General

AWS Directory Service is a managed service offering, providing directories that contain information about your organization, including users, groups, computers, and other resources. As a managed offering, AWS Directory Service is designed to reduce management tasks, thereby allowing you to focus more of your time and resources on your business. There is no need to build out your own complex, highly-available directory topology because each directory is deployed across multiple Availability Zones, and monitoring automatically detects and replaces domain controllers that fail. In addition, data replication and automated daily snapshots are configured for you. There is no software to install and AWS handles all of the patching and software updates.

AWS Directory Service enables you to rapidly lift and shift AD-dependent workloads to the cloud and simplifies application modernization via seamless integrations with AWS Services.

With AWS Directory Services you can create a new AD Directory, extend or connect your existing directory, and seamlessly deploy workloads into Amazon EC2 which are automatically connected to your AD or to managed services like RDS and FSx. AWS Directory Service also integrates with AWS applications like WorkSpaces, enabling your end users to use their existing corporate credentials directly.

Additionally, you can manage users and groups, provide single sign-on to applications and services, create and apply group policy, join Amazon EC2 instances to a domain, and simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads. You can also use your existing corporate credentials to administer AWS resources via AWS Identity and Access Management (IAM) role-based access to the AWS Management Console.

You can use the AWS Management Console or the API to create a directory. All you need to provide is some basic information such as a fully qualified domain name (FQDN) for your directory, Administrator account name and password, and the VPC you want the directory to be attached to.

Yes, you can use the AWS Management Console or the API to add existing EC2 instances running Linux or Windows to an AWS Managed Microsoft AD directory.

Public APIs are supported for creating and managing directories, so you can manage directories programmatically. The APIs are available via the AWS CLI and SDKs. Learn more about the APIs in the AWS Directory Service documentation.

Yes. Actions performed via the AWS Directory Service APIs or management console will be included in your CloudTrail audit logs.

Yes. You can configure Amazon Simple Notification Service (SNS) to receive email and text messages when the status of your AWS Directory Service changes. Amazon SNS uses topics to collect and distribute messages to subscribers. When AWS Directory Service detects a change in your directory’s status, it will publish a message to the associated topic, which is then sent to topic subscribers. Visit the documentation to learn more.

See the pricing page for more information.

Yes. AWS Directory Service supports cost allocation tagging. Tags make it easier for you to allocate costs and optimize spending by categorizing and grouping AWS resources. For example, you can use tags to group resources by administrator, application name, cost center, or a specific project.

Refer to Regional Products and Services for details of AWS Directory Service availability by region.

Effective 05/31/2020, client computers can use only SMB version 2.0 (SMBv2) or newer to access files stored on the SYSVOL and NETLOGON shares of the domain controllers for their AWS Managed Microsoft AD directories. More generally, AWS recommends that customers use only SMBv2 or newer on all SMB-based file services.

AWS Managed Microsoft AD

You can launch the AWS Directory Service console from the AWS Management Console to create an AWS Managed Microsoft AD directory. Alternatively, you can use the AWS SDK or AWS CLI.

AWS Managed Microsoft AD directories are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.

As part of the fully managed service, AWS provides the compute, storage, and memory resources. As a customer, you declare your requirements when selecting your edition (Standard, Enterprise, or Hybrid), and AWS handles the infrastructure management. If you need more resources, you can add additional domain controllers to your directory.

With AWS Managed Microsoft AD, the approach to user and group management differs across editions. In Hybrid Edition, you retain your administrative rights to your existing AD domain, since AWS Managed Microsoft AD domain controllers become part of your existing forest; this allows you to continue using your familiar AD administration tools while changes replicate to AWS in real time.

Standard and Enterprise editions create new AD domains on AWS in which you do not have domain admin rights, but you can still manage your users and groups using your existing Active Directory tools on Windows computers joined to the AWS Managed Microsoft AD domain. You can also manage users and groups in the AWS Console or via APIs. No special tools, policies, or behavior changes are required.

To deliver a managed-service experience, AWS Managed Microsoft AD (Standard, Enterprise, and Hybrid editions) must disallow operations by customers that would interfere with managing the service. Therefore, AWS restricts access to directory objects, roles, and groups that require elevated privileges. AWS Managed Microsoft AD does not allow direct host access to domain controllers via Windows Remote Desktop Connection, PowerShell Remoting, Telnet, or Secure Shell (SSH).

When you create an AWS Managed Microsoft AD directory, you are assigned an organizational unit (OU) and an administrative account with delegated administrative rights for the OU. You can create user accounts, groups, and policies within the OU by using standard Remote Server Administration Tools such as Active Directory Users and Groups or the PowerShell ActiveDirectory module.

With Hybrid Edition, however, you maintain your existing administrative control over your existing AD environment, while AWS still manages the underlying infrastructure of the domain controllers deployed in AWS, in the same way it manages the Standard and Enterprise editions.

Yes. The administrative account created for you when AWS Managed Microsoft AD is set up has delegated management rights over the Remote Access Service (RAS) and Internet Authentication Service (IAS) security group. This enables you to register NPS with AWS Managed Microsoft AD and manage network access policies for accounts in your domain.

Yes. AWS Managed Microsoft AD (Standard and Enterprise editions) supports schema extensions that you submit to the service in the form of an LDAP Data Interchange Format (LDIF) file. You may extend but not modify the core Active Directory schema.

For Hybrid Edition, you can make schema extensions directly in your self-managed AD, and they will replicate to your hybrid directory on AWS.

Compatible with Standard, Enterprise, and Hybrid editions:

  • Amazon EC2 Instances

  • Amazon FSx for Windows File Server

  • Amazon RDS for MySQL 

  • Amazon RDS for Oracle

  • Amazon RDS for PostgreSQL

  • Amazon RDS for SQL Server

  • Amazon RDS for Db2 

Compatible with Standard and Enterprise editions:

  • Amazon QuickSight

  • Amazon Chime

  • Amazon Connect 

  • Amazon WorkMail

  • Amazon WorkSpaces

  • AWS IAM Identity Center

  • AWS Client VPN 

  • AWS Management Console

Note that not all configurations of these applications may be supported.

AWS Managed Microsoft AD is based on actual Active Directory and provides the broadest range of native AD tools and third-party apps support such as:

  • Active Directory-Based Activation (ADBA)

  • Active Directory Certificate Services (AD CS): Enterprise Certificate Authority

  • Active Directory Federation Services (AD FS) 

  • Active Directory Users and Computers (ADUC)

  • Application Server (.NET)

  • Azure Active Directory (Azure AD)

  • Azure Active Directory (AD) Connect 

  • Distributed File System Replication (DFSR)

  • Distributed File System Namespaces (DFSN)

  • Microsoft Remote Desktop Services Licensing Server

  • Microsoft SharePoint Server 

  • Microsoft SQL Server (including SQL Server Always On Availability Groups)

  • Microsoft System Center Configuration Manager (SCCM)

  • Microsoft Windows and Windows Server OS

  • Office 365 

  • Active Directory Certificate Services (AD CS): Certificate Enrollment Web Service (Hybrid edition only)

  • Microsoft Exchange Server (Hybrid edition only)

  • Active Directory Certificate Services (AD CS): Certificate Enrollment Web Service (Standard and Enterprise editions only)

  • Microsoft Exchange Server (Standard and Enterprise editions only)

For Hybrid Edition, you can extend your existing Active Directory to AWS without fully migrating. Your AWS Managed Microsoft AD domain controllers become part of your existing AD forest, and your AD data is replicated from your AD environments into AWS, creating a unified directory experience across environments.

For Standard and Enterprise Editions, AWS does not provide any migration tools to migrate your existing Active Directory to AWS Managed Microsoft AD. You must establish a strategy for performing migration including password resets and implement the plans using Remote Server Administration Tools.

Yes. You can configure conditional forwarders and trusts for AWS Managed Microsoft AD using the Directory Service console as well as the API.

Yes. You can add additional domain controllers to your managed domain using the AWS Directory Service console or API. Note that promoting Amazon EC2 instances to domain controllers manually is not supported.

Yes. You can synchronize identities from AWS Managed Microsoft AD to Azure AD using Azure AD Connect and use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with AWS Managed Microsoft AD to authenticate Office 365 users. For step-by-step instructions, see How to Enable Your Users to Access Office 365 with AWS Microsoft Active Directory Credentials.

Yes. You can use Microsoft Active Directory Federation Services (AD FS) for Windows 2016 with your AWS Managed Microsoft AD managed domain to authenticate users to cloud applications that support SAML.

Yes. AWS Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, in both client and server roles. When acting as a server, AWS Managed Microsoft AD supports LDAPS over ports 636 (SSL) and 389 (TLS).

With Enterprise and Standard editions, you enable server-side LDAPS communication by installing a certificate on your AWS Managed Microsoft AD domain controllers from an AWS-based Active Directory Certificate Services certificate authority (CA).

With Hybrid edition, you can enable LDAPS by installing certificates on your AD, which will replicate to your hybrid directory on AWS. 

Yes. AWS Managed Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, in both client and server roles. When acting as a client, AWS Managed Microsoft AD supports LDAPS over port 636 (SSL). You enable client-side LDAPS communication by registering certification authority (CA) certificates from your server certificate issuer into AWS. To learn more, see Enable Secure LDAP (LDAPS).

With Hybrid edition, you can enable LDAPS by installing certificates on your AD, which will replicate to your hybrid directory on AWS.

AWS Managed Microsoft AD supports both LDAP signing and LDAP over SSL/TLS (LDAPS) when acting as an LDAP client communicating with self-managed Active Directory. Client-side LDAP signing requires no customer action to enable and provides data integrity. Client-side LDAPS requires configuration and provides both data integrity and confidentiality. For more information, see this AWS Forums post.

AWS Managed Microsoft AD (Standard Edition) includes 1 GB of directory object storage. This capacity can support up to 5,000 users or 30,000 directory objects, including users, groups, and computers.

AWS Managed Microsoft AD (Enterprise and Hybrid Editions) includes 17 GB of directory object storage, which can support up to 100,000 users or 500,000 objects.

Note that object sizes vary by company and these numbers are an estimate.

Yes. You can use AWS Managed Microsoft AD (Standard and Enterprise Editions) as a primary directory to manage users, groups, computers, and Group Policy objects (GPOs) in the cloud. You can manage access and provide single sign-on (SSO) to AWS applications and services, and to third-party directory-aware applications running on Amazon EC2 instances in the AWS Cloud. In addition, you can use Azure AD Connect and AD FS to support SSO to cloud applications, including Office 365.

Yes. You can use AWS Managed Microsoft AD (Standard and Enterprise Editions) as a resource forest that contains primarily computers and groups with trust relationships to your directory hosted on-premises or on the cloud. This enables your users to access AWS applications and resources with their AD credentials.

Multi-region replication

Multi-region replication is a feature that enables you to deploy and use a single AWS Managed Microsoft AD directory across multiple AWS Regions. This makes it easier and more cost-effective for you to deploy and manage your Microsoft Windows and Linux workloads globally. With the automated multi-region replication capability you get higher resiliency, while your applications use a local directory for optimal performance. This feature is available in AWS Managed Microsoft AD (Enterprise Edition) only. You can use the feature for new and existing directories.

First, you open the AWS Directory Service console in the region where your directory is already up and running (primary region). Select the directory you want to expand and choose Add Region. Then, select the Region into which you want to expand, provide the Amazon Virtual Private Cloud (VPC), and the subnets into which you want to deploy your directory. You can also use APIs to expand your directory. To learn more, see the documentation.

AWS Managed Microsoft AD automatically configures inter-region networking connectivity, deploys domain controllers, and replicates all your directory data, including users, groups, Group Policy Objects (GPOs), and schema, across your selected regions. In addition, AWS Managed Microsoft AD configures a new AD site per region which improves user authentication and domain controller replication performance within the region while lowering costs by minimizing data transfers between regions. Your directory identifier (directory_id) remains the same in the new region and is deployed in the same AWS account as your primary Region.

Yes, with multi-region replication you have the flexibility to share your directory with other AWS accounts per Region. Directory sharing configurations are not automatically replicated from the primary region. To learn how to share your directory with other AWS accounts, see the documentation.

Yes, with multi-region replication you have the flexibility to define the number of domain controllers per region. To learn how to add a domain controller, see the documentation.

With multi-region replication, you monitor your directory status per Region independently. You must enable Amazon Simple Notification Service (SNS) in each region where you deployed your directory, using the AWS Directory Service console or API. To learn more, see the documentation.

With multi-region replication, you monitor your directory security logs per Region independently. You must enable Amazon CloudWatch Logs forwarding in each region where you deployed your directory, using the AWS Directory Service console or API. To learn more, see the documentation.

Yes, you can rename your directory’s AD site name per region using standard AD tools. To learn more, see the documentation.

Yes. If you do not have any AWS applications registered to your directory and you have not shared the directory with any AWS account in the Region, AWS Managed Microsoft AD allows you to remove an AWS Region from your directory. You cannot remove the primary Region, unless you delete the directory.

Multi-region replication is compatible with Amazon EC2, Amazon RDS (SQL Server, Oracle, MySQL, PostgreSQL, and MariaDB), Amazon Aurora (MySQL and PostgreSQL), and Amazon FSx for Windows File Server natively. You can also integrate other AWS Applications such as Amazon WorkSpaces, AWS Single Sign-On, AWS Client VPN, Amazon QuickSight, Amazon Connect, Amazon WorkDocs, Amazon WorkMail, and Amazon Chime with your directory in new Regions by configuring AD Connector against your AWS Managed Microsoft AD directory per Region.

Seamless domain join

Seamless domain join is a feature that allows you to join your Amazon EC2 for Windows Server and Amazon EC2 for Linux instances seamlessly to a domain, at the time of launch and from the AWS Management Console. You can join instances to AWS Managed Microsoft AD that you launch in the AWS Cloud.

When you create and launch an EC2 for Windows or an EC2 for Linux instance from the AWS Management Console, you have the option to select which domain your instance will join. To learn more, see the documentation.

You cannot use the seamless domain join feature from the AWS Management Console for existing EC2 for Windows Server and EC2 for Linux instances, but you can join existing instances to a domain using the EC2 API or by using PowerShell on the instance. To learn more, see the documentation.
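The manual PowerShell path for an existing Windows instance, as an added example that is not from the AWS page or from AWS's own tooling. It assumes placeholder values (directory DNS addresses 10.0.0.10 and 10.0.1.10, domain corp.example.com, the delegated admin account, and the account's OU), which you replace with the values shown in your directory details; it checks reachability of the domain controller ports first, since a blocked security group is the usual cause of a failed join.

```powershell
# Added example: join an existing EC2 Windows instance to an AWS Managed Microsoft AD
# domain from PowerShell on the instance. All values below are placeholders.
$DirectoryDns = @('10.0.0.10', '10.0.1.10')      # directory DNS addresses (placeholder)
$DomainName   = 'corp.example.com'               # directory FQDN (placeholder)
$AdminUser    = "$DomainName\Admin"              # delegated admin account (placeholder)
$ComputersOU  = 'OU=Computers,OU=corp,DC=corp,DC=example,DC=com'   # your assigned OU (placeholder)

# 1. Point the instance at the directory's DNS servers so it can locate domain controllers.
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DirectoryDns

# 2. Locate a domain controller via the AD SRV record and confirm the ports a join
#    needs (Kerberos 88, LDAP 389, SMB 445) are open from this instance's security group.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
$dc  = ($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget
foreach ($port in 88, 389, 445) {
    $probe = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP $port to $dc is blocked; fix the VPC security group before joining"
    }
}

# 3. Join the domain, placing the computer object in the OU AWS delegated to you,
#    then reboot so the machine account and group policy take effect.
$cred = Get-Credential -UserName $AdminUser -Message 'Delegated admin password'
Add-Computer -DomainName $DomainName -Credential $cred -OUPath $ComputersOU -Restart
```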

The seamless domain join feature is currently available for Amazon Linux, Amazon Linux 2, CentOS 7 or newer, RHEL 7.5 or newer, and Ubuntu 14 to 18.

IAM integration

AWS Directory Service allows you to assign IAM roles to AWS Managed Microsoft AD or Simple AD users and groups in the AWS Cloud, as well as to existing on-premises Microsoft Active Directory users and groups using AD Connector. These roles control users’ access to AWS services based on the IAM policies assigned to the roles. AWS Directory Service provides a customer-specific URL for the AWS Management Console, which users can use to sign in with their existing corporate credentials. See our documentation for more information on this feature.

Compliance

Yes. AWS Managed Microsoft AD has implemented the controls necessary to enable you to meet the U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements and is included as an in-scope service in the Payment Card Industry Data Security Standard (PCI DSS) Attestation of Compliance and Responsibility Summary. 

To access a comprehensive list of documents relevant to compliance and security in the AWS Cloud, see AWS Artifact.

Security, including HIPAA and PCI DSS compliance, is a shared responsibility between AWS and you. For example, it is your responsibility to configure your AWS Managed Microsoft AD password policies to meet PCI DSS requirements when using AWS Managed Microsoft AD. To learn more about the actions you may need to take to meet HIPAA and PCI DSS compliance requirements, see the compliance documentation for AWS Managed Microsoft AD as well as review the AWS Cloud Compliance, HIPAA Compliance, and PCI DSS Compliance web pages.
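One way to carry out the password-policy part of that shared responsibility, as an added example that is not from the AWS page: it edits one of the fine-grained password policies in the managed domain from a domain-joined admin workstation with the ActiveDirectory module (the page notes you administer the domain with RSAT tools rather than on the domain controllers). The policy name CustomerPSO-01 and the group PCI-Users are placeholders, the admin account is assumed to hold the delegated fine-grained password policy rights, and the threshold values are illustrative; confirm them against the PCI DSS version you are assessed against.

```powershell
# Added example: tighten an AWS Managed Microsoft AD fine-grained password policy
# and apply it to the group of in-scope users. Names and thresholds are placeholders.
Import-Module ActiveDirectory

$PolicyName  = 'CustomerPSO-01'   # existing policy to modify (placeholder name)
$TargetGroup = 'PCI-Users'        # group holding in-scope accounts (placeholder)

# 1. Review the policies already present in the domain before changing one.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold |
    Format-Table -AutoSize

# 2. Set length, complexity, rotation, history and lockout on the chosen policy.
#    Illustrative values: confirm against your applicable PCI DSS requirements.
Set-ADFineGrainedPasswordPolicy -Identity $PolicyName `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 4 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 6 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# 3. Bind the policy to the in-scope group (policies apply to users and global groups).
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroup

# 4. Verify the resultant policy for each member; precedence decides when several apply.
Get-ADGroupMember -Identity $TargetGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User             = $_.SamAccountName
            Policy           = $rsop.Name
            MinLength        = $rsop.MinPasswordLength
            MaxAgeDays       = $rsop.MaxPasswordAge.Days
            LockoutThreshold = $rsop.LockoutThreshold
        }
    } | Format-Table -AutoSize
```

Accounts whose resultant policy is not the one you set are covered by a higher-precedence policy or are not in the group, which is the usual gap an assessor finds.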