AWS Directory Service
Administration Guide (Version 1.0)

Step 2: Prepare Your Microsoft AD

Now let's get your Microsoft AD ready for the trust relationship. Many of the following steps are almost identical to what you just completed for your on-premises domain. This time, however, you are working with your Microsoft AD.

Configure Your VPN Subnets and Security Groups

You must allow traffic from your on-premises network to the VPC containing your Microsoft AD. To do this, configure the VPC access control list (ACL) to allow both incoming and outgoing traffic from your on-premises directory for the following ports:

  • TCP/UDP 53 - DNS

  • TCP/UDP 88 - Kerberos authentication

  • TCP/UDP 389 - LDAP

  • TCP 445 - SMB

Note

These are the minimum ports needed to connect the VPC and the on-premises directory. Your specific configuration may require that additional ports be open. For this tutorial, we have opened all ports to our on-premises domain:

    [Screenshot: VPN incoming rules]

    [Screenshot: VPN outgoing rules]

Similarly, your Microsoft AD domain controller must have the appropriate outbound and inbound rules.

To configure your Microsoft AD domain controller outbound and inbound rules

  1. Return to the AWS Directory Service console at https://console.aws.amazon.com/directoryservice/. On the Directory Details page, note your Microsoft AD directory ID.

     [Screenshot: Choose directory for rules]

  2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. In the navigation pane, choose Security Groups.

     [Screenshot: Choose security groups]

  4. Use the search box to search for your Microsoft AD directory ID. In the search results, select the item with the description AWS created security group for <yourdirectoryID> directory controllers.

     [Screenshot: Search for security group]

  5. Go to the Outbound Rules tab for that security group. Choose Edit, and then Add another rule. For the new rule, enter the following values:

    • Type: ALL Traffic

    • Protocol: ALL

    • Destination determines the traffic that can leave your domain controllers and where it can go. Specify a single IP address or an IP address range in CIDR notation (for example, 203.0.113.5/32). You can also specify the name or ID of another security group in the same region. For more information, see Understand Your Directory’s AWS Security Group Configuration and Use.

  6. Select Save.

     [Screenshot: Edit security group]

  7. Go to the Inbound Rules tab for that same security group. Choose Edit, and then Add another rule. For the new rule, enter the following values:

    • Type: Custom UDP Rule

    • Protocol: UDP

    • Port Range: 445

    • For Source, specify a single IP address, or an IP address range in CIDR notation (for example, 203.0.113.5/32). You can also specify the name or ID of another security group in the same region. This setting determines the traffic that can reach your domain controllers. For more information, see Understand Your Directory’s AWS Security Group Configuration and Use.

  8. Select Save.

  9. Repeat these steps, adding each of the following rules:

    Type               Protocol   Port Range      Source
    Custom UDP Rule    UDP        88              Specify the Source traffic used in the previous step.
    Custom UDP Rule    UDP        123             Specify the Source traffic used in the previous step.
    Custom UDP Rule    UDP        138             Specify the Source traffic used in the previous step.
    Custom UDP Rule    UDP        389             Specify the Source traffic used in the previous step.
    Custom UDP Rule    UDP        464             Specify the Source traffic used in the previous step.
    Custom TCP Rule    TCP        88              Specify the Source traffic used in the previous step.
    Custom TCP Rule    TCP        135             Specify the Source traffic used in the previous step.
    Custom TCP Rule    TCP        445             Specify the Source traffic used in the previous step.
    Custom TCP Rule    TCP        464             Specify the Source traffic used in the previous step.
    Custom TCP Rule    TCP        636             Specify the Source traffic used in the previous step.
    Custom TCP Rule    TCP        1024 - 65535    Specify the Source traffic used in the previous step.
    Custom TCP Rule    TCP        3268 - 3269     Specify the Source traffic used in the previous step.
    DNS (UDP)          UDP        53              Specify the Source traffic used in the previous step.
    DNS (TCP)          TCP        53              Specify the Source traffic used in the previous step.
    LDAP               TCP        389             Specify the Source traffic used in the previous step.
    All ICMP           All        N/A             Specify the Source traffic used in the previous step.
    All traffic        All        All             The current security group (the security group for your directory).
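Once the rules are in place it is worth checking the directory's security group against the table above rather than trusting the console by eye. The following is an added example, not code from the AWS guide; it assumes the inbound rules are handed to it in the shape boto3's describe_security_groups returns under IpPermissions, and uses a constructed on-premises range and a constructed security group ID.

```python
from __future__ import annotations

ON_PREM_CIDR = "203.0.113.0/24"  # constructed placeholder for your on-premises range

# Rows of the guide's inbound table as (protocol, from_port, to_port). The ICMP row
# and the "all traffic from the directory's own security group" row are not
# port-based and are left out of this check.
REQUIRED_INBOUND = [
    ("udp", 88, 88), ("udp", 123, 123), ("udp", 138, 138), ("udp", 389, 389),
    ("udp", 445, 445), ("udp", 464, 464), ("udp", 53, 53),
    ("tcp", 88, 88), ("tcp", 135, 135), ("tcp", 445, 445), ("tcp", 464, 464),
    ("tcp", 636, 636), ("tcp", 1024, 65535), ("tcp", 3268, 3269),
    ("tcp", 53, 53), ("tcp", 389, 389),
]

def covers(perm: dict, source: str, proto: str, lo: int, hi: int) -> bool:
    """True if one IpPermissions entry admits proto ports lo..hi from source."""
    if not any(r.get("CidrIp") == source for r in perm.get("IpRanges", [])):
        return False  # wrong source; a group-to-group rule does not count here
    if perm.get("IpProtocol") == "-1":  # "-1" is EC2's "all traffic"
        return True
    if perm.get("IpProtocol") != proto:
        return False
    return perm.get("FromPort", -1) <= lo and perm.get("ToPort", -1) >= hi

def missing_rules(perms: list[dict], source: str = ON_PREM_CIDR) -> list[tuple]:
    """Table rows that no inbound permission satisfies for the given source."""
    return [row for row in REQUIRED_INBOUND
            if not any(covers(p, source, *row) for p in perms)]

def unexpected_sources(perms: list[dict], source: str = ON_PREM_CIDR) -> list[str]:
    """CIDR sources other than the on-premises range, e.g. an accidental 0.0.0.0/0."""
    return sorted({r["CidrIp"] for p in perms for r in p.get("IpRanges", [])
                   if r.get("CidrIp") != source})

def _rule(proto: str, lo: int, hi: int, cidr: str) -> dict:
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr}]}

# Constructed sample shaped like describe_security_groups()["SecurityGroups"][0]
# ["IpPermissions"]: two table rows left out and SMB opened to the world by mistake.
SAMPLE_PERMS = [_rule(p, lo, hi, ON_PREM_CIDR) for p, lo, hi in REQUIRED_INBOUND
                if (p, lo) not in {("udp", 464), ("tcp", 636)}]
SAMPLE_PERMS.append(_rule("tcp", 445, 445, "0.0.0.0/0"))
SAMPLE_PERMS.append({"IpProtocol": "-1",  # the own-group row; sg id is a placeholder
                     "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]})

if __name__ == "__main__":
    print("missing rows:", missing_rules(SAMPLE_PERMS))
    print("unexpected sources:", unexpected_sources(SAMPLE_PERMS))
```

Note that the own-group "All traffic" row is deliberately not counted as satisfying the on-premises rows, because its source is the directory's security group, not your on-premises range.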

Ensure That Kerberos Pre-authentication Is Enabled

Now you want to confirm that users in your Microsoft AD also have Kerberos pre-authentication enabled. This is the same process you completed for your on-premises directory. This is the default, but let's check to make sure nothing has changed.

To view user Kerberos settings

  1. Log in to an instance that is a member of your Microsoft AD using an account that has domain administrative privileges.

  2. If they are not already installed, install the Active Directory Users and Computers tool and the DNS tool. Learn how to install these tools in Installing the Active Directory Administration Tools.

  3. Open Server Manager. On the Tools menu, choose Active Directory Users and Computers.

  4. Choose the Users folder in your domain. Note that this is the Users folder under your NetBIOS name, not the Users folder under the fully qualified domain name (FQDN). Open the context (right-click) menu for a user account and choose Properties.

     [Screenshot: Correct users folder]

  5. Choose the Account tab. In the Account options list, ensure that Do not require Kerberos preauthentication is not checked.
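Checking one account at a time in the Properties dialog does not scale to a whole Users container. The "Do not require Kerberos preauthentication" checkbox sets the DONT_REQUIRE_PREAUTH bit (0x400000) of the userAccountControl attribute, so the same check can be run over the (sAMAccountName, userAccountControl) pairs an LDAP search returns. This is an added example, not code from the AWS guide; the user entries are constructed.

```python
from __future__ import annotations

# userAccountControl flag values from the Active Directory schema.
DONT_REQUIRE_PREAUTH = 0x400000  # the "Do not require Kerberos preauthentication" box
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

def preauth_disabled(entries: list[tuple[str, int]],
                     include_disabled: bool = False) -> list[str]:
    """Names of accounts whose userAccountControl skips Kerberos pre-authentication.

    Disabled accounts are skipped by default because they cannot authenticate;
    pass include_disabled=True to list them too, so the flag is cleared before
    anyone re-enables the account."""
    found = []
    for name, uac in entries:
        if not uac & DONT_REQUIRE_PREAUTH:
            continue  # pre-auth required: the default and the desired state
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(name)
    return found

# Constructed sample: (sAMAccountName, userAccountControl) pairs as an LDAP search
# of the Users container under the NetBIOS domain name would return them.
SAMPLE_USERS = [
    ("alice", NORMAL_ACCOUNT),                              # default, nothing to do
    ("svc-legacy", NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH),  # checkbox set, needs fixing
    ("old-admin", NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH | ACCOUNTDISABLE),
]

if __name__ == "__main__":
    print("pre-auth disabled (enabled accounts):", preauth_disabled(SAMPLE_USERS))
    print("including disabled accounts:", preauth_disabled(SAMPLE_USERS, True))
```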

Next Step

Step 3: Create the Trust Relationship