AWSSupport-TroubleshootDirectoryTrust - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWSSupport-TroubleshootDirectoryTrust

Description

The AWSSupport-TroubleshootDirectoryTrust runbook diagnoses trust creation issues between an Amazon Managed Microsoft AD and a Microsoft Active Directory. The automation ensures the directory type supports trusts, and then checks the associated security group rules, network access control lists (network ACLs), and route tables for potential connectivity issues.

Run this Automation (console)

Document type

Automation

Owner

Amazon

Platforms

Linux, macOS, Windows

Parameters

  • AutomationAssumeRole

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

  • DirectoryId

    Type: String

    Allowed pattern: ^d-[a-z0-9]{10}$

    Description: (Required) The ID of the Amazon Managed Microsoft AD to troubleshoot.

  • RemoteDomainCidrs

    Type: StringList

    Allowed pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$

    Description: (Required) The CIDR(s) of the remote domain you are attempting to establish a trust relationship with. You can add multiple CIDRs using comma-separated values. For example, 172.31.48.0/20, 192.168.1.10/32.

  • RemoteDomainName

    Type: String

    Description: (Required) The fully qualified domain name of the remote domain you are establishing a trust relationship with.

  • RequiredTrafficACL

    Type: String

    Description: (Required) The default port requirements for Amazon Managed Microsoft AD. In most cases, you should not modify the default value.

    Default: {"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123.123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}

  • RequiredTrafficSG

    Type: String

    Description: (Required) The default port requirements for Amazon Managed Microsoft AD. In most cases, you should not modify the default value.

    Default: {"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123.123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}

  • TrustId

    Type: String

    Description: (Optional) The ID of the trust relationship to troubleshoot.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ds:DescribeConditionalForwarders

  • ds:DescribeDirectories

  • ds:DescribeTrusts

  • ds:ListIpRoutes

  • ec2:DescribeNetworkAcls

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

Document Steps

  • aws:assertAwsResourceProperty - Confirms the directory type is Amazon Managed Microsoft AD.

  • aws:executeAwsApi - Gets information about the Amazon Managed Microsoft AD.

  • aws:branch - Branches automation if a value is provided for the TrustId input parameter.

  • aws:executeAwsApi - Gets information about the trust relationship.

  • aws:executeAwsApi - Gets the conditional forwarder DNS IP addresses for the RemoteDomainName .

  • aws:executeAwsApi - Gets information about IP routes that have been added to the Amazon Managed Microsoft AD.

  • aws:executeAwsApi - Gets the CIDRs of the Amazon Managed Microsoft AD subnets.

  • aws:executeAwsApi - Gets information about the security groups associated with the Amazon Managed Microsoft AD.

  • aws:executeAwsApi - Gets information about the network ACLs associated with the Amazon Managed Microsoft AD.

  • aws:executeScript - Confirms the RemoteDomainCidrs are valid values. Confirms that the Amazon Managed Microsoft AD has conditional forwarders for the RemoteDomainCidrs , and that the requisite IP routes have been added to the Amazon Managed Microsoft AD if the RemoteDomainCidrs are non-RFC 1918 IP addresses.

  • aws:executeScript - Evaluates security group rules.

  • aws:executeScript - Evaluates network ACLs.

Outputs

evalDirectorySecurityGroup.output - Results from evaluating whether the security group rules associated with the Amazon Managed Microsoft AD allow the requisite traffic for trust creation.

evalAclEntries.output - Results from evaluating whether the network ACLs associated with the Amazon Managed Microsoft AD allow the requisite traffic for trust creation.

evaluateRemoteDomainCidr.output - Results from evaluating whether the RemoteDomainCidrs are valid values. Confirms that the Amazon Managed Microsoft AD has conditional forwarders for the RemoteDomainCidrs , and that the requisite IP routes have been added to the Amazon Managed Microsoft AD if the RemoteDomainCidrs are non-RFC 1918 IP addresses.