Hello,
Thank you for posting in Q&A forum.
The error DNS_ERROR_ZONE_CONFIGURATION_ERROR indicates a problem with the DNS zone configuration.
To resolve this, you can try the following steps:
- Flush DNS Cache: Sometimes, a corrupted DNS cache can cause issues. Open Command Prompt as an administrator and run the following command:
ipconfig /flushdns
This will clear the DNS cache and might resolve the issue.
- Check DNS Zone Configuration: Ensure that the DNS zone for aws.contoso.local is correctly configured on your on-premises DNS server. You can do this by opening the DNS management console and verifying the settings for the conditional forwarder.
- Create Conditional Forwarder: If not already done, create a conditional forwarder for aws.contoso.local on your on-premises DNS server. This will help in resolving DNS queries for the AWS-managed domain.
- Verify Network Connectivity: Ensure that there is proper network connectivity between your on-premises network and the AWS VPC where the AWS Managed AD is hosted. Check that the necessary ports are open and that there are no firewall restrictions blocking traffic.
Regarding the type of trust, you can create either a Forest Trust or a Realm Trust depending on your requirements. A Forest Trust is typically used to share resources between multiple forests and is transitive, meaning it can extend beyond the two forests involved. A Realm Trust is used for cross-platform communication between a Windows domain and a non-Windows Kerberos realm.
Steps to set up an Active Directory (AD) Forest Trust between your on-premises AD and AWS Managed AD:
Prerequisites
- Network Connectivity: Ensure that your on-premises network can connect to the AWS VPC where the AWS Managed AD is hosted. Open the necessary ports (TCP/UDP 53, 88, 389, 445, etc.) on your firewall.
- Conditional Forwarder: Create a conditional forwarder on your on-premises DNS server for the AWS Managed AD domain.
Steps to Create a Forest Trust
- Prepare On-Premises AD:
  - Open the Active Directory Domains and Trusts console on your on-premises domain controller.
  - Right-click the Domain node and select Properties.
  - Go to the Trusts tab and click New Trust.
- Create the Trust:
  - Select Forest trust and click Next.
  - Enter the Domain name of the AWS Managed AD (e.g., aws.contoso.local).
  - Choose the Trust type (one-way or two-way).
  - Enter the Trust password and confirm it.
  - Select the Authentication level (e.g., All, Selective).
  - Click Next and review the summary.
  - Click Finish to create the trust.
- Create Conditional Forwarder:
  - Open the DNS Manager on your on-premises domain controller.
  - Right-click Conditional Forwarders and select New Conditional Forwarder.
  - Enter the Domain name of the AWS Managed AD and the IP addresses of the AD controllers.
  - Click OK to create the conditional forwarder.
- Verify the Trust:
  - Use the Active Directory Domains and Trusts console to verify the trust status.
  - Ensure that the trust is listed and active.
Best regards,
Yanhong
=====================================
If the answer is helpful, please click "Accept answer" and upvote it
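As an added example (not part of the answer above or of any Microsoft or AWS documentation), the following PowerShell script performs the same prerequisite, conditional-forwarder and trust checks from an elevated prompt on an on-premises domain controller with the DnsServer and ActiveDirectory RSAT modules installed. The AWS DC addresses are placeholders; the domain name aws.contoso.local is the one used in the answer.

```powershell
# Added example, not from the original answer. Run as administrator on an
# on-premises DC with the DnsServer and ActiveDirectory modules available.
$AwsDomain = 'aws.contoso.local'
$AwsDcIps  = @('10.0.0.10', '10.0.1.10')   # placeholder: replace with your AWS Managed AD DNS addresses
$Ports     = @(53, 88, 389, 445)           # ports listed in the prerequisites above

# 1. Network reachability: each AWS DC must accept TCP on the AD/DNS ports.
#    (Test-NetConnection checks TCP only; UDP 53/88 are not covered here.)
foreach ($ip in $AwsDcIps) {
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue
        '{0}:{1} TCP reachable: {2}' -f $ip, $p, $r.TcpTestSucceeded
    }
}

# 2. Conditional forwarder: create it if it does not exist yet, replicated
#    forest-wide so every on-premises DNS server resolves the AWS domain.
if (-not (Get-DnsServerZone -Name $AwsDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $AwsDomain `
        -MasterServers $AwsDcIps -ReplicationScope 'Forest'
}
Get-DnsServerZone -Name $AwsDomain | Select-Object ZoneName, ZoneType, MasterServers

# 3. Resolution check: the DC locator SRV record that trust creation depends on
#    must resolve through the forwarder, otherwise the trust wizard fails.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AwsDomain" -Type SRV |
    Select-Object Name, NameTarget, Port

# 4. Trust check after the wizard: direction, transitivity, whether Selective
#    authentication (the least-privilege option) is set, and SID filtering.
Get-ADTrust -Filter "Target -eq '$AwsDomain'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringForestAware, TrustType
```

Step 4 returns nothing until the trust has been created in the wizard; a result with SelectiveAuthentication set to True confirms the Selective option was chosen.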