Multi-Region replication
Multi-Region replication can be used to automatically replicate your Amazon Managed Microsoft AD directory data across multiple Amazon Web Services Regions. This replication can improve performance for users and applications in disperse geographic locations. Amazon Managed Microsoft AD uses native Active Directory replication to replicate your directory’s data securely to the new Region.
Multi-Region replication is only supported for the Enterprise Edition of Amazon Managed Microsoft AD.
You can use automated multi-Region replication in most Regions where Amazon Managed Microsoft AD is available.
Important
Multi-Region replication is unavailable in the following opt-in Regions:
-
Africa (Cape Town) af-south-1
-
Asia Pacific (Hong Kong) ap-east-1
-
Asia Pacific (Hyderabad) ap-south-2
-
Asia Pacific (Jakarta) ap-southeast-3
-
Asia Pacific (Melbourne) ap-southeast-4
-
Canada West (Calgary) ca-west-1
-
Europe (Milan) eu-south-1
-
Europe (Spain) eu-south-2
-
Europe (Zurich) eu-central-2
-
Israel (Tel Aviv) il-central-1
-
Middle East (Bahrain) me-south-1
-
Middle East (UAE) me-central-1
For more information about opt-in Regions and how to enable them, see Specify which Amazon Web Services Regions your account can use in the Amazon Account Management Guide.
Topics
Benefits
With multi-Region replication in Amazon Managed Microsoft AD, Active Directory-aware applications use the directory locally for high performance and the multi-Region feature for resiliency. You can use multi-Region replication with Active Directory-aware applications like SharePoint and SQL Server Always On as well as Amazon services like Amazon RDS for SQL Server and FSx for Windows File Server. The following are additional benefits of multi-Region replication.
-
It lets you deploy a single Amazon Managed Microsoft AD instance globally, quickly, and eliminates the heavy lifting of self-managing a global Active Directory infrastructure.
-
It makes it easier and more cost-effective for you to deploy and manage Windows and Linux workloads in multiple Amazon Regions. Automated multi-Region replication enables optimal performance in your global Active Directory-aware applications. All applications deployed in Windows or Linux instances use Amazon Managed Microsoft AD locally in the Region, which enables responses to user requests from the closest Region possible.
-
It provides multi-Region resiliency. Deployed in the highly available Amazon managed infrastructure, Amazon Managed Microsoft AD handles automated software updates, monitoring, recovery, and the security of the underlying Active Directory infrastructure across all Regions. This allows you to focus on building your applications.
How multi-Region replication works
With the multi-Region replication feature, Amazon Managed Microsoft AD eliminates the undifferentiated heavy lifting of managing a global Active Directory infrastructure. When configured, Amazon replicates all customer directory data including users, groups, group policies, and schema across multiple Amazon Regions.
Once a new Region has been added, the following operations automatically occur as shown in the illustration:
-
Amazon Managed Microsoft AD creates two domain controllers in the selected VPC and deploys them to the new Region in the same Amazon account. Your directory identifier (
directory_id) remains the same across all Regions. You can add additional domain controllers later if you want. -
Amazon Managed Microsoft AD configures the networking connection between the primary Region and the new Region.
-
Amazon Managed Microsoft AD creates a new Active Directory site and gives it the same name as the Region, such as us-east-1. You can also rename this later using the Active Directory Sites and Services tool.
-
Amazon Managed Microsoft AD replicates all Active Directory objects and configurations to the new Region, including users, groups, group policies, Active Directory trusts, organizational units, and Active Directory schema. Active Directory site links are configured to use Change Notification
. With change notification between sites enabled, changes propagate to the remote site with the same frequency that they are propagated within the source site, including changes that warrant urgent replication. -
If this is the first Region you've added, Amazon Managed Microsoft AD makes all features multi-Region aware. For more information, see Global vs Regional features.
Active Directory sites
Multi-Region replication supports multiple Active Directory sites (one Active Directory site per Region). When a new Region is added, it is given the same name as the Region—for example, us-east-1. You can also rename this later using Active Directory Sites and Services.
Amazon services
Amazon services such as Amazon RDS for SQL Server and Amazon FSx connect to the local instances of the global directory. This allows your users to sign in once to Active Directory-aware applications that run in Amazon as well as Amazon services like Amazon RDS for SQL Server in any Amazon Region. To do so, users need credentials from Amazon Managed Microsoft AD or on-premises Active Directory when you have a trust with your Amazon Managed Microsoft AD.
You can use the following Amazon services with the multi-Region replication feature.
-
Amazon EC2
-
Amazon FSx for Windows File Server
-
Amazon Relational Database Service for SQL Server
-
Amazon RDS for Oracle
-
Amazon RDS for MySQL
-
Amazon RDS for PostgreSQL
-
Amazon RDS for MariaDB
-
Amazon Aurora for MySQL
-
Amazon Aurora for PostgreSQL
Failover
In the event that all domain controllers in one Region are down, Amazon Managed Microsoft AD recovers the domain controllers and replicates the directory data automatically. Meanwhile domain controllers in other Regions stay up and running.