Active Directory Domain Services on AWS

Create or extend your AD DS environment, or use AD DS with AWS Directory Service

This Quick Start deploys Microsoft Active Directory Domain Services (AD DS) on the Amazon Web Services (AWS) Cloud. AD DS and Domain Name System (DNS) are core Windows services that provide the foundation for many Microsoft-based solutions for the enterprise, including Microsoft SharePoint, Microsoft Exchange, and .NET Framework applications.

This Quick Start helps organizations running workloads in the AWS Cloud set up secure, low-latency connectivity to AD DS and DNS services. For all new AD DS installations, the Quick Start deploys AD DS and AD-integrated DNS, and it sets up Active Directory sites and subnets.

The Quick Start supports three scenarios:

  • Scenario 1: Deploy a new AWS Cloud–based AD DS environment that you manage yourself
  • Scenario 2: Extend your existing on-premises AD DS to AWS
  • Scenario 3: Deploy AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD)

For each scenario, you have the option to create a new virtual private cloud (VPC) or use your existing VPC infrastructure. You also have the option of deploying a one- or two-tier Microsoft Public Key Infrastructure (PKI).

This Quick Start was developed by AWS solutions architects. If you have questions about this Quick Start, contact Cloudreach, a Premier AWS Partner.

What you'll build

    Scenario 1: Deploy self-managed AD

    In this scenario, the Quick Start sets up the following (with an option to deploy a certificate authority in Availability Zone 1):

    • A VPC configured with public and private subnets in two Availability Zones for high availability.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • Remote Desktop Gateway (RD Gateway) instances in an Auto Scaling group to help secure remote access to instances in private subnets.*
    • In the private subnets:
      • A Windows Server forest and domain functional level, including security groups and rules for traffic between instances.
    • AWS Systems Manager Automation documents to set up and configure AD DS and AD-integrated DNS.
    • AWS Secrets Manager to store passwords.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

    Scenario 2: Extend your on-premises AD

    In this scenario—except for the virtual private network (VPN) gateway, VPN connection, and customer gateway, which you create manually—the Quick Start sets up the following:

    • A VPC configured with public and private subnets in two Availability Zones for high availability.*
    • In the public subnets:
      • Managed NAT gateways to allow outbound internet access for resources in the private subnets.*
      • RD Gateway instances in an Auto Scaling group to help secure remote access to instances in private subnets.*
    • In the private subnets:
      • A Windows Server forest and domain functional level, including security groups and rules for traffic between instances.
    • AWS Systems Manager Automation documents to set up and configure AD DS and AD-integrated DNS.
    • AWS Secrets Manager to store passwords.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

    Scenario 3: Deploy AWS Managed Microsoft AD

    In this scenario, the Quick Start sets up the following:

    • A VPC configured with public and private subnets in two Availability Zones for high availability.*
    • In the public subnets:
      • Managed NAT gateways to allow outbound internet access for resources in the private subnets.*
      • RD Gateway instances in an Auto Scaling group to help secure remote access to instances in private subnets.*
    • In the private subnets:
      • (Optional) A Windows EC2 instance to act as a management instance, including security groups and rules for traffic between instances.
    • AWS Systems Manager Automation documents to set up and configure AD DS and AD-integrated DNS.
    • AWS Secrets Manager to store passwords.
    • AWS Directory Service to provision and manage AD DS in the private subnets.

    *  The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.
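The scenario descriptions above list what gets built but not how to confirm it afterwards. The following PowerShell script is an added example written for this page, not code from the AWS Quick Start itself. Run from a domain-joined Windows management instance, it checks the items the text promises: forest and domain functional levels, the per-Availability-Zone sites and subnets, the AD-integrated DNS SRV records, reachability of each domain controller on the core AD service ports, and that the administrator password stored in AWS Secrets Manager is retrievable by the instance role without being echoed. It assumes the RSAT ActiveDirectory module and the AWS.Tools.SecretsManager module are installed; the secret name and the port list are assumptions, not values from the page.

```powershell
# Added example (not part of the AWS Quick Start): post-deployment checks for the
# AD DS environment described above, run from a domain-joined management instance.
# Assumes: RSAT ActiveDirectory module, AWS.Tools.SecretsManager module, and an
# instance role allowed to read the admin secret. Secret name is a placeholder.
Import-Module ActiveDirectory
Import-Module AWS.Tools.SecretsManager

$SecretName = 'PLACEHOLDER-ad-admin-secret'      # assumed name, replace with yours
$CorePorts  = 53, 88, 389, 445, 636              # assumed: DNS, Kerberos, LDAP, SMB, LDAPS

# 1. Forest and domain functional levels (the Quick Start sets these at deploy time).
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest {0} functional level: {1}" -f $forest.Name, $forest.ForestMode
"Domain {0} functional level: {1}" -f $domain.DNSRoot, $domain.DomainMode

# 2. Sites and subnets: expect one AD subnet per private subnet, mapped to a site.
"Sites:"
Get-ADReplicationSite -Filter * | ForEach-Object { "  {0}" -f $_.Name }
"Subnets:"
Get-ADReplicationSubnet -Filter * | ForEach-Object {
    # Site is stored as a distinguished name; show only the site's leaf name.
    $siteName = ($_.Site -split ',')[0] -replace '^CN=', ''
    "  {0} -> {1}" -f $_.Name, $siteName
}

# 3. AD-integrated DNS: the _ldap SRV record must point at every domain controller.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction Stop
$advertised = $srv | Where-Object { $_.NameTarget } | Select-Object -ExpandProperty NameTarget
foreach ($dc in $domain.ReplicaDirectoryServers) {
    $state = if ($advertised -contains $dc) { 'advertised' } else { 'MISSING from DNS' }
    "DC {0}: {1}" -f $dc, $state
}

# 4. Port reachability from this instance to each DC; a CLOSED port usually means
#    a security-group rule is missing between the management and DC subnets.
foreach ($dc in $domain.ReplicaDirectoryServers) {
    foreach ($port in $CorePorts) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0}:{1} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'CLOSED' })
    }
}

# 5. Secrets Manager: confirm the secret is readable by this role, without printing it.
try {
    $secret = Get-SECSecretValue -SecretId $SecretName
    "Secret '{0}' retrievable: {1} characters, version {2}" -f $SecretName, $secret.SecretString.Length, $secret.VersionId
} catch {
    "Secret '{0}' NOT retrievable: {1}" -f $SecretName, $_.Exception.Message
}
```

The script only reads; it never prints the secret value and makes no directory changes. For Scenario 3 (AWS Managed Microsoft AD), steps 1 to 4 still work from a domain-joined management instance because they are plain LDAP, DNS and TCP queries that do not require Domain Admin rights.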

How to deploy

    To build your AD DS environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at https://aws.amazon.com, and sign in to your account.
    2. Launch the Quick Start. You can choose from the following options:
    3. (Scenario 2 only) Complete a few connection and configuration tasks to ensure that your hybrid environment works properly.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Cost and licenses

    You are responsible for the cost of the AWS services and any third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start.

    The AWS CloudFormation templates for this Quick Start include configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy the Quick Start, create AWS Cost and Usage Reports to track costs associated with the Quick Start. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

    This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2019 and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI doesn’t require client access licenses (CALs). It includes two Microsoft Remote Desktop Services (RDS) licenses. For details, see Microsoft Licensing on AWS.