Share your Amazon Managed Microsoft AD
Amazon Managed Microsoft AD integrates tightly with Amazon Organizations to allow seamless directory sharing across multiple Amazon Web Services accounts. You can share a single directory with other trusted Amazon Web Services accounts within the same organization or share the directory with other Amazon Web Services accounts that are outside your organization. You can also share your directory when your Amazon Web Services account is not currently a member of an organization.
Key directory sharing concepts
You'll get more out of the directory sharing feature if you become familiar with the following key concepts.
Directory owner account
A directory owner is the Amazon Web Services account holder that owns the originating directory in the shared directory relationship. An administrator in this account initiates the directory sharing workflow by specifying which Amazon Web Services accounts to share their directory with. Directory owners can see who they've shared a directory with using the Scale & Share tab for a given directory in the Amazon Directory Service console.
Directory consumer account
In a shared directory relationship, a directory consumer represents the Amazon Web Services account to which the directory owner shared the directory with. Depending on the sharing method used, an administrator in this account may need to accept an invite sent from the directory owner before they can start using the shared directory.
The directory sharing process creates a shared directory in the directory consumer account. This shared directory contains the metadata that enables the EC2 instance to seamlessly join the domain, which locates the originating directory in the directory owner account. Each shared directory in the directory consumer account has a unique identifier (Shared directory ID).
Sharing methods
Amazon Managed Microsoft AD provides the following two directory sharing methods:
-
Amazon Organizations – This method makes it easier to share the directory within your organization because you can browse and validate the directory consumer accounts. To use this option, your organization must have All features enabled, and your directory must be in the organization management account. This method of sharing simplifies your setup because it doesn’t require the directory consumer accounts to accept your directory sharing request. In the console, this method is referred to as Share this directory with Amazon Web Services accounts inside your organization.
-
Handshake – This method enables directory sharing when you aren’t using Amazon Organizations. The handshake method requires the directory consumer account to accept the directory sharing request. In the console, this method is referred to as Share this directory with other Amazon Web Services accounts.
Network connectivity
Network connectivity is a prerequisite to use a directory sharing relationship across
Amazon Web Services accounts. Amazon supports many solutions to connect your VPCs, some of these include
VPC
peering
Considerations
The following are some considerations when using directory share with your Amazon Managed Microsoft AD:
Pricing
-
Amazon charges an additional fee for directory sharing. The Amazon Web Services account that is using the shared Amazon Managed Microsoft AD is the account charged the sharing fees. To learn more, see the Pricing
page on the Amazon Directory Service website. -
Directory sharing makes Amazon Managed Microsoft AD a more cost-effective way of integrating with Amazon EC2 in multiple accounts and VPCs.
Region availability
Directory sharing is available in all Amazon regions where Amazon Managed Microsoft AD is offered.
In the Amazon China (Ningxia), this feature is available only when using Amazon Systems Manager
(SSM) to seamlessly join your Amazon EC2 instances.
For more information about directory sharing and how to extend the reach of your Amazon Managed Microsoft AD directory across Amazon account boundaries, see the following topics.
Topics
Additional resources