Amazon Managed Microsoft AD - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Managed Microsoft AD

Amazon Directory Service lets you run Microsoft Active Directory (AD) as a managed service. Amazon Directory Service for Microsoft Active Directory, also referred to as Amazon Managed Microsoft AD, is powered by Windows Server 2019. When you select and launch this directory type, it is created as a highly available pair of domain controllers connected to your virtual private cloud (Amazon VPC). The domain controllers run in different Availability Zones in a Region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are automatically configured and managed for you.

With Amazon Managed Microsoft AD, you can run directory-aware workloads in the Amazon Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure a trust relationship between Amazon Managed Microsoft AD in the Amazon Cloud and your existing on-premises Microsoft Active Directory, providing users and groups with access to resources in either domain, using Amazon IAM Identity Center.

Amazon Directory Service makes it easy to set up and run directories in the Amazon Cloud, or connect your Amazon resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it for a variety of tasks:

  • Manage users and groups

  • Provide single sign-on to applications and services

  • Create and apply group policy

  • Simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads

  • You can use Amazon Managed Microsoft AD to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure to provide an additional layer of security when users access Amazon applications

  • Securely connect to Amazon EC2 Linux and Windows instances


Amazon manages the licensing of your Windows Server instances for you; all you need to do is pay for the instances you use. There is also no need to buy additional Windows Server Client Access Licenses (CALs), as access is included in the price. Each instance comes with two remote connections for admin purposes only. If you require more than two connections, or need those connections for purposes other than admin, you may have to bring in additional Remote Desktop Services CALs for use on Amazon.

Read the topics in this section to get started creating a Amazon Managed Microsoft AD directory, creating a trust relationship between Amazon Managed Microsoft AD and your on-premises directories, and extending your Amazon Managed Microsoft AD schema.

Related Amazon Security blog articles