

# Tutorial: Create a trust relationship between your AWS Managed Microsoft AD and your self-managed Active Directory domain
<a name="ms_ad_tutorial_setup_trust"></a>

This tutorial walks you through all the steps necessary to set up a trust relationship between AWS Directory Service for Microsoft Active Directory and your self-managed (on-premises) Microsoft Active Directory. Although creating the trust requires only a few steps, you must first complete the following prerequisite steps. 

**Topics**
+ [Prerequisites](before_you_start.md)
+ [Step 1: Prepare your self-managed AD Domain](ms_ad_tutorial_setup_trust_prepare_onprem.md)
+ [Step 2: Prepare your AWS Managed Microsoft AD](ms_ad_tutorial_setup_trust_prepare_mad.md)
+ [Step 3: Create the trust relationship](ms_ad_tutorial_setup_trust_create.md)

**See Also**

[Creating a trust relationship between your AWS Managed Microsoft AD and self-managed AD](ms_ad_setup_trust.md)

# Prerequisites
<a name="before_you_start"></a>

This tutorial assumes you already have the following:

**Note**  
AWS Managed Microsoft AD does not support trust with [Single label domains](https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains).
+ An AWS Managed Microsoft AD directory created on AWS. If you need help doing this, see [Getting started with AWS Managed Microsoft AD](ms_ad_getting_started.md).
+ An EC2 instance running Windows added to that AWS Managed Microsoft AD. If you need help doing this, see [Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory](launching_instance.md).
**Important**  
The admin account for your AWS Managed Microsoft AD must have administrative access to this instance.
+ The following Windows Server tools installed on that instance:
  + AD DS and AD LDS Tools
  + DNS

  If you need help doing this, see [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md).
+ A self-managed (on-premises) Microsoft Active Directory

  You must have administrative access to this directory. The same Windows Server tools as listed above must also be available for this directory.
+ An active connection between your self-managed network and the VPC containing your AWS Managed Microsoft AD. If you need help doing this, see [Amazon Virtual Private Cloud Connectivity Options](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-vpc-connectivity-options.pdf).
+ A correctly set local security policy. Check `Local Security Policy > Local Policies > Security Options > Network access: Named Pipes that can be accessed anonymously` and ensure that it contains at least the following three named pipes: 
  + netlogon
  + samr
  + lsarpc
+ Unique NetBIOS and domain names. The two domains cannot share a NetBIOS name or a DNS domain name, or the trust relationship cannot be established.
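
A PowerShell check for the named-pipes prerequisite above, added here as an example and not part of the AWS documentation. It assumes the policy is backed by the `NullSessionPipes` registry value under the LanmanServer parameters key, which is where Windows Server stores it.

```powershell
# Added example (not from the AWS documentation): check the
# "Network access: Named Pipes that can be accessed anonymously" prerequisite.
# The policy is stored in the NullSessionPipes REG_MULTI_SZ value below; run this
# on the self-managed domain controller (and on any other DC the trust will use).
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Required = @('netlogon', 'samr', 'lsarpc')

function Test-NullSessionPipes {
    param([string[]]$Required)
    $current = @()
    $item = Get-ItemProperty -Path $RegPath -Name NullSessionPipes -ErrorAction SilentlyContinue
    if ($item) { $current = @($item.NullSessionPipes) }
    # -notin compares case-insensitively, matching how the policy editor treats the names.
    $missing = @($Required | Where-Object { $_ -notin $current })
    [pscustomobject]@{
        Present = $current
        Missing = $missing
        Ok      = ($missing.Count -eq 0)
    }
}

$result = Test-NullSessionPipes -Required $Required
if ($result.Ok) {
    Write-Host "OK: NullSessionPipes contains $($Required -join ', ')"
} else {
    Write-Warning "Missing named pipes: $($result.Missing -join ', ')"
    # If this policy is delivered by Group Policy, fix it in the GPO instead;
    # a local registry edit is overwritten at the next policy refresh.
    # Uncomment to append the missing entries locally:
    # Set-ItemProperty -Path $RegPath -Name NullSessionPipes `
    #     -Value ($result.Present + $result.Missing) -Type MultiString
}
```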

For more information about the prerequisites for creating a trust relationship, see [Creating a trust relationship between your AWS Managed Microsoft AD and self-managed AD](ms_ad_setup_trust.md).

## Tutorial configuration
<a name="tutorial_config"></a>

For this tutorial, we've already created an AWS Managed Microsoft AD and a self-managed domain. The self-managed network is connected to the AWS Managed Microsoft AD's VPC. Following are the properties of the two directories:

### AWS Managed Microsoft AD running on AWS
<a name="mad_domain"></a>
+ Domain name (FQDN): MyManagedAD.example.com
+ NetBIOS name: MyManagedAD
+ DNS Addresses: 10.0.10.246, 10.0.20.121
+ VPC CIDR: 10.0.0.0/16

The AWS Managed Microsoft AD resides in VPC ID: vpc-12345678.

### Self-managed or AWS Managed Microsoft AD domain
<a name="onprem_domain"></a>
+ Domain name (FQDN): corp.example.com
+ NetBIOS name: CORP
+ DNS Addresses: 172.16.10.153
+ Self-managed CIDR: 172.16.0.0/16

**Next Step**

[Step 1: Prepare your self-managed AD Domain](ms_ad_tutorial_setup_trust_prepare_onprem.md)

# Step 1: Prepare your self-managed AD Domain
<a name="ms_ad_tutorial_setup_trust_prepare_onprem"></a>

First you need to complete several prerequisite steps on your self-managed (on-premises) domain.

## Configure your self-managed firewall
<a name="tutorial_setup_trust_connect_vpc"></a>

You must configure your self-managed firewall so that the following ports are open to the CIDRs for all subnets used by the VPC that contains your AWS Managed Microsoft AD. In this tutorial, we allow both incoming and outgoing traffic from 10.0.0.0/16 (the CIDR block of our AWS Managed Microsoft AD's VPC) on the following ports:

 
+ TCP/UDP 53 - DNS 
+ TCP/UDP 88 - Kerberos authentication
+ TCP/UDP 389 - Lightweight Directory Access Protocol (LDAP)
+ TCP 445 - Server Message Block (SMB)
+ TCP 9389 - Active Directory Web Services (ADWS) (*Optional* - This port needs to be open if you want to use your NetBIOS name instead of your full domain name for authentication with AWS applications like Amazon WorkDocs or Amazon Quick.)

**Note**  
SMBv1 is no longer supported.  
These are the minimum ports that are needed to connect the VPC to the self-managed directory. Your specific configuration may require additional ports be open.

## Ensure that Kerberos pre-authentication is enabled
<a name="tutorial_setup_trust_enable_kerberos"></a>

User accounts in both directories must have Kerberos preauthentication enabled. This is the default, but let's check the properties of any random user to make sure nothing has changed.

**To view a user's Kerberos settings**

1. On your self-managed domain controller, open Server Manager.

1. On the **Tools** menu, choose **Active Directory Users and Computers**.

1. Choose the **Users** folder. In the right pane, open the context (right-click) menu of any user account and choose **Properties**.

1. Choose the **Account** tab. In the **Account options** list, scroll down and ensure that **Do not require Kerberos preauthentication** is *not* checked.   
![\[Corp User Properties dialog box with the account option do not require Kerberos preauthentication highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/kerberos_enabled.png)

## Configure DNS conditional forwarders for your self-managed domain
<a name="tutorial_setup_trust_onprem_forwarder"></a>

You must set up DNS conditional forwarders on each domain. Before doing this on your self-managed domain, you will first get some information about your AWS Managed Microsoft AD.

**To configure conditional forwarders on your self-managed domain**

1. Sign into the AWS Management Console and open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. In the navigation pane, select **Directories**.

1. Choose the directory ID of your AWS Managed Microsoft AD.

1. On the **Details** page, take note of the values in **Directory name** and the **DNS address** of your directory.

1. Now, return to your self-managed domain controller. Open Server Manager.

1. On the **Tools** menu, choose **DNS**.

1. In the console tree, expand the DNS server of the domain for which you are setting up the trust. Our server is WIN-5V70CN7VJ0.corp.example.com.

1. In the console tree, choose **Conditional Forwarders**.

1. On the **Action** menu, choose **New conditional forwarder**. 

1. In **DNS domain**, type the fully qualified domain name (FQDN) of your AWS Managed Microsoft AD, which you noted earlier. In this example, the FQDN is MyManagedAD.example.com.

1. Choose **IP addresses of the primary servers** and type the DNS addresses of your AWS Managed Microsoft AD directory, which you noted earlier. In this example those are: 10.0.10.246, 10.0.20.121

   After entering the DNS addresses, you might get a "timeout" or "unable to resolve" error. You can generally ignore these errors.  
![\[New Conditional Forwarder dialog box with the IP addresses of the DNS servers highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/new_cond_forwarder_diag_box_2.png)

1. Select **Store this conditional forwarder in Active Directory, and replicate it as follows**.

1. Select **All DNS servers in this domain**, and then choose **OK**.
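
The same conditional forwarder created with the DnsServer PowerShell module on the self-managed DNS server, bracketed by a reachability check and a resolution check. This is an added example, not the AWS documentation's own code; the domain name and DNS addresses are this tutorial's values.

```powershell
# Added example (not from the AWS documentation): the conditional forwarder from
# the procedure above, created with the DnsServer module on the self-managed DNS
# server, preceded by a reachability check and followed by a resolution check.
# Values are this tutorial's; substitute your own directory name and DNS addresses.
Import-Module DnsServer
$AwsDomain = 'MyManagedAD.example.com'
$AwsDns    = @('10.0.10.246', '10.0.20.121')

# A forwarder fails silently if the firewall blocks port 53; probe TCP 53 up front
# (UDP 53 is also required but cannot be tested with Test-NetConnection).
foreach ($ip in $AwsDns) {
    $t = Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { Write-Warning "TCP 53 to $ip is blocked; revisit the firewall rules." }
}

# Equivalent of the New Conditional Forwarder dialog with "Store this conditional
# forwarder in Active Directory" and "All DNS servers in this domain" selected.
if (-not (Get-DnsServerZone -Name $AwsDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $AwsDomain -MasterServers $AwsDns -ReplicationScope 'Domain'
}

# Trust creation needs the DC locator records of the remote forest, and those
# resolve only through the forwarder. A failure here explains most name-resolution
# errors seen later during trust creation.
foreach ($svc in '_ldap', '_kerberos') {
    $rec = Resolve-DnsName -Name "$svc._tcp.dc._msdcs.$AwsDomain" -Type SRV -ErrorAction Stop |
           Where-Object Type -eq 'SRV'
    $rec | Select-Object Name, NameTarget, Port | Format-Table -AutoSize
}
```

The "timeout" or "unable to resolve" message the dialog shows is the console's own validation; the SRV lookup at the end is the check that actually matters.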

**Next Step**

[Step 2: Prepare your AWS Managed Microsoft AD](ms_ad_tutorial_setup_trust_prepare_mad.md)

# Step 2: Prepare your AWS Managed Microsoft AD
<a name="ms_ad_tutorial_setup_trust_prepare_mad"></a>

Now let's get your AWS Managed Microsoft AD ready for the trust relationship. Many of the following steps are almost identical to what you just completed for your self-managed domain. This time, however, you are working with your AWS Managed Microsoft AD.

## Configure your VPC subnets and security groups
<a name="tutorial_setup_trust_open_vpc"></a>

You must allow traffic from your self-managed network to the VPC containing your AWS Managed Microsoft AD. To do this, make sure that both the network ACLs associated with the subnets used to deploy your AWS Managed Microsoft AD and the security group rules configured on your domain controllers allow the traffic required to support trusts.

Port requirements vary based on the version of Windows Server used by your domain controllers and the services or applications that will be leveraging the trust. For the purposes of this tutorial, you will need to open the following ports: 

**Inbound**
+ TCP/UDP 53 - DNS
+ TCP/UDP 88 - Kerberos authentication
+ UDP 123 - NTP 
+ TCP 135 - RPC 
+ TCP/UDP 389 - LDAP 
+ TCP/UDP 445 - SMB 
+ TCP/UDP 464 - Kerberos authentication
+ TCP 636 - LDAPS (LDAP over TLS/SSL) 
+ TCP 3268-3269 - Global Catalog 
+ TCP/UDP 49152-65535 - Ephemeral ports for RPC

**Note**  
SMBv1 is no longer supported.

**Outbound**
+ ALL

**Note**  
These are the minimum ports that are needed to be able to connect the VPC and self-managed directory. Your specific configuration may require additional ports be open. 

**To configure your AWS Managed Microsoft AD domain controller outbound and inbound rules**

1. Return to the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/). In the list of directories, take note of the directory ID for your AWS Managed Microsoft AD directory.

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Security Groups**.

1. Use the search box to search for your AWS Managed Microsoft AD directory ID. In the search results, select the Security Group with the description **AWS created security group for *yourdirectoryID* directory controllers**.  
![\[In the Amazon VPC Console, search results for the security group for the directory controllers are highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/security-group-search.png)

1. Go to the **Outbound Rules** tab for that security group. Choose **Edit outbound rules**, and then **Add rule**. For the new rule, enter the following values: 
   + **Type**: ALL Traffic
   + **Protocol**: ALL
   + **Destination** determines the traffic that can leave your domain controllers and where it can go. Specify a single IP address or an IP address range in CIDR notation (for example, 203.0.113.5/32). You can also specify the name or ID of another security group in the same Region. For more information, see [Understand your directory's AWS security group configuration and use](ms_ad_best_practices.md#understandsecuritygroup).

1. Select **Save Rule**.  
![\[In the Amazon VPC Console, edit the outbound rules for the directory controller security groups.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/editing-and-saving-rule.png)

## Ensure that Kerberos pre-authentication is enabled
<a name="tutorial_setup_trust_enable_kerberos_on_mad"></a>

Now you want to confirm that users in your AWS Managed Microsoft AD also have Kerberos pre-authentication enabled. This is the same process you completed for your self-managed directory. This is the default, but let's check to make sure nothing has changed.

**To view a user's Kerberos settings**

1. Log in to an instance that is a member of your AWS Managed Microsoft AD directory using either the [AWS Managed Microsoft AD Administrator account and group permissions](ms_ad_getting_started_admin_account.md) for the domain or an account that has been delegated permissions to manage users in the domain.

1. If they are not already installed, install the Active Directory Users and Computers tool and the DNS tool. Learn how to install these tools in [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md).

1. Open Server Manager. On the **Tools** menu, choose **Active Directory Users and Computers**.

1. Choose the **Users** folder in your domain. Note that this is the **Users** folder under your NetBIOS name, not the **Users** folder under the fully qualified domain name (FQDN).  
![\[In the Active Directory Users and Computers dialog box, the Users folder is highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/correct_users_folder.png)

1. In the list of users, right-click on a user, and then choose **Properties**.

1. Choose the **Account** tab. In the **Account options** list, ensure that **Do not require Kerberos preauthentication** is *not* checked. 
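
Both pre-authentication checks in this tutorial (the one for the self-managed domain in Step 1 and the one just above) spot-check a single user. The following added example, which is not part of the AWS documentation, audits a whole domain for the `DONT_REQ_PREAUTH` flag with the ActiveDirectory module and clears it on request; run it once per domain, from a machine joined to that domain with an account allowed to read and modify user accounts.

```powershell
# Added example (not from the AWS documentation): audit a domain for users that
# have "Do not require Kerberos preauthentication" set, instead of checking one
# user in Active Directory Users and Computers. Run once against corp.example.com
# and once against MyManagedAD.example.com (from the domain-joined EC2 instance).
Import-Module ActiveDirectory

# Run this against one domain at a time, from a member of that domain.
$Domain = 'corp.example.com'

# userAccountControl bit DONT_REQ_PREAUTH (0x400000 = 4194304)
$DontReqPreauth = 0x400000

function Get-UsersWithoutPreauth {
    param([Parameter(Mandatory)][string]$Server)
    # The bitwise-AND matching rule (1.2.840.113556.1.4.803) selects accounts with the bit set.
    Get-ADUser -Server $Server -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DontReqPreauth)" `
               -Properties userAccountControl |
        Select-Object SamAccountName, Enabled,
                      @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } }
}

function Enable-KerberosPreauth {
    # Clears the bit, the same as unchecking the box in the Account tab.
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        Set-ADAccountControl -Server $Server -Identity $sam -DoesNotRequirePreAuth $false
    }
}

$hits = @(Get-UsersWithoutPreauth -Server $Domain)
if ($hits.Count -eq 0) {
    Write-Host "$Domain : all users require Kerberos preauthentication"
} else {
    Write-Warning "$Domain : $($hits.Count) user(s) do not require preauthentication"
    $hits | Format-Table -AutoSize
    # Remediate after reviewing the list; an application account may depend on the flag.
    # Enable-KerberosPreauth -Server $Domain -SamAccountName $hits.SamAccountName
}
```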

**Next Step**

[Step 3: Create the trust relationship](ms_ad_tutorial_setup_trust_create.md)

# Step 3: Create the trust relationship
<a name="ms_ad_tutorial_setup_trust_create"></a>

Now that the preparation work is complete, the final steps are to create the trusts. First you create the trust on your self-managed domain, and then finally on your AWS Managed Microsoft AD. If you have any issues during the trust creation process, see [Trust creation status reasons](ms_ad_troubleshooting_trusts.md) for assistance.

## Configure the trust in your self-managed Active Directory
<a name="tutorial_setup_trust_onprem_trust"></a>

In this tutorial, you configure a two-way forest trust. However, if you create a one-way forest trust, be aware that the trust directions on each of your domains must be complementary. For example, if you create a one-way, outgoing trust on your self-managed domain, you need to create a one-way, incoming trust on your AWS Managed Microsoft AD.

**Note**  
AWS Managed Microsoft AD also supports external trusts. However, for the purposes of this tutorial, you will create a two-way forest trust.

**To configure the trust in your self-managed Active Directory**

1. Open Server Manager and on the **Tools** menu, choose **Active Directory Domains and Trusts**.

1. Open the context (right-click) menu of your domain and choose **Properties**.

1. Choose the **Trusts** tab and choose **New trust**. Type the name of your AWS Managed Microsoft AD and choose **Next**.

1. Choose **Forest trust**. Choose **Next**.

1. Choose **Two-way**. Choose **Next**.

1. Choose **This domain only**. Choose **Next**.

1. Choose **Forest-wide authentication**. Choose **Next**.

1. Type a **Trust password**. Make sure to remember this password as you will need it when setting up the trust for your AWS Managed Microsoft AD.

1. In the next dialog box, confirm your settings and choose **Next**. Confirm that the trust was created successfully and again choose **Next**.

1. Choose **No, do not confirm the outgoing trust**. Choose **Next**.

1. Choose **No, do not confirm the incoming trust**. Choose **Next**.
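
The local side of the trust configured by the wizard above, done from PowerShell with the .NET `System.DirectoryServices.ActiveDirectory` API. This is an added example, not the AWS documentation's own procedure; it assumes it runs on a self-managed domain controller as an Enterprise Admin of corp.example.com and that the forwarder from Step 1 is in place.

```powershell
# Added example (not from the AWS documentation): create only the local side of the
# two-way forest trust, the same outcome as the wizard choices Forest trust, Two-way,
# This domain only and Forest-wide authentication. Run on a self-managed DC.
$TargetForest = 'MyManagedAD.example.com'

# The trust object cannot be created unless the target forest resolves, which is
# what the conditional forwarder from Step 1 provides.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TargetForest" -Type SRV -ErrorAction Stop | Out-Null

# Read the trust password without echoing it; the same value is entered in the
# AWS Directory Service console when the AWS side of the trust is created.
$secure   = Read-Host -Prompt 'Trust password' -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# "This domain only" = create only the local side; "Two-way" = Bidirectional.
$forest.CreateLocalSideOfTrustRelationship(
    $TargetForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional,
    $password)
# "Forest-wide authentication" = selective authentication switched off.
$forest.SetSelectiveAuthenticationStatus($TargetForest, $false)

# Show what was created. Verifying the trust is skipped on purpose, exactly as the
# wizard's "do not confirm" choices do, because the AWS side does not exist yet.
Get-ADTrust -Filter * | Where-Object Target -eq $TargetForest |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```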

## Configure the trust in your AWS Managed Microsoft AD directory
<a name="tutorial_setup_trust_mad_trust"></a>

Finally, you configure the forest trust relationship with your AWS Managed Microsoft AD directory. Because you created a two-way forest trust on the self-managed domain, you also create a two-way trust using your AWS Managed Microsoft AD directory.

**Note**  
Trust relationships are a global feature of AWS Managed Microsoft AD. If you are using [Configure Multi-Region replication for AWS Managed Microsoft AD](ms_ad_configure_multi_region_replication.md), the following procedures must be performed in the [Primary Region](multi-region-global-primary-additional.md#multi-region-primary). The changes will be applied across all replicated Regions automatically. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

**To configure the trust in your AWS Managed Microsoft AD directory**

1. Return to the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/). 

1. On the **Directories** page, choose your AWS Managed Microsoft AD ID.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the primary Region, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Trust relationships** section, choose **Actions**, and then select **Add trust relationship**.

1. On the **Add a trust relationship** page, specify the Trust type. In this case, we choose **Forest trust**. Type the FQDN of your self-managed domain (in this tutorial **corp.example.com**). Type the same trust password that you used when creating the trust on your self-managed domain. Specify the direction. In this case, we choose **Two-way**. 

1. In the **Conditional forwarder** field, enter the IP address of your self-managed DNS server. In this example, enter 172.16.10.153.

1. (Optional) Choose **Add another IP address** and enter a second IP address for your self-managed DNS server. You can specify up to a total of four DNS servers.

1. Choose **Add**.

Congratulations. You now have a trust relationship between your self-managed domain (corp.example.com) and your AWS Managed Microsoft AD (MyManagedAD.example.com). Only one relationship can be set up between these two domains. If, for example, you want to change the trust direction to one-way, you would first need to delete this existing trust relationship and create a new one.

For more information, including instructions about verifying or deleting trusts, see [Creating a trust relationship between your AWS Managed Microsoft AD and self-managed AD](ms_ad_setup_trust.md). 
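
The AWS side of the trust created with the AWS CLI `ds` commands from PowerShell, with a verification loop after it. This is an added example, not part of the AWS documentation; it assumes an installed and configured AWS CLI, a caller allowed to call `ds:CreateTrust`, `ds:VerifyTrust` and `ds:DescribeTrusts`, and a directory ID, which is a placeholder below.

```powershell
# Added example (not from the AWS documentation): the "Add a trust relationship"
# console page done with the AWS CLI, then a verification loop.
$DirectoryId  = 'd-XXXXXXXXXX'       # placeholder: use your own directory ID
$RemoteDomain = 'corp.example.com'
$RemoteDns    = @('172.16.10.153')   # conditional forwarder targets, up to four

$secure   = Read-Host -Prompt 'Trust password (same as on the self-managed side)' -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password

# Forest trust, two-way, with the conditional forwarder to the self-managed DNS server.
# The password travels on the command line here, so run this interactively rather than
# from a script that is logged or checked in.
$trustId = aws ds create-trust `
    --directory-id $DirectoryId `
    --remote-domain-name $RemoteDomain `
    --trust-password $password `
    --trust-direction 'Two-Way' `
    --trust-type Forest `
    --conditional-forwarder-ip-addrs $RemoteDns `
    --query TrustId --output text
if ($LASTEXITCODE -ne 0) { throw 'create-trust failed; see "Trust creation status reasons".' }

function Get-TrustState {
    # Returns "<TrustState>\t<TrustStateReason>" for one trust.
    param([string]$DirectoryId, [string]$TrustId)
    aws ds describe-trusts --directory-id $DirectoryId --trust-ids $TrustId `
        --query 'Trusts[0].[TrustState,TrustStateReason]' --output text
}

# Wait for creation, ask the service to verify both directions, then wait again.
do { Start-Sleep -Seconds 15; $state = Get-TrustState $DirectoryId $trustId } while ($state -like 'Creating*')
aws ds verify-trust --trust-id $trustId | Out-Null
do { Start-Sleep -Seconds 15; $state = Get-TrustState $DirectoryId $trustId } while ($state -like 'Verifying*')
Write-Host "Trust $trustId : $state"   # expect Verified; otherwise the reason names the failure
```

Because only one relationship can exist between the two domains, a second `create-trust` for the same remote domain fails; delete the existing trust first if the direction or type has to change.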