
I have a small on-premises AD environment comprising two Windows Server 2012 domain controllers. They run AD, DNS, DHCP, GP, etc.

I want to migrate this to the AWS Managed Microsoft AD.

All the articles I have read suggest that the two AD environments need to be in different domains and you have to use a migration tool, and then re-add all your user PCs to this new domain.

Ideally I want to do the following:

  1. Configure AWS Managed AD in the same domain as my on prem AD
  2. Make the AWS AD servers part of the on prem domain, and promote them to domain controllers
  3. All users start using the AWS AD servers
  4. Demote and decom the old on prem AD servers

Is this possible, or am I being stupid?

2 Answers

Short answer is no. One thing to realize is that the managed AD in AWS has specific use cases and isn't meant to be a replacement of your AD that sits onprem: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_use_cases.html

You can't just go into managed AD and start promoting DCs and extending the schema - you won't have those privileges. Indeed, that's why it's managed by AWS and you have a delegated privileged account with which you can work that has limited permissions.

What I would recommend is setting up a managed AD in AWS and orienting yourself and you will quickly realize what you can't and can do. My clients mainly use it to create a one way trust back on the on-prem AD to provide SSO for workspaces and other services such as RDS.

  • Thanks for the quick and concise answer. It makes a lot of sense and was kinda what I was thinking of in the back of my head. If I wanted to completely remove my on prem AD, then my options would be to a) migrate my VMs from VMWare on EC2 or b) build from scratch in EC2? – Andrew Harris Nov 27 '19 at 16:28
  • Usually you would just extend your AD into AWS by creating a DC using an EC2 instance in your VPC... I'm assuming you have a VPN connection to your VPC from on prem. Then if you don't want any onprem DCs you would just promote your DC in AWS... I'm simplifying here... would have to look at your particular goals and setup. – Juraj Lišiak Nov 27 '19 at 16:33
  • Yeah, will be VPN to start with and hopefully DirectConnect going forward. I will do some more testing and investigating. Appreciate the comments. – Andrew Harris Nov 27 '19 at 16:45
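The comment above describes the "extend the existing domain into AWS" route (an EC2 domain controller in the VPC reached over VPN, then demote on-prem) rather than Managed AD. The following PowerShell sketch is an added illustration, not code from any of the posters: it shows that route end to end and, most importantly, the replication checks to run before any on-prem DC is demoted. The domain name corp.example.com, the site name AWS-VPC and the VPC CIDR 10.0.0.0/16 are placeholders to replace with your own values.

```powershell
# Added example (not from the thread): extend an existing on-prem AD domain
# into AWS by promoting an EC2 Windows instance as an additional DC, then
# verify replication before any on-prem DC is demoted.
# Assumptions (placeholders, adjust to your environment):
#   - Domain corp.example.com, a VPN/Direct Connect route to the VPC, and the
#     instance's DNS client pointed at an on-prem DC before promotion.
#   - VPC CIDR 10.0.0.0/16 registered as an AD site named AWS-VPC.

$DomainName = 'corp.example.com'     # assumed
$SiteName   = 'AWS-VPC'              # assumed
$VpcCidr    = '10.0.0.0/16'          # assumed
$Cred       = Get-Credential "$DomainName\Administrator"   # a Domain Admins member

# 1. Run from an existing on-prem DC: create the site and subnet so the new DC
#    replicates over a site link instead of being treated as an on-prem DC.
Import-Module ActiveDirectory
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
    New-ADReplicationSubnet -Name $VpcCidr -Site $SiteName
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $SiteName}
}

# 2. Run on the EC2 instance (already domain-joined): install the role, run the
#    prerequisite check with the same parameters, then promote.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$SafeModePw  = Read-Host -AsSecureString 'DSRM password'
$PromoteArgs = @{
    DomainName                    = $DomainName
    SiteName                      = $SiteName
    Credential                    = $Cred
    InstallDns                    = $true
    SafeModeAdministratorPassword = $SafeModePw
    Force                         = $true
}
Test-ADDSDomainControllerInstallation @PromoteArgs
Install-ADDSDomainController @PromoteArgs     # the server reboots when this finishes

# 3. After the reboot, verify before touching the on-prem DCs: the new DC is
#    listed in its site, and inbound/outbound replication reports no errors.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Both |
    Where-Object { $_.LastReplicationResult -ne 0 } |
    Select-Object Partner, Partition, LastReplicationResult, LastReplicationAttempt

# 4. Only once replication is clean: move the FSMO roles to the AWS DC, then
#    demote the on-prem DCs one at a time with Uninstall-ADDSDomainController,
#    re-checking repadmin /replsummary after each one.
Move-ADDirectoryServerOperationMasterRole -Identity $env:COMPUTERNAME `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
```

The ordering matters: the site and subnet exist before promotion so the Knowledge Consistency Checker builds inter-site replication links from the start, and the FSMO move and demotions happen only after `repadmin /replsummary` and the partner-metadata query show zero failures. Demoting an on-prem DC while replication to the VPC is still failing is the step that leaves you with a domain whose only surviving copy is incomplete, so the checks in step 3 are the part not to skip.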

Yeah, we have such a configuration. DC on EC2 and connected via S2S VPN to on-prem. No problem there as long as you have a stable and resilient internet connection. Otherwise you will have problems. We have 2 leased lines, primary and backup.

– patrykk