
I am planning to deploy an Active Directory and Domain Controller on AWS for my company. It will primarily be used for these:

  1. User Authorization (Login/Logoff Process)
  2. File Sharing / Management (Employees can share files with each other)
  3. Deploying GPO (To enforce some IT policy i.e. USB Access, etc).

In addition to that, the Server will be acting as Sharepoint Server as well (that means it will need SQL and IIS).

What I am asking is... [Please see edit]?

If it is a physical server, what I would do is:

  1. Buy the PC server.
  2. Install Windows Server (if it is not already there).
  3. Configure DHCP/DNS (and all other networking stuff).
  4. Install and Configure Domain Controller.
  5. Install and Configure Active Directory.
  6. Configure and Enforce GPO as needed.

And I will be doing all the things mentioned above either from the physical machine or over a remote connection.

PS: Yes, I am aware of the implications of losing access to the Domain Controller (i.e. network outage). One way to mitigate this is by deploying a local cache storage on premise, I suppose.

EDIT: I really need AD/DC to manage logins, organizational hierarchy and policy (GPO). This seems to be the reverse of most server setups. I'd like to use a cloud-based service to act as the primary Domain Controller and, in the future, also to provide local authentication to manage print/file services (if this is possible).

But I'd really like to know if it is possible. More importantly, is it good practice?

I don't mind using either Amazon or Azure.

Jeremy
  • Your questions are _way_ too broad. It sounds like you probably need to retain a consultant to help you make some design decisions and set requirements before you go off spending money. A little money spent up front could end up saving you a lot of money and headache in the long-run. – Evan Anderson Oct 17 '14 at 04:41
  • @EvanAnderson Thanks for the comment, I've edited my question hoping to narrow down the confusion I have at the moment. – Jeremy Oct 17 '14 at 05:31
  • See also: [If a Windows shop moves “everything” to the cloud, does it still need Active Directory?](http://serverfault.com/q/569730/126632), [Active Directory in the cloud](http://serverfault.com/q/357321/126632) – Michael Hampton Oct 17 '14 at 18:32

1 Answer


Hosting Active Directory (AD) off-site is a pretty atypical configuration, even with the most current versions of Windows. You're not going to find a lot of people who recommend it.

From a security perspective, AD wasn't designed with the threat model of being directly exposed to the Internet. You're going to need some kind of secure tunnel from clients to the Domain Controller (DC) if you want to prevent direct exposure of the DC to the Internet. This is going to complicate your configuration and will probably make joining the domain somewhat complicated. (I've heard talk, over the years, of using mandatory transport mode IPSEC between clients and DCs but I've never actually seen anybody implement it. Likewise, DirectAccess is supposed to solve this problem, too.)

You're going to see reduced performance, particularly with respect to Group Policy application, as compared to having an on-site Domain Controller. The interaction between clients and DCs during boot and logon isn't so much bandwidth intensive as it is composed of a large number of round trips. Latency is going to be a killer. Off-site hosting will probably never beat sub-1ms latency on a LAN.

If you've got geographically distributed clients, an off-site hosted AD may be a "win" if you can make it work. If your clients are mainly centralized, though, I'd be willing to bet your long-term expense would be less to host AD on-site. Being hosted off-site doesn't alleviate the need for backups, additional replica domain controllers, or systems administration.

Certainly, if you're doing anything significant with Group Policy, factoring in performance will be a "win" for on-site hosting unless you have some kind of ultra-low latency connection to the hosted DC.

Evan Anderson
  • I get your point, thanks for sharing your thoughts on this. But if, let's say, I use an ESXi server and create multiple guest OSes (one of which is the main AD/DC), do you think there would be a significant problem? Cost is certainly the main consideration here, because I think the company wouldn't want to spend a lot purchasing multiple server machines (i.e. 1 for AD/DC, 1 for Database, 1 for Application Server). – Jeremy Oct 17 '14 at 07:42
  • Kerberos is safe to use over the Internet. That's about all, though. This really needs IPSec or some other VPN. – Michael Hampton Oct 17 '14 at 18:32
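
The answer's two practical points, that logon and Group Policy processing are dominated by round trips to the DC and that the DC must only be reachable through a tunnel, can both be checked from a workstation. This is an added example, not code from the original answer; the DC name and sample count are assumptions, and the ports listed are the standard AD service ports a domain member contacts at logon.

```powershell
# Added example (not from the original post): measure TCP connect latency from a
# client to the AD service ports that boot, logon and GPO processing depend on.
# The DC FQDN and sample count are assumptions for illustration.
param(
    [string]$DomainController = 'dc01.corp.example',   # assumption: your DC's FQDN
    [int]$Samples = 10
)

# Services a domain member contacts during logon and Group Policy processing.
$ports = [ordered]@{
    'Kerberos (88)'             = 88
    'LDAP (389)'                = 389
    'SMB / SYSVOL (445)'        = 445
    'RPC endpoint mapper (135)' = 135
}

$results = foreach ($entry in $ports.GetEnumerator()) {
    $times    = New-Object System.Collections.Generic.List[double]
    $failures = 0
    for ($i = 0; $i -lt $Samples; $i++) {
        $client = New-Object System.Net.Sockets.TcpClient
        $sw     = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # One TCP handshake is roughly one network round trip.
            $client.Connect($DomainController, $entry.Value)
            $sw.Stop()
            $times.Add($sw.Elapsed.TotalMilliseconds)
        } catch {
            $failures++      # refused, filtered or unreachable
        } finally {
            $client.Dispose()
        }
    }
    $avg = if ($times.Count) { ($times | Measure-Object -Average).Average } else { $null }
    $max = if ($times.Count) { ($times | Measure-Object -Maximum).Maximum } else { $null }
    [pscustomobject]@{
        Service = $entry.Key
        AvgMs   = if ($null -ne $avg) { [math]::Round($avg, 1) } else { 'n/a' }
        MaxMs   = if ($null -ne $max) { [math]::Round($max, 1) } else { 'n/a' }
        Failed  = "$failures/$Samples"
        # The answer's on-site baseline is sub-1 ms; anything above that is
        # paid once per round trip at every boot, logon and GPO refresh.
        LanLike = ($null -ne $avg) -and ($avg -lt 1)
    }
}

$results | Format-Table -AutoSize
```

Run it once from inside the VPN or IPsec tunnel and once from an Internet connection outside it: the first run shows the per-round-trip cost your logons will pay, and the second should report every port as failed, confirming the DC is not directly exposed.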