Getting started with Simple AD
Simple AD creates a fully managed, Samba-based directory in the Amazon cloud. When you create a directory with Simple AD, Amazon Directory Service creates two domain controllers and DNS servers on your behalf. The domain controllers are created in different subnets in an Amazon VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs.
Simple AD prerequisites
To create a Simple AD Active Directory, you need an Amazon VPC with the following:
- The VPC must have default hardware tenancy.
- The VPC must not be configured with the following VPC endpoint(s):
  - Route53 VPC endpoints that include DNS conditional overrides for *.amazonaws.com which resolve to non-public Amazon IP addresses
- At least two subnets in two different Availability Zones. The subnets must be in the same Classless Inter-Domain Routing (CIDR) range. If you want to extend or resize the VPC for your directory, then make sure to select both of the domain controller subnets for the extended VPC CIDR range. When you create a Simple AD, Amazon Directory Service creates two domain controllers and DNS servers on your behalf.
  - For more information about the CIDR range, see IP addressing for your VPCs and subnets in the Amazon VPC User Guide.
- If you require LDAPS support with Simple AD, we recommend that you configure it using a Network Load Balancer connected to port 389. This model enables you to use a strong certificate for the LDAPS connection, simplify access to LDAPS through a single NLB IP address, and have automatic fail-over through the NLB. Simple AD does not support the use of self-signed certificates on port 636. For more information about how to configure LDAPS with Simple AD, see How to configure an LDAPS endpoint for Simple AD in the Amazon Security Blog.
- The following encryption types must be enabled in the directory:
  - RC4_HMAC_MD5
  - AES128_HMAC_SHA1
  - AES256_HMAC_SHA1
  - Future encryption types
  Note
  Disabling these encryption types can cause communication issues with RSAT (Remote Server Administration Tools) and impact the availability of your directory.
For more information, see What is Amazon VPC? in the Amazon VPC User Guide.
Amazon Directory Service uses a two VPC structure. The EC2 instances which make up your directory run outside of your Amazon account, and are managed by Amazon. They have two network adapters, ETH0 and ETH1. ETH0 is the management adapter, and exists outside of your account. ETH1 is created within your account.
The management IP range of your directory's ETH0 network is chosen programmatically to ensure it does not conflict with the VPC where your directory is deployed. This IP range can be in either of the following pairs (as Directories run in two subnets):
- 10.0.1.0/24 & 10.0.2.0/24
- 169.254.0.0/16
- 192.168.1.0/24 & 192.168.2.0/24
We avoid conflicts by checking the first octet of the ETH1 CIDR. If it starts with a 10, then we choose a 192.168.0.0/16 VPC with 192.168.1.0/24 and 192.168.2.0/24 subnets. If the first octet is anything other than a 10, we choose a 10.0.0.0/16 VPC with 10.0.1.0/24 and 10.0.2.0/24 subnets.
The selection algorithm does not include routes on your VPC. It is therefore possible to have an IP routing conflict result from this scenario.
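As an added example that is not part of the Amazon documentation, the following Python checks a planned VPC against the subnet prerequisites above, mirrors the documented ETH0 range selection rule, and then screens the VPC's route table for the overlap that the selection algorithm itself does not check. The VPC CIDR, subnets, Availability Zone labels and route destinations are constructed sample values.

```python
import ipaddress

# Management (ETH0) ranges as documented: first octet 10 -> the 192.168.x.0/24 pair,
# anything else -> the 10.0.x.0/24 pair.
MGMT_RANGES = {
    True: ("192.168.0.0/16", ["192.168.1.0/24", "192.168.2.0/24"]),
    False: ("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]),
}

def management_range(vpc_cidr):
    """Return (management VPC CIDR, its two subnets) for a given ETH1 VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    return MGMT_RANGES[vpc.network_address.packed[0] == 10]

def check_subnets(vpc_cidr, subnets):
    """Prerequisite check: two subnets, in different AZs, both inside the VPC CIDR.
    subnets is a list of (cidr, availability_zone) tuples."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    problems = []
    if len(subnets) != 2:
        problems.append("exactly two domain controller subnets are required")
    if len({az for _, az in subnets}) != len(subnets):
        problems.append("subnets must be in different Availability Zones")
    for cidr, _ in subnets:
        if not ipaddress.ip_network(cidr, strict=False).subnet_of(vpc):
            problems.append(f"{cidr} is outside the VPC CIDR {vpc_cidr}")
    return problems

def route_conflicts(vpc_cidr, route_destinations):
    """Route-table destinations that overlap the chosen ETH0 management subnets.
    The default route (0.0.0.0/0) overlaps everything and is ignored."""
    _, mgmt_subnets = management_range(vpc_cidr)
    conflicts = []
    for dest in route_destinations:
        d = ipaddress.ip_network(dest, strict=False)
        if d.prefixlen == 0:
            continue
        for m in mgmt_subnets:
            if d.overlaps(ipaddress.ip_network(m)):
                conflicts.append((dest, m))
    return conflicts

if __name__ == "__main__":
    # Constructed sample: a 172.31.0.0/16 VPC whose route table also points at 10.0.0.0/16.
    vpc = "172.31.0.0/16"
    subnets = [("172.31.0.0/20", "cn-north-1a"), ("172.31.16.0/20", "cn-north-1b")]
    routes = ["172.31.0.0/16", "0.0.0.0/0", "10.0.0.0/16"]
    print("subnet problems:", check_subnets(vpc, subnets))
    print("management range:", management_range(vpc))
    print("route conflicts:", route_conflicts(vpc, routes))
```

In the constructed sample the VPC is not a 10.x network, so the directory's ETH0 side would land in 10.0.1.0/24 and 10.0.2.0/24, and the route to 10.0.0.0/16 is reported as the conflict the text warns about.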
Important
If any of the Simple AD prerequisites are altered after your Simple AD is created, your Simple AD can become Impaired. To resolve your Simple AD Impaired status, you'll need to contact Amazon Web Services Support.
Create your Simple AD
This procedure walks you through all the necessary steps to create a Simple AD. It is intended to get you started with Simple AD quickly and easily, but is not intended to be used in a large-scale production environment.
Steps
Prerequisites
This procedure assumes the following:
- You have an active Amazon Web Services account.
- Your account has not reached its limit of Amazon VPCs for the Region in which you want to use Simple AD. For more information about VPC, see What is Amazon VPC? and Subnets in your VPC in the Amazon VPC User Guide.
- You do not have an existing VPC in the Region with a CIDR of 10.0.0.0/16.
- You are in a Region where Simple AD is available. For more information, see Region availability for Amazon Directory Service.
For more information, see Simple AD prerequisites.
Creating and configuring your Amazon VPC for your Simple AD
First, you'll create and configure an Amazon VPC for use with your Simple AD. Before starting this procedure, make sure you have completed the Prerequisites.
The VPC you'll create will have two public subnets. Amazon Directory Service requires two subnets in your VPC, and each subnet must be in a different Availability Zone.
Create a VPC
- Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.
- In the VPC Dashboard, choose Create VPC.
- Under VPC settings, choose VPC and more.
- Complete these fields as follows:
  - Keep Auto-generated selected under Name tag auto-generation. Change project to ADS VPC.
  - The IPv4 CIDR block should be 10.0.0.0/16.
  - Keep No IPv6 CIDR block option selected.
  - The Tenancy should remain Default.
  - Select 2 for the Number of Availability Zones (AZs).
  - Select 2 for the Number of public subnets. The number of private subnets can be changed to 0.
  - Choose Customize subnet CIDR blocks to configure the public subnet IP address range. The public subnet CIDR blocks should be 10.0.0.0/20 and 10.0.16.0/20.
- Choose Create VPC. It takes several minutes for the VPC to be created.
Creating your Simple AD
To create a new Simple AD, perform the following steps. Before starting this procedure, make sure you have completed the steps in Prerequisites and Creating and configuring your Amazon VPC for your Simple AD.
Create a Simple AD
- In the Amazon Directory Service console navigation pane, choose Directories and then choose Set up directory.
- On the Select directory type page, choose Simple AD, and then choose Next.
- On the Enter directory information page, provide the following information:
  - Directory size: Choose from either the Small or Large size option. For more information about sizes, see Simple AD.
  - Organization name: A unique organization name for your directory that will be used to register client devices. This field is only available if you are creating your directory as part of launching WorkSpaces.
  - Directory DNS name: The fully qualified name for the directory, such as corp.example.com.
  - Directory NetBIOS name: The short name for the directory, such as CORP.
  - Administrator password: The password for the directory administrator. The directory creation process creates an administrator account with the username Administrator and this password. The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:
    - Lowercase letters (a-z)
    - Uppercase letters (A-Z)
    - Numbers (0-9)
    - Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
  - Confirm password: Retype the administrator password.
  Important
  Be sure to save this password. Amazon Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Amazon Directory Service console or by using the ResetUserPassword API.
  - Directory description: An optional description for the directory.
- On the Choose VPC and subnets page, provide the following information, and then choose Next.
  - VPC: The VPC for the directory.
  - Subnets: Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.
- On the Review & create page, review the directory information and make any necessary changes. When the information is correct, choose Create directory. It takes several minutes for the directory to be created. Once created, the Status value changes to Active.
For more information on what is created with your Simple AD, see What gets created with your Simple AD.
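The administrator password rules in the Enter directory information step, as an added example that is not part of the Amazon documentation: a Python checker that a provisioning script could run on a candidate password before creating the directory, using the length bounds, the three-of-four rule and the exact non-alphanumeric set stated above. The candidate passwords in the demo are constructed.

```python
import string

# Non-alphanumeric characters exactly as listed in the documented policy.
SYMBOLS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

CATEGORIES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "number": set(string.digits),
    "non-alphanumeric": SYMBOLS,
}

def password_problems(password):
    """Return the reasons a candidate administrator password fails the policy:
    8-64 characters inclusive, and at least one character from three of the
    four categories. An empty list means the password is acceptable."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append(f"length {len(password)} is not between 8 and 64")
    # The comparison is case-sensitive, so lowercase and uppercase are distinct categories.
    missing = [name for name, chars in CATEGORIES.items()
               if not any(c in chars for c in password)]
    present = len(CATEGORIES) - len(missing)
    if present < 3:
        problems.append(f"only {present} of 4 categories present; missing: "
                        + ", ".join(missing))
    return problems

if __name__ == "__main__":
    # Constructed candidates covering the pass and fail cases.
    for candidate in ("Passw0rd", "password", "Ab1!", "correct-Horse-battery"):
        print(repr(candidate), "->", password_problems(candidate) or "ok")
```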