To synchronize data to and from AWS Managed Microsoft AD, you must deploy Active Roles in Amazon Web Services (AWS) in the following configuration:
Active Roles must be deployed on an Amazon Elastic Compute Cloud (EC2) instance or instances. For more information, see the Amazon Elastic Compute Cloud documentation.
The SQL Server required by Active Roles must run on a separate Amazon Relational Database Service for Microsoft SQL Server (RDS for SQL Server) instance. For more information, see the Amazon RDS documentation.
The Active Directory environment must be hosted in AWS via AWS Directory Service. For more information, see the AWS Directory Service documentation.
NOTE: Support for AWS Managed Microsoft AD by Active Roles was tested only in this configuration. Active Roles does not officially support managing AWS Managed Microsoft AD environments in a hybrid deployment, that is, using an on-premises Active Roles and/or SQL Server installation and hosting AD via AWS Directory Service.
If configured to manage AWS Managed Microsoft AD in the Amazon cloud, Active Roles offers the following features:
However, when using in an EC2 instance in the Amazon cloud, also consider the following limitations.
Amazon Web Services limitations
For Active Roles installations deployed in Amazon Elastic Compute Cloud (EC2) instances and SQL Servers hosted on Amazon Relational Database Service for SQL Server (RDS for SQL Server) instances, the known EC2 and RDS limitations apply.
When synchronizing directory data or passwords from on-premises Active Directory to AWS Managed Microsoft AD, Active Roles has the following limitations:
Active Roles was only tested to work with connections and sync workflows based on the following connectors:
Sync workflows and connections based on other connectors are not officially supported.
When synchronizing passwords from an on-premises Active Directory to AWS Managed Microsoft AD, synchronizing the pwdHash attribute and synchronizing then populating the SIDHistory attribute to AWS Managed Microsoft AD is not supported. This is because the Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.
Synchronizing passwords from AWS Managed Microsoft AD to on-premises AD with Active Roles is not supported. This is because the Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.
Before starting the deployment and configuration of Active Roles to manage AWS Managed Microsoft AD via AWS Directory Service, make sure that the following requirements are met.
NOTE: When setting up a virtual environment, carefully consider the configuration aspects such as CPU, memory availability, I/O subsystem, and network infrastructure to ensure the virtual layer has the necessary resources available. Please consult One Identity's Product Support Policies for more information on environment virtualization.
You must have:
Stable network connectivity to Amazon Web Services (AWS).
Port 1433 open and available for the Amazon Relational Database Service (RDS) service.
Access to the AWS service with the AWSAdministratorAccess permission.
NOTE: Make sure that you have AWSAdministratorAccess permission, as it is required for certain configuration steps. The AWSPowerUserAccess permission is not sufficient for completing the entire configuration procedure.
To deploy and configure Active Roles for AWS Managed Microsoft AD, you must have access to the following AWS services and resources:
AWS Managed Microsoft AD deployed via AWS Directory Service.
One or more Amazon Elastic Compute Cloud (EC2) instance(s) hosting the Active Roles services and components.
The EC2 instance(s) must have, at minimum:
NOTE: AWS Managed Microsoft AD support was tested with a single t2.large EC2 instance.
An Amazon Relational Database Service for SQL Server (RDS for SQL Server).
NOTE: AWS Managed Microsoft AD support was tested with an RDS instance running the latest version of Microsoft SQL Server.
Make sure that all these components are discoverable or visible to each other.