Enterprise customers usually have to architect a hybrid Active Directory solution to support running applications in the existing on-premises corporate data centers and the AWS cloud. There are many reasons for this, such as maintaining integration with on-premises legacy applications, keeping control of infrastructure resources, and meeting specific industry compliance requirements.
To extend on-premises Active Directory environments to AWS, some customers choose to deploy the Active Directory service on self-managed Amazon Elastic Compute Cloud (EC2) instances after establishing connectivity between both environments. This setup works fine, but it also presents management and operations challenges when it comes to EC2 instance operation management, Windows operating system patching, and Active Directory service patching and backup. This is where AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) helps.
Benefits of using AWS Managed Microsoft AD
With AWS Managed Microsoft AD, you can launch an AWS-managed directory in the cloud, leveraging the scalability and high availability of an enterprise directory service while adding seamless integration with other AWS services.
In addition, you can still access AWS Managed Microsoft AD using existing administrative tools and techniques, such as delegating administrative permissions to select groups in your organization. The full list of permissions that can be delegated is described in the AWS Directory Service Administration Guide.
Active Directory service design considerations with a single AWS account
A single AWS account is where the journey begins: a simple use case might be when you need to deploy a new solution in the cloud from scratch (Figure 1).
In a single AWS account and single-region model, the on-premises Active Directory has the "company.com" domain configured in the on-premises data center. AWS Managed Microsoft AD is set up across two Availability Zones in the AWS Region for high availability. It has a single domain, "na.company.com", configured. The on-premises Active Directory is configured to trust the AWS Managed Microsoft AD, with network connectivity via AWS Direct Connect or VPN. Applications that are Active-Directory–aware and run on EC2 instances have joined the na.company.com domain, as have the selected AWS managed services (for example, Amazon Relational Database Service for SQL Server).
As your cloud footprint expands to more AWS Regions, you have two options for expanding AWS Managed Microsoft AD as well, depending on which edition of AWS Managed Microsoft AD is used (Figure 2):
- With AWS Managed Microsoft AD Enterprise Edition, you can turn on the multi-region replication feature to automatically configure inter-regional network connectivity, deploy domain controllers, and replicate all of the Active Directory data across multiple Regions. This ensures that Active-Directory–aware workloads residing in those Regions can connect to and use AWS Managed Microsoft AD with low latency and high performance.
- With AWS Managed Microsoft AD Standard Edition, you will have to add a domain by creating independent AWS Managed Microsoft AD directories per Region. In Figure 2, the "eu.company.com" domain is added, and AWS Transit Gateway routes traffic among Active-Directory–aware applications in the two AWS Regions. The on-premises Active Directory is configured to trust the AWS Managed Microsoft AD, either over Direct Connect or VPN.
Active Directory service design considerations with multiple AWS accounts
Large organizations use multiple AWS accounts for administrative delegation and billing purposes. This is commonly implemented through the AWS Control Tower service or the AWS Control Tower landing zone solution.
You can share a single AWS Managed Microsoft AD with multiple AWS accounts within one AWS Region. This capability makes it easier and more cost-effective to manage Active-Directory–aware workloads from a single directory across accounts and Amazon Virtual Private Clouds (VPCs). This option also allows you to seamlessly join your Windows EC2 instances to AWS Managed Microsoft AD.
As a best practice, place AWS Managed Microsoft AD in a separate AWS account with restricted administrator access, and share the service with the other AWS accounts. After sharing the service and configuring routing, Active-Directory–aware applications, such as Microsoft SharePoint, can seamlessly join Active Directory Domain Services while you maintain control of all administrative tasks. Find more details on sharing AWS Managed Microsoft AD in the "Share your AWS Managed AD directory" tutorial.
With a multiple-AWS-account and multiple-AWS-Region model, we recommend using AWS Managed Microsoft AD Enterprise Edition. In Figure 3, AWS Managed Microsoft AD Enterprise Edition automates multi-region replication in all AWS Regions where AWS Managed Microsoft AD is available. With AWS Managed Microsoft AD multi-region replication, Active-Directory–aware applications use the local directory for high performance while remaining multi-region for high resiliency.
Domain Name System resolution design
To enable Active-Directory–aware applications to communicate between your on-premises data centers and the AWS cloud, a reliable solution for Domain Name System (DNS) resolution is required. You can point the Amazon VPC Dynamic Host Configuration Protocol (DHCP) option set to either AWS Managed Microsoft AD or the on-premises Active Directory, then assign it to each VPC in which the required Active-Directory–aware applications reside. The full list of options that work with DHCP option sets is described in the Amazon Virtual Private Cloud User Guide.
The benefit of configuring DHCP option sets is that any EC2 instance in that VPC resolves domain names by pointing at the specified domain and DNS servers. This removes the need for manual DNS configuration on EC2 instances. However, because DHCP option sets can't be shared across AWS accounts, a DHCP option set also has to be created in each additional account.
Another option is to create an Amazon Route 53 Resolver. This allows customers to leverage Amazon-provided DNS and Route 53 Resolver endpoints to forward DNS queries to the on-premises Active Directory or to AWS Managed Microsoft AD. This is ideal for multi-account setups and for customers needing hub-and-spoke DNS management.
This alternative replaces the need to create and manage EC2 instances running as DNS forwarders with a managed and scalable solution, since Route 53 Resolver forwarding rules can be shared with other AWS accounts. Figure 5 shows a Route 53 Resolver forwarding a DNS query to the on-premises Active Directory.
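The following is an added example, not code from the AWS post or from AWS, that models the two DNS designs just described so you can see the operational difference offline. It plans one DHCP option set per VPC (they cannot be shared across accounts, and a set takes at most four DNS server addresses), and it models how Route 53 Resolver picks a forwarding rule: the most specific (longest) matching rule domain wins, and names that match no rule fall through to Amazon-provided DNS. The account IDs, VPC IDs, domain names and DNS server addresses are all constructed for illustration; nothing here calls AWS APIs.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Sentinel for "no forwarding rule matched: the VPC's Amazon-provided DNS answers".
AMAZON_PROVIDED_DNS = "AmazonProvidedDNS"
# A VPC DHCP option set accepts at most four DNS server addresses.
MAX_DHCP_DNS_SERVERS = 4


@dataclass(frozen=True)
class DhcpOptionSet:
    account_id: str
    vpc_id: str
    domain_name: str
    dns_servers: tuple


def build_dhcp_option_sets(vpcs_by_account, domain_name, dns_servers):
    """Plan one DHCP option set per VPC.

    DHCP option sets cannot be shared across AWS accounts, so every account (and
    every VPC in it) gets its own copy pointing at the same domain and DNS servers.
    """
    if not domain_name:
        raise ValueError("domain-name is required so instances receive a DNS search suffix")
    if not 1 <= len(dns_servers) <= MAX_DHCP_DNS_SERVERS:
        raise ValueError(f"domain-name-servers takes 1..{MAX_DHCP_DNS_SERVERS} addresses")
    for server in dns_servers:
        ip_address(server)  # raises ValueError on a malformed address
    plan = []
    for account_id, vpc_ids in sorted(vpcs_by_account.items()):
        for vpc_id in vpc_ids:
            plan.append(DhcpOptionSet(account_id, vpc_id, domain_name, tuple(dns_servers)))
    return plan


@dataclass(frozen=True)
class ForwardingRule:
    domain: str      # zone to forward, e.g. "na.company.com"
    targets: tuple   # DNS server IPs reached through an outbound Resolver endpoint


def _norm(name):
    """Canonical form for DNS names: no trailing dot, lower case."""
    return name.rstrip(".").lower()


class ResolverModel:
    """Offline model of Route 53 Resolver forwarding-rule selection.

    Resolver applies the most specific (longest) matching rule domain; a query
    that matches no rule is answered by Amazon-provided DNS.
    """

    def __init__(self, rules):
        self.rules = [ForwardingRule(_norm(r.domain), tuple(r.targets)) for r in rules]

    def resolve_target(self, qname):
        name = _norm(qname)
        best = None
        for rule in self.rules:
            # Match the zone apex or any name below it; "notcompany.com" must not
            # match the "company.com" rule, hence the leading dot in the suffix test.
            if name == rule.domain or name.endswith("." + rule.domain):
                if best is None or len(rule.domain) > len(best.domain):
                    best = rule
        if best is None:
            return AMAZON_PROVIDED_DNS, ()
        return best.domain, best.targets


def objects_to_manage(vpcs_by_account, rules):
    """Operational footprint: per-VPC DHCP option sets vs. shareable Resolver rules."""
    return {
        "dhcp_option_sets": sum(len(v) for v in vpcs_by_account.values()),
        "resolver_rules": len(rules),
    }


# Constructed sample topology: on-premises forest company.com, AWS Managed AD na.company.com.
ONPREM_DNS = ("10.0.0.10", "10.0.0.11")        # assumed on-premises domain controllers
MANAGED_AD_DNS = ("10.10.0.5", "10.10.1.5")    # assumed AWS Managed AD DNS addresses (two AZs)
EXAMPLE_RULES = [
    ForwardingRule("company.com", ONPREM_DNS),
    ForwardingRule("na.company.com", MANAGED_AD_DNS),
]
EXAMPLE_VPCS = {"111111111111": ["vpc-0a", "vpc-0b"], "222222222222": ["vpc-0c"]}

if __name__ == "__main__":
    for opt in build_dhcp_option_sets(EXAMPLE_VPCS, "na.company.com", MANAGED_AD_DNS):
        print(opt)
    resolver = ResolverModel(EXAMPLE_RULES)
    for q in ("sql01.na.company.com", "fs01.company.com.", "s3.amazonaws.com", "notcompany.com"):
        print(q, "->", resolver.resolve_target(q))
    print(objects_to_manage(EXAMPLE_VPCS, EXAMPLE_RULES))
```

With three VPCs across two accounts the DHCP design needs three option sets kept in sync, while the Resolver design needs two forwarding rules that can be shared once. The suffix test with a leading dot is the check worth keeping in mind: a rule for company.com must forward sql01.na.company.com only when no more specific rule exists, and must never capture an unrelated name such as notcompany.com.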
In this post, we described the benefits of using AWS Managed Microsoft AD to integrate with on-premises Active Directory. We also discussed a range of design considerations to explore when architecting a hybrid Active Directory service with AWS Managed Microsoft AD. Different design scenarios were reviewed, from a single AWS account and Region to multiple AWS accounts and multiple Regions. We have also discussed choosing between Amazon VPC DHCP option sets and Route 53 Resolver for DNS resolution.