Managed AD, Multi Region, Limited to 5 : How to use same domain in more regions?
We have hundreds of machines spread across 12 regions. We started implementing AWS Directory Service Managed AD with multi-region Replication and ran up against the 5 region limit (why the limit if I'm willing to pay for the additional regions?). We'd like to have all of the instances in the same domain as we are a global organization and use machines around the world for sales, service and support of our software products.
What is the best practice and architecture (and how) to get domain services into the remaining 7 regions?
- Newest
- Most votes
- Most comments
The limit of 5 regions is a soft limit. Please open a support case to request a limit increase.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html#creating-a-support-case
Hi Metageek,
I understand you have hundreds of machines spread across 12 regions and want to use the same domain in the 12 regions.You further more want to know the best practice and architecture of AWS domain services.
Please note Multi-Region replication can be used to automatically replicate your AWS Managed Microsoft AD directory data across multiple Regions.
AWS Managed Microsoft AD is available in two editions, Standard and Entrerprise. Link [1].
However Multi-Region replication is only supported for Enterprise Edition of AWS Managed Microsoft AD. Please be on the lookout for feature realize on this link [2] because this feature is unavailable in the following regions:
• Africa (Cape Town) af-south-1 • Asia Pacific (Hong Kong) ap-east-1 • Europe (Milan) eu-south-1 • Middle East (Bahrain) me-south-1
I hope this helps.
Reference
[1] https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html
Thanks for the general information on directory services. As I've said, I've already deployed to 5 regions so I'm beyond the basics.
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html While you can increase the soft limit You can consider this - share a single directory with other trusted AWS accounts within the same organization or share the directory with other AWS accounts that are outside your organization. You can also share your directory when your AWS account is not currently a member of an organization.
Directory sharing is a Regional feature of AWS Managed Microsoft AD. You can not use sharing in regions where the directory does not exist.
Relevant content
- Accepted Answerasked 4 months ago
- asked 9 months ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated a year ago
Thanks - I had opened a parallel case and this was the first option offered, to raise the soft limit. I'm still curious if it's possible to use the 5 existing and join machines in other regions to the domain assuming peering is enabled between all of the regions.
Yes, you can domain join from regions without domain controllers provided there is a network path to a region with domain controllers. Your suggestion of a peering connection between the two is ideal for this scenario. The only thing that wouldn't work is EC2's Seamless Domain Join¹ feature which will domain join at instance launch. Instead you will have to manually join² the instance or automate it yourself by adding some code to User Data or authoring an SSM document.
1 - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html 2 - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html