Microsoft AD on AWS, Prepare On-Prem AD for 2 Way Trust
Microsoft AD creates a fully managed Microsoft Active Directory in the AWS cloud; it is powered by Windows Server 2012 R2 and operates at the 2012 R2 functional level.
When you create a directory with Microsoft AD, AWS Directory Service creates two domain controllers and adds the DNS service on your behalf.
The domain controllers are created in different subnets in a VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs. If you need more domain controllers, you can add them later.
What gets created?
- AWS Directory Service creates two domain controllers and adds the DNS service on your behalf.
- Creates a new AWS Reserved OU to store all AWS-specific accounts.
- Creates a security group for the domain controllers.
Preparing On-Prem AD for 2-way Trust
- Configure the on-premises firewall so that the following ports are open to the CIDRs for all subnets used by the VPC that contains your Microsoft AD.
- Allow both incoming and outgoing traffic from 10.0.0.0/16 (the CIDR block of our Microsoft AD’s VPC) on the following ports:
  - TCP/UDP 53 – DNS
  - TCP/UDP 88 – Kerberos authentication
  - TCP/UDP 389 – LDAP
  - TCP 445 – SMB
- Ensure that Kerberos pre-authentication is enabled.
- Configure DNS conditional forwarders for your on-premises domain.
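As an added worked example (not from this post or from AWS), the following PowerShell pre-flight script checks or performs the three preparation steps above from an on-premises domain controller with RSAT installed; the managed AD domain name and its domain-controller addresses are assumed placeholders.

```powershell
# Added example, not the post's or AWS's own code. ASSUMED placeholders:
# the managed AD domain name and the IPs of its two DCs inside 10.0.0.0/16.
$ManagedAdDomain     = 'corp.example.com'          # placeholder
$ManagedAdDnsServers = @('10.0.1.10', '10.0.2.10') # placeholder DC IPs

Import-Module ActiveDirectory
Import-Module DnsServer

# Step 1: verify the firewall path on the ports the post lists.
# Test-NetConnection exercises TCP only; the UDP side of 53/88/389 is
# covered by the DNS lookup at the end of the script.
$Ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($dc in $ManagedAdDnsServers) {
    foreach ($port in $Ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port `
               -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0}:{1} ({2}) TCP reachable={3}" -f $dc, $port, $Ports[$port], $ok
    }
}

# Step 2: accounts with Kerberos pre-authentication disabled
# (userAccountControl DONT_REQ_PREAUTH) violate the trust prerequisite and
# weaken those accounts against offline password guessing; report them.
$noPreAuth = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
                        -Properties DoesNotRequirePreAuth
if ($noPreAuth) {
    "Accounts without Kerberos pre-authentication (remediate before trust):"
    $noPreAuth | Select-Object SamAccountName, DistinguishedName
    # Once the account owner confirms, re-enable pre-authentication:
    # $noPreAuth | Set-ADAccountControl -DoesNotRequirePreAuth $false
} else {
    "All accounts require Kerberos pre-authentication."
}

# Step 3: conditional forwarder so on-prem DNS resolves the managed AD domain
# through its two domain controllers, replicated to all forest DNS servers.
if (-not (Get-DnsServerZone -Name $ManagedAdDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ManagedAdDomain `
        -MasterServers $ManagedAdDnsServers -ReplicationScope 'Forest'
}

# Confirm the forwarder works: the Kerberos SRV record of the managed domain
# must resolve before the trust can be created.
Resolve-DnsName -Name "_kerberos._tcp.$ManagedAdDomain" -Type SRV
```

Run it as a Domain Admin on an on-premises DC after the firewall change; a failed TCP test on any port or an unresolved SRV record means the corresponding step is not finished.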