Begin Your Cloud Journey by Modernizing Active Directory in the AWS Cloud
Sandy Carter
Chief Operating Officer | ex-AWS | ex-IBM | Forbes Contributor | Board of Directors | AI Expert | Blockchain Expert
Active Directory (AD) is very popular with enterprise on-premises customers. IT teams that have invested in building out roles and privileges in AD would like to keep using them, even as they consider a migration to the cloud. Customers want an identity and access management (IAM) strategy that covers both on-premises and cloud, and they want to minimize the cost of managing AD. That means figuring out how to make the most of existing investments in AD while showing a path forward for integrating with modern IAM tools and easier-to-operate managed services.
The move to the cloud also offers companies an opportunity to modernize their AD deployments. We see many customers going all in on the cloud, with fewer customers investing in on-premises identity and directory. While many would love to jump straight to cloud-native identity solutions, the reality is that the easiest way to get your feet wet (and move the most important workloads to the cloud) is to move your Active Directory to the cloud as a first step toward modernization. The good news is that there are numerous benefits to moving your existing Active Directory to the cloud, including cost savings and agility.
Modernization Considerations for AD in the Cloud
There are three things to consider for cloud-based Active Directory: compatibility, functionality, and flexibility. First, a cloud-based AD deployment should be compatible with existing, on-premises AD. Customers want to ensure that their existing investments will work with all cloud instances they migrate in the future – and that administrators don’t need to learn a completely new tool or give up control.
Second, customers require a greater breadth and depth of functionality. At the enterprise level, a cloud-based AD should not trade away the ability to customize identities and privileges across a complex organization. Customers also stressed the importance of security: they have spent years honing patterns and practices that rely on a full-featured Active Directory. For example, Microsoft recommends not joining a workstation to Azure AD without a mobile device management (MDM) solution in place to secure it. This is because Azure AD does not support Group Policy, so another service has to manage the workstation.
Third, customers cited flexibility in implementing their AD deployment as a necessary component. AD deployments can vary even within a company, based on corporate history and recent mergers. Organizations may have very different future plans regarding AD, and IT teams need optionality – their requirements for a modern AD deployment may change as they migrate more workloads to the cloud.
AWS Offerings to Help Modernize your AD
Given the needs described above, AWS offers three services for modernizing AD and delivering connectivity in the cloud.
The first is our AD Connector. AD Connector is designed to make it easy for our customers to link Windows Server and SQL Server workloads running on EC2 to an AD instance running on-premises. This makes AD Connector an ideal option for customers who prefer to keep AD on-premises, while being able to lift and shift Windows workloads to EC2 immediately.
The second is our AWS Managed Microsoft AD offering. This enables customers to use a managed Microsoft AD on the AWS Cloud. It does not require you to synchronize or replicate data from on-premises AD to AWS, and it reduces the customer’s administrative costs. Customers can set up an AD instance quickly and easily. AWS Managed Microsoft AD takes care of backups, domain controller and DNS creation, and software updates and patching. AWS Managed Microsoft AD works with all Microsoft workloads on AWS, from Amazon Relational Database Service (RDS) for SQL Server to running Windows on EC2. In addition, you can use AWS Managed Microsoft AD to enable multi-factor authentication by integrating with your existing RADIUS-based MFA infrastructure, providing an additional layer of security when users access AWS applications.
If your company is using Office 365, you may be using Azure AD. But Azure AD does not have the full functionality of Active Directory. Did you know that Azure AD does not support many features, including Group Policy, Organizational Units, and authentication for traditional on-premises applications? This may work for some basic use cases; however, most enterprise companies that I work with have far more complex workloads. For example, if your workload needs to communicate with traditional workloads, you will need Kerberos or NTLM authentication, which requires the full Active Directory. AWS Managed AD is a complete implementation of AD in a fully managed environment, and it can be used to give users access to Office 365 without the need for Azure AD. You can read this blog to learn how to enable your users to access Office 365 with AWS Microsoft Active Directory credentials.
Finally, we support AD on EC2. This is an option for the customers who really want to “lift and shift” AD to the cloud, or who want to deploy a self-managed AD instance on AWS versus our Managed AD offering. This is ideal for customers who need the most control over their deployments.
