If configured to manage AWS Managed Microsoft AD, Active Roles offers a feature set similar to managing an on-premises AD service. This includes:
- Performing the day-to-day administration tasks of AD objects (users, contacts, computers, distribution and security groups, Organizational Units, shared folders) in the Active Roles Console or the Web Interface.
- Rule-based and role-based administrative views and permissions for AD objects (Managed Units and Access Templates).
- Automation and approval workflows for AD objects.
- Importing the Management History database and/or Configuration database from an on-premises Active Roles installation of the same version. This is useful if you want to migrate the configuration of an existing on-premises Active Roles installation to your Active Roles installation running in an EC2 instance to manage AWS Managed Microsoft AD.
When using Active Roles to manage AWS Managed Microsoft AD resources, consider the following limitations.
Amazon Web Services limitations
For Active Roles installations deployed in Amazon Elastic Compute Cloud (EC2) instances and SQL Servers hosted on Amazon Relational Database Service for SQL Server (RDS for SQL Server) instances, the known EC2 and RDS limitations apply.
AD LDS, Azure AD, Exchange and Exchange Online support
Active Roles components (such as the Active Roles Console or Web Interface) that also support directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD-related configuration and administration tasks.
Likewise, Active Roles features (such as Managed Units or Access Templates) that also support managing objects from directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD object and permission management.
Domain Admin account management
As AWS has exclusive control over Domain Admin accounts, managing such accounts with Active Roles is not possible in AWS Managed Microsoft AD.
For more information, see Admin account in the AWS Directory Service documentation.
Federated authentication support
Federated authentication with WS-Fed was not tested to work with AWS Managed Microsoft AD.
Non-AD specific Active Roles features
Active Roles features used to manage non-AD directory services (such as Exchange Resource Forest Management) were not tested to work with AWS Managed Microsoft AD.
Service Connection Point discovery
Active Roles connected services (such as the Active Roles Console) rely on AD Discovery to create Service Connection Points (SCPs) and find other Active Roles services.
As AWS Directory Service does not support AD Discovery, Active Roles services installed on an EC2 instance to manage AWS Managed Microsoft AD may not be able to automatically discover the Active Roles Administration Service, impacting the user experience.
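Because automatic discovery depends on an SCP being present, the first thing to verify on an EC2-hosted installation is whether any Active Roles service has published one. The following PowerShell script is an added example (not from the Active Roles documentation): it enumerates every serviceConnectionPoint object in the domain and flags the ones whose name or keywords mention Active Roles. The exact keyword values Active Roles writes are not stated on this page, so that name match is an assumption; the script also assumes the RSAT ActiveDirectory module and an account with read access to the domain.

```powershell
# Added example, not Active Roles code: list the Service Connection Points published
# in the domain so you can confirm whether an Administration Service SCP exists
# before relying on automatic discovery from the Console or Web Interface.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$searchBase = $domain.DistinguishedName

# serviceConnectionPoint objects carry 'keywords' and 'serviceBindingInformation'.
# This is a generic SCP query; nothing here is specific to Active Roles yet.
$scps = Get-ADObject -LDAPFilter '(objectClass=serviceConnectionPoint)' `
    -SearchBase $searchBase -SearchScope Subtree `
    -Properties keywords, serviceBindingInformation, serviceClassName, whenChanged

if (-not $scps) {
    Write-Warning "No serviceConnectionPoint objects found under $searchBase."
    return
}

$scps |
    Select-Object Name,
        @{ n = 'Keywords'; e = { $_.keywords -join '; ' } },
        @{ n = 'Binding';  e = { $_.serviceBindingInformation -join '; ' } },
        serviceClassName, whenChanged, DistinguishedName |
    Format-Table -AutoSize

# Assumption: an Administration Service SCP mentions "Active Roles" in its name or
# keywords. Adjust the pattern if your deployment publishes different values.
$candidates = @($scps | Where-Object {
    ($_.keywords -join ' ') -match 'Active ?Roles' -or $_.Name -match 'Active ?Roles'
})

if ($candidates.Count -gt 0) {
    "Found $($candidates.Count) SCP(s) that look like Active Roles services."
} else {
    "No Active Roles SCP found: point clients at the Administration Service host explicitly."
}
```

If the second branch prints, the symptom described above (clients unable to locate the Administration Service) is expected, and the service host has to be specified manually in the connecting component rather than discovered.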
Synchronization limitations
When synchronizing directory data or passwords from on-premises Active Directory to AWS Managed Microsoft AD, Active Roles has the following limitations:
- Active Roles was only tested to work with connections and sync workflows based on the following connectors:
  Sync workflows and connections based on other connectors are not officially supported.
- When synchronizing passwords from an on-premises Active Directory to AWS Managed Microsoft AD, synchronizing the pwdHash attribute, and synchronizing and then populating the SIDHistory attribute in AWS Managed Microsoft AD, are not supported. This is because the Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.
- Synchronizing passwords from AWS Managed Microsoft AD to on-premises AD with Active Roles is not supported. This is because the Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.
SQL Server replication support
As Active Roles uses RDS for SQL Server when managing AWS Managed Microsoft AD, the SQL Server replication feature of Active Roles is not supported.
Usable Organizational Unit in the AD domain
After you connect the Active Roles Console to your AWS Managed Microsoft AD environment, the AD domain and its containers will appear in the Active Roles Console (and if configured, in the Web Interface as well). By default, the AWS Managed Microsoft AD environment contains three types of containers:
- AWS-specific containers.
- The default AD-specific containers (such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, and so on).
- An Organizational Unit container matching the NetBIOS name (or shortname) of the AWS Managed Microsoft AD deployment. For example, if the shortname of your AD domain is ARDEMO, the name of this container will also be ARDEMO.
Consider that out of these three container types, you can manage AD resources only in the Organizational Unit with the name matching the shortname of your AWS Managed Microsoft AD environment. All other containers will be read-only.
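The read-only behaviour comes from the DACLs AWS places on the domain root and its default containers, so it can be confirmed from the account you use with Active Roles rather than discovered by trial and error. The following PowerShell script is an added example (not from the Active Roles documentation): it locates the top-level OU named after the domain's NetBIOS name and counts the Allow ACEs granting write-type rights to the current user or its token groups on that OU versus every other top-level container. It assumes the RSAT ActiveDirectory module (which also provides the AD: drive) and that you run it as the Active Roles service or administrator account; the write-rights mask used for the comparison is the author's choice, not something AWS or One Identity defines.

```powershell
# Added example, not Active Roles code: compare write rights on the OU named after
# the domain shortname (expected writable) with the other top-level containers
# (expected read-only) for the account running this script.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$shortName = $domain.NetBIOSName            # 'ARDEMO' in the text's example
$domainDn  = $domain.DistinguishedName

# The managed OU sits directly under the domain root and is named after the shortname.
$managedOu = Get-ADOrganizationalUnit -LDAPFilter "(ou=$shortName)" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $managedOu) {
    Write-Warning "No top-level OU named '$shortName' found under $domainDn."
    return
}

# SIDs of the current user and every group in its access token, for matching ACEs.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Rights that let a principal create or change objects (assumed mask for this check).
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-MyWriteAces {
    param([string]$DistinguishedName)
    # The AD: drive exposes each object's DACL through Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: cannot be one of ours
        if (($mySids -contains $sid) -and (($ace.ActiveDirectoryRights -band $writeMask) -ne 0)) { $ace }
    }
}

# Every other top-level OU or container, for comparison.
$others = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' `
    -SearchBase $domainDn -SearchScope OneLevel |
    Where-Object { $_.DistinguishedName -ne $managedOu.DistinguishedName }

$report = foreach ($obj in @($managedOu) + @($others)) {
    $aces = @(Get-MyWriteAces -DistinguishedName $obj.DistinguishedName)
    [pscustomobject]@{
        Container = $obj.DistinguishedName
        Expected  = if ($obj.DistinguishedName -eq $managedOu.DistinguishedName) { 'writable' } else { 'read-only' }
        WriteAces = $aces.Count
    }
}
$report | Format-Table -AutoSize
```

A non-zero WriteAces count is expected only on the row marked writable. The check looks at explicit and inherited Allow entries only; it does not evaluate Deny entries or object-type-specific ACEs, so treat it as a quick confirmation of the layout described above rather than a full effective-permissions calculation.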
Active Roles 8.1.3 supports cryptography libraries and algorithms compliant with Federal Information Processing Standards (FIPS) 140-2. For more information on FIPS-compliant libraries and algorithms, see FIPS 140-2: Security Requirements for Cryptographic Modules.
NOTE: Consider the following when planning to use FIPS-compliant cryptography libraries or algorithms:
- Although Active Roles continues to support non-FIPS compliant cryptography libraries and algorithms, it will not work properly if it is configured to use non-FIPS compliant solutions in a FIPS-compliant environment.
- If you already use FIPS-compliant security algorithms in your environment (such as the TripleDES security algorithm, or the SHA256 hash algorithm), you must export your existing configuration, and import it in a new Active Roles installation.
The Active Roles Capture Agent supports Local Security Authority (LSA) protection. For more information, see Configuring Additional LSA Protection in the Microsoft Windows Server documentation.
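Both of the notes above map to Windows policy values that can be read before installing or upgrading, which avoids finding out after the fact that a FIPS-enforced host rejects a non-validated algorithm. The following PowerShell script is an added example (not from the Active Roles documentation): it reads the FIPS algorithm policy and the LSA protection (RunAsPPL) setting from the registry, and then instantiates two .NET implementations of the same hash (SHA-256) to show that only the non-validated managed one is refused when the FIPS policy is on. The probe reflects .NET Framework behaviour (Windows PowerShell 5.1); PowerShell 7 does not block managed implementations that way. The registry paths are the standard Windows ones, and the report layout is the author's own.

```powershell
# Added example, not Active Roles code: preflight check of the FIPS and LSA
# protection policy values on a host that will run Active Roles or its Capture Agent.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: policy not configured
    return [int]$item.$Name
}

# 'System cryptography: Use FIPS compliant algorithms ...' sets Enabled=1 here.
$fipsEnabled = Get-RegistryDword -Path "$lsaKey\FipsAlgorithmPolicy" -Name 'Enabled'
# LSA protection: RunAsPPL=1 enables it with a UEFI lock, 2 enables it without one.
$runAsPpl    = Get-RegistryDword -Path $lsaKey -Name 'RunAsPPL'

function Test-FipsAlgorithm {
    # Instantiate the given .NET hash type. With the FIPS policy on, .NET Framework
    # throws InvalidOperationException for implementations that are not FIPS-validated.
    param([string]$TypeName)
    try {
        $h = New-Object -TypeName $TypeName
        $h.Dispose()
        return 'usable'
    } catch {
        return "blocked ($($_.Exception.GetBaseException().GetType().Name))"
    }
}

[pscustomobject]@{
    Setting = 'FIPS algorithm policy (FipsAlgorithmPolicy\Enabled)'
    Value   = if ($null -eq $fipsEnabled) { 'not set (off)' } elseif ($fipsEnabled -eq 1) { 'on' } else { 'off' }
}
[pscustomobject]@{
    Setting = 'LSA protection (RunAsPPL)'
    Value   = if ($null -eq $runAsPpl) { 'not set (off)' } elseif ($runAsPpl -in 1, 2) { "on ($runAsPpl)" } else { "unexpected ($runAsPpl)" }
}
[pscustomobject]@{
    Setting = '.NET reports FIPS-only mode (CryptoConfig.AllowOnlyFipsAlgorithms)'
    Value   = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
}
# Same algorithm, two implementations: the CSP-backed class is FIPS-validated, the
# managed class is not, so only the managed one is rejected when the policy is on.
[pscustomobject]@{ Setting = 'SHA256CryptoServiceProvider'; Value = Test-FipsAlgorithm 'System.Security.Cryptography.SHA256CryptoServiceProvider' }
[pscustomobject]@{ Setting = 'SHA256Managed';               Value = Test-FipsAlgorithm 'System.Security.Cryptography.SHA256Managed' }
```

On a host where the first row reads "on", any component configured with a non-validated implementation fails the way the second note describes; the last two rows make that visible for one algorithm pair without touching the Active Roles configuration itself.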