
Other considerations - Active Directory Domain Services on AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Other considerations

FSMO Roles. You can follow the same recommendations you would follow for your on-premises deployment to determine which DCs hold the FSMO roles. See also the best practices from Microsoft. In the case of AWS Managed Microsoft AD, all domain controllers and FSMO role assignments are managed by AWS and do not require you to manage or change them.

Global Catalog. Unless you have slow connections or an extremely large Active Directory database, we recommend adding the global catalog role to all of your domain controllers in multi-domain forests (except the domain controller that holds the Infrastructure Master role).

If you are hosting Microsoft Exchange in the AWS Cloud, at least one global catalog server is required in each site that contains Exchange servers. For more information about the global catalog, see the Microsoft documentation. Since there is only one domain in the forest for AWS Managed Microsoft AD, all of its domain controllers are configured as global catalogs and hold full information about all objects.

Read-Only Domain Controllers (RODCs). It’s possible to deploy RODCs on AWS if you are running Active Directory on EC2 instances and require them, and there are no special considerations for doing so. AWS Managed Microsoft AD does not support RODCs. All of the domain controllers that are deployed as part of AWS Managed Microsoft AD are writable domain controllers.
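The following PowerShell audit is an added example, not code from the whitepaper or from AWS: it reports the FSMO role holders, checks the global catalog placement recommended above (every DC in a multi-domain forest is a GC except the Infrastructure Master, and every site has at least one GC, which Exchange sites require), and lists any RODCs. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host with read access to the forest; it is meant for self-managed AD on EC2, since AWS Managed Microsoft AD handles these settings for you.

```powershell
# Added example: audit FSMO, global catalog and RODC placement across a forest.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, read-capable account.
Import-Module ActiveDirectory

$forest      = Get-ADForest
$multiDomain = $forest.Domains.Count -gt 1
$findings    = New-Object System.Collections.Generic.List[string]

# Forest-wide FSMO roles live on the forest object; the three domain roles on each domain.
$findings.Add("Schema Master: $($forest.SchemaMaster); Domain Naming Master: $($forest.DomainNamingMaster)")

$dcs = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $findings.Add("[$domainName] PDC: $($domain.PDCEmulator); RID: $($domain.RIDMaster); Infrastructure: $($domain.InfrastructureMaster)")
    # Collect every DC of this domain (HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles).
    Get-ADDomainController -Filter * -Server $domainName
}

foreach ($dc in $dcs) {
    $isInfraMaster = $dc.OperationMasterRoles -contains 'InfrastructureMaster'

    # Recommendation: in a multi-domain forest every DC is a GC, except the Infrastructure Master.
    if ($multiDomain -and -not $dc.IsGlobalCatalog -and -not $isInfraMaster) {
        $findings.Add("WARN $($dc.HostName) ($($dc.Domain)) is not a global catalog")
    }
    if ($multiDomain -and $dc.IsGlobalCatalog -and $isInfraMaster) {
        $findings.Add("NOTE $($dc.HostName) holds Infrastructure Master and is also a GC (excluded by the recommendation)")
    }

    # RODCs are fine on EC2 if you need them, but AWS Managed Microsoft AD does not support them.
    if ($dc.IsReadOnly) {
        $findings.Add("INFO $($dc.HostName) ($($dc.Domain)) is a read-only domain controller")
    }
}

# Any site that hosts Exchange needs at least one GC: flag sites that have DCs but no GC.
$dcs | Group-Object -Property Site | ForEach-Object {
    $site = $_
    if (-not ($site.Group | Where-Object { $_.IsGlobalCatalog })) {
        $findings.Add("WARN site $($site.Name) has domain controllers but no global catalog")
    }
}

$findings
```

WARN lines mark deviations from the recommendations above; INFO and NOTE lines are informational and need a decision only if the listed DC is also meant to run Exchange lookups or to be migrated to AWS Managed Microsoft AD.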