How to integrate on-premises MS Active Directory with AWS Managed Microsoft AD.
- Prepare On Premise AD
- Prepare AWS Directory
- Set up Trust
On-Premises AD Setup
1. Configure your on-premises firewall so that the following ports are open to the CIDRs of all subnets used by the VPC that contains your AWS Managed Microsoft AD:
   - TCP/UDP 53 – DNS
   - TCP/UDP 88 – Kerberos authentication
   - TCP/UDP 389 – LDAP
   - TCP 445 – SMB
2. Ensure that Kerberos pre-authentication is enabled (in practice, ensure the account option "Do not require Kerberos preauthentication" is not set).
3. Set up a conditional forwarder for the AWS domain: add the FQDN of the AWS Directory Service domain and the IP addresses of its domain controllers, and select the option to replicate this setting to all DNS servers.
AWS Setup
Permit traffic from your on-premises network. This involves:
- selecting the AWS-created security group for the <yourdirectoryID> directory controllers
- opening the roughly 15 inbound port ranges (UDP/TCP/ICMP) the directory controllers require, limited to your on-premises CIDRs
- allowing all outbound traffic
- ensuring that Kerberos pre-authentication is enabled (in practice, ensuring the account option "Do not require Kerberos preauthentication" is not set)
Trust Setup
- Log on to the on-premises AD
- Set up a two-way forest trust
- Set up forest-wide authentication
- Set a trust password and save it for later use on the AWS directory
- Connect to AWS Directory Service
- Select Add Trust Relationship, then enter the FQDN of the on-premises directory and the trust password, and choose two-way as the type of trust relationship
- Add the IP addresses of the two on-premises DNS servers as conditional forwarders
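The on-premises half of the steps above (firewall check, pre-authentication check, conditional forwarder, local side of the two-way forest trust with forest-wide authentication) as one PowerShell script. This is an added example, not part of the original notes or AWS's own tooling; the directory FQDN and domain controller IPs are placeholders, and it assumes it is run on an on-premises domain controller with the RSAT DnsServer and ActiveDirectory modules installed.

```powershell
# Added example. Assumed placeholder values:
#   aws.example.internal = FQDN of the AWS Managed Microsoft AD
#   10.0.1.10, 10.0.2.10 = its domain controller IPs (one per VPC subnet)
$awsFqdn = 'aws.example.internal'
$awsDcs  = @('10.0.1.10', '10.0.2.10')

# 1. Firewall check: DNS, Kerberos, LDAP and SMB must be reachable from this DC
#    to every AWS domain controller. Test-NetConnection covers TCP only, so
#    confirm UDP 53/88/389 on the firewall rules themselves.
foreach ($dc in $awsDcs) {
    foreach ($port in 53, 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        '{0}:{1} {2}' -f $dc, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
    }
}

# 2. Kerberos pre-authentication: list accounts with the userAccountControl bit
#    0x400000 ("Do not require Kerberos preauthentication") set. Authentication
#    across the trust fails for them and the flag weakens the account, so clear
#    it instead of carrying exceptions into the hybrid setup.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    Select-Object SamAccountName, DistinguishedName

# 3. Conditional forwarder for the AWS domain, replicated to every DNS server in
#    the forest (the "replicate this setting" option in the DNS console).
Add-DnsServerConditionalForwarderZone -Name $awsFqdn -MasterServers $awsDcs -ReplicationScope 'Forest'

# 4. Local side of the two-way forest trust, protected by a trust password that
#    is entered again later in the AWS Directory Service console.
$secure = Read-Host -Prompt 'Trust password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship($awsFqdn,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional, $plain)
$plain = $null

# 5. Forest-wide authentication means selective authentication is off.
$forest.SetSelectiveAuthenticationStatus($awsFqdn, $false)

# Once the AWS side of the trust exists, this throws if the trust does not work.
$forest.VerifyOutboundTrustRelationship($awsFqdn)
```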
Use Cases for a Hybrid Directory
- when AWS services require access to on-premises resources
- when on-premises services or users require access to AWS resources
- when transitioning services from on-premises to AWS
Use Cases Where a Hybrid Directory Is Not Needed
- when access is needed only for a short period and an AD Connector can be used instead
- when access to AWS services from on-premises can be managed with an IAM role
Advanced Features for a Hybrid Directory
- Deploying additional domain controllers increases redundancy, which gives greater resilience and higher availability. It also improves directory performance by supporting a larger number of AD requests.
- Use the Active Directory Migration Toolkit (ADMT) together with the Password Export Service (PES) to migrate users from your self-managed AD to your AWS Managed Microsoft AD directory. This lets you migrate AD objects and your users' encrypted passwords more easily.
- Create an access URL for AWS services. An access URL in the format <yourgloballyuniquealias>.awsapps.com is used with AWS applications and services, such as Amazon WorkSpaces, to reach a login page associated with your directory.
- You can also enable single sign-on, so the user does not need to log in again to use the Amazon service.
Several AWS services are integrated with AWS Directory Service, so you can use this hybrid setup to give on-premises users access to:
- Amazon Chime
- Amazon Connect
- Amazon FSx for Windows File Server
- Amazon QuickSight
- Amazon Relational Database Service
- Amazon WorkDocs
- Amazon WorkMail
- Amazon WorkSpaces
- Amazon WorkSpaces Application Manager