Key directory sharing concepts - Amazon Directory Service
Directory owner accountDirectory consumer accountSharing methodsNetwork connectivity
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Key directory sharing concepts

You'll get more out of the directory sharing feature if you become familiar with the following key concepts.

Two Amazon Managed Microsoft AD with directory sharing, domain joins, and Amazon VPC peering.

Directory owner account

A directory owner is the Amazon Web Services account holder that owns the originating directory in the shared directory relationship. An administrator in this account initiates the directory sharing workflow by specifying which Amazon Web Services accounts to share their directory with. Directory owners can see who they've shared a directory with using the Scale & Share tab for a given directory in the Amazon Directory Service console.

Directory consumer account

In a shared directory relationship, a directory consumer represents the Amazon Web Services account to which the directory owner shared the directory with. Depending on the sharing method used, an administrator in this account may need to accept an invite sent from the directory owner before they can start using the shared directory.

The directory sharing process creates a shared directory in the directory consumer account. This shared directory contains the metadata that enables the EC2 instance to seamlessly join the domain, which locates the originating directory in the directory owner account. Each shared directory in the directory consumer account has a unique identifier (Shared directory ID).

Sharing methods

Amazon Managed Microsoft AD provides the following two directory sharing methods:

  • Amazon Organizations – This method makes it easier to share the directory within your organization because you can browse and validate the directory consumer accounts. To use this option, your organization must have All features enabled, and your directory must be in the organization management account. This method of sharing simplifies your setup because it doesn’t require the directory consumer accounts to accept your directory sharing request. In the console, this method is referred to as Share this directory with Amazon Web Services accounts inside your organization.

  • Handshake – This method enables directory sharing when you aren’t using Amazon Organizations. The handshake method requires the directory consumer account to accept the directory sharing request. In the console, this method is referred to as Share this directory with other Amazon Web Services accounts.

Network connectivity

Network connectivity is a prerequisite to use a directory sharing relationship across Amazon Web Services accounts. Amazon supports many solutions to connect your VPCs, some of these include VPC peering, Transit Gateway, and VPN. To get started, see Tutorial: Sharing your Amazon Managed Microsoft AD directory for seamless EC2 domain-join.