How do I diagnose trust creation issues between AWS Managed Microsoft AD and a Microsoft Active Directory?


I want to diagnose trust creation issues between an AWS Directory Service for Microsoft Active Directory and a Microsoft Active Directory.

Short description

Use the AWS Systems Manager AWSSupport-TroubleshootDirectoryTrust runbook to diagnose trust creation issues between these directories.

Resolution

Prerequisites

Before you start the runbook, make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see Required IAM permissions in AWSSupport-TroubleshootDirectoryTrust.

Example inline policy with the required permissions attached to an IAM user or role:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ds:DescribeTrusts",
            "ds:DescribeConditionalForwarders",
            "ds:DescribeDirectories",
            "ds:ListIpRoutes",
            "ec2:DescribeSubnets",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeSecurityGroups"
        ],
        "Resource": "*"
    }]
}

Note: To invoke other services, you must give permission to the IAM service role that the Automation workflow uses. This requirement also applies to any custom runbooks that use actions to invoke other AWS services. For more information, see Creating your own runbooks.

Run the AWSSupport-TroubleshootDirectoryTrust automation runbook

1. Open the AWSSupport-TroubleshootDirectoryTrust runbook in the Systems Manager console.

2. For Input parameters, enter these parameters:

  • AutomationAssumeRole (optional): The ARN of the IAM role that allows automation to perform actions for you. If you don't specify a role, then automation uses the permissions of the user who starts the runbook.
  • DirectoryId (required): The ID of the Managed Microsoft AD to troubleshoot. Allowed pattern: ^d-[a-z0-9]{10}$
  • RemoteDomainCidrs (required): The CIDRs of the remote domain that you're establishing a trust relationship with. You can add multiple CIDRs with comma-separated values. For example, 172.31.48.0/20, 192.168.1.10/32. Allowed pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[1-9]))$
  • RemoteDomainName (required): The FQDN of the remote domain that you're establishing a trust relationship with.
  • RequiredTrafficACL (required): The Directory Service inbound and outbound Network ACL traffic requirements. Default required ports: {"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}
  • RequiredTrafficSG (required): The Directory Service inbound and outbound security group traffic requirements. Default required ports: {"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}
  • TrustId (optional): The ID of the trust relationship to troubleshoot.

3. Choose Execute. The runbook performs these steps:

  • aws:assertAwsResourceProperty: Confirms that the directory type is AWS Managed Microsoft AD.
  • aws:executeAwsApi: Gets information about the AWS Managed Microsoft AD.
  • aws:branch: Branches automation when a value is provided for the TrustId input parameter.
  • aws:executeAwsApi: Gets information about the trust relationship.
  • aws:executeAwsApi: Gets the conditional forwarder DNS IP addresses for the RemoteDomainName.
  • aws:executeAwsApi: Gets information about IP address routes that you added to the AWS Managed Microsoft AD.
  • aws:executeAwsApi: Gets the CIDRs of the AWS Managed Microsoft AD subnets.
  • aws:executeAwsApi: Gets information about the security groups that are associated with the AWS Managed Microsoft AD.
  • aws:executeAwsApi: Gets information about the network access control lists (network ACLs) that are associated with the AWS Managed Microsoft AD.
  • aws:executeScript: Confirms that the RemoteDomainCidrs are valid values. Confirms that the AWS Managed Microsoft AD has conditional forwarders for the RemoteDomainCidrs. Confirms that you added the necessary IP address routes to the AWS Managed Microsoft AD when the RemoteDomainCidrs are non-RFC 1918 IP addresses.
  • aws:executeScript: Evaluates security group rules.
  • aws:executeScript: Evaluates network ACLs.

4. After the runbook completes, check the details of all the listed resources in the runbook's Output section:

  • evalDirectorySecurityGroup.output: Evaluation of whether the security group rules that are associated with the AWS Managed Microsoft AD allow the necessary traffic for trust creation.
  • evalAclEntries.output: Evaluation of whether the network ACLs that are associated with the AWS Managed Microsoft AD allow the necessary traffic for trust creation.
  • evaluateRemoteDomainCidr.output: Evaluation of whether the RemoteDomainCidrs are valid values. Confirms that the AWS Managed Microsoft AD has conditional forwarders for the RemoteDomainCidrs. Confirms that you added the necessary IP address routes to the AWS Managed Microsoft AD when the RemoteDomainCidrs are non-RFC 1918 IP addresses.
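The following Python script is an added example and is not code from the runbook or from AWS. It reproduces, offline, the three checks that the aws:executeScript steps and the Output section describe: it validates RemoteDomainCidrs against the allowed pattern shown above, lists the CIDRs outside RFC 1918 space that need IP routes, and evaluates security group ingress rules against the default RequiredTrafficSG value. The ingress rules are constructed sample data in the shape that the EC2 DescribeSecurityGroups API returns. The coverage rule used here (a single ingress rule must span the whole required port range for each remote CIDR) is an assumption; the runbook's own evaluation logic isn't published on this page.

```python
"""Offline pre-check of the inputs that AWSSupport-TroubleshootDirectoryTrust evaluates.

Added example, not the runbook's own code. The coverage rule (one ingress rule must
span the whole required range) is an assumption about how the runbook evaluates.
"""
import ipaddress
import json
import re

# Allowed pattern for each RemoteDomainCidrs entry, copied from the runbook's input description.
CIDR_PATTERN = re.compile(
    r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
    r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
    r"(\/(3[0-2]|[1-2][0-9]|[1-9]))$"
)

# Default RequiredTrafficSG value from the runbook; only the inbound side is evaluated here.
REQUIRED_TRAFFIC = json.loads(
    '{"inbound":{"tcp":[[53,53],[88,88],[135,135],[389,389],[445,445],[464,464],'
    '[636,636],[1024,65535]],"udp":[[53,53],[88,88],[123,123],[138,138],[389,389],'
    '[445,445],[464,464]],"icmp":[[-1,-1]]},"outbound":{"-1":[[0,65535]]}}'
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_remote_domain_cidrs(value):
    """Split the comma-separated RemoteDomainCidrs input and validate every entry
    against the runbook's allowed pattern. Raises ValueError on the first bad entry."""
    cidrs = []
    for raw in value.split(","):
        cidr = raw.strip()
        if not CIDR_PATTERN.match(cidr):
            raise ValueError(f"RemoteDomainCidrs entry does not match allowed pattern: {cidr!r}")
        cidrs.append(cidr)
    return cidrs


def cidrs_needing_ip_routes(cidrs):
    """Return the remote CIDRs outside RFC 1918 space. AWS Managed Microsoft AD reaches
    those only when IP routes were added for them, which is what the runbook confirms."""
    return [c for c in cidrs
            if not any(ipaddress.ip_network(c, strict=False).subnet_of(p) for p in RFC1918)]


def _rule_covers(rule, proto, lo, hi, remote):
    """True if one ingress rule (DescribeSecurityGroups shape) admits proto lo-hi from remote."""
    if rule["IpProtocol"] != "-1":                      # "-1" means all protocols and ports
        if rule["IpProtocol"] != proto:
            return False
        # ICMP "all types" is expressed as -1/-1 on both sides, so the same comparison works.
        if not (rule.get("FromPort", -1) <= lo and rule.get("ToPort", -1) >= hi):
            return False
    remote_net = ipaddress.ip_network(remote, strict=False)
    return any(remote_net.subnet_of(ipaddress.ip_network(r["CidrIp"], strict=False))
               for r in rule.get("IpRanges", []))


def evaluate_security_group(ingress_rules, remote_cidrs, required=REQUIRED_TRAFFIC):
    """Return (protocol, from_port, to_port, remote_cidr) tuples that no ingress rule admits.
    An empty list means the group allows all trust creation traffic from the remote domain."""
    missing = []
    for proto, ranges in required["inbound"].items():
        for lo, hi in ranges:
            for remote in remote_cidrs:
                if not any(_rule_covers(r, proto, lo, hi, remote) for r in ingress_rules):
                    missing.append((proto, lo, hi, remote))
    return missing


# Constructed sample input: one RFC 1918 remote subnet and one /32 that needs an IP route.
SAMPLE_REMOTE_CIDRS = "172.31.48.0/20, 203.0.113.10/32"

# Constructed ingress rules. They deliberately omit UDP 88 (Kerberos) and ICMP entirely,
# and open the TCP 1024-65535 ephemeral range for the /32 host only.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 636,
     "IpRanges": [{"CidrIp": "172.31.48.0/20"}, {"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "172.31.48.0/20"}, {"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "udp", "FromPort": 123, "ToPort": 464,
     "IpRanges": [{"CidrIp": "172.31.48.0/20"}, {"CidrIp": "203.0.113.10/32"}]},
]

if __name__ == "__main__":
    cidrs = parse_remote_domain_cidrs(SAMPLE_REMOTE_CIDRS)
    print("Remote CIDRs:", cidrs)
    print("Need IP routes (non-RFC 1918):", cidrs_needing_ip_routes(cidrs))
    for proto, lo, hi, remote in evaluate_security_group(SAMPLE_INGRESS, cidrs):
        print(f"MISSING: {proto} {lo}-{hi} from {remote}")
```

Running the script as written reports TCP 1024-65535 missing for 172.31.48.0/20, UDP 88 missing for both remote CIDRs, and ICMP missing for both; fixing those four rules before you run the runbook saves a round trip through the evalDirectorySecurityGroup.output step.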

Note: To help you troubleshoot, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the Systems Manager provided predefined runbooks. These runbooks are prefixed with "AWSSupport-" or "AWSPremiumSupport-".

Related information

Run an automation

Setting up Automation