What gets created with your AWS Managed Microsoft AD

Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs are essential for connectivity between your VPC and AWS Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with AWS Directory Service by the description: "AWS created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide. The default DNS Server of the AWS Managed Microsoft AD Active Directory is the VPC DNS server at Classless Inter-Domain Routing (CIDR)+2. For more information, see Amazon DNS server in Amazon VPC User Guide.

Note

Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon VPC (VPC). Backups are automatically taken once per day, and the Amazon EBS (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

Provisions Active Directory within your VPC using two domain controllers for fault tolerance and high availability. More domain controllers can be provisioned for higher resiliency and performance after the directory has been successfully created and is Active. For more information, see Deploying additional domain controllers for your AWS Managed Microsoft AD.

Note

AWS does not allow the installation of monitoring agents on AWS Managed Microsoft AD domain controllers.

Creates an AWS security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic ENIs or instances attached to the created AWS Security Group. The default inbound rules allows only traffic through ports that are required by Active Directory from your VPC CIDR for your AWS Managed Microsoft AD. These rules do not introduce security vulnerabilities as traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using AWS Direct Connect, AWS Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC and VPC routed traffic. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers. For more information, see AWS Managed Microsoft AD best practices. The following AWS Security Group rules are created by default:

Inbound Rules

Protocol	Port range	Source	Type of traffic	Active Directory usage
ICMP	N/A	AWS Managed Microsoft AD VPC IPv4 CIDR	Ping	LDAP Keep Alive, DFS
TCP & UDP	53	AWS Managed Microsoft AD VPC IPv4 CIDR	DNS	User and computer authentication, name resolution, trusts
TCP & UDP	88	AWS Managed Microsoft AD VPC IPv4 CIDR	Kerberos	User and computer authentication, forest level trusts
TCP & UDP	389	AWS Managed Microsoft AD VPC IPv4 CIDR	LDAP	Directory, replication, user and computer authentication group policy, trusts
TCP & UDP	445	AWS Managed Microsoft AD VPC IPv4 CIDR	SMB / CIFS	Replication, user and computer authentication, group policy, trusts
TCP & UDP	464	AWS Managed Microsoft AD VPC IPv4 CIDR	Kerberos change / set password	Replication, user and computer authentication, trusts
TCP	135	AWS Managed Microsoft AD VPC IPv4 CIDR	Replication	RPC, EPM
TCP	636	AWS Managed Microsoft AD VPC IPv4 CIDR	LDAP SSL	Directory, replication, user and computer authentication, group policy, trusts
TCP	1024 - 65535	AWS Managed Microsoft AD VPC IPv4 CIDR	RPC	Replication, user and computer authentication, group policy, trusts
TCP	3268 - 3269	AWS Managed Microsoft AD VPC IPv4 CIDR	LDAP GC & LDAP GC SSL	Directory, replication, user and computer authentication, group policy, trusts
UDP	123	AWS Managed Microsoft AD VPC IPv4 CIDR	Windows Time	Windows Time, trusts
UDP	138	AWS Managed Microsoft AD VPC IPv4 CIDR	DFSN & NetLogon	DFS, group policy
All	All	AWS Managed Microsoft AD VPC IPv4 CIDR	All Traffic

Outbound Rules

Protocol	Port range	Destination	Type of traffic	Active Directory usage
All	All	0.0.0.0/0	All Traffic

For more information about the ports and protocols used by Active Directory, see Service overview and network port requirements for Windows in Microsoft documentation.

Creates a directory administrator account with the user name Admin and the specified password. This account is located under the Users OU (For example, Corp > Users). You use this account to manage your directory in the AWS Cloud. For more information, see AWS Managed Microsoft AD Administrator account permissions.

Important

Be sure to save this password. AWS Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the AWS Directory Service console or by using the ResetUserPassword API.

Creates the following three organizational units (OUs) under the domain root:

OU name	Description
AWS Delegated Groups	Stores all of the groups that you can use to delegate AWS specific permissions to your users.
AWS Reserved	Stores all AWS management specific accounts.
<yourdomainname>	The name of this OU is based off of the NetBIOS name you typed when you created your directory. If you did not specify a NetBIOS name, it will default to the first part of your Directory DNS name (for example, in the case of corp.example.com, the NetBIOS name would be corp). This OU is owned by AWS and contains all of your AWS-related directory objects, which you are granted Full Control over. Two child OUs exist under this OU by default; Computers and Users. For example: Corp Computers Users

Creates the following groups in the AWS Delegated Groups OU:

