# Directory Service

## What is AWS Directory Service?

AWS Directory Service lets you set up and run Microsoft Active Directory (AD) on AWS, or connect AWS resources to an AD you already operate. It supports:

- User and group management
- Integration with Microsoft applications that expect a real AD domain
- Seamless domain join for EC2 instances (performed by AWS Systems Manager at launch)
- Authentication for AWS applications such as WorkSpaces, QuickSight, and RDS for SQL Server
## Types of AWS Directory Service

| Type | Description |
|---|---|
| AWS Managed Microsoft AD | Fully managed, actual Microsoft AD: Windows Server domain controllers run and patched by AWS; you get a delegated OU and admin groups, not Domain Admins |
| Simple AD | Lightweight, Samba 4-based AD-compatible directory; no trusts, no schema extensions, no PowerShell AD cmdlets |
| AD Connector | Proxy that forwards authentication to your on-premises AD; nothing is stored in AWS |
| Self-managed AD on EC2 | Not a Directory Service offering: you install, patch and back up Windows Server AD DS yourself |
## When to Use Which?

- Managed Microsoft AD: full compatibility and enterprise features (trusts to on-premises AD, LDAPS, Group Policy, schema extensions).
- Simple AD: dev/test or small workloads that only need basic users, groups and domain join.
- AD Connector: you already have an on-premises AD and want AWS services to authenticate against it without copying the directory into AWS.
- Self-managed AD on EC2: full control over the domain controllers, at the cost of patching, backups and availability being your problem.
## Tutorial: Set Up AWS Managed Microsoft AD

### Prerequisites

- AWS account
- VPC with at least two subnets in different AZs (AWS places one domain controller in each, for high availability)
- Internet access / NAT is not needed by the managed directory itself (AWS patches the domain controllers); the EC2 instances you join will need outbound access for Windows Update and the SSM agent
### Step 1: Create a Directory

1. Go to AWS Directory Service in the console.
2. Click Set up directory.
3. Choose AWS Managed Microsoft AD.
4. Select Standard or Enterprise edition.
5. Fill in:
   - Directory DNS name (e.g., `corp.example.com`). Use a name you control or a subdomain reserved for this; it cannot be renamed later.
   - NetBIOS name (e.g., `CORP`)
   - Admin password. This sets the password of the built-in `Admin` account, the only credential you receive, so store it in a secrets manager rather than a wiki.
6. Choose the VPC and two subnets in different AZs.
7. Review and create.

Wait ~20 to 40 minutes for provisioning. When the directory is Active, note its two DNS addresses: instances in the VPC must resolve the domain through them, which is normally done by attaching a DHCP options set to the VPC.
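The same steps from the command line, as an added example that is not part of the original page. It uses AWS Tools for PowerShell (`AWS.Tools.DirectoryService` and `AWS.Tools.EC2`, assumed installed with credentials configured) to create the directory, wait for it to become Active, and then attach a DHCP options set so the whole VPC resolves the domain through the new domain controllers. The VPC and subnet IDs are placeholders.

```powershell
# Added example (not from the original page): create the directory with AWS
# Tools for PowerShell, then point the VPC at its DNS. Assumes
# AWS.Tools.DirectoryService and AWS.Tools.EC2 are installed and the caller
# has AWS credentials. VPC/subnet IDs below are placeholders.
Import-Module AWS.Tools.DirectoryService, AWS.Tools.EC2

$vpcId   = 'vpc-0123456789abcdef0'                                     # placeholder
$subnets = @('subnet-0aaaaaaaaaaaaaaaa', 'subnet-0bbbbbbbbbbbbbbbb')    # two different AZs

# Read the Admin password without echoing it or leaving it in shell history.
$secure  = Read-Host -AsSecureString 'Admin password'
$plainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# New-DSMicrosoftAD returns the directory ID (d-xxxxxxxxxx).
$dirId = New-DSMicrosoftAD -Name 'corp.example.com' -ShortName 'CORP' `
    -Password $plainPw -Edition Standard `
    -VpcSettings_VpcId $vpcId -VpcSettings_SubnetId $subnets
"Directory $dirId requested; provisioning takes roughly 20-40 minutes."

# Poll until the stage is Active (Requested -> Creating -> Active) or Failed.
do {
    Start-Sleep -Seconds 60
    $dir = Get-DSDirectory -DirectoryId $dirId
    "Stage: $($dir.Stage)"
} while ($dir.Stage -notin 'Active', 'Failed')
if ($dir.Stage -ne 'Active') { throw "Directory $dirId did not become Active" }

# The domain controllers' DNS addresses. Instances must resolve the domain
# through these, so hand them out VPC-wide with a DHCP options set.
$dns  = $dir.DnsIpAddrs
$opts = New-EC2DhcpOption -DhcpConfiguration @(
    @{ Key = 'domain-name';         Values = @('corp.example.com') },
    @{ Key = 'domain-name-servers'; Values = $dns }
)
Register-EC2DhcpOption -DhcpOptionsId $opts.DhcpOptionsId -VpcId $vpcId
"VPC $vpcId now resolves $($dir.Name) via $($dns -join ', ')"
```

Instances already running in the VPC pick up the new DHCP options when their lease renews; renew it by hand (or reboot) if you join an existing instance right away.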
### Step 2: Join an EC2 Instance to the Domain

1. Launch a Windows EC2 instance in the same VPC (any subnet that can reach the directory's subnets).
2. Make sure the instance resolves the domain through the directory's DNS servers (the VPC DHCP options set, or the instance's own DNS client settings). Almost every failed join is a DNS problem.
3. Ensure the instance's security group allows outbound traffic to the directory (the security group AWS creates for the domain controllers already admits these ports inbound) on at least:
   - DNS (TCP/UDP 53)
   - Kerberos and Kerberos password change (TCP/UDP 88, 464)
   - LDAP (TCP/UDP 389), plus LDAPS (TCP 636) if you enable it
   - SMB (TCP 445)
   - RPC endpoint mapper (TCP 135) and the dynamic RPC range (TCP 49152-65535), which the join itself uses
4. Log into the instance.
5. Open System Properties > Computer Name > Change, select Domain, enter the domain name, and supply the `Admin` credentials when prompted.
6. Reboot when prompted.

Alternatively, select the directory in the EC2 launch wizard (seamless domain join): Systems Manager joins the instance at launch using its instance profile, so nobody has to type the directory password on the box.
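The join, with the DNS and port checks that explain most failures, as an added example that is not part of the original page. It runs inside the Windows instance in an elevated PowerShell session; the domain name, the directory's DNS addresses and the OU path are placeholders for your directory's values.

```powershell
# Added example (not from the original page): run inside the Windows EC2
# instance in an elevated PowerShell, as a local administrator. Domain name,
# DNS addresses and OU path are placeholders for your directory's values.
$domain  = 'corp.example.com'
$netbios = 'CORP'
$dcDns   = @('10.0.1.10', '10.0.2.10')   # the directory's DNS addresses (Directory Service console)
$ouPath  = "OU=Computers,OU=$netbios,DC=corp,DC=example,DC=com"   # delegated OU Admin can write to

# 1. DNS. Normally the VPC DHCP options set does this; setting it per instance
#    is the quick fix when a join fails with "domain could not be contacted".
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $dcDns
# The DC locator SRV record must resolve; this throws if DNS is still wrong.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop | Out-Null

# 2. Ports. Checks the TCP side of what a join uses against the first DC;
#    the dynamic RPC range is exercised by the join call itself.
foreach ($port in 53, 88, 135, 389, 445, 464) {
    $ok = (Test-NetConnection -ComputerName $dcDns[0] -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5}/tcp {1}' -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 3. Join. The built-in directory admin is CORP\Admin; prompting keeps the
#    password out of the shell history. -OUPath puts the computer object in
#    the delegated OU, where the Admin account is allowed to create it.
$cred = Get-Credential -UserName "$netbios\Admin" -Message 'Directory admin credential'
Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -Restart

# After the reboot, from the same instance:
#   nltest /dsgetdc:corp.example.com       # which DC answered, and its site
#   Test-ComputerSecureChannel -Verbose    # machine account trust is healthy
```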
### Step 3: Create Users and Groups

1. Install Remote Server Administration Tools (RSAT) on your domain-joined Windows EC2 instance (on Windows Server it is the RSAT-ADDS feature; on Windows 10/11 it is an optional feature).
2. Open Active Directory Users and Computers.
3. Connect to your domain, logged in as `CORP\Admin` or a member of the AWS Delegated Administrators group.
4. Create OUs, users, and groups as needed, underneath the OU named after your NetBIOS name (e.g. `OU=CORP,DC=corp,DC=example,DC=com`). The `Admin` account is not a Domain Admin: it has full rights inside that OU and in a set of delegated groups, and writes elsewhere in the domain are denied.
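The same work scripted with the ActiveDirectory module, as an added example that is not part of the original page. It installs RSAT on the domain-joined Windows Server instance, then creates a group and a user inside the delegated OU; the OU path, user and group names are placeholders.

```powershell
# Added example (not from the original page): run on the domain-joined
# Windows Server EC2 as CORP\Admin. Everything is created beneath the OU named
# after the NetBIOS name, because Admin has no rights at the domain root.
# The OU path, user and group names are placeholders.
Install-WindowsFeature RSAT-ADDS, RSAT-AD-PowerShell | Out-Null   # ADUC plus the ActiveDirectory module
Import-Module ActiveDirectory

$baseOu  = 'OU=CORP,DC=corp,DC=example,DC=com'
$usersOu = "OU=Users,$baseOu"   # AWS pre-creates Users and Computers under the NetBIOS OU

# A security group for the people who will administer SQL Server on RDS
# (used again in the RDS section of this page).
if (-not (Get-ADGroup -Filter "Name -eq 'SqlAdmins'" -SearchBase $baseOu)) {
    New-ADGroup -Name 'SqlAdmins' -GroupScope Global -GroupCategory Security -Path $usersOu
}

# A user with a random initial password that must be changed at first logon,
# so the script never has to know a real password.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

New-ADUser -Name 'Alice Example' -SamAccountName 'alice' `
    -UserPrincipalName 'alice@corp.example.com' -Path $usersOu `
    -AccountPassword $initialPw -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity 'SqlAdmins' -Members 'alice'

# Verify what was created and where it landed.
Get-ADGroupMember -Identity 'SqlAdmins' | Select-Object SamAccountName, DistinguishedName
```

The initial password is thrown away after creation; hand it to the user out of band or reset it through a helpdesk flow. Creating the user outside the delegated OU would fail with an access-denied error rather than silently succeeding.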
## Common Integrations

### Amazon WorkSpaces

1. Create a directory in Directory Service (or register an existing one with WorkSpaces).
2. Launch WorkSpaces, select the directory, and pick the users who get a WorkSpace.
3. Users log in with their domain credentials.

### RDS for SQL Server

1. Create an RDS SQL Server instance.
2. Enable Microsoft SQL Server Windows Authentication and choose your directory; RDS joins the domain during creation using an IAM role it assumes.
3. Create SQL Server logins for AD users or groups; access is then controlled through AD group membership. The second half of this page walks through it.

### EC2 Linux with SSSD

- Use SSSD and realmd to join Linux instances to the domain (seamless domain join can do this at launch as well).
- Manage SSH logins with AD credentials, and restrict which AD groups may log in through SSSD's access control rather than admitting every domain user.
## Monitoring and Logs

- CloudWatch Logs: enable log forwarding on the directory to ship the domain controllers' Security event log (logons, account and group changes) to a CloudWatch Logs group you own
- Directory Service events: subscribe an SNS topic to the directory so status changes (for example a directory going Impaired) reach you
- AWS Config: track configuration changes to the directory and to the security groups in front of it
## Testing & Troubleshooting

### Useful commands

Run these from a domain-joined Windows instance; you cannot log into the managed domain controllers themselves.

- `nltest /dsgetdc:<domain>`: check which domain controller answers for the domain and whether it is reachable
- `ipconfig /all`: verify the instance is using the directory's DNS servers, not only the VPC resolver
- `dcdiag /s:<domain controller>`: diagnose domain controller health remotely (needs RSAT installed)
## Security Best Practices

- Use IAM policies to restrict who can create, modify, reset passwords in, or delete directories (the `ds:` actions); resetting the `Admin` password through the API is equivalent to taking over the domain
- Rotate the AD `Admin` password, keep it in a secrets manager, and use dedicated least-privileged AD accounts for day-to-day administration and service joins
- Take a directory snapshot before risky changes (Directory Service keeps daily automatic snapshots plus the manual ones you take; this is its own feature, not an AWS Backup resource type)
- Encrypt the data that depends on the directory (KMS-encrypted EBS volumes on domain-joined instances, encrypted RDS storage) and enable LDAPS on the directory so client traffic is not cleartext LDAP
## Cost

- Standard Edition: ~$0.15/hr (~$110/month)
- Enterprise Edition: ~$0.40/hr (~$290/month)
- AD Connector and Simple AD are cheaper alternatives

Prices vary by region and change over time; check the Directory Service pricing page before budgeting.
## Integrating AWS Managed Microsoft AD with Amazon RDS for SQL Server

This setup enables Windows Authentication for RDS: users from your domain log into SQL Server with their AD credentials (Kerberos), and SQL Server stores no passwords for them.
### Goal

Join Amazon RDS for SQL Server to your AWS Managed Microsoft AD so you can:

- Use Windows Authentication (via AD) for RDS logins
- Control access through AD users and groups

### Prerequisites

- AWS Managed Microsoft AD is already set up
- An RDS for SQL Server instance (not Aurora, which has no SQL Server engine)
- The RDS instance and the directory in the same VPC, and in the same AWS Region and account
- At least 2 subnets in different AZs (required by the directory, and by the RDS subnet group)
- An EC2 instance (domain-joined) for managing the database via SSMS (SQL Server Management Studio); Windows Authentication only works from a machine that is a member of the domain or a trusted one
- An IAM role that RDS can assume to join the directory (the console creates `rds-directoryservice-access-role` for you)
### Step-by-Step Setup

#### Step 1: Create or Use an AWS Managed Microsoft AD

If you haven't already:

1. Go to Directory Service
2. Choose AWS Managed Microsoft AD
3. Set it up with a domain like `corp.example.com`

Note the Directory ID (`d-` followed by ten characters): RDS refers to the directory by this ID, not by its DNS name.
#### Step 2: Launch RDS for SQL Server

1. Go to RDS > Create database
2. Engine: Microsoft SQL Server
3. Choose the edition you need (this tutorial uses Standard or Enterprise)
4. In Settings:
   - DB instance identifier
   - Master username and password (a SQL login; keep it as a break-glass account once AD logins work)
5. In Connectivity:
   - Select the same VPC as your AD
   - Leave public access off and connect from the domain-joined EC2 inside the VPC. Public access only makes sense for a throwaway test, and then only with the security group locked to your own address.
6. Under Microsoft SQL Server Windows Authentication, select your directory and the IAM role RDS will use to join it.

RDS joins the domain during creation, so this takes longer than a normal DB launch (~20 minutes). A computer object for the instance appears in the directory, and the instance's domain membership status should read joined when it is done.
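The same launch from the command line, as an added example that is not part of the original page. It uses AWS Tools for PowerShell (`AWS.Tools.IdentityManagement` and `AWS.Tools.RDS`, assumed installed with credentials configured) to create the IAM role that RDS assumes for the join, launch a private, encrypted instance with Windows Authentication enabled, and wait until the domain membership reports joined. The directory ID, subnet group, security group and instance identifier are placeholders.

```powershell
# Added example (not from the original page): the IAM role RDS assumes to
# join the directory, then the instance itself, via AWS Tools for PowerShell.
# Directory ID, subnet group, security group and names are placeholders; the
# console performs the same steps behind "Windows Authentication".
Import-Module AWS.Tools.IdentityManagement, AWS.Tools.RDS

$directoryId = 'd-0123456789'                       # from Directory Service
$roleName    = 'rds-directoryservice-access-role'   # the name the console would pick
$dbId        = 'sql-ad-demo'

# 1. Role trusted only by rds.amazonaws.com, carrying the AWS managed policy
#    that permits the directory-join calls and nothing more.
$trust = @'
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Principal": { "Service": "rds.amazonaws.com" },
                   "Action": "sts:AssumeRole" } ] }
'@
New-IAMRole -RoleName $roleName -AssumeRolePolicyDocument $trust | Out-Null
Register-IAMRolePolicy -RoleName $roleName `
    -PolicyArn 'arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess'

# 2. Master (SQL) password, read without echo.
$secure  = Read-Host -AsSecureString 'Master user password'
$plainPw = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# 3. The instance: private, encrypted at rest, joined to the directory.
New-RDSDBInstance -DBInstanceIdentifier $dbId `
    -Engine 'sqlserver-se' -LicenseModel 'license-included' `
    -DBInstanceClass 'db.m5.large' -AllocatedStorage 100 `
    -MasterUsername 'sqladmin' -MasterUserPassword $plainPw `
    -DBSubnetGroupName 'ad-private-subnets' -VpcSecurityGroupId 'sg-0123456789abcdef0' `
    -PubliclyAccessible $false -StorageEncrypted $true `
    -Domain $directoryId -DomainIAMRoleName $roleName | Out-Null

# 4. The join happens during creation: wait for 'available' plus a joined
#    domain membership before trying Windows Authentication.
do {
    Start-Sleep -Seconds 60
    $db = Get-RDSDBInstance -DBInstanceIdentifier $dbId
    $dm = $db.DomainMemberships | Select-Object -First 1
    'status={0} domain={1}' -f $db.DBInstanceStatus, $dm.Status
} while ($db.DBInstanceStatus -ne 'available' -or $dm.Status -ne 'joined')
"Endpoint: $($db.Endpoint.Address),$($db.Endpoint.Port)"
```

If the membership ends in a failed state, the usual causes are the role missing the managed policy or the RDS subnet group not being in the directory's VPC; both show up in the instance's domain membership details.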
#### Step 3: Create a SQL Login Mapped to an AD User

From your domain-joined EC2, with SSMS installed:

1. Open SSMS
2. Connect to the RDS instance using the SQL admin (master user) login
3. Create a Windows login for the AD user or group: a login created FROM WINDOWS holds no password, and SQL Server defers authentication to the domain

You can then assign database and server roles to that login like any other.
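The login and role assignment, as an added example that is not part of the original page. The T-SQL inside the here-strings is exactly what you would paste into an SSMS query window; here it runs through `Invoke-Sqlcmd` from the SqlServer PowerShell module (version 22 or later is assumed for `-Encrypt` and `-Credential`). The RDS endpoint, the database `appdb` (assumed to exist) and the user `alice` are placeholders.

```powershell
# Added example (not from the original page). Run on the domain-joined EC2 as
# anyone who holds the RDS master (SQL) login. Needs the SqlServer module
# v22+ (Install-Module SqlServer). Endpoint, appdb and alice are placeholders.
Import-Module SqlServer

$rds   = 'sql-ad-demo.abcdefghijkl.us-east-1.rds.amazonaws.com'
$admin = Get-Credential -UserName 'sqladmin' -Message 'RDS master user'
# Mandatory encryption; install the RDS CA in the trusted root store so the
# server certificate validates (use -TrustServerCertificate only for a throwaway test).
$conn  = @{ ServerInstance = $rds; Credential = $admin; Encrypt = 'Mandatory' }

# 1. Server-level login for the AD user. FROM WINDOWS means SQL Server stores
#    no password and defers authentication to the domain.
Invoke-Sqlcmd @conn -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\alice')
    CREATE LOGIN [CORP\alice] FROM WINDOWS WITH DEFAULT_DATABASE = [master];
"@

# 2. Database user mapped to that login, with the least role that does the job.
#    Use db_owner only for databases the person actually administers.
Invoke-Sqlcmd @conn -Database 'appdb' -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\alice')
    CREATE USER [CORP\alice] FOR LOGIN [CORP\alice];
ALTER ROLE db_datareader ADD MEMBER [CORP\alice];
"@

# 3. Check the result. type_desc is WINDOWS_LOGIN for a user, WINDOWS_GROUP for a group.
Invoke-Sqlcmd @conn -Query @"
SELECT name, type_desc, is_disabled
FROM   sys.server_principals
WHERE  name LIKE N'CORP\%';
"@ | Format-Table -AutoSize
```

The NetBIOS prefix (`CORP\`) is mandatory in the login name; the DNS-style `alice@corp.example.com` form is not accepted by CREATE LOGIN ... FROM WINDOWS.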
#### Step 4: Test Domain Login

1. From the same domain-joined EC2, logged in as the AD user, open SSMS
2. In the login prompt:
   - Server name: your-rds-endpoint (the DNS name, not an IP address; Kerberos needs the name to look up the service principal)
   - Authentication: Windows Authentication
3. You should be able to log in using your AD credentials without typing a password.
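A scripted version of the test, as an added example that is not part of the original page. Beyond confirming the login works, it checks that the connection actually used Kerberos rather than silently falling back to NTLM, which is the usual sign of a DNS or SPN problem. It runs as the AD user on the domain-joined EC2; with no `-Credential`, `Invoke-Sqlcmd` (SqlServer module v22+ assumed) uses the caller's Windows token. The endpoint is a placeholder.

```powershell
# Added example (not from the original page). Run on the domain-joined EC2
# while logged in as the AD user (e.g. CORP\alice). Endpoint is a placeholder.
Import-Module SqlServer
$rds = 'sql-ad-demo.abcdefghijkl.us-east-1.rds.amazonaws.com'   # DNS name, never an IP

# 1. Who does SQL Server think we are? Works for any login.
$me = Invoke-Sqlcmd -ServerInstance $rds -Encrypt Mandatory -Query 'SELECT SUSER_SNAME() AS login_name;'
"Connected as $($me.login_name)"
if ($me.login_name -notlike 'CORP\*') { throw 'Not a Windows login: the SQL auth path was used instead' }

# 2. Did we get a Kerberos service ticket for the RDS SQL service? No MSSQLSvc
#    ticket means the connection fell back to NTLM, typically because the
#    endpoint was an IP or DNS did not go through the directory's servers.
$spn = klist | Select-String -Pattern 'MSSQLSvc/' | ForEach-Object { $_.Line.Trim() }
if ($spn) { "Kerberos ticket(s): $($spn -join '; ')" }
else      { Write-Warning 'No MSSQLSvc ticket cached: likely NTLM fallback' }

# 3. The server-side view of the same thing. Needs VIEW SERVER STATE, which a
#    plain reader does not have, so treat a permission error as expected.
try {
    $c = Invoke-Sqlcmd -ServerInstance $rds -Encrypt Mandatory -Query @"
SELECT auth_scheme, encrypt_option
FROM   sys.dm_exec_connections
WHERE  session_id = @@SPID;
"@
    "auth_scheme=$($c.auth_scheme) encrypted=$($c.encrypt_option)"   # KERBEROS and TRUE is the goal
} catch {
    Write-Warning "Could not read sys.dm_exec_connections (VIEW SERVER STATE missing?): $($_.Exception.Message)"
}
```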
### Bonus: Group-based Access

Instead of assigning users individually, create one Windows login for an AD security group (e.g. `CORP\SqlAdmins`) and give that login the roles. Then just add users to the SqlAdmins group in AD. SQL Server evaluates the group SIDs carried in the user's Kerberos ticket at logon, so a newly added or removed user sees the change at their next login, not on an open connection.
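The group-based pattern end to end, as an added example that is not part of the original page: the AD side with the ActiveDirectory module (run as `CORP\Admin` or a delegated administrator on the domain-joined EC2) and the SQL side through `Invoke-Sqlcmd` as the RDS master user (SqlServer module v22+ assumed). The group, OU, user and endpoint names are placeholders.

```powershell
# Added example (not from the original page). AD part runs as CORP\Admin on
# the domain-joined EC2 with the ActiveDirectory module; SQL part uses the RDS
# master user. Group, OU, users and endpoint are placeholders.
Import-Module ActiveDirectory, SqlServer

$rds   = 'sql-ad-demo.abcdefghijkl.us-east-1.rds.amazonaws.com'
$admin = Get-Credential -UserName 'sqladmin' -Message 'RDS master user'
$ou    = 'OU=Users,OU=CORP,DC=corp,DC=example,DC=com'   # inside the delegated OU
$group = 'SqlAdmins'

# 1. One AD security group per access level (Global scope, user members).
if (-not (Get-ADGroup -Filter "Name -eq '$group'" -SearchBase $ou)) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}

# 2. A single Windows-group login. sysadmin is not available on RDS; the
#    master user sits in processadmin and setupadmin and may add members to
#    those roles. Grant db_owner per database for what the group administers.
Invoke-Sqlcmd -ServerInstance $rds -Credential $admin -Encrypt Mandatory -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\$group')
    CREATE LOGIN [CORP\$group] FROM WINDOWS;
ALTER SERVER ROLE processadmin ADD MEMBER [CORP\$group];
ALTER SERVER ROLE setupadmin   ADD MEMBER [CORP\$group];
"@

# 3. From here on an access change is an AD membership change, not a SQL one.
Add-ADGroupMember -Identity $group -Members 'alice'
# Revoking is the mirror image:
#   Remove-ADGroupMember -Identity $group -Members 'alice' -Confirm:$false

# Group SIDs travel in the user's Kerberos ticket, so the change applies at the
# next logon (or after `klist purge` and a reconnect), not to open sessions.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName
```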
### Security Best Practices

- Use IAM policies to control who can modify the RDS instance and the directory; changing the directory an RDS instance belongs to, or resetting the directory `Admin` password, are both privileged operations
- Require TLS for SQL Server connections (`rds.force_ssl` in the DB parameter group) and have clients validate the RDS CA certificate rather than trusting any server certificate
- Rotate the master user's credentials regularly, and keep it as a break-glass account once AD logins exist
- Restrict RDS to private subnets in production, with a security group that admits only the application and administration hosts
### Cost Considerations

- RDS SQL Server Standard/Enterprise editions carry licensing costs (license-included pricing)
- AWS Managed Microsoft AD adds a per-hour charge that depends on the edition
- A domain-joined EC2 instance for SSMS is an extra cost, but is usually needed, since Windows Authentication has to come from a domain member