

# Getting started with Amazon Managed Microsoft AD
<a name="ms_ad_getting_started"></a>

Amazon Managed Microsoft AD creates a fully managed Microsoft Active Directory in the Amazon Web Services Cloud. It is powered by Windows Server 2019 and operates at the 2016 Forest and Domain functional levels. When you create a directory with Amazon Managed Microsoft AD, Amazon Directory Service creates two domain controllers and adds the DNS service on your behalf. The domain controllers are created in different subnets in an Amazon VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs. If you need more domain controllers, you can add them later. For more information, see [Deploying additional domain controllers for your Amazon Managed Microsoft AD](ms_ad_deploy_additional_dcs.md).

For a demo and overview of Amazon Managed Microsoft AD, see the following YouTube video.

**Topics**
+ [Prerequisites for creating an Amazon Managed Microsoft AD](#ms_ad_getting_started_prereqs)
+ [Amazon IAM Identity Center prerequisites](#prereq_aws_sso_ms_ad)
+ [Multi-factor authentication prerequisites](#prereq_mfa_ad)
+ [Creating your Amazon Managed Microsoft AD](#ms_ad_getting_started_create_directory)
+ [What gets created with your Amazon Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md)
+ [Amazon Managed Microsoft AD Administrator account and group permissions](ms_ad_getting_started_admin_account.md)

## Prerequisites for creating an Amazon Managed Microsoft AD
<a name="ms_ad_getting_started_prereqs"></a>

To create an Amazon Managed Microsoft AD Active Directory, you need an Amazon VPC with the following: 
+ At least two subnets. Each of the subnets must be in a different Availability Zone and must be of the same network type.

  You can use IPv6 for your VPC. For more information, see [IPv6 support for your VPC](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-migrate-ipv6.html) in the *Amazon Virtual Private Cloud User Guide*.
+ The VPC must have default hardware tenancy.
+ You cannot create an Amazon Managed Microsoft AD in a VPC using addresses in the 198.18.0.0/15 address space.

If you need to integrate your Amazon Managed Microsoft AD domain with an existing on-premises Active Directory domain, you must have the Forest and Domain functional levels for your on-premises domain set to Windows Server 2003 or higher.

Amazon Directory Service uses a two-VPC structure. The EC2 instances that make up your directory run outside of your Amazon account and are managed by Amazon. They have two network adapters, `ETH0` and `ETH1`. `ETH0` is the management adapter and exists outside of your account. `ETH1` is created within your account.

The management IP range of your directory's ETH0 network is 198.18.0.0/15.
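The following pre-flight check, added here as an example and not part of the Amazon documentation, encodes the VPC prerequisites above (two subnets in different Availability Zones, same network type, default tenancy, no use of the 198.18.0.0/15 management range). It runs offline on constructed dictionaries shaped like the `Vpcs` and `Subnets` fields returned by `aws ec2 describe-vpcs` / `describe-subnets` (an assumption about the input shape, not a call made here).

```python
import ipaddress

# ETH0 management range reserved by Amazon Directory Service (stated on this page).
MANAGEMENT_RANGE = ipaddress.ip_network("198.18.0.0/15")


def _overlaps_management(cidr: str) -> bool:
    return ipaddress.ip_network(cidr, strict=False).overlaps(MANAGEMENT_RANGE)


def check_vpc_prereqs(vpc: dict, subnets: list) -> list:
    """Return the prerequisites the VPC and subnets violate (empty list = ready)."""
    problems = []
    if vpc.get("InstanceTenancy") != "default":
        problems.append("VPC must use default hardware tenancy")
    if _overlaps_management(vpc["CidrBlock"]):
        problems.append("VPC CIDR overlaps the 198.18.0.0/15 management range")
    if len(subnets) < 2:
        problems.append("at least two subnets are required")
    azs = [s["AvailabilityZone"] for s in subnets]
    if len(set(azs)) != len(azs):
        problems.append("each subnet must be in a different Availability Zone")
    # Network type of a subnet: IPv4-only, IPv6-only or dual-stack; all must match.
    net_types = {(bool(s.get("CidrBlock")), bool(s.get("Ipv6CidrBlock"))) for s in subnets}
    if len(net_types) > 1:
        problems.append("all subnets must be of the same network type")
    for s in subnets:
        if s.get("CidrBlock") and _overlaps_management(s["CidrBlock"]):
            problems.append(f"{s['SubnetId']} uses addresses in 198.18.0.0/15")
    return problems


# Constructed sample input (ids and AZ names are placeholders, not real resources).
GOOD_VPC = {"VpcId": "vpc-example1", "CidrBlock": "10.0.0.0/16", "InstanceTenancy": "default"}
GOOD_SUBNETS = [
    {"SubnetId": "subnet-a", "CidrBlock": "10.0.0.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-b", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-east-1b"},
]
BAD_VPC = {"VpcId": "vpc-example2", "CidrBlock": "198.18.0.0/16", "InstanceTenancy": "dedicated"}
BAD_SUBNETS = [
    {"SubnetId": "subnet-c", "CidrBlock": "198.18.0.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-d", "CidrBlock": "198.18.1.0/24", "AvailabilityZone": "us-east-1a"},
]

if __name__ == "__main__":
    for name, vpc, subs in (("good", GOOD_VPC, GOOD_SUBNETS), ("bad", BAD_VPC, BAD_SUBNETS)):
        print(name, check_vpc_prereqs(vpc, subs) or "ready")
```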

For a tutorial on how to create the Amazon environment and Amazon Managed Microsoft AD, see [Amazon Managed Microsoft AD test lab tutorials](ms_ad_tutorial_test_lab.md).

## Amazon IAM Identity Center prerequisites
<a name="prereq_aws_sso_ms_ad"></a>

If you plan to use IAM Identity Center with Amazon Managed Microsoft AD, you need to ensure that the following are true:
+ Your Amazon Managed Microsoft AD directory is set up in your Amazon organization's management account.
+ Your instance of IAM Identity Center is in the same Region where your Amazon Managed Microsoft AD directory is set up. 

For more information, see [IAM Identity Center prerequisites](https://docs.amazonaws.cn/singlesignon/latest/userguide/prereqs.html) in the *Amazon IAM Identity Center User Guide*.

## Multi-factor authentication prerequisites
<a name="prereq_mfa_ad"></a>

To support multi-factor authentication with your Amazon Managed Microsoft AD directory, you must configure either your on-premises or cloud-based [Remote Authentication Dial-In User Service](https://en.wikipedia.org/wiki/RADIUS) (RADIUS) server in the following way so that it can accept requests from your Amazon Managed Microsoft AD directory in Amazon.

1. On your RADIUS server, create two RADIUS clients to represent both of the Amazon Managed Microsoft AD domain controllers (DCs) in Amazon. You must configure both clients using the following common parameters (your RADIUS server may vary):
   + **Address (DNS or IP)**: This is the DNS address for one of the Amazon Managed Microsoft AD DCs. Both DNS addresses can be found in the Amazon Directory Service Console on the **Details** page of the Amazon Managed Microsoft AD directory in which you plan to use MFA. The DNS addresses displayed represent the IP addresses for both of the Amazon Managed Microsoft AD DCs that are used by Amazon.
**Note**  
If your RADIUS server supports DNS addresses, you must create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each Amazon Managed Microsoft AD DC.
   + **Port number**: Configure the port number for which your RADIUS server accepts RADIUS client connections. The standard RADIUS port is 1812.
   + **Shared secret**: Type or generate a shared secret that the RADIUS server will use to connect with RADIUS clients.
   + **Protocol**: You might need to configure the authentication protocol between the Amazon Managed Microsoft AD DCs and the RADIUS server. Supported protocols are PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the listed options.
   + **Application name**: This may be optional in some RADIUS servers and usually identifies the application in messages or reports.

1. Configure your existing network to allow inbound traffic from the RADIUS clients (the DNS addresses of the Amazon Managed Microsoft AD DCs from Step 1) to your RADIUS server port.

1. Add a rule to the Amazon EC2 security group in your Amazon Managed Microsoft AD domain that allows inbound traffic from the RADIUS server DNS address and port number defined previously. For more information, see [Adding rules to a security group](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule) in the *EC2 User Guide*.

For more information about using Amazon Managed Microsoft AD with MFA, see [Enabling multi-factor authentication for Amazon Managed Microsoft AD](ms_ad_mfa.md). 

## Creating your Amazon Managed Microsoft AD
<a name="ms_ad_getting_started_create_directory"></a>

To create a new Amazon Managed Microsoft AD Active Directory, perform the following steps. Before starting this procedure, make sure that you have completed the prerequisites identified in [Prerequisites for creating an Amazon Managed Microsoft AD](#ms_ad_getting_started_prereqs). 

**To create an Amazon Managed Microsoft AD**

1. In the [Amazon Directory Service console](https://console.amazonaws.cn/directoryservicev2/) navigation pane, choose **Directories** and then choose **Set up directory**.

1. On the **Select directory type** page, choose **Amazon Managed Microsoft AD**, and then choose **Next**.

1. On the **Enter directory information** page, provide the following information:  
**Edition**  
Choose from either the **Standard Edition** or **Enterprise Edition** of Amazon Managed Microsoft AD. For more information about editions, see [Amazon Directory Service for Microsoft Active Directory](what_is.md#microsoftad).   
**Directory DNS name**  
The fully qualified name for the directory, such as `corp.example.com`.  
If you plan on using Amazon Route 53 for DNS, the domain name of your Amazon Managed Microsoft AD must be different from your Route 53 domain name. DNS resolution issues can occur if Route 53 and Amazon Managed Microsoft AD share the same domain name.  
**Directory NetBIOS name**  
The short name for the directory, such as `CORP`.  
**Directory description**  
An optional description for the directory. This description can be changed after creating your Amazon Managed Microsoft AD.  
**Admin password**  
The password for the directory administrator. The directory creation process creates an administrator account with the user name `Admin` and this password. You can change the Admin password after creating your Amazon Managed Microsoft AD.  
The password cannot include the word "admin."   
The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:  
   + Lowercase letters (a-z)
   + Uppercase letters (A-Z)
   + Numbers (0-9)
   + Non-alphanumeric characters (``~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/``)  
**Confirm password**  
Retype the administrator password.  
**(Optional) User and group management**  
To enable Amazon Managed Microsoft AD user and group management from the Amazon Web Services Management Console, select **Manage user and group management in the Amazon Web Services Management Console**. For more information on how to use user and group management, see [Manage Amazon Managed Microsoft AD users and groups with the Amazon Web Services Management Console, Amazon CLI, or Amazon Tools for PowerShell](ms_ad_manage_users_groups_procedures.md).

1. On the **Choose VPC and subnets** page, provide the following information, and then choose **Next**.  
**VPC**  
Select the VPC for the directory.  
**Network type**  
The Internet Protocol (IP) addressing system associated with your VPC and subnets.  
Select the CIDR block associated with your existing VPC. Resources in your subnet can be configured to use IPv4 only, IPv6 only, or both IPv4 and IPv6 (dual-stack). For more information, see [Compare IPv4 and IPv6](https://docs.amazonaws.cn/vpc/latest/userguide/ipv4-ipv6-comparison.html) in the *Amazon Virtual Private Cloud User Guide*.  
**Subnets**  
Select the subnets for the domain controllers. The two subnets must be in different Availability Zones. 

1. On the **Review & create** page, review the directory information and make any necessary changes. When the information is correct, choose **Create directory**. Creating the directory takes 20 to 40 minutes. Once created, the **Status** value changes to **Active**.
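The Admin password rules stated in step 3 can be checked before the form is submitted. The following validator is an added example, not code from the Amazon documentation; it encodes exactly the rules on this page (8 to 64 characters, at least three of the four character categories, no "admin") and assumes the "admin" check is case-insensitive, which the page does not state.

```python
# Non-alphanumeric characters accepted by the Admin password rule on this page.
SPECIAL = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def check_admin_password(password: str, confirm: str) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if password != confirm:
        problems.append("password and confirmation do not match")
    if not 8 <= len(password) <= 64:
        problems.append("length must be between 8 and 64 characters, inclusive")
    # Assumption: the word "admin" is rejected regardless of case.
    if "admin" in password.lower():
        problems.append('password must not contain the word "admin"')
    categories = {
        "lowercase letters": any(c.isascii() and c.islower() for c in password),
        "uppercase letters": any(c.isascii() and c.isupper() for c in password),
        "numbers": any(c.isascii() and c.isdigit() for c in password),
        "non-alphanumeric characters": any(c in SPECIAL for c in password),
    }
    if sum(categories.values()) < 3:
        missing = [name for name, ok in categories.items() if not ok]
        problems.append("need at least three of four categories; missing: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Xy7!pq9Qw", "Admin1234", "password", "Sh0rt"):
        print(candidate, check_admin_password(candidate, candidate) or "accepted")
```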

For more information on what is created with your Amazon Managed Microsoft AD, see the following:
+ [What gets created with your Amazon Managed Microsoft AD](ms_ad_getting_started_what_gets_created.md)
+ [Amazon Managed Microsoft AD Administrator account and group permissions](ms_ad_getting_started_admin_account.md)

**Related Amazon Security blog articles**
+ [How to delegate administration of your Amazon Managed Microsoft AD directory to your on-premises Active Directory users](http://www.amazonaws.cn/blogs/security/how-to-delegate-administration-of-your-aws-managed-microsoft-ad-directory-to-your-on-premises-active-directory-users/)
+ [How to configure even stronger password policies to help meet your security standards by using Amazon Directory Service for Amazon Managed Microsoft AD](http://www.amazonaws.cn/blogs/security/how-to-configure-even-stronger-password-policies-to-help-meet-your-security-standards-by-using-aws-directory-service-for-microsoft-active-directory/)
+ [How to increase the redundancy and performance of your Amazon Directory Service for Amazon Managed Microsoft AD by adding Domain controllers](http://www.amazonaws.cn/blogs/security/how-to-increase-the-redundancy-and-performance-of-your-aws-directory-service-for-microsoft-ad-directory-by-adding-domain-controllers/)
+ [How to enable the use of remote desktops by deploying Microsoft remote desktop licensing manager on Amazon Managed Microsoft AD](http://www.amazonaws.cn/blogs/security/how-to-enable-the-use-of-remote-desktops-by-deploying-microsoft-remote-desktop-licensing-manager-on-aws-microsoft-ad/)
+ [How to access the Amazon Web Services Management Console using Amazon Managed Microsoft AD and your on-premises credentials](http://www.amazonaws.cn/blogs/security/how-to-access-the-aws-management-console-using-aws-microsoft-ad-and-your-on-premises-credentials/)
+ [How to enable multi-factor authentication for Amazon services by using Amazon Managed Microsoft AD and on-premises credentials](http://www.amazonaws.cn/blogs/security/how-to-enable-multi-factor-authentication-for-amazon-workspaces-and-amazon-quicksight-by-using-microsoft-ad-and-on-premises-credentials/)
+ [How to easily log on to Amazon services by using your on-premises Active Directory](http://www.amazonaws.cn/blogs/security/how-to-easily-log-on-to-aws-services-by-using-your-on-premises-active-directory/)