Patching and maintenance for Amazon Managed Microsoft AD - Amazon Directory Service

Patching and maintenance for Amazon Managed Microsoft AD

Amazon Directory Service for Microsoft Active Directory, also known as Amazon DS for Amazon Managed Microsoft AD, is actually Microsoft Active Directory Domain Services (AD DS), delivered as a managed service. The system uses Microsoft Windows Server 2019 for the domain controllers (DCs), and Amazon adds software to the DCs for service management purposes. Amazon updates (patches) DCs to add new functionality and keep the Microsoft Windows Server software current. During the patching process, your directory remains available for use.

Ensuring availability

By default, each directory consists of two DCs, each installed in a different Availability Zone. At your option, you may add DCs to further increase availability. For critical environments that need high availability and fault tolerance, we recommend deploying additional DCs. Amazon patches your DCs sequentially, and the DC that Amazon is actively patching is unavailable during that time. If one or more of your DCs is temporarily out of service, Amazon defers patching until your directory has at least two operational DCs. This lets you use the other operating DCs during the patch process, which typically takes 30 to 45 minutes per DC, although this time may vary. To ensure your applications can reach an operating DC when one or more DCs is unavailable for any reason, including patching, your applications should use the Windows DC locator service rather than static DC addresses.
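The following added example (not AWS or Microsoft code) shows what "use the DC locator, not static addresses" means in practice for an application: it orders the DNS SRV records the Windows DC locator relies on (the `_ldap._tcp.dc._msdcs.<domain>` names and their RFC 2782 priority/weight rules) and skips any DC that fails a reachability probe, so a DC that is offline for patching is bypassed automatically. The domain name, host names and the `is_reachable` probe are assumptions; the SRV records are constructed inline, where a real client would obtain them from a DNS query.

```python
# Added example (not AWS or Microsoft code): locate a DC the way the Windows
# DC locator does, via DNS SRV records under _msdcs, so a DC that is offline
# for patching is skipped instead of breaking the application.
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is preferred
    weight: int    # relative share within one priority level
    port: int
    target: str    # DC host name

def srv_name(domain, site=""):
    """Name the DC locator queries for LDAP DCs; site form tried first if known."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"

def order_srv(records, rng=None):
    """RFC 2782 order: ascending priority, weighted-random within a level."""
    records, rng, ordered = list(records), rng or random.Random(), []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            threshold = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= threshold:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered

def pick_dc(records, is_reachable, rng=None):
    """First reachable (host, port) in locator order, or None if all DCs are down."""
    for rec in order_srv(records, rng):
        if is_reachable(rec.target, rec.port):
            return rec.target, rec.port
    return None

# Constructed sample: two DCs with AD's default SRV values (priority 0,
# weight 100, LDAP port 389). In production these come from a DNS SRV query.
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.corp.example.com"),
    SrvRecord(0, 100, 389, "dc2.corp.example.com"),
]
```

With `dc1` marked unreachable by the probe (as it would be mid-patch), `pick_dc` returns `dc2`; with every DC unreachable it returns `None`, which the caller should treat as a retry condition rather than falling back to a hard-coded address.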

Understanding the patching schedule

To keep the Microsoft Windows Server software current on your DCs, Amazon uses Microsoft updates. As Microsoft makes monthly rollup patches available for Windows Server, Amazon makes a best effort to test and apply the rollup to all customer DCs within three calendar weeks. In addition, Amazon reviews updates that Microsoft releases outside the monthly rollup, based on their applicability to DCs and their urgency. For security patches that Microsoft rates as Critical or Important, and that are relevant to DCs, Amazon makes every effort to test and deploy the patch within five days.