AWS Black Belt Online Seminar AWSActive Directory IT
2016.10.18
(@gentaw0)
Windows Specialist
AWS Amazon WorkSpaces
IT
AWSSMESubject Matter Expert
AWS AWS
S3
AWS Black Belt Online Seminar AWSJTechAWS
12:00~13:00AWS(IoT etc.)
18:00~19:00AWS(EC2RDSLambda etc.)
& https://aws.amazon.com/jp/about-aws/events/webinars/
Agenda
AWSActive Directory /
LDAPActive DirectoryOpenLDAP
Active Directory
Windows
Windows 2000
NT Security Account ManagerSAM40MB
Active Directory AD DS
VPC
Active Directory
AD DS GC
Active DirectoryDNS
Remote Desktop
https://s3.amazonaws.com/quickstart-reference/microsoft/activedirectory/latest/doc/Microsoft_Active_Directory_Quick_Start.pdf
AWSAWS
CloudFormation
Webinar2 Active Directory Domain Services on the AWS Cloud Web Application Proxy and AD FS on the AWS Cloud
https://aws.amazon.com/jp/quickstart/
AWS
Agenda
AWSActive Directory /
Active Directory (AD DS)4
AD DS
AWS1:AD DS 2:AD DSAWS 3:AD DSAWS 4:AD DSAWS Directory ServiceAWS
1:AD DS
AD AWS /
Availability Zone
Availability Zone
DC
2:AD DSAWS AD DSAWSVPC VPCVPCDNS
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, Elastic IPs) and a Private Subnet (DC/GC/DNS); Remote Management & Administration path into the VPC]
3:AD DSAWS
EC2AD DS AD DSVPC/
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, Elastic IPs) and a Private Subnet (DC/GC/DNS)]
4:AD DSAWS Directory ServiceAWS EC2AD DSAWS Directory Service (Microsoft AD) Microsoft ADWindows Server 2012 R2
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, Elastic IPs) and a Private Subnet backed by AWS Directory Service]
AWS Directory Service
AWS Directory Service
[Diagram, Microsoft AD: Availability Zone A (Private Subnet, C-DCA) and Availability Zone B (Private Subnet, C-DCB) forming company.cloud, connected via Direct Connect to the Corporate Network (Seattle DC1, Tacoma DC2) running company.local]
AWS Directory Service(Microsoft AD) Domain AdminsAWS
Microsoft AD/ Microsoft AD
Microsoft ADDC
URL: https://aws.amazon.com/jp/directoryservice/schema-extensions/
Windows Server 2012 R2
DNS DNSDNS
Group PolicyOU (GPO)
50,000200,000()
Active Directory
Active Directory
//OU
)AD DS (TechNet)https://technet.microsoft.com/en-us/library/817d84f0-a0c3-4776-8ea3-20054f342a70
AZ1 VPCAD DSAD DS
[Diagram: numbered options 1 to 4 for placing domain controllers (DC) across Availability Zones]
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, Elastic IPs) and a Private Subnet (DC/GC/DNS); Remote Management & Administration path into the VPC]
AD DS(DC/GC/DNS)
VPC
Remote Desktop Gateway
Active Directory
DNSDHCP
FSMO
VPC
Private Subnet
Remote Desktop GatewayPublic Subnet
IP
AD DSAWS
Ingress
EgressIngress
AD DSAWS
Active Directory
Microsoft Active Directory Domain Services on the AWS CloudActive Directory and Active Directory Domain Services Port Requirements
Active Directory and Active Directory Domain Services Port Requirements (Microsoft TechNet Library)
https://technet.microsoft.com/en-us/library/8daead2d-35c1-4b58-b123-d32a26b1f1dd
VPCDNSDHCP Amazon VPC DHCP Option Set
Amazon provided DNS(DNS) DNSDNSDNS
DHCP Option SetDNS VPCDHCPDHCP
DHCPDHCP
[Diagram: DNS resolution within an Availability Zone between subnet clients, DC/GC/DNS and Amazon Provided DNS]
Remote Desktop Gateway
Remote Desktop Gateway Remote Desktop Protocol (RDP) over HTTPS WindowsAmazon EC2 VPN
AZAZRemote Desktop Gateway
[Diagram: RDGW with Elastic IPs in the Public Subnet of each Availability Zone, reached through the Internet Gateway for Remote Management & Administration]
AD DS
AZAZ (GC)DNSAZ AZAD DS
AZAZ
