Working with Self Managed Active Directory with an Amazon RDS for SQL Server DB instance - Amazon Relational Database Service

You can join your RDS for SQL Server DB instances directly to your self-managed Active Directory (AD) domain, regardless of where your AD is hosted: in corporate data centers, on Amazon EC2, or with other cloud providers. With self-managed AD, you use NTLM authentication to directly control authentication of users and services on your RDS for SQL Server DB instances without using intermediary domains and forest trusts. When users authenticate with an RDS for SQL Server DB instance joined to your self-managed AD domain, authentication requests are forwarded to a self-managed AD domain that you specify.

Region and version availability

Amazon RDS supports Self Managed AD for SQL Server using NTLM in all Amazon Web Services Regions.

Limitations

The following limitations apply for Self Managed AD for SQL Server.

  • NTLM is the only supported authentication type. Kerberos authentication is not supported. If you need to use Kerberos authentication, you can use Amazon Managed AD instead of self-managed AD.

  • The Microsoft Distributed Transaction Coordinator (MSDTC) service isn't supported, as it requires Kerberos authentication.

  • Your RDS for SQL Server DB instances do not use the Network Time Protocol (NTP) server of your self-managed AD domain. They use an Amazon NTP service instead.

  • SQL Server linked servers must use SQL authentication to connect to other RDS for SQL Server DB instances joined to your self-managed AD domain.

  • Microsoft Group Policy Object (GPO) settings from your self-managed AD domain are not applied to RDS for SQL Server DB instances.

Overview of setting up Self Managed Active Directory

To set up self-managed AD for an RDS for SQL Server DB instance, take the following steps, explained in greater detail in Setting up Self Managed Active Directory:

In your AD domain:

  • Create an Organizational Unit (OU).

  • Create an AD domain user.

  • Delegate control to the AD domain user.

From the Amazon Web Services Management Console or API:

  • Create an Amazon KMS key.

  • Create a secret using Amazon Secrets Manager.

  • Create or modify an RDS for SQL Server DB instance and join it to your self-managed AD domain.
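The six steps above, run end to end from a domain-joined Windows administration host, as an added example (this is not code from the Amazon RDS documentation). It assumes the RSAT ActiveDirectory module and the AWS CLI are installed, the shell holds both domain-admin and AWS credentials, PowerShell 7.3 or later is used so that JSON arguments containing quotes pass through to the CLI unchanged, and every domain name, DN, IP address, account name and instance identifier is a placeholder for your environment. The secret key names, the KMS key policy, the secret resource policy and the `dsacls` delegation are assumptions based on how RDS reads the join credentials, not values taken from this page.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Amazon documentation code. All names below are placeholders.
$ErrorActionPreference = 'Stop'

$DomainFqdn   = 'corp.example.com'                 # placeholder domain
$DomainDn     = 'DC=corp,DC=example,DC=com'
$OuName       = 'RDS'
$OuDn         = "OU=$OuName,$DomainDn"
$JoinUser     = 'rds-join-svc'                      # placeholder join account
$DnsIps       = @('10.0.0.10', '10.0.0.11')         # placeholder DC addresses
$DbInstanceId = 'mydbinstance'                      # placeholder instance id
$Region       = 'us-east-1'

# --- In your AD domain ---------------------------------------------------------
# 1. Create the OU that will hold the RDS computer objects (idempotent).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Create the AD domain user that RDS will use to join. The password stays in memory only.
$JoinPassword = Read-Host -Prompt "Password for $JoinUser" -AsSecureString
New-ADUser -Name $JoinUser -SamAccountName $JoinUser -UserPrincipalName "$JoinUser@$DomainFqdn" `
    -Path $OuDn -AccountPassword $JoinPassword -PasswordNeverExpires $true -Enabled $true

# 3. Delegate control on the OU only. Assumption: computer-object create/delete
#    (CC = create child, DC = delete child, /I:T = this object and subobjects) is shown
#    as the minimal illustration; apply the full delegation list from the setup procedure.
$NetBios = (Get-ADDomain).NetBIOSName
dsacls $OuDn /I:T /G "${NetBios}\${JoinUser}:CCDC;computer"

# --- From the AWS CLI -----------------------------------------------------------
$Account = aws sts get-caller-identity --query Account --output text

# 4. KMS key that encrypts the secret. The key policy lets the RDS service decrypt it,
#    scoped to this account so a foreign RDS instance cannot use the key (assumption).
$KeyPolicy = @{
    Version   = '2012-10-17'
    Statement = @(
        @{ Sid = 'AccountAdmin'; Effect = 'Allow'
           Principal = @{ AWS = "arn:aws:iam::${Account}:root" }
           Action = 'kms:*'; Resource = '*' },
        @{ Sid = 'AllowRdsDecrypt'; Effect = 'Allow'
           Principal = @{ Service = 'rds.amazonaws.com' }
           Action = @('kms:Decrypt', 'kms:DescribeKey'); Resource = '*'
           Condition = @{ StringEquals = @{ 'aws:SourceAccount' = $Account } } }
    )
} | ConvertTo-Json -Depth 8 -Compress
$KeyArn = aws kms create-key --description "RDS self-managed AD join secret" `
    --policy $KeyPolicy --region $Region --query KeyMetadata.Arn --output text

# 5. Secret with the join credentials, encrypted under the key from step 4.
#    Assumption: these two key names are the ones RDS reads from the secret.
$Bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($JoinPassword)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
$SecretString = @{
    CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME = $JoinUser
    CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD = $Plain
} | ConvertTo-Json -Compress
$SecretArn = aws secretsmanager create-secret --name "rds/$DbInstanceId/ad-join" `
    --kms-key-id $KeyArn --secret-string $SecretString --region $Region --query ARN --output text
Remove-Variable Plain, SecretString   # do not keep the clear-text password around

# Resource policy so the RDS service (and only it, from this account) can read the secret.
$SecretPolicy = @{
    Version   = '2012-10-17'
    Statement = @(@{
        Effect    = 'Allow'
        Principal = @{ Service = 'rds.amazonaws.com' }
        Action    = @('secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret')
        Resource  = '*'
        Condition = @{ StringEquals = @{ 'aws:SourceAccount' = $Account } }
    })
} | ConvertTo-Json -Depth 8 -Compress
aws secretsmanager put-resource-policy --secret-id $SecretArn `
    --resource-policy $SecretPolicy --region $Region | Out-Null

# 6. Join the existing DB instance to the self-managed AD domain (NTLM is the only
#    supported authentication type, so no Kerberos-related settings are needed).
aws rds modify-db-instance --db-instance-identifier $DbInstanceId `
    --domain-fqdn $DomainFqdn --domain-ou $OuDn --domain-auth-secret-arn $SecretArn `
    --domain-dns-ips $DnsIps --apply-immediately --region $Region
```

Two design points: the join account is created inside the OU it is delegated over and is never granted rights outside it, and the KMS key policy and secret resource policy are both conditioned on `aws:SourceAccount` so that the credentials can only be read by RDS on behalf of this account. When creating a new instance instead of modifying one, the same `--domain-fqdn`, `--domain-ou`, `--domain-auth-secret-arn` and `--domain-dns-ips` options are passed to `aws rds create-db-instance`.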

Understanding self-managed Active Directory Domain membership

After you create or modify your DB instance, the instance becomes a member of the self-managed AD domain. The Amazon console indicates the status of the self-managed Active Directory domain membership for the DB instance. The status of the DB instance can be one of the following:

  • joined – The instance is a member of the AD domain.

  • joining – The instance is in the process of becoming a member of the AD domain.

  • pending-join – The instance membership is pending.

  • pending-maintenance-join – Amazon will attempt to make the instance a member of the AD domain during the next scheduled maintenance window.

  • pending-removal – The removal of the instance from the AD domain is pending.

  • pending-maintenance-removal – Amazon will attempt to remove the instance from the AD domain during the next scheduled maintenance window.

  • failed – A configuration problem has prevented the instance from joining the AD domain. Check and fix your configuration before reissuing the instance modify command.

  • removing – The instance is being removed from the self-managed AD domain.

A request to become a member of a self-managed AD domain can fail because of a network connectivity issue. For example, you might create a DB instance or modify an existing instance, and the attempt to make that DB instance a member of the self-managed AD domain fails. In this case, either reissue the command to create or modify the DB instance, or modify the newly created instance to join the self-managed AD domain.
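The membership states listed above can be read back from the `DomainMemberships` field of `describe-db-instances`. The following added example (not Amazon documentation code) polls that field after a create or modify call, stops on `joined`, stops without waiting on the two `pending-maintenance-*` states because nothing will change before the maintenance window, and raises on `failed` so the configuration gets fixed before the modify command is reissued. It assumes the AWS CLI is installed and credentialed; the instance identifier and Region are placeholders.

```powershell
# Added example, not Amazon documentation code.
function Get-RdsDomainMembershipStatus {
    param(
        [Parameter(Mandatory)][string]$DbInstanceId,
        [string]$Region = 'us-east-1'                   # placeholder Region
    )
    $json = aws rds describe-db-instances --db-instance-identifier $DbInstanceId `
        --region $Region --query 'DBInstances[0].DomainMemberships' --output json
    $memberships = $json | ConvertFrom-Json
    if (-not $memberships) { return 'not-configured' }  # instance has no domain settings yet
    # RDS for SQL Server carries one membership entry; its Status is one of the states above.
    return $memberships[0].Status
}

function Wait-RdsDomainJoin {
    param(
        [Parameter(Mandatory)][string]$DbInstanceId,
        [string]$Region = 'us-east-1',
        [int]$PollSeconds = 30,
        [int]$TimeoutMinutes = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Get-RdsDomainMembershipStatus -DbInstanceId $DbInstanceId -Region $Region
        Write-Host "$(Get-Date -Format s) $DbInstanceId domain membership: $status"
        switch ($status) {
            'joined' { return $true }
            'failed' {
                # A configuration problem, not a transient one: check the OU DN, the DNS IPs,
                # the secret contents and policies, and network reachability to the DCs,
                # then reissue modify-db-instance.
                throw "Domain join of $DbInstanceId failed; fix the configuration before reissuing the modify command."
            }
            { $_ -in 'pending-maintenance-join', 'pending-maintenance-removal' } {
                Write-Warning "$DbInstanceId is in state '$status'; the change is deferred to the next maintenance window."
                return $false
            }
            # joining, pending-join, removing, pending-removal, not-configured: keep polling
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for $DbInstanceId to join; last status: $status"
}

# Usage (placeholder identifier):
# Wait-RdsDomainJoin -DbInstanceId 'mydbinstance' -Region 'us-east-1'
```

The `not-configured` value is the function's own marker for an instance whose `DomainMemberships` list is empty, which is what you see before the modify call has been accepted; it is not one of the states the console reports.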

Restoring a SQL Server DB instance and then adding it to a self-managed Active Directory domain

You can restore a DB snapshot or do point-in-time recovery (PITR) for a SQL Server DB instance and then add it to a self-managed Active Directory domain. Once the DB instance is restored, modify the instance using the process explained in Step 6: Create or modify a SQL Server DB instance to add the DB instance to a self-managed AD domain.