Extending your AD to AWS – AD on EC2 Instances
Extending your AD to AWS
A very common use case, whether to make AWS instances easier to address by name or simply to provide a failover lookup node for your Active Directory forest, is to extend your AD to AWS.
In effect, it is a two-step process. First, set up your EC2 domain controllers in AWS; these serve as a member site of your existing AD. Second, configure AD Sites and Services so that the forest recognizes the member site in AWS.
Step 1 – Setup your EC2 domain controllers
Set up one or, preferably, two DCs on EC2 instances in AWS (two gives you redundancy across availability zones). The top-level domain can be something like mycorp.aws.
Step 2 – Extend your local domain (MyCorp.local) to AWS
Define the site, subnets and site link in Active Directory Sites and Services so that member servers in AWS can locate the domain controllers assigned to that site.
The member site defined in AWS is mycorp.aws.
The EC2 instances hosting AD in AWS are placed in a site with the appropriate availability-zone subnets associated to it, like the example below.
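The two steps above, as an added PowerShell example that is not part of the original post. It assumes the on-premises forest is mycorp.local, the existing on-prem site is Default-First-Site-Name, the AWS site is named AWS-MyCorp, the EC2 DCs are AWSDC01 and AWSDC02, and the VPC subnets 10.20.1.0/24 and 10.20.2.0/24 correspond to two availability zones; all of these names and CIDRs are assumptions, not values from the post. It uses only the ActiveDirectory and ADDSDeployment module cmdlets.

```powershell
# Added example, not from the original post. All names and CIDRs below are assumptions.
# Run from a domain-joined admin host with RSAT (ActiveDirectory module) as a Domain Admin.
Import-Module ActiveDirectory

$DomainName = 'mycorp.local'             # assumption: on-premises forest root domain
$AwsSite    = 'AWS-MyCorp'               # assumption: name of the AWS member site
$OnPremSite = 'Default-First-Site-Name'  # assumption: existing on-premises site
$AwsDCs     = 'AWSDC01', 'AWSDC02'       # assumption: hostnames of the EC2 domain controllers
$AwsSubnets = @{                         # assumption: one VPC subnet CIDR per availability zone
    '10.20.1.0/24' = 'us-east-1a'
    '10.20.2.0/24' = 'us-east-1b'
}

# --- Step 1: promote each EC2 instance to a DC, directly into the AWS site ---
# Run these two lines ON the EC2 host. The instance must reach an existing on-prem DC over
# the VPN / Direct Connect path, and its security group should only admit AD traffic from
# the on-premises and VPC address ranges (a DC should never carry a public IP).
#   Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
#   Install-ADDSDomainController -DomainName $DomainName -SiteName $AwsSite -InstallDns `
#       -Credential (Get-Credential "$DomainName\Administrator") `
#       -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# --- Step 2: Sites and Services configuration (run once from the admin host) ---
# 2a. Create the AWS site if it does not already exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$AwsSite'")) {
    New-ADReplicationSite -Name $AwsSite -Description 'AWS member site (EC2 domain controllers)'
}

# 2b. Map each availability-zone subnet to the site so EC2 workloads resolve a local DC
#     instead of authenticating across the WAN link.
foreach ($cidr in $AwsSubnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
        New-ADReplicationSubnet -Name $cidr -Site $AwsSite -Location $AwsSubnets[$cidr]
    }
}

# 2c. Create a dedicated site link with an explicit cost and replication interval (minutes),
#     rather than leaving the AWS site on DEFAULTIPSITELINK.
$LinkName = "$OnPremSite-to-$AwsSite"
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $OnPremSite, $AwsSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# 2d. Any DC promoted before the site existed landed in the on-prem site; move it over.
foreach ($dc in $AwsDCs) {
    $server = Get-ADDomainController -Identity $dc -ErrorAction SilentlyContinue
    if ($server -and $server.Site -ne $AwsSite) {
        Move-ADDirectoryServer -Identity $dc -Site $AwsSite
    }
}

# --- Verification ---
# Both EC2 DCs should now be listed in the AWS site, and the DC locator should return one
# of them when asked for that site.
Get-ADDomainController -Filter { Site -eq $AwsSite } | Select-Object HostName, Site, IPv4Address
Get-ADDomainController -Discover -SiteName $AwsSite -ForceDiscover | Select-Object HostName, Site
# Inter-site replication health (run on any DC):
#   repadmin /replsummary
# On an EC2 member server, confirm it resolved to the AWS site rather than the on-prem one:
#   nltest /dsgetsite
```

The subnet-to-site mapping in step 2b is the part that actually makes the design work: without it, EC2 member servers still authenticate against on-premises DCs over the WAN, and a WAN outage takes AWS logons down with it, which defeats the failover goal stated above.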
This design unifies the hybrid environment so that AWS workloads share the same OUs, group policies, users and computer objects as the rest of the forest, just as if they were in an on-premises datacenter.
Summary – Extending your AD to AWS
There are a few sub-steps within each of the above steps, but that is the high-level picture. For an advanced AWS IAM or overall security consultation, please contact AWS Security Architect.