Securely extend and access on-premises Active Directory domain controllers in AWS
August 10, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.
If you have an on-premises Windows Server Active Directory infrastructure, it’s important to plan carefully how to extend it into Amazon Web Services (AWS) when you’re migrating or implementing cloud-based applications. In this scenario, existing applications require Active Directory for authentication and identity management. When you migrate these applications to the cloud, having a locally accessible Active Directory domain controller is an important factor in achieving fast, reliable, and secure Active Directory authentication.
In this blog post, I’ll provide guidance on how to securely extend your existing Active Directory domain to AWS and optimize your infrastructure for maximum performance. I’ll also show you a best practice that implements a remote desktop gateway solution to access your domain controllers securely while using the minimum required ports. Additionally, you will learn about how AWS Systems Manager Session Manager port forwarding helps provide a secure and simple way to manage your domain resources remotely, without the need to open inbound ports and maintain RDGW hosts.
Administrators can use this blog post as guidance to design Active Directory on Amazon Elastic Compute Cloud (Amazon EC2) domain controllers. This post can also be used to determine which ports and protocols are required for domain controller infrastructure communication in a segmented network.
Design and guidelines for EC2-hosted domain controllers
This section provides a set of best practices for designing and deploying EC2-hosted domain controllers in AWS.
AWS has multiple options for hosting Active Directory on AWS, which are discussed in detail in the Active Directory Domain Services on AWS Design and Planning Guide. One option is to use AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). AWS Managed Microsoft AD provides you with a complete new forest and domain to start your Active Directory deployment on AWS. However, if you prefer to extend your existing Active Directory domain infrastructure to AWS and manage it yourself, you have the option of running Active Directory on EC2-hosted domain controllers. See our Quick Start guide for instructions on how to deploy both of these options (AWS Managed Microsoft AD or EC2-hosted domain controllers on AWS).
If you’re operating in more than one AWS Region and require Active Directory to be available in all these Regions, use the best practices in the Design and Planning Guide for a multi-Region deployment strategy. Within each of the Regions, follow the guidelines and best practices described in this blog post.
Figure 1 shows an example of how to deploy Active Directory on EC2 instances in multiple Regions with multiple virtual private clouds (VPCs). In this example, I’m showing the Active Directory design in multiple Regions that interconnect to each other by using AWS Transit Gateway.
In order to extend your existing Active Directory deployment from on-premises to AWS as shown in the example, you do two things. First, you add additional domain controllers (running on Amazon EC2) to your existing domain. Second, you place the domain controllers in multiple Availability Zones (AZs) within your VPC, in multiple Regions, by keeping the same forest (Example.com) and domain structure.
Consider these best practices when you deploy or extend Active Directory on EC2 instances:
- We recommend deploying at least two domain controllers (DCs) in each Region and configuring a minimum of two AZs, to provide high availability.
- If you require additional domain controllers to achieve your performance goals, add more domain controllers to existing AZs or deploy to another available AZ.
- It’s important to define Active D
irectory sites and subnets correctly to prevent clients from using domain controllers that are located in different Regions, which causes increased latency.
- Configure the VPC in a Region as a single Active Directory site and configure Active Directory subnets accordingly in the AD Sites and Services console. This configuration confirms that your clients correctly select the closest available domain controller.
- If you have multiple VPCs, centralize the Active Directory services in one of your existing VPCs or create a shared services VPC to centralize the domain controllers.
- Make sure that robust inter-Region connectivity exists between all of the Regions. Within AWS, you can leverage cross-Region VPC peering to achieve highly available private connectivity between Regions. You can also use the Transit Gateway VPC solution, as shown in Figure 1, to interconnect multiple Regions.
- Make sure that you’re deploying your domain controllers in a private subnet without internet access.
- Keep your security patches up to date on EC2 domain controllers. You can use AWS Systems Manager to patch your domain controllers in a controlled manner.
- Have a dedicated AWS account for directory services and don’t share the account with other general services and applications. This helps you to control access to the AWS account and add domain controller–specific automation.
