Questions[aws-directory-service](server)

I have somewhat of a unique challenge, I'm trying to migrate a old legacy server from a locally installed version of Active Directory Domain Service to a centrally managed AWS Directory Service. As part of this migration I will be replicating the user accounts over from this same server to this new service (via a series of powershell scripts). While this process won't bring over the users passwords, most of the structures will be brought over automatically (Users/Groups/OU's/etc...) via the scripts.

I'd like to integrate this migration into my DevOps framework (this includes the need to create a automated rollback script). However as part of the migration process via a powershell script I will need to remove the locally installed version of AD and join the server to the new centrally managed service. As part of that process, I believe that I will lose any information currently stored in the AD's (preventing me from rolling back).

Is there any way to save this information (including passwords) short of imaging the whole server, or this complicated process involving other servers and ADMT etc.., so that if I wanted to undo my migration to the new service I could simply run some sort of script and have the server restored to the pre-migrated version, with the local AD server still installed and my credentials still preserved.

I feel that this should be possible, what I'd really like is to somehow disable (but not uninstall) the AD service on the local server, then join it to my centralized domain service, then if I need to rollback, re-enable my AD service and rejoin to it locally.

Searching around doesn't appear to generate any leads on "disabling" the "Active Directory Domain Services" Role, however there is certainly allot of discussion around the uninstallation process. Maybe one of these options will preserve the AD's configuration somewhere (so that if I reinstall it, it will still be there)?

I have a small on premise AD environment comprising two Windows Server 2012 domain controllers. They run AD, DNS, DHCP, GP etc.

I want to migrate this to the AWS Managed Microsoft AD.

All the articles I have read suggest that the two AD environments need to be in different domains and you have to use a migration tool, and then re-add all your user PCs to this new domain.

Ideally I want to do the following:

1. Configure AWS Managed AD in the same domain as my on prem AD
2. Make the AWS AD servers part of the on prem domain, and promote them to domain controllers
3. All users start using the AWS AD servers
4. Demote and decom the old on prem AD servers

Is this possible, or am I being stupid?

I am moving my local AD domain to AWS and I am not sure the best way to do it.

Scenario: I have 2 on-prem domains (.local and .net). I am retiring one of them and moving to the other. Both are considered production as they are both actively used. Before I start moving everything from one to the other, I want to have AD extended into AWS. In addition, we eventually want to be out of the data center.

Option 1: Spin up 2 EC2 instances and configure them as DCs. This seems like the simplest option however the most expensive (something like $0.99/hr for 2 m4.xlarge machines).

Option 2: Use AWS Directory Service (looks pretty new). The problem with this is they don't allow you to extend your current domain to it. They only allow you to create a brand new domain. The advantages are that its cheaper ($0.40/hr I believe) and that they configure everything for you. I suppose if I went this way I'd need to set up a trust with my current domains.

Does anyone have experience with the AWS directory service? I just can't seem to find anything on the Internet about comparing these 2 options.

If anyone has a better option than the 2 listed above I'd love to hear about it too.

Reference links:

Extending on-prem domain to AWS: http://docs.aws.amazon.com/quickstart/latest/active-directory-ds/scenario-2.html

AWS Directory Service: http://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html

Thanks for the help!

I want to use cloudformation to automatically join new instances to AD.

When I googled this it looks like many people just use scripts in there cloudformation templates and pass in credentials- I don't want to do that.

This article shows how this is seamless if you have the AWS Directory setup.

I already have an AD Domain setup with my own DCs, can I just use the AD Connector or something so I can seamlessly join new instances to that like I can with the AWS Directory Service?

I've setup a Simple AD on AWS that I can finally authenticate against with LDAP. I don't understand why I was unable to use dc= which is widely suggested everywhere but am able to use @domain.

ldap_bind($ldapconn, "cn=Administrator,dc=ldap,dc=patontheback,dc=org", "<password>");
ldap_bind($ldapconn, "[email protected]", "<password>");

Are these not supposed to be equivalent? Will @domain always work or it specific to Simple AD?