FSx for NetApp ONTAP - Can't join domain


Hi there. When I try to join my domain (using Directory Service), I receive the following error:

Amazon FSx is unable to establish a connection with your Active Directory domain controller(s) because the service account credentials provided are invalid. To fix this problem, delete your storage virtual machine and create a new one using a valid service account as recommended in the Amazon FSx user guide.

I have read the user guide and followed all the steps. Now I am using the same security group as the domain controller and allowing all traffic inside the SG. I checked with Reachability Analyzer, and the ENI from FSx can communicate with the domain controller. I also tried using the domain admin, just to make sure, but for some reason it does not work. Has any of you experienced something similar?

1 answer
Accepted answer

Hello! I was actually testing this in my lab last week and I got it to work. The above message points to a lack of permissions on the account used to join the directory, not connectivity, as the reason behind the issue. A couple of questions come to mind:

  1. Are you using AWS Managed AD or a self-managed/on-prem AD with AD Connector?

  2. If using AD Connector, have you performed the delegation of permissions as explained at this link? https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/self-managed-AD-best-practices.html. You might also need to supply the OU.

  3. If using Managed AD, you need to specify the OU where the computer object of the storage virtual machine will be created. Since you are not the full domain admin of the Managed AD, you will need to supply the provisioned OU (i.e. OU=<yourdomain>,DC=<yourdomain>,DC=<yoursuffix>) that you used to create the Managed AD (or any OU beneath it).

  4. You might consider testing joining the domain using ONTAP's CLI interface (the placeholders in angle brackets are the DNS server IPs and SVM name you supply):

    vserver services name-service dns create -vserver <svm_name> -domains example.local -name-servers <dns_server_1>,<dns_server_2>

    vserver cifs create -vserver <svm_name> -cifs-server svm1 -domain example.local -ou "OU=OUName,DC=Domain,DC=com"

I haven't tested the CLI route, but you can find more information at this link: https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-991%2Fvserver__active-directory__create.html&cp=2_2_29_17_0. The advantage of using the CLI is that you don't need to delete the SVM between retries. Still, I would advise continuing to use the AWS console for the time being, as that's all I used when testing in my lab.

answered 2 years ago
verified 2 months ago
  • Thanks Francisco. Your point #3 made the difference and saved me a LOT of time. Thank you once again!
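The following script is an added example illustrating point #3 of the accepted answer; it is not part of the original thread and not AWS's own tooling. It derives the OU distinguished name that AWS Managed Microsoft AD provisions for a domain (an OU named after the NetBIOS name directly under the domain root), builds the `--active-directory-configuration` JSON for `aws fsx create-storage-virtual-machine` with that OU filled in, and reads the SVM lifecycle back so a failed join reports its reason instead of being discovered later in the console. It assumes AWS CLI v2 is installed and credentialed; the domain `corp.example.com`, the DNS IPs, the service account `svc-fsx` and the environment variables `FSX_AD_PASSWORD` and `FSX_FILE_SYSTEM_ID` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS.
# Assumptions: AWS CLI v2 configured; all domain names, IPs and account names
# below are placeholders you replace with your own.

# AWS Managed Microsoft AD delegates you an OU named after the NetBIOS name,
# directly under the domain root: OU=<netbios>,DC=<label>,DC=<label>,...
# The NetBIOS name defaults to the first label of the FQDN unless you chose
# another one when the directory was created; pass it as the second argument.
ou_from_domain() {
  fqdn=$1
  netbios=${2:-${fqdn%%.*}}
  dn=""
  rest=$fqdn
  while [ -n "$rest" ]; do
    label=${rest%%.*}
    dn="${dn:+$dn,}DC=$label"
    case $rest in
      *.*) rest=${rest#*.} ;;
      *)   rest="" ;;
    esac
  done
  printf 'OU=%s,%s\n' "$netbios" "$dn"
}

# JSON for --active-directory-configuration. The join account only needs the
# delegated rights on that OU, not Domain Admins. The password is an argument
# so it can come from an environment variable or a secrets store, never a literal
# in the script. Assumes the password contains no '"' or '\' (if it may, build
# the JSON with jq instead of printf).
svm_ad_config() {
  netbios=$1 domain=$2 ou=$3 user=$4 password=$5 dns1=$6 dns2=$7
  printf '{"NetBiosName":"%s","SelfManagedActiveDirectoryConfiguration":{"DomainName":"%s","OrganizationalUnitDistinguishedName":"%s","UserName":"%s","Password":"%s","DnsIps":["%s","%s"]}}\n' \
    "$netbios" "$domain" "$ou" "$user" "$password" "$dns1" "$dns2"
}

# Lifecycle of an SVM plus the reason FSx recorded for its last transition.
# A failed AD join shows up as MISCONFIGURED with the same message the question quotes.
svm_status() {
  aws fsx describe-storage-virtual-machines \
    --storage-virtual-machine-ids "$1" \
    --query 'StorageVirtualMachines[0].[Lifecycle,LifecycleTransitionReason.Message]' \
    --output text
}

# The AWS calls only run when invoked with --run, so the functions above can be
# sourced and exercised offline.
if [ "${1:-}" = "--run" ]; then
  DOMAIN=corp.example.com                      # placeholder AWS Managed AD domain
  OU=$(ou_from_domain "$DOMAIN")               # -> OU=corp,DC=corp,DC=example,DC=com
  CONFIG=$(svm_ad_config svm1 "$DOMAIN" "$OU" svc-fsx \
    "${FSX_AD_PASSWORD:?set FSX_AD_PASSWORD}" 10.0.0.10 10.0.1.10)
  SVM_ID=$(aws fsx create-storage-virtual-machine \
    --file-system-id "${FSX_FILE_SYSTEM_ID:?set FSX_FILE_SYSTEM_ID}" \
    --name svm1 \
    --active-directory-configuration "$CONFIG" \
    --query 'StorageVirtualMachine.StorageVirtualMachineId' --output text)
  echo "created $SVM_ID"
  svm_status "$SVM_ID"
fi
```

If `svm_status` reports MISCONFIGURED, the message is the one to act on (for the error in the question, the account's rights on the OU), and as the answer notes the SVM then has to be deleted before the next attempt, so getting the OU right up front is what saves the retry loop.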
