Microsoft AD creates a fully managed Microsoft Active Directory in the AWS cloud. It is powered by Windows Server 2012 R2 and operates at the 2012 R2 functional level.

When you create a directory with Microsoft AD, AWS Directory Service creates two domain controllers and adds the DNS service on your behalf.

The domain controllers are created in different subnets in a VPC; this redundancy helps ensure that your directory remains accessible even if a failure occurs. If you need more domain controllers, you can add them later.

What gets created?

  • AWS Directory Service creates two domain controllers and adds the DNS service on your behalf.

  • Creates a new AWS Reserved OU to store all AWS-specific accounts.

  • Creates a security group for the domain controllers.

Preparing On-Prem AD for 2-way Trust

  1. Configure the on-premises firewall so that the following ports are open to the CIDRs of all subnets used by the VPC that contains your Microsoft AD.
  2. Allow both incoming and outgoing traffic from 10.0.0.0/16 (the CIDR block of our Microsoft AD's VPC) on the following ports:
    • TCP/UDP 53 – DNS

    • TCP/UDP 88 – Kerberos authentication

    • TCP/UDP 389 – LDAP

    • TCP 445 – SMB

  3. Ensure that Kerberos pre-authentication is enabled.

  4. Configure DNS conditional forwarders for your on-premises domain.
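As an added example (not code from this post or from AWS), here is a small audit of an on-premises firewall rule export against the port list above: it reports required protocol/port pairs that are not allowed to or from the Microsoft AD VPC CIDR, and flags rules that cover that CIDR but admit far more (such as 0.0.0.0/0). The `Rule` format and the sample rule set are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# (protocol, port, service) pairs the post lists for the 2-way trust.
REQUIRED = [("tcp", 53, "DNS"), ("udp", 53, "DNS"),
            ("tcp", 88, "Kerberos"), ("udp", 88, "Kerberos"),
            ("tcp", 389, "LDAP"), ("udp", 389, "LDAP"),
            ("tcp", 445, "SMB")]
# CIDR block of the Microsoft AD VPC, as given in the post.
TRUST_CIDR = ipaddress.ip_network("10.0.0.0/16")

Rule = namedtuple("Rule", "direction proto port cidr")

# Constructed sample export of on-prem firewall rules (hypothetical, not from
# the post): the UDP/389 pair is missing and inbound SMB is open to the whole
# Internet instead of only the VPC CIDR.
SAMPLE_RULES = [
    Rule(d, p, port, "10.0.0.0/16")
    for d in ("in", "out")
    for p, port in (("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88), ("tcp", 389))
] + [Rule("in", "tcp", 445, "0.0.0.0/0"), Rule("out", "tcp", 445, "10.0.0.0/16")]


def audit(rules, trust_cidr=TRUST_CIDR, required=REQUIRED):
    """Return (missing, overbroad): required (direction, proto, port, service)
    entries that no rule covers for trust_cidr, and rules that cover it but
    admit more than it (e.g. 0.0.0.0/0), so the trust works but exposure is
    wider than the post's guidance requires."""
    missing, overbroad = [], []
    for proto, port, service in required:
        for direction in ("in", "out"):
            covering = [r for r in rules
                        if (r.direction, r.proto, r.port) == (direction, proto, port)
                        and trust_cidr.subnet_of(ipaddress.ip_network(r.cidr))]
            if not covering:
                missing.append((direction, proto, port, service))
            overbroad += [r for r in covering
                          if ipaddress.ip_network(r.cidr) != trust_cidr]
    return missing, overbroad


if __name__ == "__main__":
    gaps, wide = audit(SAMPLE_RULES)
    for g in gaps:
        print("MISSING  %-3s %s/%d (%s)" % g)
    for r in wide:
        print("TOO WIDE %-3s %s/%d allows %s" % (r.direction, r.proto, r.port, r.cidr))
```

Scope the allow rules to the VPC CIDR only; anything broader still lets the trust work but is reported as "TOO WIDE" so it can be tightened before the trust goes live.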

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma, Hands-On Technology Architect, Clean Air Activist.