- If your users need to manage AWS services and access AWS applications with their Active Directory credentials, we recommend integrating your identity service with the management account in AWS Organizations. You can configure the AWS IAM Identity Center service to use AD Connector in a primary account VPC to connect to self-managed Active Directory domain controllers that are hosted in a Shared Services account.
Alternatively, you can deploy AWS Managed Microsoft AD in the management account, with trust to your EC2 Active Directory domain, to allow users from any trusted domain to access AWS applications. However, you could host these EC2 domain controllers in the primary account, similar to the AWS Managed AD option.
- Build domain controllers with end-to-end automation using version control (for example, GIT and AWS CodeCommit) and Desired State Configuration (DSC)/PowerShell.
Security considerations for EC2-hosted domains
This section explains how you can maximize the security of your extended EC2-hosted domain controller infrastructure, and use AWS services to help achieve security compliance. You should also refer to your organization’s IT system security policies to determine the most relevant recommendations to implement.
AWS operates under a shared security responsibility model, where AWS is responsible for the security of the underlying cloud infrastructure and you are responsible for securing workloads you deploy in AWS.
Our recommendations for security for EC2-hosted domains are as follows:
- We recommend that you place EC2-hosted domain controllers in a single dedicated AWS account or deploy them in your AWS Organizations management account. This makes it possible for you to use your Active Directory credentials for authentication to access the AWS Management Console and other AWS applications.
- Use tag-based policies to restrict access to domain controllers if you’re using the Shared Services account for hosting domain controllers.
- Take advantage of the EC2 Image Builder service to deploy a domain controller that uses a CIS standard base image. By doing this, you can avoid manual deployment by setting up an image pipeline.
- Secure the AWS account where the domain controllers are running by following the principle of least privilege and by using role-based access control.
- Take advantage of these AWS services to help secure your workloads and application:
- AWS Landing Zone–A solution that helps you more quickly set up a secure, multi-account AWS environment, based on AWS best practices.
- AWS Organizations–A service that helps you centrally manage and govern your environment as you grow and scale your AWS resources.
- Amazon Guard Duty–An automated threat detection service that continuously monitors for suspicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data that are stored in Amazon Simple Storage Service (Amazon S3).
- Amazon Detective–A service that can analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.
- Amazon Inspector–An automated security assessment service that helps improve the security and compliance of applications that are deployed on AWS.
- AWS Security Hub–A service that provides customers with a comprehensive view of their security and compliance status across their AWS accounts. You can import critical patch compliance findings into Security Hub for easy reference.
Use data encryption
AWS offers you the ability to add a layer of security to your data at rest in the cloud, providing scalable and efficient encryption features. These are some best practices for data encryption:
- Encrypt the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the domain controllers, and keep the customer master key (CMK) safe with AWS Key Management Service (AWS KMS) or AWS CloudHSM, according to your security team’s guidance and policies.
- Consider using a separate CMK for the Active Directory and restrict access to the CMK to a specific team.
- Enable LDAP over SSL (LDAPS) on all domain controllers, for secure authentication, if your application supports LDAPS authentication.
- Deploy and manage a public key infrastructure (PKI) on AWS. For more information, see the Microsoft PKI Quick Start guide.
Restrict account and instance access
Provide management access for directory service accounts and domain controller instances only to the specific team that manages the Active Directory. To do this, follow these guidelines:
- Restrict access to an EC2 domain controller’s start, stop, and terminate behavior by using AWS Identity and Access Management (IAM) policy and resources tags. Example: Restrict-ec2-iam
- Restrict access to Amazon EBS volumes and snapshots.
- Restrict account root access and implement multi-factor authentication (MFA) for this access.
Network access control for domain controllers
Whenever possible, block all unnecessary traffic to and from your domain controllers to limit the communication so that only the necessary ports are opened between a domain controller and another computer. Use these best practices:
- Allow only the required network ports between the client and domain controllers, and between domain controllers.
- Use a security group to narrow down the access to domain controllers.
- Use network access control lists (network ACLs) to filter Active Directory ports as this gives you better control than using ephemeral ports.
- Deploy domain controllers in private subnets.
- Route only the required subnets into the VPC that contains the domain controllers.
