Amazon Managed Microsoft AD prerequisites
To create an Amazon Managed Microsoft AD directory, you need a VPC with the following:
- At least two subnets. Each of the subnets must be in a different Availability Zone.
- The VPC must have default hardware tenancy.
- You cannot create an Amazon Managed Microsoft AD in a VPC using addresses in the 198.18.0.0/15 address space.
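The three VPC requirements above can be checked mechanically before you try to create the directory. The following added example (not code from the Amazon documentation) validates a VPC and its subnets against them; the input dictionaries are constructed to mirror the `CidrBlock`, `InstanceTenancy` and `AvailabilityZone` fields of EC2 describe-vpcs / describe-subnets output, and the VPC IDs are placeholders.

```python
import ipaddress

# Address space used by the directory's management (ETH0) network; a VPC
# or subnet that overlaps it cannot host an Amazon Managed Microsoft AD.
MANAGEMENT_RANGE = ipaddress.ip_network("198.18.0.0/15")


def check_vpc_prerequisites(vpc, subnets):
    """Return a list of problems; an empty list means the VPC qualifies."""
    problems = []

    # Requirement: default hardware tenancy.
    tenancy = vpc.get("InstanceTenancy")
    if tenancy != "default":
        problems.append(f"tenancy is {tenancy!r}, must be 'default'")

    # Requirement: no address space inside 198.18.0.0/15 (VPC and subnets).
    vpc_cidr = ipaddress.ip_network(vpc["CidrBlock"])
    if vpc_cidr.overlaps(MANAGEMENT_RANGE):
        problems.append(f"VPC CIDR {vpc_cidr} overlaps reserved {MANAGEMENT_RANGE}")
    for subnet in subnets:
        cidr = ipaddress.ip_network(subnet["CidrBlock"])
        if cidr.overlaps(MANAGEMENT_RANGE):
            problems.append(f"subnet CIDR {cidr} overlaps reserved {MANAGEMENT_RANGE}")

    # Requirement: at least two subnets in different Availability Zones.
    zones = {subnet["AvailabilityZone"] for subnet in subnets}
    if len(zones) < 2:
        problems.append(f"need subnets in at least two AZs, found {sorted(zones)}")

    return problems


# Constructed sample input (placeholder IDs, not real resources).
GOOD_VPC = {"VpcId": "vpc-PLACEHOLDER-1", "CidrBlock": "10.0.0.0/16", "InstanceTenancy": "default"}
GOOD_SUBNETS = [
    {"CidrBlock": "10.0.0.0/24", "AvailabilityZone": "us-east-1a"},
    {"CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-east-1b"},
]
BAD_VPC = {"VpcId": "vpc-PLACEHOLDER-2", "CidrBlock": "198.18.0.0/16", "InstanceTenancy": "dedicated"}
BAD_SUBNETS = [
    {"CidrBlock": "198.18.0.0/24", "AvailabilityZone": "us-east-1a"},
    {"CidrBlock": "198.18.1.0/24", "AvailabilityZone": "us-east-1a"},
]

if __name__ == "__main__":
    for name, vpc, subnets in (("good", GOOD_VPC, GOOD_SUBNETS), ("bad", BAD_VPC, BAD_SUBNETS)):
        print(name, check_vpc_prerequisites(vpc, subnets) or "OK")
```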
If you need to integrate your Amazon Managed Microsoft AD domain with an existing on-premises Active Directory domain, you must have the Forest and Domain functional levels for your on-premises domain set to Windows Server 2003 or higher.
Amazon Directory Service uses a two-VPC structure. The EC2 instances that make up your directory run outside of your Amazon account and are managed by Amazon. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter and exists outside of your account. ETH1 is created within your account.
The management IP range of your directory's ETH0 network is 198.18.0.0/15.
Amazon IAM Identity Center prerequisites
If you plan to use IAM Identity Center with Amazon Managed Microsoft AD, you need to ensure that the following are true:
- Your Amazon Managed Microsoft AD directory is set up in your Amazon organization's management account.
- Your instance of IAM Identity Center is in the same Region where your Amazon Managed Microsoft AD directory is set up.
For more information, see IAM Identity Center prerequisites in the Amazon IAM Identity Center User Guide.
Multi-factor authentication prerequisites
To support multi-factor authentication with your Amazon Managed Microsoft AD directory, you must configure either your on-premises or cloud-based Remote Authentication Dial-In User Service (RADIUS):
1. On your RADIUS server, create two RADIUS clients to represent both of the Amazon Managed Microsoft AD domain controllers (DCs) in Amazon. You must configure both clients using the following common parameters (your RADIUS server may vary):
   - Address (DNS or IP): This is the DNS address for one of the Amazon Managed Microsoft AD DCs. Both DNS addresses can be found in the Amazon Directory Service Console on the Details page of the Amazon Managed Microsoft AD directory in which you plan to use MFA. The DNS addresses displayed represent the IP addresses for both of the Amazon Managed Microsoft AD DCs that are used by Amazon.
     Note: If your RADIUS server supports DNS addresses, you must create only one RADIUS client configuration. Otherwise, you must create one RADIUS client configuration for each Amazon Managed Microsoft AD DC.
   - Port number: Configure the port number on which your RADIUS server accepts RADIUS client connections. The standard RADIUS port is 1812.
   - Shared secret: Type or generate a shared secret that the RADIUS server will use to connect with RADIUS clients.
   - Protocol: You might need to configure the authentication protocol between the Amazon Managed Microsoft AD DCs and the RADIUS server. Supported protocols are PAP, CHAP, MS-CHAPv1, and MS-CHAPv2. MS-CHAPv2 is recommended because it provides the strongest security of the three options.
   - Application name: This may be optional in some RADIUS servers and usually identifies the application in messages or reports.
2. Configure your existing network to allow inbound traffic from the RADIUS clients (the Amazon Managed Microsoft AD DC DNS addresses from Step 1) to your RADIUS server port.
3. Add a rule to the Amazon EC2 security group in your Amazon Managed Microsoft AD domain that allows inbound traffic from the RADIUS server DNS address and port number defined previously. For more information, see Adding rules to a security group in the EC2 User Guide.
For more information about using Amazon Managed Microsoft AD with MFA, see Enable multi-factor authentication for Amazon Managed Microsoft AD.