Creating a trust relationship between your Amazon Managed Microsoft AD and self-managed AD - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a trust relationship between your Amazon Managed Microsoft AD and self-managed AD

You can configure one and two-way external and forest trust relationships between your Amazon Directory Service for Microsoft Active Directory and self-managed (on-premises) directories, as well as between multiple Amazon Managed Microsoft AD directories in the Amazon cloud. Amazon Managed Microsoft AD supports all three trust relationship directions: Incoming, Outgoing and Two-way (Bi-directional).

For more information about trust relationship, see Everything you wanted to know about trusts with Amazon Managed Microsoft AD.

Note

When setting up trust relationships, you must ensure that your self-managed directory is and remains compatible with Amazon Directory Services. For more information on your responsibilities, please see our shared responsibility model.

Amazon Managed Microsoft AD supports both external and forest trusts. To walk through an example scenario showing how to create a forest trust, see Tutorial: Create a trust relationship between your Amazon Managed Microsoft AD and your self-managed Active Directory domain.

A two-way trust is required for Amazon Enterprise Apps such as Amazon Chime, Amazon Connect, Amazon QuickSight, Amazon IAM Identity Center, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, and the Amazon Web Services Management Console. Amazon Managed Microsoft AD must be able to query the users and groups in your self-managed Active Directory.

You can enable selective authentication so only the Amazon application specific service account can query your self-managed Active Directory. For more information, see Enhance security of your Amazon app integration with Amazon Managed Microsoft AD.

Amazon EC2, Amazon RDS, and Amazon FSx will work with either a one-way or two-way trust.

Prerequisites

Creating the trust requires only a few steps, but you must first complete several prerequisite steps prior to setting up the trust.

Note

Amazon Managed Microsoft AD does not support trust with Single Label Domains.

Connect to VPC

If you are creating a trust relationship with your self-managed directory, you must first connect your self-managed network to the Amazon VPC containing your Amazon Managed Microsoft AD. The firewall for your self-managed and Amazon Managed Microsoft AD networks must have the network ports open that are listed in Windows Server 2008 and later versions in Microsoft documentation.

To use your NetBIOS name instead of your full domain name for authentication with your Amazon applictions like Amazon WorkDocs or Amazon QuickSight, you must allow port 9389. For more information about Active Directory ports and protocols, see Service overview and network port requirements for Windows in Microsoft documentation.

These are the minimum ports that are needed to be able to connect to your directory. Your specific configuration may require additional ports be open.

Configure your VPC

The VPC that contains your Amazon Managed Microsoft AD must have the appropriate outbound and inbound rules.

To configure your VPC outbound rules
  1. In the Amazon Directory Service console, on the Directory Details page, note your Amazon Managed Microsoft AD directory ID.

  2. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  3. Choose Security Groups.

  4. Search for your Amazon Managed Microsoft AD directory ID. In the search results, select the item with the description "Amazon created security group for directory ID directory controllers".

    Note

    The selected security group is a security group that is automatically created when you initially create your directory.

  5. Go to the Outbound Rules tab of that security group. Select Edit, then Add another rule. For the new rule, enter the following values:

    • Type: All Traffic

    • Protocol: All

    • Destination determines the traffic that can leave your domain controllers and where it can go in your self-managed network. Specify a single IP address or an IP address range in CIDR notation (for example, 203.0.113.5/32). You can also specify the name or ID of another security group in the same Region. For more information, see Understand your directory’s Amazon security group configuration and use.

  6. Select Save.

Enable Kerberos pre-authentication

Your user accounts must have Kerberos pre-authentication enabled. For more information about this setting, review Preauthentication on Microsoft TechNet.

Configure DNS conditional forwarders on your self-managed domain

You must set up DNS conditional forwarders on your self-managed domain. Refer to Assign a Conditional Forwarder for a Domain Name on Microsoft TechNet for details on conditional forwarders.

To perform the following steps, you must have access to following Windows Server tools for your self-managed domain:

  • AD DS and AD LDS Tools

  • DNS

To configure conditional forwarders on your self-managed domain
  1. First you must get some information about your Amazon Managed Microsoft AD. Sign into the Amazon Web Services Management Console and open the Amazon Directory Service console.

  2. In the navigation pane, select Directories.

  3. Choose the directory ID of your Amazon Managed Microsoft AD.

  4. Take note of the fully qualified domain name (FQDN) and the DNS addresses of your directory.

  5. Now, return to your self-managed domain controller. Open Server Manager.

  6. On the Tools menu, choose DNS.

  7. In the console tree, expand the DNS server of the domain for which you are setting up the trust.

  8. In the console tree, choose Conditional Forwarders.

  9. On the Action menu, choose New conditional forwarder.

  10. In DNS domain, type the fully qualified domain name (FQDN) of your Amazon Managed Microsoft AD, which you noted earlier.

