Why can't I seamlessly join my EC2 Windows instance to an AWS Managed Microsoft AD directory?


I can't seamlessly join my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance to AWS Directory Service for Microsoft Active Directory.

Resolution

To troubleshoot why you can't seamlessly join your EC2 Windows instance to an AWS Managed Microsoft AD directory, complete the following steps.

Note: Amazon Virtual Private Cloud (Amazon VPC) interface endpoints for AWS Systems Manager place limitations on requests to join Windows Server instances to domains. For more information, see VPC endpoint restrictions and limitations.

Verify your OS and machine type

Confirm that AWS Systems Manager supports your operating system (OS) and machine type.

Verify your IAM role policies

To verify that your AWS Identity and Access Management (IAM) role has the correct managed policies attached, complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Roles.
  3. Choose the Role name for the IAM role that's associated with your instance to open the Summary page.
  4. On the Permissions tab, for Permissions policies, confirm that the AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore policies are attached.
  5. If the permissions policies are missing, then choose Add permissions, Attach policies. Search for the policy names, choose the correct policies from the search results, and then choose Add permissions.
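The same check from a PowerShell session, as an added example that is not part of the AWS article: it walks from the instance to its instance profile, to the role, to the attached managed policies, and reports whether each required policy is present. It assumes the AWS Tools for PowerShell modules AWS.Tools.EC2 and AWS.Tools.IdentityManagement are installed, that the caller can invoke ec2:DescribeInstances, iam:GetInstanceProfile and iam:ListAttachedRolePolicies, and that the instance ID is a placeholder you replace.

```powershell
# Added example, not code from the AWS article. Requires AWS.Tools.EC2 and
# AWS.Tools.IdentityManagement plus credentials for ec2:DescribeInstances,
# iam:GetInstanceProfile and iam:ListAttachedRolePolicies.
$InstanceId       = 'i-0123456789abcdef0'   # placeholder
$RequiredPolicies = @('AmazonSSMDirectoryServiceAccess', 'AmazonSSMManagedInstanceCore')  # from the article

function Test-SeamlessJoinRolePolicies {
    param([string]$InstanceId, [string[]]$Required)

    $instance = (Get-EC2Instance -InstanceId $InstanceId).Instances[0]
    if (-not $instance.IamInstanceProfile) {
        throw "Instance $InstanceId has no IAM instance profile attached."
    }

    # The instance profile ARN ends in the profile name; the profile carries the role.
    $profileName = ($instance.IamInstanceProfile.Arn -split '/')[-1]
    $profile     = Get-IAMInstanceProfile -InstanceProfileName $profileName
    $roleName    = $profile.Roles[0].RoleName

    # Only managed policies are checked, matching the console steps above.
    $attached = (Get-IAMAttachedRolePolicyList -RoleName $roleName).PolicyName
    foreach ($policy in $Required) {
        [pscustomobject]@{
            Role     = $roleName
            Policy   = $policy
            Attached = ($policy -in $attached)
        }
    }
}

Test-SeamlessJoinRolePolicies -InstanceId $InstanceId -Required $RequiredPolicies |
    Format-Table -AutoSize
```

A row with Attached = False is the case step 5 above describes; the check deliberately looks only at attached managed policies, so an inline policy that happens to grant the same actions still shows as missing.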

Verify that the required ports are open

Verify that ports 53, 88, and 389 are open in the directory's security group. To locate and review the security group for your directory, complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Security Groups.
  3. Sort the Security Groups list by Security group name to find directoryid_controllers, where directoryid is your directory ID. For example, d-1234567891_controllers.
  4. Choose the Security group ID of the directory controller's security group.
  5. Open the Inbound rules and Outbound rules tabs to review the port information.

Note: Use Microsoft's PortQry command line tool to test the domain's connectivity to the required ports.

Verify that the DNS servers on your instance are pointing to the directory's DNS servers

To display the network adapter configuration on the instance, run the following AWS Command Line Interface (AWS CLI) command:

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.

ipconfig /all

To locate the directory's DNS servers, complete the following steps:

  1. Open the Directory Service console.
  2. In the navigation pane, choose Directories.
  3. Choose the Directory ID to open the Directory details page.
  4. See the DNS address.

Confirm that you can resolve the domain name from the instance

To confirm that you can resolve the domain name from your instance, run one of the following commands:

Note: In your commands, replace domainname with your domain name.

Using PowerShell:

Resolve-DnsName domainname

Using a command prompt:

nslookup domainname

Verify the DNS server configuration

To verify that you correctly configured the instance's DNS server and that the instance can reach the DNS server, run the following Nltest Windows command:

Note: In your command, replace domainname with the DNS name, not the NetBIOS name. For example, if your domain is example.com, then the DNS name is example.com and the NetBIOS name is example.

nltest /dsgetdc:domainname /force
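The four instance-side checks above (DNS servers on the adapter, name resolution through the directory's DNS servers, the required ports, and the DC locator) combined into one PowerShell script, as an added example that is not part of the AWS article. It assumes an elevated PowerShell session on the EC2 Windows instance, and that $DomainName and $DirectoryDnsServers are placeholders you replace with the values from the Directory details page.

```powershell
# Added example, not code from the AWS article. Run in an elevated PowerShell
# session on the EC2 Windows instance. $DomainName and $DirectoryDnsServers are
# placeholders: copy the real values from the Directory Service console
# (Directory details page, DNS address).
$DomainName          = 'example.com'                # placeholder
$DirectoryDnsServers = @('10.0.0.10', '10.0.1.10')  # placeholder
$RequiredTcpPorts    = @(53, 88, 389)               # ports named in the article

function Test-DirectoryPrerequisites {
    param([string]$Domain, [string[]]$DnsServers, [int[]]$TcpPorts)
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Each IPv4 adapter with DNS configured should point only at the directory's DNS servers
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($adapter in $adapters) {
        $stray = @($adapter.ServerAddresses | Where-Object { $_ -notin $DnsServers })
        $results.Add([pscustomobject]@{
            Check  = "DNS servers on $($adapter.InterfaceAlias)"
            Pass   = ($stray.Count -eq 0)
            Detail = ($adapter.ServerAddresses -join ', ')
        })
    }

    # 2. The domain name must resolve through each directory DNS server (exercises UDP 53)
    foreach ($server in $DnsServers) {
        $record = Resolve-DnsName -Name $Domain -Server $server -Type A -ErrorAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Check  = "Resolve $Domain via $server"
            Pass   = ($null -ne $record)
            Detail = $(if ($record) { $record.IPAddress -join ', ' } else { 'no answer' })
        })
    }

    # 3. TCP reachability of each required port on the directory's servers
    #    (AWS Managed Microsoft AD serves DNS from its domain controllers)
    foreach ($server in $DnsServers) {
        foreach ($port in $TcpPorts) {
            $tnc = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
            $results.Add([pscustomobject]@{
                Check  = "TCP $port to $server"
                Pass   = $tnc.TcpTestSucceeded
                Detail = $(if ($tnc.TcpTestSucceeded) { 'open' } else { 'blocked or unreachable' })
            })
        }
    }

    # 4. DC locator: nltest must find a domain controller for the DNS domain name (not the NetBIOS name)
    $nltest = & nltest.exe "/dsgetdc:$Domain" /force 2>&1
    $line   = $nltest | Select-String -Pattern 'DC:|failed' | Select-Object -First 1
    $results.Add([pscustomobject]@{
        Check  = "nltest /dsgetdc:$Domain"
        Pass   = ($LASTEXITCODE -eq 0)
        Detail = $(if ($line) { $line.Line.Trim() } else { 'no output' })
    })

    return $results
}

Test-DirectoryPrerequisites -Domain $DomainName -DnsServers $DirectoryDnsServers -TcpPorts $RequiredTcpPorts |
    Format-Table -AutoSize
```

Read the table top to bottom: a failing DNS-server row explains every later failure, a failing Resolve row with a passing DNS-server row points at UDP 53 in the security group, and failing TCP rows with passing resolution point at the directory controllers' security group inbound rules. Test-NetConnection only exercises TCP, so the UDP 389 case in the NetSetup.log table further down still needs the log itself.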

Verify that the instance is a managed instance

To verify that your instance is a managed instance, complete the following steps:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Fleet Manager.
  3. On the Fleet Manager page, choose the Managed nodes tab.
  4. Confirm that the instance is listed and is online.

Confirm that the instance has a State Manager association

To confirm that the document awsconfig_Domain_directoryid_domainname has a State Manager association that's created for the instance, complete the following steps:

Note: In the document name, directoryid is your directory ID and domainname is your domain name.

  1. Open the Systems Manager console.
  2. In the navigation pane, choose State Manager.
  3. In the search bar, choose Instance Id and Equal, and then enter the instance ID.
  4. Select the association ID.
  5. Confirm that the Status is Success, and then choose Execution history to verify the association executions.
  6. If the Status is Failed, then choose Execution id, Output to review the output details and identify the cause of the issue.
  7. If the Status is Pending, then verify that you followed all the previous troubleshooting steps. Then, review the logs on the EC2 instance for any error messages to identify the cause of the issue. For instructions, see the Review logs to find error messages section.
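The managed-node check and the State Manager association check above done from PowerShell, as an added example that is not part of the AWS article. It assumes AWS.Tools.SimpleSystemsManagement is installed, that the caller can invoke ssm:DescribeInstanceInformation, ssm:ListAssociations, ssm:DescribeAssociationExecutions and ssm:StartAssociationsOnce, and that the instance ID is a placeholder you replace; the association is found by the awsconfig_Domain_ document-name prefix described above.

```powershell
# Added example, not code from the AWS article. Requires AWS.Tools.SimpleSystemsManagement
# and credentials for ssm:DescribeInstanceInformation, ssm:ListAssociations,
# ssm:DescribeAssociationExecutions and ssm:StartAssociationsOnce.
$InstanceId = 'i-0123456789abcdef0'   # placeholder

function Get-DomainJoinAssociationStatus {
    param([string]$InstanceId)

    # 1. Managed-node check (the Fleet Manager step): the node must be reporting to SSM
    $info = Get-SSMInstanceInformation -Filter @{ Key = 'InstanceIds'; Values = @($InstanceId) }
    if (-not $info) { throw "$InstanceId is not a managed node (SSM Agent is not reporting)." }
    Write-Host ("Managed node {0}: PingStatus={1} AgentVersion={2}" -f $InstanceId, $info.PingStatus, $info.AgentVersion)

    # 2. Find the State Manager association(s) that target this instance with the
    #    awsconfig_Domain_<directoryid>_<domainname> document
    $assocs = Get-SSMAssociationList -AssociationFilterList @{ Key = 'InstanceId'; Value = $InstanceId } |
        Where-Object { $_.Name -like 'awsconfig_Domain_*' }
    if (-not $assocs) { throw "No awsconfig_Domain_* association targets $InstanceId." }

    foreach ($a in $assocs) {
        # 3. Most recent execution: Success, Failed or Pending, as in the console
        $last = Get-SSMAssociationExecution -AssociationId $a.AssociationId |
            Sort-Object CreatedTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            Document       = $a.Name
            AssociationId  = $a.AssociationId
            LastStatus     = $last.Status
            DetailedStatus = $last.DetailedStatus
            LastRun        = $last.CreatedTime
            ExecutionId    = $last.ExecutionId
        }
    }
}

function Invoke-DomainJoinAssociation {
    # Equivalent of "Apply association now" in the State Manager console
    param([string]$AssociationId)
    Start-SSMAssociationsOnce -AssociationId $AssociationId
}

Get-DomainJoinAssociationStatus -InstanceId $InstanceId | Format-Table -AutoSize
```

A missing node in step 1 means the agent, instance profile or network path to Systems Manager is the problem, not the directory. Once the earlier checks pass, call Invoke-DomainJoinAssociation with the AssociationId from the table and rerun Get-DomainJoinAssociationStatus until LastStatus reads Success.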

Confirm that you can manually join the instance to the domain

Verify that your account has the required permission to add computer objects to the domain. For more information, see Delegate directory join privileges for AWS Managed Microsoft AD.

Note: To create new EC2 Windows instances, use the Microsoft tool Sysprep to create a standardized Amazon Machine Image (AMI).

Confirm a successful seamless domain join

To verify that the troubleshooting steps resolved your issue, try to rejoin a domain:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose State Manager.
  3. Select the association that you created to join the domain, and then choose Apply association now.
  4. Verify that the Status is Success.

Review logs to find error messages

If you still can't join a domain, then review the following logs on the instance to find error messages.

Using SSM Agent logs:

To see AWS Systems Manager Agent (SSM Agent) logs, go to %PROGRAMDATA%\Amazon\SSM\Logs\.

Using the Netsetup.log file:

To open the log file, run the following command in a command prompt:

%windir%\debug\netsetup.log

Expected error codes and behaviors for each port in the NetSetup.log output

TCP 88 – Kerberos authentication:

NetUseAdd to \\serverDC1.example.com\IPC$ returned 64
NetpJoinDomainOnDs: status of connecting to dc '\\serverDC1.example.com':0x40
NetpJoinDomainOnDs: Function exits with status of: 0x40
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'example.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'example.com': 0x0
NetpDoDomainJoin: status: 0x40

TCP 389 – LDAP:

NetpLdapBind: ldap_bind failed on serverDC1.example.com: 81: Server Down
NetpJoinCreatePackagePart: status:0x3a.
NetpJoinDomainOnDs: Function exits with status of: 0x3a
NetpJoinDomainOnDs: status of disconnecting from '\\serverDC1.example.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'example.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'example.com': 0x0
NetpDoDomainJoin: status: 0x3a

UDP 389 – LDAP:

NetpCheckDomainNameIsValid [ Exists ] for 'example.com' returned 0x54b
NetpJoinDomainOnDs: Domain name is invalid,
NetpValidateName returned: 0x54b
NetpJoinDomainOnDs: Function exits with status of: 0x54b
NetpJoinDomainOnDs: NetpResetIDNEncoding on '(null)': 0x0
NetpDoDomainJoin: status: 0x54b

UDP 53 – DNS:

When UDP DNS traffic isn't allowed, the domain join workflow doesn't create any output in the NetSetup.log file. To test the DNS server, run the following PowerShell command:

Note: In your command, replace YourIPAddress with the IP address for your DNS server.

Test-DnsServer -IPAddress YourIPAddress

For information about NetSetup.log error codes, see How to troubleshoot errors that occur when you join Windows-based computers to a domain on the Microsoft website.

Using Event Viewer logs:

  1. On the Windows taskbar, choose Search, enter "event viewer", and then choose Event Viewer to open the tool.
  2. In the navigation pane, expand Windows Logs, and then choose System.
  3. Review the Date and Time column to identify events that occurred during the domain join operation.
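A small PowerShell helper for the two log sources above, as an added example that is not part of the AWS article: it maps the final NetpDoDomainJoin status in NetSetup.log to the blocked port that the table above associates with it, treats a log with no NetpDoDomainJoin output as the UDP 53 case, and pulls the System event log entries from the window of the join attempt. The sample log text is constructed from the article's own excerpts; the event-provider filter is an assumption, not a list from the article.

```powershell
# Added example, not code from the AWS article. The status-to-port mapping is
# the article's NetSetup.log table; the sample log below is constructed from
# the article's excerpts. Run on the instance against the real log instead.

# Final NetpDoDomainJoin status -> blocked port, per the article's table
$JoinStatusHints = @{
    '0x40'  = 'TCP 88 (Kerberos) blocked: NetUseAdd to \\DC\IPC$ returned 64'
    '0x3a'  = 'TCP 389 (LDAP) blocked: ldap_bind failed, Server Down'
    '0x54b' = 'UDP 389 (LDAP) blocked: NetpValidateName returned 0x54b, domain name reported invalid'
}

function Get-NetSetupJoinDiagnosis {
    param([string[]]$LogLines)

    # A join that never reaches a DC writes no NetpDoDomainJoin line at all,
    # which the article attributes to UDP 53 (DNS) being blocked.
    $statusLine = $LogLines |
        Where-Object { $_ -match 'NetpDoDomainJoin: status: 0x[0-9a-fA-F]+' } |
        Select-Object -Last 1
    if (-not $statusLine) {
        return [pscustomobject]@{
            Status = $null
            Hint   = 'No NetpDoDomainJoin output: check UDP 53 (DNS) with Test-DnsServer'
        }
    }

    $code = [regex]::Match($statusLine, '0x[0-9a-fA-F]+').Value.ToLower()
    [pscustomobject]@{
        Status = $code
        Hint   = $(if ($JoinStatusHints.ContainsKey($code)) { $JoinStatusHints[$code] }
                   else { 'Status not in the table; see the Microsoft NetSetup.log troubleshooting article' })
    }
}

function Get-DomainJoinSystemEvents {
    # Event Viewer equivalent: System log entries in the window around the join attempt.
    # The provider filter is an assumption chosen to surface join, Kerberos, DNS and
    # Netlogon events; drop the Where-Object to see everything in the window.
    param([datetime]$Start, [datetime]$End = (Get-Date))
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Join|Kerberos|DNS|Netlogon|LsaSrv' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Constructed sample: the TCP 389 excerpt from the article
$sampleLog = @'
NetpLdapBind: ldap_bind failed on serverDC1.example.com: 81: Server Down
NetpJoinCreatePackagePart: status:0x3a.
NetpJoinDomainOnDs: Function exits with status of: 0x3a
NetpDoDomainJoin: status: 0x3a
'@ -split "`r?`n"

Get-NetSetupJoinDiagnosis -LogLines $sampleLog

# On the instance:
# Get-NetSetupJoinDiagnosis -LogLines (Get-Content "$env:windir\debug\netsetup.log")
# Get-DomainJoinSystemEvents -Start (Get-Date).AddHours(-1) | Format-Table -Wrap
```

On the constructed sample the diagnosis reports Status 0x3a with the TCP 389 hint. The parser takes the last NetpDoDomainJoin line because the log accumulates across attempts, so an old failure higher up must not mask the current one.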

Related information

Join an EC2 instance to your AWS Managed Microsoft AD directory

AWS OFFICIAL. Updated 9 months ago.