Amazon Web Services – Paper Title May 2015
correctly and your credentials are documented must be rigorously followed
because a lapse could mean application failures and frustrated users.
Active Directory helps address some of these challenges. It provides a centralized
repository to store credentials, allowing for SSO across all servers in the fleet and
simplifying intercommunication between servers by using Kerberos to
authenticate requests. With GPOs, you can manage the configuration options of
your fleet. Deploying a new Active Directory domain or extending your existing
domain to the AWS cloud and running instances on Amazon EC2 provides great
benefits. You can have SSO using Kerberos, leverage Group Policy to manage the
configuration of the Windows operating system, and easily manage application
and user credentials with native Windows tools like Active Directory Users and
Computers.
There are concerns to address when deploying an Active Directory forest on
Amazon EC2, such as how to manage the additional domain controller instances,
how to provide DNS resolution for the Active Directory domain, and how to
monitor replication traffic between domain controllers in different Availability
Zones. One of the biggest challenges is joining the Windows Server instances to
the Active Directory domain, because you must first use the Amazon EC2 key pair
to individually decrypt the administrator password for each instance. This
process is manual, time-consuming, and error-prone. For large-scale server
additions, the domain join step can be automated. For example, you can place a
PowerShell script in the “User Data” option to join the instance to the domain
during launch, but you will then have to store the Active Directory credentials
where a script running on a newly launched instance can read them, which risks
exposing powerful credentials. AWS Directory Service and SSM make joining your
instances to a domain a low-risk, quick process.
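The two approaches contrasted above, as an added example that is not part of the whitepaper: the weak User Data pattern (kept as comments so it is never run) beside a domain join driven by an SSM document using the aws:domainJoin plugin and the AWS Tools for PowerShell cmdlets, neither of which the page itself shows. The directory ID, domain name, DNS addresses, document name and instance tag are placeholders, and the instances are assumed to run the SSM agent under an instance profile that grants SSM access.

```powershell
# Added example, not from the whitepaper. All identifiers below are placeholders.

# --- Weak pattern the text warns about: credentials embedded in User Data ---
# User Data is readable by every process on the instance (and by anyone allowed
# to describe the instance), so the join account's password stays exposed for
# the life of the instance. Shown only to illustrate the problem; do not use.
#   $password = ConvertTo-SecureString 'PLACEHOLDER-PASSWORD' -AsPlainText -Force
#   $cred     = New-Object PSCredential ('CORP\joinsvc', $password)
#   Add-Computer -DomainName corp.example.com -Credential $cred -Restart

# --- Preferred pattern: SSM domain-join document, no credentials on the instance ---
# The document carries only identifiers of the directory; SSM and the instance's
# IAM role authorize the join, so no Active Directory password is ever stored
# where the instance can read it.
$domainJoinDoc = @'
{
  "schemaVersion": "1.2",
  "description": "Join EC2 Windows instances to the corp.example.com directory.",
  "runtimeConfig": {
    "aws:domainJoin": {
      "properties": {
        "directoryId": "d-PLACEHOLDER",
        "directoryName": "corp.example.com",
        "dnsIpAddresses": ["10.0.0.10", "10.0.1.10"]
      }
    }
  }
}
'@

# Register the document once in the account.
New-SSMDocument -Name 'CorpDomainJoin' -Content $domainJoinDoc

# Select the running instances to join (tag Role=AppServer is an assumed convention).
$instances = (Get-EC2Instance -Filter @(
    @{ Name = 'tag:Role';            Values = 'AppServer' },
    @{ Name = 'instance-state-name'; Values = 'running'   }
)).Instances

# Associate the document with each instance; the SSM agent performs the join.
foreach ($i in $instances) {
    New-SSMAssociation -Name 'CorpDomainJoin' -InstanceId $i.InstanceId
}

# Verify the association status for the first instance; nothing secret is involved.
Get-SSMAssociation -Name 'CorpDomainJoin' -InstanceId $instances[0].InstanceId
```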
AWS Directory Service Overview
There are two AWS Directory Service products: AD Connector and Simple AD.
AD Connector lets you use your existing identities with AWS services without
replicating them to AWS. Simple AD lets you create a new Active Directory-
compatible directory in AWS with deep integration into AWS services. There is
no software to install; AWS handles patching, backups, and upgrades and runs
your directory infrastructure across multiple Availability Zones for high
availability.