Implementing Active Directory in the AWS Cloud
AWS Whitepaper by Mike Pfeiffer
Introduction

This reference implementation guide includes architectural considerations and configuration steps for implementing highly available Active Directory Domain Services (AD DS) in the Amazon Web Services (AWS) cloud. We'll discuss best practices for launching the necessary AWS services, such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Virtual Private Cloud (Amazon VPC), in two scenarios:
• An AWS cloud-based deployment
• The extension of an on-premises solution to the AWS cloud

We also provide links to automated AWS CloudFormation templates that you can leverage for your implementation or launch directly into your AWS account.

This presentation gives an overview of the process to create the example solution. It does not outline each step. For the detailed overview, please consult the whitepaper available here: https://aws.amazon.com/microsoft/whitepapers/#ad
Before You Get Started
This is an advanced topic. If you are new to AWS, see the
Getting Started section of the AWS documentation.
You should also be familiar with the following topics:
• Amazon EC2
• Amazon VPC
• AWS CloudFormation
• Windows Server 2012 or 2008 R2
• Windows Server Active Directory and DNS
Microsoft Platform on AWS
• Partnership to support running Windows Server-based workloads on AWS
• Amazon Machine Images (AMIs) with Windows Server and SQL Server today that were jointly developed by Microsoft and AWS
• SharePoint Server and other Microsoft server products can be licensed to run on AWS

Two licensing models:
• Pay-as-you-go (AMI pricing includes the software): Windows Server, SQL Server Standard
• BYOL (use existing licenses on AWS): SQL Server Enterprise, SharePoint Server, other qualifying Microsoft Windows Server products*

*General info on AWS and License Mobility for a variety of MS server products: http://aws.amazon.com/windows/mslicensemobility/
Detail on AWS and License Mobility with SQL Server: http://aws.amazon.com/windows/mslicensemobility/sql/
Microsoft "License Mobility through Software Assurance" gives Microsoft Volume Licensing customers the flexibility to deploy Windows Server applications with active Software Assurance (SA) on Amazon Web Services.
What We’ll Cover
AD Architecture Considerations
Sample Deployment Scenario #1
Deploy Active Directory Domain Services in the AWS Cloud
Considerations for Extending Existing AD Domain Services into the AWS Cloud
Sample Deployment Scenario #2
Extend on-premises Active Directory Domain Services to the AWS Cloud
Architecture Considerations

Virtual Private Cloud
• Amazon VPC lets you provision a private, isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
• You can define a virtual network topology closely resembling a traditional network that you might operate on your own premises.
• You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

Active Directory Design
• Site Topology
• Highly Available Directory Domain Services
• Read-Only and Writeable Domain Controllers

Instance Configuration
• Active Directory DNS and DHCP inside the Amazon VPC
• DNS Settings on Windows Server Instances
• Security Group Ingress Traffic
• Setting up Secure Administrative Access Using Remote Desktop Gateway
Sample Deployment Scenario #1
Automated Deployment
The AWS CloudFormation template performs these actions to deploy the architecture shown.
• Set up the Amazon VPC, including subnets in two Availability Zones.
• Configure private and public routes.
• Launch Windows Server 2012 Amazon Machine Images (AMIs) and set up and configure AD DS and AD integrated DNS.
• Create empty private subnets in each Availability Zone into which you can deploy additional servers.
• Configure security groups and rules for traffic between application tiers.
• Set up and configure AD Sites and Subnets.
• Enable ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway and NAT instances.
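The template performs the AD DS and Sites/Subnets steps listed above inside the instances with its own scripts. As an added example (not the whitepaper's code or its CloudFormation template), the PowerShell below does the same two steps by hand on the first domain controller: create the forest with AD-integrated DNS, then define one AD site per Availability Zone with its subnet so clients in each AZ bind to the nearest DC. The forest name example.com, the NetBIOS name EXAMPLE, the DC name DC1, the site names AZ1/AZ2 and the subnet ranges 10.0.0.0/19 and 10.0.64.0/19 are assumptions, not values from the page.

```powershell
# Added example, not the whitepaper's CloudFormation code. Assumed values (hypothetical):
# forest example.com / NetBIOS EXAMPLE, first DC named DC1, one private subnet per AZ:
# 10.0.0.0/19 (AZ1) and 10.0.64.0/19 (AZ2). Run on DC1 as the local Administrator.
$DomainName  = 'example.com'
$NetBiosName = 'EXAMPLE'
$Sites = @{ 'AZ1' = '10.0.0.0/19'; 'AZ2' = '10.0.64.0/19' }

# --- Stage 1: create the forest on DC1 (the server reboots when this finishes) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetBiosName `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- Stage 2 (after the reboot, logged on as EXAMPLE\Administrator): one site per AZ ---
Import-Module ActiveDirectory
foreach ($Site in $Sites.Keys) {
    New-ADReplicationSite -Name $Site
    # The subnet object is what maps a client's IP to a site, and so to its nearest DC
    New-ADReplicationSubnet -Name $Sites[$Site] -Site $Site
}
# Put both sites on the default site link and replicate every 15 minutes; the default
# interval of 180 minutes is far too slow for an HA pair that spans two AZs
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{ Add = @($Sites.Keys) } -ReplicationFrequencyInMinutes 15
# The first DC is created in Default-First-Site-Name; move it into its AZ site
Move-ADDirectoryServer -Identity 'DC1' -Site 'AZ1'

# --- Checks: every DC sits in the expected site, DNS and replication are healthy ---
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
repadmin /replsummary
dcdiag /test:DNS /test:Replications
```

The second DC in AZ2 is promoted from its own instance with Install-ADDSDomainController -DomainName example.com -SiteName 'AZ2' -InstallDns, using domain administrator credentials; because the AZ2 site and subnet already exist, it lands in the right site automatically. Until both subnets are registered, a client in AZ2 may be served by the DC in AZ1, so run the Get-ADDomainController check before deploying application tiers.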
Template Customization
• Sample Template 1 allows for customization of 26 defined parameters
• You can modify these or use them as a guide for creating your own set of parameters
Considerations for Extending AD DS into AWS

Two ways to extend an on-premises network to the Amazon VPC:
• IPSec tunnels over the Internet
• AWS Direct Connect

Deploy Additional Domain Controllers
• It isn't required, but recommended, to add an additional DC within the cloud for resources in AWS that need access to your AD DS.
• This reduces network latency and also provides availability in the event of an outage on premises.

Initial DNS Configuration
• Manually assign DNS server settings on the Windows instances. This static DNS setting would initially point to the on-premises Active Directory DNS server. After promoting the instance to a Domain Controller, you could modify the setting to use a cloud-based Active Directory DNS server IP address to prevent subsequent DNS queries from traversing the link back to the on-premises environment.
• Initially configure the Amazon VPC DHCP Option Set to assign your on-premises Active Directory DNS server IP address to your instances launched into the Amazon VPC. After the Windows instances have been joined to the domain and promoted to Domain Controllers, you can create a new DHCP option set to assign the IP address of the Active Directory DNS server instances running in AWS.
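The two sections above describe one procedure: bring a cloud DC into the existing domain while DNS still points on premises, then move DNS into the VPC. As an added example (not the whitepaper's code), the PowerShell below runs that sequence end to end on a Windows Server instance in the VPC, including the DHCP option set swap through the AWS Tools for PowerShell. The on-premises DNS address 192.168.1.10, the domain example.com, the site name AWS-AZ1, the subnet 10.0.0.0/19 and the VPC ID vpc-0123456789abcdef0 are hypothetical values.

```powershell
# Added example for Scenario #2, not the whitepaper's own code. Hypothetical values:
# on-premises DC/DNS 192.168.1.10, domain example.com, this instance in private subnet
# 10.0.0.0/19, AWS site 'AWS-AZ1', VPC vpc-0123456789abcdef0. Run as local Administrator.
$OnPremDns  = '192.168.1.10'
$DomainName = 'example.com'
$SiteName   = 'AWS-AZ1'
$VpcId      = 'vpc-0123456789abcdef0'
$Nic        = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$Cred       = Get-Credential -Message 'Domain Admin credential'

# 1. Initial DNS: point at the on-premises DC so the instance can locate the domain.
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses $OnPremDns
# Prove the VPN / Direct Connect path carries DNS before promoting anything
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV | Format-Table

# 2. Create the AWS site and subnet on an existing DC first, so the new DC lands in the
#    AWS site rather than the on-premises one (otherwise VPC clients keep authenticating
#    across the link even after the cloud DC exists).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
New-ADReplicationSite   -Name $SiteName -Server $DomainName -Credential $Cred
New-ADReplicationSubnet -Name '10.0.0.0/19' -Site $SiteName -Server $DomainName -Credential $Cred

# 3. Promote: writable DC with AD-integrated DNS, placed in the AWS site. Reboots on completion.
Install-ADDSDomainController -DomainName $DomainName -SiteName $SiteName -InstallDns `
    -Credential $Cred -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# 4. After the reboot: resolve against this DC first, on-premises only as a fallback,
#    so the instance's own lookups no longer traverse the link.
$Self = Get-NetIPAddress -InterfaceIndex $Nic.ifIndex -AddressFamily IPv4 |
        Select-Object -First 1 -ExpandProperty IPAddress
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses @($Self, $OnPremDns)

# 5. New DHCP option set so every other instance in the VPC gets the in-VPC DNS server.
#    Needs IAM permission for ec2:CreateDhcpOptions and ec2:AssociateDhcpOptions.
Import-Module AWSPowerShell
$Opts = New-EC2DhcpOption -DhcpConfiguration @(
    @{ Key = 'domain-name';         Values = @($DomainName) },
    @{ Key = 'domain-name-servers'; Values = @($Self, $OnPremDns) }
)
Register-EC2DhcpOption -DhcpOptionsId $Opts.DhcpOptionsId -VpcId $VpcId

# Checks: the new DC is discoverable in the AWS site and replicates with on-premises
Get-ADDomainController -Discover -SiteName $SiteName | Select-Object HostName, Site
repadmin /showrepl
```

Existing instances pick up the new option set only when their DHCP lease renews (ipconfig /renew forces it). The promotion in step 3 and the replication check at the end both need the AD replication ports open from the VPC to the on-premises DCs through the VPN or Direct Connect path and in the DC's security group; a timeout on Install-ADDSDomainController is almost always that, not a credential problem.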
Sample Deployment Scenario #2
Partially Automated Deployment
The AWS CloudFormation template performs these actions to deploy the architecture shown. You will need to create the virtual private gateway and VPN connection manually.
• Set up the Amazon VPC, including subnets in two Availability Zones.
• Configure private and public routes.
• Launch Windows Server 2012 Amazon Machine Images (AMIs).
• Create empty private subnets in each Availability Zone into which you can deploy additional servers.
• Configure security groups and rules for traffic between application tiers.
• Set up and configure AD Sites and Subnets.
• Enable ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway and NAT instances.
Template Customization
• Sample Template 2 allows for customization of 20 defined parameters
• These can be modified or extended just like Template 1
More Reference Architectures from AWS
• Remote Desktop Gateway: Reference Architecture Whitepaper; Advanced Implementation Guide and CloudFormation templates
• SharePoint Server: Reference Architecture Whitepaper; Advanced Implementation Guide and CloudFormation templates
• SQL Server: "Implementing Microsoft Windows Server Failover Clustering (WSFC) and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud"
• Microsoft Exchange: "Microsoft Exchange Server 2010 in the AWS Cloud: Planning and Implementation Guide"
These and more can be found at http://aws.amazon.com/microsoft/whitepapers/
Additional Resources
Web Pages
Microsoft on AWS
http://aws.amazon.com/microsoft/
Windows on AWS (includes pricing)
http://aws.amazon.com/windows/
Reference Deployment Quickstart
http://aws.amazon.com/quickstart/
AWS Windows and .NET Developer Center (with SDK)
http://aws.amazon.com/net/
Amazon EC2 Windows Guide
http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/
Scenarios for Amazon VPC
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenarios.html
Microsoft Licensing
http://aws.amazon.com/windows/mslicensemobility/
Covers Exchange, SharePoint, SQL, Lync, SCOM, and Dynamics.
See page for specific details, including which versions are covered.
Whitepapers
Secure Microsoft Applications on AWS
Relational Database Management Systems in the Cloud:
Microsoft SQL Server 2008 R2
Amazon’s Corporate IT Deploys SharePoint 2010 to the AWS
Cloud
Remote Desktop Gateway Reference Architecture
Contact Us
https://aws.amazon.com/microsoft/contact-us/
If you have either business or technical questions about running
Microsoft software on AWS, please don’t hesitate to contact us.
Join us and learn about the AWS platform, new services and how to get started. Register for a Summit near you: aws.amazon.com/aws-summit-2014/
New York, July 10 | Tokyo, July 17-18 | Brisbane, August 5 | Melbourne, August 12 | Perth, August 20 | Beijing, September 4 | Tel Aviv, September 17
Thank You