Prerequisites - AWS Directory Service


This tutorial assumes you already have the following:


AWS Managed Microsoft AD does not support trust with Single label domains.

  • An AWS Managed Microsoft AD directory created on AWS. If you need help doing this, see Getting started with AWS Managed Microsoft AD.

  • An EC2 instance running Windows added to that AWS Managed Microsoft AD. If you need help doing this, see Manually join a Windows instance.


    The admin account for your AWS Managed Microsoft AD must have administrative access to this instance.

  • The following Windows Server tools installed on that instance:

    • AD DS and AD LDS Tools

    • DNS

    If you need help doing this, see Installing the Active Directory administration tools.

  • A self-managed (on-premises) Microsoft Active Directory

    You must have administrative access to this directory. The same Windows Server tools as listed above must also be available for this directory.

  • An active connection between your self-managed network and the VPC containing your AWS Managed Microsoft AD. If you need help doing this, see Amazon Virtual Private Cloud Connectivity Options.

  • A correctly set local security policy. CheckĀ Local Security Policy > Local Policies > Security Options > Network access: Named Pipes that can be accessed anonymously and ensure that it contains at least the following three named pipes:

    • netlogon

    • samr

    • lsarpc

Tutorial configuration

For this tutorial, we've already created a AWS Managed Microsoft AD and a self-managed domain. The self-managed network is connected to the AWS Managed Microsoft AD's VPC. Following are the properties of the two directories:

AWS Managed Microsoft AD running on AWS

  • Domain name (FQDN):

  • NetBIOS name: MyManagedAD

  • DNS Addresses:,


The AWS Managed Microsoft AD resides in VPC ID: vpc-12345678.

Self-managed or AWS Managed Microsoft AD domain

  • Domain name (FQDN):

  • NetBIOS name: CORP

  • DNS Addresses:

  • Self-managed CIDR:

Next Step

Step 1: Prepare your self-managed AD Domain