subnets in an Amazon VPC this redundancy helps ensure that your directory remains accessible even if a failure occurs. If you need more domain controllers, you can add them later. For more information, see Deploying additional domain controllers for your AWS Managed Microsoft AD.
For a demo and overview of AWS Managed Microsoft AD, see the following YouTube video.
Topics
Prerequisites for creating a AWS Managed Microsoft AD
To create a AWS Managed Microsoft AD Active Directory, you need an Amazon VPC with the following:
-
At least two subnets. Each of the subnets must be in a different Availability Zone.
-
The VPC must have default hardware tenancy.
-
You cannot create a AWS Managed Microsoft AD in a VPC using addresses in the 198.18.0.0/15 address space.
If you need to integrate your AWS Managed Microsoft AD domain with an existing on-premises Active Directory domain, you must have the Forest and Domain functional levels for your on-premises domain set to Windows Server 2003 or higher.
AWS Directory Service uses a two VPC structure. The EC2 instances which make up your directory run outside
of your AWS account, and are managed by AWS. They have two network adapters,
ETH0
and ETH1
. ETH0
is the management adapter, and
exists outside of your account. ETH1
is created within your account.
The management IP range of your directory's ETH0 network is 198.18.0.0/15.
For a tutorial on how to create the AWS environment and AWS Managed Microsoft AD, see AWS Managed Microsoft AD test lab tutorials.
AWS IAM Identity Center prerequisites
If you plan to use IAM Identity Center with AWS Managed Microsoft AD, you need to ensure that the following are true:
-
Your AWS Managed Microsoft AD directory is set up in your AWS organization’s management account.
-
Your instance of IAM Identity Center is in the same Region where your AWS Managed Microsoft AD directory is set up.
For more information, see IAM Identity Center prerequisites in the AWS IAM Identity Center User Guide.
Multi-factor authentication prerequisites
To support multi-factor authentication with your AWS Managed Microsoft AD directory, you must
configure either your on-premises or cloud-based Remote Authentication Dial-In User
Service
-
On your RADIUS server, create two RADIUS clients to represent both of the AWS Managed Microsoft AD domain controllers (DCs) in AWS. You must configure both clients using the following common parameters (your RADIUS server may vary):
-
Address (DNS or IP): This is the DNS address for one of the AWS Managed Microsoft AD DCs. Both DNS addresses can be found in the AWS Directory Service Console on the Details page of the AWS Managed Microsoft AD directory in which you plan to use MFA. The DNS addresses displayed represent the IP addresses for both of the AWS Managed Microsoft AD DCs that are used by AWS.
Note
If your RADIUS server supports DNS addresses, you must create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each AWS Managed Microsoft AD DC.
-
Port number: Configure the port number for which your RADIUS server accepts RADIUS client connections. The standard RADIUS port is 1812.
-
Shared secret: Type or generate a shared secret that the RADIUS server will use to connect with RADIUS clients.
-
Protocol: You might need to configure the authentication protocol between the AWS Managed Microsoft AD DCs and the RADIUS server. Supported protocols are PAP, CHAP MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the three options.
-
Application name: This may be optional in some RADIUS servers and usually identifies the application in messages or reports.
-
-
Configure your existing network to allow inbound traffic from the RADIUS clients (AWS Managed Microsoft AD DCs DNS addresses, see Step 1) to your RADIUS server port.
-
Add a rule to the Amazon EC2 security group in your AWS Managed Microsoft AD domain that allows inbound traffic from the RADIUS server DNS address and port number defined previously. For more information, see Adding rules to a security group in the EC2 User Guide.
For more information about using AWS Managed Microsoft AD with MFA, see Enabling multi-factor authentication for AWS Managed Microsoft AD.
Creating your AWS Managed Microsoft AD
To create a new AWS Managed Microsoft AD Active Directory, perform the following steps. Before starting this procedure, make sure that you have completed the prerequisites identified in Prerequisites for creating a AWS Managed Microsoft AD.
To create an AWS Managed Microsoft AD
-
In the AWS Directory Service console
navigation pane, choose Directories and then choose Set up directory. -
On the Select directory type page, choose AWS Managed Microsoft AD, and then choose Next.
-
On the Enter directory information page, provide the following information:
- Edition
-
Choose from either the Standard Edition or Enterprise Edition of AWS Managed Microsoft AD. For more information about editions, see AWS Directory Service for Microsoft Active Directory.
- Directory DNS name
-
The fully qualified name for the directory, such as
corp.example.com
.Note
If you plan on using Amazon Route 53 for DNS, the domain name of your AWS Managed Microsoft AD must be different than your Route 53 domain name. DNS resolution issues can occur if Route 53 and AWS Managed Microsoft AD share the same domain name.
- Directory NetBIOS name
-
The short name for the directory, such as
CORP
. - Directory description
-
An optional description for the directory. This description can be changed after creating your AWS Managed Microsoft AD.
- Admin password
-
The password for the directory administrator. The directory creation process creates an administrator account with the user name
Admin
and this password. You can change the Admin password after creating your AWS Managed Microsoft AD.The password cannot include the word "admin."
The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:
-
Lowercase letters (a-z)
-
Uppercase letters (A-Z)
-
Numbers (0-9)
-
Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
-
- Confirm password
-
Retype the administrator password.
- (Optional) User and group management
-
To enable AWS Managed Microsoft AD user and group management from the AWS Management Console, select Manage user and group management in the AWS Management Console. For more information on how to use user and group management, see Manage AWS Managed Microsoft AD users and groups with the AWS Management Console, AWS CLI, or AWS Tools for PowerShell.
-
On the Choose VPC and subnets page, provide the following information, and then choose Next.
- VPC
-
The VPC for the directory.
- Subnets
-
Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.
-
On the Review & create page, review the directory information and make any necessary changes. When the information is correct, choose Create directory. Creating the directory takes 20 to 40 minutes. Once created, the Status value changes to Active.
For more information on what is created with your AWS Managed Microsoft AD, see the following: