A machine that runs Active Directory services

AWS Directory Service lets you run Microsoft Active Directory (AD) as a managed service. AWS Directory Service for Microsoft Active Directory, also referred to as AWS Managed Microsoft AD, is powered by Windows Server 2012 R2. When you select and launch this directory type, it is created as a highly available pair of domain controllers connected to your virtual private cloud (VPC). The domain controllers run in different Availability Zones in a Region of your choice. Host monitoring and recovery, data replication, snapshots, and software updates are automatically configured and managed for you.

With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure a trust relationship between AWS Managed Microsoft AD in the AWS Cloud and your existing on-premises Microsoft Active Directory, providing users and groups with access to resources in either domain, using AWS IAM Identity Center (successor to AWS Single Sign-On).

AWS Directory Service makes it easy to set up and run directories in the AWS Cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it for a variety of tasks:

  • Manage users and groups

  • Provide single sign-on to applications and services

  • Create and apply group policy

  • Simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads

  • Enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure, adding a layer of security when users access AWS applications

  • Securely connect to Amazon EC2 Linux and Windows instances

AWS manages the licensing of your Windows Server instances for you; all you need to do is pay for the instances you use. There is also no need to buy additional Windows Server CALs, as access is included in the price. Each instance comes with two remote connections for admin purposes only. If you require more than two connections, or need those connections for purposes other than admin, you may have to bring in additional Remote Desktop Services CALs for use on AWS.

Read the topics in this section to get started creating an AWS Managed Microsoft AD directory, creating a trust relationship between AWS Managed Microsoft AD and your on-premises directories, and extending your AWS Managed Microsoft AD schema.

What is Active Directory?

Active Directory (AD) is a proprietary directory service developed by Microsoft® to manage the authentication and authorization of users and machines on a Windows domain network. Active Directory was first released in 2000 and runs on Windows Server.

Since 2000, it has become the umbrella brand for a broad assortment of directory-based identity services from Microsoft. The main component of Active Directory is Active Directory Domain Services (AD DS), which verifies access when a user logs in to a system or tries to connect to one over the network, as well as assigns and enforces security policies. A server running Active Directory Domain Services is a Domain Controller. Other Active Directory services include Lightweight Directory Services (AD LDS), Federation Services (AD FS), Rights Management Services (AD RMS), and Certificate Services (AD CS).

In December 2016, Microsoft released Azure AD Connect to join an on-premises Active Directory system with Azure Active Directory (Azure AD) to enable single sign-on (SSO) for Microsoft’s cloud services, such as Microsoft Office 365.

Data is stored in Active Directory as objects and organized by name and attributes. A group of objects that share the same Active Directory database is called a domain. One or more domains with a common schema and configuration constitute what is known as a tree. The top tier of Active Directory’s logical structure is a forest, which is made up of a group of trees. A forest constitutes Active Directory’s security boundary.

For attackers, Active Directory is the keeper of the crown jewels. When threat actors compromise a network, they typically try to elevate their privileges so they can move to more critical systems, access sensitive data, and gain a broader foothold in the environment to maintain persistence. As a result, attacking Active Directory and obtaining administrator-level access is one of the attackers’ chief goals. This is typically done by using tools such as BloodHound, which is an open-source application used for analyzing the security of Active Directory domains and revealing the potential for escalating access entitlements. Once the cyber-attackers have uncovered hidden or complex attack paths that can potentially compromise the security of the network, they then use tools such as Mimikatz to steal the necessary credentials.

The targeting of Active Directory by attackers makes Privileged Access Management (PAM) a vital part of enterprise security. PAM tools fall into three categories: privileged account and session management (PASM), privilege elevation and delegation management (PEDM), and secrets management software. Ideally, these capabilities should be fully integrated into an underlying platform to avoid the silos that come from point solutions. With Privileged Access Management, organizations can use session monitoring, granular access controls, and password vaulting to provide an extra layer of protection for privileged accounts. These protections should be part of a layered approach to security that also involves continuous monitoring of Active Directory for suspicious activity.

Other directory services on the market that provide similar functionality to Active Directory, and attract the same attention of cyber adversaries, include IBM Red Hat Directory Server, Apache Directory, and OpenLDAP.

What services does Active Directory use?

The main service is Active Directory Domain Services (AD DS), but Active Directory also includes Lightweight Directory Services (AD LDS), the Lightweight Directory Access Protocol (LDAP), Certificate Services (AD CS), Federation Services (AD FS) and Rights Management Services (AD RMS).

What is the Active Directory system?

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

How do I run Active Directory domain services?

In a Command Prompt window, type Start PowerShell and press Enter to open a new Windows PowerShell console window. Then type Add-WindowsFeature AD-Domain-Services and press Enter to install Active Directory Domain Services.
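The same procedure carried one step further, as an added PowerShell example that is not from this page or from Microsoft's documentation: it checks whether the role is already present before installing it, and then promotes the server to the first domain controller of a new forest, which installing the role alone does not do. The domain name and NetBIOS name are placeholders; run it in an elevated session on Windows Server.

```powershell
# Added example: install the AD DS role and promote the server to a domain controller.
# Assumptions: placeholder domain names; elevated PowerShell on Windows Server.
$DomainName  = 'corp.example'   # placeholder forest root domain
$NetbiosName = 'CORP'           # placeholder NetBIOS name

# 1. Check for the role first; Add-WindowsFeature is an alias of Install-WindowsFeature.
$role = Get-WindowsFeature -Name AD-Domain-Services
if (-not $role.Installed) {
    # -IncludeManagementTools also installs the ActiveDirectory module and RSAT tools.
    $result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    if (-not $result.Success) {
        throw "AD DS role installation failed with exit code $($result.ExitCode)"
    }
}

# 2. The role alone does not make this server a domain controller. Promote it into a
#    new forest. The DSRM password is read interactively so it is never stored in the script.
Import-Module ADDSDeployment
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Preflight: report any prerequisite failures before changing the server.
$check = Test-ADDSForestInstallation -DomainName $DomainName `
    -SafeModeAdministratorPassword $dsrmPassword
$check | Format-List

# Promotion; the server reboots when this completes.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force:$true

# After the reboot, Get-ADDomainController (from the ActiveDirectory module)
# should list this server as the forest's first domain controller.
```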