Active Directory to AWS: Extension and Migration Guide

AWS Cloud Consulting

Active Directory remains the backbone of identity management for most businesses. As organizations move workloads to AWS, the question is not whether to integrate AD with the cloud — it is how. AWS offers multiple options for extending or migrating Active Directory, each with distinct tradeoffs in control, cost, complexity, and integration depth. Choosing the wrong option leads to authentication failures, management overhead, and security gaps that compound over time.

Why Move Active Directory to the Cloud

Several business drivers push organizations to extend or migrate their directory services to AWS.

Remote workforce: With employees distributed across locations, relying solely on on-premise domain controllers creates latency and single points of failure. Cloud-hosted directory services provide authentication closer to cloud-hosted applications and remote users, improving login speeds and reliability.

Hybrid infrastructure needs: When workloads run in both on-premise data centers and AWS, applications in the cloud need directory access for authentication and authorization. Routing all authentication back to on-premise controllers over VPN adds latency, creates a dependency on VPN availability, and complicates disaster recovery.

Disaster recovery: If your only domain controllers are on-premise, a site failure means no authentication for any system. Extending AD to AWS provides automatic failover for identity services, ensuring users can still authenticate even during on-premise outages.

Options Overview

AWS provides three primary approaches for Active Directory in the cloud. Your choice depends on your requirements for control, integration, and operational overhead.

AWS Managed Microsoft AD: A fully managed Active Directory running on Windows Server 2019. AWS handles patching, replication, monitoring, and daily snapshots. Supports trust relationships with on-premise AD for hybrid scenarios. Best for organizations that need a full AD environment in AWS without managing domain controller infrastructure.

AD Connector: A lightweight directory proxy that redirects authentication requests to your existing on-premise Active Directory. No data is stored in AWS — it simply forwards requests over your VPN or Direct Connect connection. Best for organizations that want to use their existing AD without extending it to the cloud.

Self-managed AD on EC2: Deploy your own Windows Server domain controllers on EC2 instances. You manage everything — patching, replication, backup, monitoring, and availability. Best for organizations with specific AD configurations, schema extensions, or compliance requirements that managed services cannot accommodate.

AWS Managed Microsoft AD

AWS Managed Microsoft AD is the most popular choice for organizations that need Active Directory capabilities in AWS without the operational burden of managing domain controllers.

What it provides: A pair of domain controllers deployed across two Availability Zones for high availability. Supports Group Policy, LDAP, Kerberos, NTLM, and standard AD administrative tools. You get organizational unit-level access for managing users, groups, and computers within your delegated OU.

When to use it: When you need AD-aware applications in AWS (SQL Server with Windows Authentication, .NET applications using integrated auth), when deploying Amazon WorkSpaces, or when you need a trust relationship between on-premise AD and a cloud-based directory for hybrid access.

Limitations: You do not have domain admin or enterprise admin access. Schema extensions are supported but limited to what AWS allows. You cannot access the underlying domain controller instances. Some GPO settings that require domain-level access are unavailable. If you need full control over every AD feature, self-managed on EC2 may be necessary.

AD Connector

AD Connector is a directory gateway that forwards authentication requests to your existing on-premise Active Directory without caching or storing any directory data in AWS.

How it works: AD Connector creates a pair of elastic network interfaces in your VPC that proxy LDAP and Kerberos requests back to your on-premise domain controllers over VPN or Direct Connect. AWS services that need directory authentication (WorkSpaces, WorkDocs, SSO) send requests to AD Connector, which forwards them to your existing AD.

When to use it: When you want to keep all directory data on-premise, when you have a reliable low-latency connection to your data center, or when you have a small AWS footprint that does not justify running additional domain controllers in the cloud.

Limitations: Entirely dependent on VPN or Direct Connect connectivity. If the network connection to on-premise fails, all AWS authentication fails. Does not support multi-factor authentication natively. Cannot be used for domain-joining EC2 instances without network connectivity to on-premise DCs. Not suitable for environments where authentication latency is critical.

Self-Managed AD on EC2

For organizations that need complete control over their Active Directory environment, deploying domain controllers on EC2 instances provides maximum flexibility.

Full control: You have domain admin and enterprise admin access. You can modify the schema, implement any Group Policy configuration, install any AD-integrated software, and configure replication exactly as needed. This mirrors your on-premise AD deployment but runs on AWS infrastructure.

When necessary: When you need custom schema extensions that Managed AD does not support, when compliance requires full administrative control over directory infrastructure, when you need specific AD Forest or Domain functional levels, or when you are running AD-dependent applications that require domain admin access for installation.

Hybrid Identity Strategy

Most organizations operate in a hybrid model during and after migration, maintaining on-premise AD while extending identity to the cloud.

Trust relationships: Establish a two-way forest trust between your on-premise AD and AWS Managed Microsoft AD. This allows users in either directory to access resources in both environments seamlessly. Configure selective authentication to limit which on-premise users can access cloud resources.

Replication considerations: If running self-managed DCs on EC2, configure AD Sites and Services to manage replication topology between on-premise and cloud domain controllers. Place cloud DCs in their own AD site to control replication traffic over your VPN or Direct Connect link. Monitor replication health continuously.

DNS resolution: Active Directory depends heavily on DNS. Configure conditional forwarders or Route 53 Resolver endpoints so that on-premise clients can resolve cloud-hosted AD records and vice versa. Broken DNS resolution is the most common cause of AD authentication failures in hybrid environments.
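Setting up the two-way DNS forwarding described above, as an added example that is not from the article or AWS: the on-premise side uses the Windows DnsServer module, the Managed AD side uses the AWS CLI, and every domain name, IP address and directory ID is a placeholder for your own environment.

```powershell
# Added example (not from the article or AWS): make each side able to resolve the other's AD records.
$OnPremDomain = 'corp.example.com'                 # placeholder on-premise AD domain
$CloudDomain  = 'aws.example.com'                  # placeholder AWS Managed Microsoft AD domain
$OnPremDnsIps = @('192.0.2.10', '192.0.2.11')      # placeholder on-premise DC DNS addresses
$CloudDnsIps  = @('10.0.1.10', '10.0.2.10')        # placeholder Managed AD DNS addresses
$DirectoryId  = 'd-0123456789'                     # placeholder Managed AD directory ID

# 1. On-premise side (run on a DC or DNS server with the DnsServer RSAT module):
#    forward the cloud AD zone to the Managed AD DNS servers; Forest scope replicates the
#    forwarder to every DNS-hosting DC so no single DC is left with a gap.
Add-DnsServerConditionalForwarderZone -Name $CloudDomain -MasterServers $CloudDnsIps -ReplicationScope Forest

# 2. Cloud side: Managed AD's DNS forwards the on-premise zone back to the on-premise DCs.
#    This must exist before the forest trust can be created; needs AWS CLI rights on Directory Service.
aws ds create-conditional-forwarder --directory-id $DirectoryId --remote-domain-name $OnPremDomain --dns-ip-addrs $OnPremDnsIps

# 3. Verify both directions: the DC locator SRV record for each domain must resolve via the OTHER side's DNS.
Resolve-DnsName "_ldap._tcp.dc._msdcs.$CloudDomain"  -Type SRV -Server $OnPremDnsIps[0] | Where-Object Type -eq 'SRV'
Resolve-DnsName "_ldap._tcp.dc._msdcs.$OnPremDomain" -Type SRV -Server $CloudDnsIps[0]  | Where-Object Type -eq 'SRV'
```

If either verification query returns nothing, fix DNS before attempting the trust; a trust created over half-working DNS produces exactly the intermittent failures this section warns about.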

Integration with AWS Services

Active Directory in AWS integrates with numerous services, making it a foundational component for Windows-based cloud environments.

Amazon WorkSpaces: Virtual desktops authenticate directly against your directory. Users log in with their AD credentials and receive their desktop with domain-joined Group Policy settings applied. Both Managed AD and AD Connector support WorkSpaces integration.

Amazon RDS: SQL Server and Oracle on RDS support Windows Authentication through Managed AD integration. Applications can connect to databases using their domain credentials without managing separate database passwords. This simplifies credential management and aligns with existing security policies.

IAM Identity Center (SSO): Connect your AD to IAM Identity Center to provide single sign-on access to AWS accounts, business applications, and the AWS Management Console. Users authenticate with their existing AD credentials and receive temporary AWS credentials based on their group membership.

Migration Planning and Common Mistakes

Moving AD to AWS requires careful planning to avoid disruption to authentication services that every user and application depends on.

Start with extension, not migration: Extend your existing AD to AWS first by establishing trust relationships or adding cloud-based domain controllers. Run both environments in parallel before considering a full cutover. This provides fallback if issues arise and gives applications time to validate against cloud-hosted DCs.

Common mistake — ignoring network latency: AD authentication is sensitive to network latency. If cloud applications authenticate against on-premise DCs over high-latency connections, users experience slow logins and application timeouts. Place domain controllers (managed or self-hosted) in the same region as your workloads.

Common mistake — insufficient DNS configuration: AD depends on SRV records, CNAME records, and proper zone delegation. Incomplete DNS configuration causes intermittent authentication failures that are difficult to troubleshoot. Test DNS resolution from every VPC and subnet before relying on cloud-hosted AD.

Common mistake — no monitoring: Directory services must be monitored for replication failures, LDAP response times, and authentication errors. Configure CloudWatch metrics and alarms for Managed AD health, or deploy your own monitoring stack for self-managed DCs. Undetected replication failures lead to split-brain scenarios and data inconsistency.
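A verification pass over the hybrid pieces this section and the Hybrid Identity Strategy section call out (DC locator SRV records via each side's DNS, the forest trust, replication health on self-managed DCs, and Kerberos latency to the nearest DC), as an added example and not code from the article or AWS. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module; domain names and addresses are placeholders.

```powershell
# Added example (not from the article or AWS). Assumes a domain-joined Windows host with RSAT ActiveDirectory;
# all domain names and IPs below are placeholders for your environment.
#Requires -Modules ActiveDirectory, DnsClient
param(
    [string]$OnPremDomain = 'corp.example.com',          # placeholder on-premise AD forest
    [string]$CloudDomain  = 'aws.example.com',           # placeholder AWS Managed Microsoft AD forest
    [string[]]$OnPremDns  = @('192.0.2.10'),             # placeholder on-premise DC DNS
    [string[]]$CloudDns   = @('10.0.1.10', '10.0.2.10'), # placeholder Managed AD DNS
    [int]$MaxKerberosMs   = 50                           # latency budget for a TCP connect to port 88
)
function Test-DcSrvRecord {
    # Every DNS server a client may use must return DCs for BOTH domains; gaps cause intermittent login failures.
    param([string]$Domain, [string]$DnsServer)
    $recs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'SRV'
    [pscustomobject]@{ Check = "SRV $Domain via $DnsServer"; Ok = [bool]$recs
                       Detail = $(if ($recs) { $recs.NameTarget -join ', ' } else { 'no SRV records' }) }
}
function Test-ForestTrust {
    # Expect a two-way forest trust with selective authentication, as the article recommends.
    param([string]$PartnerDomain)
    $t = Get-ADTrust -Filter "Target -eq '$PartnerDomain'" -ErrorAction SilentlyContinue
    $ok = $t -and $t.Direction -eq 'BiDirectional' -and $t.ForestTransitive -and $t.SelectiveAuthentication
    [pscustomobject]@{ Check = "Trust to $PartnerDomain"; Ok = [bool]$ok
                       Detail = $(if ($t) { "$($t.Direction), forest=$($t.ForestTransitive), selective=$($t.SelectiveAuthentication)" } else { 'no trust found' }) }
}
function Test-ReplicationHealth {
    # Unnoticed replication failures are how split-brain starts; meaningful for self-managed DCs.
    param([string]$Domain)
    $f = @(Get-ADReplicationFailure -Target $Domain -Scope Domain -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Check = "Replication $Domain"; Ok = ($f.Count -eq 0)
                       Detail = $(if ($f) { ($f | ForEach-Object { "$($_.Server) <- $($_.Partner): $($_.FailureCount) failures" }) -join '; ' } else { 'no failures reported' }) }
}
function Test-KerberosLatency {
    # Slow logins usually trace back to a far-away DC; time a TCP connect to Kerberos (88) on the DC the locator picks.
    param([string]$Domain, [int]$MaxMs)
    $dc = [string](Get-ADDomainController -DomainName $Domain -Discover -ErrorAction SilentlyContinue).HostName
    $client = New-Object System.Net.Sockets.TcpClient
    try { $ms = [int](Measure-Command { $client.Connect($dc, 88) }).TotalMilliseconds } catch { $ms = -1 } finally { $client.Dispose() }
    [pscustomobject]@{ Check = "Kerberos RTT to $dc"; Ok = ($ms -ge 0 -and $ms -le $MaxMs); Detail = "$ms ms (budget $MaxMs ms)" }
}
# SRV records are checked for both domains against every DNS server a client might be handed.
$results = @(foreach ($dns in ($OnPremDns + $CloudDns)) { Test-DcSrvRecord -Domain $OnPremDomain -DnsServer $dns; Test-DcSrvRecord -Domain $CloudDomain -DnsServer $dns })
$results += Test-ForestTrust -PartnerDomain $CloudDomain
$results += Test-ReplicationHealth -Domain $OnPremDomain
$results += Test-KerberosLatency -Domain $CloudDomain -MaxMs $MaxKerberosMs
$results | Format-Table Check, Ok, Detail -AutoSize -Wrap
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit lets a scheduled task or monitoring job raise an alarm
```

Run it from a host in each VPC and subnet that will depend on cloud-hosted AD, not just from one jump box, since resolver and routing differences between subnets are what make these failures intermittent.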

Identity Is the Foundation of Cloud Security

Active Directory is not just an authentication system — it is the foundation of access control for your entire environment. Plan your AD extension to AWS with the same rigor you would apply to any security-critical infrastructure migration. Test thoroughly, monitor continuously, and always maintain a fallback path.
