Step 2: Create the trusts
In this section, you create two separate forest trusts. One trust is created from the Active Directory domain on your EC2 instance and the other from your AWS Managed Microsoft AD in AWS.
To create the trust from your EC2 domain to your AWS Managed Microsoft AD
-
Log in to a domain controller in example.local.
-
Open Server Manager and in the console tree choose DNS. Take note of the IPv4 address listed for the server. You will need this in the next procedure when you create a conditional forwarder from corp.example.com to the example.local directory.
-
In the Tools menu, choose Active Directory Domains and Trusts.
-
In the console tree, right-click example.local and then choose Properties.
-
On the Trusts tab, choose New Trust, and then choose Next.
-
On the Trust Name page, type corp.example.com, and then choose Next.
-
On the Trust Type page, choose Forest trust, and then choose Next.
Note
AWS Managed Microsoft AD also supports external trusts. However, for the purposes of this tutorial, you will create a two-way forest trust.
-
On the Direction of Trust page, choose Two-way, and then choose Next.
Note
If you decide later to try this with a one-way trust instead, ensure that the trust directions are set up correctly (Outgoing on the trusting domain, Incoming on the trusted domain). For general information, see Understanding trust direction on Microsoft's website.
-
On the Sides of Trust page, choose This domain only, and then choose Next.
-
On the Outgoing Trust Authentication Level page, choose Forest-wide authentication, and then choose Next.
Note
Although Selective authentication is an option, for the simplicity of this tutorial we recommend that you do not enable it here. It is the more restrictive choice: when configured, it limits access over an external or forest trust to only those users in the trusted domain or forest who have been explicitly granted the Allowed to Authenticate permission on computer objects (resource computers) in the trusting domain or forest. For more information, see Configuring selective authentication settings.
-
On the Trust Password page, type the trust password twice, and then choose Next. You will use this same password in the next procedure.
-
On the Trust Selections Complete page, review the results, and then choose Next.
-
On the Trust Creation Complete page, review the results, and then choose Next.
-
On the Confirm Outgoing Trust page, choose No, do not confirm the outgoing trust, and then choose Next. The trust cannot be confirmed yet because the corp.example.com side is created in the next procedure.
-
On the Confirm Incoming Trust page, choose No, do not confirm the incoming trust, and then choose Next.
-
On the Completing the New Trust Wizard page, choose Finish.
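The same example.local-side steps as an added PowerShell example, not part of this tutorial: run on the example.local domain controller, it records the DNS server address you need for the AWS side, checks that corp.example.com is resolvable, creates the local side of a two-way forest trust through the .NET Forest API (the same operation the wizard performs with "This domain only"), and then shows the resulting trust object. The password prompt and the interface filter are assumptions for illustration.

```powershell
# Added example: PowerShell equivalent of the New Trust Wizard steps above,
# run on the example.local domain controller. Not part of the original tutorial.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$RemoteForest  = 'corp.example.com'
$TrustPassword = Read-Host -AsSecureString -Prompt 'Trust password (reuse it in the AWS console)'
$PlainPassword = [System.Net.NetworkCredential]::new('', $TrustPassword).Password

# The IPv4 address of this DNS server, which the AWS Managed Microsoft AD side
# needs as its conditional-forwarder target. Assumption: the first non-loopback
# IPv4 address on this host is the one the DNS console lists.
$DnsServerIp = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object -First 1).IPAddress
Write-Host "Conditional forwarder target for the AWS side: $DnsServerIp"

# Name resolution must work before the trust can be built; the wizard stops at
# the Trust Name page if corp.example.com's domain controllers cannot be located.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction Stop | Out-Null

# Forest trust, Two-way, local side only (the remote side is created from the
# AWS console). Forest-wide authentication is the default because selective
# authentication is not enabled here.
$LocalForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Direction   = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
$LocalForest.CreateLocalSideOfTrustRelationship($RemoteForest, $Direction, $PlainPassword)

# Show the trusted domain object that was created. SIDFilteringForestAware should
# be True: SID filtering is on by default for forest trusts and should stay on.
Get-ADTrust -Filter "Name -eq '$RemoteForest'" |
    Select-Object Name, TrustType, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware
```

Keep the password you enter here: the trust is only established once the AWS side is created with the same password, in the next procedure.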
Note
Trust relationships are a global feature of AWS Managed Microsoft AD. If you are using Configure Multi-Region replication for AWS Managed Microsoft AD, the following procedures must be performed in the Primary Region. The changes are applied across all replicated Regions automatically. For more information, see Global vs Regional features.
To create the trust from your AWS Managed Microsoft AD to your EC2 domain
-
Open the AWS Directory Service console.
-
Choose the corp.example.com directory.
-
On the Directory details page, do one of the following:
-
If you have multiple Regions showing under Multi-Region replication, select the primary Region, and then choose the Networking & security tab. For more information, see Primary vs additional Regions.
-
If you do not have any Regions showing under Multi-Region replication, choose the Networking & security tab.
-
In the Trust relationships section, choose Actions, and then select Add trust relationship.
-
In the Add a trust relationship dialog box, do the following:
-
Under Trust type select Forest trust.
Note
Make sure that the Trust type you choose here matches the same trust type configured in the previous procedure (To create the trust from your EC2 domain to your AWS Managed Microsoft AD).
-
For Existing or new remote domain name, type example.local.
-
For Trust password, type the same password that you provided in the previous procedure.
-
Under Trust direction, select Two-Way.
Note
-
If you decide later to try this with a one-way trust instead, ensure that the trust directions are set up correctly (Outgoing on the trusting domain, Incoming on the trusted domain). For general information, see Understanding trust direction on Microsoft's website.
-
Although Selective authentication is an option, for the simplicity of this tutorial we recommend that you do not enable it here. It is the more restrictive choice: when configured, it limits access over an external or forest trust to only those users in the trusted domain or forest who have been explicitly granted the Allowed to Authenticate permission on computer objects (resource computers) in the trusting domain or forest. For more information, see Configuring selective authentication settings.
-
For Conditional forwarder, type the IP address of your DNS server in the example.local forest (which you noted in the previous procedure).
Note
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. Here, the AWS Managed Microsoft AD DNS servers forward queries for example.local to the address you enter, which is how the trust locates the example.local domain controllers.
-
Choose Add.
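The AWS-side steps as AWS CLI calls run from PowerShell, added here as an example and not part of the tutorial, followed by polling the trust until the service has verified it. The directory ID and the forwarder address are placeholders; substitute the values from your own environment. Because --trust-password is passed on the command line, it is visible to process listings and shell history on the machine you run this from, so run it from an administrative workstation and clear the history afterwards.

```powershell
# Added example: the Add trust relationship dialog as AWS CLI calls, plus a
# verification pass. Not part of the original tutorial.
# Placeholders: directory ID and the DNS server address noted in the first procedure.
$DirectoryId   = 'd-1234567890'
$RemoteDomain  = 'example.local'
$ForwarderIp   = '10.0.0.10'
$TrustPassword = Read-Host -AsSecureString -Prompt 'Trust password (same as on example.local)'
$PlainPassword = [System.Net.NetworkCredential]::new('', $TrustPassword).Password

# Trust type, direction and selective-authentication setting must match what
# was configured on the example.local side.
$TrustId = aws ds create-trust `
    --directory-id $DirectoryId `
    --remote-domain-name $RemoteDomain `
    --trust-password $PlainPassword `
    --trust-direction 'Two-Way' `
    --trust-type Forest `
    --selective-auth Disabled `
    --conditional-forwarder-ip-addrs $ForwarderIp `
    --query TrustId --output text

# The trust starts in Creating and moves through Created/Verifying; stop when the
# service reports a terminal state and print the reason if it is not Verified.
do {
    Start-Sleep -Seconds 15
    $Trust = aws ds describe-trusts --directory-id $DirectoryId --trust-ids $TrustId `
        --query 'Trusts[0]' --output json | ConvertFrom-Json
    Write-Host "TrustState: $($Trust.TrustState) $($Trust.TrustStateReason)"
} while ($Trust.TrustState -in 'Creating', 'Created', 'Verifying')

if ($Trust.TrustState -ne 'Verified') {
    # Typical causes: the conditional forwarder address does not answer for
    # example.local, or the security-group rules from Step 1 block the DC ports.
    # Fix the cause, then ask the service to re-verify.
    aws ds verify-trust --trust-id $TrustId | Out-Null
}
```

Once describe-trusts reports Verified, the two-way forest trust is in place; the trust object on the example.local side now validates as well, so you can return to Active Directory Domains and Trusts there and confirm the trust that the wizard left unconfirmed.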