Introduction to Directory Services.

A directory service is a database that stores and maintains user and resource information. Directory services are often referred to as directories, user stores, identity stores, or LDAP directories, and they store information such as usernames, password hashes, user preferences, information about devices, and more. Network and system administrators use directory services to onboard users, manage access privileges, and monitor and control access to applications and infrastructure resources. For example, when a user signs in to an application, the application consults the directory service to authenticate the user and to check that the user is authorized to access and use that application.

Directory services are fundamental elements of an identity security strategy. Many identity and access management (IAM) solutions use directory services in conjunction with single sign-on (SSO), multi-factor authentication (MFA), or identity lifecycle management functionality.


Why are Directory Services important? 

Directory services are designed to serve as the authoritative identity provider (IdP) for all of an organization's IT infrastructure, so the directory you select is critical. It becomes the source of truth for authentication and authorization throughout your digital workspace, and a compromise of it is a compromise of everything that trusts it.

Microsoft Active Directory (AD) is the most well-known on-prem directory service in existence today. For decades it has been the premier choice for identity and access management (IAM), because it authenticates users to all on-prem Windows resources through a single interface. We will discuss Microsoft AD and its integration with cloud-based directory services further in this document.


What is Microsoft Active Directory?

Image Source: Microsoft

Active Directory (AD) is a directory service that runs on Microsoft Windows Server. Active Directory’s primary job is to allow administrators to manage permissions and limit access to network resources. In Active Directory, data is stored as objects, which include users, groups, applications, and devices, and these objects are categorized according to their names and attributes.

However, as cloud-based software has exploded in popularity, AD has struggled to natively connect users to resources some organizations find vital. AD natively speaks Kerberos and LDAP, which suits domain-joined Windows hosts and LDAP-aware applications, but it does not natively speak the web federation protocols (SAML and OpenID Connect) that cloud applications use.

In addition, without a federation or SSO layer in front of it (for example, AD FS, or a cloud identity provider such as IAM Identity Center federating to the applications over SAML), AD does not natively authenticate user credentials to web applications like Salesforce®, G Suite™, Office 365™, Slack®, and Dropbox.


What is Amazon Web Services (AWS) Directory Service?

AWS Directory Service is an AWS service that provides multiple identity management options, such as AWS Managed Microsoft Active Directory (AD), AD Connector, Simple AD, and Amazon Cognito, to suit different use cases, and each of these can be integrated with other AWS services. Administrators use directories to control who has access to what information and resources. Directories hold information about users, groups, and devices. Customers that want to use existing Microsoft AD or Lightweight Directory Access Protocol (LDAP)-aware apps in the cloud can choose from a variety of directories through AWS Directory Service. Developers that require a directory to manage users, groups, devices, and access have the same options available to them.


Which AWS Directory Service to use?

AWS Directory Service for Microsoft Active Directory (Standard Edition or Enterprise Edition) can be used if you need an actual Microsoft Active Directory in the AWS Cloud that supports Active Directory–aware workloads or AWS applications and services such as Amazon WorkSpaces and Amazon QuickSight, or you need LDAP support for Linux applications.

AD Connector can be used if you only need to allow your on-premises users to log in to AWS applications and services with their Active Directory credentials. You can also use AD Connector to join Amazon EC2 instances to your existing Active Directory domain.

Simple AD can be used if you need a low-scale, low-cost directory with basic Active Directory compatibility that supports Samba 4–compatible applications, or if you need LDAP compatibility for LDAP-aware applications.

Amazon Cognito can be used if you develop high-scale SaaS applications and need a scalable directory to manage and authenticate your subscribers, including subscribers who sign in with social identity providers.


How to create AWS Directory Service For Microsoft Active Directory.

Prerequisites to create AWS Managed Microsoft AD 

To create an AWS Managed Microsoft AD directory, you need a VPC with the following:

  • At least two subnets. Each of the subnets must be in a different Availability Zone.
  • The VPC must have default hardware tenancy.
  • You cannot create an AWS Managed Microsoft AD in a VPC using addresses in the 198.18.0.0/15 address space.

If you plan to use IAM Identity Center with AWS Managed Microsoft AD, you need to ensure that the following are true:

  • Your AWS Managed Microsoft AD directory is set up in your AWS organization’s management account.
  • Your instance of IAM Identity Center is in the same Region where your AWS Managed Microsoft AD directory is set up.


Create your AWS Managed Microsoft AD directory

To create an AWS Managed Microsoft AD directory

1. In the AWS Directory Service console navigation panel, choose Directories and then choose Set up directory.

2. On the Select directory type page, choose AWS Managed Microsoft AD, and then choose Next.

3. On the Enter directory information page, provide the following information:

  • Edition

Choose from either the Standard Edition or Enterprise Edition of AWS Managed Microsoft AD. For more information about editions, see AWS Directory Service for Microsoft Active Directory.

  • Directory DNS name

The fully qualified name for the directory, such as corp.example.com.

  • Directory NetBIOS name

The short name for the directory, such as CORP.

  • Directory Description

An optional description for the directory.

  • Admin password

The password for the directory administrator. The directory creation process creates an administrator account with the user name Admin and this password.

Note: The password cannot include the word “admin”

The directory administrator password is case-sensitive and must be between 8 and 64 characters in length, inclusive. It must also contain at least one character from three of the following four categories:

Lowercase letters (a-z)

Uppercase letters (A-Z)

Numbers (0-9)

Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)

  • Confirm password

Retype the administrator password.

4. On the Choose VPC and subnets page, provide the following information, and then choose Next.

  • VPC

The VPC for the directory.

  • Subnets

Choose the subnets for the domain controllers. The two subnets must be in different Availability Zones.

5. On the Review & create page, review the directory information and make any necessary changes.

6. When the information is correct, choose Create directory.

7. Creating the directory takes 20 to 40 minutes. Once created, the Status value changes to Active.

Now, you have an AWS Managed Microsoft AD directory.
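The same directory can be created from code rather than the console, and in that case it pays to preflight the VPC prerequisites and the Admin password policy listed above before calling the API, because a rejected request is cheap but a directory that comes up in the wrong subnets is not. The following example is added here and is not code from the original page or from AWS; it applies the prerequisite checks (two subnets in different Availability Zones, default tenancy, no overlap with 198.18.0.0/15) and the password rules (8 to 64 characters, at least three of the four character categories, no "admin") to constructed sample data, then assembles the request dictionary whose keys match the CreateMicrosoftAD API parameters (Name, ShortName, Password, Description, Edition, VpcSettings). The VPC, subnet IDs and password are made-up sample values, and treating the "admin" rule as case-insensitive is an assumption taken as the conservative reading of the rule.

```python
import ipaddress

# Constructed sample values (not from a real account). The shapes mirror the
# fields that ec2 describe-vpcs / describe-subnets return, trimmed to what the
# prerequisites check needs.
SAMPLE_VPC = {
    "VpcId": "vpc-0example0000000001",
    "CidrBlock": "10.20.0.0/16",
    "InstanceTenancy": "default",
}
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0example000000000a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0example000000000b", "AvailabilityZone": "us-east-1b"},
]

# Address space AWS Managed Microsoft AD refuses to be deployed into.
RESERVED_RANGE = ipaddress.ip_network("198.18.0.0/15")

# The non-alphanumeric characters the console accepts for the Admin password.
SPECIAL_CHARS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def check_vpc_prerequisites(vpc, subnets):
    """Return a list of problems with the chosen VPC/subnets; empty means OK."""
    problems = []
    if vpc.get("InstanceTenancy") != "default":
        problems.append("VPC tenancy must be default, got %r" % vpc.get("InstanceTenancy"))
    if ipaddress.ip_network(vpc["CidrBlock"]).overlaps(RESERVED_RANGE):
        problems.append("VPC CIDR %s overlaps reserved 198.18.0.0/15" % vpc["CidrBlock"])
    if len(subnets) != 2:
        problems.append("exactly two subnets must be chosen, got %d" % len(subnets))
    azs = [s["AvailabilityZone"] for s in subnets]
    if len(set(azs)) != len(azs):
        problems.append("each subnet must be in a different Availability Zone, got %s" % azs)
    return problems


def check_admin_password(password):
    """Return a list of policy violations for the directory Admin password."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be between 8 and 64 characters")
    # Assumption: the "cannot include the word admin" rule is applied case-insensitively.
    if "admin" in password.lower():
        problems.append("must not contain the word 'admin'")
    categories = [
        any("a" <= ch <= "z" for ch in password),
        any("A" <= ch <= "Z" for ch in password),
        any("0" <= ch <= "9" for ch in password),
        any(ch in SPECIAL_CHARS for ch in password),
    ]
    met = sum(categories)
    if met < 3:
        problems.append("must use at least three of four character categories, used %d" % met)
    return problems


def build_create_request(edition, dns_name, netbios_name, password, description, vpc, subnets):
    """Validate inputs and return kwargs for ds.create_microsoft_ad(); raise on any problem."""
    problems = check_vpc_prerequisites(vpc, subnets) + check_admin_password(password)
    if edition not in ("Standard", "Enterprise"):
        problems.append("edition must be Standard or Enterprise, got %r" % edition)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "Name": dns_name,
        "ShortName": netbios_name,
        "Password": password,
        "Description": description,
        "Edition": edition,
        "VpcSettings": {"VpcId": vpc["VpcId"], "SubnetIds": [s["SubnetId"] for s in subnets]},
    }


if __name__ == "__main__":
    # Sample password for the demonstration only; in real use read it from a
    # secrets store rather than embedding it in code or shell history.
    request = build_create_request(
        "Standard", "corp.example.com", "CORP", "Correct-Horse-7",
        "Example directory", SAMPLE_VPC, SAMPLE_SUBNETS,
    )
    # Never print the password; mask it before logging the request.
    print({k: ("***" if k == "Password" else v) for k, v in request.items()})
```

The returned dictionary can be passed straight to `boto3.client("ds").create_microsoft_ad(**request)`; the call returns the DirectoryId, and the directory is only usable once `describe_directories` reports its Stage as Active, which is the same 20 to 40 minute wait the console shows. Keep the Admin password out of source control and command history, since that account is the domain administrator for the new forest.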