Getting started with Simple AD - AWS Directory Service

Getting started with Simple AD

Simple AD creates a fully managed, Samba-based directory in the AWS cloud. When you create a directory with Simple AD, AWS Directory Service creates two domain controllers and DNS servers on your behalf. The domain controllers are created in different subnets in an Amazon VPC this redundancy helps ensures that your directory remains accessible even if a failure occurs.

Simple AD prerequisites

To create a Simple AD Active Directory, you need an Amazon VPC with the following:

  • The VPC must have default hardware tenancy.

  • The VPC must not be configured with the following VPC endpoint(s):

  • At least two subnets in two different Availability Zones. The subnets must be in the same Classless Inter-Domain Routing (CIDR) range. If you want to extend or resize the VPC for your directory, then make sure to select both of the domain controller subnets for the extended VPC CIDR range. When you create a Simple AD, AWS Directory Service creates two domain controllers and DNS servers on your behalf.

  • If you require LDAPS support with Simple AD, we recommend that you configure it using a Network Load Balancer connected to port 389. This model enables you to use a strong certificate for the LDAPS connection, simplify access to LDAPS through a single NLB IP address, and have automatic fail-over through the NLB. Simple AD does not support the use of self-signed certificates on port 636. For more information about how to configure LDAPS with Simple AD, see How to configure an LDAPS endpoint for Simple AD in the AWS Security Blog.

  • The following encryption types must be enabled in the directory:

    • RC4_HMAC_MD5

    • AES128_HMAC_SHA1

    • AES256_HMAC_SHA1

    • Future encryption types

      Note

      Disabling these encryption types can cause communication issues with RSAT (Remote Server Administration Tools) and impact the availability or your directory.

  • For more information, see What is Amazon VPC? in the Amazon VPC User Guide.

AWS Directory Service uses a two VPC structure. The EC2 instances which make up your directory run outside of your AWS account, and are managed by AWS. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter, and exists outside of your account. ETH1 is created within your account.

The management IP range of your directory's ETH0 network is chosen programmatically to ensure it does not conflict with the VPC where your directory is deployed. This IP range can be in either of the following pairs (as Directories run in two subnets):

  • 10.0.1.0/24 & 10.0.2.0/24

  • 192.168.1.0/24 & 192.168.2.0/24

We avoid conflicts by checking the first octet of the ETH1 CIDR. If it starts with a 10, then we choose a 192.168.0.0/16 VPC with 192.168.1.0/24 and 192.168.2.0/24 subnets. If the first octet is anything else other than a 10 we choose a 10.0.0.0/16 VPC with 10.0.1.0/24 and 10.0.2.0/24 subnets.

The selection algorithm does not include routes on your VPC. It is therefore possible to have an IP routing conflict result from this scenario.

Create your Simple AD Active Directory

To create a new Simple AD Active Directory, perform the following steps. Before starting this procedure, make sure you have completed the prerequisites identified in Simple AD prerequisites.

To create a Simple AD Active Directory
  1. In the AWS Directory Service console navigation pane, choose Directories and then choose Set up directory.

  2. On the Select directory type page, choose Simple AD, and then choose Next.

  3. On the Enter directory information page, provide the following information:

    Directory size

    Choose from either the Small or Large size option. For more information about sizes, see Simple AD.

    Organization name

    A unique organization name for your directory that will be used to register client devices.

    This field is only available if you are creating your directory as part of launching WorkSpaces.

    Directory DNS name

    The fully qualified name for the directory, such as corp.example.com.

    Directory NetBIOS name

    The short name for the directory, such as CORP.

    Administrator password

    The password for the directory administrator. The directory creation process creates an administrator account with the user name Administrator and this password.

    The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:

    • Lowercase letters (a-z)

    • Uppercase letters (A-Z)

    • Numbers (0-9)

    • Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

    Confirm password

    Retype the administrator password.

    Directory description

    An optional description for the directory.

  4. On the Choose VPC and subnets page, provide the following information, and then choose Next.

    VPC

    The VPC for the directory.

    Subnets

    Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.

  5. On the Review & create page, review the directory information and make any necessary changes. When the information is correct, choose Create directory. It takes several minutes for the directory to be created. Once created, the Status value changes to Active.

What gets created with your Simple AD Active Directory

When you create a Active Directory with Simple AD, AWS Directory Service performs the following tasks on your behalf:

  • Sets up a Samba-based directory within the VPC.

  • Creates a directory administrator account with the user name Administrator and the specified password. You use this account to manage your directory.

    Important

    Be sure to save this password. AWS Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the AWS Directory Service console or by using the ResetUserPassword API.

  • Creates a security group for the directory controllers.

  • Creates an account with the name AWSAdminD-xxxxxxxx that has domain admin privileges. This account is used by AWS Directory Service to perform automated operations for directory maintenance operations, such as taking directory snapshots and FSMO role transfers. The credentials for this account are securely stored by AWS Directory Service.

  • Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs are essential for connectivity between your VPC and AWS Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with AWS Directory Service by the description: "AWS created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide for Windows Instances.

    Note

    Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

Configure DNS for Simple AD

Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your Amazon VPC. These DNS servers will resolve names configured in your Amazon Route 53 private hosted zones. By pointing your on-premises computers to your Simple AD, you can now resolve DNS requests to the private hosted zone. For more information on Route 53, see What is Route 53.

Note that to enable your Simple AD to respond to external DNS queries, the network access control list (ACL) for the VPC containing your Simple AD must be configured to allow traffic from outside the VPC.

  • If you are not using Route 53 private hosted zones, your DNS requests will be forwarded to public DNS servers.

  • If you're using custom DNS servers that are outside of your VPC and you want to use private DNS, you must reconfigure to use custom DNS servers on EC2 instances within your VPC. For more information, see Working with private hosted zones.

  • If you want your Simple AD to resolve names using both DNS servers within your VPC and private DNS servers outside of your VPC, you can do this using a DHCP options set. For a detailed example, see this article.

Note

DNS dynamic updates are not supported in Simple AD domains. You can instead make the changes directly by connecting to your directory using DNS Manager on an instance that is joined to your domain.