By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How can I set up a trust relationship between two AWS Managed Microsoft AD domains?

3 minute read
0

I want to create a trust relationship between two AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) domains.

Resolution

Configure the Amazon Virtual Private Cloud (Amazon VPC) resources

  1. Create two Amazon VPCs with two subnets in each VPC.
    Note: Make sure that Enable DNS hostnames is set to Yes on both VPCs.
  2. Create a VPC peering connection between the two VPCs.
  3. Modify the VPC peering connection to activate Accepter DNS resolution.
  4. Update your VPC route tables to support the peering connection.

Configure the AWS Managed Microsoft AD resources

  1. Deploy an AWS Managed Microsoft AD directory in each VPC.
  2. Create an Amazon Elastic Compute Cloud (Amazon EC2) instance in each VPC to manage each corresponding AWS Managed Microsoft AD directory. Then, join each instance to its corresponding directory.
  3. Find the default security group for the AWS Managed Microsoft AD domain controllers on each directory. Then, add an Outbound rule for All traffic to 0.0.0.0/0.
  4. Install Active Directory administration tools on each management instance.

Create a DNS conditional forwarder from one AWS Managed Microsoft AD directory to the other

  1. Log in to the management instance for one AWS Managed Microsoft AD directory (Directory A).
  2. Open the DNS management console.
  3. Expand Conditional Forwarders.
  4. Open the context (right-click) menu, and then choose New Conditional Forwarder.
  5. Enter the FQDN and both IP addresses of the other AWS Managed Microsoft AD directory (Directory B).
  6. Choose the option to Store this conditional forwarder in Active Directory and replicate as follows. Then, choose All DNS servers in this forest.
  7. Choose OK.

Create the trust relationship in Directory A

  1. Open the Directory Service console.
  2. On the list of Directories, choose the ID of Directory A. This is the directory where you created a DNS conditional forwarder in the previous steps.
  3. Follow the steps to configure the two-way trust relationship in Directory A.

After you create the trust relationship, the status is Verify Failed

Create the trust relationship in Directory B

  1. Open the Directory Service console.
  2. On the list of Directories, choose the ID of Directory B. This is the directory that the DNS conditional forwarder points to.
  3. Follow the steps to configure the two-way forest trust relationship in Directory B.

After you create the trust relationship, the status is Verified.

Verify the trust relationship in Directory A

  1. Return to the trust relationship that you created for Directory A.
  2. Verify the trust.

After you verify the trust, the status of the trust relationship for Directory A changes to Verified.

Topics
Security, Identity, & Compliance
Tags
AWS Directory Service
Language
English
AWS OFFICIAL
AWS OFFICIALUpdated 10 months ago
No comments

Relevant content