Active Directory Domain Services on AWS
Quick Start Reference Deployment Guide

Step 3. Post-Deployment Tasks (Scenario 2 Only)

If you're extending your on-premises AD DS to the AWS Cloud (scenario 2), you'll need to perform the following tasks manually after the stack has been created successfully:

  1. Connect your on-premises network to the VPC using AWS Direct Connect or a VPN connection.

  2. Add domain controllers to the AWS Cloud to provide a reliable, low-latency network connection for resources in AWS that need access to your AD DS.

  3. Configure your on-premises Active Directory Sites and Services to include sites and subnets that represent the Availability Zones within your VPC.

  4. Promote the Windows Server instances in private subnet 1 and private subnet 2 to domain controllers in your Active Directory domain.

  5. Ensure that instances can resolve names via AD DNS by using one of these methods:

    • Statically assign AD DNS servers on Windows instances.

      —or—

    • Set the domain-name-servers field in a new DHCP options set in your VPC to include your AWS-based domain controllers hosting Active Directory DNS.

The following sections provide more information about these post-deployment tasks.

Connecting Your On-Premises Network to the VPC

By default, instances that you launch into a virtual private cloud can't communicate with your own network. To extend your existing AD DS into the AWS Cloud, you'll need to extend your on-premises network to the VPC. We'll discuss two ways to do this: by using IPsec Virtual Private Network (VPN) tunnels or by using AWS Direct Connect.

Using IPsec VPN Tunnels

The most common way to extend your on-premises network to your VPC is through IPsec VPN tunnels. Within the VPC, you create a virtual private gateway that acts as the VPN concentrator on the Amazon side of the VPN tunnel. A customer gateway is the anchor on your side of that connection. The customer gateway can be a physical device or a software appliance.



Figure 9: Single VPN connection from your on-premises network to your VPC

Multiple VPN configuration options are available, including using multiple on-premises customer gateways and configuring redundant VPN connections to provide failover. For details, see VPN Configuration Examples in the Amazon VPC User Guide. Details about which hardware or software appliances you can use are available in the Customer Gateway Devices We've Tested and Requirements for Your Customer Gateway sections of the Amazon VPC Network Administrator Guide.

Using AWS Direct Connect

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection in place, you can create virtual interfaces directly to the AWS Cloud (for example, to Amazon EC2, to Amazon S3, and to Amazon VPC), bypassing Internet service providers in your network path.



Figure 10: How AWS Direct Connect interfaces with your network

When you choose AWS Direct Connect to extend your on-premises network to the cloud, you should consider configuring two dedicated connections for maximum redundancy. There are different configuration choices available when you provision two dedicated connections, including active/active (BGP multipath) and active/passive (failover).

In a failover configuration, only one connection link handles traffic. If that link becomes unavailable, the standby connection link becomes active. We recommend that you configure both connection links as active, because this will help ensure that network traffic is load-balanced across both connections. In an active/active configuration, if one connection link becomes unavailable, all traffic is routed through the other link, so each link should be sized to carry the full load on its own.

For implementation details, see Getting Started in the AWS Direct Connect User Guide.

Deploying Additional Domain Controllers in the AWS Cloud

Although you can use AWS Direct Connect or a VPN connection to provide access to on-premises resources from the VPC, we recommend that you also add domain controllers to the AWS Cloud. Additional domain controllers provide a reliable, low-latency network connection for resources in AWS that need access to your AD DS. They can also maintain availability for AD DS in the AWS Cloud if there is an on-premises infrastructure outage.

In the architecture shown in Figure 11, a single Active Directory forest has been extended from an on-premises deployment into a VPC using a VPN connection. Within the VPC, additional domain controllers configured as global catalog and DNS servers are deployed in the existing Active Directory forest.



Figure 11: Single AD forest with a domain controller on premises and in a VPC

In this type of environment, the customer network will already be defined in Active Directory Sites and Services. For example, there will already be a site definition that corresponds to the on-premises network, along with a subnet definition for the 192.168.1.0/24 network. The next step is to configure Active Directory Sites and Services to support the network components located in the VPC.

Configuring Active Directory Sites and Services

Additional Active Directory sites should be created to reference the Availability Zones in AWS. The 10.0.0.0/19 and 10.0.32.0/19 CIDR blocks used by the VPC subnets should be added to Active Directory Sites and Services, and each subnet associated with the AD DS site definition for its AWS Availability Zone. Additional subnets for web, application, and database tiers in the VPC can be mapped to the corresponding AWS site object. Both the on-premises site and the sites in the AWS Cloud can be mapped to a site link, which can be configured to replicate at custom intervals or during a specific time of day, if needed.

By properly configuring Active Directory Sites and Services, you can help ensure that the AD DS queries and authentication requests that originate from the VPC are serviced by a local domain controller in the same AWS Availability Zone. This configuration reduces network latency and minimizes traffic that may otherwise need to travel across the VPN back to the on-premises infrastructure.
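The following PowerShell script is an added example, not part of this guide or the Quick Start templates. It creates the site, subnet and site link objects described above with the ActiveDirectory module (RSAT), using the CIDR blocks from this guide; the site names, the on-premises site name, the site-link cost and the replication interval are assumptions. Site objects live in the Configuration partition, so run it as a member of Enterprise Admins on a domain-joined machine that can reach a writable domain controller.

```powershell
# Added example: register the VPC Availability Zones as AD sites/subnets and
# link them to the existing on-premises site. Names and costs are assumptions.
Import-Module ActiveDirectory

$OnPremSite = 'OnPremises'                 # existing on-premises site (assumed name)
$OnPremCidr = '192.168.1.0/24'             # on-premises subnet from this guide

# One site per Availability Zone; each site lists the VPC subnets that live in it.
# Add the web/app/db tier subnets for each AZ to the matching list.
$AwsSites = @{
    'AWS-AZ1' = @('10.0.0.0/19')           # private subnet 1 (from this guide)
    'AWS-AZ2' = @('10.0.32.0/19')          # private subnet 2 (from this guide)
}

# 1. Ensure the on-premises site and subnet exist (idempotent; normally already present).
if (-not (Get-ADReplicationSite -Filter "Name -eq '$OnPremSite'")) {
    New-ADReplicationSite -Name $OnPremSite
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$OnPremCidr'")) {
    New-ADReplicationSubnet -Name $OnPremCidr -Site $OnPremSite
}

# 2. Create a site per AZ and associate its subnets with that site.
foreach ($site in $AwsSites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site -Description 'VPC Availability Zone'
    }
    foreach ($cidr in $AwsSites[$site]) {
        if (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'") {
            # Subnet already registered: make sure it points at the right site.
            Set-ADReplicationSubnet -Identity $cidr -Site $site
        } else {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# 3. One IP site link joining on-premises and both AZ sites over the VPN/Direct
#    Connect path. ReplicationFrequencyInMinutes is the custom interval mentioned
#    above (the default is 180); cost 100 is the default value, kept explicit.
$LinkName  = 'OnPrem-AWS'
$LinkSites = @($OnPremSite) + @($AwsSites.Keys)
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $LinkSites `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
} else {
    Set-ADReplicationSiteLink -Identity $LinkName -SitesIncluded @{ Replace = $LinkSites } `
        -ReplicationFrequencyInMinutes 15
}

# 4. Review the result: every subnet should map to the site you expect.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize
```

After the domain controllers in the VPC have been promoted into these sites, run `nltest /dsgetsite` on an EC2 domain member to confirm it is placed in the AZ site and `nltest /dsgetdc:<domain>` to confirm it locates a local domain controller; if a member reports the on-premises site, its subnet is missing from the list above. Whether the AZ sites are also left in DEFAULTIPSITELINK affects replication paths, so review that link as well.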

Configuring DNS Resolution

After you've created a VPC and established connectivity to your on-premises network by using AWS Direct Connect or a VPN connection, your next step is to launch Windows instances to act as domain controllers. In order to join the on-premises Active Directory domain and promote your Windows instances to domain controllers, you'll need to ensure that DNS resolution is configured appropriately.

As discussed previously, by default, instances launched into the VPC are assigned the Amazon-provided DNS server, which cannot resolve your Active Directory domain (including the SRV records a domain join depends on) or names in your on-premises infrastructure. To address this, you can do one of two things:

  • Manually assign DNS server settings on the Windows instances. This static DNS setting would initially point to the on-premises Active Directory DNS server. After promoting the instance to a domain controller, you could modify the setting to use a cloud-based Active Directory DNS server IP address to prevent subsequent DNS queries from traversing the link back to the on-premises environment.

    —or—

  • Initially configure the VPC DHCP options set to assign your on-premises Active Directory DNS server IP address to your instances launched into the VPC. After the Windows instances have been joined to the domain and promoted to domain controllers, you can create a new DHCP options set to assign the IP address of the Active Directory DNS server instances running in AWS.
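The following PowerShell script is an added example, not part of this guide or the Quick Start templates. It walks through steps 4 and 5 of the post-deployment list for one instance: point the instance at on-premises AD DNS, promote it into the domain in its AWS site, switch its DNS client to the cloud domain controllers, and finally move the VPC to a new DHCP options set that hands out the cloud DCs (AWS Tools for PowerShell). The domain name, IP addresses, site name and VPC ID are assumptions. Steps 1 to 3 run on the instance as a local administrator with domain credentials; step 4 runs wherever you have EC2 permissions.

```powershell
# Added example: DNS bootstrap, DC promotion, and DHCP options cut-over.
# All names and addresses below are assumptions; replace them with your own.
$OnPremDns  = '192.168.1.10'                   # on-premises AD DNS server (assumed)
$CloudDcIps = @('10.0.0.10', '10.0.32.10')     # planned addresses of the AWS DCs (assumed)
$DomainName = 'example.com'                    # Active Directory domain (assumed)
$SiteName   = 'AWS-AZ1'                        # AD site for this instance's AZ (assumed)

# Step 1: static DNS pointing at on-premises AD DNS so the instance can locate the domain.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $OnPremDns
# Promotion needs the domain's DC locator records; fail early if they do not resolve
# (usually a VPN/Direct Connect routing or firewall problem).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop | Out-Null

# Step 2: install AD DS and promote into the existing domain, placed in the AZ site.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -Message "Domain Admin credentials for $DomainName"
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSDomainController -DomainName $DomainName -SiteName $SiteName `
    -InstallDns -Credential $cred -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion -Force
Restart-Computer -Force
# ---- continue after the reboot ----

# Step 3: this DC now hosts AD DNS itself. Prefer the peer cloud DC, with loopback
# as the last entry, so name resolution no longer depends on the on-premises link.
$self = (Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).IPAddress
$peer = $CloudDcIps | Where-Object { $_ -ne $self }
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses (@($peer) + '127.0.0.1')

# Step 4: new DHCP options set so other instances in the VPC use the cloud DCs.
# Requires AWS Tools for PowerShell with EC2 permissions; the VPC ID is assumed.
$VpcId = 'vpc-0123456789abcdef0'
$opts = New-EC2DhcpOption -DhcpConfiguration @(
    @{ Key = 'domain-name-servers'; Values = $CloudDcIps },
    @{ Key = 'domain-name';         Values = @($DomainName) }
)
Register-EC2DhcpOption -DhcpOptionsId $opts.DhcpOptionsId -VpcId $VpcId
# Existing instances pick up the new servers when their DHCP lease renews;
# run "ipconfig /renew" on an instance to apply it immediately.
```

Repeat steps 1 to 3 for the instance in private subnet 2 with its own site name. Before the cut-over in step 4, confirm both cloud DCs replicate with the on-premises DCs (`repadmin /replsummary`) and answer queries for the domain (`Resolve-DnsName $DomainName -Server 10.0.0.10`); once the DHCP options set is replaced, instances that cannot reach the cloud DCs lose domain name resolution entirely, so the security groups on the DCs must allow DNS and AD traffic from the VPC subnets before this step.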