The Console does not allow reducing the number to 2. I believe this is a validation error for the UI Team. The API update-number-of-domain-controllers
does allow removing all 'ADDITIONAL' labeled DCs and returning the Directory to 2 'REQUIRED' nodes.
aws ds update-number-of-domain-controllers --directory-id d-12345a678b --desired-number 2
I would like to inform you that the removal of domain controllers in an AWS Managed Microsoft Directory is currently not supported by the UI, although we can achieve the same using the API. Please feel free to use any of the methods provided below.
Prerequisites:
- Requires AD Admin permissions.
- Requires AWS Tools for Windows PowerShell or AWS CLI installed and configured.
You can refer to this document to configure AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
Document to configure Windows PowerShell: https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html
Using Windows PowerShell:
- Get information about the directories: Get-DSDirectory -Region "<region>"
- To remove additional domain controller: Set-DSDomainControllerCount -DirectoryId "<directory-id>" -Region "<region>" -DesiredNumber <Desired number of DCs> -Force
- Verify the state of domain controllers: Get-DSDomainControllerList -DirectoryId "<directory-id>" -Region "<region>"
Using AWS CLI:
- Get information about the directories: aws ds describe-directories --region "<region>"
- To remove additional domain controller: aws ds update-number-of-domain-controllers --directory-id "<directory-id>" --desired-number <number of domain controller> --region "<region>"
- Verify the state of the domain controller: aws ds describe-domain-controllers --directory-id "<directory-id>" --region "<region>"
We found some DNS entries pointing to the removed DC after this process. Check _kerberos._tcp and _ldap records.
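
An added example, not part of any post above: a Python check that combines the verify step from the answer with the DNS cleanup mentioned in the comment. It assumes you have saved the JSON from `aws ds describe-domain-controllers` and collected the SRV targets and their addresses yourself; the controller IDs, IP addresses, `corp.example.com` domain and all function names are constructed for illustration.

```python
import json

# Constructed sample: shape of `aws ds describe-domain-controllers` output
# after scaling back to 2 controllers (IDs and IPs are made up).
SAMPLE_DCS = json.loads("""
{"DomainControllers": [
  {"DomainControllerId": "dc-aaaa000001", "DnsIpAddr": "10.0.1.10", "Status": "Active"},
  {"DomainControllerId": "dc-aaaa000002", "DnsIpAddr": "10.0.2.10", "Status": "Active"},
  {"DomainControllerId": "dc-aaaa000003", "DnsIpAddr": "10.0.3.10", "Status": "Deleted"}
]}
""")

# Constructed sample: SRV targets per record name and the address each target
# resolves to, as gathered with nslookup or Resolve-DnsName.
SAMPLE_SRV = {
    "_ldap._tcp.corp.example.com": {"dc1.corp.example.com": "10.0.1.10",
                                    "dc3.corp.example.com": "10.0.3.10"},
    "_kerberos._tcp.corp.example.com": {"dc1.corp.example.com": "10.0.1.10",
                                        "dc2.corp.example.com": "10.0.2.10"},
}

GONE = {"Deleting", "Deleted"}  # statuses of controllers leaving the directory

def remaining_controllers(describe_output):
    """Controllers that are still part of the directory."""
    return [dc for dc in describe_output["DomainControllers"]
            if dc["Status"] not in GONE]

def check_scale_down(describe_output, desired):
    """True when exactly `desired` controllers remain and all are Active."""
    remaining = remaining_controllers(describe_output)
    return (len(remaining) == desired
            and all(dc["Status"] == "Active" for dc in remaining))

def stale_srv_records(describe_output, srv_map):
    """(record, target, ip) tuples whose target resolves to a removed DC."""
    live = {dc["DnsIpAddr"] for dc in remaining_controllers(describe_output)}
    return sorted((rec, host, ip)
                  for rec, targets in srv_map.items()
                  for host, ip in targets.items()
                  if ip not in live)

if __name__ == "__main__":
    print("scale-down complete:", check_scale_down(SAMPLE_DCS, 2))
    for rec, host, ip in stale_srv_records(SAMPLE_DCS, SAMPLE_SRV):
        print(f"stale: {rec} -> {host} ({ip})")
```

Any record it reports is a locator entry that still sends LDAP or Kerberos clients to an address that is no longer a domain controller, so remove it from the DNS zone.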