Posted On: Jul 29, 2016

AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD, now supports routing to your on-premises DNS servers, conditional forwarders and hosts that use public Internet Protocol (IP) addresses. Through the link to your VPC, you can now create trusts and domain join hosts with on-premises computers that have public IP addresses. This provides you more flexibility in how you integrate Microsoft AD with your on-premises environment. 

Establishing trusts between Active Directory forests requires Domain Name System (DNS) to resolve host names to IP addresses between trusting forests. When setting up AD trusts through the Directory Service console or API, you can now specify on-premises DNS servers, called conditional forwarders, which have public IP addresses. If your DNS server resolves host addresses to public IP addresses, Microsoft AD can route communications to those hosts through your VPC. 

A trust relationship between your Microsoft AD and your on-premises Microsoft Active Directory domain enables you to create a resource domain in your Amazon VPC. With this resource domain, you can deploy and control access to custom .NET, SQL Server, and other Active Directory-aware workloads. Through the trust relationship, your on-premises directory provides authentication for these resources using the existing user accounts in your on-premises directory. This makes it easy to migrate existing Active Directory-aware workloads, or launch new ones in the cloud, without the need to move or synchronize user accounts. 

To join on-premises computers to Microsoft AD, there must be a secure IP route between the systems through your VPC to your network. If your on-premises computers use public IP addresses, static routes are needed in your VPC to discern between traffic that should go out to the Internet and traffic that should be kept within your private network. From the Directory Service console or API, you can now define routes between Microsoft AD and public IP addresses associated with your on-premises network even if you are not setting up a trust. This keeps communications between Microsoft AD and your on-premises host secured within the network you control. 
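The two pieces described above, the conditional forwarder pointing at public on-premises DNS servers and the IP routes that keep traffic to public on-premises addresses inside your VPC path, map onto the Directory Service API calls CreateConditionalForwarder and AddIpRoutes. The following is an added example, not AWS code: it builds the parameters for those calls and refuses inputs that should never be routed this way (RFC 1918, loopback, link-local and shared-address ranges belong to your VPN or Direct Connect route tables) or that are broad enough to pull a large slice of the Internet into the private path. The directory ID, domain name and addresses are constructed placeholders.

```python
import ipaddress

# Ranges that are not public and so must not become Directory Service IP routes.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

def public_only(addrs):
    """Parse each address/CIDR and reject anything overlapping a non-public range."""
    nets = []
    for a in addrs:
        net = ipaddress.ip_network(a, strict=False)
        if net.version != 4 or any(net.overlaps(b) for b in _NON_ROUTABLE):
            raise ValueError(f"{a} is not a public IPv4 address or range")
        nets.append(net)
    return nets

def plan_conditional_forwarder(directory_id, remote_domain, dns_ips):
    """Parameters for CreateConditionalForwarder: queries for remote_domain are
    sent to these on-premises DNS servers, which must be single public hosts."""
    nets = public_only(dns_ips)
    if any(n.prefixlen != 32 for n in nets):
        raise ValueError("DNS server entries must be single addresses, not ranges")
    return {"DirectoryId": directory_id,
            "RemoteDomainName": remote_domain,
            "DnsIpAddrs": [str(n.network_address) for n in nets]}

def plan_ip_routes(directory_id, cidrs, max_prefix=24, description="on-premises hosts"):
    """Parameters for AddIpRoutes. Adjacent/overlapping blocks are collapsed so the
    route list stays minimal, and any block wider than /max_prefix is refused so a
    typo cannot route a large part of the Internet through the directory path."""
    nets = list(ipaddress.collapse_addresses(public_only(cidrs)))
    too_broad = [str(n) for n in nets if n.prefixlen < max_prefix]
    if too_broad:
        raise ValueError(f"routes wider than /{max_prefix} refused: {too_broad}")
    return {"DirectoryId": directory_id,
            "IpRoutes": [{"CidrIp": str(n), "Description": description} for n in nets],
            "UpdateSecurityGroupForDirectoryControllers": True}

if __name__ == "__main__":
    # Constructed placeholder values; a real run would pass these dicts to the
    # corresponding boto3 Directory Service client calls.
    print(plan_conditional_forwarder("d-0000000000", "corp.example.com", ["198.51.100.53"]))
    print(plan_ip_routes("d-0000000000", ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.7"]))
```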

The added routing and conditional forwarder capability of this release offers greater flexibility when creating trusts between Microsoft AD and your on-premises Microsoft Active Directory domains, as well as with other Microsoft AD domains in the AWS cloud. To get started, see the AWS Directory Service Trust Creation page. To learn more about Microsoft AD, please visit AWS Directory Services.