AWS Directory Service
Administration Guide (Version 1.0)

Simple AD Prerequisites

To create a Simple AD directory, you need a VPC with the following:

  • At least two subnets. For Simple AD to install correctly, you must install your two domain controllers in separate subnets that must be in a different Availability Zone. In addition, the subnets must be in the same Classless Inter-Domain Routing (CIDR) range. If you want to extend or resize the VPC for your directory, then make sure to select both of the domain controller subnets for the extended VPC CIDR range.

  • The following ports must be open between the two subnets that you deploy your directory into. This is necessary to allow the domain controllers that AWS Directory Service creates for you to communicate with each other.

    • TCP/UDP 53 - DNS

    • TCP/UDP 88 - Kerberos authentication

    • UDP 123 - NTP

    • TCP 135 - RPC

    • UDP 137-138 - Netlogon

    • TCP 139 - Netlogon

    • TCP/UDP 389 - LDAP

    • TCP/UDP 445 - SMB

    • TCP 636 - LDAPS (LDAP over TLS/SSL)

    • TCP 873 - Rsync

    • TCP 3268 - Global Catalog

    • TCP/UDP 1024-65535 - Ephemeral ports for RPC

  • The VPC must have default hardware tenancy.

  • If you require LDAPS support with Simple AD, we recommend that you configure it using an Elastic Load Balancer and HA Proxy running on EC2 instances. This model enables you to use a strong certificate for the LDAPS connection, simplify access to LDAPS through a single ELB IP address, and have automatic fail-over through the HA Proxy. For more information about how to configure LDAPS with Simple AD, see How to Configure an LDAPS Endpoint for Simple AD in the AWS Security Blog.

  • The following encryption types must be enabled in the directory:

    • RC4_HMAC_MD5

    • AES128_HMAC_SHA1

    • AES256_HMAC_SHA1

    • Future encryption types


      Disabling these encryption types can cause communication issues with RSAT (Remote Server Administration Tools) and impact the availability or your directory.