AWS – Access Denied when Adding AD Trust Relationship

Late yesterday I decided to create an AWS Microsoft AD Directory Service.  The task itself is pretty straightforward and I had no problems with the deployment process.  A task that should be equally straightforward is setting up a trust relationship with an existing AD domain.  A task that should take about 5 minutes ended up taking me… much longer than that.  I’ll keep the actual time I spent on it to myself.

Anyway, once I deployed my AWS Microsoft AD (I’ll abbreviate it as MAD because that’s what I got later), I launched a new instance, joined it to the AWS domain, installed the Windows Remote Administration Tools, launched Active Directory Users and Computers, created a new user, and then logged in as that user to do some very basic testing.  Now believing my AWS MAD was good to go, I decided to set up a trust with my existing AD domain.

I looked at the prerequisites, reviewed the Security Groups and Network ACLs on AWS, and ran DirectoryServicePortTest to further verify connectivity between the DCs.  So I created the trust on my existing domain, even entering the trust password with one finger, but when I switched to AWS MAD, not 5 seconds after clicking the Add button I would receive an “Access denied” failure notice like the one shown below:


Are you kidding me?  Thus began the troubleshooting process.

Now I’m not going to go into every single step, but I did drag Adam into it.  At the end of the day, after some very thorough digging, the issue was still not resolved, but we were able to rule several things out.  Perhaps I should have gone home, but the traffic in Raleigh around 5pm can be horrible enough on a normal day, and when it’s been rainy it’s downright miserable, so I decided to stay in the office a little longer to work on this issue.  I knew the trust password was not the issue, but what domain security setting wouldn’t allow a trust to be created?  To that end, I decided to look at each security setting enabled on the Default Domain Policy, and when you take a breath and really look at stuff, the problem can reveal itself.  Look at what’s highlighted below as an example:


Yes, you guessed it!  The time difference between the AWS MAD and my existing directory was off by about 5 minutes and 19 seconds.  My existing DCs were behind so I matched those to the AWS domain and wouldn’t you know it, the trust was then successfully established.

So, if you’re going to configure a trust between an AWS MAD and an existing domain, save yourself some pain and add a time check to your prerequisites checklist.
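Here is one way to put that time check on the checklist.  This is an added example, not a script from the original post: a PowerShell pre-flight check that uses w32tm /stripchart (plain NTP on UDP/123, so it needs no credentials and works before the trust exists) to measure each DC’s clock offset from the machine you run it on, then compares the DCs against each other.  The 300-second limit is the Kerberos default for “Maximum tolerance for computer clock synchronization”, which is the Default Domain Policy setting that bit me; the DC hostnames are placeholders, and the regex assumes the usual “time, +offset s” lines that /dataonly prints.

```powershell
# Added example (not from the original post): clock-skew pre-flight check before
# creating an AD trust. Hostnames below are placeholders; replace with your DCs.
param(
    [string[]]$DomainControllers = @('dc1.onprem.example.com', 'dc1.awsmad.example.com'),
    [int]$Samples = 3,
    # Kerberos default "Maximum tolerance for computer clock synchronization" (5 minutes)
    [int]$MaxSkewSeconds = 300
)

function Get-ClockOffset {
    param([string]$Computer, [int]$Samples)
    # /stripchart uses NTP (UDP/123), so it works across domains with no trust in place
    $raw = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $raw) {
        # Assumed /dataonly line format: "10:00:00, +00.0123456s"; error lines do not match
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No NTP samples from $Computer (UDP/123 blocked or host unreachable?): $($raw -join ' ')"
    }
    # Average offset in seconds between the remote clock and this host's clock
    ($offsets | Measure-Object -Average).Average
}

$offsets = @{}
foreach ($dc in $DomainControllers) {
    $offsets[$dc] = Get-ClockOffset -Computer $dc -Samples $Samples
    '{0,-35} offset from this host: {1,9:N3}s' -f $dc, $offsets[$dc]
}

# What Kerberos actually cares about during trust creation is the skew between the DCs,
# so compare every pair; the sign convention of w32tm cancels out in the difference.
$skewed = $false
for ($i = 0; $i -lt $DomainControllers.Count; $i++) {
    for ($j = $i + 1; $j -lt $DomainControllers.Count; $j++) {
        $a = $DomainControllers[$i]; $b = $DomainControllers[$j]
        $skew = [math]::Abs($offsets[$a] - $offsets[$b])
        $status = if ($skew -gt $MaxSkewSeconds) { $skewed = $true; 'FAIL' } else { 'OK' }
        '{0}  {1} <-> {2}: skew {3:N1}s (limit {4}s)' -f $status, $a, $b, $skew, $MaxSkewSeconds
    }
}

if ($skewed) {
    Write-Warning 'Clock skew exceeds the Kerberos tolerance; fix time sync on the DCs before creating the trust.'
    exit 1
}
'Clock skew within tolerance; safe to create the trust.'
```

Run it from a box that can reach UDP/123 on both sides (the same box you ran DirectoryServicePortTest from is a good choice) and fix time sync on whichever DC is drifting before you go anywhere near the Add button.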
