AWS Active Directory

Learn via video courses
Topics Covered


AWS Directory Service allows you to store information and control resource access. You can select the directory type based on your requirements. Customers that rely on Microsoft Active Directory Domain Services have three alternatives for migrating Active Directory-dependent applications to the AWS Cloud. These solutions also allow users to utilize their AWS Active Directory credentials to sign into AWS apps such as Amazon WorkSpaces and QuickSight.

How it Works

working of aws directory service


  • Official Microsoft Active Directory

AWS Managed Microsoft Active Directory is a Microsoft Active Directory instance hosted on AWS infrastructure. This enables you to control your devices and users in AWS Directory Service with tools you're already acquainted with, such as Active Directory Administrative Center and AWS Active Directory Users and Computers.

  • Extremely convenient

Because directories are mission-critical infrastructure, AWS Managed Microsoft Active Directory is deployed in highly available and throughout several Availability Zones. You also can ramp up your Amazon Managed Microsoft Active Directory directory by deploying extra domain controllers to increase the resilience of your managed directory and improve availability.

  • AWS Infrastructure

Microsoft Active Directory runs on AWS Directory Service architecture, with surveillance that automatically detects and replaces faulty domain controllers. Data replication and automatic daily snapshots are also set up for you. There is no application to install, and all patching and software updates are handled by AWS.

  • Multiple region replication

With multi-region replication, you may install and use a single AWS Managed Microsoft Active Directory across multiple AWS Regions. This simplifies and reduces the cost of international deployment and maintenance of Windows and Linux workloads. Automatic multi-region replication increases reliability, while the applications use a local directory for optimal speed.

  • Compliance with HIPAA and PCI

AWS Managed Microsoft Active Directory can be utilized to create and manage Active Directory-aware cloud storage which must adhere to the US HIPAA or the PCI DSS. AWS Directory Service Microsoft Active Directory reduces the work required to construct compliance AWS Active Directory infrastructures for your cloud apps while you conduct your HIPAA risk management initiatives or PCI DSS compliant certification.

  • Confidently support

You may easily connect AWS Managed Microsoft Active Directory to your old Active Directory by using AWS Active Directory trust relationships. Using your current AWS Active Directory, you may utilize trusts to govern which AWS Active Directory users have access to your AWS services.

  • Group-based policies Using native Active Directory Group Policy objects, you may control devices and individuals in Microsoft Active Directory (GPOs). GPOs may be produced with existing tools such as the GPMC.
  • SSO

AWS Managed Microsoft Active Directory uses the very same Kerberos-based authorization as your previous on-premises AWS Active Directory. When you combine your AWS resources with AWS Directory Service Microsoft Active Directory, your AWS Active Directory clients will be able to login into AWS services and apps to use a single pair of credentials.

  • Easy domain joining

You may use AWS Managed Microsoft Active Directory to use smooth domain connection for new and old EC2 instances for Windows Server and EC2 instances for Linux Operating systems with AWS Directory Service Microsoft Active Directory. When deploying new EC2 instances, you may choose which domain to join by using AWS Management Console. You may use the EC2Config service to provide smooth domain join for preexisting AWS EC2 instances.

  • A centralized directory for all workloads requiring directories

AWS Managed Microsoft Active Directory enables customers to use a unified directory for all of the directory-aware operations on AWS resources such as Amazon EC2, and AWS End Customer Computation solutions such as Amazon WorkSpaces.

  • Access to the Federated AWS Management Console

By choosing AWS Managed Microsoft Active Directory as the identifier, you can give your on-premises AWS Active Directory users access to the AWS Management Console and CLI via AWS Identity Center using their current AWS Active Directory credentials(the successor to AWS SSO). This enables your account to log in among their designated duties and can reach and act just on resources based on the permissions set for the role.

  • Daily Snapshots AWS Directory Service Microsoft Active Directory takes daily snapshots. Extra snapshots can also be taken before major program updates to guarantee that you retain the latest data in case you have to reverse back a change.

Use Cases

  • Managed services simplify administration.

Change to a high-availability, planned infrastructure with patching and software updates, as well as automatic domain controller replacement.

  • Workloads that are directory-aware should be migrated.

Reduce time to market by making both Microsoft Active Directory-aware and non-Microsoft directory of AWS Directory Service aware applications on demand

  • Enter your on-premises credentials here.

Allow users to easily access your Amazon Web Services (AWS) capabilities such as Amazon Connect, Amazon QuickSight, Amazon WorkSpaces, and 3rd party apps.

