Revisit Amazon Web Services re:Invent 2024’s biggest moments and watch keynotes and innovation talks on demand
General
Q: What is Amazon Directory Service?
Amazon Directory Service is a managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources. As a managed offering, Amazon Directory Service is designed to reduce management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly-available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install and we handle all of the patching and software updates.
Q: How do I create a directory?
You can use the Amazon Web Services Management Console or the API to create a directory. All you need to provide is some basic information such as a fully qualified domain name (FQDN) for your directory, Administrator account name and password, and the VPC you want the directory to be attached to.
Q: Can I join an existing Amazon EC2 instance to an Amazon Directory Service directory?
Yes, you can use the Amazon Web Services Management Console or the API to add existing EC2 instances running Linux or Windows to an Amazon Web Services Managed Microsoft AD directory.
Q: Are APIs supported for Amazon Directory Service?
Public APIs are supported for creating and managing directories. You can now programmatically manage directories using public APIs.
Q: Does Amazon Directory Service support CloudTrail logging?
Yes. Actions performed via the Amazon Directory Service APIs or management console will be included in your CloudTrail audit logs.
Q: Can I receive notifications when the status of my directory changes?
Yes. You can configure Amazon Simple Notification Service (SNS) to receive email and text messages when the status of your Amazon Directory Service changes. Amazon SNS uses topics to collect and distribute messages to subscribers. When Amazon Directory Service detects a change in your directory’s status, it will publish a message to the associated topic, which is then sent to topic subscribers. Visit the documentation to learn more.
Q: How much does Amazon Directory Service cost?
See the pricing page for more information.
Q: Can I tag my directory?
Yes. Amazon Directory Service supports cost allocation tagging. Tags make it easier for you to allocate costs and optimize spending by categorizing and grouping Amazon Web Services resources. For example, you can use tags to group resources by administrator, application name, cost center, or a specific project.
Amazon Web Services Managed Microsoft AD
Q: How do I create an Amazon Web Services Managed Microsoft AD directory?
You can launch the Amazon Directory Service console from the Amazon Web Services Management Console to create an Amazon Web Services Managed Microsoft AD directory. Alternatively, you can use the Amazon SDK or Amazon CLI.
Q: How are Amazon Web Services Managed Microsoft AD directories deployed?
Amazon Web Services Managed Microsoft AD directories are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.
Q: Can I configure the storage, CPU, or memory parameters of my Amazon Web Services Managed Microsoft AD directory?
No. This functionality is not supported at this time.
Q: How do I manage users and groups for Amazon Web Services Managed Microsoft AD?
You can use your existing Active Directory tools—running on Windows computers that are joined to the Amazon Web Services Managed Microsoft AD domain—to manage users and groups in Amazon Web Services Managed Microsoft AD directories. No special tools, policies, or behavior changes are required.
Q: How are my administrative permissions different between Amazon Web Services Managed Microsoft AD and running Active Directory in my own Amazon EC2 Windows instances?
In order to deliver a managed-service experience, Amazon Web Services Managed Microsoft AD must disallow operations by customers that would interfere with managing the service. Therefore, we do not provide Windows PowerShell access to directory instances, and it restricts access to directory objects, roles, and groups that require elevated privileges. Amazon Web Services Managed Microsoft AD does not allow direct host access to domain controllers via Telnet, Secure Shell (SSH), or Windows Remote Desktop Connection. When you create an Amazon Web Services Managed Microsoft AD directory, you are assigned an organizational unit (OU) and an administrative account with delegated administrative rights for the OU.
Q: Can I use Microsoft Network Policy Server (NPS) with Amazon Web Services Managed Microsoft AD?
Yes. The administrative account created for you when Amazon Web Services Managed Microsoft AD is set up has delegated management rights over the Remote Access Service (RAS) and Internet Authentication Service (IAS) security group. This enables you to register NPS with Amazon Web Services Managed Microsoft AD and manage network access policies for accounts in your domain.
Q: Does Amazon Web Services Managed Microsoft AD support schema extensions?
Yes. Amazon Web Services Managed Microsoft AD supports schema extensions that you submit to the service in the form of a LDAP Data Interchange Format (LDIF) file. You may extend but not modify the core Active Directory schema.
Q: Which third party software is compatible with Amazon Web Services Managed Microsoft AD?
Amazon Web Services Managed Microsoft AD is based on actual Active Directory and provides the broadest range of native AD tools and third party apps support such as:Active Directory-Based Activation (ADBA)Active Directory Certificate Services (AD CS): Enterprise Certificate AuthorityActive Directory Federation Services (AD FS)Active Directory Users and Computers (ADUC)Application Server (.NET)Azure Active Directory (Azure AD)Azure Active Directory (AD) ConnectDistributed File System Replication (DFSR)Distributed File System Namespaces (DFSN)Microsoft Remote Desktop Services Licensing ServerMicrosoft SharePoint ServerMicrosoft SQL Server (including SQL Server Always On Availability Groups)Microsoft System Center Configuration Manager (SCCM)Microsoft Windows and Windows Server OSOffice 365
Q: Which third party software is NOT compatible with Amazon Web Services Managed Microsoft AD?
