Getting started with Simple AD
Simple AD creates a fully managed, Samba-based directory in the AWS cloud. When you create a directory with Simple AD, AWS Directory Service creates two domain controllers and DNS servers on your behalf. The domain controllers are created in different subnets in an Amazon VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs.
Simple AD prerequisites
To create a Simple AD Active Directory, you need an Amazon VPC with the following:
- The VPC must have default hardware tenancy.
- The VPC must not be configured with the following VPC endpoint(s):
  - Route 53 VPC endpoints that include DNS conditional overrides for *.amazonaws.com which resolve to non-public AWS IP addresses
- At least two subnets in two different Availability Zones. The subnets must be in the same Classless Inter-Domain Routing (CIDR) range. If you want to extend or resize the VPC for your directory, then make sure to select both of the domain controller subnets for the extended VPC CIDR range. When you create a Simple AD, AWS Directory Service creates two domain controllers and DNS servers on your behalf.
  - For more information about the CIDR range, see IP addressing for your VPCs and subnets in the Amazon VPC User Guide.
- If you require LDAPS support with Simple AD, we recommend that you configure it using a Network Load Balancer connected to port 389. This model enables you to use a strong certificate for the LDAPS connection, simplify access to LDAPS through a single NLB IP address, and have automatic fail-over through the NLB. Simple AD does not support the use of self-signed certificates on port 636. For more information about how to configure LDAPS with Simple AD, see How to configure an LDAPS endpoint for Simple AD in the AWS Security Blog.
- The following encryption types must be enabled in the directory:
  - RC4_HMAC_MD5
  - AES128_HMAC_SHA1
  - AES256_HMAC_SHA1
  - Future encryption types
  Note
  Disabling these encryption types can cause communication issues with RSAT (Remote Server Administration Tools) and impact the availability of your directory.
For more information, see What is Amazon VPC? in the Amazon VPC User Guide.
AWS Directory Service uses a two VPC structure. The EC2 instances which make up your directory run outside of your AWS account, and are managed by AWS. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter, and exists outside of your account. ETH1 is created within your account.
The management IP range of your directory's ETH0 network is chosen programmatically to ensure it does not conflict with the VPC where your directory is deployed. This IP range can be in either of the following pairs (as directories run in two subnets):
- 10.0.1.0/24 & 10.0.2.0/24
- 169.254.0.0/16
- 192.168.1.0/24 & 192.168.2.0/24
We avoid conflicts by checking the first octet of the ETH1 CIDR. If it starts with a 10, then we choose a 192.168.0.0/16 VPC with 192.168.1.0/24 and 192.168.2.0/24 subnets. If the first octet is anything other than 10, we choose a 10.0.0.0/16 VPC with 10.0.1.0/24 and 10.0.2.0/24 subnets.
The selection algorithm does not include routes on your VPC. It is therefore possible to have an IP routing conflict result from this scenario.
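The selection rule above can be reproduced, and the route check that AWS does not perform can be done before the directory is created. This is an added example, not AWS code: it implements only the two-pair rule the page spells out (the 169.254.0.0/16 case is not described), and the route destinations it takes are a constructed sample standing in for the destination CIDRs of your VPC route tables.

```python
import ipaddress

# The management (ETH0) subnet pairs named on this page.
MGMT_10 = ("10.0.1.0/24", "10.0.2.0/24")
MGMT_192 = ("192.168.1.0/24", "192.168.2.0/24")


def management_ranges(vpc_cidr: str) -> tuple[str, ...]:
    """Reproduce the documented selection rule: only the first octet of the
    ETH1 (your VPC) CIDR is examined. 10.x.x.x gets the 192.168 pair,
    anything else gets the 10.0 pair. Routes are deliberately NOT consulted,
    exactly as the page describes."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    first_octet = net.network_address.packed[0]
    return MGMT_192 if first_octet == 10 else MGMT_10


def route_conflicts(vpc_cidr: str, route_destinations: list[str]) -> list[tuple[str, str]]:
    """Return (route destination, management range) pairs that overlap.

    route_destinations are destination CIDRs from the VPC's route tables
    (e.g. VPN, peering or Transit Gateway routes). The default route
    0.0.0.0/0 is skipped because it overlaps every range and therefore says
    nothing about a specific conflict. Anything left over is the routing
    conflict the page warns the selection algorithm cannot see.
    """
    conflicts = []
    for dest in route_destinations:
        dest_net = ipaddress.ip_network(dest, strict=False)
        if dest_net.prefixlen == 0:
            continue
        for mgmt in management_ranges(vpc_cidr):
            if dest_net.overlaps(ipaddress.ip_network(mgmt)):
                conflicts.append((dest, mgmt))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: a 172.31 VPC with a VPN route covering all of 10.0.0.0/8,
    # which collides with the 10.0.1.0/24 and 10.0.2.0/24 management subnets.
    print(management_ranges("172.31.0.0/16"))
    print(route_conflicts("172.31.0.0/16", ["0.0.0.0/0", "10.0.0.0/8"]))
```

Run it against the destinations from `aws ec2 describe-route-tables` for the VPC; a non-empty result means the management range AWS would pick is already reachable by another path.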
Important
If any of the Simple AD prerequisites are altered after your Simple AD is created, your Simple AD can become Impaired. To resolve your Simple AD Impaired status, you'll need to contact AWS Support.
Create your Simple AD Active Directory
To create a new Simple AD Active Directory, perform the following steps. Before starting this procedure, make sure you have completed the prerequisites identified in Simple AD prerequisites.
To create a Simple AD Active Directory
- In the AWS Directory Service console navigation pane, choose Directories and then choose Set up directory.
- On the Select directory type page, choose Simple AD, and then choose Next.
- On the Enter directory information page, provide the following information:
  - Directory size: Choose from either the Small or Large size option. For more information about sizes, see Simple AD.
  - Organization name: A unique organization name for your directory that will be used to register client devices. This field is only available if you are creating your directory as part of launching WorkSpaces.
  - Directory DNS name: The fully qualified name for the directory, such as corp.example.com.
  - Directory NetBIOS name: The short name for the directory, such as CORP.
  - Administrator password: The password for the directory administrator. The directory creation process creates an administrator account with the user name Administrator and this password. The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:
    - Lowercase letters (a-z)
    - Uppercase letters (A-Z)
    - Numbers (0-9)
    - Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
  - Confirm password: Retype the administrator password.
  - Directory description: An optional description for the directory.
- On the Choose VPC and subnets page, provide the following information, and then choose Next.
  - VPC: The VPC for the directory.
  - Subnets: Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.
- On the Review & create page, review the directory information and make any necessary changes. When the information is correct, choose Create directory. It takes several minutes for the directory to be created. Once created, the Status value changes to Active.
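The same directory can be created with the CreateDirectory API instead of the console. The following added example (not AWS code) checks the inputs against the rules stated in the prerequisites and in the procedure above, namely the administrator password policy and the two-subnets-in-two-Availability-Zones requirement, before assembling the request for boto3's `create_directory`; the subnet ids, VPC id and CIDRs are constructed sample values.

```python
import ipaddress
import re

# The four character categories from the Administrator password rule above.
_CATEGORIES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[~!@#$%^&*_\-+=`|\\(){}\[\]:;\"'<>,.?/]"),
)


def password_meets_policy(password: str) -> bool:
    """8 to 64 characters inclusive, and at least three of the four categories."""
    if not 8 <= len(password) <= 64:
        return False
    return sum(1 for cat in _CATEGORIES if cat.search(password)) >= 3


def subnets_meet_policy(vpc_cidr: str, subnets: dict) -> list[str]:
    """subnets maps subnet id -> (cidr, availability zone). Returns a list of
    problems; an empty list means the two-subnet, two-AZ, inside-the-VPC-CIDR
    prerequisite holds."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if len(subnets) != 2:
        problems.append("exactly two domain controller subnets are required")
    elif len({az for _, az in subnets.values()}) != 2:
        problems.append("subnets must be in different Availability Zones")
    for sid, (cidr, _) in subnets.items():
        if not ipaddress.ip_network(cidr).subnet_of(vpc):
            problems.append(f"{sid} ({cidr}) is not inside VPC CIDR {vpc_cidr}")
    return problems


def build_create_request(name, short_name, password, size, vpc_id, subnets, vpc_cidr):
    """Assemble the keyword arguments for boto3.client("ds").create_directory(...),
    raising before any API call if a prerequisite on this page is not met."""
    if not password_meets_policy(password):
        raise ValueError("administrator password does not meet the Simple AD policy")
    problems = subnets_meet_policy(vpc_cidr, subnets)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Name": name, "ShortName": short_name, "Password": password, "Size": size,
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": sorted(subnets)},
    }
```

Pass the returned dict as `boto3.client("ds").create_directory(**request)`; the response carries the DirectoryId whose status you then watch until it becomes Active.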
What gets created with your Simple AD Active Directory
When you create an Active Directory with Simple AD, AWS Directory Service performs the following tasks on your behalf:
- Sets up a Samba-based directory within the VPC.
- Creates a directory administrator account with the user name Administrator and the specified password. You use this account to manage your directory.
  Important
  Be sure to save this password. AWS Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the AWS Directory Service console or by using the ResetUserPassword API.
- Creates a security group for the directory controllers.
- Creates an account with the name AWSAdminD-xxxxxxxx that has domain admin privileges. This account is used by AWS Directory Service to perform automated directory maintenance operations, such as taking directory snapshots and FSMO role transfers. The credentials for this account are securely stored by AWS Directory Service.
- Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs is essential for connectivity between your VPC and AWS Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with AWS Directory Service by the description: "AWS created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide. The default DNS Server of the AWS Managed Microsoft AD Active Directory is the VPC DNS server at Classless Inter-Domain Routing (CIDR)+2. For more information, see Amazon DNS server in the Amazon VPC User Guide.
Note
Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.
Configure DNS for Simple AD
Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your Amazon VPC. These DNS servers will resolve names configured in your Amazon Route 53 private hosted zones. By pointing your on-premises computers to your Simple AD, you can now resolve DNS requests to the private hosted zone. For more information on Route 53, see What is Route 53.
Note that to enable your Simple AD to respond to external DNS queries, the network access control list (ACL) for the VPC containing your Simple AD must be configured to allow traffic from outside the VPC.
- If you are not using Route 53 private hosted zones, your DNS requests will be forwarded to public DNS servers.
- If you're using custom DNS servers that are outside of your VPC and you want to use private DNS, you must reconfigure to use custom DNS servers on EC2 instances within your VPC. For more information, see Working with private hosted zones.
- If you want your Simple AD to resolve names using both DNS servers within your VPC and private DNS servers outside of your VPC, you can do this using a DHCP options set. For a detailed example, see this article.
Note
DNS dynamic updates are not supported in Simple AD domains. You can instead make the changes directly by connecting to your directory using DNS Manager on an instance that is joined to your domain.