AWS Directory Service FAQs

General

AWS Directory Service is a managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources. As a managed offering, AWS Directory Service is designed to reduce management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly-available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install and AWS handles all of the patching and software updates.

AWS Directory Service makes it easy for you to setup and run directories in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it to manage users and groups, provide single sign-on to applications and services, create and apply group policy, join Amazon EC2 instances to a domain, as well as simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads. AWS Directory Service enables your end users to use their existing corporate credentials when accessing AWS applications, such as Amazon WorkSpaces, Amazon WorkDocs and Amazon WorkMail, as well as directory-aware Microsoft workloads, including custom .NET and SQL Server-based applications. Finally, you can use your existing corporate credentials to administer AWS resources via AWS Identity and Access Management (IAM) role-based access to the AWS Management Console, so you do not need to build out more identity federation infrastructure.

You can use the AWS Management Console or the API to create a directory. All you need to provide is some basic information such as a fully qualified domain name (FQDN) for your directory, Administrator account name and password, and the VPC you want the directory to be attached to.

Yes, you can use the AWS Management Console or the API to add existing EC2 instances running Linux or Windows to an AWS Managed Microsoft AD directory.

Public APIs are supported for creating and managing directories. You can now programmatically manage directories using public APIs. The APIs are available via the AWS CLI and SDK . Learn more about the APIs in the AWS Directory Service documentation .

Yes. Actions performed via the AWS Directory Service APIs or management console will be included in your CloudTrail audit logs.

Yes. You can configure Amazon Simple Notification Service (SNS) to receive email and text messages when the status of your AWS Directory Service changes. Amazon SNS uses topics to collect and distribute messages to subscribers. When AWS Directory Service detects a change in your directory’s status, it will publish a message to the associated topic, which is then sent to topic subscribers. Visit the documentation to learn more.

See the pricing page for more information.

Yes. AWS Directory Service supports cost allocation tagging. Tags make it easier for you to allocate costs and optimize spending by categorizing and grouping AWS resources. For example, you can use tags to group resources by administrator, application name, cost center, or a specific project.

Refer to Regional Products and Services for details of AWS Directory Service availability by region.

Effective 05/31/2020, client computers can use only SMB version 2.0 (SMBv2) or newer to access files stored on the SYSVOL and NETLOGON shares of the domain controllers for their AWS Managed Microsoft AD directories. However, AWS recommends customers use only SMBv2 or newer on all SMB-based file services.

AWS Managed Microsoft AD

You can launch the AWS Directory Service console from the AWS Management Console to create an AWS Managed Microsoft AD directory. Alternatively, you can use the AWS SDK or AWS CLI.

AWS Managed Microsoft AD directories are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

No. This functionality is not supported at this time.

You can use your existing Active Directory tools—running on Windows computers that are joined to the AWS Managed Microsoft AD domain—to manage users and groups in AWS Managed Microsoft AD directories. No special tools, policies, or behavior changes are required.

In order to deliver a managed-service experience, AWS Managed Microsoft AD must disallow operations by customers that would interfere with managing the service. Therefore, AWS restricts access to directory objects, roles, and groups that require elevated privileges. AWS Managed Microsoft AD does not allow direct host access to domain controllers via Windows Remote Desktop Connection, PowerShell Remoting, Telnet, or Secure Shell (SSH). When you create an AWS Managed Microsoft AD directory, you are assigned an organizational unit (OU) and an administrative account with delegated administrative rights for the OU. You can create user accounts, groups, and policies within the OU by using standard Remote Server Administration Tools such as Active Directory Users and Groups or the PowerShell ActiveDirectory module.

Yes. The administrative account created for you when AWS Managed Microsoft AD is set up has delegated management rights over the Remote Access Service (RAS) and Internet Authentication Service (IAS) security group. This enables you to register NPS with AWS Managed Microsoft AD and manage network access policies for accounts in your domain.

Yes. AWS Managed Microsoft AD supports schema extensions that you submit to the service in the form of a LDAP Data Interchange Format (LDIF) file. You may extend but not modify the core Active Directory schema.

Amazon Chime

Amazon Connect

Amazon EC2 Instances

Amazon FSx for Windows File Server

Amazon QuickSight

Amazon RDS for MySQL

Amazon RDS for Oracle

Amazon RDS for PostgreSQL

Amazon RDS for SQL Server

Amazon Single Sign On

Amazon WorkDocs

Amazon WorkMail

Amazon WorkSpaces

AWS Client VPN

AWS Management Console

Note that not all configurations of these applications may be supported.

