I have a bit of a unique situation: I have a series of AWS servers that all have Active Directory installed on them (DNS and a bunch of other things too) and are Domain Controllers. I'm trying to migrate all of these to use a centralized AD service, AWS AD DS. The first step of my migration is to create a two-way trust between one of my servers (in this case my dev server - 10.0.0.119) and this new service. I've followed these instructions on the server side (10.0.0.119) to establish a two-way trust; it looks something like this:
Of course it doesn't connect because I need to set it up in AWS:
Which is where I run into trouble. When I try to set up the two-way relationship in AWS I can't seem to get it to connect to my server; I get the following error message:
The remote domain dev.ebm.com is not reachable. Please ensure your security group settings are correct and your conditional forwarder is configured properly.
I'm really not sure why, though; my configuration matches what is specified on my server (same error if I set one-way authentication or "Forest Trust"):
Both my new AD DS service endpoints are on the same subnet and VPC as my server:
I can ping both of these from my dev server without issue. I've disabled all firewalls on the server and I don't have any firewall restrictions in AWS on this network.
Not a great deal is written on this subject. A number of posts point to adding IP routes to cover your server before adding the trust. However, both that article and the AWS interface state that:
Modify the route table in your directory to enable routing to public IP addresses through your VPC.
So I feel that's not the right direction.
The most likely place I think I might be confused on is the "Existing or new remote domain". I've tried all sorts of things such as the server's name and the domain name. I'm pretty sure that should match the name of the domain, but all combinations I've tried don't seem to work.
There's also significant discussion about conditional forwarding; I've set this up on the client side. I've also made sure to include the dev server in the AWS DC side configuration. That doesn't seem to have any effect, though.
Does anyone know where I'm off on this?
0 Answers
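As an added diagnostic (not from the post above and not an AWS-provided script), the PowerShell below, run on the domain controller that will hold the trust (10.0.0.119 in the post), checks the three things the AWS error message names: whether a conditional forwarder for the managed directory's domain exists and points at its DNS endpoints, whether the managed domain's DC SRV records resolve through it, and whether the TCP ports a trust needs are open to those endpoints. The managed domain name and its two endpoint IPs are placeholders, since the post shows them only in screenshots.

```powershell
# Added diagnostic example, not code from the original post. Run elevated on the
# DC that will hold the trust (10.0.0.119 in the post).
# PLACEHOLDERS: the managed directory's domain name and its DNS endpoint IPs
# come from the AWS console; the post only shows them as screenshots.
$ManagedDomain = 'corp.example.com'          # placeholder: AWS Managed AD domain name
$ManagedDns    = @('10.0.0.10', '10.0.0.11')  # placeholder: the two AD DS DNS endpoints

# 1. Is there a conditional forwarder for the managed domain, and does it
#    forward to the managed directory's DNS endpoints (not to something else)?
$fwd = Get-DnsServerZone -Name $ManagedDomain -ErrorAction SilentlyContinue
if (-not $fwd -or $fwd.ZoneType -ne 'Forwarder') {
    Write-Warning "No conditional forwarder for $ManagedDomain on this DNS server."
} else {
    $targets = $fwd.MasterServers.IPAddressToString
    Write-Host "Forwarder for $ManagedDomain -> $($targets -join ', ')"
    foreach ($ip in $ManagedDns) {
        if ($targets -notcontains $ip) { Write-Warning "Forwarder does not list $ip" }
    }
}

# 2. Can this DC locate the managed domain's DCs through that forwarder?
#    A trust needs the _ldap._tcp.dc._msdcs SRV record; a successful ping proves nothing here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Where-Object Type -eq 'SRV' | ForEach-Object { Write-Host "DC SRV: $($_.NameTarget):$($_.Port)" }
} else {
    Write-Warning "SRV lookup for $ManagedDomain failed; the forwarder is not answering."
}

# 3. TCP ports used between the two sides of an AD trust. UDP 53/88/389/464 and the
#    dynamic RPC range 49152-65535 are also required but Test-NetConnection only tests TCP.
$TrustPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 9389
foreach ($ip in $ManagedDns) {
    foreach ($port in $TrustPorts) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        if (-not $ok) { Write-Warning "$ip TCP/$port not reachable from this DC" }
    }
}

# 4. The AWS-side error says the managed directory cannot reach dev.ebm.com, so the
#    same must hold inbound: this DC's DNS must listen on the address the managed
#    directory's conditional forwarder points at, and the instance's security group
#    must allow the ports above from the managed directory's subnet.
$listen = (Get-DnsServerSetting -All).ListeningIPAddress
Write-Host "DNS listening on: $($listen -join ', ')"
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
```

Any warning in steps 1 or 2 reproduces the "conditional forwarder" half of the AWS error locally; warnings in step 3 point at the security group or NACL rather than DNS.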