Can't create one-way trust

0

Hello,

I'm trying to create a one-way forest trust between our AWS Managed AD and our on-premise domain, but when creating the one-way trust in the Directory Services console, it fails. I'm following this guide: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust_create.html. I have thoroughly read and re-run the tutorial, and deleted and re-created the trust, but it keeps failing. Is there a fix or workaround for this? The error message that I get is "Trust relationship status failed: The remote domain is not reachable. Please ensure your security group settings are correct and your conditional forwarder is configured properly". I've checked and verified the security group and that the ports (from the tutorial) allow incoming traffic from our domain, and outbound is open to all. I've also checked with our security team to make sure our on-prem firewall isn't blocking traffic from 172.24.0.0/16 (the Managed AD CIDR) to our domain. The conditional forwarders are configured correctly on our on-prem DNS as well as in the Managed AD DNS settings. I can ping the AWS Managed AD from our domain, and I can ping our domain from an EC2 instance joined to the Managed AD.

Any help is appreciated!

asked 4 years ago, 897 views
2 Answers
0

The part we were missing was adding IP routing (our on-premise network is in a public IP CIDR range) under the Networking & Security tab in Directory Service; you can read about it at https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html, step 10 under "Create, Verify, or Delete a Trust Relationship".

answered 4 years ago
0

In addition, if anyone runs into an issue creating a trust, it's good to note that the Managed AD security group assigned to your directory only allows outbound communication to itself. If you need to create a trust, you will need to add a rule that allows outbound communication to the domain controllers that you are creating the trust with. This needs to be done before creating your conditional forwarder as well, or you will get a failure when creating the trust due to communication issues.

AWS
EXPERT
Rob_H
answered 2 years ago
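The second answer's point, that the directory's security group only permits egress to itself and so never reaches the on-prem domain controllers, can be checked offline before touching the console. The following is an added example written for this page, not code from AWS or from either answer. It takes the egress rules of a security group in the shape returned by the EC2 `describe-security-groups` API (`IpPermissionsEgress`), compares them against the port list the AWS trust tutorial requires between Managed AD and the on-prem domain controllers, and reports which entries are not covered for a given on-prem DC address. The port table is reproduced from the tutorial from memory and should be verified against the current doc page; the security-group rules, the `sg-` id and the 203.0.113.0/24 on-prem range are constructed sample values. The IP-route entry from the first answer is a separate Directory Service setting and is not checked here.

```python
"""Check whether a Managed AD security group's egress rules reach the on-prem DCs on trust ports."""
import ipaddress

# Ports the AWS trust tutorial requires between Managed AD and the on-prem domain controllers.
# Reproduced from the tutorial's port table; verify against the current documentation page.
# Each entry is (protocol, first port, last port).
REQUIRED = [
    ("tcp", 53, 53), ("udp", 53, 53),        # DNS
    ("tcp", 88, 88), ("udp", 88, 88),        # Kerberos
    ("udp", 123, 123),                       # NTP
    ("tcp", 135, 135),                       # RPC endpoint mapper
    ("tcp", 389, 389), ("udp", 389, 389),    # LDAP
    ("tcp", 445, 445),                       # SMB
    ("tcp", 464, 464), ("udp", 464, 464),    # Kerberos password change
    ("tcp", 636, 636),                       # LDAPS
    ("tcp", 3268, 3269),                     # Global catalog
    ("tcp", 49152, 65535),                   # RPC dynamic port range
]

# Constructed sample values (not from the page): the directory's own security group id,
# an on-prem DC in the documentation range 203.0.113.0/24, and the Managed AD CIDR from the question.
MANAGED_AD_SG_ID = "sg-0123456789abcdef0"
ONPREM_DC_CIDR = "203.0.113.0/24"
ONPREM_DC_IP = "203.0.113.10"

# Constructed: the default egress rule set described in the answer, which only allows
# traffic to the security group itself (a UserIdGroupPairs reference, not a CIDR).
DEFAULT_MANAGED_AD_EGRESS = [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": MANAGED_AD_SG_ID}]},
]


def _rule(proto, lo, hi, cidr):
    """Build one egress rule in the EC2 IpPermissionsEgress shape."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi, "IpRanges": [{"CidrIp": cidr}]}


# Constructed: the default rules plus one CIDR rule per required entry towards the on-prem DCs.
TRUST_READY_EGRESS = DEFAULT_MANAGED_AD_EGRESS + [
    _rule(proto, lo, hi, ONPREM_DC_CIDR) for proto, lo, hi in REQUIRED
]


def rule_covers(rule, proto, lo, hi, dst_ip):
    """True if this egress rule allows proto ports lo..hi to dst_ip via a CIDR range.

    Rules that reference another security group (UserIdGroupPairs) are ignored on purpose:
    an on-prem DC is never a member of an AWS security group, so such rules do not help.
    """
    ip_proto = rule.get("IpProtocol")
    if ip_proto not in ("-1", proto):          # "-1" means all protocols and all ports
        return False
    if ip_proto != "-1":
        if not (rule.get("FromPort", 0) <= lo and hi <= rule.get("ToPort", 65535)):
            return False
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def missing_egress(egress_rules, dst_ip):
    """Return the REQUIRED entries that no egress rule permits towards dst_ip."""
    return [
        (proto, lo, hi)
        for proto, lo, hi in REQUIRED
        if not any(rule_covers(r, proto, lo, hi, dst_ip) for r in egress_rules)
    ]


def authorize_commands(sg_id, cidr, missing):
    """Render the AWS CLI calls that would add the missing egress rules, for review."""
    return [
        "aws ec2 authorize-security-group-egress --group-id {} --protocol {} --port {} --cidr {}".format(
            sg_id, proto, lo if lo == hi else "{}-{}".format(lo, hi), cidr
        )
        for proto, lo, hi in missing
    ]


if __name__ == "__main__":
    gaps = missing_egress(DEFAULT_MANAGED_AD_EGRESS, ONPREM_DC_IP)
    print("Uncovered trust ports towards", ONPREM_DC_IP, "with the default rules:", len(gaps))
    for cmd in authorize_commands(MANAGED_AD_SG_ID, ONPREM_DC_CIDR, gaps):
        print(cmd)
    print("Uncovered with the trust-ready rules:", missing_egress(TRUST_READY_EGRESS, ONPREM_DC_IP))
```

To run it against a real directory, replace the constructed rule lists with the `IpPermissionsEgress` array from `aws ec2 describe-security-groups --group-ids <the directory's sg id>` and set `ONPREM_DC_IP` to one of the on-prem domain controllers named in the conditional forwarder. The check also catches a subtle variant of the same mistake: an egress rule whose CIDR is the Managed AD range itself (172.24.0.0/16 in the question) looks permissive but still does not reach the on-prem DCs.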
