Prerequisites - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


This tutorial assumes you already have the following:


Amazon Managed Microsoft AD does not support trusts with single-label domains.

  • An Amazon Managed Microsoft AD directory created on Amazon. If you need help doing this, see Getting started with Amazon Managed Microsoft AD.

  • An EC2 instance running Windows added to that Amazon Managed Microsoft AD. If you need help doing this, see Manually join an Amazon EC2 Windows instance to your Amazon Managed Microsoft AD Active Directory.


    The admin account for your Amazon Managed Microsoft AD must have administrative access to this instance.

  • The following Windows Server tools installed on that instance:

    • AD DS and AD LDS Tools

    • DNS

    If you need help doing this, see Install the Active Directory Administration Tools for Amazon Managed Microsoft AD.

  • A self-managed (on-premises) Microsoft Active Directory

    You must have administrative access to this directory. The same Windows Server tools as listed above must also be available for this directory.

  • An active connection between your self-managed network and the VPC containing your Amazon Managed Microsoft AD. If you need help doing this, see Amazon Virtual Private Cloud Connectivity Options.

  • A correctly set local security policy. Check Local Security Policy > Local Policies > Security Options > Network access: Named Pipes that can be accessed anonymously and ensure that it contains at least the following three named pipes:

    • netlogon

    • samr

    • lsarpc

  • The NetBIOS names and the domain names of the two directories must be unique; a trust relationship cannot be established between directories that share a NetBIOS name or a domain name.
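The following PowerShell script is an added example, not part of the Amazon documentation, that checks the prerequisites above from the domain-joined Windows instance: the single-label-domain restriction, name uniqueness, the installed administration tools, and the anonymous named pipes. The named-pipe policy "Network access: Named Pipes that can be accessed anonymously" is backed by the `NullSessionPipes` multi-string value under the LanmanServer parameters key, which is what the script reads. The domain FQDNs in the parameters are placeholders; the NetBIOS names are the ones from the tutorial configuration.

```powershell
# Added example (not from the Amazon documentation): pre-flight checks for the
# trust prerequisites on the domain-joined Windows Server instance.
# The *.example.com FQDNs are placeholders; substitute your own directory names.
param(
    [string]$ManagedDomain     = 'managed.example.com',  # placeholder FQDN
    [string]$ManagedNetBios    = 'MyManagedAD',          # from the tutorial configuration
    [string]$SelfManagedDomain = 'corp.example.com',     # placeholder FQDN
    [string]$SelfManagedNetBios = 'CORP'                 # from the tutorial configuration
)

$failures = @()

# 1. Single-label domains are not supported for trusts: each FQDN needs a dot.
foreach ($d in @($ManagedDomain, $SelfManagedDomain)) {
    if ($d -notmatch '\.') { $failures += "Single-label domain name: $d" }
}

# 2. NetBIOS names and domain names must differ between the two directories.
if ($ManagedNetBios -ieq $SelfManagedNetBios) {
    $failures += "NetBIOS names are identical: $ManagedNetBios"
}
if ($ManagedDomain -ieq $SelfManagedDomain) {
    $failures += "Domain names are identical: $ManagedDomain"
}

# 3. "AD DS and AD LDS Tools" (RSAT-AD-Tools) and "DNS Server Tools"
#    (RSAT-DNS-Server) must be installed on this instance.
foreach ($feature in @('RSAT-AD-Tools', 'RSAT-DNS-Server')) {
    $f = Get-WindowsFeature -Name $feature
    if (-not $f -or -not $f.Installed) { $failures += "Windows feature not installed: $feature" }
}

# 4. Anonymous named pipes: the local security policy setting is stored in the
#    NullSessionPipes value; it must contain netlogon, samr and lsarpc.
#    Keep this list as short as possible, since every entry widens what an
#    unauthenticated client can reach over SMB.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$pipes = (Get-ItemProperty -Path $regPath -Name NullSessionPipes -ErrorAction SilentlyContinue).NullSessionPipes
foreach ($required in @('netlogon', 'samr', 'lsarpc')) {
    if (-not ($pipes -icontains $required)) {
        $failures += "Anonymous named pipe not allowed: $required"
    }
}

# Report: non-zero exit code when any prerequisite is missing.
if ($failures.Count -eq 0) {
    Write-Output 'All trust prerequisites checked here are satisfied.'
    exit 0
}
$failures | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it in an elevated PowerShell session on the EC2 instance that is joined to the Amazon Managed Microsoft AD, and again on a domain controller or management host in the self-managed directory, since the tools and named-pipe requirements apply to both sides. If the named-pipe list is managed by a domain Group Policy, fix the policy rather than the local setting, otherwise the next policy refresh will undo the change. Network connectivity between the self-managed network and the VPC is not tested here; that is covered by the connectivity options page linked above.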

For more information about the prerequisites for creating a trust relationship, see Creating a trust relationship.

Tutorial configuration

For this tutorial, we've already created an Amazon Managed Microsoft AD and a self-managed domain. The self-managed network is connected to the Amazon Managed Microsoft AD's VPC. Following are the properties of the two directories:

Amazon Managed Microsoft AD running on Amazon

  • Domain name (FQDN):

  • NetBIOS name: MyManagedAD

  • DNS Addresses:,


The Amazon Managed Microsoft AD resides in VPC ID: vpc-12345678.

Self-managed or Amazon Managed Microsoft AD domain

  • Domain name (FQDN):

  • NetBIOS name: CORP

  • DNS Addresses:

  • Self-managed CIDR:

Next Step

Step 1: Prepare your self-managed AD Domain