AWS Quick Starts

Active Directory DS on AWS

Create or extend your AD DS environment, or use with AWS Directory Service

Deploy new AD DS on AWS

(for additional scenarios, see deployment guide)

View guide — HTML | PDF

Quick Start architecture for Active Directory Domain Services on the AWS Cloud

Quick Start architecture for new cloud-based AD DS environment
(view architectures for hybrid AD DS environments and deployment with AWS Directory Service)


This Quick Start deploys Microsoft Active Directory Domain Services (AD DS) on the AWS Cloud. AD DS and Domain Name Server (DNS) are core Windows services that provide the foundation for many Microsoft-based solutions for the enterprise, including Microsoft SharePoint, Microsoft Exchange, and .NET Framework applications.

The Quick Start supports three scenarios:

Deploying a new AWS Cloud-based AD DS environment that you manage yourself
Extending your existing on-premises AD DS to the AWS Cloud
Deploying AD DS with AWS Directory Service

For each scenario, you also have the option to create a new Amazon VPC or use your existing Amazon VPC infrastructure.  

For additional Quick Starts, see the complete catalog.

  • What you'll build

    Use this Quick Start to set up the following AD DS environment on AWS:

    • An Amazon Virtual Private Cloud (Amazon VPC) configured with public and private subnets in two Availability Zones for high availability.*
    • Managed network address translation (NAT) gateways to allow outbound Internet access for resources in the private subnets.*
    • Configuration for private and public routes.*
    • Remote Desktop Gateway instances in each public subnet for secure remote access to instances in private subnets.*
    • Ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway.*
    • Windows Server 2012 R2 forest and domain functional level.
    • Security groups and rules for traffic between instances.
    • Your choice to create a new VPC or deploy into your existing VPC on AWS. The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks (*) above.


    For new AD DS installations, the Quick Start also deploys AD DS and AD-integrated DNS, and sets up Active Directory Sites and Subnets.

    If you choose to deploy AD DS with the AWS Active Directory Service, the Quick Start sets up AWS Directory Service to provision and manage AD DS in the private subnets.

    For details, see the Quick Start deployment guide.

  • Deployment details

    Building your AD DS environment on AWS involves a few simple steps and takes about an hour:

    1. Prepare your AWS account.
    2. Launch the Quick Start. You can choose one of three scenarios:
         - Deploy and manage your own AD DS environment
         - Extend your on-premises AD DS environment to AWS
         - Deploy AD DS with AWS Directory Service

      For each scenario, you can also choose whether to deploy AD DS into a new Amazon VPC or into your existing VPC.
    3. If you're extending your on-premises AD DS to the cloud, complete a few connection and configuration tasks to ensure that your hybrid environment works properly.


    Customization options include CIDR block sizes, Remote Desktop Gateway and domain controller instance types and IP addresses, and Active Directory configuration.

    For complete details, see the Quick Start deployment guide.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. For cost estimates, please use the AWS Simple Monthly Calculator, and see the pricing pages for each AWS service you will be using in this Quick Start for full details.  

    This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2012 R2 and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI doesn’t require Client Access Licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.