AWS Black Belt Online Seminar AWSActive Directory IT

2016.10.18

(@gentaw0)

Windows Specialist

AWS Amazon WorkSpaces

IT

AWSSMESubject Matter Expert

AWS AWS

S3

3

AWS Black Belt Online Seminar AWSJTechAWS

12:00~13:00AWS(IoT etc.)

18:00~19:00AWS(EC2RDSLambda etc.)

& https://aws.amazon.com/jp/about-aws/events/webinars/

4

Agenda

AWSActive Directory /

5

Agenda

AWSActive Directory /

6

LDAPActive DirectoryOpenLDAP

Active Directory

Windows

Windows 2000

NT Security Account ManagerSAM40MB

Active Directory AD DS

VPC

Active Directory

AD DS GC

Active DirectoryDNS

Remote Desktop

https://s3.amazonaws.com/quickstart-reference/microsoft/activedirectory/latest/doc/Microsoft_Active_Directory_Quick_Start.pdf

AWSAWS

CloudFormation

Webinar2 Active Directory Domain Services on the AWS Cloud Web Application Proxy and AD FS on the AWS Cloud

10

https://aws.amazon.com/jp/quickstart/

AWS

Agenda

AWSActive Directory /

11

Active Directory (AD DS)4

12

AD DS

AWS1:AD DS 2:AD DSAWS 3:AD DSAWS 4:AD DSAWS Directory ServiceAWS

1:AD DS

AD AWS /

13

Availability Zone

Availability Zone

DC

2:AD DSAWS AD DSAWSVPC VPCVPCDNS

14

DC

RDGW

DC/GC/DNS

Elastic IPs

RDGW

DC/GC/DNS

Elastic IPs

Remote Management & Administration

Private SubnetPrivate Subnet

Public SubnetPublic Subnet

3:AD DSAWS

EC2AD DS AD DSVPC/

15

RDGW

DC/GC/DNS

Elastic IPs

RDGW

DC/GC/DNS

Elastic IPs

Private SubnetPrivate Subnet

Public SubnetPublic Subnet

4:AD DSAWS Directory ServiceAWS EC2AD DSAWS Directory Service (Microsoft AD) Microsoft ADWindows Server 2012 R2

16

RDGW

Elastic IPs

RDGW

Elastic IPs

Private SubnetPrivate Subnet

Public SubnetPublic Subnet

AWS Directory Service

AWS Directory Service

Microsoft AD:

Availability Zone A

Private Subnet

C-DCA

Corporate Network

Seattle

DC1

Tacoma

DC2 Availability Zone B

Private Subnet

C-DCB company.cloud company.local

Direct Connect

AWS Directory Service(Microsoft AD) Domain AdminsAWS

Microsoft AD/ Microsoft AD

Microsoft ADDC

URLhttps://aws.amazon.com/jp/directoryservice/schema-extensions/

Windows Server 2012 R2

DNS DNSDNS

Group PolicyOU (GPO)

50,000200,000()

Agenda

AWSActive Directory /

19

Active Directory

Active Directory

//OU

)AD DS (TechNet)https://technet.microsoft.com/en-us/library/817d84f0-a0c3-4776-8ea3-20054f342a70

20

AZ1 VPCAD DSAD DS

21

2

4

1

3

DC DC DC DC

DC DC DC DC

2

4 Availability Zone

Availability Zone

DC DC

22

DC

RDGW

DC/GC/DNS

Elastic IPs

RDGW

DC/GC/DNS

Elastic IPs

Remote Management & Administration

Private SubnetPrivate Subnet

Public SubnetPublic Subnet

AD DS(DC/GC/DNS)

VPC

Remote Desktop Gateway

Active Directory

DNSDHCP

FSMO

VPC

Private Subnet

Remote Desktop GatewayPublic Subnet

IP

AD DSAWS

23

Ingress

EgressIngress

AD DSAWS

Active Directory

Microsoft Active Directory Domain Services on the AWS CloudActive Directory and Active Directory Domain Services Port Requirements

Active Directory and Active Directory Domain Services Port Requirements (Microsoft TechNet Library)

https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd

24

VPCDNSDHCP Amazon VPC DHCP Option Set

Amazon provided DNS(DNS) DNSDNSDNS

DHCP Option SetDNS VPCDHCPDHCP

DHCPDHCP

25

Availability Zone

DC/GC/DNS

Amazon Provided DNS

DNS

SubnetDNSDNSDNS

SubnetDNS

DNS

Remote Desktop Gateway

Remote Desktop Gateway Remote Desktop Protocol (RDP) over HTTPS WindowsAmazon EC2 VPN

AZAZRemote Desktop Gateway

RDGWRDGW

Public Subnet Public Subnet

Internet GatewayRemote Management & Administration

Elastic IPs Elastic IPs

AD DS

AZAZ (GC)DNSAZ AZAD DS

AZAZ

27

Availability Zone

DC/GC/DNS

Availability Zone

DC/GC/DNS

Active Directory

28

AWS PCDC

DC/GC/ DNS

RDGW

DC/GC/DNS

Elastic IPs

RDGW

DC/GC/DNS

Elastic IPs

Private SubnetPrivate Subnet

Public SubnetPublic Subnet

FSMO

FSMOVPCDC

DRVPCFSMO

29

Availability Zone

Availability Zone

DC(FSMO)

