AWS Directory Services

AWS Directory Service provides managed directories that hold information about an organization: its users, groups, computers and other resources.
AWS Directory Service offers several options:
Simple AD, a standalone, Samba-based directory service
AD Connector, a proxy that lets AWS services use an on-premises Microsoft Active Directory
AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), available in Standard and Enterprise editions
Simple AD
This is a Microsoft Active Directory compatible directory powered by Samba 4 and managed by AWS Directory Service; it is not a Windows Server domain controller.
If you have fewer than 5,000 users and do not need the more advanced Microsoft Active Directory features, this is usually the best option (the Small size supports up to 500 users, Large up to 5,000).
Supports common Active Directory features such as user accounts, group memberships, and joining Linux and Windows EC2 instances to the domain. Kerberos-based single sign-on (SSO) is also available.
Not supported: schema extensions, DNS dynamic update, multi-factor authentication, communication over LDAPS, PowerShell AD cmdlets, and transfer of FSMO roles.
Provides daily automated snapshots that allow point-in-time recovery.
Trust relationships between a Simple AD domain and other Active Directory domains cannot be established.
Does not support MFA, RDS for SQL Server, or AWS SSO (now IAM Identity Center).
AD Connector
Connects AWS services to an existing on-premises Active Directory.
The best option when you want to use your existing on-premises directory with AWS services rather than run a second directory in AWS.
Requires a VPN or Direct Connect connection between the VPC and the on-premises network; if that link is down, authentication through AD Connector fails.
This proxy service connects on-premises Microsoft Active Directory to AWS without complex directory synchronization and without the cost and complexity of hosting a federation infrastructure. No directory data is stored or cached in AWS.
Forwards sign-in and authentication requests to your Active Directory domain controllers, and lets applications query the directory for information.
Existing security policies such as password expiration, password history, and account lockout are enforced consistently whether users access resources on-premises or in AWS, because the on-premises domain controllers make every decision.
AWS Managed Microsoft AD (Enterprise Edition)
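AD Connector is only as available as the network path to the domain controllers it forwards to. The following is an added example, not from the original page and not AWS's own tooling: a preflight script that checks TCP reachability of the core ports AWS's AD Connector prerequisites require on each on-premises DC, so a broken VPN, a restrictive security group, or an on-premises firewall rule is caught before the connector is created. The DC addresses are supplied as arguments and are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: preflight check that a subnet the
# AD Connector will use can reach the on-premises domain controllers it forwards
# authentication and LDAP requests to. DC hosts/IPs are passed as arguments.
set -u

# Core TCP ports from AWS's AD Connector prerequisites that every DC listed in
# CustomerDnsIps must answer on: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB.
# The full AWS list also includes UDP and a dynamic RPC port range; treat this
# as the minimum, not the complete rule set.
AD_PORTS="53 88 135 389 445"

# tcp_open HOST PORT : exit 0 if a TCP connect succeeds within 3 seconds.
# Uses bash's /dev/tcp so no nc/nmap is needed on a minimal EC2 image.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_dc HOST : print one line per port; return the number of closed ports.
check_dc() {
  local host=$1 closed=0 port
  for port in $AD_PORTS; do
    if tcp_open "$host" "$port"; then
      printf '%s:%s open\n' "$host" "$port"
    else
      printf '%s:%s CLOSED\n' "$host" "$port"
      closed=$((closed + 1))
    fi
  done
  return "$closed"
}

# preflight DC... : check every DC; return the total number of closed ports,
# so a non-zero status means AD Connector would not work from this subnet.
preflight() {
  local dc total=0
  for dc in "$@"; do
    check_dc "$dc" || total=$((total + $?))
  done
  return "$total"
}

# Usage: ./adc-preflight.sh 10.1.0.10 10.1.0.11   (placeholder DC addresses)
preflight "$@"
```

Run it from an instance in each subnet you intend to give AD Connector; a CLOSED line for port 88 or 389 on any DC explains most "connector stuck in Creating" cases before you open a support case.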
A feature-rich managed Microsoft Active Directory hosted by AWS, running actual Windows Server Active Directory rather than Samba.
The best option when there are more than 5,000 users (Standard Edition is sized for roughly 5,000 users and 30,000 directory objects; Enterprise Edition for roughly 100,000 users and 500,000 objects).
Supports one-way and two-way forest trusts (and external trusts) between the AWS-hosted directory and on-premises directories, so users and groups can access resources in both domains with single sign-on.
A VPN or Direct Connect connection is needed only when you establish a trust with an on-premises directory; a standalone AWS Managed Microsoft AD works without one.
Offers most of the functionality of Microsoft Active Directory plus integration with AWS applications.
Provides a highly available pair of domain controllers deployed in two Availability Zones of the VPC in the Region you choose.
Supports MFA by integrating with an existing RADIUS-based MFA infrastructure, adding a layer of security for users who access AWS applications.
Automatically configures and manages host monitoring, recovery, data replication, snapshots and software updates.
Supports RDS for SQL Server, Amazon WorkSpaces, QuickSight, WorkDocs and other AWS applications.
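To make the three options above (Simple AD, AD Connector and AWS Managed Microsoft AD) concrete, here is an added example that is not from the original page and not AWS's own code: a script that provisions each type with the AWS CLI, then adds the forest trust and RADIUS MFA that only the managed option supports, and takes a manual snapshot. Every VPC, subnet and directory ID, domain name, address and password in it is a placeholder assumption; the script prints the commands unless you set DRY_RUN=0.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: provisioning each AWS Directory
# Service type with the AWS CLI ("aws ds"). All IDs, names, addresses and
# secrets are placeholder assumptions. DRY_RUN=1 (default) prints the commands.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS... : print the command in dry-run mode, execute it otherwise.
# In production pass secrets via --cli-input-json file://... rather than argv,
# so they do not land in shell history or process listings.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# All three types require two subnets in different Availability Zones.

# Simple AD (Samba 4): --size Small (up to 500 users) or Large (up to 5,000).
# Args: NAME SHORT_NAME ADMIN_PASSWORD SIZE VPC_ID SUBNET_A SUBNET_B
create_simple_ad() {
  run aws ds create-directory --name "$1" --short-name "$2" --password "$3" \
    --size "$4" --vpc-settings "VpcId=$5,SubnetIds=$6,$7"
}

# AD Connector: nothing is stored in AWS. CustomerDnsIps are on-premises DCs
# reachable over VPN/Direct Connect; CustomerUserName is a service account with
# only the delegated rights AD Connector needs, and --password is its password.
# Args: NAME SHORT_NAME SVC_PASSWORD SIZE VPC_ID SUBNET_A SUBNET_B DNS_A DNS_B SVC_USER
create_ad_connector() {
  run aws ds connect-directory --name "$1" --short-name "$2" --password "$3" \
    --size "$4" --connect-settings \
    "VpcId=$5,SubnetIds=$6,$7,CustomerDnsIps=$8,$9,CustomerUserName=${10}"
}

# AWS Managed Microsoft AD: --edition Standard or Enterprise; AWS runs the DC pair.
# Args: NAME SHORT_NAME ADMIN_PASSWORD EDITION VPC_ID SUBNET_A SUBNET_B
create_managed_ad() {
  run aws ds create-microsoft-ad --name "$1" --short-name "$2" --password "$3" \
    --edition "$4" --vpc-settings "VpcId=$5,SubnetIds=$6,$7"
}

# Forest trust between Managed AD and an on-premises forest (Managed AD only;
# Simple AD cannot do this). DIRECTION is "One-Way: Outgoing", "One-Way: Incoming"
# or "Two-Way"; the forwarder IPs are the on-premises DNS servers.
# Args: DIRECTORY_ID REMOTE_DOMAIN TRUST_PASSWORD DIRECTION FORWARDER_IP...
create_forest_trust() {
  local dir=$1 remote=$2 pw=$3 direction=$4
  shift 4
  run aws ds create-trust --directory-id "$dir" --remote-domain-name "$remote" \
    --trust-password "$pw" --trust-direction "$direction" --trust-type Forest \
    --conditional-forwarder-ip-addrs "$@"
}

# MFA through an existing RADIUS server (Managed AD and AD Connector; Simple AD
# has no MFA support). Args: DIRECTORY_ID RADIUS_IP SHARED_SECRET
enable_radius_mfa() {
  run aws ds enable-radius --directory-id "$1" --radius-settings \
    "RadiusServers=$2,RadiusPort=1812,RadiusTimeout=5,RadiusRetries=3,SharedSecret=$3,AuthenticationProtocol=PAP,DisplayLabel=MFA,UseSameUsername=true"
}

# Manual snapshot before a risky change (Simple AD and Managed AD only; AD
# Connector holds no data to snapshot). Args: DIRECTORY_ID SNAPSHOT_NAME
snapshot_directory() {
  run aws ds create-snapshot --directory-id "$1" --name "$2"
}

# Demo wiring with placeholder values; DRY_RUN=0 ./ds-provision.sh to apply.
demo() {
  create_simple_ad dev.example.internal DEV 'Adm1n-Placeholder' Small vpc-0a1b2c3d subnet-0aaa subnet-0bbb
  create_ad_connector corp.example.com CORP 'Svc-Placeholder' Small vpc-0a1b2c3d subnet-0aaa subnet-0bbb 10.1.0.10 10.1.0.11 adconnector-svc
  create_managed_ad aws.example.com AWS 'Adm1n-Placeholder' Enterprise vpc-0a1b2c3d subnet-0aaa subnet-0bbb
  create_forest_trust d-0123456789 corp.example.com 'Trust-Placeholder' 'Two-Way' 10.1.0.10 10.1.0.11
  enable_radius_mfa d-0123456789 10.0.5.20 'Radius-Placeholder'
  snapshot_directory d-0123456789 pre-trust-change
}
demo
```

The create-trust and enable-radius calls only make sense against a Managed AD or AD Connector directory ID; running them against a Simple AD directory fails, which matches the feature matrix above.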
Microsoft AD Connectivity Options
If the virtual private gateway (VGW) that connects to the on-premises AD is unstable or has connectivity problems, there are two options for keeping authentication working inside AWS:
Simple AD
Lower cost, low-scale, basic AD-compatible or LDAP-compatible directory.
A standalone directory running in AWS (Samba-based, not a copy of the on-premises Microsoft AD).
There is no single point of authentication or authorization: the AWS directory and the on-premises directory are separate copies with no synchronization, so accounts and groups must be maintained in each one.
Trust relationships between Simple AD domains and Active Directory domains cannot be established, so on-premises users cannot be granted access to the Simple AD domain.
Read-Only Domain Controllers (RODCs)
An RODC is a Windows Server domain controller role you deploy and manage yourself, for example on an EC2 instance joined to the on-premises domain; it is not a managed AWS Directory Service offering.
It holds a read-only copy of the Active Directory Domain Services (AD DS) database and responds to authentication requests. Its Password Replication Policy limits which credentials it may cache, so users it is allowed to cache can still authenticate while the VPN is down; everything else, including password changes, is referred to a writable domain controller on-premises.
RODCs are typically deployed where physical security cannot be guaranteed, because compromising one exposes only the cached credentials rather than the whole domain.