Self-managed Active Directory on Amazon EC2
Overview
This section provides recommendations for reducing the cost of running Active Directory on Amazon Elastic Compute Cloud (Amazon EC2). The primary focus is on making sure that you can size the Active Directory domain controllers appropriately and use the flexibility of the AWS Cloud to adjust as needed for your environment. AWS can help you easily stop an instance and resize it to meet your changing needs, or downsize the instance if you scale up too fast. Choosing the right instance size and type can result in significant savings.
Cost impact
The following table shows the difference between choosing a burstable instance family instance over a general purpose instance. This choice can save you a considerable amount of money each month. Appropriate planning and sizing of your instance can help you to manage costs.
Instance type | Number of instances | vCPU | Memory | Cost |
---|---|---|---|---|
t3a.medium | 2 | 2 | 8 | $81.76/month |
m5a.large | 2 | 2 | 8 | $259.88/month |
For more information about costs, see the AWS Pricing Calculator estimate.
A savings of $178.12 per month ends up being over $2,000 in savings per year for your domain controllers. Keep in mind that is for a small footprint of just two domain controllers in one account. At scale with multiple accounts and additional domain controllers, such savings can add up to a significant cost reduction.
Cost optimization recommendations
Microsoft provides capacity planning recommendations for these components:
- Memory
- Network
- Storage
- Processor
While keeping these main components in mind, you can work through selecting an instance type that makes sense for your Active Directory environment on AWS. This section covers a few example Active Directory to AWS deployment scenarios. These scenarios make it clear that it's not necessary to replicate your on-premises environment in AWS, if you don't plan to handle the same number of users and computers as you do in your on-premises environment.
The following table highlights important components regarding vCPU, memory, and disk for your AWS footprint.
Component | Estimates |
---|---|
Storage/database size | 40–60 KB for each user |
RAM | Database size + base operating system recommendations + third-party applications |
Network | 1 GB |
CPU | 1,000 concurrent users for each core |
Hybrid deployment scenario
The following diagram shows an example architecture for a hybrid deployment of Active Directory.

As the diagram shows, you typically have an on-premises footprint and then expand this into the AWS Cloud. In the initial phases of a migration, you typically won't have all your users and servers deployed in AWS. That's why it's important to initially deploy a smaller sized footprint to save money on the migration efforts.
If you're going to maintain an on-premises footprint with servers and users authenticating on premises, then you won't need the same footprint for domain controllers in AWS. By following Active Directory best practices, you can implement proper Active Directory sites and services.
Optimize for an AWS migration by right sizing
If you're deploying a new instance of Active Directory for your users or plan to fully migrate to AWS for your Active Directory infrastructure, we recommend that you plan the sizing against Microsoft's recommendations for vCPU, memory, and disk space for the instance choices in the preceding table.
If this is a new footprint, you can start small and take advantage of the ability to easily change instance types to resize your environment as it grows on AWS. The Windows on Amazon EC2 section of this guide shows you how to monitor and review your CPU and memory utilization on AWS. That way, you know when to increase the size of your EC2 instance.
If you're fully migrating your on-premises Active Directory environment to AWS, you can implement the same sizing plans to ensure proper performance. Before duplicating what you have on premises in AWS, we recommend that you complete a thorough review of your Active Directory environment. This can help you prevent overprovisioning. Be sure to use Performance Monitor to collect information about the amount of traffic and utilization for your existing domain controllers. This can give you an understanding of the overall usage so that you can right size and ultimately reduce your costs.
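The following PowerShell script is an added example, not part of the AWS guide, of the Performance Monitor baseline described above: it samples the counters that drive domain controller sizing on an existing domain controller, summarizes average and peak values for the right-sizing review, and reports the size of the directory database so that it can be compared with the per-user storage estimate in the preceding table. The sampling window, the output path, and the counter selection are assumptions for this example; the registry value used to locate ntds.dit is the standard NTDS parameter.

```powershell
# Added example (not from the AWS guide): baseline an existing domain controller before
# choosing an EC2 instance size. Run on the domain controller with an account that can
# read performance counters. Assumptions: counter names as shown by Performance Monitor on
# Windows Server, the default NTDS registry key, and the window/interval chosen here.

param(
    [int]$SampleIntervalSeconds = 15,   # seconds between samples
    [int]$SampleCount = 240,            # 240 x 15 s = 1 hour; lengthen for a real baseline
    [string]$OutputCsv = "$env:TEMP\dc-baseline.csv"
)

# Counters that map to the vCPU, memory, disk, and authentication load of a DC.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\% Committed Bytes In Use',
    '\LogicalDisk(_Total)\Avg. Disk Queue Length',
    '\NTDS\LDAP Client Sessions',
    '\NTDS\LDAP Successful Binds/sec',
    '\NTDS\DS Directory Searches/sec',
    '\Security System-Wide Statistics\Kerberos Authentications',
    '\Security System-Wide Statistics\NTLM Authentications'
)

# Collect the samples; SilentlyContinue skips counters that do not exist on this host.
$samples = Get-Counter -Counter $counters -SampleInterval $SampleIntervalSeconds `
                       -MaxSamples $SampleCount -ErrorAction SilentlyContinue

# Flatten the sample sets and summarize each counter path.
$summary = $samples.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Peak    = [math]::Round($stats.Maximum, 2)
            Samples = $_.Count
        }
    }

$summary | Sort-Object Counter | Format-Table -AutoSize
$summary | Export-Csv -Path $OutputCsv -NoTypeInformation

# Size of the directory database on disk, to compare with the 40-60 KB per user estimate.
$ntdsParams = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ditPath    = $ntdsParams.'DSA Database file'
$ditSizeMB  = [math]::Round((Get-Item -Path $ditPath).Length / 1MB, 1)
Write-Output "ntds.dit: $ditPath ($ditSizeMB MB)"

# If the RSAT ActiveDirectory module is present, express the database size per enabled user.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $userCount = (Get-ADUser -Filter 'Enabled -eq $true' | Measure-Object).Count
    $kbPerUser = [math]::Round(($ditSizeMB * 1024) / [math]::Max($userCount, 1), 1)
    Write-Output "$userCount enabled users, about $kbPerUser KB of database per user"
}
```

Run it during a representative period (for example, the morning logon peak) rather than off-hours; the peak values, not the averages, are what tell you whether a burstable instance family will stay within its CPU credit budget.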
Optimize Active Directory on AWS
If you're running Active Directory on AWS, it's important to also continuously monitor utilization and change instance sizes as needed to reduce your spending. You can use AWS Compute Optimizer to get information about the resources that you're running in AWS. For information about using Compute Optimizer to right size your Windows workloads, see the Windows on Amazon EC2 section of this guide. For a more comprehensive deep dive, you can use Performance Monitor to monitor the utilization of your Active Directory domain controllers, assess performance, and then resize accordingly.
You can also use CloudWatch to monitor the performance of domain controllers. To optimize your domain controllers (scaling up or down), you can use the metrics available in CloudWatch to help you make the right decisions. You can use the CloudWatch agent to configure custom Performance Monitor metrics to be sent for data collection. For instructions, see How can I use the CloudWatch agent to view metrics for Performance Monitor on a Windows server?
After you deploy the CloudWatch agent, you can configure the following metrics within the agent configuration file under metrics_collected:
Metric category | Metric name |
---|---|
Database to instances (NTDSA) | Database cache % hit |
Database to instances (NTDSA) | I/O database reads average latency |
Database to instances (NTDSA) | I/O database reads/sec |
Database to instances (NTDSA) | I/O log writes average latency |
DirectoryServices (NTDS) | LDAP bind time |
DirectoryServices (NTDS) | DRA pending replication operations |
DirectoryServices (NTDS) | DRA pending replication synchronizations |
DNS | Recursive queries/sec |
DNS | Recursive query failure/sec |
DNS | TCP query received/sec |
DNS | Total query received/sec |
DNS | Total response sent/sec |
DNS | UDP query received/sec |
LogicalDisk | Avg. disk queue length |
LogicalDisk | % free space |
Memory | % committed bytes in use |
Memory | Long-term average standby cache lifetime (s) |
Network interface | Bytes sent/sec |
Network interface | Bytes received/sec |
Network interface | Current bandwidth |
NTDS | ATQ estimated queue delay |
NTDS | ATQ request latency |
NTDS | DS directory reads/sec |
NTDS | DS directory searches/sec |
NTDS | DS directory writes/sec |
NTDS | LDAP client sessions |
NTDS | LDAP searches/sec |
NTDS | LDAP successful binds/sec |
Processor | % processor time |
Security system-wide statistics | Kerberos authentications |
Security system-wide statistics | NTLM authentications |
Additional resources
- Active Directory Domain Services on AWS: Partner Solution Deployment Guide (AWS documentation)
- Capacity planning for Active Directory Domain Services (Microsoft documentation)
- Design considerations for running Active Directory on EC2 instances (AWS Whitepapers)