AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)
Transcript of AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)
![Page 1: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ron Cully, AWS Directory Service
November 30, 2016
Best Practices for Integrating Active Directory with AWS Workloads
WIN305
![Page 2: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/2.jpg)
What to Expect from the Session
Running Windows applications and workloads in the AWS Cloud
• Why Windows workloads in AWS need Active Directory (AD)
• AD options for cloud workloads
AWS Directory Service for Microsoft Active Directory (Enterprise Edition) – “Microsoft AD”
Other AWS Directory Service solutions
![Page 3: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/3.jpg)
![Page 4: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/4.jpg)
Diagram: the three AD options. An AWS Microsoft AD DC in an AWS-managed service VPC; an EC2 Windows Server DC in a customer VPC; an on-premises Windows Server DC.
![Page 5: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/5.jpg)
Diagram, Example: Domain join EC2 to on-premises AD. Two Availability Zones, each with a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding a SQL Server (DB), an App Server (APP) and an IIS Server (WEB). Remote users/admins reach the application; a VPN connection links the VPC to the domain controllers in the corporate data center, and the EC2 instances send their authentication/LDAP traffic across it to the on-premises DCs.
![Page 6: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/6.jpg)
Diagram, Example: AD on EC2 with replication or AD trust. The same application tier (DB/APP/WEB in private subnets 10.0.2.0/24 and 10.0.3.0/24 across two Availability Zones), plus a domain controller on EC2 in each Availability Zone. Authentication/LDAP from the application servers goes to the in-VPC DCs; the VPN connection to the corporate data center carries trust or replication traffic between the EC2 DCs and the on-premises domain controllers.
![Page 7: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/7.jpg)
Diagram, Example: AWS Microsoft AD with AD trust to on-premises. The application tier is now an App Server (APP) and an IIS Server (WEB) in private subnets 10.0.2.0/24 and 10.0.3.0/24 across two Availability Zones, with the database moved to Amazon RDS SQL Server (DB). AWS Managed Services runs an AWS Microsoft AD domain controller in each Availability Zone; authentication/LDAP from the application servers goes to those DCs, and a trust across the VPN connection links AWS Microsoft AD to the domain controllers in the corporate data center.
![Page 8: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/8.jpg)
Diagram, Example: AWS Microsoft AD with everything in the cloud. Two Availability Zones, each with a public subnet (10.0.0.0/24 and 10.0.1.0/24) holding NAT and a Remote Desktop Gateway (RDGW) and a private subnet (10.0.2.0/24 and 10.0.3.0/24) holding an App Server (APP) and an IIS Server (WEB). AWS Managed Services provides a Microsoft AD DC in each Availability Zone, Amazon RDS SQL Server (DB) and Amazon WorkSpaces (VDI); there is no connection to an on-premises data center.
![Page 9: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/9.jpg)
| Operation | AWS Microsoft AD | EC2 AD Instance | On-Premises AD |
|---|---|---|---|
| Management | AWS managed in the cloud | Customer managed in the cloud | Customer managed, own hardware |
| Availability | Built-in redundancy and replication | Customer must design for high availability | Customer must design for high availability |
| Networking | Trust¹ ports from cloud to on-premises (least exposed) | Trust¹ or replication² ports from cloud to on-premises AD | Ports to support cloud to on-premises AD³ (most exposed) |
| Admin Control | Designated OU control; some apps unsupported | Full control | Full control |
![Page 10: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/10.jpg)
Selecting an Active Directory option
AWS Microsoft AD
• Minimize cost, effort to run AD
• Amazon RDS SQL Server
• AWS Enterprise Applications¹
• Windows workloads on Amazon EC2²
EC2 AD Instances
• Require a replicated, multi-region AD solution
• Need NetBIOS name resolution support
• You require permissions not yet delegated by AWS Microsoft AD
  • E.g., Exchange, SharePoint, SQL Server AlwaysOn Availability Groups
On-Premises AD
• Minimal EC2 instances require access to AD
• Latency to AD over on-premises link is acceptable
• Security policies allow AD ports to be exposed to internet
• Comfortable architecting highly available connectivity to on-premises AD
¹ If users are on premises via trust, application requires update; otherwise AD Connector will be needed. ² Subject to delegation constraints.
![Page 11: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/11.jpg)
AD Connector
Proxy solution to use on-premises AD accounts with AWS Enterprise Applications
• AD proxy for Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail
  • Authentication and LDAP forwarded to on-premises AD
  • Applications can look up on-premises users and groups
  • Users authenticate using existing corporate credentials
• Supports EC2 seamless domain join
  • EC2 discovers domain name from AD Connector
  • EC2 bypasses AD Connector for everything else
![Page 12: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/12.jpg)
AWS Microsoft AD
![Page 13: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/13.jpg)
![Page 14: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/14.jpg)
Diagram: a Windows AD DC on the on-premises network and an AWS Microsoft AD DC in the VPC, each in its own AD forest, joined by a trust.
![Page 15: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/15.jpg)
Setting up AWS Directory Service
1) Select Directory Service in the AWS Console
2) Select Set up directory from the menu
3) Select Create Microsoft AD for the directory type
4) Configure the Directory and VPC details
User, group, policy management via Microsoft tools on domain-joined computers
![Page 16: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/16.jpg)
![Page 17: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/17.jpg)
![Page 18: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/18.jpg)
AD On EC2 Windows
![Page 19: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/19.jpg)
![Page 20: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/20.jpg)
Active Directory instance on EC2
Customer-managed Active Directory server running on EC2
• Customer responsible for patching, monitoring, snapshots, and high availability
• Connectivity via VPN or AWS Direct Connect
• Security groups must allow traffic to and from the on-premises data center
• AD sites and subnets must be properly defined
• Site-link costs must be configured
• Enable the "Try Next Closest Site" group policy setting for domain members
Supports use cases and applications that require schema extension
• Microsoft SQL Server
• Microsoft SharePoint
• Microsoft Exchange
• Microsoft Lync/Skype for Business
Use when AWS Microsoft AD does not support the use case
![Page 21: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/21.jpg)
Microsoft workloads in Amazon VPC
![Page 22: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/22.jpg)
Diagram: AD forest spanning AWS and corporate data center. The corporate network has DC1 in Seattle and DC2 in Tacoma; a VPN connects it to the VPC, where DC3 runs in a private subnet in an Availability Zone.
![Page 23: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/23.jpg)
Diagram: the same AD forest spanning AWS and the corporate data center, with DC1 in Seattle marked down (X). DC1 goes down, where do clients in Seattle go for Directory Services?
![Page 24: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/24.jpg)
Diagram: the same forest with AD sites defined: Seattle / AD Site 1 (DC1), Tacoma / AD Site 2 (DC2) and AD Site 3 in the VPC (DC3), with a site-link cost of 50 shown on the link to AWS.
Properly implemented site topology and “Try Next Closest Site” policy enabled. Clients use least cost path to DC.
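As an added example (not code from the AWS deck), the site topology and the "Try Next Closest Site" policy from the preceding slides, scripted with the RSAT ActiveDirectory and GroupPolicy modules. Only the 10.0.2.0/24 and 10.0.3.0/24 subnets and the cost of 50 come from the slides; the site names, the corporate subnets, the Seattle–Tacoma link cost and the GPO name are assumptions.

```powershell
# Added example: build the site topology from the slides and enable "Try Next Closest Site".
# Assumes a domain-joined admin host with RSAT (ActiveDirectory and GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Sites and the subnets that belong to them. Corporate subnets are constructed for this
# example; the AWS subnets are the private subnets shown on the slides.
$sites = @{
    'Seattle' = @('192.168.10.0/24')                  # DC1 (constructed subnet)
    'Tacoma'  = @('192.168.20.0/24')                  # DC2 (constructed subnet)
    'AWS-VPC' = @('10.0.2.0/24', '10.0.3.0/24')       # DC3 in the VPC private subnets
}

foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        # Mapping each subnet to a site is what lets the DC locator pick a DC in the
        # client's own site first instead of any DC in the forest.
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}

# Explicit site-link costs: the VPN path to AWS costs 50 (as on the slide); the
# corporate LAN link is assumed cheaper (10), so when DC1 is down Seattle clients
# prefer DC2 in Tacoma and only fall back to DC3 in AWS if Tacoma is unreachable too.
New-ADReplicationSiteLink -Name 'Seattle-Tacoma' -SitesIncluded 'Seattle', 'Tacoma' `
    -Cost 10 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Seattle-AWS' -SitesIncluded 'Seattle', 'AWS-VPC' `
    -Cost 50 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Without "Try Next Closest Site", a client whose site has no reachable DC may bind to any
# DC in the domain, possibly across the VPN; with it, the locator follows site-link cost.
# The policy sets the Netlogon TryNextClosestSite registry value on domain members.
$gpoName = 'DC Locator - Try Next Closest Site'   # constructed GPO name
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Netlogon\Parameters' `
    -ValueName 'TryNextClosestSite' -Type DWord -Value 1 | Out-Null
# Link at the domain root so every domain member (corporate and EC2) receives it.
New-GPLink -Name $gpoName -Target (Get-ADDomain).DistinguishedName -ErrorAction SilentlyContinue
```

Verify the result from a client in Seattle with `nltest /dsgetdc:<domain> /force` after DC1 is taken offline; the returned DC should be DC2, not DC3.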
![Page 25: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/25.jpg)
Diagram, Adding Microsoft AD for AWS apps and services. The AD-on-EC2 architecture (App Server and IIS Server in private subnets 10.0.2.0/24 and 10.0.3.0/24 across two Availability Zones, an EC2 domain controller in each Availability Zone, and trust or replication across the VPN connection to the domain controllers in the corporate data center) extended with AWS Managed Services in each Availability Zone: a Microsoft AD DC, Amazon RDS SQL Server (DB) and Amazon WorkSpaces (VDI), with AWS Microsoft AD linked to the EC2 domain controllers by a trust.
![Page 26: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/26.jpg)
Related Sessions
WIN303 – How to Launch a 100K-User Corporate Back Office with Microsoft Servers and AWS
WIN403 – How to Migrate Microsoft Windows Applications to AWS Quickly, with Less Risk, Using Multisite Replication and SQL HA
![Page 27: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/27.jpg)
References
Documentation
• AWS Directory Service – aws.amazon.com/directoryservice
• Microsoft AD – aws.amazon.com/documentation/directory-service/
• Amazon RDS SQL Server – aws.amazon.com/documentation/rds/
Quick Starts – aws.amazon.com/quickstart/
• Active Directory DS (Microsoft AD)
• Exchange Server 2013
• SharePoint 2016 Enterprise
• Lync Server 2013
• SQL Server 2014 AlwaysOn
• PowerShell DSC
![Page 28: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/28.jpg)
Thank you!
![Page 29: AWS re:Invent 2016: Best Practices for Integrating Active Directory with AWS Workloads (WIN305)](https://reader034.fdocuments.us/reader034/viewer/2022042723/587543231a28abb8208b5677/html5/thumbnails/29.jpg)
Remember to complete your evaluations!