What are the limitations when running Active Directory in AWS?
AWS Directory Service provides three options for running Active Directory in the cloud: Microsoft AD, Simple AD and AD Connector. What are the drawbacks of each AD option?
While the AWS Directory Service was intended to provide flexible support for Active Directory in AWS, it has several limitations and caveats.
Microsoft AD, for example, is the enterprise-class version of AWS Directory Service and one of three options for running Active Directory in AWS. Microsoft AD currently handles up to 50,000 users or about 200,000 objects, which includes users, groups and computers. That's typically not an issue for most businesses, but it could constrain larger enterprises that have huge Active Directory user or object bases.
In addition, users cannot change the compute performance of Microsoft AD on AWS; there is no way to change storage, processor or memory resources for the AD instance. This can make it difficult to fix performance issues. There is also no current way to migrate the on-premises Active Directory database to the cloud.
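A practical first step before committing to Microsoft AD is to size the existing on-premises directory against the figures quoted above. The PowerShell below is an added example, not code from the article or from AWS; it assumes the RSAT ActiveDirectory module is installed and that the account running it has read access to the domain. It counts users, groups and computers (the object classes the article says count toward the object limit), reports disabled user accounts as an indication of how much could be pruned, and flags whether the directory fits within the quoted 50,000-user and 200,000-object figures. The limit values are the ones stated in the article; confirm current AWS quotas before relying on them.

```powershell
# Added example: size an on-premises AD domain against the Microsoft AD
# figures quoted in the article (about 50,000 users / 200,000 objects).
# Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

$UserLimit   = 50000     # figure quoted in the article; verify against current AWS quotas
$ObjectLimit = 200000    # figure quoted in the article; verify against current AWS quotas

# Count each object class separately. Piping to Measure-Object avoids
# materialising every object into a single array in memory.
$users     = (Get-ADUser     -Filter * | Measure-Object).Count
$groups    = (Get-ADGroup    -Filter * | Measure-Object).Count
$computers = (Get-ADComputer -Filter * | Measure-Object).Count
$total     = $users + $groups + $computers

# Disabled user accounts are the usual first candidates for cleanup if the
# directory is over the limit.
$disabledUsers = (Search-ADAccount -AccountDisabled -UsersOnly | Measure-Object).Count

[PSCustomObject]@{
    Users                = $users
    DisabledUsers        = $disabledUsers
    Groups               = $groups
    Computers            = $computers
    TotalObjects         = $total
    UserLimitUsedPct     = [math]::Round(100 * $users / $UserLimit, 1)
    ObjectLimitUsedPct   = [math]::Round(100 * $total / $ObjectLimit, 1)
    FitsUserLimit        = ($users -le $UserLimit)
    FitsObjectLimit      = ($total -le $ObjectLimit)
} | Format-List

if ($users -gt $UserLimit -or $total -gt $ObjectLimit) {
    Write-Warning "Directory exceeds the quoted Microsoft AD limits; plan for cleanup, a smaller scope, or a different option before migrating."
}
```

Run it from a domain-joined management host; on a large forest the three enumerations can take several minutes, so scope the filters (for example, with -SearchBase) if only one domain or OU is a migration candidate.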
Simple AD, another option for operating Active Directory in AWS, offers a subset of the features found in Microsoft AD. Simple AD supports users, groups, single sign-on access and domain-joining Linux and Windows instances. But Simple AD does not support trust relationships with other domains, nor does it allow admins to manually add domain controllers to an instance. It also doesn't support tools and features such as AD Administrative Center, AD Recycle Bin, PowerShell, fine-grained password policies, schema extensions and group-managed service accounts. Organizations that depend on these features need to deploy the full-featured Microsoft AD.
The third AWS Directory Service option, AD Connector, offers a gateway that handles directory requests as a proxy and does not cache information in the AWS public cloud. Users of this option can use their existing logon credentials to access AWS tools or manage AWS resources. But AD Connector is a limited-privilege service -- it depends on a non-administrative account and password with read-only permissions. So admins can't make changes to Active Directory in AWS through the AD Connector.
As with any public cloud service, developers and infrastructure architects must stay up to date on the latest service offerings, such as changes to APIs, features and pricing. Architects must also consider the limitations of each platform, taking the time to test deployments and evaluate performance before making a production commitment.