Translated by AI
re:Invent 2025: Streamlining Active Directory Migration with AWS Hybrid Managed AD
Introduction
We transcribe overseas presentations into Japanese articles so that valuable information that would otherwise go unnoticed becomes more accessible. The presentation featured in this installment of that project is this one!
For re:Invent 2025 transcription articles, information is compiled in this Spreadsheet. Please refer to it.
📖re:Invent 2025: AWS re:Invent 2025 - Streamlining Active Directory Migration with AWS Hybrid Managed AD (SEC232)
In this video, Rodney Underkoffler from AWS and Alex Guenther from Deloitte explain how to streamline Active Directory migration using AWS Managed Microsoft AD Hybrid Edition. They look back at over 25 years of Active Directory integration history and describe three integration paths: AD Connector, self-managed AD on EC2, and AWS Managed Microsoft AD. They then detail how the Hybrid Edition addresses traditional challenges such as trust management, reconfiguring permissions, and complex migration processes. As a beta test partner, Deloitte focused on the trend of AD minimization, demonstrating concrete benefits such as the potential to reduce migrations that previously took months to 2-4 weeks, and the automation of manual provisioning through Amazon RDS integration.
※ This article is automatically generated, aiming to preserve the information from the original presentation as much as possible. Please note that there may be typos or incorrect information.
Main Content
Challenges of Active Directory Migration and AWS Integration Pathways
Hello everyone. Welcome to day four. Thank you for taking the time to join us today. We're going to talk about streamlining Active Directory migration with AWS Managed Microsoft AD Hybrid Edition by AWS and Deloitte. My name is Rodney Underkoffler. I'm a specialist solutions architect with AWS. I've been working with Active Directory for over 25 years. It sounds like a long time when I say it out loud, but yes, over 25 years. I speak to customers almost every day about Active Directory, on different topics, whether it's implementation with AWS, migration, or optimization. And my colleague from Deloitte is also here.
Yes, my name is Alex Guenther. I work in our digital controls audit and assurance practice. I automate risks and controls from manual processes. Typically leveraging AWS, a lot of cloud native services. So I want to talk a little bit about why Deloitte is here. Deloitte and AWS have a long-standing relationship and partnership. We're working together, of course, to bring this Hybrid Edition of AD to market today. My audit and assurance team, as well as teams within our cyber practice, performed an extensive beta test or pre-evaluation of this service. And I'm going to talk a little bit about what we learned, what we saw, and how we anticipate this will impact our customers, our clients, and AWS customers in the future.
Alright, and over the next 20 minutes, we're going to cover what you see here. The Active Directory migration pathways, the various ways and means for integrating Active Directory with AWS. We're going to dive into the challenges with the various implementations, and then ultimately talk about how Active Directory as an identity has evolved over these 25 years, and how various challenges have been solved with AWS solutions, and then ultimately with Hybrid Edition. We'll talk a little bit about Deloitte's involvement in our long-standing partnership with Hybrid Active Directory, the beta testing that we did with them. And then we'll describe the benefits of Hybrid AD, so the solutions that Hybrid AD brings to these challenges, and then finally, just a brief touch on the Hybrid AD architecture.
So first, there are three common paths that customers typically take when migrating or integrating Active Directory to AWS. The first one is AD Connector. You can think of AD Connector as almost a proxy service from Active Directory into AWS native services. So you don't have to deploy any hardware. You don't have to move any domain controllers. You're simply using AWS native services to proxy authentication back to your Active Directory domain controllers that are either on-premises or virtualized within AWS. Just a network path back to the AD Connector with a service account. So typically, this is a first step. It's often used for a proof of concept or if you have limited service integration that you want with Active Directory.
However, ultimately, it's recommended to use EC2. So, as a first step, you extend with EC2. This way, you no longer depend on connections to your on-premises environment. All authentication takes place within AWS, right? However, all the associated management is also required. In other words, you'll be operating Active Directory on EC2 in the cloud in the same way you would operate it on-premises. You get all the necessary controls, but what you don't get is integration with AWS native services. To integrate with those native services, you still need to use AD Connector or AWS Managed Microsoft AD.
Now, it's not the case that you must use only one of these. Many, many customers use all three. Sometimes they extend with EC2, use AD Connector for specific use cases, and also use Managed Microsoft AD for broader integration with managed services. So, you can simply think of Managed Microsoft AD as Active Directory, but with all the power of the cloud. We handle all the heavy lifting of operations, patching, administration, and maintenance, and you can leverage Active Directory's features on top of that. This is a single or separate forest, a separate domain, so you can either set up trust relationships to bring authentication back, or you can create users and groups on Managed Active Directory.
Now, let's look at the evolution of identity management around Active Directory over time. As I said, it's been 25 years since Active Directory first appeared. Almost every organization still has some foundation of Active Directory.
In many cases, it has become the trusted source for workforce identities. It truly solved the problem of centralized authentication. It provided a means to achieve this with a multi-master model, so changes could be made on any domain controller, and they would be replicated. It also provided the ability to run Group Policy, allowing for standardization of policy enforcement across an organization. So, it did a lot of good things 25 years ago, and it still does today.
However, we still face some challenges. There's no cloud integration. Do you remember I mentioned that if you're running EC2 and running domain controllers, you don't get cloud integration unless it's through other services like SAML authentication, ADFS, or other identity providers? You have to add something to get at least some level of cloud integration. There's hardware refreshing that you have to continuously do. There are manual disaster recovery changes. FSMO role transfers or forced seizures, DR testing, and so on. And there are physical boundaries. Domain controllers are available where they are, whether in a data center, an office, or via VPN.
There's the extension of self-managed AD on EC2. This solves some problems and removes the hardware refreshing we had to worry about, but you still face many of the same challenges you faced on-premises. You face those challenges on EC2 as well, because you're still patching it yourself, backing it up yourself, and doing other maintenance and operations on the EC2 instances. You can script it the same way you do on-premises, but it's the same heavy lifting you're doing on-premises. You're just doing it on EC2.
And then, I believe yesterday was the 10th anniversary of AWS Managed Microsoft AD. So, this is not a new service. It has matured over time and is very reliable, but it now provides the ability to integrate with multiple domains, multiple forests, and trusts, and to integrate those domains with AWS services. You can do RDS integration, FSx, WorkSpaces, and many other integrations. We handle the disaster recovery part, backup, and patching, and you can see this in the console, so you can receive SNS notifications when failures occur and we're replacing domain controllers, for example.
However, we still face some challenges. Even with 10 years of history and having solved many past problems, trust management is still required. Because you still need to maintain a separate forest, a separate domain, there's still a bit of complexity there. So, let's look further at the challenges we still face regarding Managed AD and workforce identity. Let's look at it from a migration perspective. When you do a migration, and I've done many over the years, it requires a lot of planning. Probably more time than the migration itself. Because of the complexity of moving those identities, re-permissioning, and doing it in a way that doesn't impact users. You want to keep the system up and running and ensure authentication works during the migration.
And I also touched on maintaining access. When the migration is complete, if you migrate to, say, our Managed Active Directory, it's a separate forest, a separate domain, so you have to re-permission. This means you can't retain that AD forest name. If you want to do that, you need to use third-party tools or vendor products like Active Directory Migration Tools, and many of these tools require trusts to be set up, so you can't have the same forest, the same domain name on both sides. As a result, you end up doing a double hop, which doubles the complexity of the migration.
Introduction of AWS Managed Microsoft AD Hybrid Edition and Partnership with Deloitte
Given these challenges, which we've consistently heard from customers over the years, we've taken all that feedback and created the AWS Managed Microsoft AD Hybrid Edition. It was released in August, and we were able to release it based on the existing Managed Active Directory we currently offer. This means it uses many of the same features, many of the same automations, and many of the same mature services and applications already implemented in our existing service.
This allows you to simply extend rather than perform a migration. This means you no longer have to worry about SID history or re-permissioning. You use the same users, the same groups, the same SIDs, so you don't lose or change access when extending with Hybrid Edition.
Regarding trusts, you no longer need to set up trusts because it's the same domain, the same forest. So, there's no management required to set up one-way or two-way trusts. Again, you're just using the same authentication you use today with your existing self-managed Active Directory. So, you can think of it as your Active Directory domain controllers, but enhanced with AWS operations. We take on the heavy lifting, you maintain control over your self-managed side, and we handle all the management of the domain controllers that are part of the Hybrid Edition instance.
And you can also look at it from a scalability perspective. When we talk about scalability, it has two different viewpoints. The first is that you can scale out these two domain controllers in Hybrid Edition to three, four, five, or however many you need. You can do this with a click of a button from the console, or you can automate it. There are blogs and workshops available that explain how to do this in an automated way. So, when the load reaches a certain point and you're looking at your metrics, you can scale up or scale down as needed. This was not easily possible, especially with physical hardware in your own data center.
The second aspect of scalability is account access. This means you can take that Hybrid Edition and share that directory with 10, 100, or however many accounts you have. And when I say share, you're not extending additional hardware. There are no additional Hybrid Edition instances being deployed. All you're doing is making that Hybrid Edition instance available to all the accounts as needed.
So, why Deloitte? We've been working with Deloitte, and we had a beta version about nine months before launch. This beta version existed, and Deloitte, being a long-standing partner of ours, helped us not only with insights from their internal use of the beta but also from their experience and access to other customers.
Deloitte's Beta Testing Results and Practical Benefits of Hybrid Edition
Yes, thank you very much, Rodney. I appreciate the opportunity to speak here. This has been a great experience. Coming to re:Invent, meeting a lot of different people, and learning what it's like to be here. So, thank you, thank you, AWS. So, why Deloitte? Why are we here? From our perspective and our relationship with AWS, as a consulting and advisory partner across multiple practices and multiple industries, we have the ability to look at these new technologies, new products, and where things are going, and evaluate them in a way that helps us best serve our clients and best serve AWS customers.
Now, one of the things we are fully recognizing now, with the maturity and evolution of identity and cloud identity, driven by providers and Entra ID, is the fact that many of the technical components in a typical enterprise have a significantly reduced need to directly connect to Active Directory. In other words, whereas before, when the cloud was more widely adopted, there was a time when you wanted to maintain authentication and identity. Now, with the ability to remove these direct connections, you can actually start to reduce the footprint of Active Directory infrastructure managed by a typical enterprise.
Basically, in that sense, what we're seeing is what we call AD minimization. It's very simple. It's a strategic reduction of the footprint. So, how do we ensure that only what needs to connect to the directory actually connects? How do we minimize overhead? All those good things. This was the main lens through which we approached this beta program. There are a few others we mentioned.
I mentioned alliances earlier. When we talk about alliances with AWS, it's about how we best serve our customers, how we stay at the forefront of trends. Identity modernization, cloud migration strategies, these are things we must excel at, and things we must do to achieve these goals.
Another lens is related to my personal service delivery within digital controls, and that's the impact these new services have on an organization's control framework. Because risk and controls are often an afterthought in cloud migrations, you set everything up and get ready for production, and then you realize, wait, there are so many compliance requirements affected by expanding infrastructure. Attack surface, cloud controls, how identity and access management is managed, provisioning, de-provisioning, network controls, etc.
As Rodney mentioned, with the AWS Managed Microsoft AD service, if you needed to extend with trusts, it required additional network controls and monitoring for identity synchronization and such. The final lens here was technical validation. We wanted to open up the service and try it out. We heard about all these cool features and cool things, but AWS really wanted feedback on our impressions using it, not just as a customer, but as a strategic advisor to clients. In that sense, we're talking about whether permissions are working, whether the domain is extended in a simplified way, and what the management is like for us as beta testers or AWS customers. We needed to determine if we could maintain security boundaries and control frameworks.
Our main point was precisely that. We talk about AD minimization as a trend, and this is the culmination of it. At least from our experience and my team's experience working on the beta test. I'm not a domain administrator. I'm a Deloitte consultant, but within a week of starting and kicking off this project, I had set up an entire mock directory representing a client environment. Within a few days, we were able to launch this new Hybrid Managed Microsoft AD service in our mock directory. It was amazing. Clearly, there's huge potential for migration speed and velocity, and this service truly aligns with the trend of AD minimization.
From a risk and control perspective, it allows for platform diversification and minimizes extraneous trust and maintenance in trust and forest relationships. For example, imagine a disaster recovery event or some incident that affects the connection between trust relationships. That is eliminated with Hybrid Managed Microsoft AD. Because, as I mentioned, you don't need to set up these additional trust relationships. It's all automatic. Just click and run. I know Rodney will talk a bit more about Amazon RDS integration. I briefly touched on it, but before Hybrid Managed Microsoft AD, you had to set up these additional forests, synchronize identities, and continuously perform these permission mappings for each individual aspect of the database. At a high level, the point is exactly what we've been talking about here.
Considering how our experience with this service impacts customers, what are the potential use cases? Which of the challenges or requirements they face can benefit? We thought about it and listed a few here. I know we'll talk a bit about timelines and M&A. If I need to onboard someone into my environment quickly and efficiently with minimal effort, can I retain all existing access controls? Can I achieve leadership goals for a multi-account strategy, expansion, or some kind of transformation to start distributing AWS environments? I wanted to give a few comparisons here. If I can show a table, from my perspective, again, from a risk and control background, the biggest point is that security teams can simply extend their directory using Hybrid Managed Microsoft AD with minimal overhead.
If you're synchronizing identities, as I mentioned, you need to monitor that. You need to ensure that provisioning and de-provisioning are working automatically, and that authorization is actually being passed in a way that keeps things in sync. You don't need to spin up additional infrastructure. You also don't need to enhance network controls in a way that monitors any new infrastructure you've set up. I want to talk a bit about speed and velocity, but at a high level, the beta test was a huge success, and we had a great experience. I know Rodney will talk a bit more about the timeline.
Thanks to all of this, it's truly an accelerator. We see things that used to take months being shortened. Migrations typically take months, especially in complex environments, but here we're talking about two to four weeks. And that includes testing. Because you're simply extending and using what you already have. No re-permissioning or anything like that. Most importantly, it's very fast in the end, but it's also a two-way door, which allows for such quick decisions. With controlled rollback, you can simply de-provision and clean up Active Directory and go back and forth as needed. So, it's not a one-way door decision. It's not a complex migration. It's truly an accelerator for implementation, thanks to all of this.
One example that comes to mind particularly is Amazon RDS. This is a huge deal for our customers. Many customers are doing local logons to Amazon RDS, and they do so until they realize it's all manual. De-provisioning also has to be done manually. So, access that shouldn't exist remains. Therefore, the integration of Amazon RDS with AWS Managed Microsoft AD significantly simplifies this. Thank you for your time. Finally, let me introduce a few resources. We have Deloitte's guide to managed cloud security. In the middle, there's the launch blog for Hybrid Managed Microsoft AD, and on the right, a link to the documentation. Thank you very much for your time. If you have any additional questions, we'll be off to the side, so please feel free to approach us. We'd be happy to talk.
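The manual de-provisioning gap the speakers describe for Amazon RDS (local database logins that outlive the person, because nothing ties them to Active Directory) is something a controls team can check for directly. The following is an added example, not code from the presentation, AWS or Deloitte: a small Python audit that takes a constructed dump of a SQL Server instance's sys.server_principals (name, type, is_disabled columns as SQL Server returns them) and a constructed export of AD account states (a dictionary keyed by DOMAIN\sAMAccountName, which is an assumed shape), and reports SQL-authenticated logins plus Windows logins whose AD object is gone or disabled.

```python
# Audit RDS for SQL Server logins that bypass, or have drifted from, Active Directory.
# Added example (not from the presentation, AWS or Deloitte). Input shapes are assumed:
#   principals : rows from  SELECT name, type, is_disabled FROM sys.server_principals
#   ad_accounts: {"DOMAIN\\sam": enabled_bool} exported from AD (constructed here)
from dataclasses import dataclass

# Built-in principals that exist on every instance and are expected.
BUILTIN = {"sa", "public"}


@dataclass(frozen=True)
class Finding:
    login: str
    kind: str      # "local_sql_login" | "orphaned_windows_login" | "disabled_in_ad"
    detail: str


def audit_rds_logins(principals, ad_accounts):
    """Return a list of Finding for logins that should be reviewed.

    type 'S'  (SQL login)             -> local account not governed by AD de-provisioning
    type 'U'/'G' (Windows user/group) -> flag if the AD object is missing or disabled
    Built-ins, '##' internal accounts, certificate/key logins ('C','K') and server
    roles ('R') are skipped. Name matching is case-insensitive, as AD names are.
    """
    ad_state = {k.upper(): v for k, v in ad_accounts.items()}
    findings = []
    for row in principals:
        name, ptype = row["name"], row["type"]
        if name in BUILTIN or name.startswith("##") or ptype in ("C", "K", "R"):
            continue
        if ptype == "S" and not row.get("is_disabled", 0):
            findings.append(Finding(name, "local_sql_login",
                                    "SQL-authenticated login; not governed by AD de-provisioning"))
        elif ptype in ("U", "G"):
            state = ad_state.get(name.upper())
            if state is None:
                findings.append(Finding(name, "orphaned_windows_login",
                                        "no matching AD object in export"))
            elif state is False:
                findings.append(Finding(name, "disabled_in_ad",
                                        "AD account disabled but login still present"))
    return findings


# Constructed sample data (not real accounts).
SAMPLE_PRINCIPALS = [
    {"name": "sa", "type": "S", "is_disabled": 1},
    {"name": "##MS_PolicyEventProcessingLogin##", "type": "S", "is_disabled": 1},
    {"name": "app_reporting", "type": "S", "is_disabled": 0},
    {"name": "CORP\\jdoe", "type": "U", "is_disabled": 0},
    {"name": "CORP\\former.contractor", "type": "U", "is_disabled": 0},
    {"name": "CORP\\on.leave", "type": "U", "is_disabled": 0},
    {"name": "CORP\\db-admins", "type": "G", "is_disabled": 0},
    {"name": "sysadmin", "type": "R", "is_disabled": 0},
]
# former.contractor has been deleted from AD; on.leave is disabled in AD.
SAMPLE_AD = {"CORP\\jdoe": True, "CORP\\on.leave": False, "CORP\\db-admins": True}

if __name__ == "__main__":
    for f in audit_rds_logins(SAMPLE_PRINCIPALS, SAMPLE_AD):
        print(f"{f.kind:24} {f.login:28} {f.detail}")
```

Run against the constructed data it reports three logins: the local SQL login, the Windows login whose AD object is gone, and the one whose AD account is disabled.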
※ This article was automatically generated using Amazon Bedrock, aiming to maintain the information from the original video as much as possible. Please note that there may be typos or incorrect information.