Two way trust with on-prem domain fails on AWS side

1

I have an on premise domain controller i'm using to test migrating to Managed Microsoft AD.

We have a site-to-site VPN up on our Meraki MX68 and it's active to our VPC where the domain controller lives and all traffic is allowed in and out for the on-prem IP subnet. I added the two way trust in the on-prem DC but when I try to add the trust to AWS it says the domain controller is unreachable. YET, I'm able to ping my domain controller, RDP to it and browse the directory from an instance in EC2 on the same subnet (once authenticated). the ONLY think I can't do is ping the secondary IP address of the managed domain because that tunnel is down BUT I can ping and reach the primary one.

Subnet of VPC 172.16.0.0/24 Subnet of on-prem DC 192.168.128.0/24

Neither of these are publicly routed so i'm a bit confused. (Yes these routes are propagated in the routing table).

What am I doing wrong here?

ACLs and Secruity groups all have the same IP range allowed for the on-prem internal subnets inbound and outbound, Firewall is off on the domain controller that's on-prem, the IP I set for the conditional forwarder matches the on-prem DC.

Any assistance would be greatly appreciated.

1 Answer
0

Here is our public documentation on how to troubleshoot trust creation failures. It includes some common failure patterns.
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_troubleshooting_trusts.html

At the end of the document you will see a reference to this SSM document. It was written by AWS support to help verify many settings that can block trust creation.
https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awssupport-troubleshootdirectorytrust.html

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions