# Tutorial: Creating a trust from AWS Managed Microsoft AD to a self-managed Active Directory installation on Amazon EC2
<a name="ms_ad_tutorial_test_lab_trust"></a>

In this tutorial, you learn how to create a trust between the AWS Directory Service for Microsoft Active Directory forest that you created in the [Base tutorial](ms_ad_tutorial_test_lab_base.md) and a new native Active Directory forest that you build on a Windows Server in Amazon EC2. As shown in the following illustration, the lab that you create from this tutorial is the second building block necessary when setting up a complete AWS Managed Microsoft AD test lab. You can use the test lab to test your pure cloud or hybrid cloud–based AWS solutions.

You should only need to complete this tutorial once. After that, you can add the optional tutorials when you want more experience.

![\[Steps to create a trust from a Microsoft Active Directory to a self-managed Active Directory: Set up your environment, create your Microsoft Active Directory, Deploy an Amazon EC2 instance, and test the lab.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadtrust.png)


**[Step 1: Set up your environment for trusts](microsoftadtruststep1.md)**  
Before you can establish trusts between a new Active Directory forest and the AWS Managed Microsoft AD forest that you created in the [Base tutorial](ms_ad_tutorial_test_lab_base.md), you need to prepare your Amazon EC2 environment. To do that, you first create a Windows Server 2019 server, promote that server to a domain controller, and then configure your VPC accordingly.

**[Step 2: Create the trusts](microsoftadtruststep2.md)**  
In this step, you create a two-way forest trust relationship between your newly created Active Directory forest hosted in Amazon EC2 and your AWS Managed Microsoft AD forest in AWS. 

**[Step 3: Verify the trust](microsoftadtruststep3.md)**  
Finally, as an administrator, you use the Directory Service console to verify that the new trusts are operational.

# Step 1: Set up your environment for trusts
<a name="microsoftadtruststep1"></a>

In this section, you set up your Amazon EC2 environment, deploy your new forest, and prepare your VPC for trusts with AWS.

![\[Amazon EC2 environment with Amazon VPC, subnets, and Internet Gateways to deploy a new forest and establish a trust relationship.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadbase_vpclayout.png)


## Create a Windows Server 2019 EC2 instance
<a name="createkeypair1"></a>

Use the following procedure to create a Windows Server 2019 member server in Amazon EC2. 

**To create a Windows Server 2019 EC2 instance**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the Amazon EC2 console, choose **Launch Instance**.

1. On the **Step 1** page, locate **Microsoft Windows Server 2019 Base - ami-*xxxxxxxxxxxxxxxxx*** in the list. Then choose **Select**.

1. On the **Step 2** page, select **t2.large**, and then choose **Next: Configure Instance Details**.

1. On the **Step 3** page, do the following:
   + For **Network**, select **vpc-*xxxxxxxxxxxxxxxxx* AWS-OnPrem-VPC01** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createvpc)).
   + For **Subnet**, select **subnet-*xxxxxxxxxxxxxxxxx* | AWS-OnPrem-VPC01-Subnet01 | AWS-OnPrem-VPC01**.
   + For **Auto-assign Public IP** list, choose **Enable** (if the subnet setting is not set to **Enable** by default).
   + Leave the rest of the settings at their defaults.
   + Choose **Next: Add Storage**.

1. On the **Step 4** page, leave the default settings, and then choose **Next: Add Tags**.

1. On the **Step 5** page, choose **Add Tag**. Under **Key** type **example.local-DC01**, and then choose **Next: Configure Security Group**.

1. On the **Step 6** page, choose **Select an existing security group**, select **AWS On-Prem Test Lab Security Group** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createsecuritygroup)), and then choose **Review and Launch** to review your instance.

1. On the **Step 7** page, review the page, and then choose **Launch**.

1. On the **Select an existing key pair or create a new key pair** dialog box, do the following:
   + Choose **Choose an existing key pair**.
   + Under **Select a key pair**, choose **AWS-DS-KP** (which you previously set up in the [Base tutorial](microsoftadbasestep1.md#createkeypair2)).
   + Select the **I acknowledge...** check box.
   + Choose **Launch Instances**.

1. Choose **View Instances** to return to the Amazon EC2 console and view the status of the deployment.

## Promote your server to a domain controller
<a name="promoteserver"></a>

Before you can create trusts, you must build and deploy the first domain controller for a new forest. During this process you configure a new Active Directory forest, install DNS, and set this server to use the local DNS server for name resolution. You must reboot the server at the end of this procedure.

**Note**  
If you want to create a domain controller in AWS that replicates with your on-premises network, you first join the EC2 instance to your on-premises domain manually, and then promote the server to a domain controller.

**To promote your server to a domain controller**

1. In the Amazon EC2 console, choose **Instances**, select the instance you just created, and then choose **Connect**. 

1. In the **Connect To Your Instance** dialog box, choose **Download Remote Desktop File**. 

1. In the **Windows Security** dialog box, type your local administrator credentials for the Windows Server computer to log in (for example, **administrator**). If you do not yet have the local administrator password, go back to the Amazon EC2 console, right-click the instance, and choose **Get Windows Password**. Navigate to your `AWS DS KP.pem` file or your personal `.pem` key, and then choose **Decrypt Password**.

1. From the **Start** menu, choose **Server Manager**.

1. In the **Dashboard**, choose **Add Roles and Features**.

1. In the **Add Roles and Features Wizard**, choose **Next**. 

1. On the **Select installation type** page, choose **Role-based or feature-based installation**, and then choose **Next**.

1. On the **Select destination server** page, make sure that the local server is selected, and then choose **Next**.

1. On the **Select server roles** page, select **Active Directory Domain Services**. In the **Add Roles and Features Wizard** dialog box, verify that the **Include management tools (if applicable)** check box is selected. Choose **Add Features**, and then choose **Next**.

1. On the **Select features** page, choose **Next**. 

1. On the **Active Directory Domain Services** page, choose **Next**.

1. On the **Confirm installation selections** page, choose **Install**.

1. Once the Active Directory binaries are installed, choose **Close**.

1. When Server Manager opens, look for a flag at the top next to the word **Manage**. When this flag turns yellow, the server is ready to be promoted. 

1. Choose the yellow flag, and then choose **Promote this server to a domain controller**.

1. On the **Deployment Configuration** page, choose **Add a new forest**. In **Root domain name**, type **example.local**, and then choose **Next**.

1. On the **Domain Controller Options** page, do the following:
   + In both **Forest functional level** and **Domain functional level**, choose **Windows Server 2016**.
   + Under **Specify domain controller capabilities**, verify that both **DNS server** and **Global Catalog (GC)** are selected.
   + Type and then confirm a Directory Services Restore Mode (DSRM) password. Then choose **Next**.

1. On the **DNS Options** page, ignore the warning about delegation and choose **Next**.

1. On the **Additional options** page, make sure that **EXAMPLE** is listed as the NetBIOS domain name.

1. On the **Paths** page, leave the defaults, and then choose **Next**.

1. On the **Review Options** page, choose **Next**. The server now checks to make sure all the prerequisites for the domain controller are satisfied. You may see some warnings displayed, but you can safely ignore them.

1. Choose **Install**. Once the installation is complete, the server reboots and then becomes a functional domain controller.
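The same promotion can be scripted instead of clicking through Server Manager. The following is an added example and not part of the AWS tutorial: it reproduces the wizard choices above (new forest example.local, NetBIOS name EXAMPLE, Windows Server 2016 functional levels, DNS server and Global Catalog, no DNS delegation) from an elevated PowerShell session on the new instance. It assumes the built-in ServerManager and ADDSDeployment modules that ship with Windows Server 2019; the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example (not from the AWS tutorial): promote the Windows Server 2019
# instance to the first domain controller of the new example.local forest.
# Run in an elevated PowerShell session on the instance itself.

# 1. Install the AD DS role together with its management tools (the Add Roles wizard).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Collect the Directory Services Restore Mode password as a SecureString so it
#    is never written to the script, to disk, or to the command history.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password'

# 3. Create the forest. 'WinThreshold' is the ADDSDeployment value for the
#    Windows Server 2016 functional level. The first DC of a forest is always a
#    Global Catalog; -InstallDns adds the DNS server role and points this server
#    at itself for name resolution; -CreateDnsDelegation:$false skips the
#    delegation that the wizard warns about on the DNS Options page.
Install-ADDSForest `
    -DomainName 'example.local' `
    -DomainNetbiosName 'EXAMPLE' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force

# The server reboots when the promotion completes. After logging back on as
# EXAMPLE\Administrator, confirm the result:
#   Get-ADForest | Select-Object Name, ForestMode, GlobalCatalogs
#   Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
```

`-Force` only suppresses the confirmation prompt; the prerequisite checks still run, and the same non-blocking warnings that the wizard shows appear as PowerShell warnings.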

## Configure your VPC
<a name="configurevpc1"></a>

The following three procedures guide you through the steps to configure your VPC for connectivity with AWS.

**To configure your VPC outbound rules**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/), make a note of the AWS Managed Microsoft AD directory ID for corp.example.com that you previously created in the [Base tutorial](microsoftadbasestep2.md).

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Security Groups**.

1. Search for your AWS Managed Microsoft AD directory ID. In the search results, select the item with the description **AWS created security group for d-*xxxxxx* directory controllers**.
**Note**  
This security group was automatically created when you initially created your directory.

1. Choose the **Outbound Rules** tab under that security group. Choose **Edit**, choose **Add another rule**, and then add the following values:
   + For **Type**, choose **All Traffic**.
   + For **Destination**, type **0.0.0.0/0**.
   + Leave the rest of the settings at their defaults.
   + Select **Save**.

**To verify that Kerberos preauthentication is enabled**

1. On the **example.local** domain controller, open **Server Manager**.

1. On the **Tools** menu, choose **Active Directory Users and Computers**.

1. Navigate to the **Users** container, right-click any user and select **Properties**, and then choose the **Account** tab. In the **Account options** list, scroll down and ensure that **Do not require Kerberos preauthentication** is **not** selected.

1. Perform the same steps for the **corp.example.com** domain from the **corp.example.com-mgmt** instance.
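Checking one user in the Properties dialog only samples the domain. The following added example (not part of the AWS tutorial) lists every account in a domain that has the "Do not require Kerberos preauthentication" flag set, which is the same check applied to all users at once and a check defenders normally run anyway, since the flag should be clear on every account. It assumes the ActiveDirectory PowerShell module (present on the example.local domain controller and on the corp.example.com-mgmt instance once the RSAT tools are installed) and that the AWS Managed Microsoft AD is queried with the directory's Admin credentials.

```powershell
# Added example (not from the AWS tutorial): audit a domain for accounts whose
# "Do not require Kerberos preauthentication" flag is set.

function Get-NoPreauthAccounts {
    param(
        [Parameter(Mandatory)] [string] $Domain,      # DNS name of the domain to query
        [pscredential] $Credential                    # optional; needed when not logged on to that domain
    )
    $params = @{
        # DoesNotRequirePreAuth is an extended AD property derived from userAccountControl.
        Filter     = 'DoesNotRequirePreAuth -eq $true'
        Properties = 'DoesNotRequirePreAuth', 'userAccountControl'
        Server     = $Domain
    }
    if ($Credential) { $params.Credential = $Credential }

    Get-ADUser @params |
        Select-Object SamAccountName, Enabled, DistinguishedName,
            # Cross-check the raw UAC bit (0x400000 = DONT_REQ_PREAUTH) for completeness.
            @{ Name = 'DONT_REQ_PREAUTH'; Expression = { ($_.userAccountControl -band 0x400000) -ne 0 } }
}

# The EC2-hosted forest: run on the example.local domain controller.
Get-NoPreauthAccounts -Domain 'example.local' | Format-Table -AutoSize

# The AWS Managed Microsoft AD: run from the corp.example.com-mgmt instance,
# authenticating as corp.example.com\Admin (the directory administrator account).
$cred = Get-Credential -Message 'corp.example.com\Admin'
Get-NoPreauthAccounts -Domain 'corp.example.com' -Credential $cred | Format-Table -AutoSize

# An empty result from both calls means preauthentication is required everywhere,
# which is the state this procedure verifies. To clear the flag on a user that
# was returned:
#   Set-ADUser -Identity <SamAccountName> -DoesNotRequirePreAuth $false
```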

**To configure DNS conditional forwarders**
**Note**  
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

1. Open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. In the navigation pane, choose **Directories**.

1. Select the **directory ID** of your AWS Managed Microsoft AD.

1. Take note of the fully qualified domain name (FQDN), **corp.example.com**, and the DNS addresses of your directory.

1. Now, return to your **example.local** domain controller, and then open **Server Manager**.

1. On the **Tools** menu, choose **DNS**.

1. In the console tree, expand the DNS server of the domain for which you are setting up the trust, and navigate to **Conditional Forwarders**.

1. Right-click **Conditional Forwarders**, and then choose **New Conditional Forwarder**.

1. In DNS domain, type **corp.example.com**.

1. Under **IP addresses of the primary servers**, choose **<Click here to add ...>**, type the first DNS address of your AWS Managed Microsoft AD directory (which you made note of in the previous procedure), and then press **Enter**. Do the same for the second DNS address. After typing the DNS addresses, you might get a "timeout" or "unable to resolve" error. You can generally ignore these errors.

1. Select the **Store this conditional forwarder in Active Directory, and replicate as follows** check box. In the drop-down menu, choose **All DNS servers in this Forest**, and then choose **OK**.
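The conditional forwarder can also be created and checked from PowerShell. This added example is not part of the AWS tutorial; it runs on the example.local domain controller and assumes the DnsServer module installed with the DNS role. The two AWS Managed Microsoft AD DNS addresses are placeholders; substitute the addresses shown for your directory in the AWS Directory Service console.

```powershell
# Added example (not from the AWS tutorial): create the conditional forwarder for
# corp.example.com on the example.local DNS server, stored in AD and replicated
# to all DNS servers in the forest, then confirm it works.

# PLACEHOLDERS: replace with the DNS addresses of your AWS Managed Microsoft AD.
$awsDnsServers = @('10.0.0.10', '10.0.1.10')

# Equivalent of New Conditional Forwarder with "All DNS servers in this Forest".
Add-DnsServerConditionalForwarderZone `
    -Name 'corp.example.com' `
    -MasterServers $awsDnsServers `
    -ReplicationScope 'Forest'

# Confirm how the zone is stored: ZoneType Forwarder, IsDsIntegrated True,
# ReplicationScope Forest, and the two master servers you supplied.
Get-DnsServerZone -Name 'corp.example.com' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers

# Confirm that the remote forest's domain controllers are now discoverable from
# this server. The trust wizard in Step 2 depends on this SRV lookup succeeding;
# a failure here points at the security group or forwarder addresses, not the trust.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.com' -Type SRV -Server 'localhost'
```

The "timeout" or "unable to resolve" message the console shows when you add the addresses comes from the console trying to validate them immediately; the `Resolve-DnsName` call above is the check that matters, because it asks the example.local server to answer a query for the remote forest.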

# Step 2: Create the trusts
<a name="microsoftadtruststep2"></a>

In this section, you create two separate forest trusts. One trust is created from the Active Directory domain on your EC2 instance and the other from your AWS Managed Microsoft AD in AWS.

![\[Two way trust between corp.example.com and example.local\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/tutorialmicrosoftadtrust_twoway.png)


**To create the trust from your EC2 domain to your AWS Managed Microsoft AD**

1. Log into **example.local**.

1. Open **Server Manager** and in the console tree choose **DNS**. Take note of the IPv4 address listed for the server. You will need this in the next procedure when you create a conditional forwarder from **corp.example.com** to the **example.local** directory.

1. In the **Tools** menu, choose **Active Directory Domains and Trusts**.

1. In the console tree, right-click **example.local** and then choose **Properties**.

1. On the **Trusts** tab, choose **New Trust**, and then choose **Next**.

1. On the **Trust Name** page, type **corp.example.com**, and then choose **Next**.

1. On the **Trust Type** page, choose **Forest trust**, and then choose **Next**.
**Note**  
AWS Managed Microsoft AD also supports external trusts. However, for the purposes of this tutorial, you will create a two-way forest trust.

1. On the **Direction of Trust** page, choose **Two-way**, and then choose **Next**.
**Note**  
If you decide later to try this with a one-way trust instead, ensure that the trust directions are set up correctly (Outgoing on the trusting domain, Incoming on the trusted domain). For general information, see [Understanding trust direction](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731404(v=ws.11)) on Microsoft's website.

1. On the **Sides of Trust** page, choose **This domain only**, and then choose **Next**.

1. On the **Outgoing Trust Authentication Level** page, choose **Forest-wide authentication**, and then choose **Next**.
**Note**  
Although **Selective authentication** is an option, for the simplicity of this tutorial we recommend that you do not enable it here. When configured, it restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. For more information, see [Configuring selective authentication settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816580(v=ws.10)).

1. On the **Trust Password** page, type the trust password twice, and then choose **Next**. You will use this same password in the next procedure.

1. On the **Trust Selections Complete** page, review the results, and then choose **Next**.

1. On the **Trust Creation Complete** page, review the results, and then choose **Next**.

1. On the **Confirm Outgoing Trust** page, choose **No, do not confirm the outgoing trust**. Then choose **Next**.

1. On the **Confirm Incoming Trust** page, choose **No, do not confirm the incoming trust**. Then choose **Next**.

1. On the **Completing the New Trust Wizard** page, choose **Finish**.

**Note**  
Trust relationships are a global feature of AWS Managed Microsoft AD. If you are using [Configure Multi-Region replication for AWS Managed Microsoft AD](ms_ad_configure_multi_region_replication.md), the following procedures must be performed in the [Primary Region](multi-region-global-primary-additional.md#multi-region-primary). The changes will be applied across all replicated Regions automatically. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

**To create the trust from your AWS Managed Microsoft AD to your EC2 domain**

1. Open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. Choose the **corp.example.com** directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the primary Region, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Trust relationships** section, choose **Actions**, and then select **Add trust relationship**.

1. In the **Add a trust relationship** dialog box, do the following:
   + Under **Trust type** select **Forest trust**.
**Note**  
Make sure that the **Trust type** you choose here matches the same trust type configured in the previous procedure (To create the trust from your EC2 domain to your AWS Managed Microsoft AD).
   + For **Existing or new remote domain name**, type **example.local**.
   + For **Trust password**, type the same password that you provided in the previous procedure.
   + Under **Trust direction**, select **Two-Way**.
**Note**  
If you decide later to try this with a one-way trust instead, ensure that the trust directions are set up correctly (Outgoing on the trusting domain, Incoming on the trusted domain). For general information, see [Understanding trust direction](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731404(v=ws.11)) on Microsoft's website.
Although **Selective authentication** is an option, for the simplicity of this tutorial we recommend that you do not enable it here. When configured, it restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. For more information, see [Configuring selective authentication settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816580(v=ws.10)).
   + For **Conditional forwarder**, type the IP address of your DNS server in the **example.local** forest (which you noted in the previous procedure). 
**Note**  
A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

1. Choose **Add**. 
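Both halves of Step 2 can be done from the command line, which makes it easier to see that the two sides must agree on trust type, direction and password. This added example is not part of the AWS tutorial. Part 1 uses the .NET `System.DirectoryServices.ActiveDirectory.Forest` API on the example.local domain controller (Enterprise Admins rights; corp.example.com must already resolve through the conditional forwarder from Step 1). Part 2 calls the AWS CLI `aws ds create-trust` command, which is the API behind the **Add trust relationship** dialog; it assumes the CLI is installed and configured with credentials permitted to call it, in the primary Region if Multi-Region replication is enabled. The directory ID `d-EXAMPLE` and the DNS address `10.0.0.50` are placeholders.

```powershell
# Added example (not from the AWS tutorial): create the two-way forest trust
# from both sides. Forest-wide authentication (the tutorial's choice) is the
# default on both sides, so selective authentication is not enabled anywhere.

# --- Part 1: local side of the trust, run on the example.local DC -------------
Add-Type -AssemblyName System.DirectoryServices
# The .NET API and the AWS CLI both need the password as a plain string. Prompt
# for it so it is not stored in the script; the same value is used in Part 2.
$trustPassword = Read-Host -Prompt 'Trust password (used on both sides)'

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Equivalent of the wizard: Forest trust, Two-way, This domain only, no confirmation.
$localForest.CreateLocalSideOfTrustRelationship(
    'corp.example.com',
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional,
    $trustPassword)

# Returns $false: selective authentication is off, i.e. forest-wide authentication.
$localForest.GetSelectiveAuthenticationStatus('corp.example.com')

# --- Part 2: AWS Managed Microsoft AD side, via the AWS CLI -------------------
$directoryId       = 'd-EXAMPLE'    # PLACEHOLDER: directory ID of corp.example.com
$exampleLocalDnsIp = '10.0.0.50'    # PLACEHOLDER: IPv4 address of the example.local DNS server

# --trust-type and --trust-direction must match Part 1 (Forest, Two-Way).
# --conditional-forwarder-ip-addrs creates the corp.example.com -> example.local
# forwarder, the counterpart of the one you built in Step 1.
# Note: the password appears on the command line here, so run this from an
# interactive session rather than a saved script or shared shell history.
$trustId = aws ds create-trust `
    --directory-id $directoryId `
    --remote-domain-name 'example.local' `
    --trust-password $trustPassword `
    --trust-direction 'Two-Way' `
    --trust-type 'Forest' `
    --conditional-forwarder-ip-addrs $exampleLocalDnsIp `
    --query 'TrustId' --output text

"Created trust $trustId"   # t-xxxxxxxxxx; keep it for the verification step
```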

# Step 3: Verify the trust
<a name="microsoftadtruststep3"></a>

In this section, you test whether the trusts were set up successfully between your AWS Managed Microsoft AD and the Active Directory forest on Amazon EC2.

**To verify the trust**

1. Open the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/).

1. Choose the **corp.example.com** directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the primary Region, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Trust relationships** section, select the trust relationship you just created.

1. Choose **Actions**, and then choose **Verify trust relationship**.

Once the verification has completed, you should see **Verified** displayed under the **Status** column. 
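The console check above exercises the AWS side only. The following added example (not part of the AWS tutorial) verifies the trust from both ends: Part 1 runs on the example.local domain controller with the ActiveDirectory module and the built-in `netdom` tool, Part 2 uses the AWS CLI `describe-trusts` and `verify-trust` commands, which are what the **Verify trust relationship** action calls. The directory ID `d-EXAMPLE` is a placeholder.

```powershell
# Added example (not from the AWS tutorial): verify the forest trust from both sides.

# --- Part 1: Windows side, run on the example.local DC -------------------------
# The trust object as stored in example.local. Expected values for this lab:
# Direction BiDirectional, ForestTransitive True, SelectiveAuthentication False
# (forest-wide authentication), TrustType Uplevel.
Get-ADTrust -Filter "Target -eq 'corp.example.com'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, TrustType

# Exercise the trust's secure channel rather than just reading the object.
# netdom reports whether the secure channel to the remote domain could be verified.
netdom trust example.local /domain:corp.example.com /verify

# --- Part 2: AWS side, run where the AWS CLI is configured -------------------
$directoryId = 'd-EXAMPLE'   # PLACEHOLDER: directory ID of corp.example.com

# Look up the trust created for example.local and ask AWS to verify it.
$trustId = aws ds describe-trusts --directory-id $directoryId `
    --query "Trusts[?RemoteDomainName=='example.local'].TrustId | [0]" --output text
aws ds verify-trust --trust-id $trustId | Out-Null

# Verification is asynchronous: poll TrustState until it leaves the transitional
# states. 'Verified' is the success state; 'VerifyFailed' means a side disagrees
# (password, type or direction) or DNS/security-group connectivity is missing.
do {
    Start-Sleep -Seconds 10
    $state = aws ds describe-trusts --directory-id $directoryId --trust-ids $trustId `
        --query 'Trusts[0].TrustState' --output text
    "TrustState: $state"
} while ($state -in @('Creating', 'Created', 'Verifying'))

if ($state -ne 'Verified') {
    # StateLastUpdatedDateTime and TrustStateReason explain a failed verification.
    aws ds describe-trusts --directory-id $directoryId --trust-ids $trustId `
        --query 'Trusts[0].[TrustState,TrustStateReason]' --output text
}
```

If `netdom` succeeds but AWS reports `VerifyFailed`, the usual cause is the conditional forwarder on the AWS side pointing at the wrong example.local address, or the directory security group's outbound rules from Step 1 not yet in place.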

Congratulations on completing this tutorial! You now have a fully functional multiforest Active Directory environment from which you can begin testing various scenarios. Additional test lab tutorials are planned in 2018, so check back on occasion to see what's new.