AWS provides services that continuously monitor your data, accounts, and workloads to help protect them from unauthorized access. We recommend that you take advantage of the following services to securely administer your domain controller’s deployment:
- Use AWS Systems Manager Session Manager or Run Command to manage your instances remotely. The command actions are sent to Amazon CloudWatch Logs or Amazon S3 for auditing purposes. Leaving inbound Remote Desktop Protocol (RDP), WinRM ports, and remote PowerShell ports open on your instances greatly increases the risk of entities running unauthorized or malicious commands on the instances. Session Manager helps you improve your security posture by letting you close these inbound ports, which frees you from managing SSH keys and certificates, bastion hosts, and jump boxes.
- Use Amazon EventBridge to set up rules to detect when changes happen to your domain controller EC2 instances and to send notifications by using Amazon Simple Notification Service (Amazon SNS) when a command is run.
- Manage configuration drift on EC2 instances. Systems Manager State Manager helps you automate the process of keeping your domain controller EC2 instances in the desired state and integrates with Systems Manager Compliance.
- Avoid any manual interventions while you build and manage domain controllers. Automate the domain join process for Amazon EC2 instances from multiple AWS accounts and Regions.
- For developing your applications with domain controllers, use the Windows DC locator service or use the Dynamic DNS (DDNS) service of your AWS Managed Microsoft AD to locate domain controllers. Do not hard-code applications with the address of a domain controller.
- Use AWS Config to manage your domain controller configuration.
- Use Systems Manager Parameter Store or Secrets Manager to store all secrets, as well as configurations for your domain controller automation.
- Use version control to update the domain controller source code with pipeline approvals to avoid any misconfigurations and faulty deployments.
Logging and monitoring
AWS provides tools and features that you can use to see what’s happening in your AWS environment. We recommend that you use these logging and monitoring practices for your EC2-hosted domain controllers:
- Enable VPC Flow Logs data for each domain controller’s accounts to monitor the traffic that’s reaching your domain controller instance.
- Log Windows and Active Directory events in Amazon CloudWatch Logs for increased visibility.
- Consider setting up alerts and notifications for key security events for EC2 domain controllers, in real time. These alerts can be sent to your Red and Blue security response teams for further analysis.
- Deploy the CloudWatch agent or the Amazon Kinesis Agent for Windows on EC2 for detail monitoring and alerting at the domain controller operating system level.
- Log Systems Manager API calls with AWS CloudTrail.
Other security considerations
As a best practice, implement domain controller security at the operating system level, according to your security team’s recommendations. We recommend these options:
- Block executables from running on domain controllers.
- Prevent web browsing from domain controllers.
- Configure a Windows Server Core base image for domain controllers.
- Integrate bastion hosts with Systems Manager Session Manager and use MFA to manage domain controllers remotely.
- Perform regular system state backups of your Active Directory environments. Encrypt these backups.
- Perform Active Directory administrative management from a remote server, and avoid logging in to domain controllers interactively unless needed.
- For FSMO roles, you can follow the same recommendations you would follow for your on-premises deployment to determine FSMO roles on domain controllers. For more information, see these best practices from Microsoft. In the case of AWS Managed Microsoft AD, all domain controllers and FSMO role assignments are managed by AWS and don’t require you to manage or change them.
Domain controller ports
In this section, I’m going to cover the network ports and protocols that are needed to deploy domain services securely. Understanding how traffic flows and is processed by a network firewall is essential when someone requests or implements firewall rules, to avoid any connectivity issues.
Here are some common problems that you might observe because of network port blockage:
- The RPC server is unavailable
- Name resolution issues
- A connectivity issue is detected with LDAP, LDAPS, and Kerberos
- Domain replication issues
- Domain authentication issues
- Domain trust issues between on-premises Active Directory and AWS Managed Microsoft AD
- AD Connector connectivity issues
- Issues with domain join, password reset, and more
Understand Active Directory firewall ports
You must allow traffic from your on-premises network to the VPC that contains your extended domain controllers. To do this, make sure that the firewall ports that opened with the VPC subnets that were used to deploy your EC2-hosted domain controllers and the security group rules that are configured on your domain controllers both allow the network traffic to support domain trusts.
