AWS Directory Service
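Administration Guide (Version 1.0)
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon AWS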

Best Practices for AD Connector

To avoid problems and get the most out of AD Connector, you should consider the following suggestions and guidelines.



Verify You Have the Right Directory Type

AWS Directory Service provides multiple ways to use Microsoft Active Directory with other AWS services. You can choose the directory service with the features you need at a cost that fits your budget:

  • AWS Directory Service for Microsoft Active Directory is a feature-rich managed Microsoft Active Directory hosted on the AWS cloud. AWS Managed Microsoft AD is your best choice if you have more than 5,000 users and need a trust relationship set up between an AWS hosted directory and your on-premises directories.

  • AD Connector simply connects your existing on-premises Active Directory to AWS. AD Connector is your best choice when you want to use your existing on-premises directory with AWS services.

  • Simple AD is an inexpensive Active Directory–compatible service with the common directory features. In most cases, Simple AD is the least expensive option and your best choice if you have 5,000 or fewer users and don’t need the more advanced Microsoft Active Directory features.

For a more detailed comparison of AWS Directory Service options, see Which to Choose.

Ensure Your VPCs and Instances are Configured Correctly

To connect to, manage, and use your directories, you must properly configure the VPCs that the directories are associated with. See either AWS Managed Microsoft AD Prerequisites, AD Connector Prerequisites, or Simple AD Prerequisites for information about the VPC security and networking requirements.

If you are adding an instance to your domain, ensure that you have connectivity and remote access to your instance as described in Join an EC2 Instance to Your AWS Managed Microsoft AD Directory.

Be Aware of Your Limits

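Learn about the various limits for your specific directory type. The available storage and the aggregate size of your objects are the only limitations on the number of objects you may store in your directory. See either Limits for AWS Managed Microsoft AD, Limits for AD Connector, or Limits for Simple AD for details about your chosen directory.

Configure On-premises Sites and Subnets Correctly When Using AD Connector

If your on-premises network has Active Directory sites defined, you must make sure that the subnets in the VPC where your AD Connector resides are defined in an Active Directory site, and that no conflicts exist between the subnets in your VPC and the subnets in your other sites.

To discover domain controllers, AD Connector uses the Active Directory site whose subnet IP address ranges are close to those of the subnets in the VPC that contains the AD Connector. If you have a site whose subnets have the same IP address ranges as those in your VPC, AD Connector will discover the domain controllers in that site, which may not be physically close to your region.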
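
The two checks described above (every VPC subnet is defined in the intended Active Directory site, and no VPC subnet overlaps a subnet of another site) can be run offline against an export of your site definitions. The following is an added example, not code from AWS or from this guide; the site names, CIDR ranges and the function name audit_site_subnets are constructed for illustration.

```python
import ipaddress

# Constructed sample data: AD site name -> subnet objects defined for that site.
SITE_SUBNETS = {
    "AWS-VPC": ["10.20.0.0/24"],
    "HQ": ["192.168.0.0/16"],
    "Branch": ["10.20.1.0/24"],
}
# Constructed sample data: subnets of the VPC that hosts the AD Connector.
VPC_CIDRS = ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24"]


def audit_site_subnets(vpc_cidrs, site_subnets, connector_site):
    """Return {vpc_cidr: (status, conflicting_sites)} for each VPC subnet.

    status is "ok", "undefined" (not covered by connector_site) or
    "conflict" (overlaps a subnet that belongs to a different site).
    """
    sites = {
        name: [ipaddress.ip_network(c) for c in cidrs]
        for name, cidrs in site_subnets.items()
    }
    findings = {}
    for cidr in vpc_cidrs:
        vpc_net = ipaddress.ip_network(cidr)
        # Check 1: the VPC subnet is defined in the site meant for the VPC.
        defined = any(
            s.version == vpc_net.version and vpc_net.subnet_of(s)
            for s in sites.get(connector_site, [])
        )
        # Check 2: no other site claims an overlapping range, which would
        # steer domain controller discovery to that site instead.
        conflicts = sorted(
            name
            for name, nets in sites.items()
            if name != connector_site and any(vpc_net.overlaps(s) for s in nets)
        )
        if conflicts:
            status = "conflict"
        elif not defined:
            status = "undefined"
        else:
            status = "ok"
        findings[cidr] = (status, conflicts)
    return findings


if __name__ == "__main__":
    for cidr, result in audit_site_subnets(VPC_CIDRS, SITE_SUBNETS, "AWS-VPC").items():
        print(cidr, result)
```
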



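Use a Unique AD Connector for Each Domain

AD Connector and your on-premises domains have a 1-to-1 relationship. That is, for each on-premises domain that you want to authenticate against, you must create a unique AD Connector. Each AD Connector that you create must use a different service account, even if they are connected to the same directory.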


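When using AD Connector, you must ensure that your on-premises directory is and remains compatible with AWS Directory Services. For more information on your responsibilities, see our shared responsibility model.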