Deploy additional domain controllers - AWS Directory Service

Deploy additional domain controllers

Deploying additional domain controllers increases the redundancy, which results in even greater resilience and higher availability. This also improves the performance of your directory by supporting a greater number of Active Directory requests. For example, you can now use AWS Managed Microsoft AD to support multiple .NET applications that are deployed on large fleets of Amazon EC2 and Amazon RDS for SQL Server instances.

When you first create your directory, AWS Managed Microsoft AD deploys two domain controllers across multiple Availability Zones, which is required for highly availability purposes. Later, you can easily deploy additional domain controllers via the AWS Directory Service console by just specifying the total number of domain controllers that you want. AWS Managed Microsoft AD distributes the additional domain controllers to the Availability Zones and VPC subnets on which your directory is running.

For example, in the below illustration, DC-1 and DC-2 represent the two domain controllers that were originally created with your directory. The AWS Directory Service console refers to these default domain controllers as Required. AWS Managed Microsoft AD intentionally locates each of these domain controllers in separate Availability Zones during the directory creation process. Later, you might decide to add two more domain controllers to help distribute the authentication load over peak login times. Both DC-3 and DC-4 represent the new domain controllers, which the console now refers to as Additional. As before, AWS Managed Microsoft AD again automatically places the new domain controllers in different Availability Zones to ensure your domain's high availability.

This process eliminates the need for you to manually configure directory data replication, automated daily snapshots, or monitoring for the additional domain controllers. It's also easier for you to migrate and run mission critical Active Directory–integrated workloads in the AWS Cloud without having to deploy and maintain your own Active Directory infrastructure. You can also deploy or remove additional domain controllers for AWS Managed Microsoft AD using the UpdateNumberOfDomainControllers API.


Additional domain controllers is a Regional feature of AWS Managed Microsoft AD. If you are using Multi-Region replication, the following procedures must be applied separately in each Region. For more information, see Global vs Regional features.

Add or remove additional domain controllers

Use the following procedure to deploy or remove additional domain controllers in your AWS Managed Microsoft AD directory.


If you have configured your AWS Managed Microsoft AD to enable LDAPS, any additional domain controllers you add will also have LDAPS enabled automatically. For more information, see Enable secure LDAP (LDAPS).

To add or remove additional domain controllers

  1. In the AWS Directory Service console navigation pane, choose Directories.

  2. On the Directories page, choose your directory ID.

  3. On the Directory details page, do one of the following:

    • If you have multiple Regions showing under Multi-Region replication, select the Region where you want to add or remove domain controllers, and then choose the Scale & share tab. For more information, see Primary vs additional Regions.

    • If you do not have any Regions showing under Multi-Region replication, choose the Scale & share tab.

  4. On the Directory details page, select the Scale tab.

  5. In the Domain controllers section, choose Edit.

  6. Specify the number of domain controllers to add or remove from your directory, and then choose Modify.

  7. When AWS Managed Microsoft AD completes the deployment process, all domain controllers show Active status, and both the assigned Availability Zone and VPC subnets appear. New domain controllers are equally distributed across the Availability Zones and subnets where your directory is already deployed.


After deploying additional domain controllers, you can reduce the number of domain controllers to two, which is the minimum required for fault-tolerance and high availability purposes.

Related AWS Security Blog Article