Which solution to implement: migrating to Managed AD, AD Connector, or a trust?

0

Hi Friends,
I am a bit new to this AWS Managed AD. Please suggest the best solution based on the requirements/situation below.

I have an EC2 instance where I am running Microsoft Windows AD with approx. 500 users and 50 domain-joined computers. Now I want my existing users to use AWS-hosted applications with the same credentials, and I want other EC2 instances to be domain joined as well and to use AWS resources.
Presently the EC2 AD is synced with Okta, but later on Okta will be synced from AWS Managed AD (if required) or operate as it is.

  1. Now, with these requirements, what is the best solution? Entirely migrating to Managed AD, AD Connector, or a trust between the EC2 AD and Managed AD?
  2. Also, in order to achieve the above goal, if we have to migrate from the EC2 AD to AWS Managed AD (with the ADMT tool), can we keep the same domain name in AWS Managed AD as in the EC2 Windows AD?
  3. Or is that not required; can we simply extend our EC2 AD to Managed AD (with a different domain name) with an AD trust?
  4. Also, what is the ideal situation for migrating from on-prem AD to AWS Managed AD with tools like ADMT?

PS: A detailed answer would be appreciated rather than sharing AWS tutorial links.

Edited by: Swaprakash on Jul 8, 2021 1:54 AM

CrownJ
asked 3 years ago, 481 views
4 Answers
0
Accepted Answer

Yes, the situation you describe would be my recommendation. This blog post describes the process.
https://aws.amazon.com/blogs/security/how-to-migrate-your-on-premises-domain-to-aws-managed-microsoft-ad-using-admt/

AWS
answered 3 years ago
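As an added illustration (not from this thread and not AWS's own tooling), the PowerShell below is a pre-flight check a practitioner could run on the self-managed (EC2) domain controller before following the trust-then-ADMT migration the accepted answer points to. The domain names and DNS addresses are placeholders, and it assumes the RSAT ActiveDirectory and DnsServer modules are installed on that server.

```powershell
# Added example, not from the thread or from AWS. Pre-migration checks on the
# self-managed (EC2) domain controller before ADMT is run across a trust to
# AWS Managed Microsoft AD. All names and addresses are placeholders.
#Requires -Modules ActiveDirectory, DnsServer

$SourceDomain  = 'corp.example.local'            # placeholder: existing EC2-hosted AD
$ManagedDomain = 'aws.example.com'               # placeholder: new AWS Managed AD
$ManagedDnsIps = @('10.0.10.10', '10.0.11.10')   # placeholder: Managed AD DNS addresses

# 1. ADMT needs distinct source and destination domain names (as the thread states).
if ($SourceDomain -ieq $ManagedDomain) {
    throw 'Source and destination domain names must differ for an ADMT migration.'
}

# 2. Name resolution: the source DNS needs a conditional forwarder for the Managed AD zone.
if (-not (Get-DnsServerZone -Name $ManagedDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ManagedDomain `
        -MasterServers $ManagedDnsIps -ReplicationScope Forest
}
$resolved = Resolve-DnsName -Name $ManagedDomain -Type A -ErrorAction Stop
Write-Host "Resolved $ManagedDomain to: $($resolved.IPAddress -join ', ')"

# 3. Confirm the trust to the Managed AD exists and note its direction before migrating.
$trust = Get-ADTrust -Filter "Name -eq '$ManagedDomain'" -ErrorAction SilentlyContinue
if (-not $trust) {
    throw "No trust to $ManagedDomain found on $SourceDomain; create it before migrating."
}
Write-Host "Trust direction: $($trust.Direction); forest transitive: $($trust.ForestTransitive)"
# netdom validates the trust's secure channel, which Get-ADTrust alone does not do.
netdom trust $SourceDomain /d:$ManagedDomain /verify

# 4. Inventory what ADMT will move, so object counts can be compared after migration.
$userCount     = (Get-ADUser -Filter 'Enabled -eq $true' | Measure-Object).Count
$computerCount = (Get-ADComputer -Filter * | Measure-Object).Count
Write-Host "Source objects to migrate: $userCount enabled users, $computerCount computers"

# 5. Record FSMO role holders: the source domain is retired only after every object
#    and domain-joined computer has moved, otherwise demotion strands them.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

Run it under an account with Domain Admin rights on the source domain; the counts in step 4 are the figures to recheck in the AWS Managed AD once ADMT has finished and before the EC2-hosted domain controller is demoted.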
0

Please, could someone respond to this thread?

CrownJ
answered 3 years ago
0

Hello there,

Thank you for contacting AWS.

Please find the answers below to your questions:

  1. As per the use case you mentioned, it seems AD Connector would be a more suitable option, as it will allow your self-managed AD users to use services like WorkSpaces, WorkDocs and the AWS Management Console with the same AD credentials. AD Connector will also give you the feature of seamless domain join of your EC2 instances to the self-managed AD.
    https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html

  2. When using ADMT, the source and destination domain names cannot be the same.

  3. As per the use case, your users and computers are present in the self-managed AD, and creating an AWS Managed AD just for the purpose of a trust does not seem efficient. You can go with AD Connector as stated above.
    If you want two directories and you are going to create users and computers in AWS Managed AD, then you can go with this option.

  4. The ideal situation to migrate from on-prem AD to AWS Managed AD is when you are moving your entire on-prem infrastructure to AWS, or when you no longer want to manage Active Directory yourself and want AWS to do it for you.
    With AWS Managed Microsoft AD, you can run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications, which cannot be done with AD Connector.
    https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html

I hope this information helps.

Thanks

AWS
Robin-P
answered 3 years ago
0

Thanks for your detailed answer, it was really helpful and informative.

Another situation: if we want to get rid of the EC2-hosted Microsoft AD completely, can we first create an AWS Managed AD with a different domain name, then create an AD trust between them, migrate everything from the EC2 AD to the AWS AD with the ADMT tool, and then demote the EC2-hosted AD? Will this work? What will be the best approach in this case?

CrownJ
answered 3 years ago
