# Configure Multi-Region replication for AWS Managed Microsoft AD
<a name="ms_ad_configure_multi_region_replication"></a>

Multi-Region replication automatically replicates your AWS Managed Microsoft AD directory data across multiple AWS Regions. This replication can improve performance for users and applications in geographically dispersed locations. AWS Managed Microsoft AD uses native Active Directory replication to replicate your directory's data securely to each Region you add. 

Multi-Region replication is only supported for the **Enterprise Edition** of AWS Managed Microsoft AD.

You can use automated multi-Region replication in most Regions where AWS Managed Microsoft AD is available.

**Note**  
Multi-Region replication is unavailable in the following opt-in Regions:  
+ Middle East (Bahrain) me-south-1
+ Middle East (UAE) me-central-1

For more information about opt-in Regions and how to enable them, see [Specify which AWS Regions your account can use](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) in the *AWS Account Management Guide*.

**Important**  
You can only extend Multi-Region replication to additional Regions if your primary Region is an AWS default Region. If your primary Region is an opt-in Region, you cannot add additional Regions to your Multi-Region replication. Ensure that your directory was originally created in an AWS default Region before attempting to extend replication.

## How Multi-Region replication works
<a name="multi-region-how-it-works"></a>

With the Multi-Region replication feature, AWS Managed Microsoft AD eliminates the undifferentiated heavy lifting of managing a global Active Directory infrastructure. When configured, AWS replicates all customer directory data including users, groups, group policies, and schema across multiple AWS Regions.

Once a new Region has been added, the following operations automatically occur as shown in the illustration:
+ AWS Managed Microsoft AD creates two domain controllers in the selected VPC and deploys them to the new Region in the same AWS account. Your directory identifier (`directory_id`) remains the same across all Regions. You can add additional domain controllers later if you want.
+ AWS Managed Microsoft AD configures the networking connection between the primary Region and the new Region. 
+ AWS Managed Microsoft AD creates a new Active Directory site and gives it the same name as the Region, such as us-east-1. You can also rename this later using the Active Directory Sites and Services tool.
+ AWS Managed Microsoft AD replicates all Active Directory objects and configurations to the new Region, including users, groups, group policies, Active Directory trusts, organizational units, and Active Directory schema. Active Directory site links are configured to use [Change Notification](https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/modify-default-intra-site-dc-replication-interval). With change notification between sites enabled, changes propagate to the remote site with the same frequency that they are propagated within the source site, including changes that warrant urgent replication.
+ If this is the first Region you've added, AWS Managed Microsoft AD makes all features multi-Region aware. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

![\[Multi-region replication of a AWS Managed Microsoft AD Active Directory between a primary region and an additional region.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/multiregion.png)


### Active Directory sites
<a name="multi-region-sites"></a>

Multi-Region replication supports multiple Active Directory sites (one Active Directory site per Region). When a new Region is added, it is given the same name as the Region—for example, us-east-1. You can also rename this later using Active Directory Sites and Services.

### AWS services
<a name="multi-region-services"></a>

AWS services such as Amazon RDS for SQL Server and Amazon FSx connect to the local instances of the global directory. This allows your users to sign in once to Active Directory-aware applications that run in AWS as well as AWS services like Amazon RDS for SQL Server in any AWS Region. To do so, users sign in with AWS Managed Microsoft AD credentials, or with their on-premises Active Directory credentials if you have a trust between your on-premises Active Directory and your AWS Managed Microsoft AD.

You can use the following AWS services with the multi-Region replication feature.
+ Amazon EC2
+ Amazon FSx for Windows File Server
+ Amazon Relational Database Service for SQL Server
+ Amazon RDS for Oracle
+ Amazon RDS for MySQL
+ Amazon RDS for PostgreSQL
+ Amazon RDS for MariaDB
+ Amazon Aurora for MySQL
+ Amazon Aurora for PostgreSQL

### Failover
<a name="multi-region-failover"></a>

In the event that all domain controllers in one Region are down, AWS Managed Microsoft AD recovers the domain controllers and replicates the directory data automatically. Meanwhile, domain controllers in other Regions stay up and running.

## Benefits of multi-Region replication
<a name="multi-region-benefits"></a>

With multi-Region replication in AWS Managed Microsoft AD, Active Directory-aware applications use the directory locally for high performance and the multi-Region feature for resiliency. You can use multi-Region replication with Active Directory-aware applications like SharePoint and SQL Server Always On as well as AWS services like Amazon RDS for SQL Server and FSx for Windows File Server. The following are additional benefits of multi-Region replication.
+ It lets you deploy a single AWS Managed Microsoft AD directory globally and quickly, and eliminates the heavy lifting of self-managing a global Active Directory infrastructure. 
+ It makes it easier and more cost-effective for you to deploy and manage Windows and Linux workloads in multiple AWS Regions. Automated multi-Region replication enables optimal performance in your global Active Directory-aware applications. All applications deployed in Windows or Linux instances use AWS Managed Microsoft AD locally in the Region, which enables responses to user requests from the closest Region possible.
+ It provides multi-Region resiliency. Deployed in the highly available AWS managed infrastructure, AWS Managed Microsoft AD handles automated software updates, monitoring, recovery, and the security of the underlying Active Directory infrastructure across all Regions. This allows you to focus on building your applications.

**Topics**
+ [How Multi-Region replication works](#multi-region-how-it-works)
+ [Benefits of multi-Region replication](#multi-region-benefits)
+ [Global vs Regional features](multi-region-global-region-features.md)
+ [Primary vs additional Regions](multi-region-global-primary-additional.md)
+ [Adding a replicated Region for AWS Managed Microsoft AD](multi-region-add-region.md)
+ [Deleting a replicated Region for AWS Managed Microsoft AD](multi-region-delete-region.md)

# Global vs Regional features
<a name="multi-region-global-region-features"></a>

When you add an AWS Region to your directory using multi-Region replication, Directory Service enhances the scope of all features so that they become Region-aware. These features are listed on various tabs of the details page that appears when you choose the ID of a directory in the Directory Service console. This means that all features are enabled, configured, or managed based on the Region that you select in the **Multi-Region replication** section of the console. Changes you make to features in each Region are either applied globally or per Region.

Multi-Region replication is only supported for the **Enterprise Edition** of AWS Managed Microsoft AD.

## Global features
<a name="multi-region-global"></a>

Any changes that you make to global features while the [Primary Region](multi-region-global-primary-additional.md#multi-region-primary) is selected will be applied across all Regions.

You can identify the features that are used globally on the **Directory details** page because they display **Applied to all replicated Regions** next to them. Alternatively, if you selected another Region in the list that is not the primary Region, you can identify the globally used features because they display **Inherited from primary Region**.

## Regional features
<a name="multi-region-regional"></a>

Any changes that you make to a feature in an [Additional Region](multi-region-global-primary-additional.md#multi-region-additional) will be applied only to that Region.

You can identify the features that are Regional on the **Directory details** page because they do ***not*** display **Applied to all replicated Regions** or **Inherited from primary Region** next to them.

# Primary vs additional Regions
<a name="multi-region-global-primary-additional"></a>

With multi-Region replication, AWS Managed Microsoft AD uses the following two types of Regions to differentiate how global or Regional features should be applied across your directory.

## Primary Region
<a name="multi-region-primary"></a>

The initial Region where you first created your directory is referred to as the *primary* Region. Global directory-level operations, such as creating Active Directory trusts and updating the AD schema, can be performed only from the primary Region.

The primary Region can always be identified as the first Region showing at the top of the list in the **Multi-Region replication** section, and ends with **- Primary**. For example, **US East (N. Virginia) - Primary**. 

Any changes that you make to [Global features](multi-region-global-region-features.md#multi-region-global) while the primary Region is selected will be applied across all Regions.

You can only add Regions while the primary Region is selected. For more information, see [Adding a replicated Region for AWS Managed Microsoft AD](multi-region-add-region.md).

## Additional Region
<a name="multi-region-additional"></a>

Any Regions that you have added to your directory are referred to as *additional* Regions.

Although some features can be managed globally for all Regions, others are managed individually per Region. To manage a feature for an additional Region (non-primary Region), you must first select the additional Region from the list in the **Multi-Region replication** section on the **Directory details** page. Then you can proceed to manage the feature. 

Any changes that you make to [Regional features](multi-region-global-region-features.md#multi-region-regional) while an additional Region is selected will be applied only to that Region.

# Adding a replicated Region for AWS Managed Microsoft AD
<a name="multi-region-add-region"></a>

When you add a Region using the [Configure Multi-Region replication for AWS Managed Microsoft AD](ms_ad_configure_multi_region_replication.md) feature, AWS Managed Microsoft AD creates two domain controllers in the selected AWS Region, Amazon Virtual Private Cloud (VPC), and subnet. AWS Managed Microsoft AD also creates the related security groups that enable Windows workloads to connect to your directory in the new Region. It also creates these resources using the same AWS account where your directory is already deployed. You do this by choosing the Region, specifying the VPC, and providing the configurations for the new Region.

Multi-Region replication is only supported for the **Enterprise Edition** of AWS Managed Microsoft AD.

## Prerequisites
<a name="multi-region-add-region-prereqs"></a>

Before you proceed with the steps to add a new replication Region, we recommend that you first review the following prerequisite tasks.
+ Verify that you have the necessary AWS Identity and Access Management (IAM) permissions, and that the Amazon VPC and subnets you intend to use already exist in the new Region to which you want to replicate the directory. This applies whether or not you already have a trust relationship with your on-premises Active Directory.
+ If you want to use your existing on-premises Active Directory credentials to access and manage Active Directory-aware workloads in AWS, create an Active Directory trust between AWS Managed Microsoft AD and your on-premises AD infrastructure. For more information about trusts, see [Connect AWS Managed Microsoft AD to your existing Active Directory infrastructure](ms_ad_connect_existing_infrastructure.md).

## Add a Region
<a name="multi-region-add-region-add"></a>

Use the following procedure to add a replicated Region for your AWS Managed Microsoft AD directory.

**To add a replicated Region**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, under **Multi-Region replication**, choose the **Primary** Region from the list, and then choose **Add Region**.
**Note**  
You can only add Regions while the **Primary** Region is selected. For more information, see [Primary Region](multi-region-global-primary-additional.md#multi-region-primary).

1. On the **Add Region** page, under **Region**, choose the Region you want to add from the list.

1. Under **VPC**, choose the VPC to use for this Region.
**Note**  
This VPC must not have a Classless Inter-Domain Routing (CIDR) block that overlaps with the CIDR block of a VPC used by this directory in another Region.

1. Under **Subnets**, choose the subnet to use for this Region.

1. Review the information under **Pricing**, and then choose **Add**.

1. When AWS Managed Microsoft AD completes the domain controller deployment process, the Region will display **Active** status. You can now make updates to this Region as needed.
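The procedure above has two preconditions that are easy to miss when you script it: the request must be issued from the primary Region, and the new VPC's CIDR block must not overlap any VPC the directory already uses in another Region. The following Python script is an added example, not code from the AWS documentation. Its check functions operate on the response shapes of the Directory Service `DescribeRegions` API and the EC2 `DescribeVpcs` API and run here on constructed sample data (directory, VPC and subnet IDs and CIDR ranges are made up). The real boto3 calls (`describe_regions`, `describe_vpcs`, `add_region`) are isolated in `live_add_region()`, which is not invoked by default; all function names are my own.

```python
"""Pre-flight checks before adding a replicated Region to an AWS Managed Microsoft AD directory.

Added example, not part of the AWS documentation. The check functions take the
response shapes of ds:DescribeRegions (RegionsDescription) and ec2:DescribeVpcs
so they can run offline on constructed data; boto3 is used only in live_add_region().
"""
import ipaddress

# Opt-in Regions the documentation lists as not supporting multi-Region replication.
UNSUPPORTED_OPT_IN = {"me-south-1", "me-central-1"}

# Constructed sample shaped like describe_regions()["RegionsDescription"]; all IDs are made up.
SAMPLE_REGIONS = [
    {"DirectoryId": "d-1234567890", "RegionName": "us-east-1", "RegionType": "Primary",
     "Status": "Active", "VpcSettings": {"VpcId": "vpc-0aaa", "SubnetIds": ["subnet-0a1", "subnet-0a2"]}},
    {"DirectoryId": "d-1234567890", "RegionName": "eu-west-1", "RegionType": "Additional",
     "Status": "Active", "VpcSettings": {"VpcId": "vpc-0bbb", "SubnetIds": ["subnet-0b1", "subnet-0b2"]}},
]
# Constructed: CIDR blocks of the VPCs above, keyed by Region (a VPC can carry several blocks).
SAMPLE_CIDRS = {"us-east-1": ["10.0.0.0/16"], "eu-west-1": ["10.1.0.0/16", "10.2.0.0/20"]}


def primary_region(regions_description):
    """RegionName of the entry whose RegionType is Primary; AddRegion must be issued there."""
    for region in regions_description:
        if region.get("RegionType") == "Primary":
            return region["RegionName"]
    raise ValueError("DescribeRegions output contains no Primary Region")


def overlapping_cidrs(candidate_cidrs, existing_cidrs_by_region):
    """Every (region, existing_cidr, candidate_cidr) pair that overlaps; an empty list means clear."""
    hits = []
    for region, cidrs in existing_cidrs_by_region.items():
        for have in cidrs:
            for want in candidate_cidrs:
                if ipaddress.ip_network(have).overlaps(ipaddress.ip_network(want)):
                    hits.append((region, have, want))
    return hits


def preflight(regions_description, caller_region, new_region, candidate_cidrs, existing_cidrs_by_region):
    """Return human-readable blockers; an empty list means AddRegion may proceed."""
    problems = []
    primary = primary_region(regions_description)
    if caller_region != primary:
        problems.append(f"AddRegion must be called in the primary Region {primary}, not {caller_region}")
    if new_region in UNSUPPORTED_OPT_IN:
        problems.append(f"{new_region} does not support multi-Region replication")
    if any(r["RegionName"] == new_region for r in regions_description):
        problems.append(f"{new_region} is already part of this directory")
    for region, have, want in overlapping_cidrs(candidate_cidrs, existing_cidrs_by_region):
        problems.append(f"candidate VPC CIDR {want} overlaps {have} used by the directory in {region}")
    return problems


def associated_cidrs(vpc):
    """CIDR blocks currently associated with a describe_vpcs()["Vpcs"][i] entry (ignores disassociated ones)."""
    return [a["CidrBlock"] for a in vpc.get("CidrBlockAssociationSet", [])
            if a.get("CidrBlockState", {}).get("State") == "associated"]


def live_add_region(directory_id, primary, new_region, vpc_id, subnet_ids):
    """Real AWS calls (not exercised offline): gather the inputs, run preflight, then AddRegion."""
    import boto3  # imported here so the offline checks above do not need it
    # DescribeRegions must be called against a Region the directory is in; the primary always is.
    ds = boto3.client("ds", region_name=primary)
    regions = ds.describe_regions(DirectoryId=directory_id)["RegionsDescription"]
    existing = {}
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region["RegionName"])
        vpc = ec2.describe_vpcs(VpcIds=[region["VpcSettings"]["VpcId"]])["Vpcs"][0]
        existing[region["RegionName"]] = associated_cidrs(vpc)
    new_vpc = boto3.client("ec2", region_name=new_region).describe_vpcs(VpcIds=[vpc_id])["Vpcs"][0]
    problems = preflight(regions, primary, new_region, associated_cidrs(new_vpc), existing)
    if problems:
        raise SystemExit("\n".join(problems))
    ds.add_region(DirectoryId=directory_id, RegionName=new_region,
                  VPCSettings={"VpcId": vpc_id, "SubnetIds": subnet_ids})
    # Poll describe_regions() until the new entry reports Status == "Active" before using it.


if __name__ == "__main__":
    for blocker in preflight(SAMPLE_REGIONS, "eu-west-1", "eu-west-1", ["10.1.0.0/24"], SAMPLE_CIDRS):
        print("BLOCKED:", blocker)
    print("clear:", preflight(SAMPLE_REGIONS, "us-east-1", "ap-southeast-2", ["10.3.0.0/16"], SAMPLE_CIDRS) == [])
```

The overlap check compares every CIDR block of every existing VPC against every block of the candidate, because a VPC with a secondary CIDR association can overlap even when its primary block does not. The live path reads the CIDRs from EC2 rather than trusting a value typed by the operator.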

## Next steps
<a name="multi-region-add-region-next-steps"></a>

After you add your new Region, you should consider doing the following next steps:
+ Deploy additional domain controllers (up to 20) to your new Region as needed. When you add a Region, two domain controllers are created by default, which is the minimum required for fault tolerance and high availability. For more information, see [Adding or removing additional domain controllers with the AWS Management Console](ms_ad_deploy_additional_dcs.md#addremovedcs).
+ Share your directory with more AWS accounts per Region. Directory sharing configurations are not replicated from the primary Region automatically. For more information, see [Share your AWS Managed Microsoft AD](ms_ad_directory_sharing.md).
+ Enable log forwarding to retrieve your directory's security logs using Amazon CloudWatch Logs from the new Region. Log forwarding is configured per Region, so you must provide a log group name in each Region where you replicated your directory. For more information, see [Enabling Amazon CloudWatch Logs log forwarding for AWS Managed Microsoft AD](ms_ad_enable_log_forwarding.md). 
+ Enable Amazon Simple Notification Service (Amazon SNS) monitoring for the new Region to track your directory health status per Region. For more information, see [Enabling AWS Managed Microsoft AD directory status notifications with Amazon Simple Notification Service](ms_ad_enable_notifications.md).
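Directory sharing, log forwarding and SNS notifications are all Regional settings, so a Region added yesterday can be silently missing the security-log forwarding and health alerts that the primary Region has. The Python script below is an added example, not AWS's code. It walks every Region returned by `DescribeRegions` and reports which ones have no CloudWatch Logs subscription (`DescribeLogSubscriptions`) or no registered SNS topic (`DescribeEventTopics`). The check itself is a pure function over those API response shapes and runs here on constructed data (directory ID, log group and topic names are made up). `live_regional_gaps()` holds the boto3 calls and creates one client per Region, on the assumption, taken from the page's statement that these settings are configured per Region, that the two APIs return only the calling Region's configuration.

```python
"""Audit per-Region settings that multi-Region replication does not carry over.

Added example, not part of the AWS documentation. regional_gaps() is a pure function
over the response shapes of ds:DescribeRegions, ds:DescribeLogSubscriptions and
ds:DescribeEventTopics; boto3 is used only in live_regional_gaps().
"""

# Constructed sample data; the directory ID, log group and topic names are made up.
SAMPLE_REGIONS = [  # describe_regions()["RegionsDescription"], trimmed to the fields used here
    {"RegionName": "us-east-1", "RegionType": "Primary", "Status": "Active"},
    {"RegionName": "eu-west-1", "RegionType": "Additional", "Status": "Active"},
    {"RegionName": "ap-southeast-2", "RegionType": "Additional", "Status": "Active"},
    {"RegionName": "ca-central-1", "RegionType": "Additional", "Status": "Creating"},
]
SAMPLE_LOG_SUBSCRIPTIONS = {  # Region -> describe_log_subscriptions()["LogSubscriptions"]
    "us-east-1": [{"DirectoryId": "d-1234567890", "LogGroupName": "/aws/directoryservice/d-1234567890"}],
    "eu-west-1": [],
    "ap-southeast-2": [{"DirectoryId": "d-1234567890", "LogGroupName": "/aws/directoryservice/d-1234567890"}],
}
SAMPLE_EVENT_TOPICS = {  # Region -> describe_event_topics()["EventTopics"]
    "us-east-1": [{"TopicName": "ad-health", "Status": "Registered"}],
    "eu-west-1": [],
    # Subscription still exists but the SNS topic was deleted underneath it: alerts go nowhere.
    "ap-southeast-2": [{"TopicName": "ad-health", "Status": "Topic not found"}],
}


def regional_gaps(regions_description, log_subscriptions_by_region, event_topics_by_region):
    """{region: [missing settings]} for every Region lacking log forwarding or a registered SNS topic.

    Regions that are not yet Active are listed too, with a note, so the operator knows to
    come back once the domain controllers have finished deploying.
    """
    gaps = {}
    for region in regions_description:
        name = region["RegionName"]
        status = region.get("Status")
        if status != "Active":
            gaps[name] = [f"Region not yet Active (status {status})"]
            continue
        missing = []
        if not log_subscriptions_by_region.get(name):
            missing.append("CloudWatch Logs forwarding")
        topics = event_topics_by_region.get(name, [])
        # Only a topic in Registered state actually delivers; "Topic not found"/"Failed" do not.
        if not any(t.get("Status") == "Registered" for t in topics):
            missing.append("SNS status notifications")
        if missing:
            gaps[name] = missing
    return gaps


def live_regional_gaps(directory_id, primary_region):
    """Real AWS calls (not exercised offline). One client per Region, because the log-subscription
    and event-topic listings are assumed to return the calling Region's configuration only."""
    import boto3
    regions = boto3.client("ds", region_name=primary_region).describe_regions(
        DirectoryId=directory_id)["RegionsDescription"]
    logs, topics = {}, {}
    for region in regions:
        if region.get("Status") != "Active":
            continue  # nothing to read yet; regional_gaps() still flags the Region
        ds = boto3.client("ds", region_name=region["RegionName"])
        logs[region["RegionName"]] = ds.describe_log_subscriptions(DirectoryId=directory_id)["LogSubscriptions"]
        topics[region["RegionName"]] = ds.describe_event_topics(DirectoryId=directory_id)["EventTopics"]
    return regional_gaps(regions, logs, topics)


if __name__ == "__main__":
    for region, missing in regional_gaps(SAMPLE_REGIONS, SAMPLE_LOG_SUBSCRIPTIONS, SAMPLE_EVENT_TOPICS).items():
        print(f"{region}: {', '.join(missing)}")
```

Directory sharing is per Region in the same way; `describe_shared_directories(OwnerDirectoryId=...)` issued in each Region shows which accounts that Region's copy of the directory is shared with, and is worth adding to the same sweep when you rely on sharing.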

# Deleting a replicated Region for AWS Managed Microsoft AD
<a name="multi-region-delete-region"></a>

Use the following procedure to delete a Region for your AWS Managed Microsoft AD directory. Before you delete a Region, make sure it does not have either of the following:
+ Authorized applications attached to it.
+ Shared directories associated with it.

**To delete a replicated Region**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, choose **Directories**.

1. From the navigation bar, choose the **Regions** selector and choose the Region where your directory is stored.

1. On the **Directories** page, choose your directory ID.

1. On the **Directory details** page, under **Multi-Region replication** choose **Delete Region**.

1. In the **Delete Region** dialog box, review the information, and then enter the Region name to confirm. Then choose **Delete**.
**Note**  
You cannot make updates to the Region while it's being deleted.
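The two preconditions above (no authorized applications, no shared directories) are what make deleting a Region a destructive step worth guarding in automation. The Python script below is an added example, not AWS's code. It checks the API-visible half of the preconditions, shared directories, via `DescribeSharedDirectories` with `OwnerDirectoryId` issued in the Region being removed (assuming, from the page's statement that sharing is per Region, that the listing is Regional), refuses to target the primary Region (the `RemoveRegion` API rejects that; the primary is removed only by deleting the whole directory), and only then calls `remove_region`, which acts on the Region of the client that issues it. Authorized applications are not covered by this check and must still be verified in the console. Sample data is constructed and the function names are my own.

```python
"""Guard rails for removing a replicated Region from an AWS Managed Microsoft AD directory.

Added example, not part of the AWS documentation. remove_region_blockers() is a pure
function over ds:DescribeRegions and ds:DescribeSharedDirectories response shapes;
boto3 is used only in live_remove_region().
"""

# Constructed sample data; directory and account IDs are made up.
SAMPLE_REGIONS = [  # describe_regions()["RegionsDescription"], trimmed to the fields used here
    {"RegionName": "us-east-1", "RegionType": "Primary", "Status": "Active"},
    {"RegionName": "eu-west-1", "RegionType": "Additional", "Status": "Active"},
    {"RegionName": "ap-southeast-2", "RegionType": "Additional", "Status": "Active"},
]
# Region -> describe_shared_directories(OwnerDirectoryId=...)["SharedDirectories"] as seen from that Region.
SAMPLE_SHARES = {
    "us-east-1": [],
    "eu-west-1": [
        {"SharedAccountId": "111122223333", "SharedDirectoryId": "d-9876543210", "ShareStatus": "Shared"},
        {"SharedAccountId": "444455556666", "SharedDirectoryId": "d-5555555555", "ShareStatus": "Deleted"},
    ],
    "ap-southeast-2": [
        {"SharedAccountId": "777788889999", "SharedDirectoryId": "d-1111111111", "ShareStatus": "Deleted"},
    ],
}


def live_shares(shared_directories):
    """Shares that still bind the Region: anything not fully Deleted (Shared, PendingAcceptance, Deleting, ...)."""
    return [s for s in shared_directories if s.get("ShareStatus") != "Deleted"]


def remove_region_blockers(regions_description, target_region, shared_directories):
    """Human-readable reasons not to issue RemoveRegion for target_region; an empty list means go."""
    problems = []
    entry = next((r for r in regions_description if r["RegionName"] == target_region), None)
    if entry is None:
        problems.append(f"{target_region} is not part of this directory")
    elif entry.get("RegionType") == "Primary":
        problems.append(f"{target_region} is the primary Region; RemoveRegion cannot remove it "
                        "(delete the whole directory instead)")
    for share in live_shares(shared_directories):
        problems.append(f"still shared with account {share['SharedAccountId']} "
                        f"({share['SharedDirectoryId']}, status {share['ShareStatus']}); unshare first")
    return problems


def live_remove_region(directory_id, primary_region, target_region):
    """Real AWS calls (not exercised offline). RemoveRegion acts on the Region of the client that
    calls it, so the client is created in target_region. Authorized applications are not checked here."""
    import boto3
    regions = boto3.client("ds", region_name=primary_region).describe_regions(
        DirectoryId=directory_id)["RegionsDescription"]
    target = boto3.client("ds", region_name=target_region)
    shares = target.describe_shared_directories(OwnerDirectoryId=directory_id)["SharedDirectories"]
    problems = remove_region_blockers(regions, target_region, shares)
    if problems:
        raise SystemExit("\n".join(problems))
    target.remove_region(DirectoryId=directory_id)


if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1", "ap-southeast-2", "sa-east-1"):
        blockers = remove_region_blockers(SAMPLE_REGIONS, region, SAMPLE_SHARES.get(region, []))
        print(region, "->", blockers or "OK to remove")
```

Treating every share status except `Deleted` as blocking is deliberate: a share that is still `PendingAcceptance` or `Deleting` can still complete or be accepted against a Region you are about to tear down.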