  11. Choose IP addresses of the primary servers and type the DNS addresses of your Amazon Managed Microsoft AD directory, which you noted earlier.

    After entering the DNS addresses, you might get a "timeout" or "unable to resolve" error. You can generally ignore these errors.

  12. Select Store this conditional forwarder in Active Directory and replicate as follows: All DNS servers in this domain. Choose OK.

Trust relationship password

If you are creating a trust relationship with an existing domain, set up the trust relationship on that domain using Windows Server Administration tools. As you do so, note the trust password that you use. You will need to use this same password when setting up the trust relationship on the Amazon Managed Microsoft AD. For more information, see Managing Trusts on Microsoft TechNet.

You are now ready to create the trust relationship on your Amazon Managed Microsoft AD.

NetBIOS and Domain Names

The NetBIOS and domain names must be unique and cannot be the same to establish a trust relationship.

Create, verify, or delete a trust relationship

Note

Trust relationships is a global feature of Amazon Managed Microsoft AD. If you are using Configure Multi-Region replication for Amazon Managed Microsoft AD, the following procedures must be performed in the Primary Region. The changes will be applied across all replicated Regions automatically. For more information, see Global vs Regional features.

To create a trust relationship with your Amazon Managed Microsoft AD
  1. Open the Amazon Directory Service console.

  2. On the Directories page, choose your Amazon Managed Microsoft AD ID.

  3. On the Directory details page, do one of the following:

    • If you have multiple Regions showing under Multi-Region replication, select the primary Region, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.

    • If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.

  4. In the Trust relationships section, choose Actions, and then select Add trust relationship.

  5. On the Add a trust relationship page, provide the required information, including the trust type, fully qualified domain name (FQDN) of your trusted domain, the trust password and the trust direction.

  6. (Optional) If you want to allow only authorized users to access resources in your Amazon Managed Microsoft AD directory, you can optionally choose the Selective authentication check box. For general information about selective authentication, see Security Considerations for Trusts on Microsoft TechNet.

  7. For Conditional forwarder, type the IP address of your self-managed DNS server. If you have previously created conditional forwarders, you can type the FQDN of your self-managed domain instead of a DNS IP address.

  8. (Optional) Choose Add another IP address and type the IP address of an additional self-managed DNS server. You can repeat this step for each applicable DNS server address for a total of four addresses.

  9. Choose Add.

  10. If the DNS server or the network for your self-managed domain uses a public (non-RFC 1918) IP address space, go to the IP routing section, choose Actions, and then choose Add route. Type the IP address block of your DNS server or self-managed network using CIDR format, for example 203.0.113.0/24. This step is not necessary if both your DNS server and your self-managed network are using RFC 1918 IP address spaces.

    Note

    When using a public IP address space, make sure that you do not use any of the Amazon IP address ranges as these cannot be used.

  11. (Optional) We recommend that while you are on the Add routes page that you also select Add routes to the security group for this directory's VPC. This will configure the security groups as detailed above in the "Configure your VPC." These security rules impact an internal network interface that is not exposed publicly. If this option is not available, you will instead see a message indicating that you have already customized your security groups.

You must set up the trust relationship on both domains. The relationships must be complementary. For example, if you create an outgoing trust on one domain, you must create an incoming trust on the other.

If you are creating a trust relationship with an existing domain, set up the trust relationship on that domain using Windows Server Administration tools.

You can create multiple trusts between your Amazon Managed Microsoft AD and various Active Directory domains. However, only one trust relationship per pair can exist at a time. For example, if you have an existing, one-way trust in the “Incoming direction” and you then want to set up another trust relationship in the “Outgoing direction,” you will need to delete the existing trust relationship, and create a new “Two-way” trust.

To verify an outgoing trust relationship
  1. Open the Amazon Directory Service console.

  2. On the Directories page, choose your Amazon Managed Microsoft AD ID.

  3. On the Directory details page, do one of the following:

    • If you have multiple Regions showing under Multi-Region replication, select the primary Region, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.

    • If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.

  4. In the Trust relationships section, select the trust you want to verify, choose Actions, and then select Verify trust relationship.

This process verifies only the outgoing direction of a two-way trust. Amazon does not support verification of an incoming trusts. For more information on how to verify a trust to or from your self-managed Active Directory, refer to Verify a Trust on Microsoft TechNet.

To delete an existing trust relationship
  1. Open the Amazon Directory Service console.

  2. On the Directories page, choose your Amazon Managed Microsoft AD ID.

  3. On the Directory details page, do one of the following:

    • If you have multiple Regions showing under Multi-Region replication, select the primary Region, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.

    • If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.

  4. In the Trust relationships section, select the trust you want to delete, choose Actions, and then select Delete trust relationship.

  5. Choose Delete.