AWS Directory Service
Administration Guide (Version 1.0)

Best Practices for AD Connector

Here are some suggestions and guidelines you should consider to avoid problems and get the most out of AD Connector.

Setting Up: Prerequisites

Consider these guidelines before creating your directory.

Verify You Have the Right Directory Type

AWS Directory Service provides multiple ways to use Microsoft Active Directory with other AWS services. You can choose the directory service with the features you need at a cost that fits your budget:

  • AWS Directory Service for Microsoft Active Directory is a feature-rich managed Microsoft Active Directory hosted on the AWS cloud. AWS Managed Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories.

  • AD Connector simply connects your existing on-premises Active Directory to AWS. AD Connector is your best choice when you want to use your existing on-premises directory with AWS services.

  • Simple AD is an inexpensive Active Directory–compatible service with the common directory features. In most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features.

For a more detailed comparison of AWS Directory Service options, see Which to Choose.

Ensure Your VPCs and Instances are Configured Correctly

In order to connect to, manage, and use your directories, you must properly configure the VPCs that the directories are associated with. See either AWS Managed Microsoft AD Prerequisites, AD Connector Prerequisites, or Simple AD Prerequisites for information about the VPC security and networking requirements.

If you are adding an instance to your domain, ensure that you have connectivity and remote access to your instance as described in Join an EC2 Instance to Your AWS Managed Microsoft AD Directory.

Be Aware of Your Limits

Learn about the various limits for your specific directory type. The available storage and the aggregate size of your objects are the only limitations on the number of objects you may store in your directory. See either Limits for AWS Managed Microsoft AD, Limits for AD Connector, or Limits for Simple AD for details about your chosen directory.

Understand Your Directory’s AWS Security Group Configuration and Use

AWS creates a security group and attaches it to your directory’s elastic network interfaces that are accessible from within your peered or resized VPCs. AWS configures the security group to block unnecessary traffic to the directory and allows necessary traffic.

Modifying the Directory Security Group

If you want to modify the security of your directories’ security groups, you can do so. Make such changes only if you fully understand how security group filtering works. For more information, see Amazon EC2 Security Groups for Linux Instances in the Amazon EC2 User Guide. Improper changes can result in loss of communications to intended computers and instances. AWS recommends that you do not attempt to open additional ports to your directory as this decreases the security of your directory. Please carefully review the AWS Shared Responsibility Model.

Warning

It is technically possible for you to associate the directory’s security group with other EC2 instances that you create. However, AWS recommends against this practice. AWS may have reasons to modify the security group without notice to address functional or security needs of the managed directory. Such changes affect any instances with which you associate the directory security group and may disrupt operation of the associated instances. Furthermore, associating the directory security group with your EC2 instances may create a potential security risk for your EC2 instances.

Configure On-premises Sites and Subnets Correctly When Using AD Connector

If your on-premises network has Active Directory sites defined, you must make sure the subnets in the VPC where your AD Connector resides are defined in an Active Directory site, and that no conflicts exist between the subnets in your VPC and the subnets in your other sites.

To discover domain controllers, AD Connector uses the Active Directory site whose subnet IP address ranges are close to those in the VPC that contain the AD Connector. If you have a site whose subnets have the same IP address ranges as those in your VPC, AD Connector will discover the domain controllers in that site, which may not be physically close to your region.

Programming Your Applications

Before you program your applications, consider the following:

Load Test Before Rolling Out to Production

Be sure to do lab testing with applications and requests that are representative of your production workload to confirm that the directory scales to the load of your application. Should you require additional capacity, spread your loads across multiple AD Connector directories.

Using Your Directory

Here are some suggestions to keep in mind when using your directory.

Rotate Admin Credentials Regularly

Change your AD Connector service account Admin password regularly, and make sure that the password is consistent with your existing Active Directory password policies. For instructions on how to change the service account password, see Update Your AD Connector Service Account Credentials in AWS Directory Service.

Use Unique AD Connectors for Each Domain

AD Connectors and your on-premises domains have a 1-to-1 relationship. That is, for each on-premises domain you want to authenticate against, you must create a unique AD Connector. Each AD Connector that you create must use a different service account, even if they are connected to the same directory.

Check for compatibility

When using AD Connector, you must ensure that your on-premises directory is and remains compatible with AWS Directory Services. For more information on your responsibilities, please see our shared responsibility model.