Amazon Managed Microsoft AD
Amazon Directory Service for Microsoft Active Directory, also referred to as Amazon Managed Microsoft AD, runs Microsoft Active Directory as a managed service powered by Windows Server 2019. It creates a highly available pair of domain controllers in your Amazon VPC across different Availability Zones, with Amazon automatically managing host monitoring, recovery, data replication, snapshots, and software updates. This service enables you to run directory-aware workloads, manage users and groups, provide single sign-on, create and apply group policies, and securely connect to Amazon EC2 instances.
Amazon Directory Service offers two Microsoft Active Directory solutions: Amazon Directory Service for Microsoft Active Directory provides a fully managed Active Directory service in the Amazon Cloud, while Amazon Managed Microsoft AD (Hybrid Edition) extends your existing self-managed AD to Amazon.
Amazon Managed Microsoft AD (Standard Edition and Enterprise Edition) creates new managed AD domains to manage users, devices, and computers on Amazon. These directories establish resource forests that create trust relationships with your existing AD domains on-premises, in Amazon, or in multi-cloud environments. Users can access Amazon resources with their existing credentials from your current AD domains. User identities stay in your existing AD domains while the resource forest manages your Amazon resources, maintaining operational isolation between environments while providing seamless single sign-on.
Amazon Managed Microsoft AD (Hybrid Edition) connects your self-managed Active Directory with Amazon Directory Service for Microsoft Active Directory, creating an integrated identity environment spanning both your infrastructure and the Amazon Web Services Cloud. This solution extends your directory services to Amazon without synchronizing user identities, establishes trust relationships between environments, and provides seamless access using existing credentials.
With Amazon Managed Microsoft AD, you can run directory-aware workloads in the Amazon Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure trust relationships between Amazon Managed Microsoft AD and your existing self-managed Microsoft Active Directory, providing users and groups with access to resources in either domain using Amazon IAM Identity Center.
Which to choose
You can choose between two Amazon Directory Service options with the features and scalability that best meet your needs. The following table helps you determine which option works best for your organization.
Use case | Recommended solution |
---|---|
Run directory-aware workloads, Amazon applications, or Linux applications requiring LDAP support | Amazon Managed Microsoft AD (Standard Edition and Enterprise Edition) creates new managed AD domains to manage users, devices, and computers on Amazon. These directories establish resource forests that create trust relationships with your existing AD domains on-premises, in Amazon, or in multi-cloud environments. Users can access Amazon resources with their existing credentials from your current AD domains. User identities stay in your existing AD domains while the resource forest manages your Amazon resources, maintaining operational isolation between environments while providing seamless single sign-on. |
Extend existing Active Directory to Amazon | Amazon Managed Microsoft AD (Hybrid Edition) connects your self-managed Active Directory with Amazon Directory Service for Microsoft Active Directory, creating an integrated identity environment spanning both your infrastructure and the Amazon Web Services Cloud. This solution extends your directory services to Amazon without synchronizing user identities, establishes trust relationships between environments, and provides seamless access using existing credentials. |