How can I set up a trust relationship between two AWS Managed Microsoft AD domains?
Last updated: 2021-04-01
I want to create a trust relationship between two AWS Directory Service for Microsoft Active Directory domains. How can I do that?
Resolution
Configure the Amazon Virtual Private Cloud (Amazon VPC) resources
- Create two Amazon VPCs with two subnets in each VPC.
Note: Make sure that Enable DNS hostnames is set to Yes on both VPCs.
- Create a VPC peering connection between the two VPCs.
- Modify the VPC peering connection to enable Accepter DNS resolution.
- Update your VPC route tables to support the peering connection.
Configure the AWS Managed Microsoft AD resources
- Deploy an AWS Managed Microsoft AD directory in each VPC.
- Create an Amazon Elastic Compute Cloud (Amazon EC2) instance in each VPC to manage each corresponding AWS Managed Microsoft AD directory. Then, join each instance to its corresponding directory.
- Find the default security group for the AWS Managed Microsoft AD domain controllers on each directory. Then, add an Outbound rule for All traffic to 0.0.0.0/0.
- Install Active Directory administration tools on each management instance.
Create a DNS conditional forwarder from one AWS Managed Microsoft AD directory to the other
- Log in to the management instance for one AWS Managed Microsoft AD directory (Directory A).
- Open the DNS management console.
- Expand Conditional Forwarders.
- Open the context (right-click) menu and then select New Conditional Forwarder.
- Enter the FQDN and both IP addresses of the other AWS Managed Microsoft AD directory (Directory B).
- Choose the option to Store this conditional forwarder in Active Directory and replicate as follows. Then, select All DNS servers in this forest.
- Choose OK.
Create the trust relationship in Directory A
- Open the Directory Service console.
- On the list of Directories, choose the ID of Directory A. This is the directory where you created a DNS conditional forwarder in the previous steps.
- Follow the steps to configure the trust relationship in Directory A.
- After you create the trust relationship, the status is Verify Failed. Proceed with the steps to create the trust relationship on Directory B.
Create the trust relationship in Directory B
- Open the Directory Service console.
- On the list of Directories, choose the ID of Directory B. This is the directory that the DNS conditional forwarder points to.
- Follow the steps to configure the trust relationship in Directory B.
- After you create the trust relationship, the status is Verified.
Verify the trust relationship in Directory A
- Return to the trust relationship that you created for Directory A.
- Verify the trust.
- After you verify the trust, the status of the trust relationship for Directory A changes to Verified.
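The procedure above as one script, an added example that is not part of the AWS article: it creates the conditional forwarder in Directory A with the RSAT DnsServer module, then uses the AWS CLI for both halves of the trust and the final verification. It assumes it runs on Directory A's management instance, as a user with DNS admin rights in Directory A and with an instance profile or credentials that may call the Directory Service API; every directory ID, FQDN and IP address in it is a placeholder.

```powershell
# Added example (not from the AWS article): the forwarder and trust steps as a script.
# Run on the management instance joined to Directory A, as a user with DNS admin
# rights in Directory A and with an instance profile or credentials that may call
# the Directory Service API. Uses the RSAT DnsServer module and the AWS CLI.
# Every ID, FQDN and IP below is a placeholder, not a value from the article.
$DirAId   = 'd-XXXXXXXXXA'               # Directory A ID (placeholder)
$DirBId   = 'd-XXXXXXXXXB'               # Directory B ID (placeholder)
$DirAFqdn = 'corp-a.example.com'         # Directory A FQDN (placeholder)
$DirBFqdn = 'corp-b.example.com'         # Directory B FQDN (placeholder)
$DirADns  = @('10.0.0.10', '10.0.1.10')  # Directory A domain controller IPs (placeholders)
$DirBDns  = @('10.1.0.10', '10.1.1.10')  # Directory B domain controller IPs (placeholders)

# 1. Conditional forwarder in Directory A for Directory B, stored in AD and
#    replicated to all DNS servers in the forest (the option chosen in the console).
Add-DnsServerConditionalForwarderZone -ComputerName $DirADns[0] -Name $DirBFqdn `
    -MasterServers $DirBDns -ReplicationScope 'Forest'

# Fail early if Directory A cannot resolve Directory B: a trust cannot be
# verified when name resolution across the peering is broken.
Resolve-DnsName -Name $DirBFqdn -Server $DirADns[0] -Type A -ErrorAction Stop | Out-Null

# 2. One trust password shared by both halves of the trust. Generate it here
#    (alphanumeric to keep it safe as a command-line argument) instead of reusing
#    any account password; it is not needed after the trust is verified.
$TrustPassword = -join (((48..57) + (65..90) + (97..122)) | Get-Random -Count 24 |
    ForEach-Object { [char]$_ })

# 3. Create Directory A's half. Its state stays VerifyFailed until B has its half.
$trustA = aws ds create-trust --directory-id $DirAId --remote-domain-name $DirBFqdn `
    --trust-password $TrustPassword --trust-direction 'Two-Way' --trust-type 'Forest' `
    --query 'TrustId' --output text

# 4. Create Directory B's half. Passing Directory A's DNS IPs lets the API create
#    B's conditional forwarder for A, which the console wizard asks for here.
$trustB = aws ds create-trust --directory-id $DirBId --remote-domain-name $DirAFqdn `
    --trust-password $TrustPassword --trust-direction 'Two-Way' --trust-type 'Forest' `
    --conditional-forwarder-ip-addrs $DirADns --query 'TrustId' --output text

# 5. Re-verify Directory A's half and wait for it to report Verified.
aws ds verify-trust --trust-id $trustA | Out-Null
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $state = aws ds describe-trusts --directory-id $DirAId --trust-ids $trustA `
        --query 'Trusts[0].TrustState' --output text
} while ($state -ne 'Verified' -and (Get-Date) -lt $deadline)
if ($state -ne 'Verified') { throw "Trust $trustA is in state '$state', expected Verified" }
"Trust A: $trustA  Trust B: $trustB  State: $state"
```

If the final state is VerifyFailed, the usual causes are the security group outbound rule, the peering route tables, or a forwarder that points at the wrong IPs; recheck those before recreating the trust.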