Most enterprises have come to rely upon Active Directory for authentication and authorization: for users, workstations, servers, and business applications. Among your first considerations when planning a major implementation initiative will be how best to architect Active Directory and take advantage of the benefits of the AWS cloud. This session focuses on best-practice implementation patterns, including AD backup and recovery in AWS, Region and Availability Zone design considerations for AD replication, and security. To finish, we selected the three most common design patterns to discuss: Single Forest, Federated, and Disconnected. We will talk about when each is appropriate to use, how it is designed, and the practical implications of that choice. While each AD implementation is unique, these three patterns represent the fundamental building blocks upon which you will design your own directory. You will leave the session knowing how best to architect AWS to support the Active Directory your enterprise relies upon.
(BIZ303) Active Directory in the AWS Cloud | AWS re:Invent 2014
7. Kerberos authentication from the on-premises datacenter to AWS (AWS Cloud and on-premises datacenter joined by a VPN connection):
   1. User authenticates and requests a Kerberos ticket from the Active Directory forest
   2. User gets the Kerberos ticket
   3. User submits the ticket to the EC2 instances
   4. EC2 instances use the information in the ticket
8. The same Kerberos flow from a remote office (AWS Cloud and remote office joined by a VPN connection):
   1. User authenticates and requests a Kerberos ticket from the Active Directory forest
   2. User gets the Kerberos ticket
   3. User submits the ticket to the EC2 instances
   4. EC2 instances use the information in the ticket
11. Claims-based authentication with ADFS 2.0 (on-premises datacenter and AWS Cloud joined by a VPN connection). Components: User, ADFS 2.0 Server and Active Directory Domain Services on premises; an EC2 Instance in AWS running the Application with Windows Identity Foundation.
   1,2. Login and receive Kerberos ticket
   3,4. Query for token requirements
   5. Request token, send Kerberos ticket
   6,7. Find and return claim
   8. Return token
   9. Forward token to application
   10,11,12. Resolve token and evaluate claim
   13. Get the data
13. Federation through a Security Token Service (AWS Cloud and on-premises datacenter). Components: User, ADFS 2.0 Server, Active Directory Domain Services, EC2 Instance, Application, Security Token Service.
   1. Log into AD / get Kerberos TGT
   2. Establish session with app
   3. App needs token; redirect to STS
   4. STS sends token request to identity provider
   5. ADFS gets authenticated user info from AD and creates SAML token
   6. ADFS redirects user to STS with SAML token
   7. Redirect user back to app with token
   8. User is authenticated to app
22. Read-Only Domain Controller (RODC) versus writeable DC

Characteristic: AD Database Access
  RODC: Read-only. Certain write operations are forwarded and referrals can be given.
  Writeable DC: All operations supported.

Characteristic: Data Replication
  RODC: Only replicates data FROM a writeable DC.
  Writeable DC: Replicates all changes.

Characteristic: Data Stored in DB
  RODC: Contains a copy of all data except for credentials and similar attributes.
  Writeable DC: Complete copy of the entire database.

Characteristic: Administration
  RODC: Administration can be delegated to non-Domain Admins.
  Writeable DC: Only a Domain Admin can administer.
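As an added example (not from the session deck), the inventory script below uses the ActiveDirectory PowerShell module to list domain controllers per AD site, mark each as RODC or writeable, and, for every RODC, show its inbound replication partners, which per the table above must be writeable DCs. The site-name prefix 'AWS-' used to pick out the cloud sites is an assumption; adjust it to your own site naming.

```powershell
# Added example: inventory DCs per site and check RODC replication sources.
# Assumes RSAT's ActiveDirectory module and a domain-joined, signed-in admin.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter *

# Index by short name so replication partners can be resolved back to DC objects
$byName = @{}
foreach ($dc in $dcs) { $byName[$dc.Name.ToUpper()] = $dc }

# Per-site listing: which sites hold writeable DCs and which hold only RODCs
$dcs | Sort-Object Site, Name | ForEach-Object {
    [pscustomobject]@{
        Site = $_.Site
        DC   = $_.HostName
        Type = if ($_.IsReadOnly) { 'RODC' } else { 'Writeable' }
        GC   = $_.IsGlobalCatalog
        OS   = $_.OperatingSystem
    }
} | Format-Table -AutoSize

# Assumption: sites whose name starts with 'AWS-' are the cloud sites
$cloudSites = $dcs | Where-Object { $_.Site -like 'AWS-*' } | Group-Object Site
foreach ($s in $cloudSites) {
    $writeable = @($s.Group | Where-Object { -not $_.IsReadOnly })
    if ($writeable.Count -gt 0) {
        Write-Host ("Site {0}: {1} writeable DC(s); full database, credentials included, is in the cloud" -f $s.Name, $writeable.Count)
    } else {
        Write-Host ("Site {0}: RODC only; credentials are not replicated there" -f $s.Name)
    }
}

# RODCs replicate only FROM writeable DCs: list each RODC's inbound partners and flag any that is not writeable
foreach ($rodc in ($dcs | Where-Object IsReadOnly)) {
    $partners = Get-ADReplicationPartnerMetadata -Target $rodc.HostName -PartnerType Inbound |
        Select-Object -ExpandProperty Partner -Unique
    foreach ($p in $partners) {
        # Partner is the DN of the partner's NTDS Settings object: CN=NTDS Settings,CN=<DC name>,...
        if ($p -match '^CN=NTDS Settings,CN=([^,]+),') {
            $src = $byName[$matches[1].ToUpper()]
            $state = if ($null -eq $src) { 'unknown DC' }
                     elseif ($src.IsReadOnly) { 'UNEXPECTED: source is an RODC' }
                     else { 'ok (writeable source)' }
            Write-Host ("{0} <- {1}: {2}" -f $rodc.Name, $matches[1], $state)
        }
    }
}
```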