Group name	Description
AWS Delegated Account Operators	Members of this security group have limited account management capability such as password resets
AWS Delegated Active Directory Based Activation Administrators	Members of this security group can create Active Directory volume licensing activation objects, which enables enterprises to activate computers through a connection to their domain.
AWS Delegated Add Workstations To Domain Users	Members of this security group can join 10 computers to a domain.
AWS Delegated Administrators	Members of this security group can manage AWS Managed Microsoft AD, have full control of all the objects in your OU and can manage groups contained in the AWS Delegated Groups OU.
AWS Delegated Allowed to Authenticate Objects	Members of this security group are provided the ability to authenticate to computer resources in the AWS Reserved OU (Only needed for on-premises objects with Selective Authentication enabled Trusts).
AWS Delegated Allowed to Authenticate to Domain Controllers	Members of this security group are provided the ability to authenticate to computer resources in the Domain Controllers OU (Only needed for on-premises objects with Selective Authentication enabled Trusts).
AWS Delegated Deleted Object Lifetime Administrators	Members of this security group can modify the msDS-DeletedObjectLifetime object, which defines how long a deleted object will be available to recover from the AD Recycle Bin.
AWS Delegated Distributed File System Administrators	Members of this security group can add and remove FRS, DFS-R, and DFS name spaces.
AWS Delegated Domain Name System Administrators	Members of this security group can manage Active Directory integrated DNS.
AWS Delegated Dynamic Host Configuration Protocol Administrators	Members of this security group can authorize Windows DHCP servers in the enterprise.
AWS Delegated Enterprise Certificate Authority Administrators	Members of this security group can deploy and manage Microsoft Enterprise Certificate Authority infrastructure.
AWS Delegated Fine Grained Password Policy Administrators	Members of this security group can modify precreated fine-grained password policies.
AWS Delegated FSx Administrators	Members of this security group are provided the ability to manage Amazon FSx resources.
AWS Delegated Group Policy Administrators	Members of this security group can perform group policy management tasks (create, edit, delete, link).
AWS Delegated Kerberos Delegation Administrators	Members of this security group can enable delegation on computer and user account objects.
AWS Delegated Managed Service Account Administrators	Members of this security group can create and delete Managed Service Accounts.
AWS Delegated MS-NPRC Non-Compliant Devices	Members of this security group will be provided an exclusion from requiring secure channel communications with domain controllers. This group is for computer accounts.
AWS Delegated Remote Access Service Administrators	Members of this security group can add and remove RAS servers from the RAS and IAS Servers group.
AWS Delegated Replicate Directory Changes Administrators	Members of this security group can synchronize profile information in Active Directory with SharePoint Server.
AWS Delegated Server Administrators	Members of this security group are included in the local administrators group on all domain joined computers.
AWS Delegated Sites and Services Administrators	Members of this security group can rename the Default-First-Site-Name object in Active Directory Sites and Services.
AWS Delegated System Management Administrators	Members of this security group can create and manage objects in the System Management container.
AWS Delegated Terminal Server Licensing Administrators	Members of this security group can add and remove Terminal Server License Servers from the Terminal Server License Servers group.
AWS Delegated User Principal Name Suffix Administrators	Members of this security group can add and remove user principal name suffixes.

Creates and applies the following Group Policy Objects (GPOs):

Note

You do not have permissions to delete, modify, or unlink these GPOs. This is by design as they are reserved for AWS use. You may link them to OUs that you control if needed.

Group policy name	Applies to	Description
Default Domain Policy	Domain	Includes domain password and Kerberos policies.
ServerAdmins	All non domain controller computer accounts	Adds the 'AWS Delegated Server Administrators' as a member of the BUILTIN\Administrators Group.
AWS Reserved Policy:User	AWS Reserved user accounts	Sets recommended security settings on all user accounts in the AWS Reserved OU.
AWS Managed Active Directory Policy	All domain controllers	Sets recommended security settings on all domain controllers.
TimePolicyNT5DS	All non PDCe domain controllers	Sets all non PDCe domain controllers time policy to use Windows Time (NT5DS).
TimePolicyPDC	The PDCe domain controller	Sets the PDCe domain controller's time policy to use Network Time Protocol (NTP).
Default Domain Controllers Policy	Not used	Provisioned during domain creation, AWS Managed Active Directory Policy is used in its place.

If you would like to see the settings of each GPO, you can view them from a domain joined Windows instance with the Group policy management console (GPMC) enabled.

Creates the following default local accounts for AWS Managed Microsoft AD management:

Important

Be sure to save the admin password. AWS Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the AWS Directory Service console or by using the ResetUserPassword API.

Admin: The admin is the directory administrator account created when the AWS Managed Microsoft AD is first created. You provide a password for this account when you create an AWS Managed Microsoft AD. This account is located under the Users OU (For example, Corp > Users). You use this account to manage your Active Directory in the AWS. For more information, see AWS Managed Microsoft AD Administrator account permissions.
AWS_11111111111: Any account name starting with AWS followed by an underscore and located in AWS Reserved OU is a service-managed account. This service-managed account is used by AWS to interact with the Active Directory. These accounts are created when AWS Directory Service Data is enabled and with each new AWS application is authorized on Active Directory. These accounts are only accessible by AWS services.