This step-by-step guide explains how to integrate AWS Managed AD with On-Prem AD via a trust relationship. A hybrid Active Directory helps administrators to maintain a relationship between the two domains to ensure domain resources can be accessed by the users in the different domains.

Creating a trust relationship between AWS Managed AD and on-prem AD is almost the same as creating a trust between two forests on-prem. You can configure one-way or two-way external or forest trusts in all three directions: two-way, incoming, and outgoing. The only difference is that AWS Managed AD doesn't support trusts with single-label domains.

Before we get started, make sure you have the following prerequisites in place:

  • Ensure that your on-prem network can connect to the VPC subnets in which the AWS Managed AD is hosted.
  • The on-prem network firewall must allow traffic for the AWS Managed AD subnets via the following ports:
    • TCP/UDP 53 – DNS
    • TCP/UDP 88 – Kerberos authentication
    • TCP/UDP 389 – LDAP
    • TCP 445 – SMB
    • These are the minimum ports; a specific configuration may require additional ports to be opened.
  • Update the AWS Managed AD security group outbound rules to allow all the traffic to the IP address or CIDR block of the on-prem domain controllers.
  • Update the AWS Managed AD security group inbound rules to allow incoming traffic from the IP address or CIDR block of on-prem domain controllers via the following ports:
    • TCP/UDP 445
    • TCP/UDP 53
    • TCP/UDP 88
    • UDP 123
    • UDP 138
    • TCP/UDP 389
    • TCP/UDP 464
    • TCP 135
    • TCP 636
    • TCP 1024–65535
    • TCP 3268–3269
    • All ICMP

Note: You can find the AWS Managed AD security group by searching in the security group console with the Managed AD ID.
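The following PowerShell script is an added example, not part of the original article. It applies the inbound rules listed above to the AWS Managed AD security group with the AWS Tools for PowerShell (AWS.Tools.EC2 module, Grant-EC2SecurityGroupIngress), restricted to the on-prem domain controller CIDR rather than opened to the whole network, and then checks from an on-prem domain controller that the Managed AD DNS addresses answer on the TCP ports the on-prem firewall must permit. The security group ID, the CIDR block and the DNS addresses are placeholders; the first part runs wherever you have AWS credentials, the last loop runs on an on-prem DC.

```powershell
# Added example (not from the 4sysops article). Requires the AWS.Tools.EC2 module and
# AWS credentials allowed to call ec2:AuthorizeSecurityGroupIngress on the target group.
Import-Module AWS.Tools.EC2

$ManagedAdSecurityGroupId = 'sg-PLACEHOLDER'                # security group of the AWS Managed AD (placeholder)
$OnPremDcCidr             = '10.10.0.0/24'                   # on-prem domain controller subnet (placeholder)
$ManagedAdDnsAddresses    = @('10.20.1.10', '10.20.2.10')    # DNS Address values from Directory Details (placeholders)

# Inbound rules from the prerequisites: protocol, first port, last port.
# For ICMP, -1/-1 means "all types and codes".
$InboundRules = @(
    @{ Proto = 'tcp';  From = 445;  To = 445   },
    @{ Proto = 'udp';  From = 445;  To = 445   },
    @{ Proto = 'tcp';  From = 53;   To = 53    },
    @{ Proto = 'udp';  From = 53;   To = 53    },
    @{ Proto = 'tcp';  From = 88;   To = 88    },
    @{ Proto = 'udp';  From = 88;   To = 88    },
    @{ Proto = 'udp';  From = 123;  To = 123   },
    @{ Proto = 'udp';  From = 138;  To = 138   },
    @{ Proto = 'tcp';  From = 389;  To = 389   },
    @{ Proto = 'udp';  From = 389;  To = 389   },
    @{ Proto = 'tcp';  From = 464;  To = 464   },
    @{ Proto = 'udp';  From = 464;  To = 464   },
    @{ Proto = 'tcp';  From = 135;  To = 135   },
    @{ Proto = 'tcp';  From = 636;  To = 636   },
    @{ Proto = 'tcp';  From = 1024; To = 65535 },
    @{ Proto = 'tcp';  From = 3268; To = 3269  },
    @{ Proto = 'icmp'; From = -1;   To = -1    }
)

# Build one IpPermission per rule, each limited to the on-prem DC CIDR.
$Permissions = foreach ($rule in $InboundRules) {
    $range = New-Object Amazon.EC2.Model.IpRange
    $range.CidrIp      = $OnPremDcCidr
    $range.Description = 'On-prem domain controllers (AD trust)'

    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = $rule.Proto
    $perm.FromPort   = $rule.From
    $perm.ToPort     = $rule.To
    $perm.Ipv4Ranges = [System.Collections.Generic.List[Amazon.EC2.Model.IpRange]]::new()
    $perm.Ipv4Ranges.Add($range)
    $perm
}

Grant-EC2SecurityGroupIngress -GroupId $ManagedAdSecurityGroupId -IpPermission $Permissions

# Run this part on an on-prem DC: confirm each Managed AD DNS address answers on the
# TCP ports the on-prem firewall must allow. Test-NetConnection cannot probe UDP, so the
# UDP 53/88/389 rules still need a firewall rule review.
$RequiredTcpPorts = 53, 88, 389, 445
foreach ($ip in $ManagedAdDnsAddresses) {
    foreach ($port in $RequiredTcpPorts) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1,-5} {2}' -f $ip, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

Scoping every rule to the on-prem DC CIDR keeps the TCP 1024-65535 range, which is needed for RPC, from being exposed to anything other than the domain controllers.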

Create a conditional forwarder

Navigate to the on-premises domain controller and open the DNS console.

Right-click Conditional Forwarders and select New Conditional Forwarder.

Creating a conditional forwarder

A new wizard will pop up. Use this wizard to enter the DNS domain of the AWS Managed AD and the IP addresses of its DNS servers. You can get the IP addresses from the Directory Details pane under DNS Address. Select the Store this conditional forwarder in Active Directory option and select the option to replicate it to All DNS servers in this domain.

Specifying the conditional forwarder configuration

Note: After you enter the DNS addresses, you might get a time-out or Unable to resolve error and see a red X next to the IP addresses; you can ignore these messages.
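The same conditional forwarder can be created and verified with the DnsServer module. The script below is an added example, not code from the article; it runs on an on-prem DNS server (or DC) with the RSAT DNS tools installed, and the Managed AD domain name and DNS addresses are placeholders. The verification step resolves the DC locator SRV record of the Managed AD domain through the local server, which is what the trust wizard will need to work later.

```powershell
# Added example (not from the 4sysops article). Run on an on-prem DNS server / DC with
# the DnsServer module (RSAT DNS tools). Names and addresses below are placeholders.
Import-Module DnsServer

$ManagedAdDnsDomain    = 'aws.example.com'                 # DNS name of the AWS Managed AD (placeholder)
$ManagedAdDnsAddresses = @('10.20.1.10', '10.20.2.10')     # DNS Address values from Directory Details (placeholders)

# Equivalent of the wizard: a conditional forwarder for the Managed AD domain, stored in
# Active Directory and replicated to all DNS servers in this domain.
Add-DnsServerConditionalForwarderZone -Name $ManagedAdDnsDomain `
    -MasterServers $ManagedAdDnsAddresses `
    -ReplicationScope 'Domain'

# Confirm how the forwarder was stored (ZoneType should be Forwarder, scope Domain).
Get-DnsServerZone -Name $ManagedAdDnsDomain |
    Select-Object ZoneName, ZoneType, ReplicationScope, MasterServers

# Verify through this server, not through the wizard: the trust setup needs the Managed
# AD domain controllers to be locatable, so the DC locator SRV record must resolve.
# A red X in the wizard is harmless; a failure here is not.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedAdDnsDomain" -Type SRV `
    -Server $env:COMPUTERNAME -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight

# The domain name itself should resolve to the Managed AD domain controllers.
Resolve-DnsName -Name $ManagedAdDnsDomain -Type A -Server $env:COMPUTERNAME |
    Select-Object Name, IPAddress
```

If the SRV query fails while the A query works, check that UDP and TCP 53 are allowed from the DNS server to the Managed AD subnets, since SRV answers with additional records often exceed the size of a single UDP datagram.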

Two-way trust between on-prem AD and AWS Managed AD

This is a two-part task in which you will create trusts from the on-prem AD and the AWS Managed AD.

Establish trust from the on-prem AD

Navigate to Active Directory Domains and Trusts.

Right-click the domain and select Properties.

Opening the properties of Active Directory domains and trusts

Select Trusts > New Trust.

Creating a new trust

A new wizard will pop up with a welcome screen. Click Next.

Then enter the DNS name of the Managed AD.

Specifying the DNS name of the AWS Managed AD

In the following screens, specify the Trust Type, Direction of Trust, Sides of Trust, Outgoing Trust Authentication Level, and Trust Password.
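The wizard steps above can also be scripted. The following is an added example, not part of the original article: it creates the on-prem side of a two-way forest trust with the .NET System.DirectoryServices.ActiveDirectory API (the equivalent of Trust Type = Forest, Direction = Two-way, Sides of Trust = This domain only), sets the Outgoing Trust Authentication Level to selective authentication, and then reads the resulting trust object with Get-ADTrust. It runs on an on-prem DC as an Enterprise Admin; the Managed AD DNS name is a placeholder, and the trust password is prompted rather than stored in the script.

```powershell
# Added example (not from the 4sysops article). Run on an on-prem DC as a member of
# Enterprise Admins. The Managed AD name is a placeholder; the trust password is prompted.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ManagedAdDnsDomain = 'aws.example.com'   # DNS Name of the AWS Managed AD (placeholder)

# The trust password must match what you enter on the AWS side later.
$secure = Read-Host -Prompt 'Trust password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $trustPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Forest trust, two-way, created on this side only. The AWS side is created afterwards in
# the Directory Service console (Add trust relationship) with the same password.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship(
    $ManagedAdDnsDomain,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional,
    $trustPassword)
$trustPassword = $null

# Outgoing Trust Authentication Level: selective authentication means accounts from the
# Managed AD forest can only authenticate to on-prem servers where they are explicitly
# granted "Allowed to Authenticate", which is the least-privilege choice.
$forest.SetSelectiveAuthenticationStatus($ManagedAdDnsDomain, $true)

# Check the trust object as AD sees it. Until the AWS side exists, the trust is recorded
# but cannot be validated. SID filtering stays on by default for a forest trust.
Get-ADTrust -Identity $ManagedAdDnsDomain |
    Select-Object Name, TrustType, Direction, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringForestAware
```

Selective authentication is a stricter setting than forest-wide authentication; choose it when only a known set of on-prem servers should be reachable from the Managed AD side, and grant "Allowed to Authenticate" on those computer objects afterwards.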

Establish trust from the AWS Managed AD

Navigate to the AWS Directory Service and click the directory you have there.

Under Network & security, click Add trust relationship.

Adding a trust relationship to the AWS Managed AD

Specify the Trust type, the DNS name of the on-prem AD, the Trust password specified earlier, and the Trust direction. For Conditional forwarder, enter the IP addresses of the on-prem DNS servers. You can add up to four IPs by clicking Add another IP address.

Configuring an AWS Managed AD trust

When you're done, click Add to create the trust. AWS Managed AD establishes and verifies the trust relationship with the on-prem AD.

Creating an AWS Managed AD forest trust

Once the trust status is verified, you can start granting permissions for directory objects across the two different forests.
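The AWS side of the trust can be created the same way from the AWS Tools for PowerShell. The script below is an added example, not part of the original article: it calls New-DSTrust from the AWS.Tools.DirectoryService module with the same parameters the console asks for (trust type, remote domain, password, direction, conditional forwarder IPs), then polls Get-DSTrust until the trust leaves its transient states and fails loudly if it does not end up Verified. The directory ID, domain name and DNS addresses are placeholders.

```powershell
# Added example (not from the 4sysops article). Requires the AWS.Tools.DirectoryService
# module and credentials allowed to call ds:CreateTrust and ds:DescribeTrusts. Values are
# placeholders.
Import-Module AWS.Tools.DirectoryService

$DirectoryId        = 'd-PLACEHOLDER'                  # Managed AD directory ID (placeholder)
$OnPremDnsDomain    = 'corp.example.com'               # on-prem AD DNS name (placeholder)
$OnPremDnsAddresses = @('10.10.0.10', '10.10.0.11')    # on-prem DNS servers, up to four (placeholders)

# Same password that was entered in the on-prem New Trust wizard.
$secure = Read-Host -Prompt 'Trust password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $trustPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Equivalent of "Add trust relationship": two-way forest trust, with the conditional
# forwarder for the on-prem domain created on the Managed AD side in the same call.
# New-DSTrust returns the new trust ID.
$trustId = New-DSTrust -DirectoryId $DirectoryId `
    -RemoteDomainName $OnPremDnsDomain `
    -TrustType Forest `
    -TrustDirection 'Two-Way' `
    -TrustPassword $trustPassword `
    -ConditionalForwarderIpAddr $OnPremDnsAddresses
$trustPassword = $null

# AWS creates and then verifies the trust asynchronously. Poll until it leaves the
# transient states; anything other than Verified needs a look at TrustStateReason
# (most often DNS resolution of the on-prem domain, or the security group / firewall rules).
$transient = 'Creating', 'Created', 'Verifying', 'Updating'
do {
    Start-Sleep -Seconds 15
    $trust = Get-DSTrust -DirectoryId $DirectoryId -TrustId $trustId
    '{0} {1} {2}' -f $trust.TrustId, $trust.TrustState, $trust.TrustStateReason
} while ($trust.TrustState -in $transient)

if ($trust.TrustState -ne 'Verified') {
    throw "Trust $($trust.TrustId) ended in state $($trust.TrustState): $($trust.TrustStateReason)"
}

# Summary of the verified trust as the Directory Service reports it.
$trust | Select-Object TrustId, RemoteDomainName, TrustType, TrustDirection, TrustState, StateLastUpdatedDateTime
```

Polling on the trust state rather than assuming success matters because New-DSTrust returns as soon as the request is accepted; a VerifyFailed state with a DNS-related reason usually points back at the conditional forwarder or the security group rules from the prerequisites.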


Conclusion

In this article, we've gone through how to integrate AWS Managed AD with On-Prem AD via cross-forest trust. If you have any further questions, please mention them in the comments.

1 Comment
  1. Myra 8 months ago

    Hi. After establishing the trust relation can we delete AWS managed AD and start using only on-prem AD?


© 4sysops 2006 - 2023
