Application compatibility policy for Amazon Managed Microsoft AD
Amazon Directory Service for Microsoft Active Directory (Amazon Managed Microsoft AD) is compatible with multiple Amazon services and third-party applications.
The following is a list of compatible Amazon applications and services:
- Amazon Chime - For detailed instructions, see Connect to your Active Directory.
- Amazon Connect - For more information, see How Amazon Connect works.
- Amazon EC2 - For more information, see Join an Amazon EC2 instance to your Amazon Managed Microsoft AD Active Directory.
- Amazon QuickSight - For more information, see Managing user accounts in Amazon QuickSight Enterprise Edition.
- Amazon RDS for MySQL - For more information, see Using Kerberos authentication for MySQL.
- Amazon RDS for Oracle - For more information, see Using Kerberos authentication with Amazon RDS for Oracle.
- Amazon RDS for PostgreSQL - For more information, see Using Kerberos authentication with Amazon RDS for PostgreSQL.
- Amazon RDS for SQL Server - For more information, see Using Windows authentication with an Amazon RDS Microsoft SQL Server DB instance.
- Amazon WorkDocs - For detailed instructions, see Connecting to your on-premises directory with Amazon Managed Microsoft AD.
- Amazon WorkMail - For detailed instructions, see Integrate Amazon WorkMail with an existing directory (standard setup).
- Amazon Client VPN - For detailed instructions, see Client authentication and authorization.
- Amazon IAM Identity Center - For detailed instructions, see Connect IAM Identity Center to an on-premises Active Directory.
- Amazon License Manager - For more information, see User-based subscriptions in Amazon License Manager.
- Amazon Web Services Management Console - For more information, see Enable access to the Amazon Web Services Management Console with AD credentials.
- FSx for Windows File Server - For more information, see What is FSx for Windows File Server?
- WorkSpaces - For detailed instructions, see Launch a WorkSpace using Amazon Managed Microsoft AD.
Due to the magnitude of custom and commercial off-the-shelf applications that use Active Directory, Amazon does not and cannot perform formal or broad verification of third-party application compatibility with Amazon Directory Service for Microsoft Active Directory (Amazon Managed Microsoft AD). Although Amazon works with customers in an attempt to overcome any potential application installation challenges they might encounter, we are unable to guarantee that any application is or will continue to be compatible with Amazon Managed Microsoft AD.
The following third-party applications are compatible with Amazon Managed Microsoft AD:
- Active Directory-Based Activation (ADBA)
- Active Directory Certificate Services (AD CS): Enterprise Certificate Authority
- Active Directory Federation Services (AD FS)
- Active Directory Users and Computers (ADUC)
- Application Server (.NET)
- Microsoft Entra (formerly known as Azure Active Directory (Azure AD))
- Microsoft Entra Connect (formerly known as Azure Active Directory Connect)
- Distributed File System Replication (DFSR)
- Distributed File System Namespaces (DFSN)
- Microsoft Remote Desktop Services Licensing Server
- Microsoft SharePoint Server
- Microsoft SQL Server (including SQL Server Always On Availability Groups)
- Microsoft System Center Configuration Manager (SCCM) - The user deploying SCCM must be a member of the Amazon Delegated System Management Administrators group.
- Microsoft Windows and Windows Server OS
- Office 365
Note that not all configurations of these applications may be supported.
Compatibility guidelines
Although some application configurations are incompatible, a different deployment configuration can often overcome the incompatibility. The following describes the most common reasons for application incompatibility. Customers can use this information to investigate the compatibility characteristics of a desired application and identify potential deployment changes.
- Domain administrator or other privileged permissions - Some applications state that you must install them as the domain administrator. Because Amazon must retain exclusive control of this permission level in order to deliver Active Directory as a managed service, you cannot act as the domain administrator to install such applications. However, you can often install such applications by delegating specific, less privileged, Amazon-supported permissions to the person who performs the installation. For more details on the precise permissions that your application requires, ask your application provider. For more information about the permissions that Amazon allows you to delegate, see What gets created.
- Access to privileged Active Directory containers - Within your directory, Amazon Managed Microsoft AD provides an Organizational Unit (OU) over which you have full administrative control. You do not have create or write permissions, and may have only limited read permissions, to containers that are higher in the Active Directory tree than your OU. Applications that create or access containers for which you have no permissions might not work. However, such applications often have the ability to use a container that you create in your OU as an alternative. Check with your application provider to find ways to create and use a container in your OU as an alternative. For more information on managing your OU, see How to administer Amazon Managed Microsoft AD.
- Schema changes during the install workflow - Some Active Directory applications require changes to the default Active Directory schema, and they may attempt to install those changes as part of the application installation workflow. Due to the privileged nature of schema extensions, Amazon makes this possible only by importing Lightweight Directory Interchange Format (LDIF) files through the Amazon Directory Service console, CLI, or SDK. Such applications often come with an LDIF file that you can apply to the directory through the Amazon Directory Service schema update process. For more information about how the LDIF import process works, see Tutorial: Extending your Amazon Managed Microsoft AD schema. You can then install the application in a way that bypasses the schema installation step of its installation process.
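Because a schema extension is a privileged, effectively irreversible change that you submit through the Directory Service API rather than through the application installer, it is worth reviewing the vendor's LDIF file before submitting it. The following is an added example (not code from the AWS documentation or from boto3) that parses an LDIF file, flags any entry that is not a plain add/modify under CN=Schema,CN=Configuration (my own review rule, not an AWS requirement), and builds the keyword arguments for boto3's ds.start_schema_extension() with the pre-extension snapshot enabled; the sample LDIF, its DC components, attribute name and OID are constructed placeholders.

```python
# Added example (not AWS docs or boto3 code): pre-flight review of an LDIF schema extension.
import re

# Constructed sample: DC components, attribute name and OID are placeholders.
SAMPLE_LDIF = """\
dn: CN=example-Shoe-Size,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: example-Shoe-Size
attributeSyntax: 2.5.5.9
oMSyntax: 2

dn: CN=Policies,CN=System,DC=example,DC=com
changetype: modify
add: description
description: not a schema change
-
"""
SCHEMA_NC = re.compile(r",cn=schema,cn=configuration,", re.IGNORECASE)

def parse_ldif(text):
    """Split RFC 2849 LDIF (no folded lines) into one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {"dn": None, "changetype": None, "attrs": {}}
        for line in block.splitlines():
            if line == "-" or line.startswith("#"):
                continue                      # modify separator or comment
            name, _, value = line.partition(":")
            name, value = name.strip(), value.strip()
            if name.lower() in ("dn", "changetype"):
                entry[name.lower()] = value
            else:
                entry["attrs"].setdefault(name, []).append(value)
        entries.append(entry)
    return entries

def review(ldif_text):
    """DNs of entries that are not a plain add/modify under the schema NC."""
    return [e["dn"] for e in parse_ldif(ldif_text)
            if e["changetype"] not in ("add", "modify")
            or not SCHEMA_NC.search(e["dn"] or "")]

def build_request(directory_id, ldif_text, description):
    """Kwargs for boto3 ds.start_schema_extension(); snapshot first, so it can be rolled back."""
    if bad := review(ldif_text):
        raise ValueError("not a pure schema change: %s" % ", ".join(bad))
    return {"DirectoryId": directory_id, "CreateSnapshotBeforeSchemaExtension": True,
            "LdifContent": ldif_text, "Description": description}
```

To submit a file that passes review, call `boto3.client("ds").start_schema_extension(**build_request(...))` with your directory ID; the second sample entry above is rejected because it modifies an object outside the schema container.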
Known incompatible applications
The following lists commonly requested commercial off-the-shelf applications for which we have not found a configuration that works with Amazon Managed Microsoft AD. Amazon updates this list from time to time at its sole discretion as a courtesy to help you avoid unproductive efforts. Amazon provides this information without warranty or claims regarding current or future compatibility.
- Active Directory Certificate Services (AD CS): Certificate Enrollment Web Service
- Active Directory Certificate Services (AD CS): Certificate Enrollment Policy Web Service
- Microsoft Exchange Server
- Microsoft Skype for Business Server