How can I set up a trust relationship between two AWS Managed Microsoft AD domains?
Last updated: 2021-04-01
I want to create a trust relationship between two AWS Directory Service for Microsoft Active Directory domains. How can I do that?
Configure the Amazon Virtual Private Cloud (Amazon VPC) resources
- Create two Amazon VPCs with two subnets in each VPC.
Note: Make sure that Enable DNS hostnames is set to Yes on both VPCs.
- Create a VPC peering connection between the two VPCs.
- Modify the VPC peering connection to enable Accepter DNS resolution.
- Update your VPC route tables to support the peering connection.
Configure the AWS Managed Microsoft AD resources
- Deploy an AWS Managed Microsoft AD directory in each VPC.
- Create an Amazon Elastic Compute Cloud (Amazon EC2) instance in each VPC to manage each corresponding AWS Managed Microsoft AD directory. Then, join each instance to its corresponding directory.
- Find the default security group for the AWS Managed Microsoft AD domain controllers on each directory. Then, add an Outbound rule for All traffic to 0.0.0.0/0.
- Install Active Directory administration tools on each management instance.
Create a DNS conditional forwarder from one AWS Managed Microsoft AD directory to the other
- Log in to the management instance for one AWS Managed Microsoft AD directory (Directory A).
- Open the DNS management console.
- Expand Conditional Forwarders.
- Open the context (right-click) menu and then select New Conditional Forwarder.
- Enter the FQDN and both IP addresses of the other AWS Managed Microsoft AD directory (Directory B).
- Choose the option to Store this conditional forwarder in Active Directory and replicate as follows. Then, select All DNS servers in this forest.
- Choose OK.
Create the trust relationship in Directory A
- Open the Directory Service console.
- On the list of Directories, choose the ID of Directory A. This is the directory where you created a DNS conditional forwarder in the previous steps.
- Follow the steps to configure the trust relationship in Directory A.
- After you create the trust relationship, the status is Verify Failed. Proceed with the steps to create the trust relationship on Directory B.
Create the trust relationship in Directory B
Verify the trust relationship in Directory A
- Return to the trust relationship that you created for Directory A.
- Verify the trust.
- After you verify the trust, the status of the trust relationship for Directory A changes to Verified.