AWS SA Professional – Practice Question 11


An enterprise customer is starting their migration to the cloud, their main reason for migrating is agility, and they want to make their internal Microsoft Active Directory available to any applications running on AWS; this is so internal users only have to remember one set of credentials and as a central point of user control for leavers and joiners. How could they make their Active Directory secure, and highly available, with minimal on-premises infrastructure changes, in the most cost and time-efficient way? (Choose 1)

a. Using Amazon Elastic Compute Cloud (EC2), they could create a DMZ using a security group; within the security group they could provision two smaller Amazon EC2 instances that are running Openswan for resilient IPSEC tunnels, two larger instances that are domain controllers, they would use multiple availability zones.

b. Using VPC, they could create an extension to their data centre and make use of resilient hardware IPSEC tunnels; they could then have two domain controller instances that are joined to their existing domain and reside within different subnets, in different availability zones.

c. Within the customer’s existing infrastructure, they could provision new hardware to run Active Directory Federation Services; this would present Active Directory as a SAML2 endpoint on the internet; any new application on AWS could be written to authenticate using SAML2.

d. The customer could create a stand-alone VPC with its own Active Directory Domain Controllers; two domain controller instances could be configured, one in each availability zone; new applications would authenticate with those domain controllers.

This question tests your understanding of how to extend an existing on-premises Active Directory into AWS, and of the options AWS offers for doing so. (AWS Directory Service also offers AD Connector and AWS Managed Microsoft AD, but none of the four options uses them, so this question turns on basic Active Directory and VPN concepts.) A few fundamentals of Active Directory are worth knowing before you start on the answer.

What is Active Directory?

Active Directory Domain Services (AD DS) is Microsoft’s directory server. It provides authentication (Kerberos and NTLM) and authorization mechanisms as well as a framework within which related services can be deployed (AD Certificate Services, AD Federation Services, etc.). It is an LDAP-compliant directory that holds objects such as user accounts, groups and computer accounts, alongside a raft of other functionality (Group Policy, DNS integration and so on).

At a very high level, Active Directory uses a multi-master replication model to synchronize objects between Domain Controllers, which may be located in multiple geographical locations. Replication within a site is near-immediate; replication between sites is scheduled and compressed according to the site links defined in AD Sites and Services, which is why any Domain Controllers you place in a VPC should be given their own site. Should you want to read more on this, read the following:

How the Active Directory Replication Model Works

If I were to recommend anything, I’d suggest watching the following session from re:Invent 2016 and reading the AWS blog post:

So, back to the question at hand; let’s rule out the obvious answers first.

“Answer D” is incorrect.  Whilst creating a couple of Domain Controllers within the VPC is a good idea (and obviously one in each Availability Zone for resilience), a stand-alone VPC with its own Domain Controllers would be a new, separate Active Directory forest, so end users would end up having to remember multiple sets of credentials and leavers and joiners would have to be managed in two places.  The proposed solution also says nothing about establishing connectivity between the AWS VPC and the on-premises data centre, so these Domain Controllers could not communicate with, let alone replicate from, the existing Domain Controllers.

“Answer A” is also incorrect.  Whilst the solution does recommend resilient VPN connections to the on-premises facility where the existing Domain Controllers reside, in my opinion it is not a cost- and time-efficient solution.  You would have to provision, patch and monitor EC2 instances running Openswan, and pay for them to run permanently, when you should really use a Customer Gateway and a Virtual Private Gateway: an AWS VPN connection between the two provisions two IPsec tunnels anyway, at a fraction of the cost of the Openswan instances.  (A security group is also not a DMZ; it is a stateful firewall applied to instances, so the option’s wording of “a DMZ using a security group” is a warning sign in itself.)  The part of the solution that recommends provisioning EC2 instances in different Availability Zones to function as Domain Controllers is correct, since those instances could be joined to the existing on-premises Active Directory forest and then promoted to Domain Controllers (historically with ‘dcpromo’; since Windows Server 2012 the supported route is the ADDSDeployment PowerShell module’s Install-ADDSDomainController or the Server Manager wizard).
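To make the cost and effort comparison concrete, here is what the managed alternative to the Openswan instances looks like. This is an added example, not code from the original post or from AWS: it uses the AWS Tools for PowerShell to create the Customer Gateway, Virtual Private Gateway and VPN connection (AWS provisions the two IPsec tunnels itself), then opens only the Active Directory ports on the Domain Controllers’ security group, from the VPC and on-premises ranges only. The VPC, route table and security group IDs, the CIDRs and the public IP are placeholders for the customer’s own values.

```powershell
# Added example (not from the original post). Assumes the AWS Tools for PowerShell
# (AWS.Tools.EC2) are installed and credentials/region are already configured.
# All IDs and addresses below are placeholders for the customer's own values.
Import-Module AWS.Tools.EC2

$vpcId        = 'vpc-0123456789abcdef0'   # VPC hosting the new Domain Controllers
$vpcCidr      = '10.20.0.0/16'            # VPC address range
$onPremCidr   = '10.0.0.0/16'             # on-premises range where the existing DCs live
$onPremVpnIp  = '203.0.113.12'            # public IP of the on-premises IPsec device
$dcSgId       = 'sg-0123456789abcdef0'    # security group attached to the DC instances
$routeTableId = 'rtb-0123456789abcdef0'   # route table of the DC subnets

# 1. Managed IPsec: one Customer Gateway (the on-premises device) and one
#    Virtual Private Gateway attached to the VPC. No EC2 instances involved.
$cgw = New-EC2CustomerGateway -Type 'ipsec.1' -PublicIp $onPremVpnIp -BgpAsn 65000
$vgw = New-EC2VpnGateway -Type 'ipsec.1'
Add-EC2VpnGateway -VpnGatewayId $vgw.VpnGatewayId -VpcId $vpcId | Out-Null

# 2. The VPN connection. AWS builds two IPsec tunnels to two separate endpoints
#    for this single connection, which is the resilience Option A was paying
#    two Openswan instances for. Static routing keeps the example simple; use
#    BGP if the on-premises device supports it.
$vpn = New-EC2VpnConnection -Type 'ipsec.1' `
    -CustomerGatewayId $cgw.CustomerGatewayId `
    -VpnGatewayId $vgw.VpnGatewayId `
    -Options_StaticRoutesOnly $true
New-EC2VpnConnectionRoute -VpnConnectionId $vpn.VpnConnectionId -DestinationCidrBlock $onPremCidr
Enable-EC2VgwRoutePropagation -RouteTableId $routeTableId -GatewayId $vgw.VpnGatewayId

# The on-premises device configuration (including the tunnel pre-shared keys)
# is returned in CustomerGatewayConfiguration; treat the file as a secret.
$vpn.CustomerGatewayConfiguration | Out-File -FilePath '.\cgw-config.xml'

# 3. Least privilege on the Domain Controllers: only the ports AD DS needs,
#    and only from the VPC and the on-premises range, never 0.0.0.0/0.
$adPorts = @(
    @{ Proto = 'udp'; From = 53;    To = 53    },  # DNS
    @{ Proto = 'tcp'; From = 53;    To = 53    },  # DNS
    @{ Proto = 'udp'; From = 88;    To = 88    },  # Kerberos
    @{ Proto = 'tcp'; From = 88;    To = 88    },  # Kerberos
    @{ Proto = 'udp'; From = 123;   To = 123   },  # NTP (clock skew breaks Kerberos)
    @{ Proto = 'tcp'; From = 135;   To = 135   },  # RPC endpoint mapper
    @{ Proto = 'udp'; From = 389;   To = 389   },  # CLDAP (DC locator pings)
    @{ Proto = 'tcp'; From = 389;   To = 389   },  # LDAP
    @{ Proto = 'tcp'; From = 445;   To = 445   },  # SMB (SYSVOL/NETLOGON, Group Policy)
    @{ Proto = 'tcp'; From = 464;   To = 464   },  # Kerberos password change
    @{ Proto = 'udp'; From = 464;   To = 464   },  # Kerberos password change
    @{ Proto = 'tcp'; From = 636;   To = 636   },  # LDAPS
    @{ Proto = 'tcp'; From = 3268;  To = 3269  },  # Global Catalog (plain and TLS)
    @{ Proto = 'tcp'; From = 49152; To = 65535 }   # dynamic RPC range (replication, AD tools)
)
$permissions = foreach ($p in $adPorts) {
    foreach ($cidr in $vpcCidr, $onPremCidr) {
        @{ IpProtocol = $p.Proto; FromPort = $p.From; ToPort = $p.To; IpRanges = $cidr }
    }
}
Grant-EC2SecurityGroupIngress -GroupId $dcSgId -IpPermission $permissions
```

The on-premises firewall needs the mirror image of step 3 for the VPC range, and the dynamic RPC range is what most people forget: without it the Domain Controllers join the domain but inbound replication and the AD management tools fail.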

“Answer C” recommends provisioning new hardware to implement Active Directory Federation Services, which would not be cost efficient.  Similarly, from previous experience, Federation Services can be a rather time-consuming process to configure and secure (you should really use a TLS certificate from a publicly trusted certificate authority, and an internet-facing ADFS endpoint should sit behind a Web Application Proxy rather than be exposed directly), although the installation of Federation Services itself is relatively simple.  The solution also only covers new applications written to authenticate via SAML 2.0; anything that relies on Kerberos, NTLM or LDAP (file shares, SQL Server with Windows authentication, domain-joined servers) would not be covered, whereas the question asks for any application running on AWS to use the existing Active Directory.   For these reasons I believe this is also incorrect.

“Answer B” is the correct answer.  The solution establishes connectivity to the on-premises network via an AWS VPN connection (a Virtual Private Gateway on the VPC and a Customer Gateway representing the on-premises IPsec device), which gives two redundant IPsec tunnels with no extra instances to run.  It then recommends provisioning two Domain Controllers joined to the existing Active Directory domain, in different subnets in different Availability Zones.  This extends the existing Active Directory into AWS whilst allowing end users to keep a single set of credentials for all applications, both within AWS and on-premises, and keeps one place in which to disable leavers.  In practice you would also define the VPC’s CIDR as a subnet in its own site in AD Sites and Services (so clients in AWS authenticate against the local Domain Controllers and inter-site replication over the VPN is scheduled rather than continuous), point the VPC’s DHCP options set at the new Domain Controllers for DNS, and restrict the Domain Controllers’ security groups to the AD ports (DNS, Kerberos, LDAP/LDAPS, SMB, the RPC endpoint mapper and the dynamic RPC range) from the VPC and on-premises ranges only.
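As an added example (not the original post’s or AWS’s own code) of what “joined to the existing domain” involves on the instances themselves, here is the Active Directory side of Answer B in PowerShell, run on each EC2 Windows instance that will become a Domain Controller: check that the VPN actually carries AD traffic, give the VPC its own site and subnet, promote the instance into the existing domain with the ADDSDeployment module rather than the retired dcpromo, and verify replication afterwards. The domain name, site name, VPC CIDR and Domain Controller hostname are placeholders.

```powershell
# Added example (not from the original post). Run on the EC2 Windows instance that
# will become a Domain Controller, with Domain Admin rights in the existing forest.
# Domain, site and address values are placeholders.
$domain     = 'corp.example.com'
$siteName   = 'AWS-eu-west-1'
$vpcCidr    = '10.20.0.0/16'
$onPremSite = 'Default-First-Site-Name'   # rename if the on-premises site has its own name
$onPremDc   = 'dc01.corp.example.com'     # an existing, reachable Domain Controller

# 0. Prerequisite: the VPN and security groups must already pass AD traffic.
#    Fail fast rather than discover this half-way through promotion.
foreach ($port in 53, 88, 135, 389, 445) {
    if (-not (Test-NetConnection -ComputerName $onPremDc -Port $port -InformationLevel Quiet)) {
        throw "TCP $port to $onPremDc is blocked; fix the VPN / security groups before promoting."
    }
}

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$cred = Get-Credential -Message "Domain Admin for $domain"
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# 1. Give the VPC its own site. Clients in AWS then pick the local DCs, and
#    replication over the VPN follows the site link schedule instead of being
#    treated as LAN traffic. Idempotent: skipped if the site already exists.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'" -Server $onPremDc -Credential $cred)) {
    New-ADReplicationSite   -Name $siteName -Server $onPremDc -Credential $cred
    New-ADReplicationSubnet -Name $vpcCidr -Site $siteName -Server $onPremDc -Credential $cred
    New-ADReplicationSiteLink -Name "$onPremSite-$siteName" `
        -SitesIncluded $onPremSite, $siteName `
        -Cost 100 -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP -Server $onPremDc -Credential $cred
}

# 2. Promote into the EXISTING domain (this is what replaced dcpromo), as a
#    DNS server and Global Catalog (the default), placed directly in the new site.
#    The Test-* cmdlet runs the same prerequisite checks without changing anything.
Test-ADDSDomainControllerInstallation -DomainName $domain -SiteName $siteName `
    -Credential $cred -InstallDns -SafeModeAdministratorPassword $dsrm

Install-ADDSDomainController -DomainName $domain -SiteName $siteName `
    -Credential $cred -InstallDns -SafeModeAdministratorPassword $dsrm `
    -Force   # reboots the instance when promotion completes

# 3. After the reboot, confirm the DC landed in the right site and is pulling
#    changes from on-premises. A non-zero LastReplicationResult or any entry
#    from Get-ADReplicationFailure usually means the dynamic RPC range is blocked.
# nltest /dsgetsite
# Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
#     Select-Object Partner, LastReplicationSuccess, LastReplicationResult
# Get-ADReplicationFailure -Target $env:COMPUTERNAME
```

Do the site and subnet work once, before promoting the first instance; the second Domain Controller in the other Availability Zone runs the same script and simply finds the site already present. Once both are in, update the VPC’s DHCP options set so instances in the VPC use these two Domain Controllers for DNS, otherwise domain joins from AWS will still go over the VPN to on-premises.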