[Diagram: DC/GC/DNS deployed in each of two Availability Zones]
Active Directory
AWS PCDC
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, Elastic IPs) and a Private Subnet (DC/GC/DNS)]
FSMO
FSMOVPCDC
DRVPCFSMO
[Diagram: the DC holding the FSMO roles alongside the other DCs, spread across two Availability Zones]
DC
Volume Shadow Copy(VSS)Active Directory
Windows ServerActive Directory
Amazon EBS
Snapshot
DCVSSEBS
DC DC
USN DC
[Diagram: three domain controllers, DC 1, DC 2 and DC 3]
https://technet.microsoft.com/ja-jp/library/dd363545(v=ws.10).aspx
3 DC DBDC
DC DC
DC
DSRM EC2 WindowsDSRM DC (DSRM, Directory Services Restore Mode) DCDC
DCDC
http://docs.aws.amazon.com/ja_jp/AWSEC2/latest/WindowsGuide/common-issues.html#boot-dsrm
Active DirectoryADFS
IDWebSSO
AD DS/AD LDSSAML 1.1/2.0
Office 365Google AppsSSO
ADFS/WAP
https://s3.amazonaws.com/quickstart-reference/microsoft/wapadfs/latest/doc/Web_Application_Proxy_and_ADFS_on_the_AWS_Cloud.pdf
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, WAP, Elastic IPs) and a Private Subnet (DC/GC/DNS, ADFS)]
VPNWeb Application ProxyWAPPrivate SubnetADFS
ADFS
1,000 2
AZ1,00015,000 ADFSWAP
WID (Windows Internal Database
15,00060,000 5ADFS2WAPWIDSQL Server
HW8 CPU4GiB RAM1 Gigabit
WAPADFSELB WAPInternet-facing load balancerADFS
Internal load balancer
HEC2C4.2xlarge (8 vCPU15GiB)
HWEBSIOPS
1: WAPWeb
WAPWebSharePoint/OWA/LyncWeb
Denial-of-service (DOS) DOS
ADFS
https://technet.microsoft.com/en-us/library/dn383650.aspx
Planning to Publish Applications Using Web Application Proxy
2:
[Diagram: federation flow between AD, ADFS and AWS in steps (1) to (6), including (3) SAML and (4) AssumeRoleWithSAML]
AWS IAMActive DirectoryAWS
AWS SAML 2.0 (Security Assertion Markup Language) ID
DC/GC/DNS
ADFS STS
AWS Identity and Access Management (IAM)
AWS
AWS AWS
3 AWS Management ConsoleAssumeRole
1) IAMAD
2:AD Connector
2) ADaccess URL
2 LDAPKerberosVPN
[Diagram: AD users User1 and User2 in Group1, and the roles ReadOnly, Admin and S3-Access, accessed through the AWS Directory Service access URL mycompany.awsapps.com/console]
3: ADFS + Office 365
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, WAP, Elastic IPs) and a Private Subnet (DC/GC/DNS, ADFS)]
SAML 2.0
Active Directory ADFSIdp Office 365
3: IDaaS + Office 365
[Architecture diagram: two Availability Zones, each with a Public Subnet (RDGW, Elastic IPs) and a Private Subnet (DC/GC/DNS) with AD Connector, federating to Office 365 over SAML 2.0]
IDaaSOktaOneLoginPingFederation Office 365
SSO
[Diagram: on-premises Active Directory (DC/GC/DNS) linked through AD Connector to AWS Directory Service (C-DCA, C-DCB); the IDaaS federates to SaaS applications over WS-Federation / SAML 2.0 / OAuth 2.0 / OpenID Connect]
Amazon Web ServicesActive DirectoryWindows
AWSActive Directory
AWS Management ConsoleSSO
Active Directory https://technet.microsoft.com/ja-jp/windowsserver/ff699017.aspx#01
Active Directory Domain Services on the AWS Cloud http://docs.aws.amazon.com/ja_jp/quickstart/latest/active-directory-ds/welcome.html
Active Directory Domain Services on the AWS Cloud http://www.slideshare.net/AmazonWebServices/biz303-active-directory-in-the-aws-cloud-aws-reinvent-2014
Web Application Proxy and AD FS on the AWS Cloud https://s3.amazonaws.com/quickstart-reference/microsoft/wapadfs/latest/doc/Web_Application_Proxy_and_ADFS_on_the_AWS_Cloud.pdf
AWS
http://aws.amazon.com/jp/aws-jp-introduction/
AWS Solutions Architect Q&A http://aws.typepad.com/sajp/
Twitter/FacebookAWS
@awscloud_jp
http://on.fb.me/1vR8yWm
AWS AWShttps://aws.amazon.com/jp/contact-us/aws-sales/
AWS