This step-by-step guide explains how to integrate AWS Managed AD with On-Prem AD via a trust relationship. A hybrid Active Directory helps administrators to maintain a relationship between the two domains to ensure domain resources can be accessed by the users in the different domains.

Creating a trust relationship between AWS Managed AD and On-Prem AD has almost no differences compared to other trust relationships you create between different forests on-prem. So, you can actually configure one/two way external/forest trust for all three relationship directions: two-way, incoming, and outgoing. The only difference is that AWS Managed AD doesn't support trust with single-label domains.

Before we get started, make sure you have the following prerequisites in place:

  • Ensure that your on-prem network can connect to the VPC subnets in which the AWS Managed AD is hosted.
  • The on-prem network firewall must allow traffic for the AWS Managed AD subnets via the following ports:
    • TCP/UDP 53 – DNS
    • TCP/UDP 88 – Kerberos authentication
    • TCP/UDP 389 – LDAP
    • TCP 445 – SMB
    • These are the minimum ports that need to be allowed if you have a specific configuration that may require more ports to be opened.
  • Update the AWS Managed AD security group outbound rules to allow all the traffic to the IP address or CIDR block of the on-prem domain controllers.
  • Update the AWS Managed AD security group inbound rules to allow incoming traffic from the IP address or CIDR block of on-prem domain controllers via the following ports:
    • TCP/UDP 445
    • TCP/UDP 53
    • TCP/UDP 88
    • UDP 123
    • UDP 138
    • TCP/UDP 389
    • TCP/UDP 464
    • TCP 135
    • TCP 636
    • TCP 1024–65535
    • TCP 3268–3269
    • All ICMP

Note: You can find the AWS Managed AD security group by searching in the security group console with the Managed AD ID.

Create a conditional forwarder ^

Navigate to the on-premises domain controller and open the DNS console.

Right-click Conditional Forwarders and select New Conditional Forwarder.

Creating a conditional forwarder

Creating a conditional forwarder

A new wizard will pop up. Use this wizard to pass the DNS domain of the AWS Managed AD, including its IP addresses. You can get the IP addresses from the Directory Details pane under DNS Address. Select the Store this conditional forwarder in Active Directory option and select the option to replicate it to All DNS servers in this domain.

Specifying the conditional forwarder configuration

Specifying the conditional forwarder configuration

Note: After you enter the DNS addresses, you might get a time-out or Unable to resolve error and see a red X next to the IP addresses; you can ignore these messages.

Two-way trust between on-prem AD and AWS Managed AD ^

This is a two-part task in which you will create trusts from the on-prem AD and the AWS Managed AD.

Establish trust from the on-prem AD

Navigate to Active Directory Domains and Trusts.

Right-click the domain and select Properties.

Opening the properties of Active Directory domains and trusts

Opening the properties of Active Directory domains and trusts

Select Trusts > New Trust.

Creating a new trust

Creating a new trust

A new wizard will pop up with a welcome screen. Click Next.

Then pass the DNS Name of the Managed AD.

Specifying the DNS name of the AWS Managed AD

Specifying the DNS name of the AWS Managed AD

In the following screens, specify the Trust Type, Direction of Trust, Sides of Trust, Outgoing Trust Authentication Level, and Trust Password.

Establish trust from the AWS Managed AD

Navigate to the AWS Directory Service and click the directory you have there.

Under Network & security, click Add trust relationship.

Adding a trust relationship to the AWS Managed AD

Adding a trust relationship to the AWS Managed AD

Specify the Trust type, the on-prem AD, Trust password specified earlier, and Trust direction. For Conditional forwarder, enter the IP addresses of the on-prem DNS servers. You can pass up to four IPs by clicking on Add another IP address.

Configuring an AWS Managed AD trust

Configuring an AWS Managed AD trust

When you're done, click Add and the trust. AWS Managed AD establishes and verifies the trust relationship with the on-prem AD.

Creating an AWS Managed AD forest trust

Creating an AWS Managed AD forest trust

Once the trust status is verified, you can start granting permissions for directory objects across the two different forests.

Subscribe to 4sysops newsletter!

Conclusion ^

In this article, we've gone through how to integrate AWS Managed AD with On-Prem AD via cross-forest trust. If you have any further questions, please mention them in the comments.

+1
0 Comments

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account