Domain controller to domain controller core ports requirements
|Source||Destination||Protocol||Port||Type||Active Directory usage||Type of traffic|
|Any domain controller||Any domain controller||TCP and UDP||53||Bi-directional||User and computer authentication, name resolution, trusts||DNS|
|TCP and UDP||88||Bi-directional||User and computer authentication, forest level trusts||Kerberos|
|UDP||123||Bi-directional||Windows Time, trusts||Windows Time|
|TCP||135||Bi-directional||Replication||RPC, Endpoint Mapper (EPM)|
|UDP||137||Bi-directional||User and computer authentication||NetLogon, NetBIOS name resolution|
|UDP||138||Bi-directional||Distributed File System (DFS), Group Policy||DFSN, NetLogon, NetBIOS Datagram Service|
|TCP||139||Bi-directional||User and computer authentication, replication||DFSN, NetBIOS Session Service, NetLogon|
|TCP and UDP||389||Bi-directional||Directory, replication, user, and computer authentication, Group Policy, trustss||LDAP|
|TCP and UDP||445||Bi-directional||Replication, user, and computer authentication, Group Policy, trusts||SMB, CIFS, SMB2, DFSN, LSARPC, NetLogonR, SamR, SrvSvc|
|TCP and UDP||464||Bi-directional||Replication, user, and computer authentication, trusts||Kerberos change/set password|
|TCP||636||Bi-directional||Directory, replication, user, and computer authentication, Group Policy, trusts||LDAP SSL (required only if LDAP over SSL is configured)|
|TCP||3268||Bi-directional||Directory, replication, user, and computer authentication, Group Policy, trusts||LDAP Global Catalog (GC)|
|TCP||3269||Bi-directional||Directory, replication, user, and computer authentication, Group Policy, trusts||LDAP GC SSL (required only if LDAP over SSL is configured)|
|TCP||5722||Bi-directional||File replication||RPC, DFSR (SYSVOL)|
|TCP||9389||Bi-directional||AD DS web services||SOAP|
|TCP Dynamic||49152–65535||Bi-directional||Replication, user, and computer authentication, Group Policy, trusts||RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, File Replication Service (FRS)|
|UDP Dynamic||49152–65535||Bi-directional||Group Policy||DCOM, RPC, EPM|
Note: There is no need to open a DNS port on domain controllers if you are not using a domain controller as a DNS server, or if you’re using any third-party DNS solutions.
Client to domain controller core ports requirements
The following table lists the port requirements for establishing client to domain controller communication for Active Directory.
|Source||Destination||Protocol||Port||Type||Usage||Type of traffic|
|All internal company client network IP subnets||Any domain controller||TCP||53||Uni-directional||DNS||DNS|
|UDP||123||Uni-directional||Windows Time||Windows Time|
|TCP||135||Uni-directional||RPC, EPM||RPC, EPM|
|UDP||137||Uni-directional||NetLogon, NetBIOS name||User and computer authentication|
|UDP||138||Uni-directional||DFSN, NetLogon, NetBIOS datagram service||DFS, Group Policy, NetBIOS, NetLogon, browsing|
|TCP||389||Uni-directional||LDAP||Directory, replication, user, and computer authentication, Group Policy, trust|
|UDP||389||Uni-directional||LDAP||Directory, replication, user, and computer authentication, Group Policy, trust|
|TCP||445||Uni-directional||SMB, CIFS, SMB3, DFSN, LSARPC, NetLogonR, SamR, SrvSvc||Replication, user, and computer authentication, Group Policy, trust|
|TCP||464||Uni-directional||Kerberos change/set password||Replication, user, and computer authentication, trust|
|UDP||464||Uni-directional||Kerberos change/set password||Replication, user, and computer authentication, trust|
|TCP||636||Uni-directional||LDAP SSL||Directory, replication, user, and computer authentication, Group Policy, trust|
|TCP||3268||Uni-directional||LDAP GC||Directory, replication, user, and computer authentication, Group Policy, trust|
|TCP||3269||Uni-directional||LDAP GC SSL||Directory, replication, user, and computer authentication, Group Policy, trust|
|TCP||9389||Uni-directional||SOAP||AD DS web service|
|TCP||49152–65535||Uni-directional||DCOM, RPC, EPM||Group Policy|
- You must allow network traffic communication from your on-premises network to the VPC that contains your AWS-hosted EC2 domain controllers.
