Configure Microsoft Active Directory using Amazon Directory Service - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure Microsoft Active Directory using Amazon Directory Service

Amazon Managed Microsoft AD creates a fully managed Microsoft Active Directory in the Amazon Web Services Cloud that is powered by Windows Server 2019 and operates at the 2012 R2 forest and domain functional levels. Amazon Directory Service creates the domain controllers in different subnets of an Amazon VPC, in separate Availability Zones, so the directory stays available if one domain controller fails.

To create a directory with Amazon Managed Microsoft AD, see Getting started with Amazon Managed Microsoft AD in the Amazon Directory Service Administration Guide.

Configure your network connectivity

Enable cross-VPC traffic between the directory and the DB instance

If the directory and the DB instance are in the same VPC, skip this step and go to Network configuration port rules.

If the directory and the DB instance are in different VPCs, configure cross-VPC traffic using VPC peering or Amazon Transit Gateway. For more information, see What is VPC peering? in the Amazon VPC Peering Guide and What is Amazon Transit Gateway? in Amazon VPC Transit Gateways.

Enable cross-VPC traffic using VPC peering
  1. Set up appropriate VPC routing rules so that network traffic can flow both ways: the route table of each VPC needs a route for the other VPC's CIDR block that targets the peering connection.

  2. Allow the DB instance's security group to receive inbound traffic from the directory's security group. For more information, see Network configuration port rules.

  3. Make sure that the network access control lists (ACLs) of the subnets don't block the traffic. Network ACLs are stateless, so both the inbound and the outbound entries must allow it.
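The three steps above can be verified before you attempt the domain join. The following script is an added example and not part of this documentation or of Amazon Directory Service. It evaluates constructed snapshots shaped like the JSON that `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-network-acls` return; every ID, CIDR block and address in it is hypothetical. Each step maps to one function, and the network ACL check evaluates entries the way the VPC does (lowest rule number first, first match wins, implicit deny at the end) for each domain controller address.

```python
"""Preflight check for steps 1-3: routes, security group and network ACLs between
the DB instance's VPC and the directory's VPC over a VPC peering connection.

The dictionaries mimic the JSON returned by `aws ec2 describe-route-tables`,
`describe-security-groups` and `describe-network-acls`. They are constructed for
this example; every ID and address is hypothetical.
"""
import ipaddress

PEERING_ID = "pcx-0a1b2c3d4e5f60001"
DB_VPC_CIDR, DIR_VPC_CIDR = "10.0.0.0/16", "10.1.0.0/16"
DB_RTB, DIR_RTB = "rtb-0db00000000000001", "rtb-0ad00000000000001"
DB_SG, DIR_SG = "sg-0db000000000000db", "sg-0ad0000000000000d"
DB_NACL = "acl-0db00000000000001"
DIR_DNS_IPS = ["10.1.0.10", "10.1.1.10"]   # the directory's domain controllers (DnsIpAddrs)

ROUTE_TABLES = [
    {"RouteTableId": DB_RTB, "Routes": [
        {"DestinationCidrBlock": DB_VPC_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": DIR_VPC_CIDR, "VpcPeeringConnectionId": PEERING_ID, "State": "active"}]},
    # Directory side: the return route to the DB VPC is missing on purpose.
    {"RouteTableId": DIR_RTB, "Routes": [
        {"DestinationCidrBlock": DIR_VPC_CIDR, "GatewayId": "local", "State": "active"}]},
]
SECURITY_GROUPS = [
    {"GroupId": DB_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": DB_VPC_CIDR}], "UserIdGroupPairs": []},
        # Traffic from the directory's security group; restrict to the ports in
        # "Network configuration port rules" in a real deployment.
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": DIR_SG}]}]},
]
NETWORK_ACLS = [
    {"NetworkAclId": DB_NACL, "Entries": [
        # A stray deny that covers one of the two domain controllers.
        {"RuleNumber": 90, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "10.1.0.0/24"},
        {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"}]},
]


def route_via_peering(route_tables, rtb_id, dest_cidr, pcx_id):
    """True if route table rtb_id has an active route for dest_cidr that targets pcx_id."""
    for rtb in route_tables:
        if rtb["RouteTableId"] == rtb_id:
            return any(r.get("DestinationCidrBlock") == dest_cidr
                       and r.get("VpcPeeringConnectionId") == pcx_id
                       and r.get("State") == "active" for r in rtb["Routes"])
    return False


def ingress_from_group(security_groups, sg_id, source_sg_id):
    """Ingress rules on sg_id whose source is security group source_sg_id, as
    (protocol, from_port, to_port). An empty list means nothing is allowed."""
    rules = []
    for sg in security_groups:
        if sg["GroupId"] != sg_id:
            continue
        for perm in sg["IpPermissions"]:
            if any(p["GroupId"] == source_sg_id for p in perm.get("UserIdGroupPairs", [])):
                rules.append((perm["IpProtocol"], perm.get("FromPort", 0), perm.get("ToPort", 65535)))
    return rules


def nacl_allows(network_acls, acl_id, peer_ip, egress, protocol="-1", port=None):
    """Evaluate network ACL entries the way the VPC does: lowest rule number first,
    the first matching entry wins, and the '*' entry (32767) is the default deny.
    With the default arguments only all-protocol entries are considered."""
    addr = ipaddress.ip_address(peer_ip)
    for acl in network_acls:
        if acl["NetworkAclId"] != acl_id:
            continue
        entries = (e for e in acl["Entries"] if e["Egress"] == egress and "CidrBlock" in e)
        for e in sorted(entries, key=lambda e: e["RuleNumber"]):
            if addr not in ipaddress.ip_network(e["CidrBlock"]):
                continue
            if e["Protocol"] not in ("-1", protocol):
                continue
            pr = e.get("PortRange")
            if pr and port is not None and not pr["From"] <= port <= pr["To"]:
                continue
            return e["RuleAction"] == "allow"
    return False


def check_cross_vpc(route_tables, security_groups, network_acls, dir_dns_ips):
    """Return a list of findings; an empty list means steps 1-3 are satisfied."""
    findings = []
    if not route_via_peering(route_tables, DB_RTB, DIR_VPC_CIDR, PEERING_ID):
        findings.append(f"{DB_RTB}: no active route for {DIR_VPC_CIDR} via {PEERING_ID}")
    if not route_via_peering(route_tables, DIR_RTB, DB_VPC_CIDR, PEERING_ID):
        findings.append(f"{DIR_RTB}: no active return route for {DB_VPC_CIDR} via {PEERING_ID}")
    if not ingress_from_group(security_groups, DB_SG, DIR_SG):
        findings.append(f"{DB_SG}: no ingress rule whose source is {DIR_SG}")
    for ip in dir_dns_ips:
        # Network ACLs are stateless: inbound and outbound entries must both allow the DC.
        for egress, label in ((False, "inbound from"), (True, "outbound to")):
            if not nacl_allows(network_acls, DB_NACL, ip, egress):
                findings.append(f"{DB_NACL}: {label} domain controller {ip} is denied")
    return findings


if __name__ == "__main__":
    for line in check_cross_vpc(ROUTE_TABLES, SECURITY_GROUPS, NETWORK_ACLS, DIR_DNS_IPS) or ["OK"]:
        print(line)
```

With real data, replace the constants with the output of the `describe-*` calls (`--output json`). The constructed snapshot produces two findings: the directory VPC lacks the return route, and the ACL entry numbered 90 denies one of the two domain controllers while the other is reachable, which is the kind of intermittent failure that is hard to diagnose from the DB instance alone.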

If a different Amazon Web Services account owns the directory, you must share the directory with the Amazon Web Services account that contains the RDS Custom for SQL Server DB instance. To do so, follow Tutorial: Sharing your Amazon Managed Microsoft AD for seamless EC2 domain-join in the Amazon Directory Service Administration Guide.

Sharing a directory between Amazon Web Services accounts
  1. Sign in to the Amazon Directory Service console using the account for the DB instance and confirm that the directory has the SHARED status before you proceed.

  2. While signed in to the Amazon Directory Service console using the account for the DB instance, note the Directory ID value. You use this ID to join the DB instance to the domain.

Configure DNS resolution

When you create a directory with Amazon Managed Microsoft AD, Amazon Directory Service creates two domain controllers and adds the DNS service on your behalf.

If you have an existing Amazon Managed Microsoft AD, or plan to launch one, in a VPC other than the one that contains your RDS Custom for SQL Server DB instance, the DB instance's VPC can't resolve the directory's domain by default. Configure the VPC DNS resolver to forward queries for the directory's domain to the directory's DNS servers by using a Route 53 Resolver outbound endpoint and a forwarding rule. For more information, see Configure a Route 53 Resolver outbound endpoint to resolve DNS records.
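The following script is an added example, not part of this documentation or of Route 53 Resolver. It checks the configuration the paragraph above describes over constructed snapshots shaped like the JSON that `aws ds describe-directories`, `aws route53resolver list-resolver-endpoints`, `list-resolver-rules` and `list-resolver-rule-associations` return: a FORWARD rule for the directory's domain whose targets are the directory's DNS servers, served by an OPERATIONAL outbound endpoint, and associated with the DB instance's VPC. All IDs, names and addresses are hypothetical.

```python
"""Check the Route 53 Resolver forwarding setup for a directory in another VPC:
FORWARD rule for the directory's domain -> directory DNS servers, served by an
OUTBOUND endpoint, associated with the DB instance's VPC.

The inputs mimic `aws ds describe-directories`, `aws route53resolver
list-resolver-endpoints`, `list-resolver-rules` and `list-resolver-rule-associations`.
All values are constructed for this example; IDs, names and addresses are hypothetical.
"""

DB_VPC_ID = "vpc-0db0000000000000a"

DIRECTORY = {
    "DirectoryId": "d-0123456789", "Name": "corp.example.com",
    "DnsIpAddrs": ["10.1.0.10", "10.1.1.10"],           # the two domain controllers
    "VpcSettings": {"VpcId": "vpc-0ad0000000000000a"},   # directory VPC, not the DB VPC
}
RESOLVER_ENDPOINTS = [
    {"Id": "rslvr-out-0123456789abcdef0", "Direction": "OUTBOUND",
     "Status": "OPERATIONAL", "HostVPCId": DB_VPC_ID},
]
RESOLVER_RULES = [
    {"Id": "rslvr-rr-0123456789abcdef0", "RuleType": "FORWARD",
     "DomainName": "corp.example.com.",                  # Resolver stores a trailing dot
     "ResolverEndpointId": "rslvr-out-0123456789abcdef0",
     "TargetIps": [{"Ip": "10.1.0.10", "Port": 53}]},   # second DC omitted on purpose
]
RULE_ASSOCIATIONS = [
    # Associated with some other VPC, not the DB instance's VPC.
    {"ResolverRuleId": "rslvr-rr-0123456789abcdef0", "VPCId": "vpc-0other00000000000", "Status": "COMPLETE"},
]


def normalize(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.lower().rstrip(".")


def forward_rules_for(rules, domain):
    """FORWARD rules whose domain is exactly the directory's domain."""
    return [r for r in rules
            if r["RuleType"] == "FORWARD" and normalize(r["DomainName"]) == normalize(domain)]


def check_dns_forwarding(directory, endpoints, rules, associations, db_vpc_id):
    """Return a list of findings; an empty list means the DB VPC resolves the
    directory's domain through the directory's own DNS servers."""
    domain, dcs = directory["Name"], set(directory["DnsIpAddrs"])
    matches = forward_rules_for(rules, domain)
    if not matches:
        return [f"no FORWARD rule for {domain}: queries stay with the VPC default resolver"]
    findings = []
    for rule in matches:
        targets = {t["Ip"] for t in rule["TargetIps"] if t.get("Port", 53) == 53}
        missing = dcs - targets
        if missing:
            findings.append(f"{rule['Id']}: domain controllers not listed as targets: {sorted(missing)}")
        ep = next((e for e in endpoints if e["Id"] == rule["ResolverEndpointId"]), None)
        if ep is None or ep["Direction"] != "OUTBOUND" or ep["Status"] != "OPERATIONAL":
            findings.append(f"{rule['Id']}: {rule['ResolverEndpointId']} is not an OPERATIONAL outbound endpoint")
        if not any(a["ResolverRuleId"] == rule["Id"] and a["VPCId"] == db_vpc_id and a["Status"] == "COMPLETE"
                   for a in associations):
            findings.append(f"{rule['Id']}: not associated with the DB instance's VPC {db_vpc_id}")
    return findings


if __name__ == "__main__":
    for line in check_dns_forwarding(DIRECTORY, RESOLVER_ENDPOINTS, RESOLVER_RULES,
                                     RULE_ASSOCIATIONS, DB_VPC_ID) or ["OK"]:
        print(line)
```

The constructed snapshot yields two findings: only one of the two domain controllers is a forwarding target, so resolution depends on a single server, and the rule is associated with a VPC other than the DB instance's, so the DB instance's queries never reach the rule. The security group of the outbound endpoint must also permit TCP and UDP port 53 toward the directory's DNS addresses, which the script does not check.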