What gets created with your Amazon Managed Microsoft AD - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

What gets created with your Amazon Managed Microsoft AD

When you create an Active Directory with Amazon Managed Microsoft AD, Amazon Directory Service performs the following tasks on your behalf:

  • Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs is essential for connectivity between your VPC and the Amazon Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with Amazon Directory Service by their description: "Amazon created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide. The default DNS server of the Amazon Managed Microsoft AD Active Directory is the VPC DNS server, which sits at the base address of the VPC Classless Inter-Domain Routing (CIDR) block plus two (for example, 10.0.0.2 in a 10.0.0.0/16 VPC). For more information, see Amazon DNS server in the Amazon VPC User Guide.

    Note

    Domain controllers are deployed across two Availability Zones in a Region by default and are connected to your Amazon VPC. Backups are taken automatically once per day, and the Amazon EBS volumes are encrypted so that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

  • Provisions Active Directory within your VPC using two domain controllers for fault tolerance and high availability. More domain controllers can be provisioned for higher resiliency and performance after the directory has been created successfully and its status is Active. For more information, see Deploying additional domain controllers for your Amazon Managed Microsoft AD.

    Note

    Amazon does not allow the installation of monitoring agents on Amazon Managed Microsoft AD domain controllers.

  • Creates an Amazon security group that establishes network rules for traffic in and out of your domain controllers. The default outbound rule permits all traffic from the ENIs (or instances) attached to the created security group. The default inbound rules allow only traffic through the ports that Active Directory requires, and only from the VPC CIDR of your Amazon Managed Microsoft AD. These rules do not expose the domain controllers to the internet: the only traffic that can reach them comes from your VPC, or from peered VPCs and networks that you have connected using Amazon Direct Connect, Amazon Transit Gateway, or a Virtual Private Network. Note that traffic from those peered or connected networks carries a source address outside the VPC CIDR, so it is only admitted once you add inbound rules for those address ranges. For additional security, the ENIs that are created do not have Elastic IPs attached to them, and you do not have permission to attach an Elastic IP to those ENIs. Therefore, the only inbound traffic that can communicate with your Amazon Managed Microsoft AD is local VPC traffic and traffic routed into the VPC. You can change the security group rules, but use extreme caution if you do: a wrong rule can break your ability to communicate with your domain controllers, and widening the source of any rule beyond the VPC CIDR widens the attack surface of the domain controllers by the same amount. For more information, see Amazon Managed Microsoft AD best practices. The following security group rules are created by default:

    Inbound Rules

    The source of every default inbound rule is the Amazon Managed Microsoft AD VPC IPv4 CIDR.

    Protocol  | Port range   | Type of traffic                | Active Directory usage
    ICMP      | N/A          | Ping                           | LDAP keep-alive, DFS
    TCP & UDP | 53           | DNS                            | User and computer authentication, name resolution, trusts
    TCP & UDP | 88           | Kerberos                       | User and computer authentication, forest-level trusts
    TCP & UDP | 389          | LDAP                           | Directory, replication, user and computer authentication, group policy, trusts
    TCP & UDP | 445          | SMB / CIFS                     | Replication, user and computer authentication, group policy, trusts
    TCP & UDP | 464          | Kerberos change / set password | Replication, user and computer authentication, trusts
    TCP       | 135          | Replication                    | RPC, EPM
    TCP       | 636          | LDAP SSL                       | Directory, replication, user and computer authentication, group policy, trusts
    TCP       | 1024 - 65535 | RPC                            | Replication, user and computer authentication, group policy, trusts
    TCP       | 3268 - 3269  | LDAP GC & LDAP GC SSL          | Directory, replication, user and computer authentication, group policy, trusts
    UDP       | 123          | Windows Time                   | Windows Time, trusts
    UDP       | 138          | DFSN & NetLogon                | DFS, group policy
    All       | All          | All traffic                    |

    Because the final rule admits all traffic from the VPC CIDR, the port-specific rules above are documentation of what Active Directory needs rather than an additional restriction within the VPC; what actually bounds the domain controllers' exposure is the source range of each rule.

    Outbound Rules

    Protocol | Port range | Destination | Type of traffic
    All      | All        | 0.0.0.0/0   | All traffic

    For more information about the ports and protocols used by Active Directory, see Service overview and network port requirements for Windows in the Microsoft documentation.

  • Creates a directory administrator account with the user name Admin and the specified password. This account is located under the Users OU (For example, Corp > Users). You use this account to manage your directory in the Amazon Cloud. For more information, see Amazon Managed Microsoft AD Administrator account permissions.

    Important

    Be sure to save this password. Amazon Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Amazon Directory Service console or by using the ResetUserPassword API.

  • Creates the following three organizational units (OUs) under the domain root:

    OU name                 | Description
    Amazon Delegated Groups | Stores all of the groups that you can use to delegate Amazon-specific permissions to your users.
    Amazon Reserved         | Stores all Amazon management-specific accounts.
    <yourdomainname>        | The name of this OU is based on the NetBIOS name you typed when you created your directory. If you did not specify a NetBIOS name, it defaults to the first label of your directory DNS name (for example, for corp.example.com the NetBIOS name is corp). This OU is owned by Amazon and contains all of your Amazon-related directory objects, over which you are granted Full Control. Two child OUs exist under this OU by default: Computers and Users. For example:

    • Corp

      • Computers

      • Users
  • Creates the following groups in the Amazon Delegated Groups OU:

    Group name | Description
    Amazon Delegated Account Operators | Members of this security group have limited account management capability, such as password resets.
    Amazon Delegated Active Directory Based Activation Administrators | Members of this security group can create Active Directory volume licensing activation objects, which lets enterprises activate computers through a connection to their domain.
    Amazon Delegated Add Workstations To Domain Users | Members of this security group can join up to 10 computers to the domain.
    Amazon Delegated Administrators | Members of this security group can manage Amazon Managed Microsoft AD, have Full Control of all the objects in your OU, and can manage the groups contained in the Amazon Delegated Groups OU.
    Amazon Delegated Allowed to Authenticate Objects | Members of this security group are allowed to authenticate to computer resources in the Amazon Reserved OU (only needed for on-premises objects in trusts with Selective Authentication enabled).
    Amazon Delegated Allowed to Authenticate to Domain Controllers | Members of this security group are allowed to authenticate to computer resources in the Domain Controllers OU (only needed for on-premises objects in trusts with Selective Authentication enabled).
    Amazon Delegated Deleted Object Lifetime Administrators | Members of this security group can modify the msDS-DeletedObjectLifetime attribute, which defines how long a deleted object remains recoverable from the AD Recycle Bin.
    Amazon Delegated Distributed File System Administrators | Members of this security group can add and remove FRS, DFS-R, and DFS namespaces.
    Amazon Delegated Domain Name System Administrators | Members of this security group can manage Active Directory-integrated DNS.
    Amazon Delegated Dynamic Host Configuration Protocol Administrators | Members of this security group can authorize Windows DHCP servers in the enterprise.
    Amazon Delegated Enterprise Certificate Authority Administrators | Members of this security group can deploy and manage Microsoft Enterprise Certificate Authority infrastructure.
    Amazon Delegated Fine Grained Password Policy Administrators | Members of this security group can modify the pre-created fine-grained password policies.
    Amazon Delegated FSx Administrators | Members of this security group can manage Amazon FSx resources.
    Amazon Delegated Group Policy Administrators | Members of this security group can perform Group Policy management tasks (create, edit, delete, link).
    Amazon Delegated Kerberos Delegation Administrators | Members of this security group can enable delegation on computer and user account objects.
    Amazon Delegated Managed Service Account Administrators | Members of this security group can create and delete Managed Service Accounts.
    Amazon Delegated MS-NPRC Non-Compliant Devices | Members of this security group are exempted from the requirement for secure channel communications with domain controllers. This group is for computer accounts; each member is a standing exception to a domain controller protection and should be reviewed.
    Amazon Delegated Remote Access Service Administrators | Members of this security group can add and remove RAS servers from the RAS and IAS Servers group.
    Amazon Delegated Replicate Directory Changes Administrators | Members of this security group can synchronize profile information in Active Directory with SharePoint Server.
    Amazon Delegated Server Administrators | Members of this security group are included in the local Administrators group on all domain-joined computers.
    Amazon Delegated Sites and Services Administrators | Members of this security group can rename the Default-First-Site-Name object in Active Directory Sites and Services.
    Amazon Delegated System Management Administrators | Members of this security group can create and manage objects in the System Management container.
    Amazon Delegated Terminal Server Licensing Administrators | Members of this security group can add and remove Terminal Server License Servers from the Terminal Server License Servers group.
    Amazon Delegated User Principal Name Suffix Administrators | Members of this security group can add and remove user principal name suffixes.

    Note

    You can add members to these Amazon Delegated Groups. Several of them confer broad rights (for example, Server Administrators is local Administrator on every domain-joined computer, Group Policy Administrators can change settings that apply domain-wide, and Kerberos Delegation Administrators can enable delegation on accounts), so treat their membership as privileged access and review it on the same schedule as your other administrative groups.

  • Creates and applies the following Group Policy Objects (GPOs):

    Note

    You do not have permissions to delete, modify, or unlink these GPOs. This is by design, as they are reserved for Amazon use. You may link them to OUs that you control if needed.

    Group policy name | Applies to | Description
    Default Domain Policy | Domain | Includes domain password and Kerberos policies.
    ServerAdmins | All non-domain-controller computer accounts | Adds 'Amazon Delegated Server Administrators' as a member of the BUILTIN\Administrators group.
    Amazon Reserved Policy:User | Amazon Reserved user accounts | Sets recommended security settings on all user accounts in the Amazon Reserved OU.
    Amazon Managed Active Directory Policy | All domain controllers | Sets recommended security settings on all domain controllers.
    TimePolicyNT5DS | All non-PDCe domain controllers | Configures every domain controller other than the PDC emulator (PDCe) to take time from the domain hierarchy (Windows Time type NT5DS).
    TimePolicyPDC | The PDCe domain controller | Configures the PDC emulator to take time from an external source using Network Time Protocol (NTP).
    Default Domain Controllers Policy | Not used | Provisioned during domain creation; Amazon Managed Active Directory Policy is used in its place.

    If you would like to see the settings of each GPO, you can view them from a domain-joined Windows instance with the Group Policy Management Console (GPMC) installed.

  • Creates the following default accounts for Amazon Managed Microsoft AD management:

    Important

    Be sure to save the admin password. Amazon Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Amazon Directory Service console or by using the ResetUserPassword API.

    Admin

    The Admin account is the directory administrator account created when the Amazon Managed Microsoft AD is first created. You provide a password for this account when you create the directory. This account is located under the Users OU (for example, Corp > Users). You use this account to manage your Active Directory in Amazon Web Services. For more information, see Amazon Managed Microsoft AD Administrator account permissions.

    Amazon_11111111111

    Any account whose name starts with Amazon followed by an underscore and that is located in the Amazon Reserved OU is a service-managed account (Amazon_11111111111 illustrates the naming pattern). Amazon uses these accounts to interact with your Active Directory. They are created when Amazon Directory Service Data is enabled and with each new Amazon application that you authorize on the Active Directory. These accounts are accessible only by Amazon services.

    krbtgt account password

    The krbtgt account is the Kerberos Key Distribution Center service account of your Amazon Managed Microsoft AD: its key encrypts every ticket-granting ticket (TGT) the domain issues, so its password underpins the security of the whole Kerberos authentication exchange. For more information, see the Microsoft documentation.

    Amazon automatically rotates the krbtgt account password for your Amazon Managed Microsoft AD twice every 90 days, with a 24-hour waiting period between the two consecutive rotations. Two rotations are needed because the KDC keeps accepting tickets encrypted under the previous krbtgt key until it has been rotated a second time; the waiting period lets TGTs issued under the old key expire normally instead of invalidating every active session at once, and only after the second rotation is a copy of the old key useless for forging tickets.

For more information about the admin account and other accounts created by Active Directory, see Microsoft documentation.
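The network interface and security group items earlier on this page give you two concrete things to check: the directory's ENIs carry a fixed description string, and the default inbound rules admit only the VPC IPv4 CIDR. The following Python is an added example written for this page, not code from the Amazon Directory Service documentation or SDK. It identifies the directory's ENIs by that description, then audits a security group's inbound rules against the documented default set, flagging any rule whose source lies outside the VPC CIDR (or outside a list of peered or connected networks you have deliberately trusted). The input dictionaries follow the shape of the EC2 DescribeNetworkInterfaces and DescribeSecurityGroups responses so real boto3 output can be passed in unchanged; the sample ENIs, security group, CIDRs and directory ID are constructed for the example, and the exact directory-ID format, the `trusted_cidrs` parameter and the HIGH/INFO severity labels are the example's own assumptions.

```python
"""Audit the network surface of an Amazon Managed Microsoft AD deployment.

Added example for this page, not code from Amazon Directory Service.
Input dicts follow the shape of the EC2 DescribeNetworkInterfaces and
DescribeSecurityGroups responses; the sample data at the bottom is constructed.
"""
import ipaddress
import re

# Description the service stamps on every directory ENI (wording from the page;
# the exact format of the directory id is assumed, so it is matched loosely).
ENI_DESCRIPTION_RE = re.compile(
    r"^Amazon created network interface for directory (?P<directory_id>\S+)$"
)

# Documented default inbound rules as (protocol, from_port, to_port).
# "-1" is the EC2 encoding for "all protocols"; ICMP -1/-1 means all types/codes.
DEFAULT_INBOUND = {
    ("icmp", -1, -1),
    ("tcp", 53, 53), ("udp", 53, 53),          # DNS
    ("tcp", 88, 88), ("udp", 88, 88),          # Kerberos
    ("tcp", 389, 389), ("udp", 389, 389),      # LDAP
    ("tcp", 445, 445), ("udp", 445, 445),      # SMB
    ("tcp", 464, 464), ("udp", 464, 464),      # Kerberos change / set password
    ("tcp", 135, 135),                         # RPC endpoint mapper
    ("tcp", 636, 636),                         # LDAP SSL
    ("tcp", 1024, 65535),                      # RPC dynamic ports
    ("tcp", 3268, 3269),                       # Global catalog
    ("udp", 123, 123),                         # Windows Time
    ("udp", 138, 138),                         # DFSN / NetLogon
    ("-1", None, None),                        # All traffic
}


def directory_enis(network_interfaces, directory_id):
    """Return the ids of the ENIs reserved for `directory_id` (never delete these)."""
    found = []
    for eni in network_interfaces:
        match = ENI_DESCRIPTION_RE.match(eni.get("Description", ""))
        if match and match.group("directory_id") == directory_id:
            found.append(eni["NetworkInterfaceId"])
    return found


def _rule_key(perm):
    """Normalise one IpPermissions entry to the (protocol, from, to) tuple used above."""
    if perm["IpProtocol"] == "-1":
        return ("-1", None, None)
    return (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))


def _inside(src, networks):
    """True if `src` is contained in any of `networks` (same IP version only)."""
    return any(src.version == n.version and src.subnet_of(n) for n in networks)


def audit_inbound(security_group, vpc_cidr, trusted_cidrs=()):
    """Compare inbound rules with the documented default set.

    Returns (severity, message) tuples. HIGH: a rule is reachable from outside
    the VPC CIDR and outside `trusted_cidrs` (peered/connected networks you have
    deliberately allowed). INFO: a rule that the default table does not list.
    """
    allowed = [ipaddress.ip_network(vpc_cidr)]
    allowed += [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in security_group.get("IpPermissions", []):
        key = _rule_key(perm)
        if key not in DEFAULT_INBOUND:
            findings.append(("INFO", f"rule {key} is not in the documented default set"))
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not _inside(src, allowed):
                findings.append(("HIGH", f"rule {key} reachable from {src}, outside the VPC CIDR"))
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(("HIGH", f"rule {key} has IPv6 source {rng['CidrIpv6']}; defaults are IPv4 only"))
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(("INFO", f"rule {key} is sourced from security group {pair['GroupId']}"))
    return findings


# Constructed sample data (ids, CIDRs and directory id are made up).
SAMPLE_VPC_CIDR = "10.0.0.0/16"
SAMPLE_DIRECTORY_ID = "d-1234567890"
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0a1", "Description": f"Amazon created network interface for directory {SAMPLE_DIRECTORY_ID}"},
    {"NetworkInterfaceId": "eni-0a2", "Description": f"Amazon created network interface for directory {SAMPLE_DIRECTORY_ID}"},
    {"NetworkInterfaceId": "eni-0b3", "Description": "Primary network interface"},
]
SAMPLE_SG = {
    "GroupId": "sg-0c4",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389, "IpRanges": [{"CidrIp": SAMPLE_VPC_CIDR}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": SAMPLE_VPC_CIDR}]},
        # LDAPS opened to the internet "temporarily": the HIGH finding we want to catch.
        {"IpProtocol": "tcp", "FromPort": 636, "ToPort": 636, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # RDP from a peered VPC the operator lists as trusted: undocumented, but not exposed.
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
    ],
}


def main():
    print("directory ENIs (never delete):", directory_enis(SAMPLE_ENIS, SAMPLE_DIRECTORY_ID))
    for severity, message in audit_inbound(SAMPLE_SG, SAMPLE_VPC_CIDR, trusted_cidrs=["10.1.0.0/16"]):
        print(f"[{severity}] {message}")


if __name__ == "__main__":
    main()
```

To run it against a live account, replace the samples with `ec2.describe_network_interfaces()["NetworkInterfaces"]` and `ec2.describe_security_groups(GroupIds=[...])["SecurityGroups"][0]` from a boto3 EC2 client. A HIGH finding means a domain controller port is reachable from an address range the default rules never admit; an INFO finding is a rule you added yourself and should be able to account for.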