AWS Managed Active Directory vs. Self-Hosted AD: Which Solution is Best For Your Company?

Network Security

In this article, we’ll explore what you need to take into account when moving workloads that require a directory service such as Active Directory (AD) to Amazon Web Services (AWS). As we’ll see, there are currently two options for running Active Directory-dependent workloads on AWS: using AWS Managed Active Directory, or self-hosting Active Directory on AWS EC2 instances.

Active Directory is a widely used directory service that authenticates and manages user and device objects. Workloads migrated to SaaS (Software as a Service) platforms are likely to take advantage of modern directory services such as Azure Active Directory.

However, directory-aware workloads remaining on IaaS (Infrastructure as a Service) are likely to still require a traditional directory service such as Active Directory. If you want to use Amazon Web Services to host IaaS workloads, we’ll explain what you need to know about AWS Managed AD and how it differs from a self-hosted AD.

What is AWS Managed Active Directory?

Amazon Web Services offers Active Directory as a managed service for customers using its platform. When you provision a directory, AWS deploys at least two domain controllers into your Virtual Private Cloud (VPC) network, one per Availability Zone. Directory-aware applications can then join this domain and use AD features as they normally would.

A service built on actual Active Directory

AWS Managed Active Directory is underpinned by Windows Server 2012 R2, which, although now several versions behind and due to reach end of life in October 2023, includes the bulk of the AD features used in a modern enterprise (group managed service accounts and Kerberos constrained delegation, for example). Amazon can be expected to upgrade the underlying operating system well ahead of the end-of-life date; as this is a managed service, that upgrade is AWS’s responsibility rather than yours.

AWS is responsible for the availability of the directory service: software updates to the domain controllers, replication between them, and recovery are all handled by AWS rather than by your administrators.

For IT pros, the same Active Directory management tools are available through the Remote Server Administration Tools (RSAT). This allows the familiar management of users and groups, Sites and Services, and Group Policy that administrators expect. One caveat: you do not get Domain Admins or Enterprise Admins rights in a managed directory. AWS reserves those groups for itself and gives your Admin account membership of the AWS Delegated Administrators group, which can manage objects within the organizational unit AWS creates for you but not the domain controllers themselves.

While you can’t combine an existing on-premises Active Directory and an AWS Managed AD into the same domain, you can create trusts between the two to extend your on-premises directory services into the AWS cloud.
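The trust described above, as an added example that is not code from the original article or from AWS: a two-way forest trust between an on-premises forest and an AWS Managed AD directory, with selective authentication enabled so that principals from the AWS forest get no implicit access to on-premises resources. It runs from an on-premises domain controller with the AWS CLI installed; the domain names, directory ID and IP addresses are placeholders, and it assumes network connectivity (VPN or Direct Connect) and that the Managed AD security group permits AD traffic from the on-premises DCs. The on-premises side of the trust is created in Active Directory Domains and Trusts, as AWS’s own procedure does; the script handles DNS, the AWS side, and verification.

```powershell
# Added example, not from the original article or from AWS. Run on an on-premises
# domain controller as an Enterprise Admin, with the AWS CLI installed and credentials
# allowed to call ds:CreateTrust, ds:VerifyTrust and ds:DescribeTrusts.
# Every identifier below is a placeholder for this example.
$OnPremDomain   = "corp.example.com"           # existing on-premises forest root
$AwsDomain      = "aws.example.com"            # AWS Managed Microsoft AD directory name
$AwsDirectoryId = "d-0123456789"               # from: aws ds describe-directories
$AwsDcAddresses = @("10.0.1.10", "10.0.2.10")  # Managed AD DCs, one per Availability Zone
$OnPremDnsAddrs = @("192.168.10.10")           # on-premises DC reachable from the VPC

# The trust password is used once to pair the two sides; generate it, don't reuse one.
$TrustPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 32 |
    ForEach-Object { [char]$_ })

# 1. Name resolution: on-premises DNS must resolve the AWS domain. A conditional
#    forwarder to the Managed AD DCs does this; the AWS side gets its forwarder
#    from --conditional-forwarder-ip-addrs below.
Add-DnsServerConditionalForwarderZone -Name $AwsDomain -MasterServers $AwsDcAddresses `
    -ReplicationScope "Forest"

# 2. On-premises side of the trust: Active Directory Domains and Trusts -> New Trust,
#    forest trust, two-way, "this domain only", selective authentication, $TrustPassword.
Write-Host "Create the on-premises side of the trust using password: $TrustPassword"
Read-Host "Press Enter once the on-premises side of the trust exists" | Out-Null

# 3. AWS side of the trust through the Directory Service API. --selective-auth Enabled
#    means access to on-premises resources must be granted per computer object
#    ("Allowed to Authenticate") instead of being open to every AWS-forest principal.
$trustId = aws ds create-trust `
    --directory-id $AwsDirectoryId `
    --remote-domain-name $OnPremDomain `
    --trust-direction "Two-Way" `
    --trust-type "Forest" `
    --trust-password $TrustPassword `
    --conditional-forwarder-ip-addrs $OnPremDnsAddrs `
    --selective-auth "Enabled" `
    --query "TrustId" --output text

# 4. Verify from both sides. AWS should report the trust as Verified; netdom checks
#    the on-premises secure channel to the AWS forest.
aws ds verify-trust --trust-id $trustId | Out-Null
$state = aws ds describe-trusts --directory-id $AwsDirectoryId --trust-ids $trustId `
    --query "Trusts[0].TrustState" --output text
Write-Host "AWS reports trust state: $state"
netdom trust $OnPremDomain /domain:$AwsDomain /verify

# 5. Confirm the on-premises side enforces selective authentication. A forest trust
#    created without it lets every authenticated user of the other forest reach any
#    resource where "Authenticated Users" has access.
$trust = Get-ADTrust -Filter "Target -eq '$AwsDomain'"
if (-not $trust.SelectiveAuthentication) {
    netdom trust $OnPremDomain /domain:$AwsDomain /SelectiveAuth:yes
}
Get-ADTrust -Filter "Target -eq '$AwsDomain'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

Selective authentication is worth the extra administration: once enabled, the trust grants nothing by default, and each on-premises server that AWS-hosted principals need to reach has to be explicitly marked "Allowed to Authenticate" for the relevant groups.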

AWS Managed Active Directory lets you migrate AD-dependent applications and Windows workloads to AWS. (Source: Amazon.com)

AWS Managed Active Directory editions and pricing

The service is available in two editions, Standard and Enterprise. The main difference between them is the number of directory objects (users, groups, computers) that can be managed: roughly 30,000 and 500,000, respectively.

Pricing is all-inclusive: you do not need to license Windows Server or buy Client Access Licenses (CALs) for the domain controllers, as you would for domain controllers you run yourself. Prices vary by region; the figures below are indicative:

  • The Standard edition costs $0.132 per hour (~$98.21 per month) and includes 2 domain controllers in different Availability Zones. Additional domain controllers can be added to the managed service for $0.066 per hour per domain controller.
  • The Enterprise edition costs $0.428 per hour (~$318.43 per month), plus $0.214 per hour per additional domain controller.

Self-Hosted AD

To migrate AD-dependent workloads to AWS, the more traditional approach is to provision domain controllers on customer-managed EC2 instances, which are then managed just like on-premises domain controllers.

The benefits of hosting DCs on EC2 instances

This approach has the benefit of extending your existing Active Directory infrastructure by adding domain controllers to the existing domain, rather than having to create a trust to what is a separate domain provided by AWS Managed AD. It suits organizations maintaining a hybrid infrastructure, with some directory-aware workloads running in the AWS cloud and the rest remaining on-premises.

It is not possible to add on-premises domain controllers to an AWS Managed AD. To avoid the complexity of AD trusts, and to keep directory-aware workloads from authenticating across the WAN link between AWS and your on-premises domain controllers, extending the existing domain is often the better choice. This only pays off if the new domain controllers are placed in their own AD site covering the VPC’s address space, so that clients in AWS locate the local DCs rather than the on-premises ones.
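The self-hosted approach described in this section, as an added example that is not from the original article: promoting a Windows Server EC2 instance to a domain controller in an existing on-premises domain, with an AD site and subnet for the VPC created first so that authentication stays inside AWS. Domain name, site name, addresses and drive letters are placeholders; it assumes the instance already reaches an on-premises DC over a VPN or Direct Connect link with the AD ports open, and that the AD-related feature names and cmdlets are those shipped with Windows Server.

```powershell
# Added example, not from the original article. Runs on a fresh Windows Server EC2
# instance joined to nothing yet, with connectivity to an existing on-premises DC.
# Every name, address and path below is a placeholder for this example.
$DomainName = "corp.example.com"
$SiteName   = "AWS-us-east-1"          # new AD site representing the VPC
$VpcCidr    = "10.0.0.0/16"            # VPC CIDR mapped to that site
$OnPremDc   = "192.168.10.10"          # existing DC used for DNS and initial replication
$OnPremSite = "Default-First-Site-Name"
$Cred       = Get-Credential -Message "Domain Admin account used for promotion"
$DsrmPwd    = Read-Host -AsSecureString "Directory Services Restore Mode password"

# 1. Resolve the domain through an existing DC before touching AD.
$nic = Get-NetAdapter | Where-Object Status -eq "Up" | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $OnPremDc

# 2. Install AD DS plus the management tools (includes the ActiveDirectory module).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# 3. Create the site, subnet and site link first. Without a subnet mapping, members in
#    the VPC fall back to any DC in the domain and may authenticate across the WAN,
#    which is exactly what self-hosting DCs in AWS is meant to avoid.
$site = Get-ADReplicationSite -Filter "Name -eq '$SiteName'" -Server $OnPremDc -Credential $Cred
if (-not $site) {
    New-ADReplicationSite -Name $SiteName -Server $OnPremDc -Credential $Cred
    New-ADReplicationSubnet -Name $VpcCidr -Site $SiteName -Server $OnPremDc -Credential $Cred
    New-ADReplicationSiteLink -Name "$OnPremSite-$SiteName" `
        -SitesIncluded $OnPremSite, $SiteName `
        -Cost 100 -ReplicationFrequencyInMinutes 15 `
        -Server $OnPremDc -Credential $Cred
}

# 4. Promote the instance into the existing domain, placing it in the new site and
#    seeding replication from the on-premises DC. NTDS.dit is the domain's credential
#    store: keep it on an encrypted EBS volume (D: here) rather than the boot volume.
Install-ADDSDomainController `
    -DomainName $DomainName `
    -SiteName $SiteName `
    -Credential $Cred `
    -InstallDns `
    -ReplicationSourceDC $OnPremDc `
    -DatabasePath "D:\NTDS" -LogPath "D:\NTDS" -SysvolPath "D:\SYSVOL" `
    -SafeModeAdministratorPassword $DsrmPwd `
    -Force
# The server reboots on completion. Afterwards, confirm that clients in the VPC site
# are directed to the new DC and that inbound replication has no failures:
#   Get-ADDomainController -Discover -DomainName $DomainName -SiteName $SiteName
#   repadmin /replsummary
```

The site-and-subnet step is the part most often skipped and the one that matters for the WAN-authentication argument above: the DC locator picks a domain controller by the client’s site, and a client whose address matches no subnet is treated as belonging to no site at all.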

Costs of a self-hosting AD

Of course, hosting domain controllers in AWS has consumption costs as well. Two EC2 instances hosting Active Directory will cost roughly $270.64 per month (using the t3a.xlarge instance type), before EBS storage. In addition, these instances carry the same operational overhead as traditional domain controllers: patching, backups, replication monitoring, hardening, and so on.

Conclusion

To conclude, AWS Managed AD is a viable alternative to extending an existing on-premises domain into the AWS cloud, and it is cost-effective compared with running your own domain controllers on EC2 instances. However, it won’t be the right solution for every organization.

Before deciding whether AWS Managed AD is right for your company, you should answer the following questions:

  • Will my application workloads continue to work in a domain trust model?
  • Do I want more control over my Active Directory infrastructure than what a managed service will offer?
  • Will I continue to operate a hybrid infrastructure with directory-aware workloads in both the cloud and on-premises resources?