AWS Directory Service
Administration Guide (Version 1.0)


AWS Managed Microsoft AD Prerequisites

To create an AWS Managed Microsoft AD directory, you need a VPC with the following:

  • At least two subnets. Each of the subnets must be in a different Availability Zone.

  • The VPC must have default hardware tenancy.

  • You cannot create an AWS Managed Microsoft AD in a VPC that uses addresses in the 198.18.0.0/15 address space.

  • AWS Directory Service does not support using Network Address Translation (NAT) with Active Directory. Using NAT can result in replication errors.

If you need to integrate your AWS Managed Microsoft AD domain with an existing on-premises Active Directory domain, you must have the functional level for your on-premises domain set to Windows Server 2003 or higher.

AWS Directory Service uses a two-VPC structure. The EC2 instances that make up your directory run outside of your AWS account and are managed by AWS. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter and exists outside of your account. ETH1 is created within your account.

The management IP range of your directory's ETH0 network is chosen programmatically to ensure it does not conflict with the VPC where your directory is deployed. This IP range can be in either of the following pairs (as Directories run in two subnets):

  • 10.0.1.0/24 & 10.0.2.0/24

  • 192.168.1.0/24 & 192.168.2.0/24

We avoid conflicts by checking the first octet of the ETH1 CIDR. If it starts with 10, we choose a 192.168.0.0/16 VPC with 192.168.1.0/24 and 192.168.2.0/24 subnets. If the first octet is anything other than 10, we choose a 10.0.0.0/16 VPC with 10.0.1.0/24 and 10.0.2.0/24 subnets.

The selection algorithm does not take the routes in your VPC into account. It is therefore still possible for an IP routing conflict to result from this scenario (for example, when a VPN, Direct Connect, or peering route in your VPC covers the chosen management range).
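The following added example (not code from the AWS guide) works through the VPC prerequisites above and the ETH0 range selection rule, and then performs the route check that the guide says the selection itself skips. It models the rule as described: the first octet of the ETH1 VPC CIDR decides which of the two management ranges is used, and any route destination in your VPC that overlaps the resulting management subnets is reported as a conflict before you create the directory. The function and variable names, and the sample CIDRs and Availability Zone names, are assumptions chosen for illustration.

```python
import ipaddress

# Range the guide says a directory VPC must not use (IPv4 benchmark range).
FORBIDDEN_RANGE = ipaddress.ip_network("198.18.0.0/15")

# The two candidate management (ETH0) VPC/subnet pairs listed in the guide.
MGMT_10 = ("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"])
MGMT_192 = ("192.168.0.0/16", ["192.168.1.0/24", "192.168.2.0/24"])


def management_range(eth1_cidr):
    """Return (vpc_cidr, [subnet, subnet]) that the selection rule yields for
    ETH0, given the CIDR of the customer VPC that will hold ETH1."""
    net = ipaddress.ip_network(eth1_cidr, strict=False)
    first_octet = int(str(net.network_address).split(".")[0])
    # First octet 10 -> 192.168.0.0/16 management VPC; anything else -> 10.0.0.0/16.
    return MGMT_192 if first_octet == 10 else MGMT_10


def route_conflicts(eth1_cidr, route_destinations):
    """List (route_destination, management_subnet) pairs that overlap.

    route_destinations are the destination CIDRs from the customer VPC's route
    tables (VPN, Direct Connect, peering, ...). The guide warns the selection
    rule ignores these, so this is the check you run yourself."""
    _, mgmt_subnets = management_range(eth1_cidr)
    conflicts = []
    for dest in route_destinations:
        dest_net = ipaddress.ip_network(dest, strict=False)
        for subnet in mgmt_subnets:
            if dest_net.overlaps(ipaddress.ip_network(subnet)):
                conflicts.append((dest, subnet))
    return conflicts


def vpc_prerequisite_errors(vpc_cidr, subnets, tenancy="default"):
    """Check the VPC prerequisites from the guide.

    subnets: list of (subnet_cidr, availability_zone) tuples.
    Returns a list of human-readable problems; empty means the VPC qualifies."""
    errors = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    if vpc.overlaps(FORBIDDEN_RANGE):
        errors.append("VPC CIDR overlaps 198.18.0.0/15")
    if tenancy != "default":
        errors.append("VPC tenancy must be default")
    zones = {az for _, az in subnets}
    if len(subnets) < 2 or len(zones) < 2:
        errors.append("need at least two subnets in different Availability Zones")
    for cidr, _ in subnets:
        if not ipaddress.ip_network(cidr, strict=False).subnet_of(vpc):
            errors.append(f"subnet {cidr} is not inside {vpc_cidr}")
    return errors


if __name__ == "__main__":
    # Constructed sample: a 172.31.0.0/16 VPC with two subnets in two AZs and a
    # VPN route for the whole 10.0.0.0/8 corporate network.
    vpc_cidr = "172.31.0.0/16"
    subnets = [("172.31.1.0/24", "us-east-1a"), ("172.31.2.0/24", "us-east-1b")]
    routes = ["172.31.0.0/16", "10.0.0.0/8"]
    print("prerequisite errors:", vpc_prerequisite_errors(vpc_cidr, subnets))
    print("management range:", management_range(vpc_cidr))
    print("route conflicts:", route_conflicts(vpc_cidr, routes))
```

In the sample run the VPC passes the prerequisites, the rule selects 10.0.0.0/16 for ETH0 (because the ETH1 VPC does not start with 10), and the 10.0.0.0/8 VPN route is flagged as overlapping both management subnets, which is exactly the conflict the guide says the selection will not catch for you.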

Multi-factor Authentication Prerequisites

To support multi-factor authentication with your AWS Managed Microsoft AD directory, you must configure your on-premises or cloud-based Remote Authentication Dial-In User Service (RADIUS) server as follows so that it accepts requests from your AWS Managed Microsoft AD directory in AWS.

  1. On your RADIUS server, create two RADIUS clients to represent both of the AWS Managed Microsoft AD domain controllers (DCs) in AWS. You must configure both clients using the following common parameters (your RADIUS server may vary):

    • Address (DNS or IP): This is the DNS address for one of the AWS Managed Microsoft AD DCs. Both DNS addresses can be found in the AWS Directory Service Console on the Details page of the AWS Managed Microsoft AD directory in which you plan to use MFA. The DNS addresses displayed represent the IP addresses for both of the AWS Managed Microsoft AD DCs that are used by AWS.

      Note

      If your RADIUS server supports DNS addresses, you must create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each AWS Managed Microsoft AD DC.

    • Port number: Configure the port number for which your RADIUS server accepts RADIUS client connections. The standard RADIUS port is 1812.

    • Shared secret: Type or generate a shared secret that the RADIUS server will use to connect with RADIUS clients.

    • Protocol: You might need to configure the authentication protocol between the AWS Managed Microsoft AD DCs and the RADIUS server. Supported protocols are PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the options.

    • Application name: This may be optional in some RADIUS servers and usually identifies the application in messages or reports.

  2. Configure your existing network to allow inbound traffic from the RADIUS clients (AWS Managed Microsoft AD DCs DNS addresses, see Step 1) to your RADIUS server port.

  3. Add a rule to the Amazon EC2 security group in your AWS Managed Microsoft AD domain that allows inbound traffic from the RADIUS server DNS address and port number defined previously. For more information, see Adding Rules to a Security Group in the EC2 User Guide.
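The three steps above, as an added example that is not part of the AWS guide: it generates a shared secret for the RADIUS clients, renders one FreeRADIUS `clients.conf` stanza per domain controller address (Step 1), and builds the security group ingress entry for Step 3 in the `IpPermissions` shape that the EC2 API's `AuthorizeSecurityGroupIngress` call takes. The guide does not name a RADIUS product, so FreeRADIUS and its `clients.conf` syntax are an assumption; the DC hostnames, the RADIUS server address and the function names are constructed for illustration. RADIUS authentication runs over UDP, so the rule uses UDP on the port from Step 1.

```python
import ipaddress
import secrets

RADIUS_PORT = 1812  # standard RADIUS authentication port, as stated in the guide


def new_shared_secret(nbytes=32):
    """Generate a random shared secret to enter on both the RADIUS server
    and the AWS Managed Microsoft AD MFA settings (Step 1, 'Shared secret')."""
    return secrets.token_urlsafe(nbytes)


def freeradius_clients(dc_addresses, shared_secret):
    """Render FreeRADIUS clients.conf stanzas, one per DC address (Step 1).

    dc_addresses: the DC addresses shown on the directory's Details page in the
    AWS Directory Service console. Pass the DNS names if the RADIUS server
    resolves them, otherwise the DC IP addresses."""
    stanzas = []
    for i, addr in enumerate(dc_addresses, start=1):
        stanzas.append(
            f"client aws_managed_ad_dc{i} {{\n"
            f"    ipaddr = {addr}\n"
            f"    secret = {shared_secret}\n"
            f"    shortname = aws_managed_ad_dc{i}\n"
            f"}}\n"
        )
    return "\n".join(stanzas)


def ec2_radius_ingress(radius_server_ip, port=RADIUS_PORT):
    """Security group rule for Step 3: inbound UDP on the RADIUS port from the
    RADIUS server's address only. Returns one IpPermissions entry suitable for
    EC2 AuthorizeSecurityGroupIngress (for example via boto3)."""
    host = ipaddress.ip_address(radius_server_ip)  # raises on a malformed address
    return {
        "IpProtocol": "udp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": f"{host}/32", "Description": "RADIUS server for MFA"}],
    }


def onprem_firewall_rules(dc_addresses, port=RADIUS_PORT):
    """Step 2 as data: (source, destination_port, protocol) tuples to allow on
    the network in front of the RADIUS server, one per DC address."""
    return [(addr, port, "udp") for addr in dc_addresses]


if __name__ == "__main__":
    # Constructed sample values; replace with the addresses from your console.
    dcs = ["dc1.corp.example.internal", "dc2.corp.example.internal"]
    secret = new_shared_secret()
    print(freeradius_clients(dcs, secret))
    print(onprem_firewall_rules(dcs))
    print(ec2_radius_ingress("192.0.2.25"))
```

The same secret string must be entered in the directory's MFA configuration; keep it out of version control and rotate it by regenerating and updating both sides. The security group entry restricts the source to a /32 so that only the RADIUS server can reach the directory on that port.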

For more information about using AWS Managed Microsoft AD with MFA, see Enable Multi-Factor Authentication for AWS Managed Microsoft AD.