By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How do you remove a controller from managed AD directory service?

1

The documentation says that you can reduce the number of controllers to 2 https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_deploy_additional_dcs.html#addremovedcs

However in the console, setting a number less than 2 causes an error message to be displayed: "Number must be greater than 2." Screenshot depicting error message in the console

The directory type is Microsoft AD, after adding a third controller and determining that it is not needed, it seems to be impossible to remove it.

Topics
Security, Identity, & Compliance
Tags
AWS Directory Service
Language
English
Gordon
asked a year ago327 views
2 Answers
1
Accepted Answer

The Console does not allow reducing the number to, 2. I believe this is a validation error for the UI Team. The API update-number-of-domain-controllers does allow removing all 'ADDITIONAL' labeled DC's and return the Directory to 2 'REQUIRED' nodes.

aws ds update-number-of-domain-controllers --directory-id d-12345a678b --desired-number 2

steve-st
answered a year ago
  • steve-st
    a year ago

    We found some DNS entries pointing to the removed DC after this process. check _kerberos._tcp and _ldap records.

0

I would like to inform you that the removal of domain controllers in an AWS Managed Microsoft Directory is currently not supported by UI. Although we can achieve the same using API. Please feel free to use any of the methods provided below.

Prerequisites:

  1. Requires AD Admin permissions.
  2. Requires AWS Tools for Windows PowerShell or AWS CLI installed and configured.

You can refer to this document to configure AWS CLI : https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html

Document to configure Windows Powershell : https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html

Using Windows Powershell:-

  1. Get information about the directories Get-DSDirectory -Region "<region>"

  2. To remove additional domain controller Set-DSDomainControllerCount -DirectoryId "<directory-id>" -Region "<region>" -DesiredNumber <Desired number of DCs> -Force

  3. Verify the state of domain controllers Get-DSDomainControllerList -DirectoryId "<directory-id>" -Region "<region>"

Using AWS CLI:-

  1. Get information about the directories aws ds describe-directories --region "<region>"

  2. To remove additional domain controller aws ds update-number-of-domain-controllers --directory-id "<directory-id>" --desired-number <number of domain controller> --region "<region>"

  3. Verify the state of the domain controller aws ds describe-domain-controllers --directory-id "<directory-id>" --region "<region>"

AWS
SUPPORT ENGINEER
Parul_g
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content