How do you remove a controller from managed AD directory service?
The documentation says that you can reduce the number of controllers to 2 https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_deploy_additional_dcs.html#addremovedcs
However in the console, setting a number less than 2 causes an error message to be displayed:
"Number must be greater than 2."
The directory type is Microsoft AD, after adding a third controller and determining that it is not needed, it seems to be impossible to remove it.
- 최신
- 최다 투표
- 가장 많은 댓글
The Console does not allow reducing the number to, 2. I believe this is a validation error for the UI Team. The API update-number-of-domain-controllers does allow removing all 'ADDITIONAL' labeled DC's and return the Directory to 2 'REQUIRED' nodes.
aws ds update-number-of-domain-controllers --directory-id d-12345a678b --desired-number 2
I would like to inform you that the removal of domain controllers in an AWS Managed Microsoft Directory is currently not supported by UI. Although we can achieve the same using API. Please feel free to use any of the methods provided below.
Prerequisites:
- Requires AD Admin permissions.
- Requires AWS Tools for Windows PowerShell or AWS CLI installed and configured.
You can refer to this document to configure AWS CLI : https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
Document to configure Windows Powershell : https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html
Using Windows Powershell:-
-
Get information about the directories Get-DSDirectory -Region "<region>"
-
To remove additional domain controller Set-DSDomainControllerCount -DirectoryId "<directory-id>" -Region "<region>" -DesiredNumber <Desired number of DCs> -Force
-
Verify the state of domain controllers Get-DSDomainControllerList -DirectoryId "<directory-id>" -Region "<region>"
Using AWS CLI:-
-
Get information about the directories aws ds describe-directories --region "<region>"
-
To remove additional domain controller aws ds update-number-of-domain-controllers --directory-id "<directory-id>" --desired-number <number of domain controller> --region "<region>"
-
Verify the state of the domain controller aws ds describe-domain-controllers --directory-id "<directory-id>" --region "<region>"
We found some DNS entries pointing to the removed DC after this process. check _kerberos._tcp and _ldap records.