Getting started with Amazon Managed Microsoft AD - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with Amazon Managed Microsoft AD

Amazon Managed Microsoft AD creates a fully managed Microsoft Active Directory in the Amazon Web Services Cloud. It is powered by Windows Server 2019 and operates at the Windows Server 2012 R2 forest and domain functional levels. When you create a directory with Amazon Managed Microsoft AD, Amazon Directory Service creates two domain controllers and adds the DNS service on your behalf. The domain controllers are created in different subnets of an Amazon VPC; this redundancy helps ensure that your directory remains accessible even if one domain controller or Availability Zone fails. If you need more domain controllers, you can add them later. For more information, see Deploy additional domain controllers.

Amazon Managed Microsoft AD prerequisites

To create an Amazon Managed Microsoft AD Active Directory, you need an Amazon VPC that meets the following requirements:

  • At least two subnets. Each of the subnets must be in a different Availability Zone.

  • The VPC must have default hardware tenancy.

  • You cannot create an Amazon Managed Microsoft AD in a VPC that uses addresses in the 198.18.0.0/15 range; that range is reserved for the directory's management network (see below).

If you need to integrate your Amazon Managed Microsoft AD domain with an existing on-premises Active Directory domain, you must have the Forest and Domain functional levels for your on-premises domain set to Windows Server 2003 or higher.

Amazon Directory Service uses a two-VPC structure. The EC2 instances that make up your directory run outside of your Amazon account and are managed by Amazon. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter and exists outside of your account; ETH1 is created within your account.

The management IP range of your directory's ETH0 network is 198.18.0.0/15.
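As an added check (example code, not part of the Amazon documentation), the prerequisites above can be validated before you open the console. The function below takes dictionaries in the shape of describe-vpcs and describe-subnets output (the field names VpcId, CidrBlock, InstanceTenancy, SubnetId and AvailabilityZone are assumed) and reports every violation rather than stopping at the first one; the sample VPCs and subnets are constructed.

```python
import ipaddress

# Reserved for the directory's ETH0 management adapter (see above); no VPC or
# subnet address may fall inside it.
MANAGEMENT_RANGE = ipaddress.ip_network("198.18.0.0/15")


def check_directory_prerequisites(vpc, subnets):
    """Return every prerequisite violation for a VPC and candidate subnets.

    `vpc` and `subnets` follow the field names of describe-vpcs / describe-subnets
    output (VpcId, CidrBlock, InstanceTenancy, SubnetId, AvailabilityZone); those
    names are assumed here. An empty list means the selection is acceptable.
    """
    problems = []

    # The VPC must use default hardware tenancy.
    if vpc.get("InstanceTenancy") != "default":
        problems.append(f"VPC tenancy is {vpc.get('InstanceTenancy')!r}, must be 'default'")

    # No address space may overlap the 198.18.0.0/15 management range.
    for cidr in [vpc["CidrBlock"]] + [s["CidrBlock"] for s in subnets]:
        if ipaddress.ip_network(cidr, strict=False).overlaps(MANAGEMENT_RANGE):
            problems.append(f"{cidr} overlaps the reserved management range {MANAGEMENT_RANGE}")

    # Every subnet must belong to this VPC.
    for s in subnets:
        if s.get("VpcId") != vpc["VpcId"]:
            problems.append(f"{s['SubnetId']} is not in {vpc['VpcId']}")

    # At least two subnets, in at least two different Availability Zones.
    zones = {s["AvailabilityZone"] for s in subnets}
    if len(subnets) < 2:
        problems.append(f"{len(subnets)} subnet(s) selected, at least 2 are required")
    elif len(zones) < 2:
        problems.append("all selected subnets are in one Availability Zone: " + ", ".join(sorted(zones)))

    return problems


# Constructed sample inputs (not real account data).
GOOD_VPC = {"VpcId": "vpc-0good", "CidrBlock": "10.0.0.0/16", "InstanceTenancy": "default"}
GOOD_SUBNETS = [
    {"SubnetId": "subnet-0a", "VpcId": "vpc-0good", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "cn-north-1a"},
    {"SubnetId": "subnet-0b", "VpcId": "vpc-0good", "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "cn-north-1b"},
]
BAD_VPC = {"VpcId": "vpc-0bad", "CidrBlock": "198.18.0.0/16", "InstanceTenancy": "dedicated"}
BAD_SUBNETS = [
    {"SubnetId": "subnet-1a", "VpcId": "vpc-0bad", "CidrBlock": "198.18.1.0/24", "AvailabilityZone": "cn-north-1a"},
    {"SubnetId": "subnet-1b", "VpcId": "vpc-0bad", "CidrBlock": "198.18.2.0/24", "AvailabilityZone": "cn-north-1a"},
]

if __name__ == "__main__":
    for label, vpc, subnets in (("good", GOOD_VPC, GOOD_SUBNETS), ("bad", BAD_VPC, BAD_SUBNETS)):
        print(label, check_directory_prerequisites(vpc, subnets) or "OK")
```

The overlap test uses the whole 198.18.0.0/15 block rather than a prefix comparison on purpose: a VPC with a secondary CIDR such as 198.19.0.0/16 is just as invalid as one with 198.18.0.0/16.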

Amazon IAM Identity Center prerequisites

If you plan to use IAM Identity Center with Amazon Managed Microsoft AD, you need to ensure that the following are true:

  • Your Amazon Managed Microsoft AD directory is set up in your Amazon organization’s management account.

  • Your instance of IAM Identity Center is in the same Region where your Amazon Managed Microsoft AD directory is set up.

For more information, see IAM Identity Center prerequisites in the Amazon IAM Identity Center User Guide.

Multi-factor authentication prerequisites

To support multi-factor authentication with your Amazon Managed Microsoft AD directory, you must configure either your on-premises or cloud-based Remote Authentication Dial-In User Service (RADIUS) server in the following way so that it can accept requests from your Amazon Managed Microsoft AD directory in Amazon.

  1. On your RADIUS server, create two RADIUS clients to represent both of the Amazon Managed Microsoft AD domain controllers (DCs) in Amazon. You must configure both clients using the following common parameters (your RADIUS server may vary):

    • Address (DNS or IP): The DNS address of one of the Amazon Managed Microsoft AD DCs. Both addresses are shown in the Amazon Directory Service console on the Details page of the directory in which you plan to use MFA; they are the IP addresses of the two DCs that Amazon runs for your directory.

      Note

      If your RADIUS server supports DNS addresses, you must create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each Amazon Managed Microsoft AD DC.

    • Port number: Configure the port number for which your RADIUS server accepts RADIUS client connections. The standard RADIUS port is 1812.

    • Shared secret: Type or generate a shared secret that the RADIUS server and its clients use to authenticate each other's packets. Use a long, randomly generated value; it is the only thing that protects the RADIUS exchange between the DCs and the server.

    • Protocol: You might need to configure the authentication protocol between the Amazon Managed Microsoft AD DCs and the RADIUS server. Supported protocols are PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the four options.

    • Application name: This may be optional in some RADIUS servers and usually identifies the application in messages or reports.

  2. Configure your existing network to allow inbound traffic from the RADIUS clients (Amazon Managed Microsoft AD DCs DNS addresses, see Step 1) to your RADIUS server port.

  3. Add a rule to the Amazon EC2 security group in your Amazon Managed Microsoft AD domain that allows inbound traffic from the RADIUS server DNS address and port number defined previously. For more information, see Adding rules to a security group in the EC2 User Guide.

For more information about using Amazon Managed Microsoft AD with MFA, see Enable multi-factor authentication for Amazon Managed Microsoft AD.
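Added example (not part of the Amazon documentation, and not the directory service's own code): a minimal RADIUS round trip in Python following RFC 2865, showing what the two items configured above, the port and the shared secret, are actually used for. The client side stands in for a domain controller sending an Access-Request; the server side recovers the User-Password with the shared secret, decides, and returns a reply signed with the Response Authenticator. It uses PAP password hiding because that is the simplest to show, whereas the page recommends MS-CHAPv2. The secret, user, one-time code and NAS identifier are constructed, and the credential check is a stand-in for whatever your RADIUS server does for MFA. The third case in the test matters most: when the two sides hold different secrets, the reply fails verification and is dropped, which is what a mistyped shared secret looks like from the directory's side.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute types, RFC 2865


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs = {}
    while len(data) >= 2:
        atype, alen = data[0], data[1]
        if alen < 2:
            break
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def _hide_password(secret, request_auth, password):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def _unhide_password(secret, request_auth, hidden):
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(prev, key))
    return plain.rstrip(b"\x00").decode("utf-8", "replace")


def build_access_request(secret, ident, username, password, nas_id, request_auth=None):
    """Client side (what a DC sends): Access-Request with a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, _hide_password(secret, request_auth, password))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def handle_access_request(secret, packet, credential_check):
    """Server side: recover the password with the shared secret, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    password = _unhide_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    ok = code == ACCESS_REQUEST and credential_check(username, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)  # no reply attrs
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(secret, request, response):
    """Client side: accept the reply only if it matches our request and our secret."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None   # forged, or the two sides disagree on the secret: treated as no answer
    return code


SHARED_SECRET = b"constructed-example-secret-replace-with-a-long-random-value"


def _check(username, password):
    """Constructed stand-in for the server's real MFA check (OTP lookup and so on)."""
    return (username, password) == ("alice", "123456")


def exchange(password="123456", server_secret=SHARED_SECRET):
    """Run one round trip and return the verified reply code, or None if unverifiable."""
    request = build_access_request(SHARED_SECRET, 7, "alice", password, "ManagedAD-DC1")
    response = handle_access_request(server_secret, request, _check)
    return verify_response(SHARED_SECRET, request, response)


if __name__ == "__main__":
    print("good code:", exchange(), "bad code:", exchange(password="000000"),
          "secret mismatch:", exchange(server_secret=b"different"))
```

Because the server signs its reply with whatever secret it holds, a mismatch never produces an explicit error on the wire: the directory simply sees replies it cannot verify, which surfaces as MFA logons that time out.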

Create your Amazon Managed Microsoft AD

To create a new directory, perform the following steps. Before starting this procedure, make sure that you have completed the prerequisites identified in Amazon Managed Microsoft AD prerequisites.

To create an Amazon Managed Microsoft AD directory
  1. In the Amazon Directory Service console navigation pane, choose Directories and then choose Set up directory.

  2. On the Select directory type page, choose Amazon Managed Microsoft AD, and then choose Next.

  3. On the Enter directory information page, provide the following information:

    Edition

    Choose from either the Standard Edition or Enterprise Edition of Amazon Managed Microsoft AD. For more information about editions, see Amazon Directory Service for Microsoft Active Directory.

    Directory DNS name

    The fully qualified name for the directory, such as corp.example.com.

    Note

    If you plan on using Amazon Route 53 for DNS, the domain name of your Amazon Managed Microsoft AD must be different than your Route 53 domain name. DNS resolution issues can occur if Route 53 and Amazon Managed Microsoft AD share the same domain name.

    Directory NetBIOS name

    The short name for the directory, such as CORP.

    Directory description

    An optional description for the directory.

    Admin password

    The password for the directory administrator. The directory creation process creates an administrator account with the user name Admin and this password.

    The password cannot include the word "admin."

    The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:

    • Lowercase letters (a-z)

    • Uppercase letters (A-Z)

    • Numbers (0-9)

    • Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

    Confirm password

    Retype the administrator password.

  4. On the Choose VPC and subnets page, provide the following information, and then choose Next.

    VPC

    The VPC for the directory.

    Subnets

    Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.

  5. On the Review & create page, review the directory information and make any necessary changes. When the information is correct, choose Create directory. Creating the directory takes 20 to 40 minutes. Once created, the Status value changes to Active.
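Added example (not from the Amazon documentation): a Python helper that checks a proposed Admin password against the rules in step 3, generates one that satisfies them from the OS CSPRNG, and assembles the parameter set for the CreateMicrosoftAD API, which takes the same fields the console collects (in boto3 you would pass the result to ds.create_microsoft_ad(**params)). The VPC and subnet IDs are placeholders, treating the "admin" exclusion as case-insensitive is an assumption, and the example does not send the request.

```python
import secrets
import string

# The four character categories named in step 3; a password needs at least three.
CATEGORIES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/"),
}


def validate_admin_password(password):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append(f"length {len(password)} is outside 8..64")
    # Assumption: the 'admin' exclusion is applied case-insensitively.
    if "admin" in password.lower():
        problems.append("contains the word 'admin'")
    used = [name for name, chars in CATEGORIES.items() if any(c in chars for c in password)]
    if len(used) < 3:
        problems.append(f"uses only {len(used)} of the 4 character categories: {used}")
    return problems


def generate_admin_password(length=32):
    """Draw a random password from the OS CSPRNG until it satisfies the rules."""
    alphabet = "".join(sorted(set().union(*CATEGORIES.values())))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not validate_admin_password(candidate):
            return candidate


def build_create_request(name, short_name, password, vpc_id, subnet_ids,
                         edition="Standard", description=None):
    """Assemble the CreateMicrosoftAD parameters (boto3: ds.create_microsoft_ad(**params)).

    Fails locally on anything the service would reject instead of sending it."""
    problems = validate_admin_password(password)
    if problems:
        raise ValueError("Admin password rejected: " + "; ".join(problems))
    if edition not in ("Standard", "Enterprise"):
        raise ValueError(f"edition must be Standard or Enterprise, not {edition!r}")
    if len(subnet_ids) != 2:
        raise ValueError("exactly two subnets, in different Availability Zones, are required")
    params = {
        "Name": name,                 # directory DNS name, e.g. corp.example.com
        "ShortName": short_name,      # NetBIOS name, e.g. CORP
        "Password": password,         # Admin password; keep it in a secrets manager, not in code
        "Edition": edition,
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)},
    }
    if description:
        params["Description"] = description
    return params


if __name__ == "__main__":
    # Placeholder IDs; the password is generated rather than typed.
    params = build_create_request("corp.example.com", "CORP", generate_admin_password(),
                                  "vpc-0example", ["subnet-0a", "subnet-0b"],
                                  description="Example directory")
    print({k: ("***" if k == "Password" else v) for k, v in params.items()})
```

Generating the password rather than typing one avoids the common failure where a memorable value is chosen, written down, and never rotated; the Important note under Permissions for the Administrator account applies regardless, since the service will not return it to you later.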

What gets created with your Amazon Managed Microsoft AD Active Directory

When you create an Active Directory with Amazon Managed Microsoft AD, Amazon Directory Service performs the following tasks on your behalf:

  • Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs is essential for connectivity between your VPC and the Amazon Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with Amazon Directory Service by the description "Amazon created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide. The default DNS server of the Amazon Managed Microsoft AD Active Directory is the VPC DNS server, which sits at the base of the VPC CIDR block plus two (for example, 10.0.0.2 in a 10.0.0.0/16 VPC). For more information, see Amazon DNS server in the Amazon VPC User Guide.

    Note

    Domain controllers are deployed across two Availability Zones in a Region by default and are connected to your Amazon VPC. Backups are automatically taken once per day, and the Amazon EBS volumes are encrypted so that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

  • Provisions Active Directory within your VPC using two domain controllers for fault tolerance and high availability. More domain controllers can be provisioned for higher resiliency and performance after the directory has been successfully created and is Active. For more information, see Deploy additional domain controllers.

    Note

    Amazon does not allow the installation of monitoring agents on Amazon Managed Microsoft AD domain controllers.

  • Creates an Amazon security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to ENIs or instances attached to the created security group. The default inbound rules allow only traffic through the ports required by Active Directory, from any source (0.0.0.0/0). These 0.0.0.0/0 rules do not expose the domain controllers to the internet: the ENIs that are created do not have Elastic IPs attached, and you do not have permission to attach one, so the only traffic that can reach your Amazon Managed Microsoft AD is traffic from your VPC, from peered VPCs, or from networks that you have connected using Amazon Direct Connect, Amazon Transit Gateway, or a Virtual Private Network. "Any source" therefore still means every host on those connected networks. If you tighten the inbound rules to specific CIDR ranges, every port in the table below must stay reachable from all domain-joined hosts and from any forest you trust, and you should use extreme caution, because a wrong edit breaks your ability to communicate with your domain controllers. For more information, see Best practices for Amazon Managed Microsoft AD. The following security group rules are created by default:

    Inbound Rules

    Protocol | Port range | Source | Type of traffic | Active Directory usage
    ICMP | N/A | 0.0.0.0/0 | Ping | LDAP Keep Alive, DFS
    TCP & UDP | 53 | 0.0.0.0/0 | DNS | User and computer authentication, name resolution, trusts
    TCP & UDP | 88 | 0.0.0.0/0 | Kerberos | User and computer authentication, forest level trusts
    TCP & UDP | 389 | 0.0.0.0/0 | LDAP | Directory, replication, user and computer authentication, group policy, trusts
    TCP & UDP | 445 | 0.0.0.0/0 | SMB / CIFS | Replication, user and computer authentication, group policy, trusts
    TCP & UDP | 464 | 0.0.0.0/0 | Kerberos change / set password | Replication, user and computer authentication, trusts
    TCP | 135 | 0.0.0.0/0 | RPC, EPM | Replication
    TCP | 636 | 0.0.0.0/0 | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts
    TCP | 1024 - 65535 | 0.0.0.0/0 | RPC | Replication, user and computer authentication, group policy, trusts
    TCP | 3268 - 3269 | 0.0.0.0/0 | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts
    UDP | 123 | 0.0.0.0/0 | Windows Time | Windows Time, trusts
    UDP | 138 | 0.0.0.0/0 | DFSN & NetLogon | DFS, group policy
    All | All | sg-################## (the directory's own security group) | All Traffic | Traffic between members of the security group

    Outbound Rules

    Protocol | Port range | Destination | Type of traffic | Active Directory usage
    All | All | sg-################## (the directory's own security group) | All Traffic | Traffic between members of the security group
  • For more information about the ports and protocols used by Active Directory, see Service overview and network port requirements for Windows in Microsoft documentation.
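Added example (not from the Amazon documentation): a Python audit that compares a directory security group, in the shape returned by describe-security-groups, against the default rules in the table above and reports documented rules that are missing and rules that were added. The sample group is constructed: it has the Windows Time rule removed and an RDP rule opened to 0.0.0.0/0, which is the kind of drift you want to catch before it shows up as a replication or authentication problem.

```python
# Default inbound rules from the table above, as (protocol, from_port, to_port);
# the source for every one of them is 0.0.0.0/0.
EXPECTED_INBOUND = {
    ("icmp", -1, -1),
    ("tcp", 53, 53), ("udp", 53, 53),
    ("tcp", 88, 88), ("udp", 88, 88),
    ("tcp", 389, 389), ("udp", 389, 389),
    ("tcp", 445, 445), ("udp", 445, 445),
    ("tcp", 464, 464), ("udp", 464, 464),
    ("tcp", 135, 135),
    ("tcp", 636, 636),
    ("tcp", 1024, 65535),
    ("tcp", 3268, 3269),
    ("udp", 123, 123),
    ("udp", 138, 138),
}


def flatten(permissions):
    """Expand an IpPermissions list into (protocol, from, to, source) tuples.

    "-1" with no ports is the all-traffic rule; a GroupId source is a reference
    to a security group rather than a CIDR."""
    rules = set()
    for perm in permissions:
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            rules.add((proto, lo, hi, r["CidrIp"]))
        for g in perm.get("UserIdGroupPairs", []):
            rules.add((proto, lo, hi, g["GroupId"]))
    return rules


def _diff(expected, permissions):
    actual = flatten(permissions)
    return sorted(expected - actual), sorted(actual - expected)


def audit_directory_sg(sg):
    """Return {"inbound": (missing, unexpected), "outbound": (missing, unexpected)}
    for a security group in the shape of describe-security-groups output."""
    self_ref = ("-1", -1, -1, sg["GroupId"])
    inbound = {(p, lo, hi, "0.0.0.0/0") for p, lo, hi in EXPECTED_INBOUND} | {self_ref}
    return {"inbound": _diff(inbound, sg.get("IpPermissions", [])),
            "outbound": _diff({self_ref}, sg.get("IpPermissionsEgress", []))}


def documented_permissions(group_id):
    """Build the documented default inbound rule set in describe-security-groups shape."""
    perms = [{"IpProtocol": p, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
             for p, lo, hi in sorted(EXPECTED_INBOUND)]
    perms.append({"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": group_id}]})
    return perms


# Constructed sample: the defaults with the Windows Time rule removed and RDP opened to everyone.
DRIFTED_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [p for p in documented_permissions("sg-0example")
                      if not (p["IpProtocol"] == "udp" and p.get("FromPort") == 123)]
                     + [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0example"}]}],
}

if __name__ == "__main__":
    for direction, (missing, unexpected) in audit_directory_sg(DRIFTED_SG).items():
        print(direction, "missing:", missing, "unexpected:", unexpected)
```

Run it against the real group by passing one element of the SecurityGroups list from describe-security-groups; the two lists it returns are exactly what you would want a scheduled check to page on.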

  • Creates a directory administrator account with the user name Admin and the specified password. This account is located under the Users OU (For example, Corp > Users). You use this account to manage your directory in the Amazon Cloud. For more information, see Permissions for the Administrator account.

    Important

    Be sure to save this password. Amazon Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Amazon Directory Service console or by using the ResetUserPassword API.

  • Creates the following three organizational units (OUs) under the domain root:

    OU name | Description
    Amazon Delegated Groups | Stores all of the groups that you can use to delegate Amazon-specific permissions to your users.
    Amazon Reserved | Stores all Amazon management-specific accounts.
    <yourdomainname> | The name of this OU is based on the NetBIOS name you typed when you created your directory. If you did not specify a NetBIOS name, it defaults to the first label of your directory DNS name (for example, for corp.example.com the NetBIOS name would be corp). This OU is owned by Amazon and contains all of your Amazon-related directory objects, over which you are granted Full Control. Two child OUs exist under this OU by default: Computers and Users. For example:
    • Corp

      • Computers

      • Users

  • Creates the following groups in the Amazon Delegated Groups OU:

    Group name | Description
    Amazon Delegated Account Operators | Members of this security group have limited account management capability such as password resets.
    Amazon Delegated Active Directory Based Activation Administrators | Members of this security group can create Active Directory volume licensing activation objects, which enables enterprises to activate computers through a connection to their domain.
    Amazon Delegated Add Workstations To Domain Users | Members of this security group can join up to 10 computers to the domain.
    Amazon Delegated Administrators | Members of this security group can manage Amazon Managed Microsoft AD, have full control of all the objects in your OU, and can manage groups contained in the Amazon Delegated Groups OU.
    Amazon Delegated Allowed to Authenticate Objects | Members of this security group are provided the ability to authenticate to computer resources in the Amazon Reserved OU (only needed for on-premises objects with Selective Authentication enabled trusts).
    Amazon Delegated Allowed to Authenticate to Domain Controllers | Members of this security group are provided the ability to authenticate to computer resources in the Domain Controllers OU (only needed for on-premises objects with Selective Authentication enabled trusts).
    Amazon Delegated Deleted Object Lifetime Administrators | Members of this security group can modify the msDS-DeletedObjectLifetime object, which defines how long a deleted object will be available to recover from the AD Recycle Bin.
    Amazon Delegated Distributed File System Administrators | Members of this security group can add and remove FRS, DFS-R, and DFS namespaces.
    Amazon Delegated Domain Name System Administrators | Members of this security group can manage Active Directory integrated DNS.
    Amazon Delegated Dynamic Host Configuration Protocol Administrators | Members of this security group can authorize Windows DHCP servers in the enterprise.
    Amazon Delegated Enterprise Certificate Authority Administrators | Members of this security group can deploy and manage Microsoft Enterprise Certificate Authority infrastructure.
    Amazon Delegated Fine Grained Password Policy Administrators | Members of this security group can modify precreated fine-grained password policies.
    Amazon Delegated FSx Administrators | Members of this security group are provided the ability to manage Amazon FSx resources.
    Amazon Delegated Group Policy Administrators | Members of this security group can perform group policy management tasks (create, edit, delete, link).
    Amazon Delegated Kerberos Delegation Administrators | Members of this security group can enable delegation on computer and user account objects.
    Amazon Delegated Managed Service Account Administrators | Members of this security group can create and delete Managed Service Accounts.
    Amazon Delegated MS-NPRC Non-Compliant Devices | Members of this security group are excluded from the requirement for secure channel communications with domain controllers. This group is for computer accounts.
    Amazon Delegated Remote Access Service Administrators | Members of this security group can add and remove RAS servers from the RAS and IAS Servers group.
    Amazon Delegated Replicate Directory Changes Administrators | Members of this security group can synchronize profile information in Active Directory with SharePoint Server.
    Amazon Delegated Server Administrators | Members of this security group are included in the local administrators group on all domain joined computers.
    Amazon Delegated Sites and Services Administrators | Members of this security group can rename the Default-First-Site-Name object in Active Directory Sites and Services.
    Amazon Delegated System Management Administrators | Members of this security group can create and manage objects in the System Management container.
    Amazon Delegated Terminal Server Licensing Administrators | Members of this security group can add and remove Terminal Server License Servers from the Terminal Server License Servers group.
    Amazon Delegated User Principal Name Suffix Administrators | Members of this security group can add and remove user principal name suffixes.

    Several of these groups are highly privileged in practice even though none is Domain Admins: Server Administrators is local administrator on every domain-joined computer, Group Policy Administrators can change settings on every host a GPO reaches, and Kerberos Delegation Administrators and Enterprise Certificate Authority Administrators control mechanisms that can be used to impersonate other users. Monitor their membership as closely as you would the built-in administrative groups.
  • Creates and applies the following Group Policy Objects (GPOs):

    Note

    You do not have permissions to delete, modify, or unlink these GPOs. This is by design as they are reserved for Amazon use. You may link them to OUs that you control if needed.

    Group policy name | Applies to | Description
    Default Domain Policy | Domain | Includes domain password and Kerberos policies.
    ServerAdmins | All non domain controller computer accounts | Adds 'Amazon Delegated Server Administrators' as a member of the BUILTIN\Administrators group.
    Amazon Reserved Policy:User | Amazon Reserved user accounts | Sets recommended security settings on all user accounts in the Amazon Reserved OU.
    Amazon Managed Active Directory Policy | All domain controllers | Sets recommended security settings on all domain controllers.
    TimePolicyNT5DS | All non-PDCe domain controllers | Sets all non-PDCe domain controllers' time policy to use Windows Time (NT5DS).
    TimePolicyPDC | The PDCe domain controller | Sets the PDCe domain controller's time policy to use Network Time Protocol (NTP).
    Default Domain Controllers Policy | Not used | Provisioned during domain creation; Amazon Managed Active Directory Policy is used in its place.

    If you would like to see the settings of each GPO, you can view them from a domain joined Windows instance with the Group policy management console (GPMC) enabled.

Permissions for the Administrator account

When you create an Amazon Directory Service for Microsoft Active Directory directory, Amazon creates an organizational unit (OU) to store all Amazon related groups and accounts. For more information about this OU, see What gets created with your Amazon Managed Microsoft AD Active Directory. This includes the Admin account. The Admin account has permissions to perform the following common administrative activities for your OU:

The Admin account also has rights to perform the following domainwide activities:

  • Manage DNS configurations (add, remove, or update records, zones, and forwarders)

  • View DNS event logs

  • View security event logs

Only the actions listed here are allowed for the Admin account. The Admin account also lacks permissions for any directory-related actions outside of your specific OU, such as on the parent OU.

Important

Amazon Domain Administrators have full administrative access to all domains hosted on Amazon. See your agreement with Amazon and the Amazon data protection FAQ for more information about how Amazon handles content, including directory information, that you store on Amazon systems.

Note

We recommend that you do not delete or rename this account. If you no longer want to use the account, set a long random password (up to the 64-character maximum) and then disable the account.

Enterprise and domain administrator privileged accounts

Amazon automatically rotates the built-in Administrator password to a random password every 90 days. Any time the built-in Administrator password is requested for human use, an Amazon ticket is created and logged with the Amazon Directory Service team. Account credentials are encrypted and handled over secure channels, and the Administrator account credentials can only be requested by the Amazon Directory Service management team.

To perform operational management of your directory, Amazon has exclusive control of accounts with Enterprise Administrator and Domain Administrator privileges. This includes exclusive control of the Active Directory administrator account. Amazon protects this account by automating password management through the use of a password vault. During automated rotation of the administrator password, Amazon creates a temporary user account and grants it Domain Administrator privileges. This temporary account is used as a back-up in the event of password rotation failure on the administrator account. After Amazon successfully rotates the administrator password, Amazon deletes the temporary administrator account.

Normally Amazon operates the directory entirely through automation. In the event that an automation process is unable to resolve an operational problem, Amazon may need to have a support engineer sign in to your domain controller (DC) to perform diagnosis. In these rare cases, Amazon implements a request/notification system to grant access. In this process, Amazon automation creates a time-limited user account in your directory that has Domain Administrator permissions. Amazon associates the user account with the engineer who is assigned to work on your directory. Amazon records this association in our log system and provides the engineer with the credentials to use. All actions taken by the engineer are logged in the Windows event logs. When the allocated time elapses, automation deletes the user account.

You can monitor administrative account actions by using the log forwarding feature of your directory. This feature forwards the Active Directory Security event log to CloudWatch Logs in your account, where you can build monitoring and alerting on it. For more information, see Enable log forwarding.

Security event IDs 4624 (an account was successfully logged on), 4672 (special privileges assigned to new logon) and 4648 (a logon was attempted using explicit credentials) are all logged when someone logs on to a DC interactively. In 4624, the Logon Type field distinguishes interactive logons (types 2 and 10) from the far more frequent network logons (type 3) that every authentication produces. You can view each DC's Windows Security event log using the Event Viewer Microsoft Management Console (MMC) from a domain-joined Windows computer. You can also Enable log forwarding to send all of the Security event logs to CloudWatch Logs in your account.
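Added example (not from the Amazon documentation): detection logic in Python over constructed events of the kind log forwarding delivers. It parses the Windows Security event body into its sections, joins each interactive 4624 (logon types 2, 10 and 11) with the 4672 that shares its Logon ID, whichever of the two is written first, and reports 4648 explicit-credential logons. The dict shape (timestamp, host, event_id, message) is an assumption about how you have already split the CloudWatch Logs stream into events; the account names, SIDs and addresses are made up.

```python
INTERACTIVE_LOGON_TYPES = {"2", "10", "11"}   # console, RDP, cached interactive


def parse_event_message(message):
    """Split a Windows Security event body into {section: {field: value}}.

    Unindented "Subject:" lines open a section; indented "Key: value" lines fill
    it. Only the first line of a multi-line field such as Privileges is kept.
    """
    sections, current = {}, "Header"
    for raw in message.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not raw[0].isspace():
            current = key
            sections.setdefault(current, {})
            if value:
                sections[current][key] = value
        else:
            sections.setdefault(current, {})[key] = value
    return sections


def find_admin_activity(events, expected_accounts=frozenset()):
    """Alert on privileged interactive logons (4624 joined with 4672 on Logon ID)
    and on explicit-credential logons (4648). Two passes, so event order is irrelevant."""
    parsed = [(ev, parse_event_message(ev["message"])) for ev in events]
    interactive = {}
    for ev, fields in parsed:                  # pass 1: interactive 4624s keyed by Logon ID
        if ev["event_id"] != 4624:
            continue
        logon_type = fields.get("Logon Information", {}).get("Logon Type")
        if logon_type in INTERACTIVE_LOGON_TYPES:
            new = fields["New Logon"]
            interactive[new["Logon ID"]] = {
                "kind": "privileged-interactive-logon", "time": ev["timestamp"], "host": ev["host"],
                "account": f"{new['Account Domain']}\\{new['Account Name']}", "logon_type": logon_type,
                "source": fields.get("Network Information", {}).get("Source Network Address", "-"),
            }
    alerts = []
    for ev, fields in parsed:                  # pass 2: 4672 correlation and 4648 reporting
        subject = fields.get("Subject", {})
        if ev["event_id"] == 4672 and subject.get("Logon ID") in interactive:
            if subject.get("Account Name") not in expected_accounts:
                alerts.append({**interactive[subject["Logon ID"]],
                               "privileges": fields.get("Privileges", {}).get("Privileges", "?")})
        elif ev["event_id"] == 4648:
            used = fields.get("Account Whose Credentials Were Used", {})
            alerts.append({"kind": "explicit-credentials", "time": ev["timestamp"], "host": ev["host"],
                           "account": f"{subject.get('Account Domain')}\\{subject.get('Account Name')}",
                           "used": f"{used.get('Account Domain')}\\{used.get('Account Name')}",
                           "target": fields.get("Target Server", {}).get("Target Server Name", "-")})
    return alerts


# Constructed sample events (not real forwarded logs); see the lead-in for the assumed shape.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:12:03Z", "host": "DC1", "event_id": 4624, "message": """\
An account was successfully logged on.
Logon Information:
    Logon Type:         10
New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       support-tmp
    Account Domain:     CORP
    Logon ID:           0x3E7A1
Network Information:
    Source Network Address: 10.0.1.50
"""},
    {"timestamp": "2024-05-01T09:12:03Z", "host": "DC1", "event_id": 4672, "message": """\
Special privileges assigned to new logon.
Subject:
    Account Name:       support-tmp
    Account Domain:     CORP
    Logon ID:           0x3E7A1
Privileges:         SeBackupPrivilege
                    SeRestorePrivilege
"""},
    {"timestamp": "2024-05-01T09:13:40Z", "host": "DC1", "event_id": 4624, "message": """\
An account was successfully logged on.
Logon Information:
    Logon Type:         3
New Logon:
    Account Name:       svc-ldap
    Account Domain:     CORP
    Logon ID:           0x41C22
"""},
    {"timestamp": "2024-05-01T09:15:00Z", "host": "DC2", "event_id": 4648, "message": """\
A logon was attempted using explicit credentials.
Subject:
    Account Name:       Admin
    Account Domain:     CORP
    Logon ID:           0x5D100
Account Whose Credentials Were Used:
    Account Name:       support-tmp
    Account Domain:     CORP
Target Server:
    Target Server Name: dc2.corp.example.com
"""},
]

if __name__ == "__main__":
    for alert in find_admin_activity(SAMPLE_EVENTS):
        print(alert)
```

The network logon for svc-ldap is deliberately ignored: type 3 logons to a DC happen on every Kerberos or LDAP authentication, so alerting on them drowns the interactive ones the page is talking about. Pass the names of your own expected break-glass accounts in expected_accounts; anything else with a privileged interactive logon on a DC, including the time-limited accounts Amazon describes above, is worth a ticket.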

You might occasionally see users created and deleted within the Amazon Reserved OU. Amazon is responsible for the management and security of all objects in this OU and in any other OU or container where we have not delegated permissions for you to access and manage. The creations and deletions occur because Amazon Directory Service uses automation to rotate the Domain Administrator password on a regular basis: when the password is rotated, a backup account is created in case the rotation fails, and once the rotation succeeds the backup account is automatically deleted. Also, in the rare event that interactive access is needed on the DCs for troubleshooting purposes, a temporary user account is created for an Amazon Directory Service engineer to use and is deleted once the engineer has completed their work. Note that every time interactive credentials are requested for a directory, the Amazon Directory Service management team is notified.