Support for AWS Managed Microsoft AD
NOTE: This feature is officially supported starting from Active Roles 8.1.3 SP1 (build 8.1.3.10). It is not supported on Active Roles 8.1.3 (build 8.1.3.2) and earlier versions.
Active Roles supports deployment and configuration in the Amazon cloud to manage AWS Managed Microsoft AD instances hosted via AWS Directory Service.
This allows you to:
-
Synchronize directory data from an on-premises AD environment to AWS Managed Microsoft AD.
-
Synchronize passwords from an on-premises Active Directory to AWS Managed Microsoft AD (with certain limitations).
For more information on configuring Active Roles to manage AWS Managed Microsoft AD environments, see Configuring Active Roles for AWS Managed Microsoft AD in the Active RolesInstallation Guide or Active RolesAdministration Guide documents.
For more information on configuring Active Roles to synchronize resources to or from AWS Managed Microsoft AD, see Installing and configuring for use with AWS Managed Microsoft AD in the Active RolesAdministration Guide.
To manage AWS Managed Microsoft AD environments, you must deploy Active Roles in Amazon Web Services (AWS) in the following configuration:
-
Active Roles must be deployed on an Amazon Elastic Compute Cloud (EC2) instance or instances. For more information, see the Amazon Elastic Compute Cloud documentation.
-
The SQL Server required by Active Roles Administration Service must run on a separate Amazon Relational Database Service for Microsoft SQL Server (RDS for SQL Server) instance. For more information, see the Amazon RDS documentation.
-
The Active Directory environment must be hosted in AWS via AWS Directory Service. For more information, see the AWS Directory Service documentation.
NOTE: Support for AWS Managed Microsoft AD by Active Roles was tested only in this configuration. Active Roles does not officially support managing AWS Managed Microsoft AD environments in a hybrid deployment, that is, using an on-premises Active Roles and/or SQL Server installation and hosting AD via AWS Directory Service.
If configured to manage AWS Managed Microsoft AD, Active Roles offers a feature set similar to managing an on-premises AD service. This includes:
-
Performing the day-to-day administration tasks of AD objects (users, contacts, computers, distribution and security groups, Organizational Units, shared folders) in the Active Roles Console or the Web Interface.
-
Rule-based and role-based administrative views and permissions for AD objects (Managed Units and Access Templates).
-
Automation and approval workflows for AD objects.
-
Importing the Management History database and/or Configuration database from an on-premises Active Roles installation of the same version. This is useful if you want to migrate the configuration of an existing on-premises Active Roles installation to your Active Roles installation running in an EC2 instance to manage AWS Managed Microsoft AD.
When using Active Roles to manage AWS Managed Microsoft AD resources, consider the following limitations.
Amazon Web Services limitations
For Active Roles installations deployed in Amazon Elastic Compute Cloud (EC2) instances and SQL Servers hosted on Amazon Relational Database Service for SQL Server (RDS for SQL Server) instances, the known EC2 and RDS limitations apply.
AD LDS, Azure AD, Exchange and Exchange Online support
Active Roles components (such as the Active Roles Console or Web Interface) that also support directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD-related configuration and administration tasks.
Likewise, Active Roles features (such as Managed Units or Access Templates) that also support managing objects from directory services other than AD (AD LDS, Azure AD, Exchange, or Exchange Online) were only tested to support AD object and permission management.
Domain Admin account management
As AWS has exclusive control over Domain Admin accounts, managing such accounts with Active Roles is not possible in AWS Managed Microsoft AD.
For more information, see Admin account in the AWS Directory Service documentation.
Federated authentication support
Federated authentication with WS-Fed was not tested to work with AWS Managed Microsoft AD.
Non-AD specific Active Roles features
Active Roles features used to manage non-AD directory services (such as Exchange Resource Forest Management) were not tested to work with AWS Managed Microsoft AD.
Service Connection Point discovery
Active Roles connected services (such as the Active Roles Console) rely on AD Discovery to create Service Connection Points (SCPs) and find other Active Roles services.
As AWS Directory Service does not support AD Discovery, Active Roles services installed on an EC2 instance to manage AWS Managed Microsoft AD may not be able to automatically discover the Active Roles Administration Service, impacting the user experience.
limitations
-
When synchronizing directory data or passwords from on-premises Active Directory to AWS Managed Microsoft AD, Active Roles has the following limitations:
-
Active Roles was only tested to work with connections and sync workflows based on the following connectors:
Sync workflows and connections based on other connectors are not officially supported.
-
When synchronizing passwords from an on-premises Active Directory to AWS Managed Microsoft AD, synchronizing the pwdHash attribute and synchronizing then populating the SIDHistory attribute to AWS Managed Microsoft AD is not supported. This is because the Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.
-
Synchronizing passwords from AWS Managed Microsoft AD to on-premises AD with Active Roles is not supported. This is because the Capture Agent cannot be installed in an AWS Managed Microsoft AD environment.
SQL Server replication support
As Active Roles uses RDS for SQL Server when managing AWS Managed Microsoft AD, the SQL server replication feature of Active Roles is not supported.
Usable Organizational Unit in the AD domain
After you connect the Active Roles Console to your AWS Managed Microsoft AD environment, the AD domain and its containers will appear in the Active Roles Console (and if configured, in the Web Interface as well). By default, the AWS Managed Microsoft AD environment contains three types of containers:
-
AWS-specific containers.
-
The default AD-specific containers (such as Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, and so on).
-
An Organizational Unit container matching the NetBIOS (or shortname) of the AWS Managed Microsoft AD deployment. For example, if the shortname of your AD domain is ARDEMO, the name of this container will also be ARDEMO.
Consider that out of these three container types, you can manage AD resources only in the Organizational Unit with the name matching the shortname of your AWS Managed Microsoft AD environment. All other containers will be read-only.
