Creating a trust relationship between AWS Managed AD and an on-premises Active Directory running Windows Server Core

IT administrators who manage AWS Managed Microsoft AD may need to establish a trust relationship with an on-premises Active Directory that runs the Windows Server Core edition. Windows Server Core has no graphical user interface (GUI), so it can only be managed from the command line with PowerShell or through remote management tools. There are two options for creating a trust relationship on a Windows Server Core edition:

Option 1: Launch a management Windows Server with a graphical user interface (GUI)

  • Join the management instance to the on-premises AD and install the RSAT tools

  • Ensure that the management instance can reach the AWS Managed Microsoft AD domain controllers by opening the required ports [1]

Option 2: Run the following script on your self-managed AD to create the trust:

  • Replace "remoteforest" in $strRemoteForest with your remote domain name

  • Specify the trust type (direction) as the second argument after $remoteForest, in the CreateTrustRelationship call. Examples:

  $remoteForest,"Inbound"
  $remoteForest,"Outbound"
  $remoteForest,"Bidirectional"

==========================================

# Change the following parameter before running:
#   $strRemoteForest - DNS name of the remote (AWS Managed Microsoft AD) forest
$strRemoteForest = "remoteforest"

# Bind to the remote forest; the DC running this script must be able to resolve and reach it
$remoteContext = New-Object -TypeName "System.DirectoryServices.ActiveDirectory.DirectoryContext" -ArgumentList @( "Forest", $strRemoteForest )
try {
    $remoteForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteContext)
}
catch {
    Write-Warning "GetRemoteForest: Failed:`n`tError: $($_.Exception.Message)"
    return   # nothing further can be done without a remote forest object
}
Write-Host "Connected to Remote forest: $($remoteForest.Name)"

# Bind to the forest this DC belongs to
$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Host "Connected to Local forest: $($localForest.Name)"

# Create the forest trust. The direction is from the local forest's point of view;
# change "Bidirectional" to "Inbound" or "Outbound" as required.
try {
    $localForest.CreateTrustRelationship($remoteForest, "Bidirectional")
    Write-Host "CreateTrustRelationship: Succeeded for forest $($remoteForest.Name)"
}
catch {
    Write-Warning "CreateTrustRelationship: Failed:`n`tError: $($_.Exception.Message)"
}

==========================================

  • After creating the trust on the self-managed AD, set the trust password (/passwordT:password) by running the following command on a Server Core DC, using self-managed credentials (/userO:administrator /passwordO:*): [2]

==========================================

netdom trust <parent domain name> /domain:<child domain name> /resetOneSide /passwordT:<password> /userO:administrator /passwordO:*

==========================================

Example:

netdom trust mydomain.it /domain:managedad.domain /resetOneSide /passwordT:Passw0rd001# /userO:administrator /passwordO:Passw0rd001#

Next, establish the trust from the AWS Managed AD console [3] using the trust password (/passwordT:password) set in the previous step.
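To confirm the outcome once both sides are configured, the following verification script (an added example, not part of the original article) uses the same .NET forest API as the creation script plus the ActiveDirectory module; it assumes it runs on a DC of the self-managed forest, and the parameter names $RemoteForestName and $ExpectedDirection are my own.

```powershell
# Added example: verify a forest trust from the self-managed side.
# Assumes the ActiveDirectory module is present (installed with the AD DS role on a Server Core DC).
param(
    [Parameter(Mandatory)][string]$RemoteForestName,                      # e.g. the AWS Managed AD DNS name
    [ValidateSet("Inbound","Outbound","Bidirectional")][string]$ExpectedDirection = "Bidirectional"
)

$localForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Does a trust object for the remote forest exist in the local forest at all?
try {
    $trust = $localForest.GetTrustRelationship($RemoteForestName)
}
catch {
    Write-Warning "No trust to '$RemoteForestName' found in forest '$($localForest.Name)': $($_.Exception.Message)"
    return
}
Write-Host ("Trust found: {0} -> {1}, type={2}, direction={3}" -f `
    $trust.SourceName, $trust.TargetName, $trust.TrustType, $trust.TrustDirection)

# 2. Is the direction the one the trust was created with (from the local forest's point of view)?
if ($trust.TrustDirection.ToString() -ne $ExpectedDirection) {
    Write-Warning "Direction mismatch: expected $ExpectedDirection, found $($trust.TrustDirection)"
}

# 3. Can the trust be validated end to end? This fails until the trust password
#    matches on both sides (the netdom reset and the AWS console step).
try {
    $remoteContext = New-Object -TypeName "System.DirectoryServices.ActiveDirectory.DirectoryContext" -ArgumentList @( "Forest", $RemoteForestName )
    $remoteForest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($remoteContext)
    $direction     = [System.DirectoryServices.ActiveDirectory.TrustDirection]$ExpectedDirection
    $localForest.VerifyTrustRelationship($remoteForest, $direction)
    Write-Host "VerifyTrustRelationship: Succeeded ($ExpectedDirection)"
}
catch {
    Write-Warning "VerifyTrustRelationship: Failed:`n`tError: $($_.Exception.Message)"
}

# 4. Cross-check with the ActiveDirectory module and show the SID filtering flags.
#    SIDFilteringForestAware should stay False unless SID history from the remote forest is intentionally accepted.
Get-ADTrust -Filter "Target -eq '$RemoteForestName'" |
    Select-Object Name, Source, Target, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware
```

Run it once after the script and netdom steps (expect step 3 to fail) and again after the console step (expect it to succeed), which separates a password mismatch from a missing trust object or blocked ports.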

[1] Step 1: Prepare your self-managed AD Domain - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust_prepare_onprem.html

[2] Active Directory Forest Recovery - Reset a trust password on one side of the trust - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-trust

[3] Step 3: Create the trust relationship - Configure the trust in your self-managed Active Directory - https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust_create.html#tutorial_setup_trust_onprem_trust
