Microsoft Workloads on AWS
Extend your Active Directory domain to AWS with AWS Managed Microsoft AD (Hybrid Edition)
Introduction
Today, we are announcing the general availability of the Hybrid Edition of AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). This new edition lets you extend your existing self-managed Active Directory (AD) domain to AWS Managed Microsoft AD while preserving your current identity and access infrastructure. AWS Managed Microsoft AD (Hybrid Edition) facilitates the migration of your Active Directory–dependent workloads to AWS and natively integrates with AWS applications and services. This capability enables the integration of your existing Active Directory with AWS’ fully managed infrastructure, offering additional monitoring capabilities for your Active Directory.
Evolving needs for hybrid Active Directory
AWS customers rely on Active Directory to centralize user authentication and authorization for their applications and services. Customers consider a hybrid Active Directory when managing access to applications running across both on-premises data centers and AWS. Another common scenario involves migrating customers’ Active Directory-dependent workloads from on-premises or multi-cloud environments to AWS. For these use cases, customers have told us they want a service that enables them to extend their AD infrastructure to AWS while preserving their existing AD domain namespace, retaining security principals and permissions, ensuring uninterrupted operations, and removing the undifferentiated heavy lifting of managing domain controllers in the cloud. Hybrid Edition helps you meet these requirements and simplifies the migration of your AD-dependent workloads to AWS.
Why AWS Managed Microsoft AD (Hybrid Edition)?
Hybrid Edition enables customers to extend and maintain their existing Active Directory infrastructure across on-premises and multi-cloud deployment environments. If you have a self-managed Active Directory domain (such as “example.com”), AWS Managed Microsoft AD (Hybrid Edition) allows you to extend the same domain, simplifying your existing AD operations on AWS.
AWS Managed Microsoft AD (Hybrid Edition) offers the following core capabilities:
- Integrates your existing self-managed Active Directory with the cloud while preserving your identity and access infrastructure. This integration maintains complete compatibility with standard Active Directory features and AWS applications.
- Provides managed scalability through AWS’s infrastructure, letting you share directories across accounts and expand your infrastructure as needed, all while maintaining full Active Directory functionality.
- Gives you operational control of your directory while AWS handles infrastructure management and provides enhanced monitoring for your Active Directory through regular assessments and reporting. You have the option of returning to a fully self-managed AD environment if required.
- Centralizes authentication, group policies, and domain trust relationships across hybrid environments. Throughout this integration, you keep your existing AD forest name and organizational structure intact.
Hybrid Edition provides a fully managed AD service on AWS while allowing you to extend your existing AD environment to AWS.
AWS Managed Microsoft AD (Hybrid Edition) architectural patterns
There are two options for extending your self-managed AD to Hybrid Edition.
First, you can extend your existing self-managed Active Directory directly from domain controllers in your on-premises or multi-cloud environments to AWS Managed Microsoft AD. This option is ideal for customers who do not want to manage any domain controllers on Amazon EC2 and prefer AWS to manage them. In this architecture, you register two on-premises domain controllers with AWS Systems Manager as managed nodes through a hybrid activation. AWS Managed Microsoft AD uses AWS Systems Manager (SSM) to assess your self-managed AD domain environment and confirm that it can support a hybrid directory configuration. After a successful assessment of your AD environment and creation of the hybrid directory, you will have two default AWS managed domain controllers in your domain that fully replicate to and from your on-premises domain controllers, as shown in Figure 1.

Figure 1: Extend from on-premises Domain Controllers to Hybrid Edition.
The second option applies to customers running domain controllers on Amazon EC2. These domain controllers are either part of a hybrid setup that extends Active Directory across on-premises, AWS, and multi-cloud environments, or they belong to an Active Directory domain running exclusively on Amazon EC2. In either case, you register your Amazon EC2 domain controllers with AWS Systems Manager so that the AD environment can be assessed and the Hybrid Edition directory created, as shown in Figure 2.

Figure 2: Extend from Amazon EC2 domain controllers to Hybrid Edition.
In addition to the previous architecture patterns, AWS Managed Microsoft AD enables centralized directory management by allowing a single Active Directory domain to be shared across multiple AWS accounts. With AWS Managed Microsoft AD’s tight integration with AWS Organizations, you can share your Hybrid Edition directory with other trusted accounts within the same organization to support Active Directory-dependent workloads across your AWS environments. Also, you can share your Hybrid directory with accounts outside your AWS Organization or with standalone AWS accounts that are not currently members of any organization. This approach eliminates the need for multiple directory instances while maintaining consistent access control and user authentication across your accounts, as shown in Figure 3.

Figure 3: Share your AWS Managed Microsoft AD (Hybrid Edition) with other AWS accounts.
Prerequisites
The following prerequisites are necessary to create a Hybrid Edition directory:
- Connectivity between the self-managed Active Directory network and the AWS account where Hybrid Directory is being created.
- The existing Active Directory Forest must have at least two domain controllers. For testing, follow the steps in AWS Launch Wizard to deploy a self-managed AD Forest on Amazon EC2.
- The Active Directory must be a single forest, single domain.
- The first step is to have the AD domain controllers managed by AWS Systems Manager. If the domain controllers are on Amazon EC2, set them up for AWS Systems Manager. If the domain controllers are on-premises or non-EC2 machines, set them up by creating an AWS Systems Manager hybrid activation. Make sure the SSM Managed nodes have the latest agent version and an agent status showing online.
- Complete a directory assessment of your self-managed domain controllers before extending to AWS Managed Microsoft AD (Hybrid Edition). This assessment verifies that your self-managed Active Directory environment meets the requirements to extend your domain.
- An AWS Secrets Manager secret that stores the credentials of a user account with administrator permissions in your self-managed AD. These credentials are only used during creation of the hybrid directory and are not stored.
- Note that when creating the secret, the secret keys must be “customerAdAdminDomainUsername” and “customerAdAdminDomainPassword”, corresponding to the AD username and password respectively.
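The two prerequisites that are easiest to get wrong are the managed-node state and the secret's key names. The following PowerShell, added here as an example and not taken from the AWS post or the Directory Service documentation, uses AWS Tools for PowerShell (the AWS.Tools.SimpleSystemsManagement and AWS.Tools.SecretsManager modules) to list the Windows managed nodes with their SSM Agent status and then create the secret with exactly the key names the service expects. The Region, the secret name, and the username format (DOMAIN\user is shown; use whatever form your documentation specifies) are assumptions.

```powershell
# Added example (not from the AWS post): Hybrid Edition pre-flight checks with AWS Tools for PowerShell.
# Assumptions: Region, secret name and the DOMAIN\user form of the admin account.
Import-Module AWS.Tools.SimpleSystemsManagement
Import-Module AWS.Tools.SecretsManager

$Region = 'us-east-1'   # assumption: the Region of the VPC the hybrid directory will use

# 1. The two domain controllers must be SSM managed nodes that are Online and on the latest agent.
#    EC2 instances appear as i-… node IDs; on-premises hybrid activations appear as mi-… node IDs.
$nodes = Get-SSMInstanceInformation -Region $Region |
    Where-Object { $_.PlatformType -eq 'Windows' } |
    Select-Object InstanceId, ComputerName, PingStatus, AgentVersion, IsLatestVersion
$nodes | Format-Table -AutoSize

$ready = @($nodes | Where-Object { $_.PingStatus -eq 'Online' -and $_.IsLatestVersion })
if ($ready.Count -lt 2) {
    Write-Warning "Only $($ready.Count) Online node(s) with the latest SSM Agent; the assessment needs two."
}

# 2. Create the Secrets Manager secret. The key names below are the ones the prerequisites require.
#    The password is prompted for so it never lands in a script file or shell history.
$adUser   = 'EXAMPLE\hybrid-admin'   # assumption: an account with administrator rights in the self-managed AD
$securePw = Read-Host -Prompt "Password for $adUser" -AsSecureString
$plainPw  = [System.Net.NetworkCredential]::new('', $securePw).Password

$secretString = @{
    customerAdAdminDomainUsername = $adUser
    customerAdAdminDomainPassword = $plainPw
} | ConvertTo-Json -Compress

$secret = New-SECSecret -Region $Region -Name 'hybrid-ad/example.com/admin' -SecretString $secretString `
    -Description 'Self-managed AD admin credentials, used once while creating the Hybrid Edition directory'

# Drop the plaintext copies once the secret exists.
$plainPw = $null
$secretString = $null

# The ARN is the value the Set-up Hybrid directory console page asks for.
"Secret ARN: $($secret.ARN)"
```

Run this from a workstation whose AWS credentials can call ssm:DescribeInstanceInformation and secretsmanager:CreateSecret in the target account. If a node shows PingStatus other than Online, fix the agent before starting the assessment; the assessment runs on those nodes and cannot pass without them.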
Walkthrough
Follow these steps to create an AWS Managed Microsoft AD (Hybrid Edition) directory with your self-managed AD.
- Open the AWS Directory Service console.
- On the Select directory type page, choose AWS Managed Microsoft AD. Under Getting started with AWS Managed Microsoft AD, select Extend your AD domain with a hybrid directory and then choose Next.
Figure 4 – AWS Managed Microsoft AD (Hybrid Edition) deployment console page.
- On the Create Directory assessment page, provide the following information:
a. Your self-managed Active Directory DNS name, such as example.com
b. Two DNS IP addresses for your self-managed Active Directory are required. (The DNS server IP addresses must be reachable from your VPC.)
c. In the Networking section, select the appropriate VPC and Subnets. Each subnet must be in a different Availability Zone.
d. In the Systems Manager nodes section, select two self-managed domain controller managed nodes. Choose Next.
Figure 5 – Create assessment for Hybrid directory.
- On the Review and create directory assessment page, review the directory assessment information and make any necessary changes, then choose Create assessment.
Figure 6 – AWS Managed Microsoft AD (Hybrid Edition) review assessment console page.
Note: Creating the directory assessment can take up to 30 minutes. After submitting the assessment, you will be redirected to the Directory Details page. A green banner will appear once the directory assessment enters a Success state, which is required to create the Hybrid Directory. The assessment will run on each domain controller using the provided managed nodes. Download the directory assessment report containing information on any errors for the domain controllers.
- Navigate to the View Assessment option. Within the Hybrid Directory Assessments section, select the directory assessment that passed. Upon accessing the Assessment Details, choose the Create hybrid directory option as seen in Figure 7.
Figure 7 – AWS Managed Microsoft AD (Hybrid Edition) review assessment result.
- On the Set-up Hybrid directory page, provide the Amazon Resource Name (ARN) of the secret that stores the admin user credentials for the self-managed Active Directory.
Figure 8 – AWS Managed Microsoft AD (Hybrid Edition) configuration console page
- Review and confirm the self-managed AD details and then choose Create hybrid directory.
- You’re returned to the Directories page, and a green banner will appear once the hybrid directory is created.
Figure 9 – AWS Managed Microsoft AD (Hybrid Edition) AD deployment success status.
- Review and examine the Hybrid Managed AD setup using PowerShell or the Active Directory Users and Computers snap-in.
Get-ADDomainController -Filter * | select hostname, ipv4Address
Figure 10 – Listing the domain controllers in AWS Managed Microsoft AD (Hybrid Edition)
Figure 11 – Viewing the domain controllers in the ADUC snap-in
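The one-liner above confirms that the AWS managed domain controllers have joined the domain. Because the post's architecture depends on those controllers fully replicating to and from the self-managed ones, it is worth checking replication health as well before moving workloads onto the directory. The following PowerShell, added as an example and not part of the AWS post, uses the ActiveDirectory RSAT module from a domain-joined machine; the domain name is taken from the machine's own domain, and the one-hour freshness threshold is an assumption.

```powershell
# Added example (not from the AWS post): post-creation inventory and replication health check.
# Requires the ActiveDirectory RSAT module on a domain-joined machine; the one-hour threshold is an assumption.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Inventory: every DC with its site and IP. The AWS managed DCs sit in the site associated
#    with the VPC subnets, so grouping by Site separates them from the on-premises DCs.
$dcs = Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperationMasterRoles
$dcs | Sort-Object Site, HostName | Format-Table -AutoSize

# 2. Inbound replication metadata for the whole domain, one row per partnership and partition.
$partners = Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures
$partners | Format-Table -AutoSize

# A partnership is unhealthy if the last attempt returned a non-zero result, failures are
# accumulating, or the last success is older than the threshold.
$unhealthy = @($partners | Where-Object {
    $_.LastReplicationResult -ne 0 -or
    $_.ConsecutiveReplicationFailures -gt 0 -or
    $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1)
})

if ($unhealthy.Count -gt 0) {
    Write-Warning "Replication problems on $($unhealthy.Count) partnership(s) in $domain:"
    $unhealthy | Format-Table -AutoSize
    # Per-DC failure records: error code, first failure time and failure count.
    Get-ADReplicationFailure -Target $domain -Scope Domain | Format-Table -AutoSize
} else {
    "All $(@($partners).Count) replication partnerships in $domain succeeded within the last hour."
}
```

Expect one row per partner DC per partition (domain, configuration, schema, and the DNS application partitions); the AWS managed controllers should appear both as Server and, in the DN form shown by the Partner column, as partner for the on-premises controllers.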
Application integration with AWS Managed Microsoft AD (Hybrid Edition)
Over the years, AWS customers have requested features to help unlock some of their enterprise use cases. One common request was the ability to use applications that require native Active Directory schema extension capabilities. AWS Managed Microsoft AD (Hybrid Edition) helps achieve this requirement.
AWS Managed Microsoft AD (Hybrid Edition) helps you seamlessly integrate your Active Directory with AWS applications and services. It works directly with AWS applications such as Amazon FSx for Windows File Server and Amazon Relational Database Service (RDS). To connect these services, authorize AWS Managed Microsoft AD (Hybrid Edition) to give AWS applications and services access to your Active Directory.
Troubleshooting Tips
- If you experience problems with your managed domain controller nodes, there might be a problem with the Systems Manager Agent (SSM Agent).
- View assessment status for domain controllers. You can also review assessment test details by selecting the domain controllers. The Status column for failed assessment tests displays the error codes.
- To create a hybrid directory, the directory assessment must enter a Passed state. You’ll be unable to proceed with this procedure without a successful directory assessment. For more information, see Troubleshooting Hybrid directory and directory assessment.
- To troubleshoot problems with failed assessments, download the CSV report of the failed directory assessment. This report will include the details and test information for the chosen self-managed domain controllers.

Figure 12 – Failed assessment status and report.
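When a domain controller's managed node is offline or its assessment tests fail, the first place to look is the SSM Agent on that controller. The following PowerShell, added as an example and not part of the AWS post, is run locally on the domain controller: it checks the agent service, reports the installed version to compare against the IsLatestVersion flag in the Systems Manager console, and pulls recent warnings and errors from the agent log. The service name and the log location are the agent's Windows defaults; the number of log lines scanned is an assumption.

```powershell
# Added example (not from the AWS post): local SSM Agent check on a domain controller.
# AmazonSSMAgent and the ProgramData log path are the agent's Windows defaults; -Tail 500 is an assumption.
$svc = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
if (-not $svc) {
    throw 'SSM Agent is not installed on this domain controller; install it before creating the hybrid activation.'
}
"Service status: $($svc.Status) (start type: $($svc.StartType))"

if ($svc.Status -ne 'Running') {
    Start-Service -Name AmazonSSMAgent
    "Started AmazonSSMAgent; allow a few minutes for PingStatus to return to Online in the console."
}

# Installed agent version, to compare with IsLatestVersion for this node in Fleet Manager.
$exe = Join-Path $env:ProgramFiles 'Amazon\SSM\amazon-ssm-agent.exe'
if (Test-Path $exe) {
    "Installed agent version: $((Get-Item $exe).VersionInfo.ProductVersion)"
}

# Recent warnings and errors from the agent log. Registration, proxy and endpoint
# reachability problems that keep a node offline are reported here.
$log = Join-Path $env:ProgramData 'Amazon\SSM\Logs\amazon-ssm-agent.log'
if (Test-Path $log) {
    Get-Content -Path $log -Tail 500 |
        Select-String -Pattern 'ERROR|WARN' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "Agent log not found at $log"
}
```

Once the agent is Running and the console shows the node Online with the latest version, rerun the directory assessment; the assessment report described above will then show whether any remaining failures are unrelated to the agent.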
Cleanup
Before deleting your Hybrid Managed AD directory, deregister or disable any AWS applications associated with your directory. Once done, select the directory and delete it from the Actions menu. Follow the steps for deleting a hybrid directory in the documentation.
Conclusion
AWS Managed Microsoft AD (Hybrid Edition) directory capability simplifies how customers use and manage Active Directory across their on-premises, AWS, and multi-cloud environments. Hybrid Edition extends your self-managed AD domain into AWS Managed Microsoft AD, making migration of your Active Directory-dependent workloads to AWS cloud easier, and eliminating Active Directory domain controller management overhead on AWS. Hybrid Edition enhances AD integration with AWS applications and services, provides continuous monitoring of hybrid directory health, and enables seamless deployment of AD-dependent workloads.
To learn more about using AWS Managed Microsoft AD (Hybrid Edition), visit the AWS Directory Service documentation. For general information and pricing, see the AWS Directory Service pricing page. If you have implementation or troubleshooting questions, start a new thread on the Directory Service forum or contact AWS Support.
AWS has significantly more services, and more features within those services, than any other cloud provider, making it faster, easier, and more cost effective to move your existing applications to the cloud and build nearly anything you can imagine. Give your Microsoft applications the infrastructure they need to drive the business outcomes you want. Visit our .NET on AWS and AWS Database blogs for additional guidance and options for your Microsoft workloads. Contact us to start your migration and modernization journey today.