Getting started with AWS Managed Microsoft AD - AWS Directory Service

Getting started with AWS Managed Microsoft AD

AWS Managed Microsoft AD creates a fully managed, Microsoft Active Directory in the AWS Cloud and is powered by Windows Server 2019 and operates at the 2012 R2 Forest and Domain functional levels. When you create a directory with AWS Managed Microsoft AD, AWS Directory Service creates two domain controllers and adds the DNS service on your behalf. The domain controllers are created in different subnets in an Amazon VPC this redundancy helps ensure that your directory remains accessible even if a failure occurs. If you need more domain controllers, you can add them later. For more information, see Deploy additional domain controllers.

AWS Managed Microsoft AD prerequisites

To create a AWS Managed Microsoft AD Active Directory, you need an Amazon VPC with the following:

  • At least two subnets. Each of the subnets must be in a different Availability Zone.

  • The VPC must have default hardware tenancy.

  • You cannot create a AWS Managed Microsoft AD in a VPC using addresses in the 198.18.0.0/15 address space.

If you need to integrate your AWS Managed Microsoft AD domain with an existing on-premises Active Directory domain, you must have the Forest and Domain functional levels for your on-premises domain set to Windows Server 2003 or higher.

AWS Directory Service uses a two VPC structure. The EC2 instances which make up your directory run outside of your AWS account, and are managed by AWS. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter, and exists outside of your account. ETH1 is created within your account.

The management IP range of your directory's ETH0 network is 198.18.0.0/15.

AWS IAM Identity Center prerequisites

If you plan to use IAM Identity Center with AWS Managed Microsoft AD, you need to ensure that the following are true:

  • Your AWS Managed Microsoft AD directory is set up in your AWS organization’s management account.

  • Your instance of IAM Identity Center is in the same Region where your AWS Managed Microsoft AD directory is set up.

For more information, see IAM Identity Center prerequisites in the AWS IAM Identity Center User Guide.

Multi-factor authentication prerequisites

To support multi-factor authentication with your AWS Managed Microsoft AD directory, you must configure either your on-premises or cloud-based Remote Authentication Dial-In User Service (RADIUS) server in the following way so that it can accept requests from your AWS Managed Microsoft AD directory in AWS.

  1. On your RADIUS server, create two RADIUS clients to represent both of the AWS Managed Microsoft AD domain controllers (DCs) in AWS. You must configure both clients using the following common parameters (your RADIUS server may vary):

    • Address (DNS or IP): This is the DNS address for one of the AWS Managed Microsoft AD DCs. Both DNS addresses can be found in the AWS Directory Service Console on the Details page of the AWS Managed Microsoft AD directory in which you plan to use MFA. The DNS addresses displayed represent the IP addresses for both of the AWS Managed Microsoft AD DCs that are used by AWS.

      Note

      If your RADIUS server supports DNS addresses, you must create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each AWS Managed Microsoft AD DC.

    • Port number: Configure the port number for which your RADIUS server accepts RADIUS client connections. The standard RADIUS port is 1812.

    • Shared secret: Type or generate a shared secret that the RADIUS server will use to connect with RADIUS clients.

    • Protocol: You might need to configure the authentication protocol between the AWS Managed Microsoft AD DCs and the RADIUS server. Supported protocols are PAP, CHAP MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the three options.

    • Application name: This may be optional in some RADIUS servers and usually identifies the application in messages or reports.

  2. Configure your existing network to allow inbound traffic from the RADIUS clients (AWS Managed Microsoft AD DCs DNS addresses, see Step 1) to your RADIUS server port.

  3. Add a rule to the Amazon EC2 security group in your AWS Managed Microsoft AD domain that allows inbound traffic from the RADIUS server DNS address and port number defined previously. For more information, see Adding rules to a security group in the EC2 User Guide.

For more information about using AWS Managed Microsoft AD with MFA, see Enable multi-factor authentication for AWS Managed Microsoft AD.

Create your AWS Managed Microsoft AD Active Directory

To create a new directory, perform the following steps. Before starting this procedure, make sure that you have completed the prerequisites identified in AWS Managed Microsoft AD prerequisites.

To create an AWS Managed Microsoft AD directory
  1. In the AWS Directory Service console navigation pane, choose Directories and then choose Set up directory.

  2. On the Select directory type page, choose AWS Managed Microsoft AD, and then choose Next.

  3. On the Enter directory information page, provide the following information:

    Edition

    Choose from either the Standard Edition or Enterprise Edition of AWS Managed Microsoft AD. For more information about editions, see AWS Directory Service for Microsoft Active Directory.

