Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Directory Service Data

Amazon Directory Service Data is an extension of Amazon Directory Service. You can create, read, update, and delete Active Directory (AD) users, groups, and memberships in an Amazon Directory Service for Microsoft Active Directory without deploying dedicated AD management instances on Amazon EC2. You can also perform built-in object management tasks across directories without any direct network connectivity. This simplifies provisioning and access management and makes fully automated deployments possible. For more information, see the Amazon Directory Service Data API Reference.

Directory Service Data supports user and group write operations, like CreateUser and CreateGroup, within the Amazon Managed Microsoft AD that's in your organizational unit (OU). Directory Service Data supports read operations, like ListUsers and ListGroups, on all users, groups, and group memberships within the Amazon Managed Microsoft AD and across trusted realms. Directory Service Data supports adding and removing group members from groups in your OU and the Amazon Delegated Groups OU, so you can delegate permissions by adding users to specific delegated group objects. For more information, see User and group management in Amazon Managed Microsoft AD.

Note

Directory Service Data is only available in your Primary Region. For more information, see Primary vs additional Regions.

Replication and consistency

The Directory Service Data API connects to your Amazon Managed Microsoft AD domain controllers to perform operations on the underlying directory objects. Active Directory is an eventually consistent platform, and replication is continuously occurring between Amazon Directory Service directory domain controllers. By default, every Amazon Directory Service directory is created with two domain controllers.

Directory Service Data attempts to maintain a consistent experience by using the same domain controller across requests. If that domain controller becomes unavailable, Directory Service Data switches to an alternative domain controller. During such a switch you might observe eventual consistency, because objects written to one domain controller are still being replicated to the others.

Directory Service Data request limits depend on the Amazon Managed Microsoft AD edition and apply per directory, with an additional limit per Amazon Web Services account:

  • Standard edition – Supports 8 transactions per second (TPS) for read operations and 4 TPS for write operations per directory.

  • Enterprise edition – Supports 16 TPS for read operations and 8 TPS for write operations per directory.

  • Amazon Web Services account – Supports a total of 100 TPS for Directory Service Data operations across all directories.

Note

There's a concurrency limit of 10 concurrent requests for both Standard and Enterprise editions.
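As an added example (not code from the AWS documentation), the following pacing wrapper keeps a bulk user-provisioning job inside the per-directory write TPS listed above instead of relying on throttling errors. It assumes a boto3 `ds-data` client whose `create_user` call takes `DirectoryId` and `SAMAccountName` and returns a `SID`; the directory ID is a placeholder.

```python
import time
from collections import deque

# Per-directory limits from this page: (read TPS, write TPS) per edition,
# plus the shared concurrency cap and the account-wide ceiling.
EDITION_LIMITS = {"Standard": (8, 4), "Enterprise": (16, 8)}
MAX_CONCURRENT_REQUESTS = 10
ACCOUNT_TPS = 100


class DirectoryLimiter:
    """Sliding one-second window per operation class for one directory."""

    def __init__(self, edition, clock=time.monotonic):
        self.limits = dict(zip(("read", "write"), EDITION_LIMITS[edition]))
        self.clock = clock  # injectable so the limiter can be tested offline
        self.windows = {"read": deque(), "write": deque()}

    def wait_time(self, kind):
        """Seconds until a call of `kind` fits in the window (0 if it fits now)."""
        now = self.clock()
        window = self.windows[kind]
        while window and now - window[0] >= 1.0:  # drop timestamps older than 1 s
            window.popleft()
        if len(window) < self.limits[kind]:
            return 0.0
        return 1.0 - (now - window[0])  # time until the oldest call ages out

    def acquire(self, kind, sleep=time.sleep):
        """Block until one call of `kind` is within budget, then record it."""
        delay = self.wait_time(kind)
        if delay > 0:
            sleep(delay)
        self.windows[kind].append(self.clock())


def provision_users(client, limiter, directory_id, sam_account_names, sleep=time.sleep):
    """Create each user through the CreateUser API, pacing to the write TPS.

    `client` is assumed to be a boto3 `ds-data` client (or a stand-in with the
    same create_user signature). Returns the SIDs the service assigned.
    """
    sids = []
    for name in sam_account_names:
        limiter.acquire("write", sleep)  # CreateUser counts against the write TPS
        resp = client.create_user(DirectoryId=directory_id, SAMAccountName=name)
        sids.append(resp["SID"])
    return sids
```

Running several such jobs in parallel still has to stay under the 10-request concurrency limit and the 100 TPS account-wide ceiling, which this per-directory limiter does not enforce.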