Active Directory Domain Services on AWS
Active Directory DS Quick Start

Scenario 1: Deploy and Manage Your Own AD DS on AWS

This scenario is based on a new installation of AD DS in the AWS Cloud without AWS Directory Service. The AWS CloudFormation templates that automate this deployment perform the following tasks to set up the architecture illustrated in Figure 1:

  • Sets up the VPC, including private and public subnets in two Availability Zones.*

  • Configures two NAT gateways in the public subnets.*

  • Configures private and public routes.*

  • Enables ingress traffic into the VPC for administrative access to Remote Desktop Gateway.*

  • Launches Windows Server 2016 Amazon Machine Images (AMIs), and sets up and configures AD DS and AD-integrated DNS.

  • Configures security groups and rules for traffic between instances.

  • Sets up and configures Active Directory Sites and Subnets.

* The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks.

Figure 1: Quick Start architecture for highly available AD DS on AWS

In this architecture:

  • Domain controllers are deployed into two private VPC subnets in separate Availability Zones, making AD DS highly available.

  • NAT gateways are deployed to public subnets, providing outbound internet access for instances in private subnets.

  • Remote Desktop gateways are deployed in an Auto Scaling group to the public subnets for secure remote access to instances in private subnets.

Windows Server 2012 R2 is used for the Remote Desktop Gateway instances, and Windows Server 2016 is used for the domain controller instances. The AWS CloudFormation template bootstraps each instance, deploying the required components, finalizing the configuration to create a new AD forest, and promoting instances in two Availability Zones to Active Directory domain controllers.

To deploy this stack, follow the step-by-step instructions in the Deployment Steps section. After the stack is deployed, you can move on to deploying your AD DS-dependent servers into the VPC. New instances pick up the correct DNS settings automatically through the updated DHCP options set that is associated with the VPC. You also need to associate each new instance with the domain member security group that is created as part of this deployment.
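The following CloudFormation fragment is an added example of the two pieces the preceding paragraph relies on: a DHCP options set that hands out the AD-integrated DNS servers and domain suffix to every instance in the VPC, and a domain member security group that a member server is launched into. It is not taken from the Quick Start's own templates. The VPC, subnet and Remote Desktop Gateway security group IDs, the domain name and the domain controller IP addresses are parameters with placeholder defaults; substitute the values from your deployment.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not the Quick Start template): DHCP options set pointing at
  the AD-integrated DNS servers, a domain member security group, and a member
  server launched into that group.

Parameters:
  VPCID:
    Type: AWS::EC2::VPC::Id
    Description: VPC created by the Quick Start (or your existing VPC)
  PrivateSubnetID:
    Type: AWS::EC2::Subnet::Id
    Description: Private subnet the member server is launched into
  RDGWSecurityGroupID:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the Remote Desktop Gateway instances
  DomainDNSName:
    Type: String
    Default: example.com          # placeholder - use your forest's DNS name
  DomainController1IP:
    Type: String
    Default: 10.0.0.10            # placeholder - first domain controller
  DomainController2IP:
    Type: String
    Default: 10.0.32.10           # placeholder - second domain controller
  LatestWindowsAmiId:
    # Public SSM parameter that resolves to the current Windows Server 2016 AMI
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base

Resources:
  # DNS settings for every instance in the VPC: the two domain controllers
  # run AD-integrated DNS, so they must be the resolvers, and the DNS suffix
  # lets short names resolve inside the domain.
  DHCPOptions:
    Type: AWS::EC2::DHCPOptions
    Properties:
      DomainName: !Ref DomainDNSName
      DomainNameServers:
        - !Ref DomainController1IP
        - !Ref DomainController2IP

  VPCDHCPOptionsAssociation:
    Type: AWS::EC2::VPCDHCPOptionsAssociation
    Properties:
      VpcId: !Ref VPCID
      DhcpOptionsId: !Ref DHCPOptions

  # Domain member security group. Inbound RDP is accepted only from the RD
  # Gateway security group, so member servers are never reachable directly
  # from the internet; traffic to the domain controllers is governed by the
  # rules on the domain controller security group, using this group as source.
  DomainMemberSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Domain members - RDP only via Remote Desktop Gateway
      VpcId: !Ref VPCID
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 3389
          ToPort: 3389
          SourceSecurityGroupId: !Ref RDGWSecurityGroupID
          Description: RDP from Remote Desktop Gateway instances only

  # A member server in a private subnet, placed in the domain member group.
  # It receives the DHCP options above, so it can resolve the domain and be
  # joined to it after launch.
  MemberServer:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestWindowsAmiId
      InstanceType: t3.medium
      SubnetId: !Ref PrivateSubnetID
      SecurityGroupIds:
        - !Ref DomainMemberSG
      Tags:
        - Key: Name
          Value: member-server-01   # constructed sample name

Outputs:
  DomainMemberSecurityGroupID:
    Description: Attach this group to any further AD DS-dependent instances
    Value: !Ref DomainMemberSG
```

Because a VPC can have only one DHCP options set associated at a time, associating this one replaces whatever the VPC used before; instances already running pick up the new resolvers on their next DHCP lease renewal, while new launches get them immediately. Keep the member security group as the source of the domain controller group's ingress rules rather than opening the controllers to the whole VPC CIDR, so that only intentionally joined instances can talk to LDAP, Kerberos and SMB on the controllers.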