    Directory Domain Name System (DNS) name

    The fully qualified name for the directory, such as corp.example.com.

    Note

    If you plan on using Amazon Route 53 for DNS, the domain name of your AWS Managed Microsoft AD must be different than your Route 53 domain name. DNS resolution issues can occur if Route 53 and AWS Managed Microsoft AD share the same domain name.

    Directory NetBIOS name

    The short name for the directory, such as CORP.

    Directory description

    An optional description for the directory.

    Admin password

    The password for the directory administrator. The directory creation process creates an administrator account with the user name Admin and this password.

    The password cannot include the word "admin."

    The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:

    • Lowercase letters (a-z)

    • Uppercase letters (A-Z)

    • Numbers (0-9)

    • Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

    Confirm password

    Retype the administrator password.

  4. On the Choose VPC and subnets page, provide the following information, and then choose Next.

    VPC

    The VPC for the directory.

    Subnets

    Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.

  5. On the Review & create page, review the directory information and make any necessary changes. When the information is correct, choose Create directory. Creating the directory takes 20 to 40 minutes. Once created, the Status value changes to Active.

What gets created with your AWS Managed Microsoft AD Active Directory

When you create an Active Directory with AWS Managed Microsoft AD, AWS Directory Service performs the following tasks on your behalf:

  • Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs are essential for connectivity between your VPC and AWS Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with AWS Directory Service by the description: "AWS created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide for Windows Instances. The default DNS Server of the AWS Managed Microsoft AD Active Directory is the VPC DNS server at Classless Inter-Domain Routing (CIDR)+2. For more information, see Amazon DNS server in Amazon VPC User Guide.

    Note

    Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon VPC (VPC). Backups are automatically taken once per day, and the Amazon EBS (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

  • Provisions Active Directory within your VPC using two domain controllers for fault tolerance and high availability. More domain controllers can be provisioned for higher resiliency and performance after the directory has been successfully created and is Active. For more information, see Deploy additional domain controllers.

    Note

    AWS does not allow the installation of monitoring agents on AWS Managed Microsoft AD domain controllers.

  • Creates an AWS security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic ENIs or instances attached to the created AWS Security Group. The default inbound rules allows only traffic through ports that are required by Active Directory from any source (0.0.0.0/0). The 0.0.0.0/0 rules do not introduce security vulnerabilities as traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using AWS Direct Connect, AWS Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC and VPC routed traffic. Use extreme caution if you attempt to change these rules as you may break your ability to communicate with your domain controllers. For more information, see Best practices for AWS Managed Microsoft AD. The following AWS Security Group rules are created by default:

    Inbound Rules

    Protocol Port range Source Type of traffic Active Directory usage
    ICMP N/A 0.0.0.0/0 Ping LDAP Keep Alive, DFS
    TCP & UDP 53 0.0.0.0/0 DNS User and computer authentication, name resolution, trusts
    TCP & UDP 88 0.0.0.0/0 Kerberos User and computer authentication, forest level trusts
    TCP & UDP 389 0.0.0.0/0 LDAP Directory, replication, user and computer authentication group policy, trusts
    TCP & UDP 445 0.0.0.0/0 SMB / CIFS Replication, user and computer authentication, group policy, trusts
    TCP & UDP 464 0.0.0.0/0 Kerberos change / set password Replication, user and computer authentication, trusts
    TCP 135 0.0.0.0/0 Replication RPC, EPM
    TCP 636 0.0.0.0/0 LDAP SSL Directory, replication, user and computer authentication, group policy, trusts
    TCP 1024 - 65535 0.0.0.0/0 RPC Replication, user and computer authentication, group policy, trusts
    TCP 3268 - 3269 0.0.0.0/0 LDAP GC & LDAP GC SSL Directory, replication, user and computer authentication, group policy, trusts
    UDP 123 0.0.0.0/0 Windows Time Windows Time, trusts
    UDP 138 0.0.0.0/0 DFSN & NetLogon DFS, group policy
    All All sg-################## All Traffic

    Outbound Rules

    Protocol Port range Destination Type of traffic Active Directory usage
    All All sg-################## All Traffic
  • For more information about the ports and protocols used by Active Directory, see Service overview and network port requirements for Windows in Microsoft documentation.

  • Creates a directory administrator account with the user name Admin and the specified password. This account is located under the Users OU (For example, Corp > Users). You use this account to manage your directory in the AWS Cloud. For more information, see Permissions for the Administrator account.

