Skip to main content

How to Configure AWS Active Directory Conditional Forwarders for a Trust between Your AWS Managed Microsoft AD and On-Premises Domain

As you get started. Make sure your VPC configurations for Inbound and Outbound traffic are correct.

If you are using a VPN. Make sure the AWS CIDR and your Local CIDR's are there. The local CIDR range is also your local AWS CIDR, not just your on-premise CIDR block range.

1. In order to establish a connection between your on-premises Active Directory and the AWS Cloud AWS Managed Microsoft Active Directory you must setup both the on-premise server (LOCALDOMAIN.COM) and your AWS Domain (AWSDOMAIN.LOCAL).

2. Create an AWS EC2 VM that will be joined to your awsdomain.local domain. After you have created the VM. Login to the VM and add the DNS addresses that are listed for AWSDOMAIN.LOCAL in the AWS Directory Service. Do an ipconfig /all to make sure that the DNS IP addresses are correct or nslookup will fail.



3. FYI. You cannot RDP into the AWS DC's for the AWS Managed Microsoft AD. You have to use the Server Manager Tools on the server that is joined to the the AWSDomain.Local.



4. Join the machine to your AWS Domain. The default username is "admin" and not "administrator". Then reboot the computer.

Right-click on Conditional Forwarder and then select New Conditional Forwarder



5. Configure your domain that will be used for the trust so that it can talk from your domain.


6. Run PowerShell or CMD Prompt as an administrator and run ipconfig /flushdns

7. Now ping the domain (FYI. It takes a few minutes. Relax). ping the domain name (e.g. ping awsisyourfriend.local) and you should get the ip address back that you put as the IP addresses of the master servers (domain IP's). DNS Settings are here with the arrow.

Image sanitized.


8. After you are able to ping the DNS IP addresses. Do an nslookup awsisyourfriend.local. Now you will get a response something like

C:\Windows\system32>nslookup awsisyourfriend.local
Server:  dc.onpremisedomain.com
Address:  172.55.8.8

Non-authoritative answer:
Name:    awsisyourfriend.local
Addresses:  8.8.8.8
          8.8.4.4

9. Next. Open your Active Directory Domains and Trusts and start the setup of the trust.

Note: URL if you have time. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust_create.html

Pics below for us that need to Get it Done!


10. Type the domain

11. Click Forest Trust


12. Two-Way


13. This Domain Only


14. Forest-wide authentication


15. Trust Password (NOTE: This is the password that you set up with the creation of the AWS Managed Microsoft AD).


16. Do not confirm the Outgoing or Incoming Trust (select No)


11. Now the on-premises side of the AD Domain Trust (Two-Way) is done.



12. Do the AWS Side now.


13. Note: You cannot create the trust from within the Windows OS on AWS. You must do it through the AWS Console. If you attempt to do it from the OS. You will get an error that says Access Denied!

14. If you have done everything correctly. You will get rewarded with a "Verified" green check mark!




AWS Articles:



Popular posts from this blog

How to Login to AWS using CLI with AzureSSO through Azure Active Directory

Testing on Windows 10 Release 1909  Prerequisite (Install Visual Studio Code and the AWS CLI if you don't have it already installed and your Azure Active Directory is already configured and processing authentication) 1. Install Node.Js https://nodejs.org/en/ (Use the LTS Edition/Version) 2. Check the node version in PowerShell or Windows Terminal: node --version && npm --version 3. npm install -g aws-azure-login *install will take about 15-20 minutes. Be patient and let it finish.  4. Configure your profile aws-azure-login --configure --profile=<<Name of your profile>> Example:  aws-azure-login --configure --profile=migrationking Pro Tip: It installs the profile on your machine under ~/.aws/config . You can edit the file with Visual Studio Code or Notepad++ #This will prompt to Enter the Azure AD details *** Azure Tenant ID: << Enter the Azure AD Tenant ID from the Azure AD application configuration for the AWS Account to be accessed>> Azure Tenant I

How to Fix /storage/core filesystem Out of Disk Space Error on VCSA 6.0U1

How to fix the error of " The /storage/core filesystem is out of disk space or inodes" Step 1: Login to the new VCSA 6.0U1 HTML5 web client. https://ip address:5480 Step 2: Enable SSH and Bash Shell Step 3: Login as root and type "shell" at Command> shell Step 4: df -h (Check if it's out of space) /dev/mapper/core_vg-core               50G   50G     0 100% /storage/core Step 5: Stop the services of VCSA:  hostname: # service vmware-vpxd stop hostname: # service vmware-vpxd status (make sure it is stopped) Step 6:  cd /storage/core Step 7: rm -rf *.tgz ( be CAREFUL ...do this in the wrong directory and you will be retrieving from a backup .) If you need help. Go to Cybercity ( http://www.cyberciti.biz/faq/delete-all-files-folder-linux/ )  Step 8: service vmware-vpxd restart Step 9: history -c Step 10:  Refresh the browser (https://ip address:5480). Now it's all green VMware KB

VMware Tools ISO Does Not Exist

1. You attempt to Install VMware Tools and you get the following error: The required VMware Tools ISO image does not exist or is inaccessible. vix error code = 21001 Unable to install VMware Tools. An error occurred while trayin got access image file "/user'/lib/vmware/isoimages/windows.iso" needed to install VMware Tools: 2 (no such file or directory). Please refer the product documentation or KB article 2129825 for details....blah blah blah you get the point. First...that KB article is wrong. It's 1036810: https://kb.vmware.com/s/article/1036810 2. Go to the latest VMware Tools of your OS (You don't need to be logged in): https://packages.vmware.com/tools/esx/latest/index.html 3. Download the ISO and then WinSCP the file or whatever method you want to use to copy the file to /usr/lib/vmware/isoimages/ The quick and easy way is to just mount it and then install the VMware Tools. If you want to get gritty! Follow on! 4. If you don't