Building Managed Active Directory with AWS Directory Service - Identity Management for Hybrid Environments

Set up AWS Managed Microsoft AD and design trust relationships with on-premises AD. This article covers hybrid identity management through integration with WorkSpaces, RDS, and FSx.

Overview of Directory Service

Directory Service is a service that provides managed Active Directory on AWS. It offers three options: AWS Managed Microsoft AD, AD Connector, and Simple AD. Managed Microsoft AD provides a fully managed AD with domain controllers deployed across two or more AZs for multi-AZ availability, and it can establish trust relationships with on-premises AD. Domain controller OS patching, data replication, and snapshot-based daily backups are handled automatically by AWS, allowing operations teams to focus on AD schema design and Group Policy.

Hybrid Integration

By establishing a forest trust between on-premises AD and Managed Microsoft AD, on-premises users can access AWS resources with single sign-on. You connect on-premises to the VPC via VPN or Direct Connect and configure DNS conditional forwarders. Trust direction can be one-way (incoming) or two-way; choose two-way trust when AWS-side users also need access to on-premises resources. AD Connector is a proxy to on-premises AD that does not replicate AD data on AWS. It is used as a directory for WorkSpaces and AWS SSO, forwarding authentication requests to on-premises AD. Since AD Connector's authentication latency depends on the network path, low-latency connections like Direct Connect are recommended over VPN.

Integration with WorkSpaces and RDS

Managed Microsoft AD integrates directly with many AWS services, including WorkSpaces, RDS for SQL Server, FSx for Windows File Server, and QuickSight. It uses AD for WorkSpaces user authentication and centrally manages desktop settings with Group Policy. With RDS for SQL Server Windows authentication, AD users can seamlessly log in to SQL Server. FSx for Windows File Server provides file-level access control using AD ACLs, enabling direct use of NTFS permissions. AD Connector functions as a proxy to on-premises AD, delegating authentication without replicating the directory on AWS. Simple AD is a lightweight Samba-based directory suitable for small-scale and development environments. To deepen your understanding of Directory Service, specialized books on Amazon can also be useful.

Design Best Practices and Pitfalls

Several commonly overlooked points in Managed Microsoft AD design require attention. First, VPC subnet selection: domain controllers are placed in two specified subnets (different AZs), so DNS resolution and network access from these subnets must reach all workloads. Second, DHCP option set configuration: for instances in the VPC to join the domain, the DHCP option set's domain name and name servers must be set to the Managed Microsoft AD DNS addresses. Forgetting this causes domain join failures. Third, schema extensions: Managed Microsoft AD supports schema extensions via LDIF files, but schema changes cannot be rolled back, so validate thoroughly in a test environment before applying. Fourth, administrator permission scope: AWS-managed containers (Builtin, Domain Controllers OU, etc.) are not accessible, and users must create custom OUs to manage within.

Choosing Between AD Connector, Simple AD, and IAM Identity Center

The choice between Directory Service's three options and IAM Identity Center (formerly AWS SSO) can be clearly determined based on requirements. When you want to maintain an existing on-premises AD and only need access to AWS resources, AD Connector is the simplest option. When you need a full AD on AWS with Group Policy, LDAP, and Kerberos, choose Managed Microsoft AD. When you only have Linux instances and need a lightweight directory, Simple AD is sufficient. On the other hand, when the primary goal is SSO access to the AWS Management Console and CLI without needing AD, IAM Identity Center's built-in directory is appropriate. IAM Identity Center can also connect Managed Microsoft AD or AD Connector as an identity source, functioning as a hub for assigning AWS account access to AD users.

Directory Service Pricing

Managed Microsoft AD Standard Edition costs approximately $146/month (2 domain controllers), and Enterprise Edition costs approximately $438/month. Additional domain controllers cost approximately $73/month each (Standard). AD Connector comes in Small (approximately $73/month) and Large (approximately $219/month). Simple AD comes in Small (approximately $73/month) and Large (approximately $219/month). The main differences between Standard and Enterprise are the object count limit (Standard: approximately 30,000, Enterprise: approximately 500,000) and domain controller instance size. For most use cases, starting with Standard and migrating to Enterprise when approaching the object limit is the recommended phased approach.

Summary

Directory Service is a service that enables identity management for hybrid environments through managed Active Directory. It integrates directly with WorkSpaces, RDS for SQL Server, and FSx for Windows File Server, and provides seamless authentication through forest trust with on-premises AD. Proxy connectivity to on-premises AD is also available via AD Connector. Combined with IAM Identity Center, you can centralize AWS account access management for AD users.