AWS – Deploying Simple Active Directory service


This recipe will show you how to deploy an AWS Simple Active Directory (Simple AD) service.

Simple AD is a managed, Microsoft AD-compatible directory service powered by Samba 4. It works with many applications that require AD support, and provides a large range of the commonly used AD features, including the following:

  • User accounts
  • Single sign-on (Kerberos)
  • Group memberships
  • Domain joining

It also integrates with other services provided by AWS, such as the following:

  • AWS Management Console
  • WorkMail
  • WorkDocs
  • WorkSpaces and WorkSpaces Application Manager

AWS manages the backup and restoration of the directory for you, in the form of daily snapshots, and through its ability to perform point-in-time recovery.

Features that aren’t supported include the following:

  • Trust relationships with other AD domains
  • DNS dynamic updates
  • Schema extensions
  • MFA
  • LDAPS (short for Lightweight Directory Access Protocol over SSL)
  • PowerShell AD cmdlets
  • Transfer of FSMO roles

The ideal scenario for Simple AD is when you don’t require advanced AD features and you’re supporting fewer than 5,000 users. If either of these isn’t true, you will want to look at the full-featured Microsoft AD service. However, brace yourself for some added complexity and much higher costs if you choose this path.

Getting ready

Before going ahead, we’ll need the following pieces of information:

  • The Fully Qualified Domain Name (FQDN) for your directory (for example,
  • A password for administering your directory. This password corresponds to the administrator user that will be created on your behalf. Note that the password needs to be between 8 and 64 characters long, and must contain at least one character from three of the following four groups:
    • Lowercase letters
    • Uppercase letters
    • Numbers
    • Non-alphanumeric characters
  • The ID of the VPC that we’re deploying to.
  • The IDs of two subnets in this VPC. These subnets need to be in different availability zones.
  • The size of the directory that you’d like to deploy. You can choose between small and large.

A domain controller is going to be deployed in each of the two subnets that you’ve chosen. They’ll be communicating with each other on a fairly large number of ports. Ideally, these subnets would exist in the same tier in your VPC and, by extension, would not have any NACLs (short for Network Access Control Lists) between them that would stop the controllers from talking to each other.

If, for some reason, you’re restricting traffic with NACLs within your VPC tiers, you will want to refer to the AWS docs for the list of ports to allow. For more details, visit

How to do it…

  1. Create a new CloudFormation template file. We’ll start by populating it with Parameters that correspond to all the requirements that we previously mentioned:

    AWSTemplateFormatVersion: '2010-09-09'
    Parameters:
      FullyQualifiedName:
        Description: The fully qualified name for the directory
        Type: String
        # labels separated by '.' or '-'; the class must not include a backslash
        AllowedPattern: '^([a-zA-Z0-9]+[.-])+([a-zA-Z0-9])+$'
      Password:
        Description: The password for the directory Administrator
        Type: String
        NoEcho: true
  2. Then, we add parameters for the VPC, subnets, and directory size:

      VpcId:
        Description: The ID of the VPC to deploy to
        Type: AWS::EC2::VPC::Id
      SubnetIds:
        Description: Subnets where the directory will be deployed to (pick at least 2)
        Type: List<AWS::EC2::Subnet::Id>
      DirectorySize:
        Description: The size of the directory to deploy
        Type: String
        AllowedValues:
          - Small
          - Large
  3. Next, we define our Resources. Even though two Simple AD domain controllers are being deployed, we only need to create one resource here:

    Resources:
      SimpleAD:  # logical resource name (not given in the recipe; any valid name works)
        Type: AWS::DirectoryService::SimpleAD
        Properties:
          Name: !Ref FullyQualifiedName
          Password: !Ref Password
          Size: !Ref DirectorySize
          VpcSettings:
            SubnetIds:
              - !Select [ 0, Ref: SubnetIds ]
              - !Select [ 1, Ref: SubnetIds ]
            VpcId: !Ref VpcId

  4. You can now go ahead and run this template in the CloudFormation web console, or via the CLI, like this (DirectorySize has no default, so it must be passed too):

    aws cloudformation create-stack \
      --stack-name example-directory \
      --template-body file://08-active-directory-as-a-service.yaml \
      --parameters \
        ParameterKey=FullyQualifiedName,ParameterValue=<fqdn> \
        ParameterKey=Password,ParameterValue=<password> \
        ParameterKey=VpcId,ParameterValue=<vpc-id> \
        ParameterKey=DirectorySize,ParameterValue=<Small|Large> \
        "ParameterKey=SubnetIds,ParameterValue='<subnet-1>,<subnet-2>'"
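Because the administrator password cannot be recovered once the stack exists, it pays to validate the inputs locally before calling create-stack. The following Python is an added example (not code from the recipe or from AWS): it checks the FQDN against the template’s AllowedPattern, the password against the stated complexity rule and the subnet list, then builds the equivalent command with JSON-formatted parameters; the stack name and sample IDs are constructed.

```python
import json
import re

# Added pre-flight check for the recipe's inputs; constructed example, not code
# from the recipe or from AWS. The FQDN rule is the template's AllowedPattern
# (character class tidied to match only '.' and '-').
FQDN_RE = re.compile(r"^([a-zA-Z0-9]+[.-])+([a-zA-Z0-9])+$")

# The four character groups named in the recipe; a password must use three.
GROUP_TESTS = (
    str.islower,                 # lowercase letters
    str.isupper,                 # uppercase letters
    str.isdigit,                 # numbers
    lambda c: not c.isalnum(),   # non-alphanumeric characters
)

def password_problems(password):
    """Return the recipe's password rules that `password` violates."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("password must be 8-64 characters")
    hit = sum(any(test(c) for c in password) for test in GROUP_TESTS)
    if hit < 3:
        problems.append("password must use 3 of 4 character groups (has %d)" % hit)
    return problems

def preflight(fqdn, password, subnet_ids):
    """Catch bad inputs before create-stack: the admin password cannot be
    retrieved or reset later, so a typo here means redeploying the directory."""
    problems = password_problems(password)
    if not FQDN_RE.match(fqdn):
        problems.append("FQDN does not match the template's AllowedPattern")
    if len(subnet_ids) < 2 or len(set(subnet_ids)) != len(subnet_ids):
        problems.append("need two distinct subnet IDs (in different AZs)")
    return problems

def create_stack_argv(stack_name, template, fqdn, password, vpc_id, subnet_ids, size="Small"):
    """Build the aws-cli argv. Passing --parameters as JSON sidesteps the
    shorthand quoting that the comma-separated SubnetIds list otherwise needs."""
    params = [
        {"ParameterKey": "FullyQualifiedName", "ParameterValue": fqdn},
        {"ParameterKey": "Password", "ParameterValue": password},
        {"ParameterKey": "VpcId", "ParameterValue": vpc_id},
        {"ParameterKey": "SubnetIds", "ParameterValue": ",".join(subnet_ids)},
        {"ParameterKey": "DirectorySize", "ParameterValue": size},
    ]
    return ["aws", "cloudformation", "create-stack", "--stack-name", stack_name,
            "--template-body", "file://" + template, "--parameters", json.dumps(params)]
```

Run preflight first and only hand the argv to subprocess when it returns an empty list; the AZ check still has to be done against the EC2 API, which this offline check does not do.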

How it works…

It will take several minutes to create the directory. Once the status becomes Active, you may proceed with further setup and integration tasks. The directory listing page will eventually show an entry that looks similar to this:

Simple AD details

There’s more…

  • The password for the administrator account can’t be retrieved or reset. Be sure to keep this password somewhere safe.
  • You may notice an additional security group appear in your EC2 console. This group is necessary for the directory controllers (although you won’t see these appear as EC2 instances in your console).
  • The directory will contain an account with the AWSAdminD- prefix. This account is necessary for AWS to perform maintenance tasks, such as backup and FSMO role transfers. Removing this account or changing its password is almost certainly a bad idea.

See also

  • The Building a secure network recipe in Chapter 7, AWS Networking Essentials