  • Scale your directory globally

Install a single directory across several AWS Regions and AWS accounts to gain access to Active Directory-aware applications and AWS services.


You only pay for the kind and size of managed directory that you utilize with AWS Directory Service. There are no upfront costs or minimum fees. You have the option to remove your managed directory at any moment.

  • Editions

AWS Directory Service for Microsoft Active Directory is available in two versions to assist you in creating a managed AWS Active Directory that suits the needs of your company. Both the Standard Edition and the Enterprise Edition may be used as the principal directory for your company to control customers, applications, and machines.

  • Standard Edition

AWS Managed Microsoft Active Directory is designed to serve as a principal directory for small and medium-sized enterprises (up to 5,000 employees). It has the storage capacity to accommodate up to 30,000 directory items such as customers, organizations, and so on.

  • Enterprise Edition

AWS Managed Microsoft Active Directory (Enterprise Edition) is intended for enterprises with up to 500,000 directory items.

Standard EditionEnterprise Edition
Storage space for directory items is available1 GB17 GB
Total number of directory objects30,000500,000
  • Directory Sharing

You may use AWS Directory Service for Microsoft Active Directory to utilize a directory in one account and share it with many accounts and VPCs.

Each extra account with whom you shared a directory incurs an hourly sharing fee. There is no sharing fee for extra VPCs to which you transfer a directory or for the accounts in which the directory is installed.

  • Multi-region replication

You may install and utilize a single directory across many AWS Regions using AWS Active Directory Service for Microsoft Active Directory.

There is a fee per GB for data transported "out" of the domain controllers to certain other AWS Regions when your directory is installed. The price table below shows the data transfer expenses for each location. Data transmission for multi-region replication is ineligible for a free trial.

  • 30-day limited free trial

During your first free 30 days as a AWS Active Directory Service subscriber, you will receive 1,500 domain controller hours across all  Directory Service managed directories as part of the 30-day restricted free trial.

The AWS Active Directory Service 30-day restricted free trial hours are calculated by AWS based on the kind of managed directory and the number of domain controllers which users install.

AWS Active Directory Service for Microsoft Active Directory (Standard Edition)AWS Active Directory Service for Microsoft Active Directory (Enterprise Edition)
Base price
Two domain controllers are included for maximum availability. Each domain controller is billed for $0.06 per hour by AWS.$0.12 per hour$0.40 per hour
Each extra domain controller$0.06 per hour$0.20 per hour
Price per extra account to whom the directory is shared for directory sharing$0.018 per hour$0.06 per hour

Which AWS Directory Option would be Suitable for You

Directory services can be chosen depending on the functionality and scalability that meet your specific requirements. Choose the AWS Active Directory Service directory choice that best suits your company using the table below.

If you require LDAP support for Linux applications, an actual Microsoft Active Directory in the AWS Cloud that supports workloads that require Active Directory awareness, or AWS applications and services like Amazon WorkSpaces and Amazon QuickSight, choose AWS Active Directory Service for Microsoft Active Directory (Standard Edition or Enterprise Edition).

If you just need to let your on-premises users connect to AWS apps and services using their AWS Active Directory credentials, utilize Active Directory Connector. Additionally, you may connect Amazon EC2 instances to your current Active Directory domain using Active Directory Connector.

Use Simple Active Directory if you want an inexpensive, low-scale directory that supports Samba 4-compatible apps and has rudimentary AWS Active Directory service compatibility, or if you require LDAP compatibility for LDAP-aware applications.

If you create large-scale SaaS apps and want a scalable directory to handle and identify your subscriber base that supports social media IDs, use Amazon Cognito.

Options in AWS Directory Service

AWS Directory Service for Microsoft Active Directory

The actual Microsoft Windows Server Active Directory (Active Directory) that powers AWS Active Directory Service for Microsoft Active Directory is handled by AWS in the AWS Cloud. You may move a variety of Active Directory-aware programs to the AWS Cloud using this.

Managed by AWS Microsoft SharePoint, Microsoft SQL Server Always On Availability Groups, and numerous .NET apps all function with Microsoft Active Directory. Additionally, it offers compatibility for AWS-managed services and applications such as Amazon WorkSpaces, Amazon WorkDocs, Amazon QuickSight, Amazon Chime, Amazon Connect, and Amazon Relational Database Service for Microsoft SQL Server (Amazon RDS for SQL Server, Amazon RDS for Oracle, and Amazon RDS for PostgreSQL).