    Important

    Be sure to save this password. AWS Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the AWS Directory Service console or by using the ResetUserPassword API.

  • Creates the following three organizational units (OUs) under the domain root:

    OU name Description

    AWS Delegated Groups

    Stores all of the groups that you can use to delegate AWS specific permissions to your users.
    AWS Reserved Stores all AWS management specific accounts.
    <yourdomainname> The name of this OU is based off of the NetBIOS name you typed when you created your directory. If you did not specify a NetBIOS name, it will default to the first part of your Directory DNS name (for example, in the case of corp.example.com, the NetBIOS name would be corp). This OU is owned by AWS and contains all of your AWS-related directory objects, which you are granted Full Control over. Two child OUs exist under this OU by default; Computers and Users. For example:
    • Corp

      • Computers

      • Users

  • Creates the following groups in the AWS Delegated Groups OU:

    Group name Description
    AWS Delegated Account Operators Members of this security group have limited account management capability such as password resets

    AWS Delegated Active Directory Based Activation Administrators

    Members of this security group can create Active Directory volume licensing activation objects, which enables enterprises to activate computers through a connection to their domain.

    AWS Delegated Add Workstations To Domain Users Members of this security group can join 10 computers to a domain.
    AWS Delegated Administrators Members of this security group can manage AWS Managed Microsoft AD, have full control of all the objects in your OU and can manage groups contained in the AWS Delegated Groups OU.
    AWS Delegated Allowed to Authenticate Objects Members of this security group are provided the ability to authenticate to computer resources in the AWS Reserved OU (Only needed for on-premises objects with Selective Authentication enabled Trusts).
    AWS Delegated Allowed to Authenticate to Domain Controllers Members of this security group are provided the ability to authenticate to computer resources in the Domain Controllers OU (Only needed for on-premises objects with Selective Authentication enabled Trusts).

    AWS Delegated Deleted Object Lifetime Administrators

    Members of this security group can modify the msDS-DeletedObjectLifetime object, which defines how long a deleted object will be available to recover from the AD Recycle Bin.

    AWS Delegated Distributed File System Administrators Members of this security group can add and remove FRS, DFS-R, and DFS name spaces.
    AWS Delegated Domain Name System Administrators Members of this security group can manage Active Directory integrated DNS.
    AWS Delegated Dynamic Host Configuration Protocol Administrators Members of this security group can authorize Windows DHCP servers in the enterprise.
    AWS Delegated Enterprise Certificate Authority Administrators Members of this security group can deploy and manage Microsoft Enterprise Certificate Authority infrastructure.
    AWS Delegated Fine Grained Password Policy Administrators Members of this security group can modify precreated fine-grained password policies.
    AWS Delegated FSx Administrators Members of this security group are provided the ability to manage Amazon FSx resources.
    AWS Delegated Group Policy Administrators Members of this security group can perform group policy management tasks (create, edit, delete, link).
    AWS Delegated Kerberos Delegation Administrators Members of this security group can enable delegation on computer and user account objects.
    AWS Delegated Managed Service Account Administrators Members of this security group can create and delete Managed Service Accounts.
    AWS Delegated MS-NPRC Non-Compliant Devices Members of this security group will be provided an exclusion from requiring secure channel communications with domain controllers. This group is for computer accounts.
    AWS Delegated Remote Access Service Administrators Members of this security group can add and remove RAS servers from the RAS and IAS Servers group.
    AWS Delegated Replicate Directory Changes Administrators Members of this security group can synchronize profile information in Active Directory with SharePoint Server.
    AWS Delegated Server Administrators Members of this security group are included in the local administrators group on all domain joined computers.
    AWS Delegated Sites and Services Administrators Members of this security group can rename the Default-First-Site-Name object in Active Directory Sites and Services.
    AWS Delegated System Management Administrators Members of this security group can create and manage objects in the System Management container.
    AWS Delegated Terminal Server Licensing Administrators Members of this security group can add and remove Terminal Server License Servers from the Terminal Server License Servers group.
    AWS Delegated User Principal Name Suffix Administrators Members of this security group can add and remove user principal name suffixes.
  • Creates and applies the following Group Policy Objects (GPOs):

    Note

    You do not have permissions to delete, modify, or unlink these GPOs. This is by design as they are reserved for AWS use. You may link them to OUs that you control if needed.

