Overview - Active Directory Domain Services on AWS


Active Directory DS on AWS

Amazon Web Services (AWS) provides a comprehensive set of services and tools for deploying Microsoft Windows-based workloads on its reliable and secure cloud infrastructure. Active Directory Domain Services (AD DS) and Domain Name Server (DNS) are core Windows services that provide the foundation for many enterprise class Microsoft-based solutions, including Microsoft SharePoint, Microsoft Exchange, and .NET applications.

This Quick Start is for organizations running workloads in the AWS Cloud that require secure, low-latency connectivity to AD DS and DNS services. After reading this guide, IT infrastructure personnel should have a good understanding of how to design and deploy a solution to launch AD DS in the AWS Cloud, or extend their on-premises AD DS into the AWS Cloud.

This Quick Start assumes that you’re already familiar with Active Directory and DNS. For details, please consult the Microsoft product documentation.

This guide focuses on infrastructure configuration topics that require careful consideration when you are planning and deploying AD DS, domain controller instances, and DNS services in the AWS Cloud. We don't cover general Windows Server installation and software configuration tasks. For general software configuration guidance and best practices, consult the Microsoft product documentation.

Cost and Licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. For cost estimates, see the pricing pages for each AWS service you will be using in this Quick Start.

This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2016 and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI doesn’t require Client Access Licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.

AWS Services

The core AWS components used by this Quick Start include the following AWS services. (If you are new to AWS, see Getting Started with AWS.)

  • Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

  • Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing AMIs or import your own virtual machine images.

  • NAT Gateway – NAT gateways are network address translation (NAT) devices, which provide outbound internet access to instances in a private subnets, but prevent the internet from accessing those instances. NAT gateways provide better availability and bandwidth than NAT instances. The NAT Gateway service is a managed service that takes care of administering NAT gateways for you.

  • AWS Direct Connect – The AWS Direct Connect service enables you to establish a private connection between AWS and your on-premises data center. With this connection in place, you can create virtual interfaces to establish private connectivity to multiple VPCs, bypassing internet service providers in your network path.

  • AWS Directory Service – The AWS Directory Service makes it easy to set up and operate a new directory in the AWS Cloud. This Quick Start supports AWS Directory Service for Microsoft Active Directory (Enterprise Edition), which provides most of the features offered by Microsoft Active Directory plus integration with AWS applications.

  • AWS Systems Manager – Systems Manager services make it easier to perform configuration management in the AWS Cloud. In scenario 1 of this Quick Start, we use Systems Manager Automation documents to perform the configuration steps of the domain controllers.

  • AWS Secrets Manager – Secrets Manager services help you protect secrets needed to access your applications, services, and IT resources. In scenario 1 of this Quick Start, we use Secrets Manager to generate and store Active Directory Administrator credentials.

  • Amazon CloudWatch – CloudWatch is a monitoring and management service. In this Quick Start, all logs produced through Systems Manager are pushed to Amazon CloudWatch Logs. CloudWatch Logs allows you to monitor, store, and access your log files from Amazon EC2 instances, AWS CloudTrail, Route 53, and other sources.

Technical Requirements

Before you launch the Quick Start, your account must be configured as specified in the following table. Otherwise, deployment might fail.


If necessary, request service quota increases for the following resources. You might need to do this if you already have an existing deployment that uses these resources, and you think you might exceed the default quotas with this deployment. For default quotas, see the AWS documentation.

Resource This deployment uses
VPCs 1
Elastic IP addresses 2
VPC security groups 2
IAM roles 2
General Purpose instances 2


This deployment includes AWS Secrets Manager and AWS Directory Service, which aren’t currently supported in all AWS Regions. For a current list of supported Regions, see the endpoints and quotas webpage in the AWS documentation. The GitHub repository includes ad-master-1-ssm.template and ad-1-ssm.template, which you can use to deploy in regions without Secrets Manager. The following links will launch these templates: