Getting started with AWS Managed Microsoft AD - AWS Directory Service

Getting started with AWS Managed Microsoft AD

AWS Managed Microsoft AD creates a fully managed Microsoft Active Directory in the AWS Cloud. It is powered by Windows Server 2019 and operates at the Windows Server 2012 R2 forest and domain functional levels. When you create a directory with AWS Managed Microsoft AD, AWS Directory Service creates two domain controllers and adds the DNS service on your behalf. The domain controllers are created in different subnets in an Amazon VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs. If you need more domain controllers, you can add them later. For more information, see Deploying additional domain controllers for your AWS Managed Microsoft AD.

Prerequisites for creating an AWS Managed Microsoft AD

To create an AWS Managed Microsoft AD Active Directory, you need an Amazon VPC with the following:

  • At least two subnets. Each of the subnets must be in a different Availability Zone.

  • The VPC must have default hardware tenancy.

  • You cannot create an AWS Managed Microsoft AD in a VPC that uses addresses in the 198.18.0.0/15 address space.

If you need to integrate your AWS Managed Microsoft AD domain with an existing on-premises Active Directory domain, you must have the Forest and Domain functional levels for your on-premises domain set to Windows Server 2003 or higher.

AWS Directory Service uses a two-VPC structure. The EC2 instances that make up your directory run outside of your AWS account and are managed by AWS. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter and exists outside of your account. ETH1 is created within your account.

The management IP range of your directory's ETH0 network is 198.18.0.0/15, which is why a VPC that uses addresses in that range cannot host the directory.

For a tutorial on how to create the AWS environment and AWS Managed Microsoft AD, see AWS Managed Microsoft AD test lab tutorials.

AWS IAM Identity Center prerequisites

If you plan to use IAM Identity Center with AWS Managed Microsoft AD, you need to ensure that the following are true:

  • Your AWS Managed Microsoft AD directory is set up in your AWS organization’s management account.

  • Your instance of IAM Identity Center is in the same Region where your AWS Managed Microsoft AD directory is set up.

For more information, see IAM Identity Center prerequisites in the AWS IAM Identity Center User Guide.

Multi-factor authentication prerequisites

To support multi-factor authentication with your AWS Managed Microsoft AD directory, you must configure your on-premises or cloud-based Remote Authentication Dial-In User Service (RADIUS) server as follows so that it accepts requests from your AWS Managed Microsoft AD directory in AWS.

  1. On your RADIUS server, create two RADIUS clients to represent both of the AWS Managed Microsoft AD domain controllers (DCs) in AWS. You must configure both clients using the following common parameters (the exact settings vary by RADIUS server):

    • Address (DNS or IP): This is the DNS address for one of the AWS Managed Microsoft AD DCs. Both DNS addresses can be found in the AWS Directory Service Console on the Details page of the AWS Managed Microsoft AD directory in which you plan to use MFA. The DNS addresses displayed represent the IP addresses for both of the AWS Managed Microsoft AD DCs that are used by AWS.

      Note

      If your RADIUS server supports DNS addresses, you must create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each AWS Managed Microsoft AD DC.

    • Port number: Configure the port number for which your RADIUS server accepts RADIUS client connections. The standard RADIUS port is 1812.

    • Shared secret: Type or generate a shared secret that the RADIUS server will use to connect with RADIUS clients.

    • Protocol: You might need to configure the authentication protocol between the AWS Managed Microsoft AD DCs and the RADIUS server. Supported protocols are PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the supported options.

    • Application name: This may be optional in some RADIUS servers and usually identifies the application in messages or reports.

  2. Configure your existing network to allow inbound traffic from the RADIUS clients (the AWS Managed Microsoft AD DC DNS addresses from step 1) to your RADIUS server port.

  3. Add a rule to the Amazon EC2 security group in your AWS Managed Microsoft AD domain that allows inbound traffic from the RADIUS server DNS address and port number defined previously. For more information, see Adding rules to a security group in the EC2 User Guide.
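The three steps above translate into a small set of concrete artifacts: RADIUS client entries on the RADIUS server (one per DC, or a single DNS-based entry), firewall sources for the RADIUS port, and an EC2 security group ingress rule. The following added example (not AWS code, and not from this page) derives those artifacts from a constructed directory record shaped like one entry of `aws ds describe-directories` output. The directory id, the 192.0.2.x domain controller addresses and the 203.0.113.5 RADIUS server address are constructed placeholders, and the `clients.conf` rendering uses FreeRADIUS syntax purely as one illustrative RADIUS server format.

```python
import ipaddress

# Constructed sample shaped like DirectoryDescriptions[] from `aws ds describe-directories`.
# The id is a placeholder; the addresses are RFC 5737 documentation addresses.
SAMPLE_DIRECTORY = {
    "DirectoryId": "d-EXAMPLE",
    "Name": "corp.example.com",
    "DnsIpAddrs": ["192.0.2.10", "192.0.2.20"],  # the two DC addresses shown on the Details page
}

RADIUS_PORT = 1812  # standard RADIUS authentication port (UDP)


def radius_clients(directory, radius_server_supports_dns=False):
    """Step 1: RADIUS client entries to create on the RADIUS server.

    One entry per domain controller IP, or a single entry addressed by the
    directory DNS name when the RADIUS server can resolve DNS names.
    """
    if radius_server_supports_dns:
        return [{"name": directory["Name"], "address": directory["Name"]}]
    return [
        {"name": f"{directory['Name']}-dc{i}", "address": ip}
        for i, ip in enumerate(directory["DnsIpAddrs"], start=1)
    ]


def render_clients_conf(clients, secret_placeholder="<shared-secret>"):
    """Render the client entries in FreeRADIUS clients.conf syntax (illustrative format only).

    The shared secret is left as a placeholder so it never lands in source control.
    """
    blocks = []
    for client in clients:
        blocks.append(
            f"client {client['name']} {{\n"
            f"    ipaddr = {client['address']}\n"
            f"    secret = {secret_placeholder}\n"
            f"}}"
        )
    return "\n".join(blocks)


def radius_server_firewall_sources(directory):
    """Step 2: source addresses your network must allow in to the RADIUS server port."""
    return [f"{ip}/32" for ip in directory["DnsIpAddrs"]]


def security_group_ingress(radius_server_ip, port=RADIUS_PORT, protocol="udp"):
    """Step 3: an IpPermissions entry for `aws ec2 authorize-security-group-ingress`.

    Allows traffic from the RADIUS server's single address on the RADIUS port;
    rejects anything that is not a literal IP address.
    """
    host = ipaddress.ip_address(radius_server_ip)  # raises ValueError on a malformed address
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{
            "CidrIp": f"{host}/32",
            "Description": "RADIUS server for AWS Managed Microsoft AD MFA",
        }],
    }


if __name__ == "__main__":
    clients = radius_clients(SAMPLE_DIRECTORY)
    print(render_clients_conf(clients))
    print("allow in to RADIUS port from:", radius_server_firewall_sources(SAMPLE_DIRECTORY))
    print("security group rule:", security_group_ingress("203.0.113.5"))
```

Keeping the rule to a `/32` and to the single RADIUS port is the least-privilege shape of step 3; a wider CIDR or an all-ports rule would expose the domain controllers' ETH1 adapters to more than the RADIUS exchange requires.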

For more information about using AWS Managed Microsoft AD with MFA, see Enabling multi-factor authentication for AWS Managed Microsoft AD.

Creating your AWS Managed Microsoft AD

To create a new AWS Managed Microsoft AD Active Directory, perform the following steps. Before starting this procedure, make sure that you have completed the prerequisites identified in Prerequisites for creating an AWS Managed Microsoft AD.

To create an AWS Managed Microsoft AD

  1. In the AWS Directory Service console navigation pane, choose Directories and then choose Set up directory.

  2. On the Select directory type page, choose AWS Managed Microsoft AD, and then choose Next.

  3. On the Enter directory information page, provide the following information:

    Edition

    Choose from either the Standard Edition or Enterprise Edition of AWS Managed Microsoft AD. For more information about editions, see AWS Directory Service for Microsoft Active Directory.

    Directory DNS name

    The fully qualified name for the directory, such as corp.example.com.

    Note

    If you plan on using Amazon Route 53 for DNS, the domain name of your AWS Managed Microsoft AD must be different from your Route 53 domain name. DNS resolution issues can occur if Route 53 and AWS Managed Microsoft AD share the same domain name.

    Directory NetBIOS name

    The short name for the directory, such as CORP.

    Directory description

    An optional description for the directory.

    Admin password

    The password for the directory administrator. The directory creation process creates an administrator account with the user name Admin and this password.

    The password cannot include the word "admin."

    The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:

    • Lowercase letters (a-z)

    • Uppercase letters (A-Z)

    • Numbers (0-9)

    • Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

    Confirm password

    Retype the administrator password.

    (Optional) User and group management

    To enable AWS Managed Microsoft AD user and group management from the AWS Management Console, select Manage user and group management in the AWS Management Console. For more information on how to use user and group management, see Manage AWS Managed Microsoft AD users and groups with the AWS Management Console or AWS CLI.

  4. On the Choose VPC and subnets page, provide the following information, and then choose Next.

    VPC

    The VPC for the directory.

    Subnets

    Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.

  5. On the Review & create page, review the directory information and make any necessary changes. When the information is correct, choose Create directory. Creating the directory takes 20 to 40 minutes. Once created, the Status value changes to Active.
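The VPC prerequisites above (two subnets in different Availability Zones, default tenancy, no overlap with 198.18.0.0/15), the Route 53 name caveat and the Admin password policy are all things you can check before clicking Create directory rather than discovering them as a failed creation. The following pre-flight validator is an added example, not AWS code and not from this page. The subnet tuples are the shape you would build from `aws ec2 describe-subnets` output; the 15-character NetBIOS name limit is a general NetBIOS rule rather than something this page states; and the "admin" check is applied case-insensitively, which is a conservative choice made here, not a statement of how the console evaluates it.

```python
import ipaddress
import re
import string

# Reserved for the directory's ETH0 management network; the VPC must not use it.
MANAGEMENT_RANGE = ipaddress.ip_network("198.18.0.0/15")
# The non-alphanumeric characters the password policy counts as a category.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def check_vpc(vpc_cidr, subnets, tenancy="default"):
    """Return the VPC/subnet problems found (an empty list means the VPC qualifies).

    `subnets` is a list of (subnet_id, availability_zone) pairs.
    """
    problems = []
    if ipaddress.ip_network(vpc_cidr).overlaps(MANAGEMENT_RANGE):
        problems.append(f"VPC CIDR {vpc_cidr} overlaps the reserved management range {MANAGEMENT_RANGE}")
    if tenancy != "default":
        problems.append(f"VPC tenancy is {tenancy!r}; default hardware tenancy is required")
    if len(subnets) < 2:
        problems.append("at least two subnets are required")
    if len({az for _, az in subnets}) < 2:
        problems.append("subnets must be in at least two different Availability Zones")
    return problems


def check_names(dns_name, netbios_name, route53_zone_names=()):
    """Return problems with the directory DNS and NetBIOS names (empty list = OK)."""
    problems = []
    labels = dns_name.strip(".").split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[A-Za-z0-9-]{1,63}", label) for label in labels):
        problems.append(f"{dns_name!r} is not a fully qualified DNS name such as corp.example.com")
    if not 1 <= len(netbios_name) <= 15:  # general NetBIOS limit (assumption, not from this page)
        problems.append(f"NetBIOS name {netbios_name!r} must be 1 to 15 characters")
    hosted_zones = {zone.strip(".").lower() for zone in route53_zone_names}
    if dns_name.strip(".").lower() in hosted_zones:
        problems.append(f"{dns_name} is also a Route 53 hosted zone name; choose a different directory DNS name")
    return problems


def check_admin_password(password):
    """Return the Admin password policy violations found (empty list = OK)."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be between 8 and 64 characters")
    if "admin" in password.lower():  # case-insensitive here by choice (conservative)
        problems.append('must not contain the word "admin"')
    categories = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(categories) < 3:
        problems.append("must use characters from at least three of the four categories")
    return problems


def preflight(vpc_cidr, subnets, dns_name, netbios_name, password, route53_zone_names=()):
    """Run every check and return all problems in one list."""
    return (
        check_vpc(vpc_cidr, subnets)
        + check_names(dns_name, netbios_name, route53_zone_names)
        + check_admin_password(password)
    )


if __name__ == "__main__":
    # Constructed inputs: a /16 outside the management range and two subnets in different AZs.
    sample_subnets = [("subnet-EXAMPLE1", "us-east-1a"), ("subnet-EXAMPLE2", "us-east-1b")]
    for problem in preflight("10.0.0.0/16", sample_subnets, "corp.example.com", "CORP", "Tr0ub4dor&3"):
        print("problem:", problem)
```

Run it against the values you intend to type into the console; every message it returns corresponds to one requirement in the procedure above, so an empty result means the directory information and VPC choice are at least self-consistent before the 20 to 40 minute creation starts.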

For more information on what is created with your AWS Managed Microsoft AD, see the following: