How multi-Region replication works - Amazon Directory Service

With the multi-Region replication feature, Amazon Managed Microsoft AD eliminates the undifferentiated heavy lifting of managing a global Active Directory infrastructure. When configured, Amazon replicates all customer directory data including users, groups, group policies, and schema across multiple Amazon Regions.

Once a new Region has been added, the following operations automatically occur as shown in the illustration:

  • Amazon Managed Microsoft AD creates two domain controllers in the selected VPC and deploys them to the new Region in the same Amazon account. Your directory identifier (directory_id) remains the same across all Regions. You can add more domain controllers in that Region later.

  • Amazon Managed Microsoft AD configures the networking connection between the primary Region and the new Region.

  • Amazon Managed Microsoft AD creates a new Active Directory site and gives it the same name as the Region, such as us-east-1. You can also rename this later using the Active Directory Sites and Services tool.

  • Amazon Managed Microsoft AD replicates all Active Directory objects and configurations to the new Region, including users, groups, group policies, Active Directory trusts, organizational units, and Active Directory schema. Active Directory site links are configured to use Change Notification. With change notification between sites enabled, changes propagate to the remote site with the same frequency that they are propagated within the source site, including changes that warrant urgent replication.

  • If this is the first Region you've added, Amazon Managed Microsoft AD makes all features multi-Region aware. For more information, see Global vs Regional features.

Figure: Multi-Region replication of an Amazon Managed Microsoft AD directory between a primary Region and an additional Region.

Active Directory sites

Multi-Region replication supports multiple Active Directory sites (one Active Directory site per Region). When a new Region is added, its site is given the same name as the Region (for example, us-east-1). You can rename the site later using Active Directory Sites and Services.
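To verify what the replication steps above and the per-Region site layout actually produced, the following added example (not part of the Amazon documentation) can be run from a domain-joined Windows instance that has the RSAT ActiveDirectory module. It lists the sites, checks that every site link has change notification enabled (bit 0x1 of the siteLink `options` attribute), and reports the last inbound replication result for each domain controller; the account used is assumed to have read access to the Configuration partition.

```powershell
# Added example, not from the AWS documentation. Assumes the RSAT
# ActiveDirectory module and an account that can read the Configuration
# partition of the Amazon Managed Microsoft AD forest.
Import-Module ActiveDirectory

# One site per Region, named after the Region (e.g. us-east-1) unless renamed.
Write-Host "Sites:"
Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name

# siteLink "options" bits: 0x1 = USE_NOTIFY (change notification),
# 0x2 = TWOWAY_SYNC, 0x4 = DISABLE_COMPRESSION. A null value means no bits set.
Write-Host "`nSite links (ChangeNotification should be True for every link):"
Get-ADReplicationSiteLink -Filter * -Properties Options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{Name = 'ChangeNotification'; Expression = { ([int]$_.Options -band 0x1) -eq 0x1 }}

# Inbound replication status of the domain partition for every domain
# controller, tagged with the site (Region) the DC belongs to.
Write-Host "`nReplication partners:"
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition Domain -ErrorAction SilentlyContinue |
        Select-Object @{Name = 'Site'; Expression = { $dc.Site }},
            Server, Partner, LastReplicationSuccess, LastReplicationResult,
            ConsecutiveReplicationFailures
}
```

A non-zero LastReplicationResult or a growing ConsecutiveReplicationFailures on a partner in another Region is the signal to investigate before it shows up as stale objects in that Region.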

Amazon services

Amazon services such as Amazon RDS for SQL Server and Amazon FSx connect to the local domain controllers of the global directory in their own Region. This allows your users to sign in once to Active Directory-aware applications that run in Amazon, as well as to Amazon services like Amazon RDS for SQL Server, in any Amazon Region. To do so, users need credentials from Amazon Managed Microsoft AD, or from an on-premises Active Directory that has a trust with your Amazon Managed Microsoft AD.

You can use the following Amazon services with the multi-Region replication feature.

  • Amazon EC2

  • Amazon FSx for Windows File Server

  • Amazon RDS for SQL Server

  • Amazon RDS for Oracle

  • Amazon RDS for MySQL

  • Amazon RDS for PostgreSQL

  • Amazon RDS for MariaDB

  • Amazon Aurora for MySQL

  • Amazon Aurora for PostgreSQL

Failover

In the event that all domain controllers in one Region are down, Amazon Managed Microsoft AD recovers the domain controllers and replicates the directory data to them automatically. Meanwhile, domain controllers in the other Regions stay up and running.