DC DCDC

Agenda

AWSActive Directory /

30

DC

31

Volume Shadow Copy(VSS)Active Directory

Windows ServerActive Directory

Amazon EBS

Snapshot

DCVSSEBS

DC DC

USN DC

32

DC 1

DC 2

DC 3

https://technet.microsoft.com/ja-jp/library/dd363545(v=ws.10).aspx

3 DC DBDC

DC DC

DC

DSRM EC2 WindowsDSRM DC (DSRM, Directory Service

Resiliency Mode) DCDC

DCDC

33 http://docs.aws.amazon.com/ja_jp/AWSEC2/latest/WindowsGuide/common-issues.html#boot-dsrm

Agenda

AWSActive Directory /

34

Active DirectoryADFS

IDWebSSO

AD DS/AD LDSSAML 1.1/2.0

Office 365Google AppsSSO

ADFS/WAP

36https://s3.amazonaws.com/quickstart-reference/microsoft/wapadfs/latest/doc/Web_Application_Proxy_and_ADFS_on_the_AWS_Cloud.pdf

RDGWDC/GC/DNS

Elastic IP

s

Private Subnet Public Subnet

ADFSWAP

RDGWDC/GC/DNS

Elastic IP

s

Private Subnet Public Subnet

ADFSWAP

VPNWeb Application ProxyWAPPrivate SubnetADFS

ADFS

37

1,000 2

AZ1,00015,000 ADFSWAP

WID (Windows Internal Database

15,00060,000 5ADFS2WAPWIDSQL Server

HW8 CPU4GiB RAM1 Gigabit

WAPADFSELB WAPInternet-facing load balancerADFS

Internal load balancer

HEC2C4.2xlarge (8 vCPU15GiB)

HWEBSIOPS

38

1: WAPWeb

WAPWebSharePoint/OWA/LyncWeb

Denial-of-service (DOS) DOS

ADFS

https://technet.microsoft.com/en-us/library/dn383650.aspx

Planning to Publish Applications Using Web Application Proxy

2:

40

AD

ADFS

(1)

(4) AssumeRoleWithSAML

(3) SAML

(6)

AWS IAMActive DirectoryAWS

AWS SAML 2.0 (Security Assertion Markup Language) ID

DC/GC/DNS

ADFS STS

AWS Identity and Access Management (IAM)

AWS

AWS AWS

3 AWS Management ConsoleAssumeRoke

1) IAMAD

2:AD Connector

2) ADaccess URL

2 LDAPKerberosVPN

AD

1 AD

AD

User1 User2

Group1

ReadOnly

Admin

S3-Access

AWS Directory Service mycompany.awsapps.com/console

3: ADFS + Office 365

RDGWDC/GC/DNS

Elastic IP

s

Private Subnet Public Subnet

ADFS WAP

RDGWDC/GC/DNS

Elastic IP

s

Private Subnet Public Subnet

ADFS WAP

SAML 2.0

Active Directory ADFSIdp Office 365

3: IDaaS + Office 365

RDGWDC/GC/DNS

Elastic IP

s

Private Subnet Public Subnet

AD Connector

RDGWDC/GC/DNS

Elastic IP

s

Private Subnet Public Subnet

SAML 2.0

AD Connector

IDaaSOktaOneLoginPingFederation Office 365

SSO

C-DCA C-DCB

AWS Directory Serivice

WS-federation/ SAML 2.0/OAuth2.0/ OpenID Connect

IDaaS SaaS

DC/GC/DNS

Active Directory AD Connector

Agenda

AWSActive Directory /

46

Amazon Web ServicesActive DirectoryWindows

AWSActive Directory

AWS Management ConsoleSSO

47

Active Directory https://technet.microsoft.com/ja-jp/windowsserver/ff699017.aspx#01

Active Directory Domain Services on the AWS Cloud http://docs.aws.amazon.com/ja_jp/quickstart/latest/active-directory-

ds/welcome.html Active Directory Domain Services on the AWS Cloud

http://www.slideshare.net/AmazonWebServices/biz303-active-directory-in-the-aws-cloud-aws-reinvent-2014

Web Application Proxy and AD FS on the AWS Cloud https://s3.amazonaws.com/quickstart-reference/microsoft/wapadfs/

latest/doc/Web_Application_Proxy_and_ADFS_on_the_AWS_Cloud.pdf

48

AWS

http://aws.amazon.com/jp/aws-jp-introduction/

AWS Solutions Architect Q&A http://aws.typepad.com/sajp/

49

Twitter/FacebookAWS

@awscloud_jp

http://on.fb.me/1vR8yWm

50

AWS AWShttps://aws.amazon.com/jp/contact-us/aws-sales/

AWS