Justin Bradley
Solutions Architect, SME Windows
Amazon Web Services Germany GmbH
AWS Web Day, 7 June 2016
Hybrid cloud infrastructures through integration with Active Directory
(original title: Hybride Cloud Infrastrukturen durch Integration mit Active Directory)
Agenda
• Active Directory on AWS for Windows
• Domain and forest model
• AWS Directory Service
• Directory Service design considerations
• Domain join: Windows and Linux
• Integration with WorkSpaces and WorkDocs
• Q&A
Active Directory on AWS for Windows
Single-domain
Multi-domain single forest
Multi-forest with trust resource forests
Domain and Forest Model - Single domain
Deploy domain controllers that are part of the same domain in the same forest.
Architecture
• Build on EC2
Benefits
• Single identity/account per user
• Easy to manage
• You can leverage your entire existing directory structure, including users, groups, OUs and policies, and extend it into the cloud
• Simplifies a later directory migration to the AWS Cloud: transfer the FSMO roles (including the PDC emulator) to the domain controllers in AWS. Active Directory has no backup or primary domain controllers; every writeable DC holds a full replica, so the DCs in AWS are already full peers of the on-premises ones.
Domain and Forest Model - Multi-domain, single forest
Deploy domain controllers that belong to a different domain in the same forest. Domains in one forest are already linked by automatic two-way transitive trusts; an explicit one-way or two-way trust is only needed towards domains in other forests.
Architecture
• Build on EC2
Benefits
• Single identity/account per user
• Provides clear visibility of resources in AWS at an AD level
• Relatively easy to manage
• Can limit the scope of damage in case of compromise, but only against mistakes and contained breaches: the forest, not the domain, is the security boundary, and an attacker holding Domain Admin rights in any domain of the forest can take over the whole forest
One-way domain trust
Domain and Forest Model - Create a standalone trusted AD forest in AWS
One-way forest trust
Deploy domain controllers for a different domain in a different forest and configure a one-way or two-way trust. You can create a new forest in your AWS environment with a forest trust to the existing on-premises forest. With a one-way trust in which the AWS resource forest trusts the on-premises account forest, on-premises identities can use resources in AWS while the on-premises forest trusts nothing in AWS.
Architecture
• Build on AD DS on EC2 or AWS Directory Service
Benefits
• Isolates the production (on-premises) forest from the off-premises forest
• Single identity/account per user
• Provides clear visibility of resources in AWS at an AD level
You can create a new directory or extend your existing directory by using AWS Directory Service or by creating one or more domain controllers in your AWS environment.
AWS Directory Service
• Microsoft AD
• Simple AD
• AD Connector
AWS Directory Service
Simple AD
Simple AD is a Microsoft Active Directory-compatible directory from AWS Directory Service that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships and domain-joining EC2 instances running Linux and Microsoft Windows.
When to use
In most cases Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don't need the more advanced Microsoft Active Directory features (Simple AD does not support trust relationships).
Microsoft AD
AWS Directory Service for Microsoft Active Directory is a managed Microsoft Active Directory hosted on the AWS Cloud. It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications. With the additional Active Directory functionality you can, for example, easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS services.
When to use
Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship between an AWS-hosted directory and your on-premises directories.
Caveat: applications that cannot authenticate users across a forest trust may not work when the users live in the on-premises forest and the application is joined to the Microsoft AD forest.
AD Connector
AD Connector is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS Cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure.
When to use
AD Connector is your best choice when you want to use your existing on-premises directory with AWS services. Authentication requests are forwarded to your on-premises domain controllers, so the connector's IP addresses must be allowed through the customer firewall (see the port table below) and the on-premises directory remains the single source of truth.
Multi-forest with trust: resource forests
[Figure: multi-forest topology with a one-way trust to a resource forest. An AWS-managed VPC hosts Microsoft AD (the resource forest) and AD Connector (auth-only), attached to the customer VPC through an ENI; EC2 instances in the customer VPC authenticate against it. The customer corporate network (users, corp servers, on-premises Active Directory) connects over Direct Connect or VPN, and the customer firewall needs to allow the ingress traffic. Legend: auth (LDAP/Kerberos), auth (trust), Kerberos TGT/ticket, all other traffic; AWS-managed versus customer-managed components.]
Directory Service Regional availability
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
• Site topology
• Highly available Directory Domain Services
• Read-only and writeable domain controllers
[Figure: AD DS Sites and Services topology for company.local. Corporate network: London (DC1) and Paris (DC2), linked to the VPC over VPN or Direct Connect; VPC: DC3 in a private subnet in Availability Zone A and DC4 in a private subnet in Availability Zone B. Site link costs of 10 and 50 are shown; they steer clients and replication to the nearest domain controllers.]
Active Directory: AD DS Sites and Services
Network traffic requirements (ingress) for Active Directory
Source: AWS (customer VPC CIDR block, subnet CIDR blocks, or AD Connector IP addresses)
Destination: Active Directory (private datacenter or EC2), except where noted

Protocol  Port         Type                                      Use
tcp       53           DNS                                       Auth (primary)
tcp       88           Kerberos                                  Auth (primary)
tcp       135          RPC endpoint mapper                       Auth (primary)
tcp       139          DFSN, NetBIOS session service, NetLogon   Auth (primary)
tcp       389          LDAP                                      Auth (primary)
tcp       445          SMB / CIFS                                Auth (primary)
tcp       464          Kerberos password change                  Auth (primary)
tcp       636          LDAP over SSL                             Auth (primary)
tcp       3268-3269    LDAP GC / GC over SSL                     Trusts
tcp       9389         AD Web Services                           Remote PowerShell (optional)
tcp       49152-65535  Dynamic RPC                               Auth (primary)
udp       53           DNS                                       Auth (primary)
udp       88           Kerberos                                  Auth (primary)
udp       123          Windows Time                              Auth (primary)
udp       137          NetLogon, NetBIOS name resolution         Auth (primary)
udp       138          DFSN, NetLogon                            Auth (primary)
udp       389          LDAP                                      Auth (primary)
udp       445          SMB / CIFS                                Auth (primary)
udp       464          Kerberos password change                  Auth (primary)
udp       1812         RADIUS                                    Auth (MFA, optional); destination is the RADIUS server (private datacenter or EC2)

The dynamic RPC range (49152-65535/tcp) is what makes a domain controller's security group wide: restrict the source to the VPC or subnet CIDR blocks, or to the AD Connector IP addresses, never to 0.0.0.0/0.
Active Directory port requirements: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Dynamic port range: refer to Microsoft KB 832017 (older Windows versions use a different range).
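The table above is the input for the domain controllers' security group. As an added example (not part of this deck or of AWS documentation), the following POSIX shell script derives the least-privilege ingress rule set from the table for one private source CIDR, refuses a public source, and audits an existing four-column rule listing against the required set, flagging rules open to the world, rules outside the AD port set and required ports that nothing covers. The source CIDR 10.0.0.0/16, the "proto from to cidr" listing format and the sample rules are constructed assumptions; the optional RADIUS port is left out because its destination is the RADIUS server, not a domain controller.

```shell
#!/bin/sh
# Added example (not from the AWS deck): derive the domain controllers'
# security-group ingress rules from the port table and audit an existing
# rule listing against them.  The source CIDR and listings are constructed.

# Required AD ingress from the table: "proto from to".  The optional RADIUS
# port (1812/udp) is omitted: its destination is the RADIUS server, not a DC.
AD_INGRESS='tcp 53 53
tcp 88 88
tcp 135 135
tcp 139 139
tcp 389 389
tcp 445 445
tcp 464 464
tcp 636 636
tcp 3268 3269
tcp 9389 9389
tcp 49152 65535
udp 53 53
udp 88 88
udp 123 123
udp 137 137
udp 138 138
udp 389 389
udp 445 445
udp 464 464'

# Accept only a CIDR with a valid prefix length inside RFC 1918 space.
# Domain controller ports must never be opened to 0.0.0.0/0.
private_cidr_ok() {
  prefix=${1##*/}
  [ "$prefix" != "$1" ] || return 1          # no "/" at all
  case "$prefix" in
    [0-9]|[12][0-9]|3[0-2]) ;;
    *) return 1 ;;
  esac
  case "$1" in
    10.*/*|172.1[6-9].*/*|172.2[0-9].*/*|172.3[01].*/*|192.168.*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit one rule per line, "proto from to cidr", for one source CIDR.
ad_ingress_rules() {
  private_cidr_ok "$1" || return 1
  printf '%s\n' "$AD_INGRESS" | while read -r proto from to; do
    printf '%s %s %s %s\n' "$proto" "$from" "$to" "$1"
  done
}

# Audit an existing rule listing (same four-column form; in practice built
# from `aws ec2 describe-security-groups` output) against the required set.
# Prints one finding per line and returns 1 if there are any.
audit_sg_rules() {
  findings=$(printf '%s\n' "$AD_INGRESS" "--" "$1" | awk '
    $1 == "--"   { listing = 1; next }
    !listing     { req[NR] = $1 " " $2 " " $3; next }
    NF < 4       { next }
    {
      proto = $1; from = $2 + 0; to = $3 + 0; cidr = $4
      if (cidr == "0.0.0.0/0" || cidr == "::/0") print "PUBLIC " $0
      allowed = 0
      for (i in req) {
        split(req[i], r, " ")
        if (r[1] != proto) continue
        if (from >= r[2] + 0 && to <= r[3] + 0) allowed = 1     # within a required range
        if (from <= r[2] + 0 && to >= r[3] + 0) covered[i] = 1  # required range satisfied
      }
      if (!allowed) print "UNEXPECTED " $0
    }
    END { for (i in req) if (!(i in covered)) print "MISSING " req[i] }')
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}
```

`ad_ingress_rules 10.0.0.0/16` prints the rule list to feed into your security-group definition; `audit_sg_rules "$listing"` takes the current rules as a single argument and exits non-zero with PUBLIC, UNEXPECTED and MISSING findings, so it can run as a gate in a pipeline.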
Architecture Considerations
Instance Configuration
• Active Directory, DNS and DHCP inside the Amazon VPC
• DNS settings on Windows Server instances
• Security group ingress traffic
• Setting up secure administrative access using Remote Desktop Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to deploy the architecture shown:
• Set up the Amazon VPC, including subnets in two Availability Zones
• Configure private and public routes
• Launch Windows Server 2012 Amazon Machine Images (AMIs) and set up and configure AD DS and AD-integrated DNS
• Create empty private subnets in each Availability Zone into which you can deploy additional servers
• Configure security groups and rules for traffic between application tiers
• Set up and configure AD sites and subnets
• Enable ingress traffic into the Amazon VPC for administrative access to the Remote Desktop Gateway and NAT instances
Securely Extending AD into AWS
Two ways to extend an on-premises network to the Amazon VPC:
• IPsec tunnels over the Internet (VPN)
• AWS Direct Connect
Considerations for Extending AD into AWS
It isn't required, but it is recommended to add an additional DC within the cloud for resources in AWS that need access to your AD DS. This reduces network latency and also provides availability in the event of an outage on premises.
AWS Directory Service domains (Simple AD, Microsoft AD, or extended with AD Connector) now support automatic domain join for Windows instances:
http://aws.amazon.com/about-aws/whats-new/2015/02/17/aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join: Windows and Linux
Joining instances to a directory
• Microsoft AD
• AD Connector
• EC2 Windows
• EC2 Linux
Joining your Windows instance
• Microsoft AD or AD Connector required
• Create the IAM role "DomainJoin"
• Select the role type "Amazon EC2"
• Attach the policy "AmazonEC2RoleforSSM" (AWS has since deprecated this managed policy in favour of AmazonSSMManagedInstanceCore, which grants only the permissions Systems Manager needs; use the narrower policy where available)
Joining your Windows instance
• Select your directory under "Domain join directory"
• Select the IAM role "DomainJoin"
Once your instance has booted it will automatically join the selected domain.
Joining your Linux instance
Step 1 - Log in to the instance
ssh -i tuesday-demo.pem ec2-user@xxx.xxx.xxx.xxx
Step 2 - Apply updates and install SSSD, realmd and the Kerberos client
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory (you are prompted for the account's password; use a delegated join account rather than the directory administrator where you can)
sudo realm join -U administrator@tuesday.mydirectory.com tuesday.mydirectory.com --verbose
Step 4 - Allow password logins in the SSH daemon configuration
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
Caveat: this re-enables password authentication for every account sshd will accept, so the instance must not be reachable from the Internet on port 22 (keep it behind the bastion or VPN) and logins should be restricted with AllowGroups or realm permit (step 7).
Start SSSD
sudo service sssd start
Step 5 - Restart the instance from the AWS console, then log back in
Step 6 - Grant sudo to the Domain Admins group of the tuesday.mydirectory.com domain
sudo visudo -f /etc/sudoers
%Domain\ Admins@tuesday.mydirectory.com ALL=(ALL:ALL) ALL
Caveat: this gives every domain administrator root on the instance and encourages domain-admin credentials to be typed on member servers; a dedicated AD group for Linux administrators is the safer choice.
Step 7 - Approve logins (realm permit switches SSSD to an allow-list, so only the named users may log in)
sudo realm permit administrator@tuesday.mydirectory.com
sudo realm permit casey@tuesday.mydirectory.com
Step 8 - Log in using a domain user
ssh casey@tuesday.mydirectory.com@xxx.xxx.xxx.xxx
• Microsoft AD or AD Connector required
• Install SSSD and Kerberos
• Join the domain
• Edit the sshd config
• Start the sssd service
• Add AD users/groups to sudoers
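The steps above work but leave two weak settings: sudo for every Domain Admin and password SSH logins for anyone realm permits. The following POSIX shell script is an added example, not part of the deck or of AWS documentation, that performs the same join with a dedicated AD group instead: it refuses the forest-wide admin groups in sudoers, confines sshd password logins with AllowGroups, syntax-checks both files before they are trusted, and verifies from `realm list` output that the join has not been left in the allow-realm-logins state. The realm tuesday.mydirectory.com, the group name "linux admins", the `realm permit -g` group form and the sample `realm list` text are assumptions.

```shell
#!/bin/sh
# Added example (not from the AWS deck): a hardened variant of the Linux join.
# A dedicated AD group gets sudo and SSH access instead of "Domain Admins".
# Assumptions: the realm and group names are placeholders; pass the group
# name exactly as `id <user>@<domain>` prints it on the joined host.

# Render a sudoers drop-in for one AD group.  sudoers needs spaces in the
# group name backslash-escaped, and the realm suffix must match the login
# format (%U@domain) that `realm join` configured.  Refuses the forest-wide
# admin groups: their members should never log in to member servers.
sudoers_dropin() {
  group=$1; domain=$2
  lower=$(printf '%s' "$group" | tr 'A-Z' 'a-z')
  case "$lower" in
    "domain admins"|"enterprise admins"|"schema admins"|"administrators") return 1 ;;
  esac
  escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
  printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$escaped" "$domain"
}

# Render sshd settings: password authentication is needed for AD password
# logins, so confine it with AllowGroups.  sshd patterns cannot quote a
# space; '?' matches any single character instead.
sshd_dropin() {
  group=$1; domain=$2
  pattern=$(printf '%s' "$group" | sed 's/ /?/g')
  printf 'PasswordAuthentication yes\nPermitRootLogin no\nAllowGroups %s@%s\n' "$pattern" "$domain"
}

# Verify from `realm list` output (on stdin) that the join does not admit
# every domain user: the policy must be allow-permitted-logins with at least
# one permitted login or group.
check_login_policy() {
  out=$(cat)
  policy=$(printf '%s\n' "$out" | awk -F': *' '/^ *login-policy:/ { print $2 }')
  permitted=$(printf '%s\n' "$out" \
    | awk -F': *' '/^ *permitted-(logins|groups):/ { print $2 }' | tr -d '[:space:]')
  [ "$policy" = "allow-permitted-logins" ] && [ -n "$permitted" ]
}

# The full procedure; run as root after installing sssd, realmd and
# krb5-workstation.  Only an operator runs this, the checks above do not.
harden_join() {
  domain=$1; join_account=$2; group=$3
  realm join -U "$join_account" "$domain" --verbose || return 1
  realm permit -g "$group@$domain" || return 1          # SSSD allow-list: this group only
  rules=$(sudoers_dropin "$group" "$domain") || return 1
  printf '%s\n' "$rules" > /etc/sudoers.d/ad-admins
  chmod 0440 /etc/sudoers.d/ad-admins
  visudo -cf /etc/sudoers.d/ad-admins || return 1      # syntax-check before trusting it
  sshd_dropin "$group" "$domain" >> /etc/ssh/sshd_config
  sshd -t || return 1                                   # reject a broken config before restart
  systemctl restart sssd sshd
  realm list | check_login_policy
}
```

`harden_join tuesday.mydirectory.com joinsvc 'linux admins'` replaces steps 3 to 7 of the deck; the join account only needs the delegated right to join computers to the OU, and the group's members are the only AD users who can reach a shell or sudo on the instance.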
Supported Linux Instances
• Amazon Linux AMI 2015.03
• Red Hat Enterprise Linux 7.2
• Ubuntu Server 14.04 LTS
• CentOS 7
AWS Enterprise Applications integration
AWS Applications integration
• WorkSpaces, WorkDocs, WorkMail
• Microsoft AD / AD Connector
AWS Applications integration
Access URL: https://mycompany.awsapps.com
Parting thoughts
Get started today
Visit our website: aws.amazon.com/directoryservice
30-day free trial for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier: aws.amazon.com/free
Learn more: aws.amazon.com/windows
https://aws.amazon.com/directoryservice
https://aws.amazon.com/quickstart
justbrad@amazon.de
Thank You
May not be compatible with all applications due to AD Forest Trust
AD Connector
AD Connector is a proxy service for connecting your on-premises
Microsoft Active Directory to the AWS Cloud without requiring complex
directory synchronization or the cost and complexity of hosting a
federation infrastructure
When to use
AD Connector is your best choice when you want to use your existing
on-premises directory with AWS services
Multi-forest with trust resource forests
AWS-Managed VPC
Auth Directory Service
EC2
auth-only
corp
servers
Direct Connect
or VPN
Customer
Corp Net
Users
Customer
firewall needs to
allow for ingress
traffic
KerbTGTticket
AD Connector
auth-only
Microsoft AD
ENI
AWS-Managed
Customer-Managed
all other traffic
NETWORK TRAFFIC LEGEND
auth (LDAPKerberos)
Auth (Trust)
Active
Directory
One Way- Trust
Resource Forest
Directory Service Regional availability
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instanceStep 1 - Log in to the instance
ssh -i tuesday-demopem ec2-userxxxxxxxxxxxx
Step 2 - Make any updates install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administratortuesdaymydirectorycom tuesdaymydirectorycom --verbose
Step 4 - Edit the config file
sudo vi etcsshsshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance - from the AWS Console Log back in
Step 6 - Add the domain administrators group from the examplecom domain
sudo visudo -f etcsudoers
Domain Adminstuesdaymydirectorycom ALL=(ALLALL) ALL
Step 7 - approve a login
sudo realm permit administratortuesdaymydirectorycom
sudo realm permit caseytuesdaymydirectorycom
Step 8 - login using a linux user
ssh caseytuesdaymydirectorycomxxxxxxxxxxxx
bull Microsoft AD or AD Connector required
bull Install SSSD Kerberos
bull Join domain
bull Edit bdquosshdldquo Config
bull Start service bdquosssdldquo
bull Add AD users Groups to bdquosudoersldquo
Supported Linux Instances
bull Amazon Linux AMI 201503
bull Red Hat Enterprise Linux 72
bull Ubuntu Server 1404 LTS
bull CentOS 7
AWS Enterprise Applications
integration
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft ADAD Connector
AWS Applications integration
Access URL
httpsmycompanyawsappscom
Parting thoughts
Get started today
Visit our website
awsamazoncomdirectoryservice
30-day free trial
for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier awsamazoncomfree
Learn more awsamazoncomwindows
httpsawsamazoncomdirectoryservice
httpsawsamazoncomquickstart
justbradamazonde
Thank You
Domain and Forest Model - Multi-domain single forest
Deploy domain controllers that are part of a different domain in the same forest and configure a one-way or two-way trusts
Architecture
bull Build on EC2
Benefits
bull Single identityaccount per user
bull Provide clear visibility of resources in AWS at an AD level
bull Relatively easy to manage
bull Can limit the scope of damage in case of compromise
One Way Domain Trust
Domain and Forest Model - Create a standalone trusted AD forest in AWS
One-Way Forest Trust
Deploy domain controllers that are of a different domain in a different forest and configure a one-way or two-way trusts You
can create a new forest in your AWS environment with forest trust enabled to the existing on-premises forest
Architecture
bull Build on AD DS on EC2 or AWS Directory Service
Benefits
bull Isolates production forest from off-premises forest
bull Single identityaccount per user
bull Provide clear visibility of resources in AWS at an AD level
You can create a new directory or extend your existing directory by using AWS Directory Service or by creating one or more domain controllers in your AWS environment
AWS Directory Service
Microsoft AD
Simple AD
AD Connector
AWS Directory Service
Simple AD
Simple AD is a Microsoft Active Directoryndashcompatible directory from
AWS Directory Service that is powered by Samba 4 Simple AD
supports commonly used Active Directory features such as user
accounts group memberships domain-joining EC2 instances running
Linux and Microsoft Windows
When to use
In most cases Simple AD is the least expensive option and your best
choice if you have 5000 or less users and donrsquot need the more
advanced Microsoft Active Directory features
Microsoft AD
AWS Directory Service for Microsoft Active Directory is a managed Microsoft Active Directory hosted on the AWS Cloud It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications With the additional Active Directory functionality you can for example easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS services
When to use
Microsoft AD is your best choice if you have more than 5000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories
May not be compatible with all applications due to AD Forest Trust
AD Connector
AD Connector is a proxy service for connecting your on-premises
Microsoft Active Directory to the AWS Cloud without requiring complex
directory synchronization or the cost and complexity of hosting a
federation infrastructure
When to use
AD Connector is your best choice when you want to use your existing
on-premises directory with AWS services
Multi-forest with trust resource forests
AWS-Managed VPC
Auth Directory Service
EC2
auth-only
corp
servers
Direct Connect
or VPN
Customer
Corp Net
Users
Customer
firewall needs to
allow for ingress
traffic
KerbTGTticket
AD Connector
auth-only
Microsoft AD
ENI
AWS-Managed
Customer-Managed
all other traffic
NETWORK TRAFFIC LEGEND
auth (LDAPKerberos)
Auth (Trust)
Active
Directory
One Way- Trust
Resource Forest
Directory Service Regional availability
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instanceStep 1 - Log in to the instance
ssh -i tuesday-demopem ec2-userxxxxxxxxxxxx
Step 2 - Make any updates install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administratortuesdaymydirectorycom tuesdaymydirectorycom --verbose
Step 4 - Edit the config file
sudo vi etcsshsshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance - from the AWS Console Log back in
Step 6 - Add the domain administrators group from the examplecom domain
sudo visudo -f etcsudoers
Domain Adminstuesdaymydirectorycom ALL=(ALLALL) ALL
Step 7 - approve a login
sudo realm permit administratortuesdaymydirectorycom
sudo realm permit caseytuesdaymydirectorycom
Step 8 - login using a linux user
ssh caseytuesdaymydirectorycomxxxxxxxxxxxx
bull Microsoft AD or AD Connector required
bull Install SSSD Kerberos
bull Join domain
bull Edit bdquosshdldquo Config
bull Start service bdquosssdldquo
bull Add AD users Groups to bdquosudoersldquo
Supported Linux Instances
bull Amazon Linux AMI 201503
bull Red Hat Enterprise Linux 72
bull Ubuntu Server 1404 LTS
bull CentOS 7
AWS Enterprise Applications
integration
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft ADAD Connector
AWS Applications integration
Access URL
httpsmycompanyawsappscom
Parting thoughts
Get started today
Visit our website
awsamazoncomdirectoryservice
30-day free trial
for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier awsamazoncomfree
Learn more awsamazoncomwindows
httpsawsamazoncomdirectoryservice
httpsawsamazoncomquickstart
justbradamazonde
Thank You
Domain and Forest Model - Create a standalone trusted AD forest in AWS
One-Way Forest Trust
Deploy domain controllers that are of a different domain in a different forest and configure a one-way or two-way trusts You
can create a new forest in your AWS environment with forest trust enabled to the existing on-premises forest
Architecture
bull Build on AD DS on EC2 or AWS Directory Service
Benefits
bull Isolates production forest from off-premises forest
bull Single identityaccount per user
bull Provide clear visibility of resources in AWS at an AD level
You can create a new directory or extend your existing directory by using AWS Directory Service or by creating one or more domain controllers in your AWS environment
AWS Directory Service
Microsoft AD
Simple AD
AD Connector
AWS Directory Service
Simple AD
Simple AD is a Microsoft Active Directoryndashcompatible directory from
AWS Directory Service that is powered by Samba 4 Simple AD
supports commonly used Active Directory features such as user
accounts group memberships domain-joining EC2 instances running
Linux and Microsoft Windows
When to use
In most cases Simple AD is the least expensive option and your best
choice if you have 5000 or less users and donrsquot need the more
advanced Microsoft Active Directory features
Microsoft AD
AWS Directory Service for Microsoft Active Directory is a managed Microsoft Active Directory hosted on the AWS Cloud It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications With the additional Active Directory functionality you can for example easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS services
When to use
Microsoft AD is your best choice if you have more than 5000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories
May not be compatible with all applications due to AD Forest Trust
AD Connector
AD Connector is a proxy service for connecting your on-premises
Microsoft Active Directory to the AWS Cloud without requiring complex
directory synchronization or the cost and complexity of hosting a
federation infrastructure
When to use
AD Connector is your best choice when you want to use your existing
on-premises directory with AWS services
Multi-forest with trust resource forests
AWS-Managed VPC
Auth Directory Service
EC2
auth-only
corp
servers
Direct Connect
or VPN
Customer
Corp Net
Users
Customer
firewall needs to
allow for ingress
traffic
KerbTGTticket
AD Connector
auth-only
Microsoft AD
ENI
AWS-Managed
Customer-Managed
all other traffic
NETWORK TRAFFIC LEGEND
auth (LDAPKerberos)
Auth (Trust)
Active
Directory
One Way- Trust
Resource Forest
Directory Service Regional availability
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instanceStep 1 - Log in to the instance
ssh -i tuesday-demopem ec2-userxxxxxxxxxxxx
Step 2 - Make any updates install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administratortuesdaymydirectorycom tuesdaymydirectorycom --verbose
Step 4 - Edit the config file
sudo vi etcsshsshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance - from the AWS Console Log back in
Step 6 - Add the domain administrators group from the examplecom domain
sudo visudo -f etcsudoers
Domain Adminstuesdaymydirectorycom ALL=(ALLALL) ALL
Step 7 - approve a login
sudo realm permit administratortuesdaymydirectorycom
sudo realm permit caseytuesdaymydirectorycom
Step 8 - login using a linux user
ssh caseytuesdaymydirectorycomxxxxxxxxxxxx
bull Microsoft AD or AD Connector required
bull Install SSSD Kerberos
bull Join domain
bull Edit bdquosshdldquo Config
bull Start service bdquosssdldquo
bull Add AD users Groups to bdquosudoersldquo
Supported Linux Instances
bull Amazon Linux AMI 201503
bull Red Hat Enterprise Linux 72
bull Ubuntu Server 1404 LTS
bull CentOS 7
AWS Enterprise Applications
integration
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft ADAD Connector
AWS Applications integration
Access URL
httpsmycompanyawsappscom
Parting thoughts
Get started today
Visit our website
awsamazoncomdirectoryservice
30-day free trial
for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier awsamazoncomfree
Learn more awsamazoncomwindows
httpsawsamazoncomdirectoryservice
httpsawsamazoncomquickstart
justbradamazonde
Thank You
You can create a new directory or extend your existing directory by using AWS Directory Service or by creating one or more domain controllers in your AWS environment
AWS Directory Service
Microsoft AD
Simple AD
AD Connector
AWS Directory Service
Simple AD
Simple AD is a Microsoft Active Directoryndashcompatible directory from
AWS Directory Service that is powered by Samba 4 Simple AD
supports commonly used Active Directory features such as user
accounts group memberships domain-joining EC2 instances running
Linux and Microsoft Windows
When to use
In most cases Simple AD is the least expensive option and your best
choice if you have 5000 or less users and donrsquot need the more
advanced Microsoft Active Directory features
Microsoft AD
AWS Directory Service for Microsoft Active Directory is a managed Microsoft Active Directory hosted on the AWS Cloud It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications With the additional Active Directory functionality you can for example easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS services
When to use
Microsoft AD is your best choice if you have more than 5000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories
May not be compatible with all applications due to AD Forest Trust
AD Connector
AD Connector is a proxy service for connecting your on-premises
Microsoft Active Directory to the AWS Cloud without requiring complex
directory synchronization or the cost and complexity of hosting a
federation infrastructure
When to use
AD Connector is your best choice when you want to use your existing
on-premises directory with AWS services
Multi-forest with trust resource forests
AWS-Managed VPC
Auth Directory Service
EC2
auth-only
corp
servers
Direct Connect
or VPN
Customer
Corp Net
Users
Customer
firewall needs to
allow for ingress
traffic
KerbTGTticket
AD Connector
auth-only
Microsoft AD
ENI
AWS-Managed
Customer-Managed
all other traffic
NETWORK TRAFFIC LEGEND
auth (LDAPKerberos)
Auth (Trust)
Active
Directory
One Way- Trust
Resource Forest
Directory Service Regional availability
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress): Active Directory
Source: AWS (customer VPC CIDR block, subnet CIDR blocks, or AD Connector IP addresses)

| Protocol | Port        | Type                                       | Use                          | Destination                                  |
|----------|-------------|--------------------------------------------|------------------------------|----------------------------------------------|
| tcp      | 53          | DNS                                        | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 88          | Kerberos                                   | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 135         | RPC / EPM                                  | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 139         | NetLogon, NetBIOS Name Resolution          | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 389         | LDAP                                       | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 445         | SMB / CIFS                                 | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 464         | Kerberos                                   | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 636         | LDAP SSL                                   | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 3268-3269   | LDAP GC / GC SSL                           | Trusts                       | Active Directory (private datacenter or EC2) |
| tcp      | 49152-65535 | Dynamic                                    | Auth (primary)               | Active Directory (private datacenter or EC2) |
| tcp      | 9389        | AD Web Services                            | Remote PowerShell (optional) | Active Directory (private datacenter or EC2) |
| udp      | 53          | DNS                                        | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 88          | Kerberos                                   | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 123         | Windows Time                               | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 137         | DFSN, NetBIOS Session Service, NetLogon    | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 138         | DFSN, NetLogon                             | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 389         | LDAP                                       | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 445         | SMB / CIFS                                 | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 464         | Kerberos                                   | Auth (primary)               | Active Directory (private datacenter or EC2) |
| udp      | 1812        | RADIUS                                     | Auth (MFA) (optional)        | RADIUS (private datacenter or EC2)           |

Active Directory Port Requirements: https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
Dynamic port range: refer to Microsoft KB 832017
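As an added example (not from the slide deck), the shell below turns the ingress table into a least-privilege security group rule set scoped to the VPC CIDR and refuses a world-open source; the security group id, the CIDR and the rule descriptions are assumptions, and the optional AD Web Services and RADIUS rows are left out.

```shell
#!/bin/sh
# Added example (not from the slide deck): build an EC2 security group rule set
# for domain controllers from the ingress table above, restricted to one source
# CIDR. Assumptions: the AWS CLI is configured; the group id and CIDR used in
# apply_ad_ingress are placeholders. Only the "Auth (primary)" and "Trusts"
# rows are included; tcp 9389 and udp 1812 (both optional) are left out.

# One rule per line: protocol, from-port, to-port, description (from the table).
AD_INGRESS_RULES='tcp 53 53 DNS
tcp 88 88 Kerberos
tcp 135 135 RPC EPM
tcp 139 139 NetLogon NetBIOS Name Resolution
tcp 389 389 LDAP
tcp 445 445 SMB CIFS
tcp 464 464 Kerberos
tcp 636 636 LDAP SSL
tcp 3268 3269 LDAP GC GC SSL
tcp 49152 65535 Dynamic RPC
udp 53 53 DNS
udp 88 88 Kerberos
udp 123 123 Windows Time
udp 137 137 DFSN NetBIOS Session Service NetLogon
udp 138 138 DFSN NetLogon
udp 389 389 LDAP
udp 445 445 SMB CIFS
udp 464 464 Kerberos'

# The table's source is the VPC/subnet CIDR or the AD Connector addresses,
# never 0.0.0.0/0: reject any source without a prefix length or with /0.
source_cidr_is_scoped() {
  case "$1" in
    */0) return 1 ;;
    */[0-9]|*/[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the --ip-permissions JSON for every rule, one object per line, with
# each rule's IpRanges limited to CIDR. Fails (exit 1) for an unscoped source.
ad_ingress_permissions() {
  cidr="$1"
  source_cidr_is_scoped "$cidr" || {
    echo "refusing source $cidr: directory ports must not be open to the world" >&2
    return 1
  }
  printf '%s\n' "$AD_INGRESS_RULES" | awk -v cidr="$cidr" '
    BEGIN { print "[" }
    NF >= 4 {
      desc = $4
      for (i = 5; i <= NF; i++) desc = desc " " $i
      printf "%s{\"IpProtocol\":\"%s\",\"FromPort\":%s,\"ToPort\":%s,\"IpRanges\":[{\"CidrIp\":\"%s\",\"Description\":\"%s\"}]}\n",
             (n++ ? "," : ""), $1, $2, $3, cidr, desc
    }
    END { print "]" }'
}

# Apply the rules to the security group attached to the domain controllers.
apply_ad_ingress() {
  sg_id="$1"
  perms="$(ad_ingress_permissions "$2")" || return 1
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" --ip-permissions "$perms"
}

# Example call with placeholders (uncomment to run against a real account):
# apply_ad_ingress sg-PLACEHOLDER 10.0.0.0/16
```
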
Architecture Considerations: Instance Configuration
• Active Directory, DNS and DHCP inside the Amazon VPC
• DNS Settings on Windows Server Instances
• Security Group Ingress Traffic
• Setting up Secure Administrative Access Using Remote Desktop Gateway
Useful Sample Stack: Automated Deployment
The AWS CloudFormation template performs these actions to deploy the architecture shown:
• Set up the Amazon VPC, including subnets in two Availability Zones
• Configure private and public routes
• Launch Windows Server 2012 Amazon Machine Images (AMIs) and set up and configure AD DS and AD-integrated DNS
• Create empty private subnets in each Availability Zone into which you can deploy additional servers
• Configure security groups and rules for traffic between application tiers
• Set up and configure AD Sites and Subnets
• Enable ingress traffic into the Amazon VPC for administrative access to Remote Desktop Gateway and NAT instances
Securely Extending AD into AWS
Two ways to extend an on-premises network to the Amazon VPC: IPSec tunnels over the Internet, or AWS Direct Connect.
Considerations for Extending AD into AWS
It isn't required, but it is recommended to add an additional DC within the cloud for resources in AWS that need access to your AD DS. This reduces network latency and also provides availability in the event of an outage on premises.
Making it simpler still: AWS Directory Service domains (Simple AD, Microsoft AD, or extended with AD Connector) now support automatic domain join for Windows instances.
http://aws.amazon.com/about-aws/whats-new/2015/02/17/aws-directory-service-now-supports-seamless-domain-join-for-windows
Domain Join: Windows and Linux
Joining instances to a directory
[Diagram: EC2 Windows and EC2 Linux instances joined through Microsoft AD or AD Connector]
Joining your Windows instance
• Microsoft AD or AD Connector required
• Create Role "DomainJoin"
• Select Server Role Type "Amazon EC2"
• Attach Policy "AmazonEC2RoleforSSM"
• Select your Directory: "Domain join directory"
• Select IAM role "DomainJoin"
Once your instance has booted, it will automatically join your selected domain.
Joining your Linux instance
Step 1 - Log in to the instance
ssh -i tuesday-demo.pem ec2-user@xxx.xxx.xxx.xxx
Step 2 - Make any updates, install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administrator@tuesday.mydirectory.com tuesday.mydirectory.com --verbose
Step 4 - Edit the sshd config file and allow password authentication
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance from the AWS Console, then log back in
Step 6 - Add the domain administrators group from the example.com domain
sudo visudo -f /etc/sudoers
%Domain\ Admins@tuesday.mydirectory.com ALL=(ALL:ALL) ALL
Step 7 - Approve a login
sudo realm permit administrator@tuesday.mydirectory.com
sudo realm permit casey@tuesday.mydirectory.com
Step 8 - Log in using a Linux user
ssh casey@tuesday.mydirectory.com@xxx.xxx.xxx.xxx
• Microsoft AD or AD Connector required
• Install SSSD, Kerberos
• Join domain
• Edit "sshd" config
• Start service "sssd"
• Add AD users / groups to "sudoers"
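As an added example (not part of the slides), this script automates Steps 2 to 7 above and verifies the join and the permitted logins from `realm list` output before handing out sudo; the sample `realm list` text, the sudoers drop-in path and the RUN_JOIN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the slide deck): a scripted version of Steps 3-7
# above with the checks a practitioner would add before trusting the join.
# Assumptions: realmd, sssd and visudo are installed as in Step 2; the domain,
# join account and group are the slide's demo values and can be overridden.

DOMAIN="${DOMAIN:-tuesday.mydirectory.com}"
JOIN_USER="${JOIN_USER:-administrator}"
ADMIN_GROUP="${ADMIN_GROUP:-Domain Admins}"
SUDOERS_DROPIN="/etc/sudoers.d/ad-admins"   # drop-in file instead of editing /etc/sudoers

# Constructed sample of `realm list` output (not captured from a real host),
# used to exercise the checks below.
SAMPLE_REALM_LIST='tuesday.mydirectory.com
  type: kerberos
  realm-name: TUESDAY.MYDIRECTORY.COM
  domain-name: tuesday.mydirectory.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@tuesday.mydirectory.com
  login-policy: allow-permitted-logins
  permitted-logins: administrator@tuesday.mydirectory.com, casey@tuesday.mydirectory.com'

# sudoers entry for an AD group (Step 6): "%" marks a group, the space in
# "Domain Admins" must be escaped, and the group is qualified with the domain.
sudoers_line_for_group() {
  escaped="$(printf '%s' "$1" | sed 's/ /\\ /g')"
  printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$escaped" "$2"
}

# Given the text of `realm list`, succeed only if DOMAIN is listed with
# "configured: kerberos-member", i.e. the join in Step 3 actually completed.
realm_is_joined() {
  printf '%s\n' "$2" | awk -v d="$1" '
    $1 == d { found = 1 }
    found && $1 == "configured:" && $2 == "kerberos-member" { ok = 1; exit }
    END { exit ok ? 0 : 1 }'
}

# Given the text of `realm list`, succeed if USER@DOMAIN is in permitted-logins
# (Step 7). With login-policy allow-permitted-logins nobody else can log in.
realm_permits_user() {
  printf '%s\n' "$3" | awk -v want="$1@$2" '
    $1 == "permitted-logins:" {
      for (i = 2; i <= NF; i++) { sub(/,$/, "", $i); if ($i == want) ok = 1 }
    }
    END { exit ok ? 0 : 1 }'
}

# Effective PasswordAuthentication value in sshd_config text (Step 4): sshd
# uses the first match and ignores commented lines; prints "unset" if absent.
sshd_password_auth_setting() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "passwordauthentication" { print tolower($2); seen = 1; exit }
    END { if (!seen) print "unset" }'
}

# Steps 3, 4, 6 and 7 with verification; arguments are the users to permit.
join_and_configure() {
  if realm_is_joined "$DOMAIN" "$(realm list 2>/dev/null)"; then
    echo "already joined to $DOMAIN"
  else
    sudo realm join -U "$JOIN_USER@$DOMAIN" "$DOMAIN" --verbose
    realm_is_joined "$DOMAIN" "$(realm list)" || { echo "join to $DOMAIN did not complete" >&2; return 1; }
  fi
  if [ "$(sshd_password_auth_setting "$(cat /etc/ssh/sshd_config)")" != "yes" ]; then
    echo "PasswordAuthentication is not yes in /etc/ssh/sshd_config; edit it as in Step 4" >&2
  fi
  sudo systemctl enable --now sssd 2>/dev/null || sudo service sssd start
  tmp="$(mktemp)"
  sudoers_line_for_group "$ADMIN_GROUP" "$DOMAIN" > "$tmp"
  # Validate with visudo before installing, so a typo cannot break sudo for everyone.
  if sudo visudo -cf "$tmp"; then
    sudo install -m 0440 -o root -g root "$tmp" "$SUDOERS_DROPIN"
  else
    echo "sudoers entry rejected by visudo" >&2; rm -f "$tmp"; return 1
  fi
  rm -f "$tmp"
  for u in "$@"; do sudo realm permit "$u@$DOMAIN"; done
  for u in "$@"; do
    realm_permits_user "$u" "$DOMAIN" "$(realm list)" || { echo "$u not permitted" >&2; return 1; }
  done
  realm list
}

# Set RUN_JOIN=1 to run against a real instance, e.g. RUN_JOIN=1 sh join.sh casey
if [ "${RUN_JOIN:-0}" = "1" ]; then join_and_configure "$@"; fi
```
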
Supported Linux Instances
• Amazon Linux AMI 2015.03
• Red Hat Enterprise Linux 7.2
• Ubuntu Server 14.04 LTS
• CentOS 7
AWS Enterprise Applications integration
AWS Applications integration: WorkSpaces, WorkDocs, WorkMail with Microsoft AD / AD Connector
Access URL: https://mycompany.awsapps.com
Parting thoughts
Get started today: visit our website aws.amazon.com/directoryservice
30-day free trial for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier: aws.amazon.com/free
Learn more: aws.amazon.com/windows
https://aws.amazon.com/directoryservice
https://aws.amazon.com/quickstart
justbrad@amazon.de
Thank You
Simple AD
Simple AD is a Microsoft Active Directory-compatible directory from AWS Directory Service that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, and domain-joining EC2 instances running Linux and Microsoft Windows.
When to use
In most cases Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don't need the more advanced Microsoft Active Directory features.
Microsoft AD
AWS Directory Service for Microsoft Active Directory is a managed Microsoft Active Directory hosted on the AWS Cloud. It provides much of the functionality offered by Microsoft Active Directory plus integration with AWS applications. With the additional Active Directory functionality you can, for example, easily set up trust relationships with your existing Active Directory domains to extend those directories to AWS services.
When to use
Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS-hosted directory and your on-premises directories.
May not be compatible with all applications due to the AD forest trust.
AD Connector
AD Connector is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS Cloud without requiring complex directory synchronization or the cost and complexity of hosting a federation infrastructure.
When to use
AD Connector is your best choice when you want to use your existing on-premises directory with AWS services.
Multi-forest with trust / resource forests
[Diagram: an AWS-managed VPC hosting Microsoft AD (ENI) and AD Connector (auth-only) used by EC2 corp servers; Direct Connect or VPN to the customer corp net and its users; Kerberos TGT/ticket flow between the directories; the customer firewall needs to allow ingress traffic. Legend: AWS-managed vs customer-managed; auth (LDAP/Kerberos); all other traffic]
Multi-forest with trust resource forests
AWS-Managed VPC
Auth Directory Service
EC2
auth-only
corp
servers
Direct Connect
or VPN
Customer
Corp Net
Users
Customer
firewall needs to
allow for ingress
traffic
KerbTGTticket
AD Connector
auth-only
Microsoft AD
ENI
AWS-Managed
Customer-Managed
all other traffic
NETWORK TRAFFIC LEGEND
auth (LDAPKerberos)
Auth (Trust)
Active
Directory
One Way- Trust
Resource Forest
Directory Service Regional availability
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
Making it simpler still
AWS Directory Service domains (Simple AD, Microsoft AD, or an on-premises domain extended with AD Connector) now support automatic domain join for Windows instances:
http://aws.amazon.com/about-aws/whats-new/2015/02/17/aws-directory-service-now-supports-seamless-domain-join-for-windows/
Domain Join: Windows and Linux
Joining instances to a directory: EC2 Windows and EC2 Linux instances can join a Microsoft AD directory, or an on-premises domain reached through AD Connector.
Joining your Windows instance
• Microsoft AD or AD Connector required
• Create an IAM role "DomainJoin": select the role type "Amazon EC2" and attach the managed policy "AmazonEC2RoleforSSM"
• When launching the instance, select your directory under "Domain join directory" and select the IAM role "DomainJoin"
Once your instance has booted it will automatically join the selected domain.
Note that AmazonEC2RoleforSSM grants the instance considerably more than a domain join needs and has since been deprecated; the current equivalents are AmazonSSMManagedInstanceCore plus AmazonSSMDirectoryServiceAccess, and the role should carry nothing beyond what the join requires.
Joining your Linux instance
Step 1 - Log in to the instance
ssh -i tuesday-demo.pem ec2-user@xxx.xxx.xxx.xxx
Step 2 - Apply updates and install SSSD, realmd and the Kerberos client
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory (the demo uses the domain administrator; in practice use an account delegated only to join computers to the target OU)
sudo realm join -U administrator@tuesday.mydirectory.com tuesday.mydirectory.com --verbose
Step 4 - Edit the SSH daemon configuration so AD users can authenticate with their domain password (password authentication invites brute force, so keep the host reachable only from your VPC or a bastion)
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance from the AWS Console, then log back in
Step 6 - Grant sudo to the Domain Admins group of the tuesday.mydirectory.com domain (the space in the group name must be escaped)
sudo visudo -f /etc/sudoers
%Domain\ Admins@tuesday.mydirectory.com ALL=(ALL:ALL) ALL
Step 7 - Approve logins (permitting named users switches SSSD to an allow-list: only the listed users, or groups permitted with realm permit -g, can log in)
sudo realm permit administrator@tuesday.mydirectory.com
sudo realm permit casey@tuesday.mydirectory.com
Step 8 - Log in as a domain user
ssh 'casey@tuesday.mydirectory.com'@xxx.xxx.xxx.xxx
• Microsoft AD or AD Connector required
• Install SSSD and Kerberos
• Join the domain
• Edit the "sshd" config
• Start the "sssd" service
• Add AD users and groups to "sudoers"
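The eight steps above as one script, added here as an example that is not from the slides or from AWS. It keeps the same realm/SSSD mechanics but replaces the parts a reviewer would push back on: the join runs as a delegated account rather than Administrator, logins are default-deny with one AD group permitted, sudo goes to one AD group through a visudo-checked drop-in instead of a hand edit of /etc/sudoers, and the sshd change is made by a function that replaces commented-out defaults rather than appending a second directive. The domain is the one from the slides; the join account "svc-linux-join" and the groups "Linux Admins" and "Linux Users" are hypothetical names, the package list assumes a yum-based distribution (Amazon Linux, RHEL 7, CentOS 7), and the fully-qualified "group@domain" form for realm permit -g is assumed.

```shell
#!/bin/sh
# Added example, not from the slides or from AWS: the realm/SSSD join above with a
# delegated join account, default-deny logins, group-based sudo and a checked sshd edit.
# Assumptions: domain tuesday.mydirectory.com from the slides; the join account
# "svc-linux-join" and the AD groups "Linux Admins" / "Linux Users" are hypothetical;
# yum-based distributions (Amazon Linux, RHEL 7, CentOS 7); the fully-qualified
# "group@domain" form for realm permit -g.
set -u

DOMAIN="${DOMAIN:-tuesday.mydirectory.com}"
JOIN_ACCOUNT="${JOIN_ACCOUNT:-svc-linux-join}"   # delegated "create computer objects" on one OU, not Domain Admin
ADMIN_GROUP="${ADMIN_GROUP:-Linux Admins}"       # the only AD group that gets sudo
LOGIN_GROUP="${LOGIN_GROUP:-Linux Users}"        # the only AD group allowed to log in

# sudoers entry for an AD group; spaces in the group name must be backslash-escaped,
# which is the detail the hand-typed version on the slide loses.
sudoers_entry() {
    group_escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$group_escaped" "$2"
}

# Set one sshd_config directive: replace an existing (possibly commented-out) line so
# the effective value is unambiguous, or append the directive if it is absent.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Everything that changes the host. Run as root with "join" as the only argument.
join_and_harden() {
    yum -y install sssd realmd krb5-workstation adcli
    realm join -U "$JOIN_ACCOUNT@$DOMAIN" "$DOMAIN" --verbose   # prompts for the join account's password

    # Default-deny, then allow one group: no per-user "realm permit" lines to forget later.
    realm deny --all
    realm permit -g "$LOGIN_GROUP@$DOMAIN"

    # sudo only for the admin group, as a drop-in that visudo validates before it is installed
    # (the .tmp name is ignored by sudo, so a half-written file never takes effect).
    sudoers_entry "$ADMIN_GROUP" "$DOMAIN" > /etc/sudoers.d/ad-admins.tmp
    visudo -cf /etc/sudoers.d/ad-admins.tmp && install -m 0440 /etc/sudoers.d/ad-admins.tmp /etc/sudoers.d/ad-admins
    rm -f /etc/sudoers.d/ad-admins.tmp

    # AD users authenticate with a password, so password auth stays on; root logins do not,
    # and the host should only be reachable from the VPC or a bastion.
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    set_sshd_option /etc/ssh/sshd_config MaxAuthTries 3

    systemctl enable --now sssd 2>/dev/null || service sssd start
    systemctl restart sshd 2>/dev/null || service sshd restart
}

case "${1:-}" in
    join)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        join_and_harden
        ;;
    *) ;;   # library mode: only the functions are defined, nothing on the host changes
esac
```

Run `sh join-ad.sh join` as root on a fresh instance, then log in as a member of the login group with `ssh 'user@tuesday.mydirectory.com'@<instance-ip>`. Without the argument the script only defines its functions, which is what lets the sudoers and sshd helpers be tested on a workstation before they are used on a host that matters.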
Supported Linux Instances
• Amazon Linux AMI 2015.03
• Red Hat Enterprise Linux 7.2
• Ubuntu Server 14.04 LTS
• CentOS 7
AWS Enterprise Applications integration
WorkSpaces, WorkDocs and WorkMail authenticate users against your Microsoft AD or AD Connector directory.
Access URL: https://mycompany.awsapps.com
Parting thoughts
Get started today: visit our website, aws.amazon.com/directoryservice (30-day free trial for small directories)
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier: aws.amazon.com/free
Learn more: aws.amazon.com/windows
https://aws.amazon.com/directoryservice
https://aws.amazon.com/quickstart
justbrad@amazon.de
Thank You
Directory Service Regional availability
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instanceStep 1 - Log in to the instance
ssh -i tuesday-demopem ec2-userxxxxxxxxxxxx
Step 2 - Make any updates install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administratortuesdaymydirectorycom tuesdaymydirectorycom --verbose
Step 4 - Edit the config file
sudo vi etcsshsshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance - from the AWS Console Log back in
Step 6 - Add the domain administrators group from the examplecom domain
sudo visudo -f etcsudoers
Domain Adminstuesdaymydirectorycom ALL=(ALLALL) ALL
Step 7 - approve a login
sudo realm permit administratortuesdaymydirectorycom
sudo realm permit caseytuesdaymydirectorycom
Step 8 - login using a linux user
ssh caseytuesdaymydirectorycomxxxxxxxxxxxx
bull Microsoft AD or AD Connector required
bull Install SSSD Kerberos
bull Join domain
bull Edit bdquosshdldquo Config
bull Start service bdquosssdldquo
bull Add AD users Groups to bdquosudoersldquo
Supported Linux Instances
bull Amazon Linux AMI 201503
bull Red Hat Enterprise Linux 72
bull Ubuntu Server 1404 LTS
bull CentOS 7
AWS Enterprise Applications
integration
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft ADAD Connector
AWS Applications integration
Access URL
httpsmycompanyawsappscom
Parting thoughts
Get started today
Visit our website
awsamazoncomdirectoryservice
30-day free trial
for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier awsamazoncomfree
Learn more awsamazoncomwindows
httpsawsamazoncomdirectoryservice
httpsawsamazoncomquickstart
justbradamazonde
Thank You
Directory Service Design Considerations
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instanceStep 1 - Log in to the instance
ssh -i tuesday-demopem ec2-userxxxxxxxxxxxx
Step 2 - Make any updates install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administratortuesdaymydirectorycom tuesdaymydirectorycom --verbose
Step 4 - Edit the config file
sudo vi etcsshsshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance - from the AWS Console Log back in
Step 6 - Add the domain administrators group from the examplecom domain
sudo visudo -f etcsudoers
Domain Adminstuesdaymydirectorycom ALL=(ALLALL) ALL
Step 7 - approve a login
sudo realm permit administratortuesdaymydirectorycom
sudo realm permit caseytuesdaymydirectorycom
Step 8 - login using a linux user
ssh caseytuesdaymydirectorycomxxxxxxxxxxxx
bull Microsoft AD or AD Connector required
bull Install SSSD Kerberos
bull Join domain
bull Edit bdquosshdldquo Config
bull Start service bdquosssdldquo
bull Add AD users Groups to bdquosudoersldquo
Supported Linux Instances
bull Amazon Linux AMI 201503
bull Red Hat Enterprise Linux 72
bull Ubuntu Server 1404 LTS
bull CentOS 7
AWS Enterprise Applications
integration
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft ADAD Connector
AWS Applications integration
Access URL
httpsmycompanyawsappscom
Parting thoughts
Get started today
Visit our website
awsamazoncomdirectoryservice
30-day free trial
for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier awsamazoncomfree
Learn more awsamazoncomwindows
httpsawsamazoncomdirectoryservice
httpsawsamazoncomquickstart
justbradamazonde
Thank You
Architecture Considerations
Active Directory Design
bull Site Topology
bull Highly Available Directory
Domain Services
bull Read-Only and Writeable
Domain Controllers
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instanceStep 1 - Log in to the instance
ssh -i tuesday-demopem ec2-userxxxxxxxxxxxx
Step 2 - Make any updates install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administratortuesdaymydirectorycom tuesdaymydirectorycom --verbose
Step 4 - Edit the config file
sudo vi etcsshsshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance - from the AWS Console Log back in
Step 6 - Add the domain administrators group from the examplecom domain
sudo visudo -f etcsudoers
Domain Adminstuesdaymydirectorycom ALL=(ALLALL) ALL
Step 7 - approve a login
sudo realm permit administratortuesdaymydirectorycom
sudo realm permit caseytuesdaymydirectorycom
Step 8 - login using a linux user
ssh caseytuesdaymydirectorycomxxxxxxxxxxxx
bull Microsoft AD or AD Connector required
bull Install SSSD Kerberos
bull Join domain
bull Edit bdquosshdldquo Config
bull Start service bdquosssdldquo
bull Add AD users Groups to bdquosudoersldquo
Supported Linux Instances
bull Amazon Linux AMI 201503
bull Red Hat Enterprise Linux 72
bull Ubuntu Server 1404 LTS
bull CentOS 7
AWS Enterprise Applications
integration
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft ADAD Connector
AWS Applications integration
Access URL
httpsmycompanyawsappscom
Parting thoughts
Get started today
Visit our website
awsamazoncomdirectoryservice
30-day free trial
for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier awsamazoncomfree
Learn more awsamazoncomwindows
httpsawsamazoncomdirectoryservice
httpsawsamazoncomquickstart
justbradamazonde
Thank You
Availability Zone B
Private subnet
DC4
Corporate Network
London
DC1
VPN Direct
Connect
Paris
DC2
Cost 50
Availability Zone A
Private subnet
DC3Cost 10
companylocal
companylocal
Active Directory AD DS Sites and Services
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instanceStep 1 - Log in to the instance
ssh -i tuesday-demopem ec2-userxxxxxxxxxxxx
Step 2 - Make any updates install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administratortuesdaymydirectorycom tuesdaymydirectorycom --verbose
Step 4 - Edit the config file
sudo vi etcsshsshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance - from the AWS Console Log back in
Step 6 - Add the domain administrators group from the examplecom domain
sudo visudo -f etcsudoers
Domain Adminstuesdaymydirectorycom ALL=(ALLALL) ALL
Step 7 - approve a login
sudo realm permit administratortuesdaymydirectorycom
sudo realm permit caseytuesdaymydirectorycom
Step 8 - login using a linux user
ssh caseytuesdaymydirectorycomxxxxxxxxxxxx
bull Microsoft AD or AD Connector required
bull Install SSSD Kerberos
bull Join domain
bull Edit bdquosshdldquo Config
bull Start service bdquosssdldquo
bull Add AD users Groups to bdquosudoersldquo
Supported Linux Instances
bull Amazon Linux AMI 201503
bull Red Hat Enterprise Linux 72
bull Ubuntu Server 1404 LTS
bull CentOS 7
AWS Enterprise Applications
integration
AWS Applications integration
WorkSpaces WorkDocs WorkMail
Microsoft ADAD Connector
AWS Applications integration
Access URL
httpsmycompanyawsappscom
Parting thoughts
Get started today
Visit our website
awsamazoncomdirectoryservice
30-day free trial
for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier awsamazoncomfree
Learn more awsamazoncomwindows
httpsawsamazoncomdirectoryservice
httpsawsamazoncomquickstart
justbradamazonde
Thank You
Network Traffic Requirements (Ingress) Active DirectorySource ndash AWS (customer VPC CIDR block -or- subnet CIDR blocks -or- AD Connector IP addresses)
Protocol Port Type Use Destination
tcp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 135 RPC EPM Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 139 NetLogon NetBIOS Name
Resolution
Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 636 LDAP SSL Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 3268-3269 LDAP GC GC SSL Trusts Active Directory (private datacenter -or- EC2)
tcp 49152 - 65535 Dynamic Auth (primary) Active Directory (private datacenter -or- EC2)
tcp 9389 AD Web Services Remote PowerShell (Optional)
Active Directory (private datacenter -or- EC2)
udp 53 DNS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 88 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 123 Windows Time Auth (primary) Active Directory (private datacenter -or- EC2)
udp 137 DFSN NetBIOS Session Service
NetLogon
Auth (primary) Active Directory (private datacenter -or- EC2)
udp 138 DFSN NetLogon Auth (primary) Active Directory (private datacenter -or- EC2)
udp 389 LDAP Auth (primary) Active Directory (private datacenter -or- EC2)
udp 445 SMB CIFS Auth (primary) Active Directory (private datacenter -or- EC2)
udp 464 Kerberos Auth (primary) Active Directory (private datacenter -or- EC2)
udp 1812 RADIUS Auth (MFA) (optional) RADIUS (private datacenter -or- EC2)
Active Directory Port Requirements available at httpstechnetmicrosoftcomen-uslibrarydd772723(v=ws10)aspx
Dynamic port range Refer to Microsoft kb 832017
Architecture Considerations
Instance Configuration
bull Active Directory DNS and DHCP
inside the Amazon VPC
bull DNS Settings on Windows Server
Instances
bull Security Group Ingress Traffic
bull Setting up Secure Administrative
Access Using Remote Desktop
Gateway
Useful Sample Stack
Automated Deployment
The AWS CloudFormation template performs these actions to
deploy the architecture shown
bull Set up the Amazon VPC including subnets in two Availability Zones
bull Configure private and public routes
bull Launch Windows Server 2012 Amazon Machine Images (AMIs) and
set up and configure AD DS and AD integrated DNS
bull Create empty private subnets in each Availability Zone into which you
can deploy additional servers
bull Configure security groups and rules for traffic between application
tiers
bull Set up and configure AD Sites and Subnets
bull Enable ingress traffic into the Amazon VPC for administrative access
to Remote Desktop Gateway and NAT instances
LaunchStack
18
Securely Extending AD into AWS
IPSec Tunnels over the Internet AWS Direct Connect
Two ways to extend an on-premises
network to the Amazon VPC
Considerations for Extending AD into AWS
It isnrsquot required but
recommended to add an
additional DC within the cloud for
resources in AWS that need
access to your AD DS
This reduces network latency and
also provides availability in the
event of an outage on premises
AWS Directory Service domains (Simple AD Microsoft AD
or extended with AD Connector) now support automatic
domain join for windows instances
httpawsamazoncomabout-awswhats-new20150217aws-directory-service-now-supports-seamless-domain-join-for-windows
Making it simpler still
Domain Join Windows and Linux
Joining instances to a directory
Microsoft AD
AD Connector
EC2 Windows
EC2 Linux
Joining your Windows instance
bull Microsoft AD or AD Connector
required
bull Create Role bdquoDomainJoinldquo
bull Select Server Role Type
bdquoAmazon EC2ldquo
bull Attach Policy
bdquoAmazonEC2RoleforSSMldquo
Joining your Windows instance
bull Select your Directory ldquoDomain join directoryrdquo
bull Select IAM role bdquoDomainJoinldquo
Once your Instance has booted it will automatically join your selected domain
Joining your Linux instance
Step 1 - Log in to the instance
ssh -i tuesday-demo.pem ec2-user@xxxxxxxxxxxx
Step 2 - Make any updates, install SSSD
sudo yum -y update
sudo yum -y install sssd realmd krb5-workstation
Step 3 - Join the instance to the directory
sudo realm join -U administrator@tuesday.mydirectory.com tuesday.mydirectory.com --verbose
Step 4 - Edit the config file
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes
Start SSSD
sudo service sssd start
Step 5 - Restart the instance from the AWS Console, then log back in
Step 6 - Add the domain administrators group from the example.com domain
sudo visudo -f /etc/sudoers
%Domain\ Admins@tuesday.mydirectory.com ALL=(ALL:ALL) ALL
Step 7 - Approve a login
sudo realm permit administrator@tuesday.mydirectory.com
sudo realm permit casey@tuesday.mydirectory.com
Step 8 - Log in using a Linux user
ssh casey@tuesday.mydirectory.com@xxxxxxxxxxxx
• Microsoft AD or AD Connector required
• Install SSSD, Kerberos
• Join domain
• Edit „sshd“ config
• Start service „sssd“
• Add AD users/groups to „sudoers“
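The eight Linux steps above as one script that can be re-run safely. This is an added example, not code from the deck or from AWS; the domain, admin account and group are the deck's demo values, while the /etc/sudoers.d drop-in path, the idempotency checks and the sshd restart in place of the deck's reboot are assumptions.

```shell
#!/bin/sh
# Added example, not from the deck: the Linux join steps as an idempotent
# script. Domain, admin user and group are the deck's demo values; the
# sudoers.d drop-in and the sshd restart are assumptions.

DEMO_DOMAIN="tuesday.mydirectory.com"
DEMO_ADMIN="administrator"
DEMO_GROUP="Domain Admins"

# Render the sudoers line for an AD group: "%" marks a group and the space
# in "Domain Admins" must be backslash-escaped, or sudoers rejects the line.
sudoers_entry() {
    group=$1; domain=$2
    escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
    printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$escaped" "$domain"
}

# Write that line to a 0440 drop-in. When running as root with visudo
# available, refuse to keep a file that does not parse: a syntax error in
# sudoers can lock every administrator out of sudo.
write_sudoers_dropin() {
    file=$1; group=$2; domain=$3
    sudoers_entry "$group" "$domain" > "$file"
    chmod 0440 "$file"
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null || { rm -f "$file"; return 1; }
    fi
}

# Set "key value" in an sshd_config-style file. Every active or commented
# line for the key is rewritten (sshd takes the first match, so a stale
# line left above ours would win); if none exists the line is appended.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Steps 2-7 of the deck, in order. Run as root on the instance:
#   join_linux_instance "$DEMO_DOMAIN" "$DEMO_ADMIN" "$DEMO_GROUP"
join_linux_instance() {
    domain=$1; admin=$2; group=$3
    yum -y update                                                  # Step 2
    yum -y install sssd realmd krb5-workstation
    if ! realm list --name-only | grep -Fxq "$domain"; then        # Step 3
        realm join -U "$admin@$domain" "$domain" --verbose         # prompts for the join password
    fi
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes   # Step 4
    service sssd start
    # Step 6: a drop-in instead of editing /etc/sudoers in place (relies on
    # the default "#includedir /etc/sudoers.d" line in /etc/sudoers).
    write_sudoers_dropin /etc/sudoers.d/ad-domain-admins "$group" "$domain"
    realm permit "$admin@$domain"                                  # Step 7
    service sshd restart     # apply the sshd_config change; the deck reboots (Step 5) instead
}
```

Two points worth keeping in mind when adapting this: Step 4 turns on password authentication in sshd so that domain accounts can log in with their AD password, and Step 7 (realm permit without --all) is what limits that login to the listed accounts rather than every user in the directory, so keep both steps together. The drop-in file keeps the AD grant separate from the distribution's /etc/sudoers and lets visudo -c validate just that file before it takes effect.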
Supported Linux Instances
• Amazon Linux AMI 2015.03
• Red Hat Enterprise Linux 7.2
• Ubuntu Server 14.04 LTS
• CentOS 7
AWS Enterprise Applications integration
AWS Applications integration: WorkSpaces, WorkDocs and WorkMail with Microsoft AD / AD Connector
AWS Applications integration
Access URL: https://mycompany.awsapps.com
Parting thoughts
Get started today
Visit our website: aws.amazon.com/directoryservice
30-day free trial for small directories
Next Steps
Sign up for an AWS account
Take advantage of the Free Tier: aws.amazon.com/free
Learn more: aws.amazon.com/windows
https://aws.amazon.com/directoryservice
https://aws.amazon.com/quickstart
justbrad@amazon.de
Thank You