Step 2: Create the trust relationship with another Amazon Managed Microsoft AD domain - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 2: Create the trust relationship with another Amazon Managed Microsoft AD domain

Now that the preparation work is complete, the final steps are to create the trusts between your two Amazon Managed Microsoft AD domains. If you have any issues during the trust creation process, see Trust creation status reasons for assistance.

Configure the trust in your first Amazon Managed Microsoft AD domain

In this tutorial, you configure a two-way forest trust. However, if you create a one-way forest trust, be aware that the trust directions on each of your domains must be complementary. For example, if you create a one-way, outgoing trust on this first domain, you need to create a one-way, incoming trust on your second Amazon Managed Microsoft AD domain.

Note

Amazon Managed Microsoft AD also supports external trusts. However, for the purposes of this tutorial, you will create a two-way forest trust.

To configure the trust in your first Amazon Managed Microsoft AD domain
  1. Open the Amazon Directory Service console.

  2. On the Directories page, choose your first Amazon Managed Microsoft AD ID.

  3. On the Directory details page, do one of the following:

    • If you have multiple Regions showing under Multi-Region replication, select the primary Region, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.

    • If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.

  4. In the Trust relationships section, choose Actions, and then select Add trust relationship.

  5. On the Add a trust relationship page, type the FQDN of your second Amazon Managed Microsoft AD domain and enter a trust password. Make sure to remember this password, because you will need it when setting up the trust for your second Amazon Managed Microsoft AD domain. Specify the direction. In this case, choose Two-way.

  6. In the Conditional forwarder field, enter the IP address of your second Amazon Managed Microsoft AD DNS server.

  7. (Optional) Choose Add another IP address and enter a second IP address for your second Amazon Managed Microsoft AD DNS server. You can specify up to a total of four DNS servers.

  8. Choose Add. The trust will fail at this point, which is expected until the other side of the trust is created.

Configure the trust in your second Amazon Managed Microsoft AD domain

Now, you configure the forest trust relationship with your second Amazon Managed Microsoft AD directory. Because you created a two-way forest trust on the first Amazon Managed Microsoft AD domain, you also create a two-way trust using this Amazon Managed Microsoft AD domain.

To configure the trust in your second Amazon Managed Microsoft AD domain
  1. Return to the Amazon Directory Service console.

  2. On the Directories page, choose your second Amazon Managed Microsoft AD ID.

  3. On the Directory details page, do one of the following:

    • If you have multiple Regions showing under Multi-Region replication, select the primary Region, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.

    • If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.

  4. In the Trust relationships section, choose Actions, and then select Add trust relationship.

  5. On the Add a trust relationship page, type the FQDN of your first Amazon Managed Microsoft AD domain. Type the same trust password that you used when creating the trust on your first Amazon Managed Microsoft AD domain. Specify the direction. In this case, choose Two-way.

  6. In the Conditional forwarder field, enter the IP address of your first Amazon Managed Microsoft AD DNS server.

  7. (Optional) Choose Add another IP address and enter a second IP address for your first Amazon Managed Microsoft AD DNS server. You can specify up to a total of four DNS servers.

  8. Choose Add. The trust should be verified shortly afterwards.

  9. Now, go back to the trust you created in the first domain and verify the trust relationship again.

Congratulations. You now have a trust relationship between your two Amazon Managed Microsoft AD domains. Only one relationship can be set up between these two domains. If, for example, you want to change the trust direction to one-way, you would first need to delete this existing trust relationship and create a new one.
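The same two-sided procedure driven through the Directory Service API (CreateTrust and VerifyTrust) instead of the console, as an added example that is not part of the AWS documentation: it takes the direction chosen for the first domain, derives the complementary direction for the second, enforces the four-address limit on conditional forwarders, and reuses one trust password on both sides. The directory IDs, FQDNs, DNS addresses, password and the DryRunClient stand-in are placeholders; with real credentials you would pass boto3.client("ds") in place of the stand-in.

```python
# Added example, not AWS code. Names, IDs and addresses are placeholders;
# the DryRunClient stands in for boto3.client("ds") so the flow runs offline.
COMPLEMENT = {  # TrustDirection values accepted by CreateTrust
    "Two-Way": "Two-Way",
    "One-Way: Outgoing": "One-Way: Incoming",
    "One-Way: Incoming": "One-Way: Outgoing",
}

def complementary_direction(direction):
    """Direction the second domain must use so the two sides of the trust match."""
    if direction not in COMPLEMENT:
        raise ValueError(f"unknown trust direction: {direction!r}")
    return COMPLEMENT[direction]

def trust_request(directory_id, remote_fqdn, password, direction, dns_ips):
    """Parameters for CreateTrust; enforces the console's limit of four DNS servers."""
    if not 1 <= len(dns_ips) <= 4:
        raise ValueError("conditional forwarder needs 1 to 4 DNS server addresses")
    return {"DirectoryId": directory_id, "RemoteDomainName": remote_fqdn,
            "TrustPassword": password, "TrustDirection": direction,
            "TrustType": "Forest", "ConditionalForwarderIpAddrs": list(dns_ips)}

def create_trust_pair(ds, first, second, password, direction="Two-Way"):
    """first/second: {'id', 'fqdn', 'dns'} for each directory. `ds` is a boto3
    DS client or a stand-in with create_trust/verify_trust. Returns both trust IDs."""
    # Side 1 names domain 2 and its DNS servers; it cannot verify until side 2 exists.
    t1 = ds.create_trust(**trust_request(first["id"], second["fqdn"], password,
                                         direction, second["dns"]))["TrustId"]
    # Side 2 reuses the same password with the complementary direction.
    t2 = ds.create_trust(**trust_request(second["id"], first["fqdn"], password,
                                         complementary_direction(direction),
                                         first["dns"]))["TrustId"]
    ds.verify_trust(TrustId=t2)
    ds.verify_trust(TrustId=t1)  # re-verify the first side now that both exist
    return t1, t2

class DryRunClient:
    """Records calls instead of contacting AWS; swap for boto3.client("ds") for real."""
    def __init__(self):
        self.calls = []
    def create_trust(self, **params):
        self.calls.append(("create_trust", params))
        return {"TrustId": f"t-{len(self.calls)}"}
    def verify_trust(self, TrustId):
        self.calls.append(("verify_trust", TrustId))
        return {"TrustId": TrustId}
```

Calling create_trust_pair with a One-Way: Outgoing direction on the first domain produces the One-Way: Incoming request for the second, matching the complementary-direction rule stated above.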