AdvLab3: Setting up hybrid AD

Author: Dean Suzuki (Last Updated: 4/1/20)


Many customers already have Microsoft Active Directory running in their on-premises data centers. Earlier, you setup AWS Managed Microsoft Active Directory (AD) that creates an AD forest running inside of AWS. In this lab, you will learn how to integrate the two AD forests, on-premises AD forest and AWS Managed Microsoft AD forest. This integration will be done by creating an AD trust between the AWS Managed Microsoft AD running in AWS and your on-premises AD.

In this lab, you will simulate your on-premises AD by setting up AD on EC2.

For more information on AWS Directory service, please visit our developers guide.

For more information on trust relationship, please visit When to Create a Trust Relationship.


To do this lab, you will need to have completed the following prior labs (on

  • Step 1: Building the network

  • Step 2: Deploying Active Directory

  • Step 3: Administering AD

Section 1: Deploying AD-DC on EC2 to simulate on-premises AD

In this section, you will setup Active Directory domain controllers running on EC2 to simulate your on-premises AD forest. To perform this step, you will leverage a CloudFormation template that has been created.

Note: This CloudFormation template may have already been run in your lab environment so please check with your lab proctor.

  1. Login to the AWS Console and navigate to the CloudFormation (CFN) console.

  2. Make sure you to select the “N.Virginia” region.

  3. Click on Create stack with new resources (standard)

  4. In the Create stack screen, enter the values as shown below and click on Next.

  5. For stack name, enter AD-Onprem

  6. Provide the below inputs for the CloudFormation stack then click Next to continue.

    • VPC ID: WinVPC-VPCStack
    • Private Subnet 1 ID: ( subnet 1A)
    • Private Subnet 2 ID: ( subnet 2A)
    • Domain Controller 1 Instance type: m5.large
    • Domain Controller 1 Name: DC1
    • Domain Controller 1 IP Address:
    • Domain Controller 2 Instance type: m5.large
    • Domain Controller 2 Name: DC2
    • Domain Controller 2 IP Address:
    • Key Pair Name: Select your existing keypair (e.g. WinLab-KeyPair)
    • Domain admin password: Use a password that you can remember
    • Domain DNS name: onprem.local
    • Domain NetBIOS name: ONPREM
    • Press Next.
  7. For the tags, enter “Name” for key and “AD Lab” for value and click Next.

  8. In this last page, check “I acknowledge that CloudFormation might create IAM resources”, then click on Create Stack.

  9. It will take a about 40 minutes to deploy the stack which will deploy the EC2 Instances and promote them as Domain Controllers for the onprem.local domain.

Section 2: Setup Trust between AWS Managed AD & AD-DC on EC2

Part 1: Allow necessary communication between the directories

  1. Log in to your AWS account. Go to EC2 console and select Security Group in left navigation.
  2. In the Filter/Search bar type Controller and hit enter. This will show you the AD/AWS Directory Service Security groups as shown:

    Note: Look at the descriptions, you will see a “Domain Controller” Security group. These correspond to the on-prem domain controllers built. You will also see the Security group that was created for your AWS Directory Service “AWS created security group with name d-xxxx_controllers”. Take note of these security group ID’s.

  3. Copy the Group ID for the “AD-Onprem-DomainControllersSG-###” group and save it in a notepad file.

  4. Copy the Group ID for the “d-xxxxxxx_controllers” group and save it in a notepad file.

  5. Select the Security Group named “d-xxxxxxx_controllers” and click on Outbound Rules tab and click on Edit.

  6. You will need to create an Allow All Outbound rules, for Domain Controller Security group set as the destination. Press Add Rule. For Type, select All Traffic. For Destination, paste the Group Id for the “AD-Onprem-DomainControllersSG-###” group. Press Save.

  7. Select the Security Group “AD-Onprem-DomainControllerSG-xxxx” and click on Inbound Rules tab and click Edit.

  8. Press Add Rule. For Type, select All traffic. For source, paste in the Group ID for “d-xxxxxxx_controllers” group. Press Save.

Part 2: Configure Conditional Forwarder on On-Prem Domain Controller

  1. Sign into the AWS Management Console and open a new tab for AWS Directory Service console.
  2. In the navigation pane, select Directories and Click on the directory ID of your AWS Managed Microsoft AD.
  3. On the Details page, take note of the values in Directory name and the DNS address of your directory as shown below.

