Services or capabilities described in this page might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China Regions. Only “Region Availability” and “Feature Availability and Implementation Differences” sections for specific services (in each case exclusive of content referenced via hyperlink) in Getting Started with Amazon Web Services in China Regions form part of the Documentation under the agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China (Beijing) Region or Amazon Web Services China (Ningxia) Region (the “Agreement”). Any other content contained in the Getting Started pages does not form any part of the Agreement.

Amazon Directory Service Documentation

Amazon Directory Service for Microsoft Active Directory, also known as Amazon Managed Microsoft Active Directory (AD), enables your directory-aware workloads and Amazon Web Services resources to use managed AD in the Amazon Web Services Cloud. Amazon Managed Microsoft AD is built on actual Microsoft AD and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use the standard AD administration tools and take advantage of the built-in AD features. With Amazon Managed Microsoft AD, you can join Amazon Elastic Compute Cloud (EC2) and Amazon Relational Database Service (RDS) for SQL Server instances to your domain, and use Amazon End User Computing services with AD users and groups.

Actual Microsoft Active Directory

Amazon Managed Microsoft AD is actual Microsoft AD running on Amazon Web Services-managed infrastructure. This enables you to administer your users and devices in Amazon Managed Microsoft AD by using the tools you already know, such as Active Directory Administrative Center and Active Directory Users and Computers.

High availability

Amazon Managed Microsoft AD is deployed in high availability and across multiple Availability Zones. You can also scale out your Amazon Managed Microsoft AD directory by deploying additional domain controllers to increase the resiliency of your managed directory for even higher availability. 

Amazon Web Services-managed infrastructure

Amazon Managed Microsoft AD runs on Amazon Web Services-managed infrastructure with monitoring designed to detect and replace domain controllers that fail. In addition, data replication and automated snapshots are configured for you. You do not need to install software, and we handle patching and software updates.

Multi-region replication

Multi-region replication enables you to deploy and use a single Amazon Managed Microsoft AD directory across multiple Amazon Web Services China Regions. This allows you to easily and efficiently deploy and manage your Microsoft Windows and Linux workloads. With the automated multi-region replication capability, your applications use a local directory for optimal performance.

Trust support

You can integrate Amazon Managed Microsoft AD with your existing AD by using AD trust relationships. Using trusts enables you to use your existing Active Directory to control which AD users can access your Amazon Web Services resources.

Group-based policies

Amazon Managed Microsoft AD allows you to manage users and devices using native Active Directory Group Policy objects (GPOs). You can create GPOs with existing tools, such as the Group Policy Management Console (GPMC).

Single sign-on (SSO)

Amazon Managed Microsoft AD is designed to use the same Kerberos-based authentication as your existing on-premises AD. Integrating your Amazon Web Services resources with Amazon Managed Microsoft AD will enable your AD users to sign in with SSO to Amazon Web Services applications and resources using a single set of credentials.

Seamless domain join

Amazon Managed Microsoft AD enables you to use seamless domain join for new and existing Amazon EC2 for Windows Server and Amazon EC2 for Linux instances. 

Single directory for all directory-aware workloads

Amazon Managed Microsoft AD enables you to use a single directory for your directory-aware workloads in Amazon Web Services resources such as Amazon EC2 instances, Amazon RDS for SQL Server instances, and Amazon End User Computing services, such as Amazon WorkSpaces. Sharing a directory allows your directory-aware workloads to manage Amazon EC2 instances across multiple Amazon Web Services accounts and Amazon VPCs within a China Region. 

Federated access to the Amazon Web Services Management Console

You can grant your on-premises AD users access to sign in to the Amazon Web Services Management Console and Amazon CLI with their existing AD credentials with Amazon IAM Identity Center (successor to Amazon Single Sign-On) by selecting Amazon Managed Microsoft AD as the identity source. This enables your users to assume one of their assigned roles at sign-in, and to access and take action on the resources according to the permissions defined for the role. An alternative option is using Amazon Managed Microsoft AD to enable your users to assume an Amazon Identity and Access Management (IAM) role.

Snapshots

Amazon Managed Microsoft AD provides built-in automated snapshots. You can also take additional snapshots before critical application updates to make sure you have the most recent data in case you need to roll back a change.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.