🔄 Active Directory Migrations to AWS
1. Common Migration Scenarios
- On-Prem AD to AWS Managed Microsoft AD (AWS MAD)
- On-Prem AD to Self-managed AD on EC2
- On-Prem AD to Hybrid (extend AD into AWS)
2. Migration Steps
A. Assessment & Planning
- Inventory current domain/forest structure
- Analyze DNS, GPOs, Sites and Services, FSMO roles
- Identify trusts, replication topology, and schema versions
- Use Azure AD Connect Health or AD Assessment tools (e.g., MAP Toolkit)
B. Prepare AWS Environment
- VPC with multiple Availability Zones (AD requires at least 2 subnets)
- AWS Direct Connect / VPN if hybrid
- Security groups and NACLs for LDAP, Kerberos, RPC, etc.
- Route 53 Resolver rules for DNS forwarding (from AWS to on-prem and vice versa)
C. Deploy AD in AWS
- Option 1: AWS Managed Microsoft AD
- Fully managed by AWS
- Multi-AZ deployment
- Supports trust with on-prem domains
- Option 2: AD on EC2
- Full control over domain controllers
- Join to existing domain or promote new forest
D. Data Migration
- Use ADMT (Active Directory Migration Tool) or QMM (Quest Migration Manager) for:
- Users
- Groups
- OUs
- SIDHistory
- Migrate GPOs using GPMC or PowerShell (
Backup-GPO,Import-GPO) - DNS zone migration with
dnscmd.exeor PowerShell
E. Testing and Validation
- Validate authentication, trust relationships
- Test DNS resolution
- Confirm GPO and replication functionality
F. FSMO Role Transfer & Cleanup
- Transfer FSMO roles if doing a full move
- Decommission old domain controllers carefully
- Validate SYSVOL replication and RID Master health
🧩 Active Directory Consolidations
Use Cases
- Merging domains or forests post-M&A
- Simplifying management (flattening OU structure)
- Reducing licensing costs or infrastructure overhead
Tools & Strategies
- ADMT + SIDHistory: Migrate users while preserving access
- Forest Trusts: Interim step before merging
- Group Policy consolidation: Centralize and audit overlapping policies
- Consolidated UPN suffixes and DNS namespaces
AWS Tip: In a hybrid environment, consolidate on-prem domains into AWS Managed AD to centralize identity for EC2, RDS, FSx, WorkSpaces, and Amazon Connect.
🌉 Active Directory Integration in AWS
1. AWS Services with Native AD Integration
- Amazon FSx for Windows File Server: Requires AD join
- Amazon RDS for SQL Server (Windows Authentication)
- Amazon WorkSpaces: Uses AD for user logins
- Amazon Connect: Uses AD for user federation
- SSO via AWS IAM Identity Center (formerly AWS SSO)
2. Identity Federation
- Use ADFS or AWS IAM Identity Center + AD Connector
- Supports SAML 2.0 for single sign-on into AWS Console
- Use Cases:
- Conditional Access
- Role-based access to AWS services
- Identity lifecycle from AD to IAM roles
3. AWS AD Connector
- Lightweight proxy that connects on-prem AD to AWS services
- No need to replicate/migrate AD
- Used when you want:
- AD-based auth for AWS WorkSpaces or RDS
- Minimal AWS footprint
4. DNS Considerations
- Use Route 53 Resolver to forward DNS queries from VPC to on-prem AD DNS
- Bi-directional DNS forwarding recommended in hybrid setups
🛡️ Security & Best Practices
- Use AWS Security Groups and NACLs to tightly control AD traffic
- Monitor AD using CloudWatch + AWS CloudTrail (if integrated via CloudWatch Agent)
- Enable AWS Config Rules to track compliance with directory-integrated services
- Implement Kerberos pre-authentication and auditing
- Regularly review IAM roles mapped to AD groups (especially in federated setups)
⚙️ Automation & Scripting
- CloudFormation / Terraform for setting up AD-integrated AWS resources
- PowerShell (AWS Tools for Windows):
Import-Module AWS.Tools.DirectoryService New-DSDirectory -Name "corp.example.com" -Password (ConvertTo-SecureString ...) -Size Small- Automate AD Join for EC2 via:
- EC2 Launch Templates
- Systems Manager State Manager
📐 1. Active Directory Hybrid Architecture (On-Prem ↔ AWS MAD)
Diagram Overview
Use Case: Hybrid identity for FSx, RDS, WorkSpaces, and EC2
🗂️ Components:
- On-prem AD (2 DCs)
- AWS Managed Microsoft AD (Multi-AZ)
- Site-to-Site VPN or Direct Connect
- Route 53 Resolver DNS forwarding
- EC2 joined to domain
- AWS SSO integrated with AD