Active Directory Connector

AWS Active Directory Service Connector is a proxy service that connects suitable AWS apps to your current on-premises Microsoft Active Directory, such as AWS WorkSpaces, QuickSight, and EC2 for Windows Server instances.

You may easily add one account to the Active Directory using Active Directory Connector. Additionally, Active Directory Connector eliminates the necessity for directory synchronization as well as the cost and complexity of running a federation infrastructure in AWS Active Directory Service.

When you add users to AWS services like Amazon QuickSight, Active Directory Connector scans your current Active Directory to generate lists of users and groups from which to choose. Active Directory Connector passes the sign-in request to the on-premises Active Directory domain controllers for verification when users check in to AWS apps.

Simple Active Directory Connector

Simple Active Directory is an AWS Active Directory Service Microsoft Active Directory-compatible directory driven by Samba 4. User accounts, group memberships, joining a Linux domain or Windows-based EC2 instances, Kerberos-based SSO, and group rules are all supported by Simple Active Directory. As part of the service, AWS offers monitoring, daily snapshots, and recovery.

Simple Active Directory is a cloud-based standalone directory where you can establish and maintain user IDs as well as manage application access. Many known Active Directory-aware programs and utilities that want basic Active Directory functionalities can be used.

Amazon WorkSpaces, WorkDocs, QuickSight, and WorkMail are all compatible with Simple Active Directory. You may also access the AWS Management Console using the AWS Directory Service Simple Active Directory user credentials.

Amazon Cognito

Amazon Cognito is a user directory that uses Amazon Cognito User Pools to add sign-up and sign-in to your smartphone app or online application.

Amazon Cognito may also be used to build customized register fields and save that metadata in the user's directory. This managed service can handle hundreds of millions of concurrent users.

AWS Managed Microsoft Active Directory

AWS Active Directory Service enables you to run Microsoft Active Directory (Active Directory) as a managed service. Windows Server 2019 powers AWS Directory Service for Microsoft Active Directory, commonly known as AWS Managed Microsoft Active Directory. When you choose and activate this directory type, a high-availability set of domain controllers linked to your formed VPC. The domain controllers are located in several Availability Zones in the Region of your choice. Monitoring and recovery of hosts, data replication, snapshots, and software upgrades are all configured and managed automatically.

You may operate directory-aware workloads on the AWS Cloud, such as Microsoft SharePoint and custom . NET and SQL Server-based apps, using AWS Managed Microsoft Active Directory. Using AWS IAM Identity Center, you may also build a trust connection between AWS Managed Microsoft Active Directory in the AWS Cloud and your current on-premises Microsoft Active Directory, granting users and groups access to resources in either domain (successor to AWS Single Sign-On).

AWS Directory Service makes it simple to set up and manage directories in the AWS Cloud, as well as connect your AWS resources to a preexisting on-premises Microsoft Active Directory. Once your directory has been built, you may utilize it for a wide range of purposes, including:

  • Manage users and groups
  • Provide single sign-on to applications and services
  • Create and apply group policy
  • Simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads
  • You can use AWS Managed Microsoft Active Directory to enable multi-factor authentication by integrating with your existing RActive DirectoryIUS-based MFA infrastructure to provide an additional layer of security when users access AWS applications.
  • Securely connect to Amazon EC2 Linux and Windows instances

Concepts of AWS Managed Microsoft Active Directory

Active Directory Schema

A schema is the definition of characteristics and classes in a distributed directory, which is analogous to fields and tables in a database. Schemas are a collection of rules that govern the kind and structure of data that may be added to or stored in a database. One class that is saved in the database is the User class.

Schema Components

The essential pieces utilized to generate object definitions in the schema are attributes, classes, and objects. The following section contains information regarding schema elements that you should be aware of before beginning the process of extending your AWS Directory Service Microsoft Active Directory schema.


Each schema attribute, which is equivalent to a database field, has various properties that determine the attribute's features. For example, the property LDAPDisplayName is utilized by LDAP clients to both read and write the attribute. All attributes and classes must use the same LDAPDisplayName property. 


The classes are similar to database tables in that they must have multiple characteristics specified. The object class category, for example, defines the class category

Be Aware of The Patching Schedule

AWS Directory Service uses Microsoft updates to keep the Microsoft Windows Server software on your DCs up to date. As Microsoft releases monthly Windows Server rollup fixes, AWS takes every effort to test and deliver the rollup to all client DCs within three calendar weeks. Furthermore, AWS evaluates updates released by Microsoft outside of the monthly rollup based on their relevance to DCs and urgency

OID (object identifier)

Each class and property must have a unique OID across all of your objects. To ensure uniqueness, software suppliers must establish their OID. When the same characteristic is utilized by many applications for different reasons, uniqueness prevents conflicts. A root OID can be obtained from an ISO Name Registration Authority to assure uniqueness. You may also receive a basic OID from Microsoft.

