What are the limitations when running Active Directory in AWS?

While the AWS Directory Service was intended to provide flexible support for Active Directory in AWS, it has several limitations and caveats.

Microsoft AD, for example, is the enterprise-class version of AWS Directory Service and one of three options for running Active Directory in AWS. Microsoft AD currently handles up to 50,000 users or about 200,000 objects, which includes users, groups and computers. That's typically not an issue for most businesses, but that could constrain larger enterprises that have huge Active Directory user or object bases.

While the AWS Directory Service was intended to provide flexible support for Active Directory in AWS, it has several limitations and caveats.

In addition, users cannot change the compute performance of Microsoft AD on AWS; there is no way to change storage, processor or memory resources for the AD instance. This can make it difficult to fix performance issues. There is also no current way to migrate the on-premises Active Directory database to the cloud.

Simple AD, another option for operating Active Directory in AWS, offers a subset of features found in Microsoft AD. Simple AD supports users, groups, single sign-on access and domain-joining Linux and Windows instances. But Simple AD does not support trust relationships with other domains nor does it manually add domain controllers to an instance. It also doesn't support tools like AD Administrative Center, AD Recycle Bin, PowerShell, detailed password policies, schema extensions and group-managed service accounts. Organizations that depend on these features need to deploy the full-featured Microsoft AD.

The third AWS Directory Service option, AD Connector, offers a gateway that handles directory requests as a proxy and does not cache information in the AWS public cloud. Users of this option can enforce current logon credentials to access AWS tools or manage AWS resources. But AD Connector is a limited-privilege service -- depending on a non-administrative account and password for read-only permissions. So admins can't make changes to Active Directory in AWS through the AD Connector.

As with any public cloud service, developers and infrastructure architects must stay up to date on the latest service offerings, such as changes to APIs, features and pricing. Architects must also consider the limitations of each platform, taking the time to test deployments and evaluate performance before making a production commitment.