Microsoft technologies form the backbone of many Enterprise IT Infrastructures. Whether you are running Microsoft Exchange, SharePoint, SQL Server or Active Directory, chances are you rely upon these services for your mission-critical needs. Solutions Architects and IT professionals will get an overview of the common Microsoft workloads running on AWS, including approaches for server migrations, design and deployment of infrastructure services, and maintenance and monitoring of those services once they are in production.
3. Architecture Best Practices
Design for failure and nothing fails
Loose coupling sets you free
Implement elasticity
Build security in every layer
Leverage different storage options
4. Design Considerations
Your VPC is Your Home
• Transition from Subnet Based Design to Security Groups and NACLs
The Principles of Security Don’t Change Much
Remember You’re Always Working Remote
5. Your VPC Is Your Home
[Diagram: two Availability Zones, each with a Public Subnet (10.0.0.0/24) holding a NAT instance and an RD Gateway (RDGW), and a Private Subnet (10.0.2.0/24) holding the Domain Controller (DC), SQL Server (DB), App Server (APP) and IIS Server (WEB). Remote Users / Admins connect in from outside the VPC.]
6. The Principles of Security Don’t Change Much
• Role-Based Access Control and Least Privilege Apply
• Use Security Groups
[Diagram: one Availability Zone. The Public Subnet (10.0.0.0/24) holds the WEB server in the Web Security Group, which accepts TCP port 80 from the Internet. The Private Subnet (10.0.1.0/24) holds the SQL server in the SQL Security Group, which accepts TCP port 1433 only from the Web SG. A User reaches WEB on TCP 80, and WEB reaches SQL on TCP 1433.]
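The two security groups from the slide, built with AWS Tools for PowerShell, as an added example that is not part of the deck; the VPC ID is a placeholder and the group names are assumptions. The SQL group references the Web group by ID rather than by subnet CIDR, which is the point of the "subnet design to security groups" transition:

```powershell
# Added example (not from the deck): least-privilege security groups for the
# web and SQL tiers. Replace the VPC ID placeholder before running.
Import-Module AWSPowerShell
$vpcId = 'vpc-PLACEHOLDER'

# Web tier: accept TCP 80 from the Internet, nothing else.
$webSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'web-sg' -Description 'Web tier'
Grant-EC2SecurityGroupIngress -GroupId $webSg -IpPermission @(
    @{ IpProtocol = 'tcp'; FromPort = 80; ToPort = 80; IpRanges = '0.0.0.0/0' }
)

# SQL tier: accept TCP 1433 only from members of the web security group.
# Referencing the group ID means the rule keeps working if web instances
# move between subnets, and it never exposes 1433 to a whole CIDR block.
$sqlSg = New-EC2SecurityGroup -VpcId $vpcId -GroupName 'sql-sg' -Description 'SQL tier'
$fromWeb = New-Object Amazon.EC2.Model.UserIdGroupPair
$fromWeb.GroupId = $webSg
Grant-EC2SecurityGroupIngress -GroupId $sqlSg -IpPermission @(
    @{ IpProtocol = 'tcp'; FromPort = 1433; ToPort = 1433; UserIdGroupPairs = $fromWeb }
)

# Review: the SQL group must have no CIDR-based inbound rules at all.
$sqlRules = (Get-EC2SecurityGroup -GroupId $sqlSg).IpPermissions
$sqlRules | Where-Object { $_.IpRanges.Count -gt 0 } |
    ForEach-Object { Write-Warning "CIDR rule on SQL SG: $($_.IpRanges -join ',')" }
```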
7. Remember, You’re Always Working Remote
Clients can use the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection
Bastion hosts can run Windows PowerShell Web Access for remote command line administration
Deploying a bastion host in each Availability Zone can provide highly available and secure remote access over the Internet
8. SQL Server on AWS
Two primary deployment paths:
Amazon EC2
• You Manage Your Infrastructure
• Advanced Deployments: WSFC + Always On Availability Groups
Amazon RDS
• Fully Managed by AWS
• No Administrative Intervention
• Uses SQL Server Mirroring
Many Versions and Editions of SQL Server including Express, Web, Standard and Enterprise, and SQL 2005, 2008, 2012 and more
9. Highly Available SQL Server
[Diagram: Availability Zone 1, Private Subnet: Primary Replica (Primary 10.0.2.100, WSFC 10.0.2.101, AG Listener 10.0.2.102). Availability Zone 2, Private Subnet: Secondary Replica (Primary 10.0.3.100, WSFC 10.0.3.101, AG Listener 10.0.3.102). Both replicas use synchronous-commit with Automatic Failover; the AG Listener name is ag.awslabs.net.]
10. SQL Server WSFC Failover: The Quorum
[Diagram: the same two-AZ layout, Primary Replica in Availability Zone 1 and Secondary Replica in Availability Zone 2, synchronous-commit with Automatic Failover, plus a Witness Server for the WSFC quorum.]
11. SQL Server HA With Read Replica
[Diagram: Primary Replica in Availability Zone 1 and Secondary Replica 1 in Availability Zone 2, synchronous-commit with Automatic Failover behind the AG Listener ag.awslabs.net, plus a Secondary Replica 2 (Readable) fed by asynchronous-commit and serving a Reporting Application.]
12. SQL Server HA With Disaster Recovery
[Diagram: Primary Replica in Availability Zone 1 and Secondary Replica 1 in Availability Zone 2 with Automatic Failover behind the AG Listener ag.awslabs.net; the Corporate Network, connected by VPN, hosts Secondary Replica 2 (Readable) used for a Reporting Application and Backups, with Manual Failover.]
13. SharePoint 2013 on AWS
• Web tier is made highly available through load balancing
• Application-tier load balancing is native to SharePoint
• Database-tier high availability can be achieved with SQL AlwaysOn
• Install SharePoint using a SQL Client Alias
• Update the alias after making DBs highly available, and point it to an Availability Group Listener fully qualified domain name (FQDN)
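The SQL Client Alias step above, as an added example that is not part of the deck: the alias name is an assumption, the listener FQDN is the one from the deck. SharePoint is installed against the alias, so repointing it to the Availability Group Listener later changes nothing in the farm configuration.

```powershell
# Added example (not from the deck): create or repoint a SQL Server client
# alias on a SharePoint server. Alias name is hypothetical.
$aliasName = 'SPSQL'
$target    = 'ag.awslabs.net'   # Availability Group Listener FQDN (from the deck)
$port      = 1433
# DBMSSOCN selects the TCP/IP network library; format is provider,host,port
$value     = "DBMSSOCN,$target,$port"

# SharePoint 2013 is 64-bit; the Wow6432Node key covers any 32-bit tooling
# (e.g. 32-bit ODBC-based utilities) that reads the same alias.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $aliasName -Value $value -Type String
}

# Check both registrations agree before the farm reconnects.
foreach ($key in $keys) {
    $actual = (Get-ItemProperty -Path $key).$aliasName
    if ($actual -ne $value) { Write-Warning "Alias mismatch under $key : $actual" }
}
```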
14. SharePoint 2013 on AWS: Example Architecture
[Diagram: two Availability Zones, each with a Public Subnet (10.0.0.0/24) holding NAT and RDGW, and a Private Subnet (10.0.2.0/24) holding the Domain Controller (DC), a SQL Server (DB), an App Server (APP) and a Web Front-End (WEB). The two SQL Servers form an Availability Group, Primary in one zone and Secondary in the other. Users connect from outside the VPC.]
15. SharePoint Migration Strategies
Create SharePoint Farm
• Create the New Target Farm to Spec
Copy Database to the Target Farm
• Place Source Farm and Database in Read-Only Mode
• Backup Content and Service Application Database
• Restore the Databases to the Target Farm
Upgrade Service Applications
• Configure Service Applications for the Target Farm
• Create New Web Applications matching the Source Farm
Upgrade Content Databases
• Upgrade and Mount the New Content Databases
Upgrade Site Collections
• Site Owners’ Responsibility
16. Active Directory on AWS
Two High Level Deployment Paths
Amazon EC2
• Fully Managed by You
• Isolated, Stretched or Federated
AWS Directory Services
• Managed By AWS
• Simple AD and AD Connector
17. AD Connector
Connect to your on-premises Active Directory
• Via existing VPC VPN connection, or AWS Direct Connect
Users access AWS applications with existing credentials
Administrators can access the AWS Management Console with existing credentials
Integrate with existing RADIUS MFA solutions
18. Simple AD
Launch managed stand-alone directories
Powered by Samba 4 Active Directory Compatible Server
Supports common AD features
• User accounts/group memberships/domain-joining EC2 instances running Windows, Kerberos based SSO, and Group Policies
Use existing AD management tools with Simple AD
Simple AD accounts can access AWS applications
• Amazon WorkSpaces
• Amazon Zocalo
19. Directories Managed For You
AWS does the heavy lifting directory management tasks
• Patch management
• Host monitoring
Simple AD includes snapshot backups and point-in-time recovery
Directories are deployed multi-AZ for availability
20. Hybrid Active Directory
• Connectivity via VPN or Direct Connect
• Security groups must allow traffic to and from DCs on-premises
• Properly define AD sites and subnets
• Configure site-link costs
• Enable domain members for the “Try Next Closest Site” group policy setting
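The site, subnet, site-link and "Try Next Closest Site" items above carried through with the ActiveDirectory module, as an added example that is not part of the deck. Site names, the link name, cost and replication interval are assumptions; the subnet CIDR follows the deck's private subnet. The Netlogon registry value is what the group policy setting writes; in production deliver it through a GPO rather than by hand.

```powershell
# Added example (not from the deck): give the VPC its own AD site so domain
# members in AWS locate the local DC first, and cost the VPN link so
# cross-site traffic is used only when no local DC answers.
Import-Module ActiveDirectory

$corpSite = 'Corporate'     # assumed name of the existing on-premises site
$awsSite  = 'AWS-VPC'       # assumed name for the VPC site
$vpcCidr  = '10.0.2.0/24'   # private subnet from the deck

# Site plus the subnet that belongs to it; DC Locator uses the subnet-to-site
# mapping to answer "which DC is closest to this client".
if (-not (Get-ADReplicationSite -Filter "Name -eq '$awsSite'")) {
    New-ADReplicationSite -Name $awsSite
}
New-ADReplicationSubnet -Name $vpcCidr -Site $awsSite

# Site link across the VPN. Higher cost than the default (100) so clients and
# replication prefer in-site paths; 15-minute interval is the AD minimum.
New-ADReplicationSiteLink -Name 'Corp-to-AWS' `
    -SitesIncluded $corpSite, $awsSite `
    -Cost 200 -ReplicationFrequencyInMinutes 15

# "Try Next Closest Site": lets a member fall back to the next-cheapest site
# instead of any DC in the domain when its own site has no reachable DC.
# Equivalent to Computer Configuration > Administrative Templates > System >
# Net Logon > DC Locator DNS Records > Try Next Closest Site = Enabled.
$netlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
New-Item -Path $netlogon -Force | Out-Null
Set-ItemProperty -Path $netlogon -Name 'TryNextClosestSite' -Value 1 -Type DWord

# Verify which site and DC this member now resolves to.
nltest /dsgetsite
nltest /dsgetdc:$env:USERDNSDOMAIN /try_next_closest_site
```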
21. Hybrid Active Directory Architecture
[Diagram: an Availability Zone with a Private Subnet hosting DC3, connected by VPN to the Corporate Network, where DC1 is in Virginia and DC2 is in Washington DC.]
22. Instance Migration and Upgrade
• Two primary paths: Migrate and Upgrade
• A fleet migration is a more complex task that may take longer but is better for a complex production environment
• A variety of Technology Partner tools and techniques can help here
• A system upgrade is suitable for a smaller number of instances or to get moving quickly
• Native AWS tools apply
23. Management and Maintenance: CloudWatch
Log Types:
• Event Logs
• IIS Logs
• Any Event Tracing for Windows (ETW) Logs
• Any Performance Counter data
• Any text-based log files
Enables customers to easily monitor instance activity in real time and create alarms on these events
24. Management and Maintenance: Simple Systems Manager
Simple Systems Manager provides native AWS tools to manage your Windows EC2 Instances
• Join an AWS Directory
• Install software using MSI packages
• Run PowerShell Scripts
• Configure CloudWatch Logs
25. Management and Maintenance: Simple Systems Manager
Simple Systems Manager manages instances while they are running
• Create a configuration document describing tasks (install software)
• Attach the document to an instance and either run it manually or schedule a task
• Disassociate a document when you no longer need it – but the configuration doesn’t go away!
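The document, associate, disassociate cycle from the two Simple Systems Manager slides, as an added example that is not part of the deck. It uses the schema 1.2 document format with the aws:applications and aws:runPowerShellScript plugins; the document name, MSI URL and instance ID are placeholders.

```powershell
# Added example (not from the deck): an SSM configuration document that
# installs an MSI and runs a PowerShell script, attached to one instance.
Import-Module AWSPowerShell

$docName    = 'WebServerBaseline'   # hypothetical document name
$instanceId = 'i-PLACEHOLDER'

# Schema 1.2 configuration document. Each runtimeConfig plugin is a task the
# SSM agent on the instance executes; "id" orders the steps.
$content = @'
{
  "schemaVersion": "1.2",
  "description": "Baseline configuration for Windows web servers",
  "runtimeConfig": {
    "aws:applications": {
      "properties": [
        { "id": "0.aws:applications",
          "action": "Install",
          "source": "https://PLACEHOLDER.example/agent.msi" }
      ]
    },
    "aws:runPowerShellScript": {
      "properties": [
        { "id": "0.aws:runPowerShellScript",
          "runCommand": [
            "Install-WindowsFeature Web-Server -IncludeManagementTools",
            "Set-ItemProperty HKLM:\\SYSTEM\\CurrentControlSet\\Services\\W3SVC -Name Start -Value 2"
          ],
          "timeoutSeconds": 600 }
      ]
    }
  }
}
'@

# Register the document, then associate it with the instance; the agent
# applies the association on its next check-in.
New-SSMDocument -Name $docName -Content $content
New-SSMAssociation -Name $docName -InstanceId $instanceId

# Inspect status before trusting the instance as configured.
(Get-SSMAssociation -Name $docName -InstanceId $instanceId).Status

# Disassociating stops future runs only: the MSI stays installed and IIS
# stays configured on the instance, exactly as the slide warns.
Remove-SSMAssociation -Name $docName -InstanceId $instanceId -Force
```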