Attributes Connected to A Schema

Some properties are connected via forward and back connections between two classes. Groups are the finest illustration. When you look at a group, you can see who the members are; when you look at a user, you can see which groups they belong to. Active Directory generates a forward connection to the group when you add a user to it. The user is then linked back to the group via AWS Directory Service. When generating a connected attribute, a unique link ID must be generated.

Ensuring Accessibility

Each directory is comprised of two DCs, each of which is installed in a distinct Availability Zone. You have the option of adding DCs to improve availability even more. AWS repairs your DCs sequentially, and the DC that AWS is currently patching is inaccessible throughout this period. If one or more of the DCs is momentarily unavailable, AWS delays patching till the directory has had at least two working DCs.

Getting Started with Creating AWS Managed Microsoft Active Directory

Follow the instructions below to establish a new directory. Check that you have fulfilled the prerequisites listed in AWS Directory Service Managed Microsoft Active Directory prerequisites before beginning this method.

To create an AWS Managed Microsoft Active Directory directory

  1. Choose Directories in the AWS Directory Service console navigation pane, followed by Set up directory. directories in aws directory service console
  2. Select AWS Managed Microsoft Active Directory and then Next on the Select directory type page. aws managed microsoft active directory
  3. Enter the following information on the Enter directory information page: enter directory information
    • Edition

AWS Managed Microsoft Active Directory is available in two editions: Standard and Enterprise. * DNS Name for The Directory

The directory's fully qualified name, such as * NetBIOS Directory Name

The directory's abbreviation, such as EXCH. * Directory Synopsis

A description for the directory is optional. * Administrator Password

The directory administrator's password. During the directory creation procedure, an administrator user with the username and password Admin and this password is created. 4. Give all the required information on the Choose VPC and subnets screen, then click Next. selecting vpc and subnets 5. You can review the directory information on the Review & Create page and make any required adjustments. When all of the information is right, select Create a directory. It takes between 20 and 40 minutes to create the directory. The Status variable is changed to Active after the object is created. review and create

AWS Active Directory Domain Service

AWS offers a wide range of products and solutions for hosting AWS Directory Service Microsoft Windows-based applications on its public cloud. Microsoft Active Directory Domain Services (Active Directory DS) and Domain Name System (DNS) are basic Windows services that serve as the foundation for many enterprise-class Microsoft-based solutions, such as MS SharePoint, Exchange, and.NET applications.

This Quick Start is intended for companies that operate workloads on the AWS Cloud and need assistance setting-up secure, low-latency access to Active Directory DS and DNS services. After reading this book, IT infrastructure staff should be able to build and install a solution to start Active Directory DS in the AWS Cloud or expand your on-premises Active Directory DS into the AWS Directory Service in AWS Cloud. The Quick Start installs a two- or one-tier Microsoft Public Key Architecture as an option.

This section focuses on infrastructure configuration concerns that must be carefully considered while designing and implementing Active Directory DS, domain controller instances, and DNS operations in the AWS Environment. Basic Windows Server installation and program configuration activities are not covered. Consult the for general software setup advice and best practices.


  • AWS Managed Microsoft Active Directory enables you to manage your users and devices using familiar tools such as Active Directory Administrative Center and Active Directory Users and Computers.
  • Customers that wish to use current Microsoft Active Directory-aware or Lightweight Directory Access Protocol (LDAP)-aware apps in the cloud can leverage AWS Directory Service's many directory options.
  • With AWS Managed Microsoft Active Directory, you may use a single directory for all directory-aware workloads on AWS resources such as EC2 instances, RDS for SQL Server instances, and AWS End User Computing service.
  • AWS Directory Service enable users to easily access your AWS services like Amazon Connect, Amazon QuickSight, Amazon WorkSpaces, and third-party business apps.
  • AWS Managed Microsoft Active Directory may be used to create and manage Active Directory-aware cloud services that must adhere to the US HIPAA or the PCI DSS.
  • AWS Managed Service Microsoft Active Directory operates on AWS-managed infrastructure, with monitoring that finds and replaces failed domain controllers automatically.