AWS Landscape 16: Active Directory (AD)

Deploying Active Directory (AD) Domain Controllers in AWS provides centralized authentication for SAP workloads across multi-account environments. High-availability DCs in private subnets, synchronized with on-premises AD via VPN/Direct Connect, enable SSO, GPO enforcement, and consistent identity management for SAP HANA, application servers, and supporting infrastructure.

Key Benefits
Centralized SSO across hybrid environments.
HA across AZs prevents authentication outages.
GPOs enforce security/compliance consistently.
Automatic DNS resolution via DHCP options.

Objective
Deploy redundant AD DCs for SAP workloads ensuring:
Multi-AZ high availability.
On-premises synchronization via VPN/Direct Connect.
EC2 domain join for SAP tiers.
Integrated monitoring and GPO enforcement.

Deployment Architecture

Technical Implementation Steps

Step 1: Launch AD Domain Controller EC2 Instances
Instance Configuration:
Parameter   Value
AMI         Windows Server 2022 Base
Type        m5.large (min)
Subnets     Private subnets, 2+ AZs
Storage     100GB EBS gp3
IAM Role    SSM-Agent, CloudWatchAgentServer

User Data Script (EC2 user data, PowerShell; for automated AD setup):
<powershell>
# Install AD DS and DNS roles
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-WindowsFeature -Name DNS -IncludeManagementTools

# User data runs unattended, so Get-Credential would hang: read the promotion account
# and DSRM password from a Secrets Manager secret (secret name and JSON keys are placeholders)
$s = (Get-SECSecretValue -SecretId "ad/dc-promotion").SecretString | ConvertFrom-Json
$cred = [pscredential]::new($s.username, (ConvertTo-SecureString $s.password -AsPlainText -Force))
$dsrm = ConvertTo-SecureString $s.dsrm_password -AsPlainText -Force

# Promote to DC (additional DC scenario); -Force suppresses confirmation prompts
Install-ADDSDomainController -DomainName "corp.yourcompany.com" `
    -Credential $cred -SafeModeAdministratorPassword $dsrm -InstallDns `
    -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -Force
</powershell>

Step 2: Configure Static Private IPs
Assign IPs outside DHCP range for replication stability:
AZ1 DC1: 10.0.1.10
AZ1 DC2: 10.0.1.11
AZ2 DC1: 10.0.3.10
AZ2 DC2: 10.0.3.11

Step 3: VPC DHCP Options Set
VPC Console → DHCP options sets → Create:
Domain name: corp.yourcompany.com
DNS resolution: Yes
DNS servers: 10.0.1.10,10.0.1.11,10.0.3.10,10.0.3.11
NTP servers: 169.254.169.123 (Amazon Time Sync Service, optional)

Step 4: AD Sites and Services Configuration
On a domain controller:
Active Directory Sites and Services → New Site: AWS-Prod-APAC
Subnet objects: 10.0.0.0/16 → AWS-Prod-APAC
Site link cost: 100 (preferred over on-prem)
Replication: Bridgehead servers = all DCs

Step 5: Join SAP EC2 Instances to Domain
SAP Application Servers (via SSM Run Command):
# $domainCred: a PSCredential for a domain-join account, supplied to the Run Command
# document from Secrets Manager rather than embedded in the script
# Add to domain
Add-Computer -DomainName "corp.yourcompany.com" -Credential $domainCred -Restart

# Verify (after the reboot) that a DC can be located for the domain
nltest /dsgetdc:corp.yourcompany.com

Step 6: Group Policy Objects (GPOs)

Security Baseline GPO:
Computer Configuration:
├── Windows Settings → Security Settings → Account Policies
│   ├── Password Policy: 14+ chars, 90-day expiry
│   └── Account Lockout: 5 attempts, 15-min lock
├── Restricted Groups: SAP admins only
└── Windows Firewall: SAP ports only

Step 7: AWS Integration
SSM → AD Auth (IAM roles assume domain credentials)
RDS SQL Server → AD Authentication
WorkSpaces → AD Join

Step 8: Monitoring & Health Checks
CloudWatch Agent Config (JSON; the log group name is a placeholder):
{
  "metrics": {
    "metrics_collected": {
      "Processor": {"measurement": ["% Processor Time"], "resources": ["*"]},
      "LogicalDisk": {"measurement": ["% Free Space"], "resources": ["*"]}
    }
  },
  "logs": {
    "logs_collected": {
      "windows_events": {
        "collect_list": [
          {
            "event_name": "Directory Service",
            "event_levels": ["ERROR", "WARNING"],
            "log_group_name": "ad-dc-directory-service"
          }
        ]
      }
    }
  }
}

Active Directory Health Alarms:
Metric                 Threshold   Action
DCDiag failures        >0          Critical alert
Replication latency    >15 min     Warning
NTDS CPU               >80%        Scale concern
DNS query failures     >5%         Immediate

Validation Commands (from bastion/jumpbox):
# DC Health
dcdiag /test:replications
repadmin /replsummary
# Client connectivity
nltest /dsgetdc:corp.yourcompany.com
nltest /sc_query:corp.yourcompany.com
# DNS Resolution
nslookup sap-app01.corp.yourcompany.com 10.0.1.10
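The health alarms and validation commands above can be tied together in one probe that runs on each DC and publishes the numbers the alarm table thresholds on. This is an added example, not part of the original post; it assumes the ActiveDirectory module and AWS Tools for PowerShell (AWS.Tools.CloudWatch) are installed, the instance role allows cloudwatch:PutMetricData, and the namespace and metric names are chosen here rather than AWS defaults.

```powershell
Import-Module ActiveDirectory
Import-Module AWS.Tools.CloudWatch

function Get-DcHealthSnapshot {
    param([string]$Domain = "corp.yourcompany.com")

    # 1. dcdiag: count "failed test" lines (alarm row: DCDiag failures > 0)
    $dcdiagFailures = @(& dcdiag.exe /test:replications | Select-String -Pattern 'failed test').Count

    # 2. Inbound replication partners (alarm row: replication latency > 15 min)
    $partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -ErrorAction Stop
    $now = Get-Date
    $latencyMin = ($partners | ForEach-Object { ($now - $_.LastReplicationSuccess).TotalMinutes } |
                   Measure-Object -Maximum).Maximum
    $replFailures = ($partners | Measure-Object -Property ConsecutiveReplicationFailures -Sum).Sum

    # 3. DNS: the SRV record clients use to locate a DC must resolve (alarm row: DNS failures)
    $dnsFailed = 0
    try { $null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop }
    catch { $dnsFailed = 1 }

    [pscustomobject]@{
        DcdiagFailures        = $dcdiagFailures
        ReplicationLatencyMin = [math]::Round($latencyMin, 1)
        ReplicationFailures   = [int]$replFailures
        DnsSrvLookupFailed    = $dnsFailed
    }
}

function Publish-DcHealthMetrics {
    # Namespace is a name chosen for this example, not an AWS default
    param([Parameter(Mandatory)]$Snapshot, [string]$Namespace = "SAP/ActiveDirectory")
    $dim = New-Object Amazon.CloudWatch.Model.Dimension
    $dim.Name = "DomainController"; $dim.Value = $env:COMPUTERNAME
    $data = foreach ($p in $Snapshot.PSObject.Properties) {
        $m = New-Object Amazon.CloudWatch.Model.MetricDatum
        $m.MetricName = $p.Name
        $m.Value      = [double]$p.Value
        $m.Unit       = "None"
        $m.Dimensions = [System.Collections.Generic.List[Amazon.CloudWatch.Model.Dimension]]@($dim)
        $m
    }
    Write-CWMetricData -Namespace $Namespace -MetricData $data
}

# Run on the DC itself (scheduled task or SSM Run Command); CloudWatch alarms then apply the thresholds above
$snap = Get-DcHealthSnapshot
$snap | Format-List
Publish-DcHealthMetrics -Snapshot $snap
```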

Architecture Diagram

Best Practices
DC Passwords: AWS Secrets Manager rotation.
Backup: Regular ntdsutil snapshots to EBS → S3.
Time Sync: Disable Windows NTP, use Amazon Time Sync Service.
Scaling: Auto Scaling Group with warm pool for DC replacement.
Disaster Recovery: Read-only DCs in DR region.

Multi-Account Strategy
Security OU → Logging Account (centralized Event Logs)
Production OU → SAP Prod DCs
Non-Prod OU → Dev/QA DCs (separate forest)