- You also can restrict DC-to-DC replication traffic and DC-to-client communications to specific ports.
- Packet fragmentation can cause issues with services such as Kerberos. You should make sure that maximum transmission unit (MTU) sizes match your network devices.
- Additionally, unless a tunneling protocol is used to encapsulate traffic to Active Directory, ranges of ephemeral TCP ports between 49152 to 65535 are required. Ephemeral ports are also known as service response ports. These ports are created dynamically for session responses for each client that establishes a session. These ports are required not only for Windows but for Linux and UNIX.
Manage domain controllers securely using a bastion host and RDGW
We recommend that you restrict the domain controller’s management by using a secure, highly available, and scalable Microsoft Remote Desktop Gateway (RDGW) solution in conjunction with bastion hosts. A bastion host that is designed to work with a specific part of the infrastructure should work with that unit only, and nothing else. Limiting the use of bastion hosts to a specific instance example domain controller can help improve your security posture.
The reference architecture shown in Figure 2 restricts management access to your domain controllers and access via port 443. The bastion hosts in the diagram are configured to only allow RDP from the RDGW.
For additional security, follow these best practices:
- Configure RDGW and bastions hosts to use MFA for logins.
- Implement login restrictions by using a Group Policy Object (GPO), so that only required administrators log in to RDGW and the bastion host, based on their group membership.
Bastion host to domain controllers ports requirements
The following table lists the port requirements for establishing bastion host-to-DC communication in all versions of Windows Server.
|Source||Destination||Protocol||Ports||Type||Usage||Type of traffic|
|Bastion host to domain controller||Any domain controller subset||TCP||443||Uni-directional||TPKT||Remote Protocol Gateway access|
|UDP||3389||Uni-directional||TPKT||Remote Desktop Protocol|
|TCP||3389||Uni-directional||WS-Man||Remote Desktop Protocol|
|TCP||5985||Bi-directional||HTTPS||Windows Remote Management (WinRM)|
|TCP||5985||Bi-directional||WS-Man||Windows Remote Management (WinRM)|
You can also take advantage of Systems Manager Session Manager to manage domain joined resources instead of using bastion hosts for management. This option eliminates the need to manage bastion infrastructure and open any inbound rules. It also integrates natively with IAM and AWS CloudTrail, two services that enhance your security and audit posture. In the next section, I’ll discuss Session Manager and how it is useful in this context.
Session Manager port forwarding
Active Directory administrators are accustomed to managing domain resources by using Remote Server Administrators Tools (RSAT) that are installed on either their workstations or a member server in the domain (for example, RDP to a bastion host). Although RDP is effective, using RDP requires more management, such as managing inbound rules for port 3389. In some cases, having this port exposed to the internet might put your systems at risk. For example, systems can be susceptible to brute force or unauthorized dictionary activity. Instead of using a RDGW host and opening RDP inbound RDP ports, we recommend using the Session Manager Service, which provides port-forwarding ability without opening inbound ports.
Port forwarding provides the ability to forward traffic between your clients to open ports on your EC2 instance. After you configure port forwarding, you can connect to the local port and access the server application that is running inside the instance, as shown in Figure 3. To configure the port-forwarding feature in Session Manager, you can use IAM policies and the AWS-StartPortForwardingSession document.
To start a session using the AWS Command Line Interface (AWS CLI), run the following command.
Note: You can use any available ephemeral port. 9999 is just an example. Install and configure the AWS CLI, if you haven’t already.
You can also start a session by using an IAM policy like the one shown in the following example. To learn more about creating IAM policies for Session Manager, see the topic Quickstart default IAM policies for Session Manager.
In this policy example, I created the policy for Systems Manager for both AWS-StartPortForwadingSession and AWS-StartSSHSession for Linux (SSH) environments, for your reference and guidance.
