Deploying additional domain controllers for your Amazon Managed Microsoft AD - Amazon Directory Service
Adding or removing additional domain controllers with the Amazon Web Services Management Console
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Deploying additional domain controllers for your Amazon Managed Microsoft AD

Deploying additional domain controllers for your Amazon Managed Microsoft AD increases the redundancy, which results in even greater resilience and higher availability. This also improves the performance of your directory by supporting a greater number of Active Directory requests. For example, you can now use Amazon Managed Microsoft AD to support multiple .NET applications that are deployed on large fleets of Amazon EC2 and Amazon RDS for SQL Server instances.

When you first create your directory, Amazon Managed Microsoft AD deploys two domain controllers across multiple Availability Zones, which is required for highly availability purposes. Later, you can easily deploy additional domain controllers via the Amazon Directory Service console by just specifying the total number of domain controllers that you want. Amazon Managed Microsoft AD distributes the additional domain controllers to the Availability Zones and Amazon VPC subnets on which your directory is running.

For example, in the below illustration, DC-1 and DC-2 represent the two domain controllers that were originally created with your directory. The Amazon Directory Service console refers to these default domain controllers as Required. Amazon Managed Microsoft AD intentionally locates each of these domain controllers in separate Availability Zones during the directory creation process. Later, you might decide to add two more domain controllers to help distribute the authentication load over peak login times. Both DC-3 and DC-4 represent the new domain controllers, which the console now refers to as Additional. As before, Amazon Managed Microsoft AD again automatically places the new domain controllers in different Availability Zones to ensure your domain's high availability.

Four domain controllers spread across two availability zones.

This process eliminates the need for you to manually configure directory data replication, automated daily snapshots, or monitoring for the additional domain controllers. It's also easier for you to migrate and run mission critical Active Directory–integrated workloads in the Amazon Web Services Cloud without having to deploy and maintain your own Active Directory infrastructure.

You can use either of the following tools to deploy or remove additional domain controllers to your Amazon Managed Microsoft AD:

Note

Additional domain controllers is a Regional feature of Amazon Managed Microsoft AD. If you are using Multi-Region replication, the following procedures must be applied separately in each Region. For more information, see Global vs Regional features.

Adding or removing additional domain controllers with the Amazon Web Services Management Console

You can use the Amazon Web Services Management Console to add or remove additional domain controllers to your Amazon Managed Microsoft AD.

Prerequisites

Before adding or removing additional domain controllers to your Amazon Managed Microsoft AD, here's more information about domain controller requirements:

  • After deploying additional domain controllers, you can reduce the number of domain controllers to two, which is the minimum required for fault-tolerance and high availability purposes.

  • The deleted domain controllers will be delete from the list of additional domain controllers. The primary and secondary domain controllers are required and can't be deleted.

  • If you have configured your Amazon Managed Microsoft AD to enable LDAPS, any additional domain controllers you add will also have LDAPS enabled automatically. For more information, see Enable Secure LDAP or LDAPS.

Procedure

Use the following procedure to deploy or remove additional domain controllers in your Amazon Managed Microsoft AD with the Amazon Web Services Management Console.

To add or remove additional domain controllers

  1. In the Amazon Directory Service console navigation pane, choose Directories.

  2. On the Directories page, choose your directory ID.

  3. On the Directory details page, do one of the following:

    • If you have multiple Regions showing under Multi-Region replication, select the Region where you want to add or remove domain controllers, and then choose the Scale & share tab. For more information, see Primary vs additional Regions.

    • If you do not have any Regions showing under Multi-Region replication, choose the Scale & share tab.

  4. In the Domain controllers section, choose Edit.

  5. Specify the number of domain controllers to add or remove from your directory, and then choose Modify.

  6. When Amazon Managed Microsoft AD completes the deployment process, all domain controllers show Active status, and both the assigned Availability Zone and Amazon VPC subnets appear. New domain controllers are equally distributed across the Availability Zones and subnets where your directory is already deployed.

Related Amazon Security Blog Article