    Group policy name Applies to Description
    Default Domain Policy Domain Includes domain password and Kerberos policies.
    ServerAdmins All non domain controller computer accounts Adds the 'AWS Delegated Server Administrators' as a member of the BUILTIN\Administrators Group.
    AWS Reserved Policy:User AWS Reserved user accounts Sets recommended security settings on all user accounts in the AWS Reserved OU.
    AWS Managed Active Directory Policy All domain controllers Sets recommended security settings on all domain controllers.
    TimePolicyNT5DS All non PDCe domain controllers Sets all non PDCe domain controllers time policy to use Windows Time (NT5DS).
    TimePolicyPDC The PDCe domain controller Sets the PDCe domain controller's time policy to use Network Time Protocol (NTP).
    Default Domain Controllers Policy Not used Provisioned during domain creation, AWS Managed Active Directory Policy is used in its place.

    If you would like to see the settings of each GPO, you can view them from a domain joined Windows instance with the Group policy management console (GPMC) enabled.

Permissions for the Administrator account

When you create an AWS Directory Service for Microsoft Active Directory directory, AWS creates an organizational unit (OU) to store all AWS related groups and accounts. For more information about this OU, see What gets created with your AWS Managed Microsoft AD Active Directory. This includes the Admin account. The Admin account has permissions to perform the following common administrative activities for your OU:

The Admin account also has rights to perform the following domainwide activities:

  • Manage DNS configurations (add, remove, or update records, zones, and forwarders)

  • View DNS event logs

  • View security event logs

Only the actions listed here are allowed for the Admin account. The Admin account also lacks permissions for any directory-related actions outside of your specific OU, such as on the parent OU.

Important

AWS Domain Administrators have full administrative access to all domains hosted on AWS. See your agreement with AWS and the AWS data protection FAQ for more information about how AWS handles content, including directory information, that you store on AWS systems.

Note

We recommend that you do not delete or rename this account. If you no longer want to use the account, we recommend you set a long password (at most 64 random characters) and then disable the account.

Enterprise and domain administrator privileged accounts

AWS automatically rotates the built-in Administrator password to a random password every 90 days. Anytime the built in Administrator password is requested for human use an AWS ticket is created and logged with the AWS Directory Service team. Account credentials are encrypted and handled over secure channels. Also the Administrator account credentials can only be requested by the AWS Directory Service management team.

To perform operational management of your directory, AWS has exclusive control of accounts with Enterprise Administrator and Domain Administrator privileges. This includes exclusive control of the Active Directory administrator account. AWS protects this account by automating password management through the use of a password vault. During automated rotation of the administrator password, AWS creates a temporary user account and grants it Domain Administrator privileges. This temporary account is used as a back-up in the event of password rotation failure on the administrator account. After AWS successfully rotates the administrator password, AWS deletes the temporary administrator account.

Normally AWS operates the directory entirely through automation. In the event that an automation process is unable to resolve an operational problem, AWS may need to have a support engineer sign in to your domain controller (DC) to perform diagnosis. In these rare cases, AWS implements a request/notification system to grant access. In this process, AWS automation creates a time-limited user account in your directory that has Domain Administrator permissions. AWS associates the user account with the engineer who is assigned to work on your directory. AWS records this association in our log system and provides the engineer with the credentials to use. All actions taken by the engineer are logged in the Windows event logs. When the allocated time elapses, automation deletes the user account.

You can monitor administrative account actions by using the log forwarding feature of your directory. This feature enables you to forward the AD Security events to your CloudWatch system where you can implement monitoring solutions. For more information, see Enable log forwarding.

Security Event IDs 4624, 4672 and 4648 are all logged when someone logs onto a DC interactively. You can view each DC’s Windows Security event log using the Event Viewer Microsoft Management Console (MMC) from a domain joined Windows computer. You can also Enable log forwarding to send all of the Security event logs to CloudWatch Logs in your account.

You might occasionally see users created and deleted within the AWS Reserved OU. AWS is responsible for the management and security of all objects in this OU and any other OU or container where we have not delegated permissions for you to access and manage. You may see creations and deletions in that OU. This is because AWS Directory Service uses automation to rotate the Domain Administrator password on a regular basis. When the password is rotated, a backup is created in the event that the rotation fails. Once the rotation is successful, the backup account is automatically deleted. Also in the rare event that interactive access is needed on the DCs for troubleshooting purposes, a temporary user account is created for an AWS Directory Service engineer to use. Once an engineer has completed their work, the temporary user account will be deleted. Note that every time interactive credentials are requested for a directory, the AWS Directory Service management team is notified.