When you use the port-forwarding feature in Session Manager, you have the option to use an auditing service like AWS CloudTrail to provide a record of the connections made to your instances. You can also monitor the session by using Amazon CloudWatch Events with Amazon SNS to receive notifications when a user starts or ends session activity.
There is no additional charge for accessing EC2 instances by using Session Manager port forwarding. Port forwarding is available today in all AWS Regions where Systems Manager is available. You will be charged for the outgoing bandwidth from the NAT Gateway or your VPC Private Link.
Bastion host architecture using Session Manager
In this section, I discuss how to use a bastion host with Session Manager. Session Manager uses the Systems Manager infrastructure to create an SSH-like session with an instance. Session Manager tunnels real SSH connections, which allows you to tunnel to another resource within your VPC directly from your local machine. A managed instance that you create, acts as a bastion host, or gateway, to your AWS resources. The benefits of this configuration are:
- Increased security: This configuration uses only one EC2 instance (the bastion host), and connects outbound port 443 to Systems Manager infrastructure. This allows you to use Session Manager without any inbound connections. The local resource must allow inbound traffic only from the instance that is acting as bastion host. Therefore, there is no need to open any inbound rule publicly.
- Ease of use: You can access resources in your private VPC directly from your local machine.
In the example shown in Figure 4, the EC2 instance is acting as a domain controller that must be accessed securely by an Active Directory administrator who is working remotely via bastion host. To support this use case, I’ve chosen to use an interface VPC endpoint for Systems Manager, in order to facilitate private connectivity between Systems Manager Agent (SSM Agent) on the EC2 instance that is acting as a bastion host, and the Systems Manager service endpoints. You can configure Session Manager to enable port forwarding between the administrator’s local workstation and the private EC2 bastion instances, so that they can securely access the bastion host from the internet. This architecture helps you to eliminate RDGW infrastructure setup and reduce management efforts. You can add MFA at the bastion host level to enhance security.
- If you want to use the AWS CLI to start and end sessions that connect you to your managed instances, you must first install the Session Manager plugin on your local machine.
- Make sure that the bastion host has SSM Agent installed, because Session Manager only works with Systems Manager managed instances.
- Follow the steps in Creating an interface endpoint to create the following interface endpoints:
- com.amazonaws.<region>.ssm – The endpoint for the Systems Manager service.
- com.amazonaws.><region>.ec2messages – Systems Manager uses this endpoint to make calls from the SSM Agent to the Systems Manager service.
- com.amazonaws.<region>.ec2 – The endpoint to the EC2 service. If you’re using Systems Manager to create VSS-enabled snapshots, you must ensure that you have this endpoint. Without the EC2 endpoint defined, a call to enumerate attached EBS volumes fails. This causes the Systems Manager command to fail.
- com.amazonaws.<region>.ssmmessages – This endpoint is required for connecting to your instances through a secure data channel by using Session Manager, in this case the port-forwarding requirement.
Support for domain controllers in Session Manager
You can use Session Manager to connect EC2 domain controllers directly, as well. To initiate a connection with either the default Session Manager connection or the port-forwarding feature discussed in this post, complete these steps.
To initiation a connection
- Create the ssm-user in your domain.
- Add the ssm-user to the domain groups that grant the user local access to the domain controller. One example is to add the user to the Domain Admins group.
IMPORTANT: Follow your organization’s security best practices when you grant the ssm-user access to the domain.
In this blog post, I described best practices for deploying domain controllers on EC2 instances and extending on-premises Active Directory to AWS for your guidance and quick reference. I also covered how you can maximize security for your extended EC2-hosted domain controller infrastructure by using AWS services. In addition, you learned about how AWS Systems Manager Session Manager port forwarding to RDP provides a simple and secure way to manage your domain resources remotely, without the need to open inbound ports and maintain RDGW hosts. Port forwarding works for Windows and Linux instances. It’s available today in all AWS Regions where Systems Manager is available. Depending on your use case, you should consider additional protection mechanisms per your organization’s security best practices.
To learn more about migrating Windows Server or SQL Server, visit Windows on AWS. For more information about how AWS can help you modernize your legacy Windows applications, see Modernize Windows Workloads with AWS. Contact us to start your modernization journey today.
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.