Adding Storage Gateway to AD Domain via CLI

0

Hi

We have a problem with Storage Gateway joining the domain via CLI (version: aws-cli/1.16.93 and aws-cli/1.16.90).
When we run the following command "$ aws storagegateway join-domain....", it returns:

An error occurred (InvalidGatewayRequestException) when calling the JoinDomain operation: The gateway cannot connect to the specified domain.

This is the command we used:
aws storagegateway join-domain --gateway-arn arn:aws:storagegateway:<region>:<account-id>:gateway/<gateway-id> --domain-name <our-domainname> --organizational-unit "OU=<our-ou-name>,DC=<our-domain>,DC=COM" --domain-controllers <our-dc-ip> --user-name <username> --password <password>

Could someone help us debug why we are unable to join the Domain?

We already checked the following:
- The specified DC is reachable and the necessary ports are open
- All inbound/outbound traffic is allowed between the Storage Gateway and the specified DC
- The Storage Gateway can resolve the domain name
- The DHCP options set specifies the correct DC and domain name in the search list
- The user and/or OU has the right to join the domain
- The user and password are correct
- Another Windows instance in the same subnet and same security group can join the domain

  • Added additional reachable DCs to the domain-controllers list, and the problem remains

Thank you,

posted 5 years ago, 703 views
2 Answers
0

Please check the logs on your Domain Controller/AD for any errors. Most probably the error is being returned by your DC/AD. You can also capture the network packets while you are executing the "join-domain" operation to confirm that the error is returned by the DC/AD.

Can you please PM me your Storage Gateway ID & the Region?

AWS
answered 5 years ago
0

Hi shashi-AWS,

Thank you for your advice.
After discussion with our DC/AD admins, we found an error log in Event Viewer.
-> Event Id:16642, Directory-Service-SAM, The account-identifier allocator was unable to assign a new identifier.

It was because the DC in AWS does not have connectivity with the FSMO role holder DC. After we switched the site-to-site VPN to another site which has a DC with the FSMO role, the storage gateway could successfully join the domain with the same command I posted initially.

Again, thank you for your help.

answered 5 years ago
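
The check that resolved this thread, written out as an added example (not code from any of the posters): run on the domain controller the gateway is pointed at, it looks for Event ID 16642 and tests whether that DC can reach the domain's FSMO role holders. It assumes the ActiveDirectory PowerShell module is installed and that the event is recorded in the System log; the 24-hour window and the port list are illustrative choices.

```powershell
# Added example: run in an elevated PowerShell session on the DC named in --domain-controllers.
Import-Module ActiveDirectory

# Look-back window for the event search (assumption: the failed join was within the last day).
$since = (Get-Date).AddHours(-24)

# 1. Event 16642: the account-identifier (RID) allocator could not assign a new identifier,
#    so this DC cannot create the computer account that a domain join needs.
$ridEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'      # assumption: SAM events are written to the System log
    Id        = 16642
    StartTime = $since
} -ErrorAction SilentlyContinue

# 2. Domain-level FSMO role holders. The RID master is the one that hands out RID pools.
$domain = Get-ADDomain
$roles = [ordered]@{
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

# 3. Test reachability from this DC to each role holder on RPC endpoint mapper (135) and LDAP (389).
$results = foreach ($role in $roles.GetEnumerator()) {
    foreach ($port in 135, 389) {
        $t = Test-NetConnection -ComputerName $role.Value -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role      = $role.Key
            Holder    = $role.Value
            Port      = $port
            Reachable = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# 4. Summarise: the combination seen in this thread is 16642 events plus an unreachable role holder.
$unreachable = $results | Where-Object { -not $_.Reachable }
if ($ridEvents -and $unreachable) {
    Write-Warning "Event 16642 logged $(@($ridEvents).Count) time(s) and a FSMO role holder is unreachable."
} elseif ($ridEvents) {
    Write-Warning "Event 16642 logged, but all role holders answered on the tested ports."
} else {
    Write-Output "No Event 16642 since $since."
}

# 5. Built-in directory diagnostic for the RID master and this DC's RID pool.
dcdiag /test:RidManager /v
```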