Popular Use Cases and Customer Success Stories
In the initial migration phase, customers have the flexibility to decide when and how to run AD on AWS. Most customers at this phase are looking to “lift and shift” Windows Server and SQL Server workloads to run on EC2. Customers who want to continue to run all identities and privileges using their existing AD can use AD Connector, which will connect Microsoft workloads running on EC2 to their on-premises AD. This removes the roadblock to migration for companies with a strong preference for keeping AD data on-premises. Of course, some companies choose to migrate to AWS with an eye towards future workloads. In this case, we offer the option to run AD on AWS from day one – the exact same functionality and codebase as AD on-premises, but running on AWS. Here are a few examples of customers that have achieved their migration goals with AWS and optimized their use of AD on AWS.
First, the International Air Transport Association, or IATA, is the trade association for the world’s airlines. They migrated an on-premises business intelligence (BI) platform to AWS, moving Windows Server and SQL Server workloads to run on EC2. The application dealt with sensitive data, and IATA’s IT department wanted to ensure that the organization could continue to use its on-premises AD while leveraging the flexibility and performance of the cloud. IATA used the AD Connector on AWS to join its SQL Server workloads on EC2 to its on-premises AD, greatly simplifying the migration of the initial BI platform.
Next, we have Capital One, a major American bank and credit card issuer with over $28 billion in revenue. Capital One is using Managed AD across many regions and applications, integrating with managed services like RDS. Capital One started by migrating Microsoft workloads, including Windows, to EC2, reducing their data center footprint drastically while increasing their agility and flexibility. As a sophisticated AWS customer looking to run new workloads in the cloud, Capital One was able to address security and compliance concerns by running Managed AD instances in multiple regions. Better yet, adopting Managed AD opened the door for Capital One to adopt RDS for SQL Server, moving away from managing their own SQL Server workloads on EC2 towards a lower-overhead solution designed for the cloud.
Lastly, Mary Kay is one of the world's leading direct sellers of skin care products and cosmetics. They have tens of thousands of employees and beauty consultants working outside the office, and they needed a consistent, global solution to manage identities and privileges. AWS Managed AD provided Mary Kay the features that enabled them to deploy SQL Server Always On availability groups on EC2 Windows. It gave them the control to scale their deployment out to meet their performance requirements, and they could deploy the service in multiple regions while integrating with an on-premises AD. That means that on-premises users get the same experience when using AD-aware services on-premises or in the AWS Cloud.
Better still, with our cross-account and cross-VPC support, Mary Kay is looking at reducing their managed AD infrastructure footprint, thereby saving money and reducing complexity. The end result looks like a truly modern hybrid AD architecture, with lower costs for the customer.
Getting Started
There are numerous other customers who have benefited from leveraging AWS’s expertise in delivering AD as a service. AWS continues to be a leader in this space for 3 reasons:
- High Compatibility: We are the only major cloud provider to use actual Active Directory on Windows Server for compatibility. What’s unique about AD on AWS is that, because we use a trust model between on-premises AD and managed AD in the cloud, you can set up a directory in under 2 minutes.
- Preserves SSO: AWS Managed AD is the only managed AD service that preserves the Windows single sign-on experience for your users when you run AD-aware applications on-premises and in the cloud. As a result, you can migrate applications and your users don’t have to sign in separately.
- Richest Set of Features: AWS Managed AD supports all the features of AD that customers are accustomed to using on-premises, which allows AWS Managed AD to support the broadest range of AD-aware applications, including SQL Server Always On Availability Groups, SharePoint, and .NET applications.
Let us help you with your Active Directory strategy in the cloud. Contact us today! Learn more about our support for key Microsoft workloads, including Windows Server, SQL Server, Active Directory, and .NET, at the AWS Summit in New York City on July 11th.
Previous popular blogs by Sandy Carter:
Running the most reliable choice for Windows workloads: Windows on AWS
Fact-checking the truth on TCO for running Windows workloads in the cloud
Mobilizing the World’s Data | The AI Data Cloud
5 years ago: Great examples of Snowflake customers on AWS!
Director, Software Engineering, Architecture Strategy & Governance at Capital One
5 years ago: Great write-up, Sandy! We told a bit of Capital One’s AWS Active Directory story at AWS re:Inforce in Boston yesterday. https://www.dhirubhai.net/feed/update/urn:li:activity:6549883065043345408
ICT Professional - Retired; still Learning and Sharing
5 years ago: Knowing the power of and reliance that organisations have in Microsoft's AD, this capability is worth further examination for those using the cloud and/or considering moving to the cloud.
Technologist, Builder, Engineer
5 years ago: Very detailed and informative. A good read, Sandy Carter.
Inventor & Scientist | Quantum Computing, AI, HPC | Futurist
5 years ago: yay!