What gets created - Amazon Directory Service

What gets created

When you create a directory with Simple AD, Amazon Directory Service performs the following tasks on your behalf:

  • Sets up a Samba-based directory within the VPC.

  • Creates a directory administrator account with the user name Administrator and the specified password. You use this account to manage your directory.


    Be sure to save this password. Amazon Directory Service does not store this password, and it cannot be retrieved. However, you can reset a password from the Amazon Directory Service console or by using the ResetUserPassword API.

  • Creates a security group for the directory controllers.

  • Creates an account with the name AWSAdminD-xxxxxxxx that has domain admin privileges. Amazon Directory Service uses this account to perform automated directory maintenance operations, such as taking directory snapshots and FSMO role transfers. The credentials for this account are securely stored by Amazon Directory Service.

  • Automatically creates and associates an elastic network interface (ENI) with each of your domain controllers. Each of these ENIs is essential for connectivity between your VPC and Amazon Directory Service domain controllers and should never be deleted. You can identify all network interfaces reserved for use with Amazon Directory Service by the description: "Amazon created network interface for directory directory-id". For more information, see Elastic Network Interfaces in the Amazon EC2 User Guide for Windows Instances.


    Domain controllers are deployed across two Availability Zones in a region by default and connected to your Amazon Virtual Private Cloud (VPC). Backups are automatically taken once per day, and the Amazon Elastic Block Store (EBS) volumes are encrypted to ensure that data is secured at rest. Domain controllers that fail are automatically replaced in the same Availability Zone using the same IP address, and a full disaster recovery can be performed using the latest backup.
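
A guard that cleanup automation could apply before deleting network interfaces, written as an added example that is not part of the AWS documentation. It recognizes the reserved ENIs by the description quoted above and reports directories whose ENIs no longer span two Availability Zones. The function names, the sample IDs, and the acceptance of an "AWS" prefix in the description are assumptions.

```python
import re

# Description text quoted on this page. Accepting the "AWS" spelling as well
# is an assumption for accounts outside the China Regions.
DIRECTORY_ENI = re.compile(
    r"^(?:Amazon|AWS) created network interface for directory (\S+)$"
)

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output.
SAMPLE = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0aaa0000000000001", "AvailabilityZone": "cn-north-1a",
     "Description": "Amazon created network interface for directory d-0000000001"},
    {"NetworkInterfaceId": "eni-0bbb0000000000002", "AvailabilityZone": "cn-north-1b",
     "Description": "Amazon created network interface for directory d-0000000001"},
    {"NetworkInterfaceId": "eni-0ccc0000000000003", "AvailabilityZone": "cn-north-1a",
     "Description": "Amazon created network interface for directory d-0000000002"},
    {"NetworkInterfaceId": "eni-0ddd0000000000004", "AvailabilityZone": "cn-north-1b",
     "Description": "app server secondary interface"},
]}

def classify_enis(response):
    """Split ENIs into directory-reserved (grouped by directory ID) and others."""
    reserved, other = {}, []
    for eni in response.get("NetworkInterfaces", []):
        match = DIRECTORY_ENI.match(eni.get("Description", ""))
        if match:
            reserved.setdefault(match.group(1), []).append(eni)
        else:
            other.append(eni["NetworkInterfaceId"])
    return reserved, other

def safe_to_delete(candidates, response):
    """Remove directory-reserved ENIs from a cleanup job's candidate list."""
    reserved, _ = classify_enis(response)
    protected = {e["NetworkInterfaceId"] for enis in reserved.values() for e in enis}
    return [c for c in candidates if c not in protected]

def directories_missing_az_spread(response, expected_azs=2):
    """Directories whose reserved ENIs cover fewer AZs than the default layout."""
    reserved, _ = classify_enis(response)
    return sorted(
        d for d, enis in reserved.items()
        if len({e["AvailabilityZone"] for e in enis}) < expected_azs
    )

if __name__ == "__main__":
    print(safe_to_delete([e["NetworkInterfaceId"] for e in SAMPLE["NetworkInterfaces"]], SAMPLE))
    print(directories_missing_az_spread(SAMPLE))
```

In the constructed sample, directory d-0000000002 has a reserved ENI in only one Availability Zone, which is the condition the second check surfaces for investigation.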