- Newest
- Most votes
- Most comments
It is generally recommended to have a separate Active Directory (AD) site for each region because it helps to ensure that clients can always find a domain controller (DC) that is located close to them and can provide fast authentication and authorization services. This is especially important if the clients are located in different regions, as it can help to reduce the amount of cross-region traffic that is generated by clients trying to authenticate to the AD.
However, if you have a large number of clients that are all located within the same region and availability zone (AZ), then it might make sense to create a separate AD site for each AZ. This can help to further optimize the authentication process for these clients by ensuring that they can always find a DC that is located within the same AZ.
It's worth noting that creating a separate AD site for each AZ can be more complex to manage and maintain than a single AD site per region. This is because you would need to create and manage multiple AD site links, and you would also need to ensure that the site topology is properly configured to reflect the different AZs.
In general, the best approach for designing AD sites will depend on your specific requirements and the distribution of your clients. It might be useful to consider factors such as the number of clients that are located in each region or AZ, the expected workload on the DCs, and the expected network latency between the clients and the DCs when deciding how to design your AD sites.
Relevant content
- asked 5 months ago
- asked 4 years ago
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 9 months ago
That makes a lot of sense. Thank you!