Next, you are going to login to the Remote Desktop Gateway (RDGW) server.

  1. Log in to the AWS Console and go to Elastic Compute Cloud (EC2) console.

  2. On the left hand menu, select Instances.

  3. Select the checkbox near to the RDGW server.

  4. Click the Connect button. Click the “Download Remote Desktop File” to download the RDP file.

  5. Click the Get Password button.

  6. Click the Choose File button and browse to the location of the key pair file that you downloaded earlier.

  7. Click Decrypt Password

  8. Once the password is decrypted, copy it to the clipboard.

  9. Double click the RDP connection file and paste the password from the clipboard into the password field.

  10. You should be logged into the RDGW server

  11. Once you are logged in to the RDGW server, open Microsoft Remote Desktop again and connect to the IP address “”. This is one of the Domain Controllers that is setup for the on-prem domain.

  12. When logging in to the DC1 (, on the login screen, select More choices. Then select Use a different account. Then enter ONPREM\admin as the username and the password you created when you launched ONPREM domain in Section 1.

  13. On DC1 (, go to the Start Menu and look for Windows Administrative Tools and under there, open DNS.

  14. In the DNS Manager Console, expand the DNS server for DC1.

  15. Right click on “Conditional Forwarders” and click on “New Conditional Forwarder

  16. In DNS domain, type the fully qualified domain name (FQDN) of your AWS Managed Microsoft AD which should be

  17. Under IP addresses of the master servers, add the IP’s of your AWS Managed Microsoft AD directory, which you noted earlier in step 3. Check the option to “Store this conditional forwarder in AD” and select the option “All DNS servers in this domain”.

    Note: Note: After entering the DNS addresses, you may get a “timeout” or “unable to resolve” error. You can ignore these errors.

  18. Click OK to close the conditional forwarder. You can also close the DNS server.

  19. Keep the Remote Desktop connection open and continue with part 3 below.

Part 3: Configure Trust relationship in AD-DS on EC2

  1. Open Server Manager on the DC1 ( and on the Tools menu, click on Active Directory Domains and Trusts.

  2. Right click on the domain which should be “onprem.local” and click on Properties.

  3. Click on the Trusts tab and click on New trust. Type the name of your AWS Managed AD which should be “” and click Next.

  4. Choose Forest trust. Click Next.

  5. Choose Two-way. Click Next.

  6. Choose This domain only. Click Next.

  7. Choose Forest-wide authentication. Click Next.

  8. Type a Trust password. Make sure to remember this password as you will need it when setting up the trust for your AWS Managed Microsoft AD.

  9. In the next dialog box, confirm your settings and choose Next. Confirm that the trust was created successfully and again choose Next.

  10. Choose No, do not confirm the outgoing trust. Click Next.

  11. Choose No, do not confirm the incoming trust. Click Next. Click Finish to close this wizard.

  12. Press Ok to close the dialog box.

Part 4: Configure Trust relationship in AWS Managed AD

  1. Sign into the AWS Management Console and open the AWS Directory Service console.
  2. On the Directories page, click on your AWS Managed AD “”.
  3. On the Directory details page, select the Networking & security tab.

  4. In the Trust relationships section, click on Add trust relationship.

  5. On the Add a trust relationship page, use the following values as shown:

    • Trust Type: Forest Trust

    • Domain: onprem.local

    • Trust Password: Same trust password that you used when creating the trust on your on-premises domain.

    • Trust Direction: Two-Way

    • Conditional Forwarder: Enter; Click on Add additional IP and enter

  6. Click Add to continue.

  7. It will take a few minutes to configure the trust. Once it’s completed you should see the status change to Verified as shown below. Your trust relationship is now setup and ready to be used.


You have successfully deployed a simulated On-premises Active Directory on EC2 Instances and performed necessary steps to setup a two-way Forest trust between the AWS Managed AD and the simulated “on-premises” AD.

You can leverage this architecture to enable single sign-on to AWS resources. For example, a common architecture is to join EC2 instances to the AWS Managed Microsoft AD forest in AWS. By establishing the AD trust, you can leverage the AD groups and AD users in your on-premises AD forest to secure resources in AWS Managed Microsoft AD forest.

If you are done with all the labs, you can clean up the resources in the following order to stop accumulating AWS charges.

  1. Open the CloudFormation Console and delete the Onprem-AD stack