Steps to configure AD connector AWS

aws-adconnector-banner

In this article I will show steps to configure AD connector on AWS, before that let us know brief description about AD connector.

AD Connector is designed to give you an easy way to establish a trusted relationship between your on-premise Active Directory and AWS. When AD Connector is configured, the trust allows you to:

  • Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials.
  • Seamlessly join Windows instances to your Active Directory domain either through the Amazon EC2 launch wizard or programmatically through the EC2 Simple System Manager (SSM) API.
  • Provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.

AD Connector cannot be used with your custom applications, as it is only used for secure AWS integration for the three use-cases mentioned above. Custom applications relying on your on-premises Active Directory should communicate with your domain controllers directly. 

How AD connector works!

  • AD Connector is a dual Availability Zone proxy service that connects AWS apps to your on-premises directory.
  • AD Connector forwards sign-in requests to your Active Directory domain controllers for authentication and provides the ability for applications to query the directory for data.
  • When you configure AD Connector, you provide it with service account credentials that are securely stored by AWS. This account is used by AWS to enable seamless domain join, single sign-on (SSO), and AWS Applications (WorkSpaces, WorkDocs, and WorkMail) functionality.
  • Given AD Connector’s role as a proxy, it does not store or cache user credentials. Rather, all authentication, lookup, and management requests are handled by your Active Directory.

Pre-requiste and Limitations :

  • Active Directory
  • A VPN connection if its a on-premise Active Directory you’ll be using
  • A VPC with two subnets on different availability zones (IMP)
  • DNS IP
  • SRV Record (for ldap and kerberos) on DNS
  • A username and credentials of that Active Directory

To connect with AD Connector :

  1. In the AWS Directory Service console navigation pane, select Directories and choose Set up Directory.
  2. In the Connect using AD Connector area, choose Create AD Connector.create-adconnector
  3. Provide the following information:
    adconnector-details
  4. Provide the following information in the VPC Details section and choose Next Step.
    adconnector-vpcdetails

 

It takes several minutes for your directory to be connected. When it has been successfully extended, the Status value changes to Active.

adconnector-active

 

If you recieve Status value as Failed  then look for detailed error description.

For in-dept information on error please refer following link while you configure AD connector again if needed :

http://docs.aws.amazon.com/directoryservice/latest/admin-guide/admin_troubleshooting.html

 

Thank you for reading!

Feel free to comment all your queries below, will try to answer them asap. 🙂

-Bhargav

Blogger & Assc Cloud Architect

Site Footer