Explore scaling options for AWS Directory Service for Microsoft Active Directory
Explore the scaling options available for AWS Managed Microsoft AD and the monitoring tools that help you decide when to scale.
AWS Directory Service provides a seamless path for organizations to migrate their Active Directory-dependent workloads to the cloud. By delivering a fully managed, native Windows Server-based Active Directory, the service empowers IT teams to leverage their existing AD skills and applications, while benefiting from enhanced security, reliability, and scalability. Organizations can easily integrate their on-premises AD with cloud-hosted services like Amazon RDS, FSx, and EC2, enabling a consistent AD management experience across environments.
Introduction
Customers can deploy AWS Managed AD as their primary Active Directory forest, hosting all of their users' identities. Customers can also run AWS Managed AD as a "resource forest." In this configuration, AWS Managed AD serves supported AWS services while users' identities remain under the exclusive control of the organization's self-managed Active Directory. As organizations grow and scale, so do their AWS Managed AD deployments. Monitoring key performance metrics becomes crucial for maintaining directory service availability and for scaling in a timely manner. Amazon CloudWatch dashboards provide a centralized way to track and analyze a directory's performance over time.
Solution overview
When customers deploy an AWS Managed AD, the service initially creates two domain controller instances in two separate subnets of the same VPC. This architecture provides resiliency and high availability with a minimal set of resources and optimal cost. This initial configuration enables all the features that AWS Managed AD offers. As organizations grow, their workflows become larger, more complex and more demanding. To fully support the demand of growing workflows, organizations have to scale their directories in time. AWS Managed AD keeps the scaling process simple and secure, requiring minimal administrative effort. When it is time to scale a directory, AWS Managed AD offers two options: scale-up or scale-out.
Prerequisites
- An AWS account.
- An AWS Identity and Access Management (IAM) user or role with permissions to perform Directory Service operations and CloudWatch operations.
- A Virtual Private Cloud (VPC) configured in each Region.
- At least two private subnets in the VPC.
Understanding scale-up and scale-out
Scale-up: also called upgrading your AWS Managed Microsoft AD, this means changing the edition of an AWS Managed AD from Standard to Enterprise. Enterprise Edition delivers larger domain controller instances, with higher compute capacity and more storage for Active Directory objects. When a directory scales up, it retains the same number of domain controller instances it previously had, but each is replaced with a larger one. Instances are replaced one at a time to minimize disruption to production workflows.
Important: Scaling up a directory from Standard to Enterprise is a one-way operation that cannot be reverted.
Scale-out: this means deploying additional domain controllers for your AWS Managed Microsoft AD. Customers can scale out both Standard and Enterprise directories, and can scale out each Region independently. There is no need to scale all Regions to the same number of domain controller instances, but the directory edition is the same across all Regions.
Understanding what each scaling operation means is essential to making the right scaling decision. It is preferable to scale out the number of domain controllers first, as this is a two-way door: you can scale back in later. Consider scaling up first only if you need a feature that is available exclusively in Enterprise Edition (more on this later).
Making an informed decision
Since December 2021, AWS Managed Microsoft AD helps optimize scaling decisions with directory metrics in Amazon CloudWatch. Amazon CloudWatch metrics are a time-ordered set of data points about performance indicators of a system, enabling organizations to monitor and analyze performance over time. Metrics are stored as a time series, and each data point has an associated timestamp. CloudWatch allows administrators to visualize and analyze these metrics, create alarms, and perform metric math to derive new insights.
To understand the performance of a directory over time, define key performance metrics at the time of the directory's creation. Record instance metrics such as CPU and network interface, and directory-specific metrics such as LDAP searches and DNS queries, to create a performance baseline. Periodically revisit and compare data points for the same metrics to understand trends and resource utilization over time. Using the performance baseline and the periodic follow-ups, administrators decide when it is the right time to scale their directory and which scaling path to take (figure 1).
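The baseline-and-follow-up comparison described above, written out as a small decision helper. This is an added example, not code from the original post: it assumes the metric samples have already been retrieved from CloudWatch (for example with get_metric_statistics or get_metric_data) and are passed in as lists of (timestamp, value) pairs; the metric labels, thresholds and sample values are constructed for illustration. It encodes the post's rule that scale-out is the reversible, preferred path and scale-up is chosen only when an Enterprise-only feature is required.

```python
"""Baseline-versus-recent trend check for AWS Managed Microsoft AD metrics.

Added example, not code from the original post. Assumes metric samples were
already pulled from CloudWatch and are supplied as (timestamp, value) pairs;
labels, thresholds and sample values below are constructed.
"""
from datetime import datetime, timedelta


def series(start, values, step=timedelta(days=1)):
    """Turn a list of values into (timestamp, value) samples, one per step."""
    return [(start + i * step, v) for i, v in enumerate(values)]


def summarize(points):
    """Average and peak of one window of samples."""
    values = [v for _, v in points]
    return sum(values) / len(values), max(values)


def trend(baseline_points, recent_points):
    """Relative growth of the average and the peak, recent window versus baseline."""
    b_avg, b_peak = summarize(baseline_points)
    r_avg, r_peak = summarize(recent_points)
    return {
        "baseline_avg": b_avg,
        "recent_avg": r_avg,
        "avg_growth": (r_avg - b_avg) / b_avg,
        "peak_growth": (r_peak - b_peak) / b_peak,
    }


def recommend(windows, thresholds=None, growth_limit=0.25, needs_enterprise_feature=False):
    """Decide between holding, scaling out and scaling up.

    windows:    {label: (baseline_points, recent_points)}
    thresholds: {label: absolute ceiling for the recent average}, optional
                (e.g. a CPU percentage); growth_limit is the relative growth
                of the average that also counts as pressure.
    Scale-out is preferred because it is reversible; scale-up (Standard to
    Enterprise) is one-way, so it is chosen only when an Enterprise-only
    feature is required.
    """
    thresholds = thresholds or {}
    reasons = []
    for label, (baseline, recent) in windows.items():
        t = trend(baseline, recent)
        ceiling = thresholds.get(label)
        over_ceiling = ceiling is not None and t["recent_avg"] >= ceiling
        if t["avg_growth"] >= growth_limit or over_ceiling:
            reasons.append(f"{label}: avg {t['recent_avg']:.1f} ({t['avg_growth']:+.0%} vs baseline)")
    if needs_enterprise_feature:
        return "scale-up", reasons
    if reasons:
        return "scale-out", reasons
    return "hold", reasons


# Constructed sample data: one week of daily averages recorded at directory
# creation (the baseline) and one week from a later periodic review.
T0 = datetime(2024, 1, 1)
T1 = datetime(2024, 6, 1)
CPU_BASELINE = series(T0, [30, 32, 28, 31, 29, 30, 30])          # percent
CPU_RECENT = series(T1, [45, 48, 47, 50, 46, 49, 51])
LDAP_BASELINE = series(T0, [200, 210, 190, 205, 195, 200, 200])  # searches/sec
LDAP_RECENT = series(T1, [225, 230, 228, 232, 230, 235, 230])

WINDOWS = {
    "CPU %": (CPU_BASELINE, CPU_RECENT),
    "LDAP searches/sec": (LDAP_BASELINE, LDAP_RECENT),
}

if __name__ == "__main__":
    decision, why = recommend(WINDOWS, thresholds={"CPU %": 70})
    print(decision, why)
```

With the constructed data the CPU average has grown 60% over the baseline while LDAP searches have grown only 15%, so the helper recommends scale-out; passing needs_enterprise_feature=True flips the recommendation to scale-up, matching the post's guidance that the one-way upgrade is taken only for an Enterprise-only feature.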
To facilitate tracking and analyzing performance of AWS Managed AD over time, create a custom dashboard including relevant metrics in Amazon CloudWatch.
To create a CloudWatch dashboard
1. Log in to the AWS Management Console and navigate to the CloudWatch service.
2. In the navigation pane, click on "Dashboards" and then click on "Create dashboard".
3. Enter a name for the dashboard and click on "Create".
4. Click on "Add metric".
5. Search for "AWS Directory Service" in the search bar and select the desired metric.
6. Add the metric to the dashboard by clicking on "Add to dashboard".
7. Repeat steps 4-6 for all the metrics you want to include in the dashboard.
8. Once all the metrics are added, click on "Save".
(Optional) To create an alarm in CloudWatch
1. Navigate to the CloudWatch service and click on "Alarms" in the navigation pane.
2. Click on "Create alarm".
3. Select the metric you want to create an alarm for.
4. Set the evaluation period and threshold for the alarm.
5. Configure the actions to be taken when the alarm is triggered.
6. Click on "Create alarm".
Figure 1: A graphical representation of the decision-making process
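The dashboard and alarm that the two console procedures above produce can also be defined as data and pushed with the CloudWatch API, which makes it easy to regenerate the dashboard after a scale-out adds a domain controller. This is an added example, not code from the original post. Its assumptions must be checked against your own account: the namespace AWS/DirectoryService, the dimension names "Directory ID", "Domain Controller IP" and "Metric Category", and the metric names used below are what I expect the console's metric browser to show under "AWS Directory Service", and the directory ID, IP addresses, Region and SNS topic ARN are constructed placeholders. The apply function is the only part that talks to AWS and is not invoked by default.

```python
"""Build a CloudWatch dashboard body and a metric alarm for AWS Managed Microsoft AD.

Added example, not code from the original post. Namespace, dimension names
and metric names are assumptions to verify in the console's metric browser;
IDs, IPs, Region and SNS topic ARN are constructed placeholders.
"""
import json

NAMESPACE = "AWS/DirectoryService"  # assumption: confirm in the metric browser

# (metric name, metric category) pairs; assumed names covering the CPU,
# LDAP-search and DNS-query indicators the post recommends tracking.
TRACKED_METRICS = [
    ("Processor Time", "Domain Controller"),
    ("LDAP Searches/sec", "Active Directory"),
    ("DNS Total Query Received/sec", "DNS"),
]


def metric_line(directory_id, dc_ip, metric, category):
    """One dashboard metric entry: [namespace, name, dimName, dimValue, ...]."""
    return [NAMESPACE, metric,
            "Directory ID", directory_id,
            "Domain Controller IP", dc_ip,
            "Metric Category", category]


def dashboard_body(directory_id, dc_ips, region, period=300):
    """Dashboard JSON: one widget per tracked metric, one line per domain
    controller, so a newly added controller shows up once its IP is listed."""
    widgets = []
    for i, (metric, category) in enumerate(TRACKED_METRICS):
        widgets.append({
            "type": "metric",
            "x": 0, "y": i * 6, "width": 24, "height": 6,
            "properties": {
                "title": f"{metric} ({directory_id})",
                "region": region,
                "period": period,
                "stat": "Average",
                "view": "timeSeries",
                "metrics": [metric_line(directory_id, ip, metric, category) for ip in dc_ips],
            },
        })
    return {"widgets": widgets}


def cpu_alarm(directory_id, dc_ip, sns_topic_arn, threshold=70.0, period=300, periods=3):
    """put_metric_alarm parameters: average CPU above threshold for 3 consecutive periods."""
    return {
        "AlarmName": f"{directory_id}-{dc_ip}-cpu-high",
        "Namespace": NAMESPACE,
        "MetricName": "Processor Time",
        "Dimensions": [
            {"Name": "Directory ID", "Value": directory_id},
            {"Name": "Domain Controller IP", "Value": dc_ip},
            {"Name": "Metric Category", "Value": "Domain Controller"},
        ],
        "Statistic": "Average",
        "Period": period,
        "EvaluationPeriods": periods,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "missing",
        "AlarmActions": [sns_topic_arn],
    }


def apply(dashboard_name, body, alarms, region):
    """Push the dashboard and alarms with boto3 (imported here so the module
    loads offline); needs credentials with CloudWatch permissions."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=region)
    cw.put_dashboard(DashboardName=dashboard_name, DashboardBody=json.dumps(body))
    for alarm in alarms:
        cw.put_metric_alarm(**alarm)


# Constructed placeholders
DIRECTORY_ID = "d-1234567890"
DC_IPS = ["10.0.1.10", "10.0.2.10"]
REGION = "us-east-1"
SNS_TOPIC = "arn:aws:sns:us-east-1:123456789012:ad-alerts"

if __name__ == "__main__":
    body = dashboard_body(DIRECTORY_ID, DC_IPS, REGION)
    alarms = [cpu_alarm(DIRECTORY_ID, ip, SNS_TOPIC) for ip in DC_IPS]
    print(json.dumps(body, indent=2))
    print(json.dumps(alarms, indent=2))
    # apply("managed-ad", body, alarms, REGION)  # run only with credentials in place
```

Keeping the list of domain controller IPs in one place (DC_IPS) is the point: after a scale-out, adding the new IP and re-running apply updates every widget and creates the matching alarm, which is the dashboard step in the post-scaling tasks below.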
Post scaling tasks
After a scale-out operation that deploys additional domain controller instances on a directory, update the relevant network components to maintain full functionality of workflows. Update firewall rules that allow traffic to and from the IP addresses of domain controller instances so that they include the IP addresses of the newly deployed instances. Also update Route 53 Resolver endpoint rules and DNS conditional forwarders that forward queries to the directory instances. Update CloudWatch dashboards that display metric data about the directory to include dimensions for the new IP addresses.
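A drift check for the post-scaling tasks just listed, as an added example that is not code from the original post: it takes the directory's active domain controller IPs and reports which of the firewall rules, Route 53 Resolver rule targets, conditional forwarder lists and dashboard dimensions still lack the new addresses. The record shapes follow the fields returned by the Directory Service describe_domain_controllers call (DnsIpAddr, Status), the EC2 describe_security_group_rules call (CidrIpv4) and the Route 53 Resolver list_resolver_rules call (TargetIps[].Ip); the records themselves are constructed, and the conditional forwarder list is assumed to have been exported from DNS Manager by hand.

```python
"""Post-scale-out drift check for AWS Managed Microsoft AD network components.

Added example, not code from the original post. Input shapes mirror
describe_domain_controllers, describe_security_group_rules and
list_resolver_rules responses; all records below are constructed.
"""
import ipaddress


def active_dc_ips(domain_controllers):
    """IPs of controllers in Status 'Active' (ones still creating or deleting are skipped)."""
    return {dc["DnsIpAddr"] for dc in domain_controllers if dc.get("Status") == "Active"}


def not_covered_by_cidrs(ips, cidrs):
    """IPs that no CIDR covers: a subnet-wide rule covers a new controller, /32 rules do not."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return {ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)}


def missing_in_sg(ips, sg_rules):
    """Controller IPs that no IPv4 security group rule allows."""
    return not_covered_by_cidrs(ips, [r["CidrIpv4"] for r in sg_rules if "CidrIpv4" in r])


def missing_in_resolver_rule(ips, rule):
    """Controller IPs absent from a Route 53 Resolver forwarding rule's targets."""
    return ips - {t["Ip"] for t in rule["TargetIps"]}


def post_scale_report(domain_controllers, sg_rules, resolver_rule, forwarder_ips, dashboard_ips):
    """Map each component to the set of controller IPs it is still missing."""
    ips = active_dc_ips(domain_controllers)
    return {
        "security_group": missing_in_sg(ips, sg_rules),
        "resolver_rule": missing_in_resolver_rule(ips, resolver_rule),
        "conditional_forwarders": ips - set(forwarder_ips),
        "dashboard": ips - set(dashboard_ips),
    }


# Constructed records: two original controllers plus one added by a scale-out.
DOMAIN_CONTROLLERS = [
    {"DomainControllerId": "dc-0000000001", "DnsIpAddr": "10.0.1.10", "Status": "Active"},
    {"DomainControllerId": "dc-0000000002", "DnsIpAddr": "10.0.2.10", "Status": "Active"},
    {"DomainControllerId": "dc-0000000003", "DnsIpAddr": "10.0.3.10", "Status": "Active"},
]
# Application-side firewall written as one /32 per controller before the scale-out.
SG_RULES = [
    {"SecurityGroupRuleId": "sgr-01", "CidrIpv4": "10.0.1.10/32", "FromPort": 389, "ToPort": 389},
    {"SecurityGroupRuleId": "sgr-02", "CidrIpv4": "10.0.2.10/32", "FromPort": 389, "ToPort": 389},
]
RESOLVER_RULE = {
    "Id": "rslvr-rr-0000", "DomainName": "corp.example.com.",
    "TargetIps": [{"Ip": "10.0.1.10", "Port": 53}, {"Ip": "10.0.2.10", "Port": 53}],
}
FORWARDERS = ["10.0.1.10", "10.0.2.10", "10.0.3.10"]  # already updated by the admin
DASHBOARD_IPS = ["10.0.1.10", "10.0.2.10"]

if __name__ == "__main__":
    report = post_scale_report(DOMAIN_CONTROLLERS, SG_RULES, RESOLVER_RULE, FORWARDERS, DASHBOARD_IPS)
    for component, missing in report.items():
        print(f"{component}: {'ok' if not missing else 'missing ' + ', '.join(sorted(missing))}")
```

Run against live data, the same functions take the output of the three API calls named above; the CIDR test matters because a rule written for the whole directory subnet already covers a controller added in that subnet, whereas per-host /32 rules, the usual least-privilege choice, need an explicit update.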
A note on Enterprise features
A few features offered by the service are not suited to the size and compute power of Standard Edition AWS Managed AD and hence are only available in Enterprise Edition. The ability to extend the same AWS Managed AD to additional Regions is available in Enterprise Edition only. Also, Enterprise Edition allows sharing the directory with up to 125 additional accounts, while Standard Edition allows up to 5.
Cleaning up resources
In this blog post, you created components that generate costs. Make sure you clean up these resources when they are no longer required. Follow these steps to remove the components that make up this solution.
- Remove any additional domain controller’s IP addresses from firewall rules, resolver endpoint rules and DNS conditional forwarders.
- Delete any custom CloudWatch dashboards.
- Scale back in any directories to the previous number of domain controller instances.
Conclusion
As organizations grow and thrive, their infrastructure also needs to grow to support the needs of a successful business. This blog post presented the scaling options available in AWS Managed AD and the tools Amazon CloudWatch provides to measure a directory's performance over time. By combining performance baselines, monitoring and planning, administrators make informed decisions about when and how to scale a directory safely and efficiently. By scaling directories in time, organizations optimize efficiency and reduce the risk of outages by having a right-sized directory service to support their workloads. The ability to scale out or in, and to scale additional Regions individually, lets organizations maintain optimal costs for the right level of service.
Additional resources
To learn more about monitoring AWS Managed Microsoft AD with Amazon CloudWatch, visit the following contents: