Welcome back my fellow geeks!
Earlier this year I did a deep dive into Microsoft’s managed Active Directory service, Microsoft Azure Active Directory Domain Services (AAD DS). I found was a service in its infancy and showing some promise, but very far from being an enterprise-ready service. I thought it would be fun to look at Amazon’s (which I’ll refer to as Amazon Web Services (AWS) for the rest of the entries in this series) take on a managed Microsoft Active Directory (or as Microsoft is referring to it these days Windows Active Directory).
Unless your organization popped up in the last year or two and went the whole serverless route you are still managing operating systems that require centralized authentication, authorization, and configuration management. You also more than likely have a ton of legacy/classic on-premises applications that require legacy protocols such as Kerberos and LDAP. Your organization is likely using Windows Active Directory (Windows AD) to provide these capabilities along with Windows AD’s basic domain name system (DNS) service and centralized identity data store.
It’s unrealistic to assume you’re going to shed all those legacy applications prior to beginning your journey into the public cloud. I mean heck, shedding the ownership of data centers alone can be a huge cost driver. Organizations are then faced with the challenge of how to do Windows AD in the public cloud. Is it best to extend an existing on-premises forest into the public cloud? What about creating a resource forest with a trust? Or maybe even a completely new forest with no trust? Each of these options have positives and negatives that need to be evaluated against organizational requirements across the business, technical, and legal arenas.
Whatever choice you make, it means additional infrastructure in the form of more domain controllers. Anyone who has managed Windows AD in an enterprise knows how much overhead managing domain controllers can introduce. Let me clarify that by managing Windows AD, it does not mean opening Active Directory Users and Computers (ADUC) and creating user accounts and groups. I’m talking about examining performance monitor AD counters and LDAP Debug logs to properly size domain controllers, configuring security controls to comply with PCI and HIPAA requirements or aligning with DISA STIGS, managing updates and patches, and troubleshooting the challenges those bring which requires extensive knowledge of how Active Directory works. In this day an age IT staff need to be less focused on overhead such as this and more focused on working closely with its business units to drive and execute upon business strategy. That folks is where managed services shine.
AWS offers an extensive catalog of managed services and Windows AD is no exception. Included within the AWS Directory Services offerings there is a powerful offering named Amazon Web Services Directory Service for Microsoft Active Directory, or more succinctly AWS Managed Microsoft AD. It provides all the wonderful capabilities of Windows AD without all of the operational overhead. An interesting fact is that the service has been around since December 2015 in comparison to Microsoft’s AAD DS which only went into public preview at in 3rd Q 2017. This head start has done AWS a lot of favors and in this engineer’s opinion, has established AWS Managed Microsoft AD as the superior managed Windows AD service over Microsoft’s AAD DS. We’ll see why as the series progresses.
Over the course of this series I’ll be performing a similar analysis as I did in my series on Microsoft AAD DS. I’ll also be examining the many additional capabilities AWS Managed Microsoft AD provides and demoing some of them in action. My goal is that by the end of this series you understand the technical limitations that come with the significant business benefits of leveraging a managed service.
See you next post!
Great to see you back after the summer break with a very interesting topic.
Thanks Franck. It’s great to be back and thanks for reading!