What gets created - AWS Directory Service

What gets created

When you create a directory with AWS Managed Microsoft AD, AWS Directory Service performs the following tasks on your behalf:

  • Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs is essential for connectivity between your VPC and AWS Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with AWS Directory Service by the description: "AWS created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide for Windows Instances.

    Note

    Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

  • Provisions Active Directory within your VPC using two domain controllers for fault tolerance and high availability. More domain controllers can be provisioned for higher resiliency and performance after the directory has been successfully created and is Active. For more information, see Deploy additional domain controllers.

    Note

    AWS does not allow the installation of monitoring agents on AWS Managed Microsoft AD domain controllers.

  • Creates an AWS security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to ENIs or instances attached to the created AWS security group. The default inbound rules allow only traffic through ports that are required by Active Directory from any source (0.0.0.0/0). The 0.0.0.0/0 rules do not introduce security vulnerabilities because traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using AWS Direct Connect, AWS Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your AWS Managed Microsoft AD is local VPC and VPC routed traffic. Use extreme caution if you attempt to change these rules, as you may break your ability to communicate with your domain controllers. The following AWS security group rules are created by default:

    Inbound Rules

    | Protocol | Port range | Source | Type of traffic | Active Directory usage |
    |---|---|---|---|---|
    | ICMP | N/A | 0.0.0.0/0 | Ping | None |
    | TCP & UDP | 53 | 0.0.0.0/0 | DNS | User and computer authentication, name resolution, trusts |
    | TCP & UDP | 88 | 0.0.0.0/0 | Kerberos | User and computer authentication, forest level trusts |
    | TCP & UDP | 389 | 0.0.0.0/0 | LDAP | Directory, replication, user and computer authentication, group policy, trusts |
    | TCP & UDP | 445 | 0.0.0.0/0 | SMB / CIFS | Replication, user and computer authentication, group policy, trusts |
    | TCP & UDP | 464 | 0.0.0.0/0 | Kerberos change / set password | Replication, user and computer authentication, trusts |
    | TCP | 135 | 0.0.0.0/0 | Replication | RPC, EPM |
    | TCP | 636 | 0.0.0.0/0 | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts |
    | TCP | 1024 - 65535 | 0.0.0.0/0 | RPC | Replication, user and computer authentication, group policy, trusts |
    | TCP | 3268 - 3269 | 0.0.0.0/0 | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts |
    | UDP | 123 | 0.0.0.0/0 | Windows Time | Windows Time, trusts |
    | UDP | 138 | 0.0.0.0/0 | DFSN & NetLogon | DFS, group policy |
    | All | All | sg-################## | All Traffic | |

    Outbound Rules

    | Protocol | Port range | Destination | Type of traffic | Active Directory usage |
    |---|---|---|---|---|
    | All | All | sg-################## | All Traffic | |

  • Creates a directory administrator account with the user name Admin and the specified password. This account is located under the Users OU (for example, Corp > Users). You use this account to manage your directory in the AWS Cloud. For more information, see Admin account.

    Important

    Be sure to save this password. AWS Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the AWS Directory Service console or by using the ResetUserPassword API.

  • Creates the following three organizational units (OUs) under the domain root:

    | OU name | Description |
    |---|---|
    | AWS Delegated Groups | Stores all of the groups that you can use to delegate AWS specific permissions to your users. |
    | AWS Reserved | Stores all AWS management specific accounts. |
    | <yourdomainname> | The name of this OU is based off of the NetBIOS name you typed when you created your directory. If you did not specify a NetBIOS name, it will default to the first part of your Directory DNS name (for example, in the case of corp.example.com, the NetBIOS name would be corp). This OU is owned by AWS and contains all of your AWS-related directory objects, which you are granted Full Control over. Two child OUs exist under this OU by default: Computers and Users. For example: Corp > Computers and Corp > Users. |

  • Creates the following groups in the AWS Delegated Groups OU:

    | Group name | Description |
    |---|---|
    | AWS Delegated Account Operators | Members of this security group have limited account management capability such as password resets and unlocks |
    | AWS Delegated Active Directory Based Activation Administrators | Members of this security group can create Active Directory volume licensing activation objects, which enables enterprises to activate computers through a connection to their domain. |
    | AWS Delegated Add Workstations To Domain Users | Members of this security group can join 10 computers to a domain. |
    | AWS Delegated Administrators | Members of this security group can manage AWS Managed Microsoft AD, have full control of all the objects in your OU and can manage groups contained in the AWS Delegated Groups OU. |
    | AWS Delegated Allowed to Authenticate Objects | Members of this security group are provided the ability to authenticate to computer resources in the AWS Reserved OU (Only needed for on-premises objects with Selective Authentication enabled Trusts). |
    | AWS Delegated Allowed to Authenticate to Domain Controllers | Members of this security group are provided the ability to authenticate to computer resources in the Domain Controllers OU (Only needed for on-premises objects with Selective Authentication enabled Trusts). |
    | AWS Delegated Deleted Object Lifetime Administrators | Members of this security group can modify the msDS-DeletedObjectLifetime object, which defines how long a deleted object will be available to recover from the AD Recycle Bin. |
    | AWS Delegated Distributed File System Administrators | Members of this security group can add and remove FRS, DFS-R, and DFS name spaces. |
    | AWS Delegated Domain Name System Administrators | Members of this security group can manage Active Directory integrated DNS. |
    | AWS Delegated Dynamic Host Configuration Protocol Administrators | Members of this security group can authorize Windows DHCP servers in the enterprise. |
    | AWS Delegated Enterprise Certificate Authority Administrators | Members of this security group can deploy and manage Microsoft Enterprise Certificate Authority infrastructure. |
    | AWS Delegated Fine Grained Password Policy Administrators | Members of this security group can modify precreated fine-grained password policies. |
    | AWS Delegated FSx Administrators | Members of this security group are provided the ability to manage Amazon FSx resources. |
    | AWS Delegated Group Policy Administrators | Members of this security group can perform group policy management tasks (create, edit, delete, link). |
    | AWS Delegated Kerberos Delegation Administrators | Members of this security group can enable delegation on computer and user account objects. |
    | AWS Delegated Managed Service Account Administrators | Members of this security group can create and delete Managed Service Accounts. |
    | AWS Delegated MS-NPRC Non-Compliant Devices | Members of this security group will be provided an exclusion from requiring secure channel communications with domain controllers. This group is for computer accounts. |
    | AWS Delegated Remote Access Service Administrators | Members of this security group can add and remove RAS servers from the RAS and IAS Servers group. |
    | AWS Delegated Replicate Directory Changes Administrators | Members of this security group can synchronize profile information in Active Directory with SharePoint Server. |
    | AWS Delegated Server Administrators | Members of this security group are included in the local administrators group on all domain joined computers. |
    | AWS Delegated Sites and Services Administrators | Members of this security group can rename the Default-First-Site-Name object in Active Directory Sites and Services. |
    | AWS Delegated System Management Administrators | Members of this security group can create and manage objects in the System Management container. |
    | AWS Delegated Terminal Server Licensing Administrators | Members of this security group can add and remove Terminal Server License Servers from the Terminal Server License Servers group. |
    | AWS Delegated User Principal Name Suffix Administrators | Members of this security group can add and remove user principal name suffixes. |

  • Creates and applies the following Group Policy Objects (GPOs):

    Note

    You do not have permissions to delete, modify, or unlink these GPOs. This is by design as they are reserved for AWS use. You may link them to OUs that you control if needed.

    | Group policy name | Applies to | Description |
    |---|---|---|
    | Default Domain Policy | Domain | Includes domain password and Kerberos policies. |
    | ServerAdmins | All non domain controller computer accounts | Adds the 'AWS Delegated Server Administrators' as a member of the BUILTIN\Administrators Group. |
    | AWS Reserved Policy:User | AWS Reserved user accounts | Sets recommended security settings on all user accounts in the AWS Reserved OU. |
    | AWS Managed Active Directory Policy | All domain controllers | Sets recommended security settings on all domain controllers. |
    | TimePolicyNT5DS | All non PDCe domain controllers | Sets all non PDCe domain controllers time policy to use Windows Time (NT5DS). |
    | TimePolicyPDC | The PDCe domain controller | Sets the PDCe domain controller's time policy to use Network Time Protocol (NTP). |
    | Default Domain Controllers Policy | Not used | Provisioned during domain creation; AWS Managed Active Directory Policy is used in its place. |

    If you would like to see the settings of each GPO, you can view them from a domain joined Windows instance with the Group Policy Management Console (GPMC) enabled.
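
The default inbound rules listed under the security group item above can serve as a baseline for detecting drift. The following is an added example, not AWS code: it compares the `IpPermissions` list that EC2 DescribeSecurityGroups returns for the directory's security group against those defaults. It assumes the masked sg-… source row refers to the group's own ID; the function names and the sample group ID are made up for illustration.

```python
ANY = "0.0.0.0/0"

def baseline_for(group_id):
    """Documented default inbound rules as {(protocol, from_port, to_port): source}."""
    rules = {("icmp", -1, -1): ANY}                 # -1/-1 = all ICMP types and codes
    for port in (53, 88, 389, 445, 464):            # the "TCP & UDP" rows
        rules[("tcp", port, port)] = rules[("udp", port, port)] = ANY
    for rule in (("tcp", 135, 135), ("tcp", 636, 636), ("tcp", 1024, 65535),
                 ("tcp", 3268, 3269), ("udp", 123, 123), ("udp", 138, 138)):
        rules[rule] = ANY
    rules[("-1", -1, -1)] = group_id                # assumption: sg-... row is the group itself
    return rules

def audit_inbound(group_id, ip_permissions):
    """Return (kind, rule, sources) drift findings for a list of IpPermissions."""
    baseline, seen, findings = baseline_for(group_id), set(), []
    for perm in ip_permissions:
        key = (perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1))
        sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                   + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                   + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
                   + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])])
        if baseline.get(key) in sources:            # documented source is present
            seen.add(key)
            sources.remove(baseline[key])
        if sources:                                 # any other source is drift
            findings.append(("unexpected", key, sources))
    findings += [("missing", k, [baseline[k]]) for k in sorted(set(baseline) - seen)]
    return findings

def default_permissions(group_id):
    """Constructed sample data: the defaults in DescribeSecurityGroups shape."""
    perms = []
    for (proto, lo, hi), src in baseline_for(group_id).items():
        perm = {"IpProtocol": proto}
        if proto != "-1":
            perm.update(FromPort=lo, ToPort=hi)
        field, item = ("UserIdGroupPairs", "GroupId") if src == group_id else ("IpRanges", "CidrIp")
        perm[field] = [{item: src}]
        perms.append(perm)
    return perms

if __name__ == "__main__":
    sg = "sg-0123456789abcdef0"                     # constructed placeholder ID
    perms = [p for p in default_permissions(sg) if p.get("FromPort") != 123]
    perms.append({"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                  "IpRanges": [{"CidrIp": ANY}]})
    for finding in audit_inbound(sg, perms):
        print(finding)
```

An empty result means the group still matches the documented defaults; each finding names the rule and the sources that differ.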