You access your directory service from the AWS Directory Service console and the status of the directory is listed as "Impaired". This issue occurs after you join a domain controller to your existing implementation of the AWS Directory Service.

The AWS Directory Service is a managed service and provides high availability by deploying two Amazon EC2 instances to a VPC with two subnets running in different Availability Zones. The AWS Directory Service then creates the functional equivalent of Active Directory primary and backup domain controllers on the EC2 instances. Because the EC2 instances are in different Availability Zones, the AWS Directory Service continues to function normally if service disruption occurs in one of the Availability Zones.

When an additional domain controller is joined to an existing implementation of the AWS Directory Service, the status of the directory is listed as "Impaired" because the additional domain controller is not recognized by AWS as a managed service and does not provide high availability and fault tolerance inherent to AWS Directory Service.

AWS Directory Service monitors ownership of the Flexible Single Master Operations (FSMO) roles for the directory. If an FSMO role is transferred to a domain controller that AWS does not manage, AWS Directory Service monitoring ceases to function, which disables the managed service functionality of the AWS Directory Service.

Note: To receive text or email notifications whenever the status of your directory changes, follow the guidance at Get notified of directory status changes using Amazon SNS. Amazon Simple Notification Service (Amazon SNS) can notify you if your directory goes from "Active" status to "Impaired" or "Inoperable" status. You can also receive a notification when the directory returns to "Active" status.

To resolve this issue with Simple AD, you should move the FSMO roles back to the controllers for Directory Service and remove the additional domain controller.

Note: This isn't possible with AWS Directory Service for Microsoft Active Directory, because this service does not grant Enterprise Admin rights.

You can use ntdsutil.exe to view and transfer the FSMO roles back to a controller under the control of AWS. For more information, see How To Find Servers That Hold Flexible Single Master Operations Roles and Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller.
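As an added check that is not part of the AWS article, the following PowerShell reads the fSMORoleOwner attribute of each role's object over LDAP through ADSI (so it also works against Samba-based Simple AD, which lacks the web service the AD PowerShell module needs) and flags any role held outside the AWS-managed controllers. The names in $ManagedDcs are constructed placeholders; replace them with the computer names of your directory's own domain controllers.

```powershell
# Added example (not from the AWS article): list the five FSMO role holders over plain LDAP
# and flag any held by a domain controller that is not one of the AWS-managed controllers.
param(
    # Assumption: computer names of the AWS-managed DCs (placeholders, replace with your own).
    [string[]]$ManagedDcs = @('MANAGED-DC-1', 'MANAGED-DC-2')
)

# RootDSE exposes the naming contexts we need to locate each role's object.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# Each FSMO role is recorded in the fSMORoleOwner attribute of a specific object.
$roleObjects = [ordered]@{
    'PDC Emulator'          = "LDAP://$domainNc"
    'RID Master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure Master' = "LDAP://CN=Infrastructure,$domainNc"
    'Schema Master'         = "LDAP://$schemaNc"
    'Domain Naming Master'  = "LDAP://CN=Partitions,$configNc"
}

$results = foreach ($role in $roleObjects.Keys) {
    $owner = ([ADSI]$roleObjects[$role]).fSMORoleOwner.Value
    # The owner DN has the form CN=NTDS Settings,CN=<server>,CN=Servers,...; extract <server>.
    $server = if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $owner }
    [pscustomobject]@{
        Role    = $role
        Holder  = $server
        Managed = ($ManagedDcs -contains $server)
    }
}

$results | Format-Table -AutoSize

# Any role that is not on a managed controller is what keeps the directory Impaired.
$stray = $results | Where-Object { -not $_.Managed }
if ($stray) {
    Write-Warning "FSMO roles held outside the AWS-managed controllers: $($stray.Role -join ', ')"
}
```

Run it from a domain-joined machine as a user that can read the directory; roles reported as not managed are the ones to move back with ntdsutil.exe before removing the extra domain controller.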

If this doesn’t work, or if you are using AWS Directory Service for Microsoft Active Directory, you will need to restore your directory from a snapshot that was taken before you added another domain controller. If you don’t know when you added the domain controller, or you cannot restore to a time before you added the domain controller, you might need to recreate the directory.

AWS automatically creates daily snapshots of your directory, so your data loss should be at a minimum. You can also roll back to a snapshot that you have created manually. For more information, see Snapshots (Simple AD and Microsoft AD).

Note: This issue doesn’t affect AD Connector, because there are no managed FSMO roles with AD Connector. If you have an Impaired status under this directory type, open a support case.

To prevent Directory Service from reporting an Impaired status again, remove the additional domain controller from the directory. This should ensure that all FSMO roles are assigned back to the Directory Service controllers.


Published: 2016-04-22