
Understanding AWS Managed Microsoft AD Maintenance Mode
This post explains what the "Under Maintenance" status means for an AWS Managed Microsoft AD directory, and why it should not be confused with an "Impaired" status.
Nahuel Benavidez
Amazon Employee
Published Mar 13, 2025
AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (MMAD), enables your directory-aware workloads and AWS resources to use managed Active Directory (AD) in AWS. AWS Managed Microsoft AD is built on actual Microsoft AD and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use the standard AD administration tools and take advantage of the built-in AD features, such as Group Policy and single sign-on.
As part of the managed component of the service, AWS takes care of regular operating system patching and occasional software updates. While a patching operation is being performed, your directory's status switches to "Under Maintenance".
During this time your directory remains fully operational. Patches are applied to the domain controller instances, and the instances are restarted, one at a time. Although CPU utilization may increase while patches are being applied, the increase is not significant enough to compromise overall performance. Remember, only one instance is patched at a time. The service operates at reduced capacity only during the brief period in which a domain controller instance is rebooted to complete the patching operation.
It is important to understand the difference between "Under Maintenance" and "Impaired". Maintenance is a planned activity, carried out as part of the normal lifecycle of the managed service. There is no underlying infrastructure issue, and no other reason for concern, when your directory status moves to "Under Maintenance". Keep in mind that although patching activities are scheduled and controlled by AWS, the exact time at which your directory will be patched cannot be determined. For this reason, AWS does not guarantee a specific maintenance window or provide advance notification of patching activities.
User actions that modify the size or configuration of the directory also place it in the maintenance status. Such actions include scaling the number of domain controllers in or out, adding or removing a Region, and changing one or more configurable directory settings. Once any of these actions is initiated, the directory cannot begin another of them until the current one has completed.
Maintenance status should NOT be confused with an "Impaired" status. Impairment happens when one or more domain controller instances are unexpectedly affected. Impairments are automatically detected and corrected by the service backend. Unlike maintenance, during an impairment the affected directory operates at reduced capacity and some level of service disruption can be expected. Enable directory status notifications to receive email or SMS alerts when your directory status becomes "Impaired".
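The following script is an added example, not code from the original post or from AWS. It turns the maintenance-versus-impairment distinction above into a small triage: it reads directory descriptions in the shape returned by the real boto3 `describe_directories` call, raises an alert only for unplanned degradation (the `Impaired`, `Inoperable` and `Failed` values of the API's `DirectoryStage` enum), and shows how to attach an existing SNS topic with the real `register_event_topic` call, which is the API behind the console's directory status notifications. It assumes that the console's "Under Maintenance" label is not itself one of the `Stage` values, so planned patching never trips the alert; the directory IDs, stage reasons and topic name are constructed placeholders, and the live AWS calls happen only in `main()`.

```python
"""Triage AWS Managed Microsoft AD directory status and wire up impairment alerts.

Added example (not the original post's or AWS's code). The two boto3
DirectoryService operations used, describe_directories and register_event_topic,
are real, but they are only invoked in main(); the triage logic runs on a
constructed sample response so it can be exercised offline.
"""
import sys
from typing import Dict, Iterable, List

# Values of the DirectoryStage enum returned in DirectoryDescription["Stage"].
# Assumption: "Under Maintenance" is a console label for planned work and not a
# Stage value, so planned patching is never treated as an alert condition here.
DEGRADED_STAGES = {"Impaired", "Inoperable", "Failed"}
TRANSITIONAL_STAGES = {"Requested", "Creating", "Created", "Restoring",
                       "RequestedRestore", "Deleting", "Deleted"}
HEALTHY_STAGES = {"Active"}


def triage_directory(description: Dict) -> str:
    """Return "alert", "info" or "ok" for one DirectoryDescription dict.

    Only unplanned degradation raises an alert, matching the post's point that
    maintenance is routine while impairment means reduced capacity.
    """
    stage = description.get("Stage", "")
    if stage in DEGRADED_STAGES:
        return "alert"
    if stage in HEALTHY_STAGES:
        return "ok"
    # Transitional or unknown stages are worth logging but are not incidents.
    return "info"


def triage_all(descriptions: Iterable[Dict]) -> Dict[str, Dict[str, str]]:
    """Map DirectoryId -> {verdict, stage, reason} for one describe_directories page."""
    result: Dict[str, Dict[str, str]] = {}
    for d in descriptions:
        result[d["DirectoryId"]] = {
            "verdict": triage_directory(d),
            "stage": d.get("Stage", "unknown"),
            "reason": d.get("StageReason", ""),
        }
    return result


def enable_status_notifications(ds_client, directory_id: str, topic_name: str) -> None:
    """Subscribe an existing SNS topic (same Region as the directory) to status events.

    Email or SMS recipients are subscribers of the SNS topic itself; this call only
    tells the directory to publish its status changes to that topic.
    """
    ds_client.register_event_topic(DirectoryId=directory_id, TopicName=topic_name)


# Constructed sample, shaped like describe_directories()["DirectoryDescriptions"].
SAMPLE_DESCRIPTIONS: List[Dict] = [
    {"DirectoryId": "d-EXAMPLE00001", "Stage": "Active", "StageReason": ""},
    {"DirectoryId": "d-EXAMPLE00002", "Stage": "Impaired",
     "StageReason": "constructed sample: a domain controller is unreachable"},
    {"DirectoryId": "d-EXAMPLE00003", "Stage": "Restoring", "StageReason": ""},
]


def main(argv: List[str]) -> None:
    """Live run: triage every directory in the account and, if a topic name is
    given as the first argument, register it for status notifications."""
    import boto3  # imported here so the offline triage logic needs no AWS SDK
    ds = boto3.client("ds")
    live = ds.describe_directories()["DirectoryDescriptions"]
    topic_name = argv[1] if len(argv) > 1 else None  # e.g. a topic you created earlier
    for directory_id, info in triage_all(live).items():
        print(f"{directory_id}: {info['verdict']} ({info['stage']}) {info['reason']}")
        if topic_name:
            enable_status_notifications(ds, directory_id, topic_name)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to print a verdict per directory, or pass the name of an SNS topic that already exists in the same Region to register every directory for status notifications in one pass; the alert verdict is the one worth routing to an on-call channel, while the info verdict covers the planned, self-completing states the post describes.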

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.