Active Directory Domain Services on AWS
Active Directory DS Quick Start

Scenario 1: Deploy and Manage Your Own AD DS on AWS

This scenario is based on a new installation of AD DS in the AWS Cloud without AWS Directory Service. The AWS CloudFormation templates that automate this deployment perform the following tasks to set up the architecture illustrated in Figure 1.

  • Sets up the VPC, including private and public subnets in two Availability Zones.*

  • Configures two NAT gateways in the public subnets.*

  • Configures private and public routes.*

  • Enables ingress traffic into the VPC for administrative access to Remote Desktop Gateway.*

  • Creates Systems Manager Automation documents that set up and configure AD DS and AD-integrated DNS.

  • Stores the alternate domain administrator credentials in Secrets Manager.

  • Uses Secrets Manager to generate and store Restore Mode and Domain Administrator passwords.

  • Launches instances using the Windows Server 2016 AMI.

  • Configures security groups and rules for traffic between instances.

  • Sets up and configures Active Directory sites and subnets.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks.


				Quick Start architecture for highly available AD DS on AWS

Figure 1: Quick Start architecture for highly available AD DS on AWS

In this architecture:

  • Domain controllers are deployed into two private VPC subnets in separate Availability Zones, making AD DS highly available.

  • NAT gateways are deployed to public subnets, providing outbound internet access for instances in private subnets.

  • Remote Desktop gateways are deployed in an Auto Scaling group to the public subnets for secure remote access to instances in private subnets.

Windows Server 2016 is used for the Remote Desktop Gateway instances and the domain controller instances. The AWS CloudFormation template deploys AWS resources, including a Systems Manager Automation document. When the second node is deployed, it triggers execution of the Automation document through Amazon EC2 user data. The automation workflow deploys the required components, finalizes the configuration to create a new AD forest, and promotes instances in two Availability Zones to Active Directory domain controllers.

To deploy this stack, follow the step-by-step instructions in the Deployment Steps section. After deploying this stack, you can move on to deploying your AD DS-dependent servers into the VPC. The DNS settings for new instances will be ready via the updated DHCP options set that is associated with the VPC. You’ll also need to associate the new instances with the domain member security group that is created as part of this deployment.