AWS Directory Service offers customers of AWS Enterprise IT applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail a basic directory solution to get started. You will not be charged for Simple AD or AD Connector directories registered with these services, as long as you meet the active user requirements.
The monthly requirements are:
- At least 1 active user for small directories
- At least 100 active users for large directories
For customers interested in actual Microsoft Active Directory, AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as Microsoft AD, may be a better solution. Visit the Microsoft AD product page to learn more.
Q: What is a Simple AD directory?
A Simple AD directory is a managed directory powered by a Samba 4 Active Directory compatible server. It provides a subset of the functionality offered by Microsoft AD, and supports commonly used features such as user accounts, group memberships, Amazon EC2 instances joined to domains that run Linux and Windows, Kerberos-based single sign-on (SSO), and Group Policies. This makes it easier to manage EC2 instances running Linux and Windows, and to deploy applications in the AWS Cloud. You can use many of the applications and tools you use today that require Microsoft Active Directory support with Simple AD. User accounts in Simple AD can also be used to access AWS Enterprise IT applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail, and to manage AWS resources via the AWS Management Console. Simple AD also takes automated daily snapshots by default to enable point-in-time recovery.
Q: How is Simple AD different from Microsoft AD?
Simple AD is a managed directory powered by a Samba 4 Active Directory Compatible Server. It provides a subset of the capabilities offered by Microsoft Active Directory, including Kerberos SSO, computers joined to domains, and Group Policy–based management. Microsoft AD is a managed Microsoft Active Directory powered by Windows Server 2012 R2 that provides additional capabilities such as trust relationships with other domains, Active Directory Administrative Center, Active Directory Recycle Bin, Network Policy Server support, and schema extensions.
Q: Can I migrate from Simple AD to Microsoft AD?
You can use existing tools to migrate data from Simple AD to Microsoft AD, including Microsoft's CSV data extract tool (csvde). Such migrations require planning on your part, and because password data cannot be exported from the directory, end users must reset their passwords after the move.
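The following script is an added example of the csvde-based migration described above; it is not AWS's own tooling. It exports user objects from a Simple AD domain, rewrites their distinguished names for the target domain, imports them into Microsoft AD, and then enables each account with a one-time password that the user must change at first logon, which is the password reset the answer refers to. The directory host names, base DNs, and file path are assumptions. Note that the import and the account enablement run against Microsoft AD, which supports the Active Directory module for Windows PowerShell; the export uses csvde because Simple AD does not.

```powershell
# Added example: migrate user objects from Simple AD to Microsoft AD with csvde.
# Host names, base DNs and the export path below are assumptions for illustration.
$SimpleAdDc    = "simplead.corp.example.com"                      # assumed Simple AD DNS name
$MicrosoftAdDc = "msad.corp.example.com"                          # assumed Microsoft AD DNS name
$SourceBase    = "OU=Users,OU=corp,DC=corp,DC=example,DC=com"     # assumed source container
$TargetBase    = "OU=Users,OU=corp,DC=corp,DC=example,DC=com"     # assumed target container
$Export        = Join-Path $env:TEMP "simplead-users.csv"

# 1. Export only attributes that can be re-created in the target domain.
#    Identity attributes (objectGUID, objectSid) and password data cannot be imported,
#    so restrict the attribute list with -l instead of dumping every attribute.
csvde -s $SimpleAdDc -f $Export -d $SourceBase -p Subtree `
      -r "(&(objectClass=user)(objectCategory=person))" `
      -l "objectClass,cn,sAMAccountName,userPrincipalName,givenName,sn,displayName,mail,description"
if ($LASTEXITCODE -ne 0) { throw "csvde export from $SimpleAdDc failed" }

# 2. Import into Microsoft AD. -c rewrites the source base DN to the target base DN,
#    -k continues past objects that already exist. Accounts are created disabled
#    because no password is imported.
csvde -i -s $MicrosoftAdDc -f $Export -k -c $SourceBase $TargetBase
if ($LASTEXITCODE -ne 0) { throw "csvde import into $MicrosoftAdDc failed" }

# 3. Enable each migrated account with a random one-time password and force a change
#    at first logon. Deliver the one-time password to the user out of band.
Import-Csv $Export | ForEach-Object {
    $user = $_.sAMAccountName
    $oneTime = ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force
    Set-ADAccountPassword -Server $MicrosoftAdDc -Identity $user -Reset -NewPassword $oneTime
    Set-ADUser           -Server $MicrosoftAdDc -Identity $user -ChangePasswordAtLogon $true
    Enable-ADAccount     -Server $MicrosoftAdDc -Identity $user
    "enabled $user (one-time password set, change required at logon)"
}
```

Run the export from a Windows host that has network access to the Simple AD domain controllers and the import from one that can reach Microsoft AD; csvde is installed with the Remote Server Administration Tools. Review the CSV between steps 1 and 2, since group memberships, computer objects, and any attributes you did not list are not carried across by this script.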
Q: Which common directory features are not supported by Simple AD?
Simple AD does not support features such as trust relationships with other domains, Active Directory Administrative Center, the Active Directory module for Windows PowerShell (which depends on Active Directory Web Services), Active Directory Recycle Bin, fine-grained password policies, group-managed service accounts, and schema extensions.
Q: How do I create users, groups, computers, or policies in a Simple AD domain?
You can use your existing Microsoft Active Directory tools, such as the Active Directory Users and Computers snap-in on a domain-joined Windows instance, to manage users and groups in Simple AD directories. No special tools, policies, or behavior changes are required.
Q: Can I join an existing EC2 instance to a Simple AD domain?
Yes, you can add existing EC2 instances running Linux or Windows to a Microsoft AD or a Simple AD domain.
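As an added example (not AWS's own code), the following script joins an existing Windows EC2 instance to a Simple AD or Microsoft AD domain. It sets the instance's DNS servers to the directory's DNS addresses first, because the join can only succeed if the instance can locate the domain controllers through the directory's DNS, and it verifies the locator SRV record before attempting the join. The domain name, DNS addresses, and OU path are assumptions.

```powershell
# Added example: join an existing Windows EC2 instance to a Simple AD / Microsoft AD domain.
# Domain name, directory DNS addresses and the target OU are assumptions for illustration.
$DomainName   = "corp.example.com"
$DirectoryDns = @("10.0.0.10", "10.0.1.10")   # the two DNS addresses listed for the directory
$OuPath       = "OU=Computers,OU=corp,DC=corp,DC=example,DC=com"

# 1. Point the instance at the directory's DNS servers so it can find the domain controllers.
$adapter = Get-NetAdapter | Where-Object Status -eq "Up" | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DirectoryDns

# 2. Fail early if the domain controller locator record does not resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
"Domain controllers advertised by DNS: " + (($srv | Where-Object Type -eq "SRV").NameTarget -join ", ")

# 3. Join using an account that has been delegated permission to create computer objects
#    in $OuPath. Do not type a domain administrator's password into an instance for this.
$cred = Get-Credential -Message "Account allowed to join computers to $DomainName"
Add-Computer -DomainName $DomainName -OUPath $OuPath -Credential $cred -Force -Restart

# After the reboot, verify the machine account's secure channel from the same instance:
#   Test-ComputerSecureChannel -Verbose
```

For Linux instances the equivalent steps are to point /etc/resolv.conf at the same DNS addresses and use the distribution's realm or Samba join tooling; the DNS prerequisite is the same.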
Q: Can I add additional domain controllers manually to my Simple AD instance?
Not at this time.
Q: What is AD Connector?
AD Connector is a directory gateway designed to support AWS Enterprise IT application authentication and to join Amazon EC2 instances to your self-managed Active Directory. AD Connector allows you to proxy directory requests from AWS Enterprise IT applications to your on-premises Microsoft Active Directory, without caching any information in the cloud. AD Connector also enables you to seamlessly domain join Amazon EC2 instances to your self-managed Active Directory. Once set up, your end users and IT staff can use their existing corporate credentials to sign on to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, Amazon WorkMail, and the AWS Management Console. You can also use Group Policies in your self-managed directory to manage AWS resources such as Amazon EC2 instances.
Q: How do I create an AD Connector to connect to my on-premises directory?
You can use the AWS Management Console to create an AD Connector that connects your existing, self-managed Microsoft Active Directory to AWS. You must configure an Amazon Virtual Private Cloud (VPC) with a hardware virtual private network (VPN) connection to your on-premises environment, or provision a dedicated connection with AWS Direct Connect. After you have set up this connectivity, you must provide some basic information: the name of your on-premises Microsoft Active Directory domain, the DNS servers used to discover its domain controllers, and the name and password of an account that you have created in your Microsoft Active Directory. This is a limited-privilege account that AD Connector uses to authenticate to one of the domain controllers and to proxy authentication, domain join, and lookup requests.
Q: What kind of user account does AD Connector use with my on-premises directory?
AWS Directory Service requires a non-administrative account and password for AD Connector. This account must have read-only permissions to look up users, groups, and computers, as well as the ability to join computers to the domain. Its user name and password are used when Amazon WorkSpaces automatically joins your existing domain, for user and group lookups by Amazon WorkDocs, and when integrating with AWS Identity and Access Management (IAM). Keep the account to exactly these rights: it is a long-lived credential stored with AWS, and it should never be a member of Domain Admins or another administrative group.
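The following script is an added example of provisioning such an account with only the rights the answer lists; it is not AWS's documented procedure, and the domain, OU, and account names are assumptions. Read access to users, groups, and computers needs no extra grant in a default domain because Authenticated Users already have it, so the delegation is limited to creating computer objects in one OU and the per-object rights a domain join requires on those computer objects.

```powershell
# Added example: create a least-privilege AD Connector service account with dsacls.
# Run as a domain administrator on a host with RSAT. Names below are assumptions.
$Domain     = "corp.example.com"
$NetBios    = "CORP"
$Account    = "svc-adconnector"
$ComputerOu = "OU=AWS Computers,DC=corp,DC=example,DC=com"   # the only OU it may create computers in

# 1. A plain user account: no group memberships beyond Domain Users.
$pw = Read-Host -AsSecureString "Password for $Account"
New-ADUser -Name $Account -SamAccountName $Account -UserPrincipalName "$Account@$Domain" `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description "AD Connector service account (read + domain join only)"

# 2. Create and delete computer objects, scoped to $ComputerOu (this object and sub-objects).
dsacls $ComputerOu /I:T /G "$NetBios\${Account}:CCDC;computer"

# 3. Rights on computer objects inside that OU that a domain join needs (inherited to sub-objects only).
dsacls $ComputerOu /I:S /G "$NetBios\${Account}:CA;Reset Password;computer"
dsacls $ComputerOu /I:S /G "$NetBios\${Account}:RPWP;Account Restrictions;computer"
dsacls $ComputerOu /I:S /G "$NetBios\${Account}:WS;Validated write to DNS host name;computer"
dsacls $ComputerOu /I:S /G "$NetBios\${Account}:WS;Validated write to service principal name;computer"

# 4. Verify: the account must not belong to any administrative group, and the OU ACL
#    should show only the entries granted above for it.
"Group memberships of ${Account}:"
Get-ADPrincipalGroupMembership -Identity $Account | Select-Object -ExpandProperty Name
"ACEs for $Account on ${ComputerOu}:"
dsacls $ComputerOu | Select-String -SimpleMatch "$NetBios\$Account"
```

Because the account's rights are confined to one OU, the AD Connector (and anything that obtains its credential) cannot create or modify computer objects elsewhere in the domain. Put the same OU in the OU path you configure for domain joins on the AWS side, otherwise joins will fail with an access-denied error rather than silently succeeding with broader rights.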
Q: Can I use multi-factor authentication (MFA) with AD Connector?
Yes. You can enable MFA using your existing RADIUS-based infrastructure to provide an additional layer of security when users access AWS applications.
Q: How does AD Connector address Microsoft advisory ADV190023, which describes changes to default LDAP security settings on AD domain controllers?
AD Connector supports both LDAP signing and LDAP over SSL/TLS (LDAPS) when acting as an LDAP client communicating with self-managed Active Directory. Client-side LDAP signing requires no customer action to enable, and provides data integrity. Client-side LDAPS requires configuration, including registering the certificate authority that issued your domain controllers' server certificates with the directory, and provides both data integrity and confidentiality. For more information, see this AWS Forums post.
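As an added example (not AWS's code), the following script checks a domain controller from the client side in the same way an LDAP client such as AD Connector would reach it. It attempts three binds: an unsigned SASL bind on port 389, which a domain controller hardened per ADV190023 rejects with LDAP result 8 (stronger authentication required); a signed and sealed SASL bind on 389, which is the behaviour the answer says needs no configuration; and a simple bind inside TLS on 636, which is the LDAPS path and also depends on the DC certificate chaining to a CA the client trusts. The domain controller name and the test account are assumptions.

```powershell
# Added example: probe a domain controller for LDAP signing enforcement and LDAPS.
# The DC host name and the test credential are assumptions; use an ordinary user, not an admin.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Dc      = "dc01.corp.example.com"
$NetCred = (Get-Credential -Message "Domain user for the test binds (enter as DOMAIN\user)").GetNetworkCredential()

function Test-LdapBind {
    param([string]$Server, [int]$Port, [bool]$UseTls, [bool]$Sign, [System.Net.NetworkCredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseTls) {
        # LDAPS: simple bind protected by TLS. Certificate validation stays on, so an
        # untrusted or mismatched DC certificate fails the bind instead of being ignored.
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    } else {
        # SASL (Kerberos/NTLM via Negotiate) on plain LDAP, with or without signing/sealing.
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.SessionOptions.Signing = $Sign
        $conn.SessionOptions.Sealing = $Sign
    }
    $conn.Credential = $Credential
    try   { $conn.Bind(); return "accepted" }
    catch { return "rejected: " + $_.Exception.Message }
    finally { $conn.Dispose() }
}

# 1. Unsigned SASL bind on 389. After ADV190023 hardening (LDAP server signing requirements =
#    Require signing) the DC refuses this; "accepted" here means unsigned clients are still allowed.
"Unsigned SASL bind, 389   : " + (Test-LdapBind -Server $Dc -Port 389 -UseTls $false -Sign $false -Credential $NetCred)

# 2. Signed and sealed SASL bind on 389: the default behaviour of a signing-capable client.
"Signed SASL bind, 389     : " + (Test-LdapBind -Server $Dc -Port 389 -UseTls $false -Sign $true  -Credential $NetCred)

# 3. Simple bind inside TLS on 636 (LDAPS): integrity and confidentiality from the transport.
"Simple bind over TLS, 636 : " + (Test-LdapBind -Server $Dc -Port 636 -UseTls $true  -Sign $true  -Credential $NetCred)
```

The expected result on a hardened domain controller is that the first bind is rejected and the other two are accepted. If the third bind fails while the second succeeds, the DC either has no server certificate or presents one that does not chain to a CA this host trusts; that is the same condition that will break client-side LDAPS from AD Connector until the issuing CA is registered with the directory.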