What gets created
When you create a directory with Amazon Managed Microsoft AD, Amazon Directory Service performs the following tasks on your behalf:
- Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs is essential for connectivity between your VPC and the Amazon Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with Amazon Directory Service by the description: "Amazon created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide for Windows Instances.
Note
Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.
- Provisions Active Directory within your VPC using two domain controllers for fault tolerance and high availability. More domain controllers can be provisioned for higher resiliency and performance after the directory has been successfully created and is Active. For more information, see Deploy additional domain controllers.
Note
Amazon does not allow the installation of monitoring agents on Amazon Managed Microsoft AD domain controllers.
- Creates an Amazon security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic to ENIs or instances attached to the created security group. The default inbound rules allow only traffic through the ports that are required by Active Directory, from any source (0.0.0.0/0). The 0.0.0.0/0 rules do not introduce security vulnerabilities, because traffic to the domain controllers is limited to traffic from your VPC, from other peered VPCs, or from networks that you have connected using Amazon Direct Connect, Amazon Transit Gateway, or Virtual Private Network. For additional security, the ENIs that are created do not have Elastic IPs attached to them, and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can reach your Amazon Managed Microsoft AD is local VPC and VPC-routed traffic. Use extreme caution if you attempt to change these rules, as you may break your ability to communicate with your domain controllers. For more information, see Best practices for Amazon Managed Microsoft AD. The following security group rules are created by default:

Inbound Rules
Protocol | Port range | Source | Type of traffic | Active Directory usage
ICMP | N/A | 0.0.0.0/0 | Ping | LDAP Keep Alive, DFS
TCP & UDP | 53 | 0.0.0.0/0 | DNS | User and computer authentication, name resolution, trusts
TCP & UDP | 88 | 0.0.0.0/0 | Kerberos | User and computer authentication, forest level trusts
TCP & UDP | 389 | 0.0.0.0/0 | LDAP | Directory, replication, user and computer authentication, group policy, trusts
TCP & UDP | 445 | 0.0.0.0/0 | SMB / CIFS | Replication, user and computer authentication, group policy, trusts
TCP & UDP | 464 | 0.0.0.0/0 | Kerberos change / set password | Replication, user and computer authentication, trusts
TCP | 135 | 0.0.0.0/0 | Replication | RPC, EPM
TCP | 636 | 0.0.0.0/0 | LDAP SSL | Directory, replication, user and computer authentication, group policy, trusts
TCP | 1024 - 65535 | 0.0.0.0/0 | RPC | Replication, user and computer authentication, group policy, trusts
TCP | 3268 - 3269 | 0.0.0.0/0 | LDAP GC & LDAP GC SSL | Directory, replication, user and computer authentication, group policy, trusts
UDP | 123 | 0.0.0.0/0 | Windows Time | Windows Time, trusts
UDP | 138 | 0.0.0.0/0 | DFSN & NetLogon | DFS, group policy
All | All | sg-################## | All Traffic | 

Outbound Rules
Protocol | Port range | Destination | Type of traffic | Active Directory usage
All | All | sg-################## | All Traffic | 

For more information about the ports and protocols used by Active Directory, see Service overview and network port requirements for Windows in Microsoft documentation.
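Because these rules and the no-Elastic-IP property are what keep the domain controllers reachable only from VPC-routed networks, a practitioner will want to detect drift from them. The following added example (not AWS code) compares a security group's inbound rules with the documented defaults and flags reserved directory ENIs that carry a public IP; it works on data shaped like the EC2 DescribeSecurityGroups and DescribeNetworkInterfaces responses, and the security group id, directory id and ENI records at the bottom are constructed placeholders.

```python
"""Drift check for the directory resources described above (added example,
not AWS code). Inputs follow the shape of EC2 DescribeSecurityGroups and
DescribeNetworkInterfaces responses; the samples at the bottom are constructed."""

# Documented default inbound rules as (protocol, from_port, to_port, source);
# "self" is the directory's own security group, "-1" means all protocols.
DEFAULT_INBOUND = {("icmp", -1, -1, "0.0.0.0/0"), ("-1", -1, -1, "self")}
for _proto, _lo, _hi in [("tcp", 53, 53), ("udp", 53, 53), ("tcp", 88, 88),
                         ("udp", 88, 88), ("tcp", 389, 389), ("udp", 389, 389),
                         ("tcp", 445, 445), ("udp", 445, 445), ("tcp", 464, 464),
                         ("udp", 464, 464), ("tcp", 135, 135), ("tcp", 636, 636),
                         ("tcp", 1024, 65535), ("tcp", 3268, 3269),
                         ("udp", 123, 123), ("udp", 138, 138)]:
    DEFAULT_INBOUND.add((_proto, _lo, _hi, "0.0.0.0/0"))

def flatten(ip_permissions, self_sg_id):
    """Expand each IpPermissions entry into one tuple per source."""
    rules = set()
    for perm in ip_permissions:
        key = (perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1))
        for r in perm.get("IpRanges", []):
            rules.add(key + (r["CidrIp"],))
        for g in perm.get("UserIdGroupPairs", []):
            rules.add(key + ("self" if g["GroupId"] == self_sg_id else g["GroupId"],))
    return rules

def audit_inbound(ip_permissions, self_sg_id):
    """Return (unexpected, missing) inbound rules relative to the documented defaults."""
    actual = flatten(ip_permissions, self_sg_id)
    return sorted(actual - DEFAULT_INBOUND), sorted(DEFAULT_INBOUND - actual)

def enis_with_public_ip(network_interfaces, directory_id):
    """Reserved directory ENIs are found by description; none should carry a public IP."""
    tag = f"Amazon created network interface for directory {directory_id}"
    return [n["NetworkInterfaceId"] for n in network_interfaces
            if n.get("Description") == tag and "PublicIp" in n.get("Association", {})]

# Constructed sample: RDP added from anywhere, most defaults missing, one ENI with a public IP.
SAMPLE_SG_ID = "sg-0123456789abcdef0"  # placeholder id
SAMPLE_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": SAMPLE_SG_ID}]},
]
SAMPLE_DESC = "Amazon created network interface for directory d-0000000000"  # placeholder directory id
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Description": SAMPLE_DESC, "Association": {"PublicIp": "203.0.113.5"}},
    {"NetworkInterfaceId": "eni-0bbb", "Description": SAMPLE_DESC},
]
```

Against the sample, audit_inbound reports the TCP 3389 rule as unexpected and the 16 absent defaults as missing, and enis_with_public_ip returns only eni-0aaa.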
- Creates a directory administrator account with the user name Admin and the specified password. This account is located under the Users OU (for example, Corp > Users). You use this account to manage your directory in the Amazon Cloud. For more information, see Admin account.
Important
Be sure to save this password. Amazon Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Amazon Directory Service console or by using the ResetUserPassword API.
- Creates the following three organizational units (OUs) under the domain root:

OU name | Description
Amazon Delegated Groups | Stores all of the groups that you can use to delegate Amazon-specific permissions to your users.
Amazon Reserved | Stores all Amazon management-specific accounts.
<yourdomainname> | The name of this OU is based on the NetBIOS name you typed when you created your directory. If you did not specify a NetBIOS name, it defaults to the first part of your directory DNS name (for example, for corp.example.com the NetBIOS name would be corp). This OU is owned by Amazon and contains all of your Amazon-related directory objects, over which you are granted Full Control. Two child OUs exist under this OU by default: Computers and Users. For example:
  - Corp
    - Computers
    - Users
- Creates the following groups in the Amazon Delegated Groups OU:

Group name | Description
Amazon Delegated Account Operators | Members of this security group have limited account management capability, such as password resets.
Amazon Delegated Active Directory Based Activation Administrators | Members of this security group can create Active Directory volume licensing activation objects, which enables enterprises to activate computers through a connection to their domain.
Amazon Delegated Add Workstations To Domain Users | Members of this security group can join 10 computers to a domain.
Amazon Delegated Administrators | Members of this security group can manage Amazon Managed Microsoft AD, have full control of all the objects in your OU, and can manage groups contained in the Amazon Delegated Groups OU.
Amazon Delegated Allowed to Authenticate Objects | Members of this security group are provided the ability to authenticate to computer resources in the Amazon Reserved OU (only needed for on-premises objects with Selective Authentication enabled trusts).
Amazon Delegated Allowed to Authenticate to Domain Controllers | Members of this security group are provided the ability to authenticate to computer resources in the Domain Controllers OU (only needed for on-premises objects with Selective Authentication enabled trusts).
Amazon Delegated Deleted Object Lifetime Administrators | Members of this security group can modify the msDS-DeletedObjectLifetime object, which defines how long a deleted object will be available to recover from the AD Recycle Bin.
Amazon Delegated Distributed File System Administrators | Members of this security group can add and remove FRS, DFS-R, and DFS namespaces.
Amazon Delegated Domain Name System Administrators | Members of this security group can manage Active Directory integrated DNS.
Amazon Delegated Dynamic Host Configuration Protocol Administrators | Members of this security group can authorize Windows DHCP servers in the enterprise.
Amazon Delegated Enterprise Certificate Authority Administrators | Members of this security group can deploy and manage Microsoft Enterprise Certificate Authority infrastructure.
Amazon Delegated Fine Grained Password Policy Administrators | Members of this security group can modify pre-created fine-grained password policies.
Amazon Delegated FSx Administrators | Members of this security group are provided the ability to manage Amazon FSx resources.
Amazon Delegated Group Policy Administrators | Members of this security group can perform group policy management tasks (create, edit, delete, link).
Amazon Delegated Kerberos Delegation Administrators | Members of this security group can enable delegation on computer and user account objects.
Amazon Delegated Managed Service Account Administrators | Members of this security group can create and delete Managed Service Accounts.
Amazon Delegated MS-NPRC Non-Compliant Devices | Members of this security group will be provided an exclusion from requiring secure channel communications with domain controllers. This group is for computer accounts.
Amazon Delegated Remote Access Service Administrators | Members of this security group can add and remove RAS servers from the RAS and IAS Servers group.
Amazon Delegated Replicate Directory Changes Administrators | Members of this security group can synchronize profile information in Active Directory with SharePoint Server.
Amazon Delegated Server Administrators | Members of this security group are included in the local administrators group on all domain-joined computers.
Amazon Delegated Sites and Services Administrators | Members of this security group can rename the Default-First-Site-Name object in Active Directory Sites and Services.
Amazon Delegated System Management Administrators | Members of this security group can create and manage objects in the System Management container.
Amazon Delegated Terminal Server Licensing Administrators | Members of this security group can add and remove Terminal Server License Servers from the Terminal Server License Servers group.
Amazon Delegated User Principal Name Suffix Administrators | Members of this security group can add and remove user principal name suffixes.
- Creates and applies the following Group Policy Objects (GPOs):
Note
You do not have permissions to delete, modify, or unlink these GPOs. This is by design, as they are reserved for Amazon use. You may link them to OUs that you control if needed.

Group policy name | Applies to | Description
Default Domain Policy | Domain | Includes domain password and Kerberos policies.
ServerAdmins | All non domain controller computer accounts | Adds the 'Amazon Delegated Server Administrators' group as a member of the BUILTIN\Administrators group.
Amazon Reserved Policy:User | Amazon Reserved user accounts | Sets recommended security settings on all user accounts in the Amazon Reserved OU.
Amazon Managed Active Directory Policy | All domain controllers | Sets recommended security settings on all domain controllers.
TimePolicyNT5DS | All non-PDCe domain controllers | Sets the time policy of all non-PDCe domain controllers to use Windows Time (NT5DS).
TimePolicyPDC | The PDCe domain controller | Sets the PDCe domain controller's time policy to use Network Time Protocol (NTP).
Default Domain Controllers Policy | Not used | Provisioned during domain creation; Amazon Managed Active Directory Policy is used in its place.

If you would like to see the settings of each GPO, you can view them from a domain-joined Windows instance with the Group Policy Management Console (GPMC) enabled.