Overview
- Running Active Directory on AWS: the options are compared below
Directory Service for Microsoft Active Directory
- Real AD domain controller
  - Windows Server 2012
- Editions
  - Enterprise: 100K+ users
  - Standard: <= 5000 users
- AWS responsibilities (managed)
  - Multi-AZ deployment, patching, restore, snapshots
  - Restricted administrative access (just like RDS)
- Customer responsibilities (configuration)
  - Password policy
  - Trusts (forest trusts)
    - A -(trusts)-> B means B -(access)-> A: if A trusts B, principals in B can access resources in A
  - Federation
  - Certification Authority (for LDAPS)
  - Administration: users, groups, policies
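The trust rule above ("A trusts B" means principals in B get access to A) is easy to get backwards. The following Python is an added example, not part of the original notes, that models that rule and, going beyond the notes, the two other cases an engineer meets in practice: domains in one forest trust each other transitively, and an external domain-to-domain trust is non-transitive. Domain names, forest names and the trusts themselves are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    name: str
    forest: str  # domains in one forest trust each other (two-way, transitive)


@dataclass(frozen=True)
class Trust:
    trusting: str          # domain holding the resources ("A" in A -(trusts)-> B)
    trusted: str           # domain whose principals gain access ("B")
    kind: str = "forest"   # "forest": covers every domain of both forests
                           # "external": only the two named domains, non-transitive
    two_way: bool = False


def can_access(domains, trusts, principal_domain, resource_domain):
    """True if a principal from principal_domain can authenticate to
    resource_domain, i.e. resource_domain trusts principal_domain directly,
    through a forest trust or because both sit in the same forest.
    Authorization (ACLs on the resource) is a separate, later step."""
    p = domains[principal_domain]
    r = domains[resource_domain]
    if p.forest == r.forest:
        return True
    for t in trusts:
        # Access flows opposite to the trust arrow: trusted -> trusting.
        directions = [(t.trusted, t.trusting)]
        if t.two_way:
            directions.append((t.trusting, t.trusted))
        for trusted, trusting in directions:
            if t.kind == "forest":
                # Forest trust: all domains of the trusted forest reach all
                # domains of the trusting forest, but never a third forest.
                if (domains[trusted].forest == p.forest
                        and domains[trusting].forest == r.forest):
                    return True
            elif trusted == principal_domain and trusting == resource_domain:
                # External trust: exactly these two domains, no chaining.
                return True
    return False


# Constructed sample: the managed AD in AWS trusts the on-premise forest one
# way, and the on-premise root domain has an external trust to a partner.
DOMAINS = {d.name: d for d in [
    Domain("aws.example.com", "aws"),
    Domain("corp.example.com", "corp"),
    Domain("sub.corp.example.com", "corp"),
    Domain("partner.example.org", "partner"),
]}
TRUSTS = [
    Trust(trusting="aws.example.com", trusted="corp.example.com", kind="forest"),
    Trust(trusting="corp.example.com", trusted="partner.example.org", kind="external"),
]

if __name__ == "__main__":
    for src, dst in [("corp.example.com", "aws.example.com"),
                     ("aws.example.com", "corp.example.com"),
                     ("partner.example.org", "aws.example.com")]:
        print(f"{src} -> {dst}: {can_access(DOMAINS, TRUSTS, src, dst)}")
```

Run as a script it prints one line per pair; the on-premise users reach the AWS directory, the AWS-side users do not reach on-premise, and the partner's users stop at corp because the external trust does not chain into the forest trust.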
Simple AD
- Managed Samba 4 AD-compatible server
- Not a real Microsoft AD
- Completely independent from the on-premise directory
- Use it for a brand new directory (users, group policies, domain joins)
- HA, backups, recovery
- Access to WorkSpaces, WorkDocs, WorkMail
- Size
  - Small: <= 500 users
  - Large: <= 5000 users
- Setup
  - Administrator account
  - Access URL
  - Joining the domain
    - Linux: use the sssd service
    - Windows: seamless join (parameter in the launch configuration)
      - Performed by the EC2 agent on the instance
      - IAM role on the instance to make calls to Directory Service and SSM
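For the Linux join the notes only say "use the sssd service". As an added example that is not from the notes, the Python below holds a constructed sssd.conf for an AD-joined host next to a hardened version and audits the two settings that decide who may log in: `access_provider` (sssd's default is `permit`, which lets every domain user log in) and `ad_gpo_access_control` (GPO-based logon restrictions, which sssd only evaluates when `access_provider = ad`). The domain and realm names are constructed.

```python
import configparser

# Constructed example of an sssd.conf that joins the host but never restricts
# who can log in: access_provider is absent (sssd default "permit") and GPO
# evaluation is switched off.
WEAK_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
cache_credentials = True
ad_gpo_access_control = disabled
"""

# Same host, hardened: AD decides access (disabled or expired accounts are
# rejected) and the logon-right GPO settings are enforced.
HARDENED_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[domain/corp.example.com]
id_provider = ad
access_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
cache_credentials = True
ad_gpo_access_control = enforcing
"""


def audit_sssd(conf_text):
    """Return a list of findings for every AD-backed [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider", "").strip().lower() != "ad":
            continue
        # sssd default when the option is missing is "permit".
        access = dom.get("access_provider", "permit").strip().lower()
        if access == "permit":
            findings.append(f"{section}: access_provider is '{access}', every AD user "
                            "can log in; set access_provider = ad")
        # sssd default is "enforcing"; anything else weakens the logon check.
        gpo = dom.get("ad_gpo_access_control", "enforcing").strip().lower()
        if gpo != "enforcing":
            findings.append(f"{section}: ad_gpo_access_control is '{gpo}', GPO logon "
                            "restrictions are not enforced")
    return findings


if __name__ == "__main__":
    for name, conf in [("weak", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)]:
        print(name, audit_sssd(conf) or ["no findings"])
```

Point `audit_sssd` at the text of `/etc/sssd/sssd.conf` on a joined host to get the same two checks; the weak sample yields two findings, the hardened one none.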
AD Connector
- Custom federation proxy (just a federation mechanism)
- Pure proxy: no directory information is stored in AWS
- Connects AWS services to the on-premise AD
- Requires a hardware VPN connection or Direct Connect
- Proxies Kerberos/LDAP requests back to the on-premise AD
- Access to WorkSpaces, WorkDocs, WorkMail
- Setup
  - Connector account: a low-privileged account
    - Must be created in the on-premise AD
    - Stored by AWS to make LDAP calls
  - The on-premise firewall must allow traffic from the connector for
    - DNS
    - LDAP
    - Kerberos
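The firewall items above are what AD Connector needs reachable on the on-premise side. As an added example that is not part of the notes, the Python below checks a constructed list of inbound firewall rules against the three protocols the notes name, using their standard ports (53 for DNS, 88 for Kerberos, 389 for LDAP, each over TCP and UDP; the port numbers are an assumption, the notes list only the protocols), for every subnet the connector lives in. It also flags rules opened to 0.0.0.0/0, because the connector's subnets are a small, known source set and nothing wider is needed. Subnets and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str         # "tcp" or "udp"
    port: int
    source_cidr: str   # source allowed to reach the on-premise DCs


# Protocols the connector proxies, on their IANA-assigned ports (assumption:
# the notes name only the protocols).
REQUIRED = {
    "DNS": [("tcp", 53), ("udp", 53)],
    "Kerberos": [("tcp", 88), ("udp", 88)],
    "LDAP": [("tcp", 389), ("udp", 389)],
}


def rule_covers(rule, proto, port, cidr):
    """True if the rule admits proto/port traffic from every address in cidr."""
    return (rule.proto == proto and rule.port == port
            and ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(rule.source_cidr)))


def audit_firewall(rules, connector_cidrs, required=REQUIRED):
    """Return (missing, overly_broad).

    missing maps a service name to the (proto, port, cidr) tuples that no
    rule admits; overly_broad lists rules whose source is the whole address
    space, which is wider than the connector's subnets require."""
    missing = {}
    for service, pairs in required.items():
        gaps = [(proto, port, cidr)
                for proto, port in pairs
                for cidr in connector_cidrs
                if not any(rule_covers(r, proto, port, cidr) for r in rules)]
        if gaps:
            missing[service] = gaps
    overly_broad = [r for r in rules
                    if ipaddress.ip_network(r.source_cidr).prefixlen == 0]
    return missing, overly_broad


# Constructed sample: the connector sits in two VPC subnets; LDAP was opened
# for only one of them over TCP and to the whole world over UDP.
CONNECTOR_CIDRS = ["10.0.1.0/24", "10.0.2.0/24"]
SAMPLE_RULES = [
    Rule("tcp", 53, "10.0.0.0/16"),
    Rule("udp", 53, "10.0.0.0/16"),
    Rule("tcp", 88, "10.0.0.0/16"),
    Rule("udp", 88, "10.0.0.0/16"),
    Rule("tcp", 389, "10.0.1.0/24"),   # second subnet forgotten
    Rule("udp", 389, "0.0.0.0/0"),     # opened to the world instead
]

if __name__ == "__main__":
    missing, broad = audit_firewall(SAMPLE_RULES, CONNECTOR_CIDRS)
    for service, gaps in missing.items():
        print(f"missing for {service}: {gaps}")
    for r in broad:
        print(f"overly broad rule: {r}")
```

The sample reports one LDAP gap (TCP 389 from the second subnet) and one overly broad rule (UDP 389 from anywhere); adding a TCP 389 rule for 10.0.2.0/24 clears the gap, and narrowing the UDP rule to the connector subnets clears the other finding.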
Bring Your Own Directory Service
- Alternative to the managed services above
- Domain controller created in the VPC (on EC2)
- Replicates with the on-premise DC