Microsoft Workloads on AWS

Mastering Windows Server migration to HAQM EC2: Key tactics for success – Part 1

Introduction

We will explore key considerations that frequently arise during the Microsoft Windows Server migration process and offer practical insights and solutions to complete a successful transition.

Migrating Windows Server to HAQM Elastic Compute Cloud (HAQM EC2) requires careful planning and decision-making to align with business and technical requirements. HAQM Web Services (AWS) provides the Prescriptive Guidance for Migrating Microsoft Workloads to AWS. This covers a broad perspective and delves into a wide range of technical details for Microsoft workloads on AWS. In this blog post, we take a more focused approach, specifically addressing common considerations in Windows Server migrations. Our goal is to provide concise, practical insights and actionable recommendations tailored to key aspects such as licensing, Microsoft Active Directory integration, selecting EC2 instance types, and critical pre-migration checks.

Solution overview

This series addresses frequent customer challenges when migrating Windows Servers. Part 1 (this post) focuses on licensing and AD integration architecture. Part 2 covers technical aspects such as hypervisor selection and configuration before migration, providing practical guidance for ongoing AWS operations. The overall agenda is as follows.

Blog part 1:

  • Windows Server license on AWS
  • Typical strategies for AD integration during migration

Blog part 2:

  • Choosing the right hypervisor between Xen hypervisor and Nitro system
  • Identifying the Boot Mode for Windows Server Migration
  • Verifying Windows OS configuration using the VM Import checker script

Walkthrough

Windows Server license on AWS

AWS offers two options for using Windows Server licenses: License Included (LI) and Bring Your Own License (BYOL). LI is a pay-as-you-go model managed by AWS, supporting Windows Server versions like 2025, 2022 and 2019, with simplified compliance and Auto Scaling for resource optimization. BYOL allows businesses to use existing licenses with Microsoft Software Assurance (SA) or perpetual licenses purchased before October 1, 2019, on HAQM EC2 Dedicated Hosts. Refer to the Windows Server BYOL decision tree (Figure 1) for guidance. If you want to bring in SQL Server licenses, refer to our documentation for SQL Server BYOL.

Figure 1: Windows Server BYOL decision tree

Typical strategies for Microsoft Active Directory (AD) integration during migration

When migrating on-premises Windows Server to HAQM EC2, integrating AD is a critical consideration. As most on-premises Windows Servers operate within an AD domain environment, maintaining the continuity of key services, such as authentication, Domain Name System (DNS) resolution, and domain-based resource access must be a priority. This section explores several AD integration architectural strategies to help enterprises choose the most suitable option during their cloud migration. For more information on architecture and specific implementation steps, read the Migrating Active Directory section from the AWS Prescriptive Guidance website.

Strategy 1: Connect on-premises AD over AWS VPN or AWS Direct Connect

Figure 2: AD integration architectural strategies – connect on-premises AD over AWS VPN or AWS Direct Connect

Architecture overview

This architecture is suitable for enterprises unable or unwilling to change their existing AD structure. Establishing an AWS VPN or AWS Direct Connect connection creates a secure network path between the on-premises environment and HAQM Virtual Private Cloud (HAQM VPC).

Advantages

  • Minimizes disruption to existing AD infrastructure
  • Simple implementation without redesigning AD topology

Challenges

  • All AD-related traffic (e.g., DNS queries, Lightweight Directory Access Protocol (LDAP) operations, Kerberos authentication) relies on AWS VPN or AWS Direct Connect
  • Network interruptions might prevent HAQM EC2 instances from authenticating or accessing domain-based resources
  • Potential network latency and firewall configuration challenges

Strategy 2: Extend on-premises AD domain controller (DC) to HAQM EC2

Figure 3: AD integration architectural strategies – extend on-premises AD DC to HAQM EC2

Architecture overview

This is an advanced version of the first option. While maintaining AWS VPN or AWS Direct Connect connectivity, one or more domain controllers (DCs) are deployed on HAQM EC2.

Advantages

  • Synchronization of on-premises and cloud AD data through AD replication mechanisms
  • Windows HAQM EC2 instances within the HAQM VPC interact directly with HAQM EC2-based DCs, reducing reliance on AWS VPN or AWS Direct Connect
  • Improved availability and redundancy of AD
  • Reduced latency from cross-network communication

Implementation considerations

  • Careful planning of the AD Sites and Services topology is required
  • In complex AD environments, customers often implement firewall restrictions between HAQM VPC and on-premises networks. These restrictions, combined with potential AWS VPN or Direct Connect connectivity issues, might force changes to replication topology or limit replication to specific on-premises domain controllers. Therefore, designing a proper replication strategy to maintain data consistency becomes critical
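A pre-cutover check for Strategies 1 and 2, added here as an example rather than code from the post: run on a migrated Windows EC2 instance, it confirms that the DC locator records resolve, that each DC answers on the ports AD clients need across the VPN or Direct Connect path, and which DC and site the instance selects. The domain name and port list are assumptions.

```powershell
# Added example (not from the post). Run on a migrated Windows EC2 instance.
# Domain name and port list are placeholders for illustration.
$Domain  = 'corp.example.com'                          # placeholder: your AD DNS domain
$AdPorts = @(53, 88, 135, 389, 445, 464, 636, 3268)    # DNS, Kerberos, RPC, LDAP, SMB, kpasswd, LDAPS, GC

# 1. DC locator: the SRV record every domain member queries before it authenticates.
#    If this fails, the instance is not using a DNS server that hosts the AD zone.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique

# 2. TCP reachability per DC and port. A DC that resolves but is unreachable on 88/389
#    usually means a firewall or route problem on the VPN / Direct Connect path
#    (the Strategy 1 challenge). Test-NetConnection checks TCP only; Kerberos and
#    LDAP also use UDP, so confirm those rules separately on the firewall.
$results = foreach ($dc in $dcs) {
    foreach ($port in $AdPorts) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $dc; Port = $port; Reachable = $ok }
    }
}
Write-Host "Unreachable DC/port combinations:"
$results | Where-Object { -not $_.Reachable } | Format-Table -AutoSize

# 3. Which DC and AD site the instance actually selects. Under Strategy 2 this should be
#    the EC2-hosted DC in the VPC's site, not a DC across the tunnel; if it is not, the
#    Sites and Services subnet-to-site mapping needs attention. /dsgetsite requires the
#    instance to already be domain-joined.
nltest "/dsgetdc:$Domain" /force
nltest /dsgetsite
```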

Strategy 3: Extend on-premises AD to AWS Managed Microsoft AD

Figure 4: AD integration architectural strategies – extend on-premises AD to AWS Managed Microsoft AD

Architecture overview

AWS Managed Microsoft AD enables your directory-aware workloads and AWS resources to use a managed AD in AWS.

Advantages

  • The domain controllers run in multiple Availability Zones in a Region of your choice
  • AWS configures and manages host monitoring and recovery, data replication, snapshots, and software updates
  • Supports forest or external trust relationships with on-premises AD, enabling AD authentication across environments
  • Reduces operational overhead, as AWS handles maintenance, patching, and infrastructure management
  • Smooth integration with supported AWS services

Implementation steps

  1. Set up AWS Managed Microsoft AD in HAQM VPC
  2. Establish a trust relationship between on-premises AD and AWS Managed Microsoft AD. Refer to the Everything you wanted to know about trusts with AWS Managed Microsoft AD blog post for more details
  3. Join the servers migrated to HAQM EC2 to the AWS Managed Microsoft AD domain
  4. Configure appropriate permissions for cross-domain resource access

Considerations

  • A careful DNS resolution strategy is required, because the two sides of a trust cannot share the same domain name
  • Not all services support joining a new domain and accessing original resources through trust relationships
  • Managing and using multiple AD configurations increases operational burden and costs
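The DNS and trust considerations above in working form, added here as an example and not code from the post: run on an on-premises Windows DNS server or DC, it creates the conditional forwarder that lets on-premises clients resolve the AWS Managed Microsoft AD domain, then verifies DC locator resolution and the trust itself. The domain names and managed-directory DNS addresses are placeholders; the real addresses come from the AWS Directory Service console or API, and the forwarder in the other direction is created as part of the trust setup on the AWS side.

```powershell
# Added example (not from the post). Run on an on-premises DNS server / DC.
# Requires the DnsServer and ActiveDirectory RSAT modules.
Import-Module DnsServer, ActiveDirectory

$OnPremDomain  = 'corp.example.com'             # placeholder: on-premises AD domain
$ManagedDomain = 'aws.example.com'              # placeholder: must differ from the on-premises name
$ManagedDnsIps = @('10.0.0.10', '10.0.1.10')    # placeholder: AWS Managed Microsoft AD DNS addresses

# 1. Forward queries for the managed domain to the managed directory's DNS servers.
#    Forest-wide replication keeps every on-premises DNS server consistent, so
#    clients resolve the trusted domain regardless of which DC they use.
if (-not (Get-DnsServerZone -Name $ManagedDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ManagedDomain `
        -MasterServers $ManagedDnsIps -ReplicationScope Forest
}

# 2. Verify the DC locator records of the managed domain now resolve from on-premises.
#    Repeat the same query for $OnPremDomain from an EC2 instance to test the reverse path.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } | Format-Table NameTarget, Port -AutoSize

# 3. Confirm the trust exists and review its security-relevant attributes:
#    direction, whether SID filtering (quarantine) is on, and whether selective
#    authentication restricts which cross-domain principals may authenticate.
Get-ADTrust -Filter "Target -eq '$ManagedDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication

# 4. Verify the secure channel of the trust end to end.
netdom trust $OnPremDomain "/domain:$ManagedDomain" /verify
```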

Strategy 4: On-premises AD + Microsoft Entra ID

Figure 5: AD integration architectural strategies – on-premises AD + Microsoft Entra ID

Some customers have synchronized their on-premises AD with Microsoft Entra ID (formerly Azure Active Directory) and want to use Microsoft Entra ID as their primary identity provider for AWS service integration. However, Microsoft Entra ID is not a traditional AD service. Implementing domain join for Windows EC2 instances with Microsoft Entra ID requires Microsoft Entra Domain Services (Entra DS) as an intermediary service.

This hybrid identity solution, which combines on-premises AD with Microsoft Entra ID, is suitable for enterprises already using or planning to use Microsoft 365 services. The architecture provides organizations with a flexible and powerful identity management platform across on-premises environments and cloud services.

Important Notes

  1. Entra ID is not traditional AD: a Windows server cannot directly join Entra ID, which is designed for cloud identity management rather than traditional DC functions
  2. Role of Microsoft Entra Domain Services: giving Windows servers migrated to HAQM EC2 an experience similar to a traditional AD domain join requires Entra Domain Services
  3. Integration process: Entra Domain Services provides a managed domain synchronized with Entra ID, allowing HAQM EC2 instances to join it and use authentication and Group Policy management
  4. Network considerations: when implementing this solution, ensure proper connectivity between HAQM VPC and Azure networks, typically through a Site-to-Site VPN or a private connectivity solution
  5. Synchronization mechanism: synchronize on-premises AD with Entra ID using the Microsoft Entra Connect tool, so that identity information stays consistent across environments

For detailed steps and best practices on joining Windows VMs to Entra DS, refer to Microsoft's documentation, Join a Windows Server virtual machine to a Microsoft Entra Domain Services managed domain.

Choosing an appropriate AD integration strategy is crucial for successfully migrating Windows workloads to AWS. Each method has its advantages and challenges, and enterprises should choose based on technical needs, security requirements, budget constraints, and long-term IT strategy. Regardless of the chosen strategy, stable network connectivity, appropriate security measures, and a comprehensive disaster recovery plan are indispensable.

During the implementation, we recommend working closely with AWS solution architects or experienced partners to ensure a smooth transition and optimal performance. As cloud computing technology continues to evolve, maintaining flexibility and continuously evaluating new integration options will help enterprises remain competitive in the long run.

Conclusion

In this blog post, we covered Windows Server licensing (License Included vs. BYOL) and four main AD integration strategies. Key points included how licensing impacts cost and compliance, while AD considerations affect authentication, network connectivity, and replication. By carefully matching these factors to your organizational needs, you can keep workloads secure and maintain high availability in AWS. With stable networking, proper replication, and well-planned trust relationships, domain continuity is achievable. In part 2 of our series, we will discuss other technical details regarding hypervisor, instance types, boot modes, and pre-migration preparations for migrating Windows Server to HAQM EC2.


Sharon Chien

Sharon Chien is a Senior Solutions Architect in AWS. She has worked with clients across diverse industries including manufacturing, retail, media, government, healthcare, and enterprise IT to plan and implement AWS cloud solutions for digital transformations. A lifelong learner and avid sharer, Sharon is passionate about understanding customer needs and building end-to-end cloud architectures that drive innovation and growth. Through her work, she continues to help organizations stay at the forefront of technology by embracing the power of the cloud.

Andrea Soria

Andrea Soria is a Senior Engineer at AWS Support who specializes in Microsoft Windows and VM Import. He’s passionate about helping customers solve complex problems through creative troubleshooting. Outside of work, Andrea enjoys spending time with his family, diving into narrative-rich adventure games, and science fiction.

George Chang

George Chang is a Cloud Support Engineer with over 10 years of Windows expertise. He specializes in Microsoft Windows workloads, Active Directory integration, and enterprise cloud operations. With extensive experience in cloud platform support, he excels in optimizing cloud infrastructures and resolving complex technical challenges.