Thursday, 10 September 2020

Setting up trust between on premise domain and AWS Managed Active Directory

 On Premise domain prerequisites:

You must configure your on-premises firewall so that the ports below are open to the CIDRs of all subnets used by the VPC that contains your AWS Managed Microsoft AD:

  • TCP/UDP 53 - DNS

  • TCP/UDP 88 - Kerberos authentication

  • TCP/UDP 389 - LDAP

  • TCP 445 - SMB


You must also ensure that Kerberos preauthentication is enabled:

  1. On your on-premises domain controller, open Server Manager.

  2. On the Tools menu, choose Active Directory Users and Computers.

  3. Choose the Users folder and open the context (right-click) menu. Select any random user account listed in the right pane. Choose Properties.

  4. Choose the Account tab. In the Account options list, scroll down and ensure that Do not require Kerberos preauthentication is not checked.

Lastly, ensure that the Local Security Policy on each domain controller has the entries below in the security policy "Network access: Named Pipes that can be accessed anonymously":

netlogon
samr
lsarpc

This policy is in Local Security Policy > Local Policies > Security Options
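The three on-premises prerequisites above (open ports, Kerberos preauthentication required, anonymous named pipes) can be verified from a domain controller before attempting the trust. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed, that $AwsDcIps holds the IP addresses of your AWS Managed Microsoft AD domain controllers (placeholder values shown), and it only tests TCP reachability from the DC outward (UDP and the inbound direction must still be checked on the firewall itself).

```powershell
# Pre-flight check for the on-premises trust prerequisites (added example, not from the original post).
$AwsDcIps = @('10.0.1.10', '10.0.2.10')   # constructed placeholders: replace with your directory's DC IPs
$Ports    = @(53, 88, 389, 445)           # DNS, Kerberos, LDAP, SMB (TCP only; UDP 53/88/389 not tested here)

Import-Module ActiveDirectory

# 1. Outbound TCP reachability from this DC to each AWS DC on the required ports
foreach ($ip in $AwsDcIps) {
    foreach ($p in $Ports) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} {2}' -f $ip, $p, $(if ($ok) { 'OPEN' } else { 'BLOCKED' })
    }
}

# 2. Accounts with "Do not require Kerberos preauthentication" set
#    (userAccountControl bit DONT_REQ_PREAUTH = 0x400000 = 4194304, matched with the LDAP bitwise-AND rule)
$noPreauth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' -Properties userAccountControl
if ($noPreauth) {
    'Kerberos preauthentication is disabled on: ' + ($noPreauth.SamAccountName -join ', ')
} else {
    'Kerberos preauthentication is required for all user accounts'
}

# 3. Named pipes that can be accessed anonymously; this registry value backs the
#    "Network access: Named Pipes that can be accessed anonymously" policy shown in Local Security Policy
$required = 'netlogon', 'samr', 'lsarpc'
$pipes = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
$missing = $required | Where-Object { $pipes -notcontains $_ }
if ($missing) { 'NullSessionPipes is missing: ' + ($missing -join ', ') } else { 'NullSessionPipes OK' }
```

Run it on each on-premises domain controller; any BLOCKED port, listed account, or missing pipe corresponds to one of the prerequisites above that still needs attention.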

AWS Prerequisites

When you created your directory in AWS, it should have created the security group for the directory service for you. In the directory console, note the directory ID. Now go to the security groups page and search by description for AWS created security group for <yourdirectoryID> directory controllers.

This group should contain all of the rules you need, but you may want to tweak the sources of the inbound rules so that they cover only your VPC CIDR block and your on-premises CIDR block (don't leave it open to the world). You also need to add an outbound rule to your on-premises CIDR block.

You must also ensure that Kerberos preauthentication is enabled in the AWS Managed Microsoft AD, following the same steps given above for the on-premises domain.

Configure the trust

To configure the trust in your on-premises AD

  1. Open Server Manager and on the Tools menu, choose Active Directory Domains and Trusts.

  2. Open the context (right-click) menu of your domain and choose Properties.

  3. Choose the Trusts tab and choose New trust. Type the name of your AWS Managed Microsoft AD and choose Next.

  4. Choose Forest trust. Choose Next.

  5. Choose Two-way. Choose Next.

  6. Choose This domain only. Choose Next.

  7. Choose Forest-wide authentication. Choose Next.

  8. Type a Trust password. Make sure to remember this password as you will need it when setting up the trust for your AWS Managed Microsoft AD.

  9. In the next dialog box, confirm your settings and choose Next. Confirm that the trust was created successfully and again choose Next.

  10. Choose No, do not confirm the outgoing trust. Choose Next.

  11. Choose No, do not confirm the incoming trust. Choose Next.


To configure the trust in your AWS Managed Microsoft AD directory

  1. In the Directory Service console on the Directories page, choose your AWS Managed Microsoft AD.

  2. On the Directory details page, select the Networking & security tab.

  3. In the Trust relationships section, choose Actions, and then select Add trust relationship.

  4. On the Add a trust relationship page, type the FQDN of your on-premises domain (domainname.local or whatever your domain is called). Type the same trust password that you used when creating the trust on your on-premises domain. Specify the direction; in this case we choose Two-way.

  5. In the Conditional forwarder field, enter the IP address of your on-premises DNS server. You can choose Add another IP address and enter a second on-premises DNS server. You can specify up to a total of four DNS servers.

  6. Choose Add.