Active Directory Certificate Services (AD CS): Certificate Enrollment Web ServiceActive Directory Certificate Services (AD CS): Certificate Enrollment Policy Web ServiceMicrosoft Exchange ServerMicrosoft Skype for Business Server
Q: Can I migrate my existing, on-premises Microsoft Active Directory to Amazon Web Services Managed Microsoft AD?
We do not provide any migration tools to migrate a self-managed Active Directory to Amazon Web Services Managed Microsoft AD. You must establish a strategy for performing migration including password resets, and implement the plans using Remote Server Administration Tools.
Q: Can I configure conditional forwarders and trusts in the Directory Service console?
Yes. You can configure conditional forwarders and trusts for Amazon Web Services Managed Microsoft AD using the Directory Service console.
Q: Can I add additional domain controllers manually to my Amazon Web Services Managed Microsoft AD?
Yes. You can add additional domain controllers to your managed domain using the Amazon Directory Service console or API. Note that promoting Amazon EC2 instances to domain controllers manually is not supported.
Q: Can I use Microsoft Office 365 with user accounts managed in Amazon Web Services Managed Microsoft AD?
Yes. You can synchronize identities from Amazon Web Services Managed Microsoft AD to Azure AD using Azure AD Connect and use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with Amazon Web Services Managed Microsoft AD to authenticate Office 365 users.
Q: Can I use Security Assertion Markup Language (SAML) 2.0–based authentication with cloud applications using Amazon Web Services Managed Microsoft AD?
Yes. You can use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with your Amazon Web Services Managed Microsoft AD managed domain to authenticate users to cloud applications that support SAML.
Q: Can I encrypt communication between my applications and Amazon Web Services Managed Microsoft AD using LDAPS?
Yes. Amazon Web Services Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, in both client and server roles. When acting as a server, Amazon Web Services Managed Microsoft AD supports LDAPS over ports 636 (SSL) and 389 (TLS). You enable server-side LDAPS communication by installing a certificate on your Amazon Web Services Managed Microsoft AD domain controllers from an Amazon Web Services-based Active Directory Certificate Services certificate authority (CA). To learn more, see Enable Secure LDAP (LDAPS).
Q: Can I encrypt LDAP communications between Amazon Web Services applications and my self-managed AD using Amazon Web Services Managed Microsoft AD?
Yes. Amazon Web Services Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, in both client and server roles. When acting as a client, Amazon Web Services Managed Microsoft AD supports LDAPS over ports 636 (SSL). You enable client-side LDAPS communication by registering certification authority (CA) certificates from your server certificate issuer into Amazon Web Services. To learn more, see Enable Secure LDAP (LDAPS).
Q: How many users, groups, computers, and total objects does Amazon Web Services Managed Microsoft AD support?
Amazon Web Services Managed Microsoft AD (Standard Edition) includes 1 GB of directory object storage. This capacity can support up to 5,000 users or 30,000 directory objects, including users, groups, and computers. Amazon Web Services Managed Microsoft AD (Enterprise Edition) includes 17 GB of directory object storage, which can support up to 100,000 users or 500,000 objects.
Q: Can I use Amazon Web Services Managed Microsoft AD as a resource forest?
Yes. You can use Amazon Web Services Managed Microsoft AD as a resource forest that contains primarily computers and groups with trust relationships to your on-premises directory. This enables your users to access Amazon Web Services applications and resources with their on-premises AD credentials.
Seamless domain join
Q: What is seamless domain join?
Seamless domain join is a feature that allows you to join your Amazon EC2 for Windows Server and Amazon EC2 for Linux instances seamlessly to a domain, at the time of launch and from the Amazon Web Services Management Console. You can join instances to Amazon Web Services Managed Microsoft AD that you launch in the Amazon Web Services Cloud.
Q: How do I join an instance seamlessly to a domain?
When you create and launch an EC2 for Windows or an EC2 for Linux instance from the Amazon Web Services Management Console, you have the option to select which domain your instance will join. To learn more, see the documentation.
Q: Can I join existing EC2 for Windows Server instances seamlessly to a domain?
You cannot use the seamless domain join feature from the Amazon Web Services Management Console for existing EC2 for Windows Server and EC2 for Linux instances, but you can join existing instances to a domain using the EC2 API or by using PowerShell on the instance. To learn more, see the documentation. Which distributions and versions of Linux does the seamless domain join feature support?
The seamless domain join feature is currently available for Linux, Linux 2, CentOS 7 or newer, RHEL 7.5 or newer, and Ubuntu 14 to 18.