

# `AWSSupport-TroubleshootDirectoryTrust`


**Description**

 The `AWSSupport-TroubleshootDirectoryTrust` runbook diagnoses trust creation issues between an Amazon Managed Microsoft AD and a Microsoft Active Directory. The automation ensures the directory type supports trusts, and then checks the associated security group rules, network access control lists (network ACLs), and route tables for potential connectivity issues. 

 [Run this Automation (console)](https://console.amazonaws.cn/systems-manager/automation/execute/AWSSupport-TroubleshootDirectoryTrust) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
+ DirectoryId

  Type: String

  Allowed pattern: `^d-[a-z0-9]{10}$`

  Description: (Required) The ID of the Amazon Managed Microsoft AD to troubleshoot.
+ RemoteDomainCidrs

  Type: StringList

  Allowed pattern: `^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$`

  Description: (Required) The CIDR(s) of the remote domain you are attempting to establish a trust relationship with. You can add multiple CIDRs using comma-separated values. For example, 172.31.48.0/20, 192.168.1.10/32.
+ RemoteDomainName

  Type: String

  Description: (Required) The fully qualified domain name of the remote domain you are establishing a trust relationship with.
+ RequiredTrafficACL

  Type: String

  Description: (Required) The default port requirements for Amazon Managed Microsoft AD. In most cases, you should not modify the default value.

  Default: `{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}`
+ RequiredTrafficSG

  Type: String

  Description: (Required) The default port requirements for Amazon Managed Microsoft AD. In most cases, you should not modify the default value.

  Default: `{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}`
+ TrustId

  Type: String

  Description: (Optional) The ID of the trust relationship to troubleshoot.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ds:DescribeConditionalForwarders` 
+  `ds:DescribeDirectories` 
+  `ds:DescribeTrusts` 
+  `ds:ListIpRoutes` 
+  `ec2:DescribeNetworkAcls` 
+  `ec2:DescribeSecurityGroups` 
+  `ec2:DescribeSubnets` 

**Document Steps**
+  `aws:assertAwsResourceProperty` - Confirms the directory type is Amazon Managed Microsoft AD. 
+  `aws:executeAwsApi` - Gets information about the Amazon Managed Microsoft AD. 
+  `aws:branch` - Branches automation if a value is provided for the `TrustId` input parameter. 
+  `aws:executeAwsApi` - Gets information about the trust relationship. 
+  `aws:executeAwsApi` - Gets the conditional forwarder DNS IP addresses for the `RemoteDomainName`.
+  `aws:executeAwsApi` - Gets information about IP routes that have been added to the Amazon Managed Microsoft AD. 
+  `aws:executeAwsApi` - Gets the CIDRs of the Amazon Managed Microsoft AD subnets. 
+  `aws:executeAwsApi` - Gets information about the security groups associated with the Amazon Managed Microsoft AD. 
+  `aws:executeAwsApi` - Gets information about the network ACLs associated with the Amazon Managed Microsoft AD. 
+  `aws:executeScript` - Confirms the `RemoteDomainCidrs` are valid values. Confirms that the Amazon Managed Microsoft AD has conditional forwarders for the `RemoteDomainCidrs`, and that the requisite IP routes have been added to the Amazon Managed Microsoft AD if the `RemoteDomainCidrs` are non-RFC 1918 IP addresses.
+  `aws:executeScript` - Evaluates security group rules. 
+  `aws:executeScript` - Evaluates network ACLs. 
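The following is an added illustration of the checks the last three steps perform, not the runbook's own script: it validates `RemoteDomainCidrs` against the allowed pattern, flags the non-RFC 1918 ones that need IP routes, and compares a security group's inbound rules with the `RequiredTrafficSG` default. It assumes rules in the `IpPermissions` shape returned by `ec2:DescribeSecurityGroups`, treats a `-1` ICMP rule as covering all types, and uses a constructed sample group; the runbook's actual evaluation logic may differ.

```python
import ipaddress
import json
import re
# Allowed pattern for RemoteDomainCidrs, as stated in the runbook's parameter list.
CIDR_RE = re.compile(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
                     r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default value of RequiredTrafficSG from the page: {direction: {protocol: [[from, to], ...]}}.
REQUIRED_TRAFFIC_SG = json.loads(
    '{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],'
    '[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],'
    '"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}')

def classify_remote_cidrs(cidrs):
    """Reject entries failing the allowed pattern; return the non-RFC 1918 ones (need IP routes)."""
    needs_ip_route = []
    for cidr in cidrs:
        if not CIDR_RE.match(cidr):
            raise ValueError(f"RemoteDomainCidrs entry is not a valid CIDR: {cidr}")
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(block) for block in RFC1918):
            needs_ip_route.append(cidr)
    return needs_ip_route

def _rule_covers(perm, proto, lo, hi, net):
    # True if one IpPermission (ec2:DescribeSecurityGroups shape) allows proto lo..hi from net.
    if perm["IpProtocol"] not in (proto, "-1"):
        return False
    if perm["IpProtocol"] != "-1":  # "-1" (all traffic) carries no port fields
        from_p, to_p = perm["FromPort"], perm["ToPort"]
        if from_p != -1 and not (from_p <= lo and to_p >= hi):  # -1 on ICMP = all types
            return False
    return any(net.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", []))

def missing_inbound_rules(sg, remote_cidrs, required=REQUIRED_TRAFFIC_SG):
    """Return (protocol, from, to, cidr) tuples that no inbound rule of the group allows."""
    missing = []
    for cidr in remote_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        for proto, ranges in required["inbound"].items():
            for lo, hi in ranges:
                if not any(_rule_covers(p, proto, lo, hi, net) for p in sg["IpPermissions"]):
                    missing.append((proto, lo, hi, cidr))
    return missing

# Constructed sample: all TCP from the remote CIDR, only part of the UDP set, and no ICMP.
REMOTE_CIDRS = ["172.31.48.0/20"]
SAMPLE_SG = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "172.31.48.0/20"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "172.31.48.0/20"}]},
    {"IpProtocol": "udp", "FromPort": 138, "ToPort": 464, "IpRanges": [{"CidrIp": "172.31.0.0/16"}]}]}
```

`missing_inbound_rules(SAMPLE_SG, REMOTE_CIDRS)` reports the UDP 88 and 123 ports and the ICMP requirement as not allowed from the remote CIDR; an all-traffic (`-1`) rule from a covering CIDR yields an empty list.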

**Outputs**

`evalDirectorySecurityGroup.output` - Results from evaluating whether the security group rules associated with the Amazon Managed Microsoft AD allow the requisite traffic for trust creation.

`evalAclEntries.output` - Results from evaluating whether the network ACLs associated with the Amazon Managed Microsoft AD allow the requisite traffic for trust creation.

`evaluateRemoteDomainCidr.output` - Results from evaluating whether the `RemoteDomainCidrs` are valid values. Confirms that the Amazon Managed Microsoft AD has conditional forwarders for the `RemoteDomainCidrs`, and that the requisite IP routes have been added to the Amazon Managed Microsoft AD if the `RemoteDomainCidrs` are non-RFC 1918 IP addresses.