AWS recommend an AD site per Availability Zone within a VPC, they recommend this to "help ensure that domain joined instances will primarily use a Domain Controller closest to them". As bandwidth is high and latency is low between them, I'm inclined to disregard this advise in favor of one site per VPC. This would help make site links from the branch offices to AWS simpler. What are your thoughts on the matter?
Sites and Services with AWS Availability Zones
- 414 Views
- Last Post 01 June 2016
This is on my mind right now, too. So far just one site per VPC, but it’s not production yet. The thinking is that we’ll probably have another VPC in another
region (as another site with its own DC), rather than focusing on multiple AZ’s in one region. Although we do have multiple AZ’s in our first region, required by the database service.
Re: “help make site links from the branch offices to AWS simpler” – can you elaborate your thinking here? With just one VPN gateway for the entire VPC it shouldn’t
matter how many AZ’s are behind it, right? Meaning you don’t need to set up separate networking for each AZ in a VPC, as far as your branch is concerned. Fewer AD sites and site links, yes..
On a related note, I see the possibility of other areas of our organization having their own AWS accounts and therefore VPCs, VPN gateways, etc. Looking at VPC
peering as an option to give them AD connectivity without standing up a DC in their account. Which would expand the AD site to include additional space in the same region (or AZ).
We will eventually have multiple VPC's each with two AZ's, the design authority for the data centres decision, which I can't comment on, only to say that it seems sensible to have independently available infrastructure within any given region, as we have large a user base in each continent.
Re the point you highlighted; with multiple AZ's, a site for each; I should/would put a DC in each site (AZ), and I would have to split my Branch Office sites to link to one or the other site (unless I'm mistaken). Which means I then have to manage those connections, and balance them out as i add and remove office.
However, I've discovered the answer. I need a site per AZ, that's because there is a cost for data exchange between AZ. In an example where I have DFS File servers and Citrix Servers in each AZ, I would want the Citrix server to look at the DFS node in it's local AZ, and not treat all DFS nodes equal.
Following up on this thread to see if anyone has gotten further in deploying an extension of their AD infrastructure into AWS zones. Did you put your Cloud-based
AD DC’s into its own VPC? Do you have it in a separate AD site? Are you bridgeheading the replication to control the replication topology back to on-premise?
One business concern being expressed to us is replication latency. We spec’d out only 15 minutes for site-to-site replication, but there seems to be grumblings
of some apps wanting it faster (though not necessarily instantaneous). What is your replication latency from on-prem to the cloud? I can only imagine this being a real issue for password changes and authentication.
Senior Manager, Enterprise Systems
Technology Services at Illinois
University of Illinois at Urbana-Champaign
I have implemented an AD environment in a single VPC with multiple AZs in place. I use 3 AZs but they are on single site when it comes to replication. I did tweak the DNS configuration as well as enabled slow link detection for group policy processing. To date I have not seen adverse outcomes. This is a 100% in AWS and no On-Prem connections to it. All the member servers and services function really smooth just as if they are all in one AZ.
Our business is made up of 5 divisions, because of the way the business is run, the datacentre team chose one VPC per division, with two AZ for each VPC. As each VPC is a network boundary and each AZ is a phyiscal boundary, I treat each AZ within each VPC within each Region as a location, and therefore an Active Directory Site. I put Domain Controllers in the two AZ's for the VPC representing our division, you could put DC's in any AZ, it really wouldn't matter, but always put them in at least two different AZ's. I put all the sites in the same site link, along with the the site that they all connect to, to replicate out of AWS.
Remember; your sites are there for more than AD; SCCM and DFS rely on them also, and you pay to send traffic between AZ's and VPC's. FOr example: if you have DFS nodes an Citrix servers accessing files from the DFS farm, you want to map the site out correctly so the data is received from it's cheapest site.
With regards to latentecy, I wouldn't over think it, the AD latency isn't affected by it being in AWS any more then any other site. If your network is quick enough to handle the traffic of instant replication then go ahead and enable if you need it.