Anel teaches you how to create a trust relationship with AWS Directory Service


I want to create a trust relationship between my on-premises domain and AWS Directory Services. How can I do this?

The advantage of having a trust relationship set up is that you can access services or resources across the trusting domain.

In order to create a trust relationship, you must have created a Directory Service-managed Active Directory, and ensure that your on-premises network can communicate with the AWS VPC that contains the Active Directory domain.

Follow these instructions to establish a trust with a domain controller that is hosted on a Windows EC2 instance.

These ports must be open; for more information, see Prepare Your On-Premises Domain.

  • TCP/UDP 53 – DNS
  • TCP/UDP 88 – Kerberos Authentication
  • TCP/UDP 389 – LDAP
  • TCP 445 – SMB

Log into your on-premises domain controller:

  1. Open DNS Manager, right-click the Conditional Forwarders folder, and then choose New Conditional Forwarder.
  2. In the DNS Domain field, enter the fully qualified domain name (FQDN) of your AWS managed domain.
  3. In the Amazon Directory Services console, choose the Directory ID, and then copy the DNS addresses.
  4. From your domain controller, in the IP Address section, paste the IP addresses for both managed AD controllers.
    Note: You can disregard the red “X” next to the IP address.
  5. Select the Store this conditional forwarder in Active Directory, and replicate it as follows check box.
  6. Choose the replication model you want for the conditional forwarder, and then choose OK.
    Note: In this example, All DNS servers in this domain is selected.
  7. Open Active Directory Domains and Trusts, right-click the domain name, and choose Properties.
  8. Choose the Trusts tab, choose New Trust, and then choose Next.
  9. Enter the name of the AWS-managed domain in the Name field, and then choose Next.
  10. Choose Forest trust and then choose Next.
    Note: External trusts are not supported by managed Active Directory.
  11. Select the direction of the trust, and then choose Next.
    Note: In this example, Two-way is selected.
  12. Choose This domain only, and then choose Next.
  13. Choose Forest-wide authentication, and then choose Next.
  14. Enter a Trust Password that is meaningful to you, and then choose Next.
  15. To complete the trust, choose Next, and then choose Next to configure the new trust.
  16. Choose No, do not confirm the outgoing trust, and then choose Next.
  17. Choose No, do not confirm the incoming trust, choose Next, and then choose Finish.
  18. In the Directory Service Console, choose the Directory ID of the directory that you want to establish the trust with.
  19. Choose the Trust relationships tab, and then choose Add trust relationship.
  20. Enter your on-premises FQDN, your trust password, Trust direction, Conditional forwarder, and then choose Add.
    Note: In the video example, the FQDN is aws.local and the Trust direction is Two-way. You can create the Conditional forwarder manually or enter the IP address of your on-premises DNS server. For additional information, see Configure DNS Conditional Forwarders On Your On-premises Domain.

The trust relationship Status is first displayed as Creating and changes to Verified when the operation is complete.
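
The following PowerShell, run on the on-premises domain controller, is an added example and not part of the original article: it scripts steps 1 through 6, checks the TCP side of the required ports, and inspects the finished trust. The domain name and DNS addresses are placeholders; replace them with the values from your directory.

```powershell
# Added example. Placeholder values (assumptions, not taken from the article):
$ManagedDomain = 'corp.example.com'        # FQDN of the AWS managed domain
$ManagedDns    = '10.0.1.10', '10.0.2.10'  # DNS addresses copied from the directory

# Steps 1-6: create the conditional forwarder, stored in Active Directory and
# replicated to all DNS servers in this domain (the model chosen in step 6).
if (-not (Get-DnsServerZone -Name $ManagedDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ManagedDomain `
        -MasterServers $ManagedDns -ReplicationScope 'Domain'
}

# Confirm that the forwarder resolves the managed domain's domain controllers.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV |
    Select-Object Name, NameTarget, Port

# Check the TCP side of the required ports. Test-NetConnection does not test
# UDP, so UDP 53/88/389 must still be confirmed in the firewall and
# security group rules.
$results = foreach ($ip in $ManagedDns) {
    foreach ($port in 53, 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Address = $ip; Port = $port; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize
if ($results.Open -contains $false) {
    Write-Warning 'At least one required TCP port is unreachable.'
}

# After step 20: inspect the trust object on the on-premises side.
# With the choices made in this walkthrough the expected values are
#   Direction               = BiDirectional  (Two-way)
#   ForestTransitive        = True           (Forest trust)
#   SelectiveAuthentication = False          (Forest-wide authentication)
Get-ADTrust -Identity $ManagedDomain |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

The DNS cmdlets require the DnsServer module and `Get-ADTrust` requires the ActiveDirectory module, both of which are present on a domain controller that also runs the DNS Server role.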


Published: 2017-09-06