AWS Black Belt Online Seminar 2016: Building Active Directory on AWS
Transcript of the AWS Black Belt Online Seminar "Building Active Directory on AWS"
2016.10.18
-
Speaker: (@gentaw0)
Windows Specialist, Amazon WorkSpaces, AWS
Background: IT infrastructure; AWS SME (Subject Matter Expert)
-
About the AWS Black Belt Online Seminar: a webinar series run by AWS Japan
12:00-13:00: AWS services (IoT etc.)
18:00-19:00: AWS services (EC2, RDS, Lambda etc.)
Schedule and registration: https://aws.amazon.com/jp/about-aws/events/webinars/
-
Agenda: Active Directory on AWS
-
Directory services: LDAP-based directories such as Active Directory and OpenLDAP
-
Active Directory
The directory service for Windows, introduced with Windows 2000.
It replaced the Windows NT Security Account Manager (SAM) database, which was limited to about 40 MB.
-
Active Directory Domain Services (AD DS) on AWS
Domain controllers are deployed into a VPC.
Each domain controller runs AD DS, the Global Catalog (GC) and Active Directory-integrated DNS.
Administration is done over Remote Desktop.
Reference: https://s3.amazonaws.com/quickstart-reference/microsoft/activedirectory/latest/doc/Microsoft_Active_Directory_Quick_Start.pdf
-
AWS Quick Start
AWS-provided CloudFormation templates with deployment guides for common architectures.
Two are relevant to this webinar: "Active Directory Domain Services on the AWS Cloud" and "Web Application Proxy and AD FS on the AWS Cloud".
https://aws.amazon.com/jp/quickstart/
-
Four ways to use Active Directory Domain Services (AD DS) with AWS
Scenario 1: keep AD DS on premises and use it from AWS
Scenario 2: extend the on-premises AD DS into AWS (domain controllers in the VPC)
Scenario 3: build AD DS on AWS (EC2) alone
Scenario 4: use AWS Directory Service (Microsoft AD) instead of running AD DS yourself
-
Scenario 1: AD DS kept on premises
AWS resources use the existing on-premises AD DS over the network connection to the corporate site.
Figure: two Availability Zones in the VPC; the domain controller (DC) remains on the corporate side.
-
Scenario 2: AD DS extended to AWS
Domain controllers are deployed into the VPC as replicas of the on-premises AD DS, and the VPC uses their DNS.
Figure: two Availability Zones, each with a public subnet (RDGW with Elastic IP) and a private subnet (DC/GC/DNS); Remote Management & Administration enters through the public subnets.
-
Scenario 3: AD DS on AWS
AD DS is built on EC2 instances entirely within the VPC.
Figure: two Availability Zones, each with a public subnet (RDGW, Elastic IP) and a private subnet (DC/GC/DNS).
-
Scenario 4: AD DS via AWS Directory Service
Instead of running AD DS on EC2, use AWS Directory Service (Microsoft AD). Microsoft AD is built on Windows Server 2012 R2.
Figure: two Availability Zones, each with a public subnet (RDGW, Elastic IP) and a private subnet hosting the AWS Directory Service domain controllers.
-
Microsoft AD alongside an on-premises domain
Figure: AWS Directory Service domain company.cloud with domain controllers C-DCA (Availability Zone A, private subnet) and C-DCB (Availability Zone B, private subnet); corporate network domain company.local with DC1 (Seattle) and DC2 (Tacoma); the two are connected over Direct Connect.
-
AWS Directory Service (Microsoft AD)
Managed by AWS: the Domain Admins group is reserved for AWS, which operates and patches the domain controllers.
Microsoft AD runs on Windows Server 2012 R2.
Schema extensions: https://aws.amazon.com/jp/directoryservice/schema-extensions/
DNS: Microsoft AD provides the DNS service for the domain.
Group Policy: you can create OUs and link Group Policy Objects (GPOs) within the OU delegated to you.
Scale: approximately 50,000 users (200,000 objects).
-
Designing Active Directory
Design the forest, domain and OU structure before deploying, exactly as you would on premises.
Reference: AD DS Design Guide (TechNet) https://technet.microsoft.com/en-us/library/817d84f0-a0c3-4776-8ea3-20054f342a70
-
Placing domain controllers across Availability Zones
A VPC with AD DS in a single Availability Zone makes that AZ a single point of failure for AD DS; spread domain controllers across at least two Availability Zones.
Figure: placement options 1 to 4, from all domain controllers in one Availability Zone to domain controllers in each of two Availability Zones.
-
Reference architecture for AD DS on AWS
Figure: two Availability Zones, each with a public subnet (RDGW, Elastic IP) and a private subnet (DC/GC/DNS); Remote Management & Administration through the public subnets.
Design points covered next:
AD DS (DC/GC/DNS) placement
VPC design
Remote Desktop Gateway
Active Directory sites
DNS and DHCP
FSMO roles
-
VPC design
Domain controllers go in private subnets.
The Remote Desktop Gateway goes in a public subnet.
Give domain controllers fixed private IP addresses.
-
Security groups
Ingress: open only the ports AD DS needs, and only from the sources that need them (domain members, replication partners, the RDGW).
Egress: review egress rules as well as ingress rules.
Use the port list in the Quick Start guide "Microsoft Active Directory Domain Services on the AWS Cloud" and in Microsoft's "Active Directory and Active Directory Domain Services Port Requirements".
Active Directory and Active Directory Domain Services Port Requirements (Microsoft TechNet Library)
https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd
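The following is an added example, not code from the seminar or the Quick Start. It encodes the AD DS port list from the Microsoft document above as EC2 security-group ingress rules in the shape the EC2 API uses (IpPermissions), restricts them to the CIDRs you pass in, allows RDP to the domain controller only from the RDGW's security group, and lints the result for anything reachable from 0.0.0.0/0. The client CIDRs and the security-group ID are placeholders.

```python
"""Minimum AD DS security-group ruleset for a domain controller, plus a lint check.
Added example; the port table follows Microsoft's AD DS port requirements document."""
import ipaddress

# (protocol, from_port, to_port, purpose). Dynamic RPC range is the Windows Server 2008+ default.
AD_DS_PORTS = [
    ("tcp", 53, 53, "DNS"),
    ("udp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos"),
    ("udp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "W32Time"),
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("tcp", 389, 389, "LDAP"),
    ("udp", 389, 389, "LDAP (CLDAP DC locator)"),
    ("tcp", 445, 445, "SMB (SYSVOL, Netlogon)"),
    ("tcp", 464, 464, "Kerberos password change"),
    ("udp", 464, 464, "Kerberos password change"),
    ("tcp", 636, 636, "LDAP over SSL"),
    ("tcp", 3268, 3269, "Global Catalog"),
    ("tcp", 49152, 65535, "RPC dynamic range (replication, Netlogon)"),
]


def build_dc_ingress(client_cidrs, rdgw_sg_id):
    """Return EC2 IpPermissions for a DC security group.
    client_cidrs: VPC / corporate ranges that contain domain members and partner DCs.
    rdgw_sg_id: security group of the Remote Desktop Gateway (placeholder ID in tests)."""
    rules = []
    for proto, lo, hi, purpose in AD_DS_PORTS:
        rules.append({
            "IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c, "Description": purpose} for c in client_cidrs],
        })
    # RDP to the DC is allowed only from the RDGW's security group, never from a CIDR.
    rules.append({
        "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
        "UserIdGroupPairs": [{"GroupId": rdgw_sg_id, "Description": "RDP via RDGW"}],
    })
    return rules


def allows(rules, proto, port, src_ip):
    """True if some CIDR-based rule admits proto/port from src_ip.
    Security-group-referenced rules cannot be evaluated from an IP alone and count as no."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["IpProtocol"] != proto or not (r["FromPort"] <= port <= r["ToPort"]):
            continue
        for rng in r.get("IpRanges", []):
            if ip in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


def overexposed(rules):
    """List (proto, from, to) for any rule open to the whole internet (prefix length 0).
    A domain controller should never have one; this is the check to run before applying."""
    bad = []
    for r in rules:
        for rng in r.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]).prefixlen == 0:
                bad.append((r["IpProtocol"], r["FromPort"], r["ToPort"]))
    return bad


if __name__ == "__main__":
    rules = build_dc_ingress(["10.0.0.0/16", "192.168.0.0/16"], "sg-0123456789abcdef0")
    print(f"{len(rules)} rules; LDAP from 10.0.1.5: {allows(rules, 'tcp', 389, '10.0.1.5')}")
    weak = rules + [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    print("overexposed in weak set:", overexposed(weak))
```

The returned list can be passed as `IpPermissions` to `authorize-security-group-ingress`; the point of `overexposed` is that the "RDP open to the world" rule that is easy to add by hand is caught before it ever reaches a domain controller.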
-
VPCDNSDHCP Amazon VPC DHCP Option Set
Amazon provided DNS(DNS) DNSDNSDNS
DHCP Option SetDNS VPCDHCPDHCP
DHCPDHCP
25
Availability Zone
DC/GC/DNS
Amazon Provided DNS
DNS
SubnetDNSDNSDNS
SubnetDNS
DNS
-
Remote Desktop Gateway
Remote Desktop Gateway tunnels Remote Desktop Protocol (RDP) over HTTPS, so Windows instances on Amazon EC2 can be administered without a VPN.
Deploy one Remote Desktop Gateway per Availability Zone so that administration survives an AZ failure.
Figure: RDGW with an Elastic IP in each public subnet; Remote Management & Administration through the Internet Gateway.
-
AD DS redundancy
Place a domain controller that is also a Global Catalog (GC) and DNS server in every Availability Zone, so that losing one AZ does not stop authentication or name resolution.
Figure: Availability Zone with DC/GC/DNS, Availability Zone with DC/GC/DNS.
-
Active Directory sites and subnets
Define Active Directory sites and subnets for the AWS address ranges so that clients (PCs and servers) in AWS locate a domain controller in their own site rather than one across the WAN.
Figure: two Availability Zones, each with RDGW (Elastic IP) in a public subnet and DC/GC/DNS in a private subnet.
-
FSMO roles
Decide which domain controller, in which VPC, holds the FSMO roles.
For DR, plan how the FSMO roles are transferred or seized if the VPC holding them is lost.
Figure: Availability Zone with the DC holding the FSMO roles, Availability Zone with a second DC.
-
Backing up domain controllers
Back up Active Directory with a Volume Shadow Copy (VSS)-aware tool such as Windows Server Backup.
An Amazon EBS snapshot is a block-level copy, not an Active Directory-aware backup.
Do not recover a domain controller from an EBS snapshot; use a VSS-based backup of the DC.
-
Restoring a DC from a snapshot causes USN rollback
Each DC tracks what its partners have replicated by update sequence number (USN). A DC rolled back to an old image reuses USNs its partners have already acknowledged, so the partners detect the rollback and stop replicating with it.
Figure: DC 1, DC 2, DC 3; DC 1 restored from an old snapshot diverges from the others.
https://technet.microsoft.com/ja-jp/library/dd363545(v=ws.10).aspx
The rolled-back DC's database no longer matches the other DCs, and replication to and from it is quarantined.
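To make the mechanism concrete, here is an added toy model (not from the seminar or the TechNet article) of the replication bookkeeping: each DC has an invocation ID and a highest USN, and each partner keeps an up-to-dateness vector of the highest USN it has seen per invocation ID. Rolling a DC back to a block-level snapshot keeps the old invocation ID, so its new writes reuse USNs the partner already holds; a supported system-state restore assigns a new invocation ID, so the partner treats the restored database as a new source. The DC names and write counts are constructed.

```python
"""Toy model of USN-based replication tracking, showing why an EBS snapshot
rollback triggers USN rollback while a supported restore does not. Added example."""
from dataclasses import dataclass, field
import uuid


@dataclass
class DomainController:
    name: str
    invocation_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    highest_usn: int = 0
    # up-to-dateness vector: invocation_id -> highest USN already replicated from it
    utd: dict = field(default_factory=dict)

    def originate_writes(self, n):
        """Local changes consume n consecutive USNs."""
        self.highest_usn += n

    def snapshot(self):
        """Block-level copy (EBS snapshot): invocation ID and USN are frozen as-is."""
        return DomainController(self.name, self.invocation_id, self.highest_usn, dict(self.utd))

    def restore_supported(self):
        """Restore of a system-state backup: AD DS assigns a new invocation ID, so partners
        see post-restore USNs as coming from a different database instance."""
        self.invocation_id = str(uuid.uuid4())


def replicate(dst, src):
    """dst pulls from src. Returns 'ok', 'nothing-new' or 'usn-rollback'."""
    seen = dst.utd.get(src.invocation_id, 0)
    if src.highest_usn < seen:
        # The partner has already acknowledged USNs the source now claims are new:
        # Windows logs NTDS event 2095 and pauses inbound/outbound replication on src.
        return "usn-rollback"
    if src.highest_usn == seen:
        return "nothing-new"
    dst.utd[src.invocation_id] = src.highest_usn
    return "ok"


def scenario(use_supported_restore):
    """Snapshot DC1, let it keep writing and replicating, roll it back, write again,
    then see what DC2 thinks of it."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.originate_writes(100)
    replicate(dc2, dc1)                  # DC2 has DC1 up to USN 100
    frozen = dc1.snapshot()              # EBS snapshot taken here
    dc1.originate_writes(50)
    replicate(dc2, dc1)                  # DC2 has DC1 up to USN 150
    dc1 = frozen                         # DC1 rolled back to the snapshot (USN 100)
    if use_supported_restore:
        dc1.restore_supported()
    dc1.originate_writes(10)             # USNs 101..110 are reissued for different changes
    return replicate(dc2, dc1)


if __name__ == "__main__":
    print("snapshot rollback :", scenario(use_supported_restore=False))
    print("supported restore :", scenario(use_supported_restore=True))
```

The model leaves out the "DSA Not Writable" flag and the sequence of events Windows raises, but the check in `replicate` is the one that matters operationally: the partner, not the restored DC, is where the damage shows up.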
-
DSRM on EC2
A Windows domain controller on EC2 can be booted into Directory Services Restore Mode (DSRM); the EC2 console offers no interactive boot menu, so follow the documented procedure.
http://docs.aws.amazon.com/ja_jp/AWSEC2/latest/WindowsGuide/common-issues.html#boot-dsrm
-
Active Directory Federation Services (ADFS)
Identity federation and web single sign-on (SSO).
Uses AD DS or AD LDS as the identity store; supports SAML 1.1 and SAML 2.0.
SSO to Office 365, Google Apps and other SaaS.
-
ADFS/WAP reference architecture
https://s3.amazonaws.com/quickstart-reference/microsoft/wapadfs/latest/doc/Web_Application_Proxy_and_ADFS_on_the_AWS_Cloud.pdf
Figure: two Availability Zones; private subnet with RDGW, DC/GC/DNS and ADFS; public subnet with Elastic IPs and WAP.
Web Application Proxy (WAP) in the public subnet receives internet requests and proxies them to ADFS in the private subnet, so ADFS itself is never exposed; administrators reach the private subnet over VPN.
-
ADFS sizing (Microsoft guidance); spread the servers across Availability Zones
Users: fewer than 1,000 / ADFS: 2
Users: 1,000 to 15,000 / ADFS: 2, WAP: 2 / configuration DB: WID (Windows Internal Database)
Users: 15,000 to 60,000 / ADFS: up to 5, WAP: 2 / configuration DB: WID or SQL Server
Reference hardware per server: 8 CPU, 4 GiB RAM, 1 Gigabit network
-
Load balancing
Put WAP behind an internet-facing ELB and ADFS behind an internal load balancer.
The Microsoft hardware guidance maps to roughly a C4.2xlarge EC2 instance (8 vCPU, 15 GiB).
Size EBS IOPS against the hardware guidance as well.
-
Use case 1: publishing web applications through WAP
WAP is a reverse proxy for internal web applications such as SharePoint, OWA and Lync.
With ADFS preauthentication only authenticated requests reach the application, and the application servers are shielded from direct denial-of-service (DoS) traffic.
Reference: Planning to Publish Applications Using Web Application Proxy
https://technet.microsoft.com/en-us/library/dn383650.aspx
-
Use case 2: federated access to AWS with ADFS
AWS supports SAML 2.0 (Security Assertion Markup Language) identity providers: IAM trusts the ADFS identity provider, so Active Directory users can use AWS without IAM credentials of their own.
Figure: steps (1) to (6). The user authenticates to ADFS, acting as security token service (STS), against Active Directory (DC/GC/DNS); ADFS returns a SAML assertion (3); the assertion is exchanged for temporary credentials with AssumeRoleWithSAML (4).
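As an added example (not ADFS, AWS or seminar code), the block below models both ends of step (3) to (4): the ADFS claim rule that turns Active Directory group memberships into the Role attribute AWS expects, and the checks the service-provider side makes on the assertion before calling AssumeRoleWithSAML (audience is urn:amazon:webservices, every Role value is a role ARN paired with a SAML provider ARN). The AD group naming convention AWS-<account>-<RoleName>, the provider name ADFS and the account ID 123456789012 are assumptions for the example; the assertion is built unsigned in-memory, whereas a real one is signed by ADFS and the signature must be verified first.

```python
"""AD group -> AWS Role claim mapping, and service-provider-side checks on a SAML assertion
before AssumeRoleWithSAML. Added example; the assertion here is constructed and unsigned."""
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_AUDIENCE = "urn:amazon:webservices"
# Assumed AD group naming convention: AWS-<12-digit account id>-<IAM role name>
GROUP_RE = re.compile(r"^AWS-(\d{12})-([\w+=.@-]+)$")


def role_claims_from_groups(groups, provider_name):
    """Models the ADFS custom claim rule: each matching group yields one Role value
    of the form 'role-arn,saml-provider-arn'. Non-matching groups are ignored."""
    claims = []
    for g in groups:
        m = GROUP_RE.match(g)
        if m:
            acct, role = m.groups()
            claims.append(f"arn:aws:iam::{acct}:role/{role},"
                          f"arn:aws:iam::{acct}:saml-provider/{provider_name}")
    return claims


def build_assertion(upn, role_claims):
    """Constructed, unsigned assertion carrying the audience and the two AWS attributes."""
    ET.register_namespace("saml", SAML)
    a = ET.Element(f"{{{SAML}}}Assertion")
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions")
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = AWS_AUDIENCE
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    role_el = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=ROLE_ATTR)
    for c in role_claims:
        ET.SubElement(role_el, f"{{{SAML}}}AttributeValue").text = c
    sess = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=SESSION_ATTR)
    ET.SubElement(sess, f"{{{SAML}}}AttributeValue").text = upn
    return ET.tostring(a, encoding="unicode")


def parse_assertion(xml_text):
    """Return {'session_name': str, 'roles': [(role_arn, provider_arn), ...]}.
    Raises ValueError if the assertion is not addressed to AWS or a Role value is malformed.
    (Signature verification, which must precede this in production, is out of scope here.)"""
    root = ET.fromstring(xml_text)
    audiences = [e.text for e in root.iter(f"{{{SAML}}}Audience")]
    if AWS_AUDIENCE not in audiences:
        raise ValueError(f"audience {audiences} is not {AWS_AUDIENCE}")
    out = {"session_name": None, "roles": []}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        if attr.get("Name") == SESSION_ATTR and values:
            out["session_name"] = values[0]
        elif attr.get("Name") == ROLE_ATTR:
            for v in values:
                parts = [p.strip() for p in v.split(",")]
                role = [p for p in parts if ":role/" in p]
                prov = [p for p in parts if ":saml-provider/" in p]
                # AWS accepts either order; require exactly one of each and normalize.
                if len(parts) != 2 or len(role) != 1 or len(prov) != 1:
                    raise ValueError(f"malformed Role value: {v!r}")
                out["roles"].append((role[0], prov[0]))
    return out


if __name__ == "__main__":
    groups = ["Domain Users", "AWS-123456789012-ReadOnly", "AWS-123456789012-Admin"]
    assertion = build_assertion("user1@company.local", role_claims_from_groups(groups, "ADFS"))
    print(parse_assertion(assertion))
```

When the parsed list holds more than one role, the AWS sign-in page asks the user to pick one; the (role_arn, provider_arn) pair chosen is what goes into the RoleArn and PrincipalArn parameters of AssumeRoleWithSAML together with the base64-encoded assertion.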
-
AWS Identity and Access Management (IAM)
IAM controls authentication and authorization for the AWS APIs and the Management Console; with federation, Active Directory identities assume IAM roles instead of each user receiving an IAM user.
-
Three ways to give Active Directory users access to the AWS Management Console
1) Create IAM users that mirror Active Directory users (a second set of credentials to manage).
2) AD Connector: AWS Directory Service proxies LDAP and Kerberos to the on-premises Active Directory over VPN or Direct Connect; users sign in at an access URL such as mycompany.awsapps.com/console and are mapped to IAM roles.
3) SAML federation with ADFS and AssumeRoleWithSAML.
Figure: Active Directory users User1 and User2 and group Group1 mapped through AWS Directory Service (mycompany.awsapps.com/console) to the IAM roles ReadOnly, Admin and S3-Access.
-
Use case 3: ADFS + Office 365
Figure: two Availability Zones; private subnet with RDGW, DC/GC/DNS and ADFS; public subnet with Elastic IPs and WAP.
Active Directory is the identity store, ADFS is the SAML 2.0 identity provider (IdP), and Office 365 is the relying party.
-
Use case 3 (variant): IDaaS + Office 365
Figure: two Availability Zones; private subnet with RDGW and DC/GC/DNS; AD Connector; public subnet with Elastic IPs.
An IDaaS (Okta, OneLogin, PingFederate) reaches Active Directory through AD Connector and acts as the SAML 2.0 identity provider for Office 365.
-
SSO summary
Figure: on-premises Active Directory (DC/GC/DNS) reached through AD Connector, or AWS Directory Service (C-DCA, C-DCB); an IDaaS federates to SaaS over WS-Federation, SAML 2.0, OAuth 2.0 and OpenID Connect.
-
Summary
Amazon Web Services runs Active Directory and other Windows workloads.
Active Directory on AWS follows the design points above: domain controllers in private subnets across Availability Zones, security groups limited to the AD DS ports, DNS delivered through the DHCP option set, and VSS-aware backups.
Federation with ADFS provides SSO to the AWS Management Console and to SaaS.
-
References
Active Directory: https://technet.microsoft.com/ja-jp/windowsserver/ff699017.aspx#01
Active Directory Domain Services on the AWS Cloud: http://docs.aws.amazon.com/ja_jp/quickstart/latest/active-directory-ds/welcome.html
Active Directory in the AWS Cloud (AWS re:Invent 2014, BIZ303): http://www.slideshare.net/AmazonWebServices/biz303-active-directory-in-the-aws-cloud-aws-reinvent-2014
Web Application Proxy and AD FS on the AWS Cloud: https://s3.amazonaws.com/quickstart-reference/microsoft/wapadfs/latest/doc/Web_Application_Proxy_and_ADFS_on_the_AWS_Cloud.pdf