1. Use Case One – Replicate all on-premises AD objects to AWS, and redirect all external and SaaS applications to authenticate against a single entry point (the AWS Managed AD).
  2. Use Case Two – Use AWS Managed AD as a failover solution for your primary, on-premises AD.

Both use cases can be addressed by either of the two solutions described below: AWS Managed Microsoft AD, or self-managed AD DS on EC2.

This post describes two possible routes: an AWS Managed Microsoft AD, Enterprise Edition (Route 1), and a custom AD DS installation on EC2 instances (Route 2, self-managed).

Route 1 – AWS Managed AD – Enterprise Edition (for up to approximately 500,000 directory objects), Standard Edition (for up to approximately 30,000 directory objects)

· Setting up a VPC, including private and public subnets in two Availability Zones.

· Setting up a VPN tunnel between on-premises and AWS (the trust and any migration traffic below depend on it).

· Setting up a one-way trust between the AWS Managed domain and your on-premises primary AD (Windows Server 2008), with conditional DNS forwarders on both sides so each domain can resolve the other.

· Migration of all user objects from the primary domain to the AWS Managed domain. Note that AWS Managed Microsoft AD does not replicate with an on-premises domain and does not let you add your own domain controllers to it, so "replication" here means a one-time (or scripted, repeated) migration of the objects across the trust, for example with ADMT; the trust on its own only lets on-premises users authenticate to resources in the managed domain.

· Deployment of a Windows EC2 instance from which to manage the AWS Managed AD

· Domain-joining the EC2 management instance to the new managed AD

· Installation of the AD administration tools (RSAT) on the EC2 instance using PowerShell
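The last four Route 1 steps (trust, domain join, RSAT install, verification), as an added PowerShell example written for this page; it is not code from the original post or from AWS. It runs on the Windows EC2 management instance with the AWS Tools for PowerShell installed and an instance role allowed to call Directory Service and Secrets Manager. The directory ID, domain names, DNS addresses and secret name at the top are assumptions to replace with your own.

```powershell
# Added example (not from the original post). Run on the Windows EC2 management
# instance with the AWS Tools for PowerShell (AWS.Tools.DirectoryService,
# AWS.Tools.SecretsManager) installed.
$ManagedDirectoryId = 'd-1234567890'            # assumption: AWS Managed AD directory ID
$ManagedDomain      = 'corp.aws.example.com'     # assumption: managed AD FQDN
$ManagedDnsIps      = @('10.0.0.10', '10.0.1.10') # assumption: managed AD DNS IPs, one per AZ
$OnPremDomain       = 'corp.example.com'         # assumption: on-premises AD FQDN
$OnPremDnsIps       = @('192.168.10.5')          # assumption: on-premises DNS server(s)
$TrustSecretName    = "ad/trust/$OnPremDomain"   # assumption: Secrets Manager secret name

# 1. Point the instance at the managed AD's DNS servers so the managed domain resolves.
$Nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses $ManagedDnsIps

# 2. Install the AD administration tools (RSAT) before the join so they are ready
#    on first logon after the reboot.
Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server, GPMC -IncludeAllSubFeature

# 3. Create the AWS side of the one-way trust. 'One-Way: Outgoing' means the managed
#    domain trusts the on-premises domain, so on-premises users can authenticate to
#    resources in the managed domain. The trust password is generated once, stored in
#    Secrets Manager, and must be entered on the on-premises (Windows Server 2008) side
#    when the matching incoming trust is created there (netdom trust / AD Domains and
#    Trusts), together with a conditional forwarder for $ManagedDomain -> $ManagedDnsIps.
$TrustPassword = Get-SECRandomPassword -PasswordLength 32 -RequireEachIncludedType $true
New-SECSecret -Name $TrustSecretName -SecretString $TrustPassword | Out-Null
$TrustId = New-DSTrust -DirectoryId $ManagedDirectoryId `
                       -RemoteDomainName $OnPremDomain `
                       -TrustDirection 'One-Way: Outgoing' `
                       -TrustType Forest `
                       -TrustPassword $TrustPassword `
                       -ConditionalForwarderIpAddr $OnPremDnsIps
Remove-Variable TrustPassword   # keep the plaintext out of the session once stored

# 4. Join the instance to the managed domain. Use an account in the directory's
#    delegated administrators group; AWS does not hand out Domain Admins for a managed
#    directory. The join requires a reboot.
$JoinCred = Get-Credential -Message "Account in $ManagedDomain allowed to join computers"
Add-Computer -DomainName $ManagedDomain -Credential $JoinCred -Restart

# 5. After the reboot: the trust must report Verified before any application is
#    redirected at the managed AD, and the domain must answer over the new DNS path.
Get-DSTrust -DirectoryId $ManagedDirectoryId |
    Select-Object TrustId, RemoteDomainName, TrustDirection, TrustState, TrustStateReason
Get-ADDomain -Server $ManagedDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
```

Until the on-premises side of the trust exists, `Get-DSTrust` reports the trust as Failed or Verifying; that is expected, and `TrustStateReason` says which side is missing. Consider `-SelectiveAuth Enabled` on `New-DSTrust` if only specific on-premises users should reach resources in the managed domain.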

 

Route 2 – Self Managed AD DS on AWS

As a fallback solution, a new AD DS forest can be installed on EC2 instances (Route 2). The exact sizing of the instances depends on the number of directory objects and the authentication load. A domain controller is CPU- and memory-bound rather than storage-bound, so the candidates are the general purpose (T2, M4) and memory optimized (X1) families; F1 is an FPGA-accelerated family and is not a sensible choice for a domain controller.

The steps involved in installing and configuring a self-managed AD DS on AWS include:

· Setting up a VPC, including private and public subnets in two Availability Zones.

· Configuring two NAT gateways in the public subnets.

· Configuring private and public routes.

· Allowing ingress traffic into the VPC for administrative access to Remote Desktop Gateway.

· Creating Systems Manager Automation documents that set up and configure AD DS and AD-integrated DNS.

· Storing alternate domain administrator credentials in Secrets Manager.

· Using Secrets Manager to generate and store Restore Mode and Domain Administrator passwords.

· Launching instances using the Windows Server 2016 (or 2019 Datacenter) AMI.

· Configuring security groups and rules for traffic between instances.

· Configuring Active Directory sites and subnets.
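The Secrets Manager, promotion and sites/subnets steps of Route 2, as an added PowerShell example written for this page; it is neither the original post's code nor the AWS Quick Start's Systems Manager automation, and it is run by hand on the first Windows Server 2016/2019 EC2 instance with the AWS Tools for PowerShell installed and an instance role allowed to create and read the two secrets. The domain name, secret names, account name and the Availability Zone to subnet mapping are assumptions to replace with your own.

```powershell
# Added example (not from the original post or the AWS Quick Start). Run on the
# first Windows Server 2016/2019 EC2 instance that will become the forest root DC.
$DomainName  = 'corp.aws.example.com'   # assumption: new forest root FQDN
$NetBiosName = 'CORP'                   # assumption: NetBIOS name
$DsrmSecret  = 'ad/corp/dsrm-password'  # assumption: Secrets Manager secret name
$AdminSecret = 'ad/corp/alt-admin'      # assumption: alternate domain admin credentials
$Sites = @{                             # assumption: one AD site per AZ, private subnets
    'us-east-1a' = '10.0.0.0/24'
    'us-east-1b' = '10.0.1.0/24'
}

# 1. Directory Services Restore Mode password: generated by Secrets Manager and stored
#    there; it is never written to disk or echoed to the console.
$Dsrm = Get-SECRandomPassword -PasswordLength 32 -RequireEachIncludedType $true
New-SECSecret -Name $DsrmSecret -SecretString $Dsrm | Out-Null
$DsrmSecure = ConvertTo-SecureString $Dsrm -AsPlainText -Force
Remove-Variable Dsrm

# 2. Alternate (break-glass) domain administrator: username and password stored
#    together as JSON so they are retrieved as one unit after promotion.
$AltAdminPwd  = Get-SECRandomPassword -PasswordLength 32 -RequireEachIncludedType $true
$AltAdminJson = @{ username = 'adadmin-alt'; password = $AltAdminPwd } | ConvertTo-Json -Compress
New-SECSecret -Name $AdminSecret -SecretString $AltAdminJson | Out-Null
Remove-Variable AltAdminPwd, AltAdminJson

# 3. Install the role and promote this instance to the first DC of a new forest with
#    AD-integrated DNS. Install-ADDSForest reboots the instance when it finishes.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
Install-ADDSForest -DomainName $DomainName `
                   -DomainNetbiosName $NetBiosName `
                   -SafeModeAdministratorPassword $DsrmSecure `
                   -InstallDns `
                   -Force

# ---- Run the rest after the reboot, logged on as Administrator of the new domain ----
Import-Module ActiveDirectory

# 4. One AD site per Availability Zone with that AZ's private subnet attached, so
#    clients and the second DC use the nearest DC and replication is site-aware.
foreach ($Az in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Az'")) {
        New-ADReplicationSite -Name $Az
    }
    New-ADReplicationSubnet -Name $Sites[$Az] -Site $Az
}
# Move this DC out of Default-First-Site-Name into the site of the AZ it runs in,
# using IMDSv2 (token first) to find the AZ.
$Token  = Invoke-RestMethod -Method PUT -Uri 'http://169.254.169.254/latest/api/token' `
            -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$ThisAz = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/placement/availability-zone' `
            -Headers @{ 'X-aws-ec2-metadata-token' = $Token }
Move-ADDirectoryServer -Identity $env:COMPUTERNAME -Site $ThisAz

# 5. Create the alternate domain administrator from the secret stored in step 2.
$Alt = (Get-SECSecretValue -SecretId $AdminSecret).SecretString | ConvertFrom-Json
New-ADUser -Name $Alt.username -SamAccountName $Alt.username `
           -AccountPassword (ConvertTo-SecureString $Alt.password -AsPlainText -Force) `
           -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members $Alt.username
```

The second domain controller in the other Availability Zone is promoted with `Install-ADDSDomainController -DomainName $DomainName -SiteName <its AZ>` using the same DSRM secret, after its security group allows the AD ports (TCP/UDP 53, 88, 135, 389, 445, 464, 636, TCP 3268-3269, and the RPC dynamic range 49152-65535) from the first DC's subnet.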

Summary

AWS Managed Microsoft AD should be your default option. Even the Enterprise Edition costs no more than about $400 per month (pricing at the time of writing; check the current rate for your region). Should you have more than 500,000 directory objects, or need your own domain controllers or a true replica of the on-premises domain, the alternative is to install AD DS on EC2 instances, as described in Route 2 above.

Anuj Varma holds professional certifications in Google Cloud and AWS, as well as certifications in Docker and application performance tools such as New Relic. He specializes in cloud security, data encryption and container technologies.
