AWS Summit 2019 - Session 5: Active Directory

3 models

  • Simple AD - Samba-based, fewer than 5k users, no schema extensions or other full-AD features (no trusts)
  • On EC2 - regular self-managed AD, what we use
    • Direct Connect - fiber to Amazon I think
    • VPN - what we use
    • set the VPC DHCP options set so instances get the DCs as their DNS servers
  • Managed AD (AWS Managed Microsoft AD, "AMAD" below) - supports trusts, more than 5k users, runs on Windows Server 2012 R2
    • ~3 click setup
    • minimum 2 DCs
    • standalone or connected by trust
    • Active Directory Connector (a proxy to an existing AD, no directory hosted in AWS)
      • does not work with RDS; RDS domain join requires the fully managed directory
    • admin rights only on your own OU, not full Domain Admin, but a lot of permissions are delegated
      • schema extension only through the console/API, not by editing the schema directly - import an LDIF file if you want
      • can create GPOs on your own OU or nested OUs
    • can sync users with Azure AD too (Azure AD Connect)
    • Managed AD integrates natively with certain AWS services
    • is a SAML endpoint too, manages ADFS for you
      • but doesn't do some detail that he went too fast on
    • CAN DO a TRUST / pass-through authentication to an existing AD, but that then enables ADFS/SAML #todo #important
      • actually interesting, could be super worth it, would provide SSO for all AD people including members!!!

Most errors in AD are DNS (85% according to him)
A forest trust has a name suffix routing table (which UPN/DNS suffixes are routed to which forest)
AMAD does not support suffix routing; it needs a single-root contiguous namespace
but it supports multiple (external) domain trusts instead of one forest trust to get around that
can combine a forest trust and domain trusts to accommodate all the namespaces

Notes on securing trusts:

SID filtering (quarantine) drops any SID from outside the trusted domain out of tokens coming over the trust, so SID history from the other forest is ignored: a cleaner connection between forests, and it blocks SID-history injection across the trust (caveat: it also breaks access that relied on SID history kept from a migration)
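An added example for the trust notes above (suffix routing / domain vs. forest trusts, and SID filtering); it is not from the session and not AWS-supplied code. It audits every trust seen from the on-prem forest for SID filtering, shows the netdom remediation, then creates the AWS-side trust with the AWS CLI. Assumptions: RSAT ActiveDirectory module, AWS CLI credentials with rights on the directory, and placeholder directory ID, domain names and forwarder IPs.

```powershell
# Added example: not the session's or AWS's code. Placeholder names throughout.
Import-Module ActiveDirectory

function Get-TrustSidFilteringReport {
    # SIDFilteringForestAware = SID filtering on a forest trust (netdom /enablesidhistory:no)
    # SIDFilteringQuarantined = quarantine on an external/domain trust (netdom /quarantine:yes)
    # Either being $false means SID history from the other side is honoured,
    # which is exactly what SID-history injection across a trust abuses.
    Get-ADTrust -Filter * | ForEach-Object {
        if ($_.ForestTransitive) {
            $risk = if ($_.SIDFilteringForestAware) { 'ok' } else { 'SID history from the other forest is honoured' }
        } else {
            $risk = if ($_.SIDFilteringQuarantined) { 'ok' } else { 'quarantine off: SID history honoured' }
        }
        [pscustomobject]@{
            Name                 = $_.Name
            Direction            = $_.Direction
            ForestTransitive     = $_.ForestTransitive
            SelectiveAuth        = $_.SelectiveAuthentication
            SidFilterForestAware = $_.SIDFilteringForestAware
            SidFilterQuarantined = $_.SIDFilteringQuarantined
            Risk                 = $risk
        }
    }
}

Get-TrustSidFilteringReport | Format-Table -AutoSize

# Remediation on the on-prem (trusting) side, placeholder domain names:
#   forest trust:          netdom trust corp.example.com /domain:aws.example.com /enablesidhistory:no
#   external/domain trust: netdom trust corp.example.com /domain:aws.example.com /quarantine:yes

# AWS side: create the trust from the Managed AD directory. The conditional
# forwarder IPs are the on-prem DNS servers the managed DCs must be able to
# reach; get this wrong and the trust never verifies ("most AD errors are DNS").
$directoryId  = 'd-1234567890'        # placeholder directory ID
$remoteDomain = 'corp.example.com'    # placeholder on-prem domain
$trustPassword = Read-Host -Prompt 'Trust password (must match the on-prem side)' -AsSecureString
$plain = [System.Net.NetworkCredential]::new('', $trustPassword).Password
aws ds create-trust `
    --directory-id $directoryId `
    --remote-domain-name $remoteDomain `
    --trust-password $plain `
    --trust-direction 'Two-Way' `
    --trust-type 'Forest' `
    --conditional-forwarder-ip-addrs 10.0.0.10 10.0.0.11   # placeholder on-prem DNS IPs

# Confirm AWS reports the trust as Verified rather than Failed / VerifyFailed:
aws ds describe-trusts --directory-id $directoryId `
    --query 'Trusts[].[RemoteDomainName,TrustDirection,TrustState,TrustStateReason]' --output table
```

If AMAD's single-namespace limit forces you onto per-domain external trusts instead of a forest trust, run the same report afterwards: external trusts are the ones where the `SIDFilteringQuarantined` flag matters, and `--trust-type 'External'` with `--selective-auth Enabled` on the AWS side keeps the blast radius small.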
!!CloudWatch (via the CloudWatch agent) can ingest Windows Event Logs!! #todo #important
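An added example for the CloudWatch note above, not from the session or AWS: the CloudWatch agent configuration that ships a DC's Security and System event logs to CloudWatch Logs, written and loaded from PowerShell. Assumptions: the agent is already installed at its default path, the instance role can create log groups/streams and put events, and the log group names are placeholders.

```powershell
# Added example: not the session's or AWS's code. Log group names are placeholders.
$config = @{
    logs = @{
        logs_collected = @{
            windows_events = @{
                collect_list = @(
                    @{
                        event_name      = 'Security'
                        # audit success/failure entries in the Security log surface as INFORMATION
                        event_levels    = @('INFORMATION', 'WARNING', 'ERROR', 'CRITICAL')
                        log_group_name  = 'ad/windows/security'   # placeholder
                        log_stream_name = '{instance_id}'
                        event_format    = 'xml'                    # keeps EventData fields parseable downstream
                    },
                    @{
                        event_name      = 'System'
                        event_levels    = @('WARNING', 'ERROR', 'CRITICAL')
                        log_group_name  = 'ad/windows/system'     # placeholder
                        log_stream_name = '{instance_id}'
                        event_format    = 'xml'
                    }
                )
            }
        }
        log_stream_name = '{hostname}'   # default stream for any source without its own
    }
}

$path = "$env:ProgramData\Amazon\AmazonCloudWatchAgent\ad-logs.json"
$config | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding ascii

# Load the config into the running agent (-s restarts it with the new config)
& "$env:ProgramFiles\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent-ctl.ps1" `
    -a fetch-config -m ec2 -c "file:$path" -s

# Shipping is only half of it: the DC must actually write the events.
# Check the audit policy covers logons and Kerberos before trusting the log group.
auditpol /get /category:*
```

A check worth doing once the agent is running: query the Security group for event ID 4769 (Kerberos service ticket request) from a known client; if nothing arrives, the problem is almost always the audit policy on the DC rather than the agent.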

Can share Managed AD across accounts in an AWS Organization; add a Transit Gateway so the other accounts' VPCs can reach the DCs

Check FSMO redundancy?
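An added example for the "most errors are DNS" and "check FSMO redundancy" notes, not from the session: it resolves the SRV records clients need to find a DC, lists the FSMO role holders and whether each is reachable, and checks the Managed AD DCs on the AWS side. Assumptions: RSAT ActiveDirectory module, AWS CLI credentials with ds:DescribeDomainControllers, and placeholder domain and directory names.

```powershell
# Added example: not the session's or AWS's code. Domain and directory ID are placeholders.
Import-Module ActiveDirectory

function Test-AdSrvRecords {
    param([Parameter(Mandatory)][string]$DomainName)
    # Clients locate DCs purely through these SRV records. If they do not resolve
    # from inside the VPC (DHCP options set -> DC DNS), nothing else in AD works.
    foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs', '_gc._tcp') {
        $name = "$svc.$DomainName"
        try {
            $r = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                 Where-Object QueryType -eq 'SRV'
            [pscustomobject]@{ Record = $name; Targets = ($r.NameTarget -join ', '); Ok = ($r.Count -gt 0) }
        } catch {
            [pscustomobject]@{ Record = $name; Targets = $_.Exception.Message; Ok = $false }
        }
    }
}

function Get-FsmoHolders {
    # Each role exists exactly once. "Redundancy" means the holder is up and
    # replicating, and you know which DC you would seize the role on, not that
    # two DCs hold it.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $up = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role; Holder = $holder; ReachableLdap = $up }
    }
}

Test-AdSrvRecords -DomainName 'corp.example.com' | Format-Table -AutoSize   # placeholder domain
Get-FsmoHolders | Format-Table -AutoSize
repadmin /replsummary   # a DC with errors or a large 'largest delta' is the one that will bite during a seize

# Managed AD side: AWS holds the FSMO roles and you cannot transfer them. What
# you can check is that the managed DCs are Active and spread across AZs.
aws ds describe-domain-controllers --directory-id 'd-1234567890' `
    --query 'DomainControllers[].[DomainControllerId,AvailabilityZone,DnsIpAddr,Status]' --output table
```

Run the SRV check from an instance in the VPC, not from the DC itself: the DC always resolves its own records, while a member server using the wrong DHCP options set is where the 85% shows up.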
