AWS Managed MS AD DNS forwarder to EC2 domain instance


I am trying to set up an environment to replicate my on-prem environment.
VPC 1 has 2 EC2 instances, one with Microsoft AD installed. The other instance is added to this domain. I am able to log in with domain credentials. The domain is 'manual.test.local'.
VPC 2 has an AWS Managed MS AD and one EC2 instance, joined to this domain. The domain is ''.
Both VPCs are peered, and all ports on the DCs are able to be connected to (only tested TCP ones).
I want to set up a one-way trust from the AWS managed instance.
I set up a conditional forwarder from each domain to the other.
From VPC 1 I am able to resolve names in the AWS Managed domain.
From VPC 2 I am NOT able to resolve names in the manually installed EC2 domain.
I don't believe that it is a security group issue.
If I perform an nslookup from the EC2 instance in VPC 2 to the other domain (manual.test.local) using just the AWS managed DNS servers, this fails. If I set the DNS server to be queried to the DC running manual.test.local, this resolves as expected.
I have not put anything in Route 53.
Do I need to create a Route 53 Resolver record? If so, is this because it is the AWS Managed domain?


asked 4 years ago
1 Answer


I resolved this myself (after not following my own advice).
It WAS an issue with the security group.
The managed directory service's security group sets outbound connections to be allowed only to the domain controllers that it created.
I added a rule to allow all ports out to the DC that I am trying to get to, and all was good.
Able to create and verify trusts.


answered 4 years ago
reviewed 2 years ago
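The answer above fixes the problem by allowing all outbound traffic from the managed directory's security group to the other DC. A tighter fix is to open only the ports a trust and DNS conditional forwarding actually use. The script below is an added example, not code from the original post or from AWS: it takes a list of a security group's egress rules, reports which required (protocol, port range) entries are not covered for the target DC's IP, and builds the `IpPermissions` list in the shape `ec2.authorize_security_group_egress(GroupId=..., IpPermissions=...)` accepts. The port list is the commonly documented set for a Microsoft AD trust (an assumption to confirm against the AWS Managed Microsoft AD trust prerequisites); the security group rules and the 10.1.0.10 / 10.2.0.x addresses are constructed samples standing in for the DC in VPC 1 and the managed DCs in VPC 2.

```python
"""Check a security group's egress rules against the ports an AD trust needs.

Added example; not from the original post. The port list is the set commonly
required for a Microsoft AD forest/external trust plus DNS conditional
forwarding (assumption: verify against the AWS Managed Microsoft AD trust
prerequisites for your deployment). Addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# (protocol, from_port, to_port) the managed DCs must reach on the other DC.
TRUST_PORTS = [
    ("tcp", 53, 53), ("udp", 53, 53),        # DNS (conditional forwarders)
    ("tcp", 88, 88), ("udp", 88, 88),        # Kerberos
    ("tcp", 135, 135),                       # RPC endpoint mapper
    ("tcp", 389, 389), ("udp", 389, 389),    # LDAP
    ("tcp", 445, 445),                       # SMB / Netlogon
    ("tcp", 464, 464), ("udp", 464, 464),    # Kerberos password change
    ("tcp", 636, 636),                       # LDAPS
    ("tcp", 49152, 65535),                   # RPC dynamic port range
]


@dataclass(frozen=True)
class EgressRule:
    """One security-group egress rule. protocol "-1" means all traffic."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


def rule_covers(rule: EgressRule, proto: str, lo: int, hi: int, dst_ip: str) -> bool:
    """True if this single rule allows proto ports lo..hi to dst_ip."""
    if ip_address(dst_ip) not in ip_network(rule.cidr):
        return False
    if rule.protocol == "-1":          # all protocols, all ports
        return True
    return rule.protocol == proto and rule.from_port <= lo and rule.to_port >= hi


def missing_egress(rules, dst_ip):
    """Required (proto, lo, hi) entries that no single rule in `rules` covers.

    Conservative on purpose: a range split across two rules is still reported.
    """
    return [
        (proto, lo, hi)
        for proto, lo, hi in TRUST_PORTS
        if not any(rule_covers(r, proto, lo, hi, dst_ip) for r in rules)
    ]


def permissions_to_add(rules, dst_ip, note="AD trust to on-prem DC"):
    """IpPermissions list in the shape ec2.authorize_security_group_egress expects."""
    return [
        {
            "IpProtocol": proto,
            "FromPort": lo,
            "ToPort": hi,
            "IpRanges": [{"CidrIp": f"{dst_ip}/32", "Description": note}],
        }
        for proto, lo, hi in missing_egress(rules, dst_ip)
    ]


# Constructed sample: what the managed directory's security group allows out
# by default in the scenario above, i.e. everything, but only to its own DCs.
MANAGED_DC_EGRESS = [
    EgressRule("-1", -1, -1, "10.2.0.10/32"),
    EgressRule("-1", -1, -1, "10.2.0.11/32"),
]
ONPREM_DC = "10.1.0.10"   # the manually built DC in the other VPC (constructed)

if __name__ == "__main__":
    for entry in missing_egress(MANAGED_DC_EGRESS, ONPREM_DC):
        print("missing:", entry)
    fixed = MANAGED_DC_EGRESS + [EgressRule("-1", -1, -1, f"{ONPREM_DC}/32")]
    print("after allow-all-to-DC rule:", missing_egress(fixed, ONPREM_DC))
```

Run it against the real rules by feeding `describe_security_groups` output into `EgressRule` objects (the managed directory's group is the one tagged with the directory ID). The empty list after adding the allow-all rule reproduces the answer's fix; handing `permissions_to_add(...)` to `authorize_security_group_egress` instead opens only the listed ports to the single DC address, which is the least-privilege version of the same change. The same check applies to the security group on the VPC 1 DC in the inbound direction.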