AWS Managed Microsoft AD is based on actual Active Directory and provides the broadest range of native AD tools and third party apps support such as:

Active Directory-Based Activation (ADBA)

Active Directory Certificate Services (AD CS): Enterprise Certificate Authority

Active Directory Federation Services (AD FS)

Active Directory Users and Computers (ADUC)

Application Server (.NET)

Azure Active Directory (Azure AD)

Azure Active Directory (AD) Connect

Distributed File System Replication (DFSR)

Distributed File System Namespaces (DFSN)

Microsoft Remote Desktop Services Licensing Server

Microsoft SharePoint Server

Microsoft SQL Server (including SQL Server Always On Availability Groups)

Microsoft System Center Configuration Manager (SCCM)

Microsoft Windows and Windows Server OS

Office 365

Active Directory Certificate Services (AD CS): Certificate Enrollment Web Service

Active Directory Certificate Services (AD CS): Certificate Enrollment Policy Web Service

Microsoft Exchange Server

Microsoft Skype for Business Server

AWS does not provide any migration tools to migrate a self-managed Active Directory to AWS Managed Microsoft AD. You must establish a strategy for performing migration including password resets, and implement the plans using Remote Server Administration Tools.

Yes. You can configure conditional forwarders and trusts for AWS Managed Microsoft AD using the Directory Service console as well as the API

Yes. You can add additional domain controllers to your managed domain using the AWS Directory Service console or API . Note that promoting Amazon EC2 instances to domain controllers manually is not supported. 

Yes. You can synchronize identities from AWS Managed Microsoft AD to Azure AD using Azure AD Connect and use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with AWS Managed Microsoft AD to authenticate Office 365 users. For step-by-step instructions, see How to Enable Your Users to Access Office 365 with AWS Microsoft Active Directory Credentials.  

Yes. You can use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with your AWS Managed Microsoft AD managed domain to authenticate users to cloud applications that support SAML. 

Yes. AWS Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, in both client and server roles. When acting as a server, AWS Managed Microsoft AD supports LDAPS over ports 636 (SSL) and 389 (TLS). You enable server-side LDAPS communication by installing a certificate on your AWS Managed Microsoft AD domain controllers from an AWS-based Active Directory Certificate Services certificate authority (CA). To learn more, see Enable Secure LDAP (LDAPS)

Yes. AWS Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, in both client and server roles. When acting as a client, AWS Managed Microsoft AD supports LDAPS over ports 636 (SSL). You enable client-side LDAPS communication by registering certification authority (CA) certificates from your server certificate issuer into AWS. To learn more, see Enable Secure LDAP (LDAPS)

AWS Managed Microsoft AD supports both LDAP signing and LDAP over SSL/TLS (LDAPS) when acting as LDAP clients communicating with self-managed Active Directory. Client-side LDAP signing requires no customer action to enable, and provides data integrity. Client-side LDAPS requires configuration, and provides data integrity and confidentiality. For more information, see this AWS Forums post

AWS Managed Microsoft AD (Standard Edition) includes 1 GB of directory object storage. This capacity can support up to 5,000 users or 30,000 directory objects, including users, groups, and computers. AWS Managed Microsoft AD (Enterprise Edition) includes 17 GB of directory object storage, which can support up to 100,000 users or 500,000 objects. 

Yes. You can use it as a primary directory to manage users, groups, computers, and Group Policy objects (GPOs) in the cloud. You can manage access and provide single sign-on (SSO) to AWS applications and services, and to third-party directory-aware applications running on Amazon EC2 instances in the AWS Cloud. In addition, you can use Azure AD Connect and AD FS to support SSO to cloud applications, including Office 365. 

Yes. You can use AWS Managed Microsoft AD as a resource forest that contains primarily computers and groups with trust relationships to your on-premises directory. This enables your users to access AWS applications and resources with their on-premises AD credentials. 

Multi-region replication

Multi-region replication is a feature that enables you to deploy and use a single AWS Managed Microsoft AD directory across multiple AWS Regions. This makes it easier and more cost-effective for you to deploy and manage your Microsoft Windows and Linux workloads globally. With the automated multi-region replication capability you get higher resiliency, while your applications use a local directory for optimal performance. This feature is available in AWS Managed Microsoft AD (Enterprise Edition) only. You can use the feature for new and existing directories.

First, you open the AWS Directory Service console in the region where your directory is already up and running (primary region). Select the directory you want to expand and choose Add Region. Then, select the Region into which you want to expand, provide the Amazon Virtual Private Cloud (VPC), and the subnets into which you want to deploy your directory. You can also use APIs to expand your directory. To learn more, see the documentation .

AWS Managed Microsoft AD automatically configures inter-region networking connectivity, deploys domain controllers, and replicates all your directory data, including users, groups, Group Policy Objects (GPOs), and schema, across your selected regions. In addition, AWS Managed Microsoft AD configures a new AD site per region which improves user authentication and domain controller replication performance within the region while lowering costs by minimizing data transfers between regions. Your directory identifier (directory_id) remains the same in the new region and is deployed in the same AWS account as your primary Region.

Yes, with multi-region replication you have the flexibility to share your directory with other AWS accounts per Region. Directory sharing configurations are not automatically replicated from the primary region. To learn how to share your directory with other AWS accounts, see the documentation .

Yes, with multi-region replication you have the flexibility to define the number of domain controllers per region. To learn how to add a domain controller, see the documentation .

With multi-region replication, you monitor your directory status per Region independently. You must enable Amazon Simple Notification Service (SNS) in each region where you deployed your directory, using the AWS Directory Service console or API. To learn more, see the documentation .

With multi-region replication, you monitor your directory security logs per Region independently. You must enable Amazon CloudWatch Logs forwarding in each region where you deployed your directory, using the AWS Directory Service console or API. To learn more, see the documentation .

Yes, you can rename your directory’s AD site name per region using standard AD tools. To learn more, see the documentation .

Yes. If you do not have any AWS applications registered to your directory and you have not shared the directory with any AWS account in the Region, AWS Managed Microsoft AD allows you to remove an AWS Region from your directory. You cannot remove the primary Region, unless you delete the directory.

Multi-region replication is compatible with Amazon EC2, Amazon RDS (SQL Server, Oracle, MySQL, PostgreSQL, and MariaDB), Amazon Aurora (MySQL and PostgreSQL), and Amazon FSx for Windows File Server natively. You can also integrate other AWS Applications such as Amazon WorkSpaces, AWS Single Sign-On, AWS Client VPN, Amazon QuickSight, Amazon Connect, Amazon WorkDocs, Amazon WorkMail, and Amazon Chime with your directory in new Regions by configuring AD Connector against your AWS Managed Microsoft AD directory per Region.

Seamless domain join

Seamless domain join is a feature that allows you to join your Amazon EC2 for Windows Server and Amazon EC2 for Linux instances seamlessly to a domain, at the time of launch and from the AWS Management Console. You can join instances to AWS Managed Microsoft AD that you launch in the AWS Cloud.

When you create and launch an EC2 for Windows or an EC2 for Linux instance from the AWS Management Console, you have the option to select which domain your instance will join. To learn more, see the documentation .

You cannot use the seamless domain join feature from the AWS Management Console for existing EC2 for Windows Server and EC2 for Linux instances, but you can join existing instances to a domain using the EC2 API or by using PowerShell on the instance. To learn more, see the documentation .

The seamless domain join feature is currently available for Amazon Linux, Amazon Linux 2, CentOS 7 or newer, RHEL 7.5 or newer, and Ubuntu 14 to 18.

IAM integration

AWS Directory Service allows you to assign IAM roles to AWS Manage Microsoft AD or Simple AD users and groups in the AWS cloud, as well as an existing, on-premises Microsoft Active Directory users and groups using AD Connector. These roles will control users’ access to AWS services based on IAM policies assigned to the roles. AWS Directory Service will provide a customer-specific URL for the AWS Management Console which users can use to sign in with their existing corporate credentials. See our documentation for more information on this feature. 

Compliance

Yes. AWS Managed Microsoft AD has implemented the controls necessary to enable you to meet the U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements and is included as an in-scope service in the Payment Card Industry Data Security Standard (PCI DSS) Attestation of Compliance and Responsibility Summary. 

To access a comprehensive list of documents relevant to compliance and security in the AWS Cloud, see AWS Artifact .

Security, including HIPAA and PCI DSS compliance, is a shared responsibility between AWS and you. For example, it is your responsibility to configure your AWS Managed Microsoft AD password policies to meet PCI DSS requirements when using AWS Managed Microsoft AD. To learn more about the actions you may need to take to meet HIPAA and PCI DSS compliance requirements, see the compliance documentation for AWS Managed Microsoft AD , read the Architecting for HIPAA Security and Compliance on Amazon Web Services whitepaper, and see the AWS Cloud Compliance , HIPAA Compliance , and PCI DSS Compliance.