On December 3rd, 2015 Amazon announced a new service that allows customers to provision a Microsoft Active Directory managed service in Amazon Web Services (AWS). The service, also referred to as Microsoft AD, uses directory capabilities found in Microsoft Windows Server 2012 R2.
Amazon also offers services that federate with customers’ own Active Directory instances, including Simple AD and AD Connector, but this is the first Microsoft-native option for customers. In its announcement, Amazon describes how customers can use the service while achieving high availability: “It is created as a highly available pair of domain controllers connected to your virtual private cloud (VPC). The domain controllers run in different Availability Zones in a region of your choice.”
The Microsoft AD service has been designed with simplicity in mind, and since it is a managed service, Amazon is responsible for the maintenance activities typically required when managing Active Directory. Jeff Barr, chief evangelist for AWS, further explains: “provisioning is easy, quick (25-30 minutes), and straightforward. Because this is a managed service, common administrative tasks are handled for you. This includes host monitoring with automatic replacement, data replication, snapshot backups, and automatic software updates. As is often the case with AWS, you will spend less time administering and more time working on your applications and your business.”
For customers, this new service allows them to run Active Directory-aware workloads in AWS, such as SharePoint, BizTalk Server, SQL Server and custom .NET applications. It also allows Amazon EC2 Linux and Windows instances to be domain-joined, and lets users access directory resources in either the customer’s data center or AWS using the same set of credentials.
Since there are three different AWS services that allow customers to interact with Active Directory, Amazon positions each of them as follows:
- Simple AD is a Microsoft Active Directory-compatible directory that leverages Samba 4. Basic Active Directory capabilities are provided, including user accounts, group membership and domain joining of both Linux and Windows instances. Amazon positions this service as the least expensive option, ideal for organizations with fewer than 5000 users who have simple Active Directory use cases.
- AD Connector is a proxy service that allows organizations to leverage their on-premises Active Directory from other services such as Amazon WorkSpaces, Amazon WorkDocs or Amazon WorkMail. AD Connector can also be used in conjunction with RADIUS-based multi-factor authentication (MFA) infrastructure to provide additional security. Amazon positions AD Connector as the best choice when federating AWS services with your on-premises Active Directory.
- AWS Directory Service for Microsoft Active Directory is a managed, native Active Directory service that includes support for complex directory synchronization in a highly available configuration. Amazon positions this service for organizations that have between 5000 and 50 000 users with up to 200 000 directory objects. It is also ideal for organizations with other Microsoft Active Directory-aware applications where direct integration is required.
The following image illustrates how an administrator creates one of the three directory service offerings from the AWS Directory Service Console.
Image source: https://aws.amazon.com/blogs/aws/aws-directory-service-update-support-for-managed-microsoft-active-directory/
Rajat Bhargava, co-founder and CEO of JumpCloud, estimates that Active Directory owns approximately 90% market share for directory services in the Fortune 1000. Given that market share, customers who use both AWS and Active Directory will benefit from the deeper integration this new service provides. Customers also benefit from reduced management responsibilities as a result of Amazon providing a managed service.