1. How many domains, in all, are in play? If there are multiple domains, what is the purpose of each?
2. How many Domain Controllers per domain (in general, at least two DCs per domain are recommended)? Which DCs hold the PDC emulator and the other FSMO roles? AD uses multi-master replication, so there are no primary and secondary DCs in the NT4 sense; the operations-master roles and any read-only DCs are what to record.
3. Is there a separate AD FS server (or farm)?
4. Are these all standalone domains, part of a domain tree, or part of a forest with multiple trees? What trusts exist between them?
5. How many objects in all (user objects, computer objects…)?
6. How does DNS currently work? Is DNS hosted on the domain controllers themselves, or on separate DNS servers?
7. Are there any custom schema modifications?
8. What types of applications are authenticated via AD (internal versus external, and the technology stacks involved: ASP.NET (version), LAMP, J2EE (version)…)? Do these apps use a claims-based identity model for authenticating against AD (e.g., Windows Identity Foundation)?
9. How is SSO currently being achieved (Azure AD Connect, AD FS, etc.)?
10. Is there an Azure AD tenant in place? What is currently being handled by it?
11. What are the primary requirements around the MFA and password reset process being defined?
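Most of the checklist above can be answered from a domain-joined workstation with the RSAT ActiveDirectory module before anyone fills in a spreadsheet. The script below is an added example, not code from the original post: it is read-only, walks every domain in the forest, and reports what items 1 through 7, 9 and 10 ask for. The AD FS and Azure AD Connect checks are heuristics (the AD FS DKM container and the MSOL_ service account that the respective installers create), so treat a "none found" from them as "not detected", not as proof of absence.

```powershell
# Added example, not code from the original post: read-only discovery for the
# AD assessment checklist. Run as an ordinary domain user on a domain-joined host
# with RSAT installed. The AD FS and Azure AD Connect checks are heuristics.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest $($forest.Name) ($($forest.ForestMode)); domains: $($forest.Domains -join ', ')"
"Schema master: $($forest.SchemaMaster); domain naming master: $($forest.DomainNamingMaster)"

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # Q1/Q4: a domain with a ParentDomain is a child in a tree; otherwise it roots a tree.
    $place = if ($domain.ParentDomain) { "child of $($domain.ParentDomain)" } else { 'tree root' }
    "`n== $domainName ($place, $($domain.DomainMode)) =="

    # Q2: replication is multi-master, so count DCs and report the FSMO holders
    # instead of looking for a 'primary' DC.
    $dcs = @(Get-ADDomainController -Filter * -Server $domainName)
    "DCs: $($dcs.Count) (at least 2 recommended); PDC emulator: $($domain.PDCEmulator); RID master: $($domain.RIDMaster)"
    if ($dcs.Count -lt 2) { Write-Warning "$domainName has a single domain controller" }
    $dcs | ForEach-Object { "  $($_.HostName)  site=$($_.Site)  GC=$($_.IsGlobalCatalog)  RODC=$($_.IsReadOnly)" }

    # Q4: trusts, with the two settings that bound a trust's blast radius.
    Get-ADTrust -Filter * -Server $domainName | ForEach-Object {
        "  trust -> $($_.Name): direction=$($_.Direction) forest=$($_.ForestTransitive) " +
        "selectiveAuth=$($_.SelectiveAuthentication) sidFiltering=$($_.SIDFilteringQuarantined)"
    }

    # Q5: object counts.
    $users     = @(Get-ADUser     -Filter * -Server $domainName).Count
    $computers = @(Get-ADComputer -Filter * -Server $domainName).Count
    $groups    = @(Get-ADGroup    -Filter * -Server $domainName).Count
    "Objects: users=$users computers=$computers groups=$groups"

    # Q6: is DNS on the DCs? Compare the zone's NS records with the DC host names.
    $ns = @(Resolve-DnsName -Name $domainName -Type NS -ErrorAction SilentlyContinue |
            Where-Object QueryType -eq 'NS' | ForEach-Object NameHost)
    $onDc = @($ns | Where-Object { $dcs.HostName -contains $_ })
    "DNS name servers: $($ns -join ', ') ($($onDc.Count) of $($ns.Count) are DCs)"

    # Q3 (heuristic): an AD FS farm that keeps its keys in AD creates a DKM container
    # under CN=ADFS,CN=Microsoft,CN=Program Data in the domain.
    $dkm = "CN=ADFS,CN=Microsoft,CN=Program Data,$($domain.DistinguishedName)"
    $adfs = @(Get-ADObject -Server $domainName -SearchBase $dkm -Filter * -ErrorAction SilentlyContinue)
    "AD FS DKM objects: $($adfs.Count)"

    # Q9/Q10 (heuristic): Azure AD Connect express settings create an MSOL_<hex> account.
    $aadc = @(Get-ADUser -Server $domainName -Filter 'Name -like "MSOL_*"')
    "Azure AD Connect accounts: $(if ($aadc) { $aadc.Name -join ', ' } else { 'none found' })"
}

# Q7: schema extensions. Anything created well after the schema container itself
# (Exchange, SCCM, in-house attributes) is an extension. OIDs minted with
# Microsoft's oidgen script sit under 1.2.840.113556.1.8000.2554, so the OID
# prefix alone cannot tell an in-house attribute from a Microsoft one.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$baseline = (Get-ADObject -Identity $schemaNC -Properties whenCreated).whenCreated.AddDays(1)
$ext = @(Get-ADObject -SearchBase $schemaNC -Properties whenCreated, attributeID, governsID `
          -LDAPFilter '(|(objectClass=attributeSchema)(objectClass=classSchema))' |
        Where-Object { $_.whenCreated -gt $baseline })
"`nSchema objects added after forest creation: $($ext.Count)"
$ext | Group-Object { $_.whenCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Name | ForEach-Object { "  $($_.Name): $($_.Count) objects" }
$ext | Where-Object { ($_.attributeID, $_.governsID) -like '1.2.840.113556.1.8000.2554.*' } |
    ForEach-Object { "  oidgen-style OID: $($_.Name) $($_.attributeID)$($_.governsID)" }
```

The trust listing is worth a second look during the assessment: a trust with `selectiveAuth=False` and `sidFiltering=False` lets any authenticated principal on the far side request tickets for every resource on this side, which is exactly the exposure you want to know about before extending the forest into AWS.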

AWS Managed Microsoft AD and AD Connector

  • Private AD for your VPC instances: AWS deploys the domain controllers into two subnets of your VPC, in two Availability Zones.
  • Is it publicly accessible? No. The directory is reachable only from the VPC and from networks connected to it (VPN, Direct Connect, peering). The access URL you create in the AWS Directory Service console (an alias under awsapps.com) is a sign-in page for AWS applications such as the AWS Management Console and Amazon WorkSpaces, not an exposed LDAP or Kerberos endpoint.
  • You can create a trust relationship between your on-premises AD and this managed AD. Treat it like any other trust: keep SID filtering on, enable selective authentication, and prefer a one-way trust where only one side's users need to reach the other side's resources.
  • No need to federate: with that trust in place you can use existing corporate credentials to administer AWS resources, by mapping AD users and groups to IAM roles for AWS Management Console access, so you do not need to build out additional identity federation infrastructure.
  • HA and multi-Region replication: a single AWS Managed Microsoft AD can be deployed across multiple AWS Regions. Multi-Region replication automatically configures the inter-Region network connectivity, deploys domain controllers in each Region, and replicates all of the Active Directory data between them.
  • AWS synchronizes all directory data, including users, groups, Group Policy Objects (GPOs) and the schema, across those Regions, and handles software updates, monitoring, recovery and the security of the underlying AD infrastructure in all of them. Integration with Amazon CloudWatch Logs and Amazon Simple Notification Service (SNS) lets you monitor the directory's health and security logs globally.
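The trust bullet above has two halves that must agree: the AWS side is created through the Directory Service API, the on-premises side on a DC in your own forest, and both must use the same trust password and direction. The following is an added example, not code from the original post or from AWS. It uses the AWS CLI (`aws ds create-trust`, `aws ds describe-directories`) and the .NET `System.DirectoryServices.ActiveDirectory.Forest` API; the directory ID, domain names and DNS addresses are assumptions.

```powershell
# Added example, not from the original post. First half runs anywhere the AWS CLI
# has Directory Service permissions; second half runs on an on-prem DC as an
# Enterprise Admin. Identifiers below are assumptions.
$directoryId  = 'd-1234567890'              # AWS Managed Microsoft AD (assumed)
$awsDomain    = 'aws.example.com'           # its DNS name (assumed)
$onPremDomain = 'corp.example.com'          # on-prem forest root (assumed)
$onPremDns    = '10.1.0.10', '10.1.0.11'    # on-prem DNS servers (assumed)

# One random trust password shared by both halves. It never needs to be known to a
# human; it only has to match on both sides for the duration of trust creation.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$trustPassword = [Convert]::ToBase64String($bytes)

# --- AWS side ------------------------------------------------------------------
# Selective authentication means on-prem principals get no access in the AWS
# domain until they are explicitly granted "Allowed to authenticate" on a resource.
# PowerShell expands $onPremDns into one argument per address for the native call.
$trustId = aws ds create-trust `
    --directory-id $directoryId `
    --remote-domain-name $onPremDomain `
    --trust-password $trustPassword `
    --trust-direction 'Two-Way' `
    --trust-type Forest `
    --selective-auth Enabled `
    --conditional-forwarder-ip-addrs $onPremDns `
    --query TrustId --output text
"AWS side created: $trustId (verify with: aws ds describe-trusts --directory-id $directoryId)"

# --- On-prem side ----------------------------------------------------------------
# 1) A conditional forwarder so this forest can resolve the managed domain.
$awsDnsIps = (aws ds describe-directories --directory-ids $directoryId `
    --query 'DirectoryDescriptions[0].DnsIpAddrs' --output text) -split '\s+'
Add-DnsServerConditionalForwarderZone -Name $awsDomain -MasterServers $awsDnsIps -ReplicationScope Forest

# 2) The local half of the trust: same password, same direction as the AWS side.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship($awsDomain,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional, $trustPassword)

# 3) Bound the blast radius on this side as well: SID filtering (blocks SID-history
#    injection from the other forest) and selective authentication.
$forest.SetSidFilteringStatus($awsDomain, $true)
$forest.SetSelectiveAuthenticationStatus($awsDomain, $true)

# 4) Check what was actually recorded before handing the trust over.
Get-ADTrust -Identity $awsDomain |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware
```

`--trust-password` is visible in the local process list while the CLI runs, so execute this from an administrative host rather than a shared jump box. If only on-premises users need to reach resources in AWS, change both halves to a one-way trust (the AWS directory trusting the on-premises forest); the Directory Service console documents which of `One-Way: Outgoing` and `One-Way: Incoming` that corresponds to, and the on-prem `TrustDirection` must be the mirror image.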

AD Connector

AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. Because nothing is cached, every authentication round-trips to your on-premises domain controllers over the VPN or Direct Connect link, so that link's latency and availability become part of the login path. AD Connector comes in two sizes, small and large. You can spread application loads across multiple AD Connectors to scale to your performance needs. There are no enforced user or connection limits.

Its job is to redirect authentication requests to on-premises AD. AD Connector does not support AD transitive trusts: AD Connectors and your on-premises AD domains have a 1-to-1 relationship. That is, for each on-premises domain you want to authenticate against, including child domains in an AD forest, you must create a separate AD Connector.
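Because AD Connector ignores the forest's transitive trusts, a multi-domain forest needs the domains enumerated explicitly and one connector created per domain. The loop below is an added example, not code from the original post or from AWS: it reads the domain list from the forest with the ActiveDirectory module and calls `aws ds connect-directory` once per domain. The VPC, subnet IDs and the service-account name are assumptions.

```powershell
# Added example, not from the original post. Run where both RSAT and the AWS CLI
# are configured. VPC, subnets and the service-account name are assumptions.
Import-Module ActiveDirectory

$vpcId     = 'vpc-0abc12345def67890'
$subnetIds = 'subnet-0aaa1111bbbb2222c', 'subnet-0ddd3333eeee4444f'   # two AZs (assumed)

# The connector binds to on-prem AD with this account. It only needs to read users
# and groups (plus create/join computer objects if you use seamless domain join);
# it must not be a Domain Admin, because the secret is held by the AWS service.
$cred = Get-Credential -UserName 'svc-adconnector' -Message 'AD Connector service account'
$svcPassword = $cred.GetNetworkCredential().Password

foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Identity $domainName

    # AD Connector resolves the domain through the DNS IPs you give it; DCs that
    # host DNS are the usual choice. Take two for redundancy.
    $dnsIps = @(Get-ADDomainController -Filter * -Server $domainName |
                Select-Object -First 2 -ExpandProperty IPv4Address)
    if ($dnsIps.Count -lt 2) { Write-Warning "$domainName exposes fewer than two DC addresses" }

    # CLI shorthand: list-valued members inside a structure are comma separated.
    $settings = "VpcId=$vpcId,SubnetIds=$($subnetIds -join ','),CustomerDnsIps=$($dnsIps -join ','),CustomerUserName=$($cred.UserName)"

    $connectorId = aws ds connect-directory `
        --name $domainName `
        --short-name $domain.NetBIOSName `
        --password $svcPassword `
        --size Small `
        --description "AD Connector for $domainName" `
        --connect-settings $settings `
        --query DirectoryId --output text

    "Created AD Connector $connectorId for $domainName (NetBIOS $($domain.NetBIOSName))"
}

# Each connector reports Active only once it has bound to its domain; anything
# stuck in Requested or Failed usually means a security-group or DNS path problem.
aws ds describe-directories --query 'DirectoryDescriptions[?Type==`ADConnector`].[Name,Stage,StageReason]' --output table
```

The one thing this loop does not do for you is decide which domains are worth a connector at all: a domain that holds no users or service accounts that need AWS access gains nothing from one, and each connector is another set of bound credentials to rotate.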

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Posted by Anuj Varma, Hands-On Technology Architect, Clean Air Activist.