AWS Directory Service
Administration Guide (Version 1.0)
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China

Simple AD Prerequisites

To create a Simple AD directory, you need a VPC that meets the following requirements:

  • At least two subnets. For Simple AD to install correctly, you must install the two domain controllers in separate subnets located in different Availability Zones. In addition, both subnets must be within the same Classless Inter-Domain Routing (CIDR) range. If you want to extend or resize the VPC for your directory, make sure you select both domain controller subnets for the extended VPC CIDR range.

  • The VPC must have default hardware tenancy.

  • If LDAPS support is required with Simple AD, we recommend that you configure it using an Elastic Load Balancer and HAProxy running on EC2 instances. This model lets you use a strong certificate for the LDAPS connection, simplifies access to LDAPS through a single ELB IP address, and provides automatic failover through HAProxy. For more information about how to configure LDAPS for Simple AD, see How to Configure an LDAPS Endpoint for Simple AD on the AWS Security Blog

  • The following encryption types must be enabled in the directory:

    • RC4_HMAC_MD5

    • AES128_HMAC_SHA1

    • AES256_HMAC_SHA1

    • Future encryption types

      Note

      Disabling these encryption types can cause communication problems with RSAT (Remote Server Administration Tools) and affect the availability of your directory.

AWS Directory Service uses a two VPC structure. The EC2 instances which make up your directory run outside of your AWS account, and are managed by AWS. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter, and exists outside of your account. ETH1 is created within your account.

The management IP range of your directory's ETH0 network is chosen programmatically to ensure it does not conflict with the VPC where your directory is deployed. This IP range can be in either of the following pairs (as Directories run in two subnets):

  • 10.0.1.0/24 & 10.0.2.0/24

  • 192.168.1.0/24 & 192.168.2.0/24

We avoid conflicts by checking the first octet of the ETH1 CIDR. If it starts with 10, we choose a 192.168.0.0/16 VPC with 192.168.1.0/24 and 192.168.2.0/24 subnets. If the first octet is anything other than 10, we choose a 10.0.0.0/16 VPC with 10.0.1.0/24 and 10.0.2.0/24 subnets.

The selection algorithm does not take the routes in your VPC into account. It is therefore possible for an IP routing conflict to result from this selection.
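The following is an added pre-flight check, not code from this guide or from AWS, that a practitioner could run before creating a directory. It reproduces the first-octet rule described above for the ETH0 management range, validates the two domain controller subnets against the requirements listed under the prerequisites (two subnets, different Availability Zones, both inside the VPC CIDR), and then scans the destination CIDRs of the VPC route table for overlaps with the management pair that would be chosen, which is exactly the conflict the guide says the selection algorithm does not detect. The VPC CIDR, subnet list, Availability Zone names and route destinations are constructed sample values; the function names are this example's own.

```python
import ipaddress

# Management (ETH0) subnet pairs listed in the guide. Which pair is chosen
# depends only on the first octet of the ETH1 (customer VPC) CIDR.
MGMT_PAIR_10 = ("10.0.1.0/24", "10.0.2.0/24")
MGMT_PAIR_192 = ("192.168.1.0/24", "192.168.2.0/24")


def select_management_ranges(eth1_vpc_cidr):
    """Reproduce the first-octet rule: a VPC whose CIDR starts with 10 gets
    the 192.168 pair, anything else gets the 10.0 pair."""
    vpc = ipaddress.ip_network(eth1_vpc_cidr, strict=True)
    first_octet = vpc.network_address.packed[0]
    pair = MGMT_PAIR_192 if first_octet == 10 else MGMT_PAIR_10
    return [ipaddress.ip_network(p) for p in pair]


def validate_dc_subnets(vpc_cidr, subnets):
    """Check the domain controller subnets against the prerequisites:
    exactly two, in distinct Availability Zones, both inside the VPC CIDR.
    `subnets` is a list of (cidr, availability_zone) tuples.
    Returns a list of problem descriptions; an empty list means OK."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if len(subnets) != 2:
        problems.append(f"expected two subnets, got {len(subnets)}")
    elif len({az for _, az in subnets}) != 2:
        problems.append("both subnets are in the same Availability Zone")
    for cidr, az in subnets:
        if not ipaddress.ip_network(cidr).subnet_of(vpc):
            problems.append(f"{cidr} ({az}) is outside the VPC CIDR {vpc_cidr}")
    return problems


def find_route_conflicts(vpc_cidr, route_destinations):
    """The guide warns that the management range is chosen without looking at
    your VPC routes. Given the destination CIDRs of the VPC route table,
    report every route that overlaps a management subnet AWS would pick.
    Returns a list of (route_cidr, management_cidr) pairs."""
    mgmt = select_management_ranges(vpc_cidr)
    conflicts = []
    for dest in route_destinations:
        if dest == "local":
            continue  # the VPC's own range, already checked by AWS
        route = ipaddress.ip_network(dest)
        if route.prefixlen == 0:
            continue  # a default route matches everything; not a specific overlap
        for m in mgmt:
            if route.overlaps(m):
                conflicts.append((str(route), str(m)))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: a 10.20.0.0/16 VPC with two DC subnets and a route
    # table carrying a VPN route for a hypothetical on-premises 192.168.0.0/16.
    vpc = "10.20.0.0/16"
    dc_subnets = [("10.20.1.0/24", "cn-north-1a"), ("10.20.2.0/24", "cn-north-1b")]
    routes = ["local", "0.0.0.0/0", "192.168.0.0/16"]
    print("management ranges:", [str(n) for n in select_management_ranges(vpc)])
    print("subnet problems:", validate_dc_subnets(vpc, dc_subnets))
    print("route conflicts:", find_route_conflicts(vpc, routes))
```

In the constructed sample, the 10.20.0.0/16 VPC sends AWS to the 192.168 pair, and the on-premises VPN route for 192.168.0.0/16 overlaps both management subnets, so the check reports two conflicts before any directory is created. Default routes are deliberately skipped because they cover every destination and would otherwise always be reported.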