service. So this is a very Microsoft-centric topic, and if you're not that familiar with Microsoft technologies, especially services like Active Directory, don't worry, we'll break it all down for you. So let's jump right in.

So what is AWS Directory Service? Well, it's actually not a single service, it's a family of managed services, and these allow me to connect AWS resources with an existing on-premises Microsoft Active Directory. This is a standalone directory in the cloud, and it allows users to access AWS resources and applications with your existing corporate credentials. You can also log into the AWS Management Console using those same existing corporate credentials. Directory Service also enables single sign-on across any domain-joined EC2 instance, so if you have your fleet of EC2 instances all joined to an Active Directory domain, you don't need to manage the credentials on any individual instance.

So if you don't come from a Microsoft background, you might be wondering, what is Active Directory? Well, this is an on-premises directory service that's used by most enterprises. It's a hierarchical database of users, groups and computers organized in trees and forests, and you can apply what are called group policies to help you manage users and devices on a network. Under the hood, Active Directory is based on two protocols, LDAP and DNS, Lightweight Directory Access Protocol and Domain Name Service, and it supports the Kerberos, LDAP and NTLM authentication protocols. Active Directory is intended to be configured in a highly available configuration requiring multiple servers, so the downside of that is that there is typically lots of management overhead, which is one reason why you would want to use a managed service like AWS Managed Microsoft AD.

So this provides AD domain controllers running on real Windows servers. By default you get two domain controllers for high availability, each of those in its own Availability Zone. These domain controllers are reachable by applications in your VPCs. You can add additional domain controllers to increase availability or transaction rates, and you have exclusive access to these domain controllers; no other AWS users will share those domain controllers, so you can be confident about the security. You can also extend your existing Active Directory to your on-premises infrastructure using what's called an AD trust.

Now, when working with managed services like this, there are some things you need to keep in mind. AWS will manage some aspects of the service for you, while you, as the customer, are responsible for some other aspects. First, AWS is going to perform a multi-AZ deployment for you, so you don't have to worry about high availability. They'll take care of patching, monitoring and recovering your domain controllers. They'll perform any kind of instance rotation for you, making sure that you're always on the latest version of the software. They'll also perform backup operations like snapshotting and restoring for you. Now, as the customer, you need to be concerned with users, groups and your group policy objects; AWS will not manage those for you. You can use standard AD tools that you're already familiar with. And if you want to scale out your domain controllers, that's your responsibility. And like I mentioned before, you can employ an AD trust to form a resource forest; this again is your responsibility, as is management of any certificate authorities using LDAPS. And finally, if you want to create any kind of AD federation, that's also your responsibility as the customer.

So that's AWS Managed Microsoft AD. Let's take a look at its baby brother. Simple AD is a standalone directory in the cloud to support Windows workloads that need basic AD features, and there are two sizes that you can deploy: Simple AD small, which is for less than 500 users, or large, which is up to five thousand users. Typically it makes it easier to manage things, like when you want to use your existing corporate credentials to log into those EC2 instances rather than having to provision usernames and passwords on all of those instances or manage any kind of keys, and again for anything that might need a simple link to your on-premises AD infrastructure. So that's Simple AD.

Let's take a look at the AD Connector. When would you want to use this? Well, AD Connector is your best choice when you want to use your existing on-premises directory with compatible AWS services. AD Connector is a directory gateway or proxy for your on-premises AD. This helps you avoid caching information in the cloud. Using AD Connector, you can join your EC2 instances in AWS to your existing on-premises AD domain. So the AD-compatible services are Managed Microsoft AD, Simple AD and AD Connector.

Now let's take a look at Cloud Directory. This is a directory-based store intended for developers. It supports multiple hierarchies with hundreds of millions of objects, and some places you might want to use this are applications that implement org charts, course catalogs or device registries. And this is a fully managed service, so there's no infrastructure for you to manage. So that's Cloud Directory.

Finally, we have Amazon Cognito user pools. Now, it's kind of interesting to me that AWS includes Cognito user pools in Directory Service, because it really has absolutely nothing to do with any of the other services I just mentioned, but for the sake of completeness we'll cover it here. So Cognito user pools are a managed user directory for SaaS, or software-as-a-service, applications. It's intended for sign-up and sign-in for web or mobile applications, typically used with social media identities. So for example, you can log into a SaaS application using your Facebook, Google or Amazon credentials.

So for the exam it's important that you keep straight which of these services are AD-compatible and which are not AD-compatible. So for the AD-compatible services we have Managed Microsoft AD, also known as Directory Service for Microsoft Active Directory, AD Connector and Simple AD. These solutions also enable users to sign into AWS applications like Amazon WorkSpaces and QuickSight with your Active Directory credentials, so watch for an exam question that asks you about logging into WorkSpaces or QuickSight with AD credentials. Now for the non-AD-compatible services we have Cloud Directory and Cognito user pools. So if you're a developer and you don't need Active Directory, you can use Cloud Directory to create directories that organize and manage hierarchical information, and Cognito user pools work with mobile and web applications.

All right, so that's everything you need to know about AWS Directory Service, and I'll see you in the next lesson.