Why can't I seamlessly join my Amazon EC2 Windows instance to an AWS Managed Microsoft AD directory?
I can't seamlessly join my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance to AWS Directory Service for Microsoft Active Directory.
Resolution
Note: If you use Amazon Virtual Private Cloud (Amazon VPC) interface endpoints for AWS Systems Manager, then the Windows Server instances can still join a domain. However, the VPC endpoints must allow access to the AWS Managed Microsoft AD APIs and domain controllers. For more information, see VPC endpoint restrictions and limitations.
Verify your OS
Confirm that you use an operating system (OS) that Systems Manager supports.
Verify your IAM role policies
To verify that your AWS Identity and Access Management (IAM) role has the correct managed policies attached, complete the following steps:
- Open the IAM console.
- In the navigation pane, choose Roles.
- Choose the Role name for the IAM role that's associated with your EC2 instance.
- Choose the Permissions tab.
- For Permissions policies, confirm that you attached the AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore policies.
- If you didn't attach the permissions policies, then choose Add permissions.
- Choose Attach policies.
- Enter the policy names in the search bar, and then choose the missing policy.
- Choose Add permissions.
Verify that the required ports are open
The directory's security group must allow ports 53, 88, and 389.
To locate and review the security group for your directory, complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Security Groups.
- Under Security group name, search for directoryid_controllers. The value for directoryid is your directory ID. For example, in d-1234567891_controllers, the directory ID is d-1234567891.
- Choose the Security group ID of the directory controller's security group.
- Choose the Inbound rules and Outbound rules tabs to check the port information. If a required port is missing, then add the port to the security group.
- Repeat steps 2-5 for the security group that's attached to the EC2 instance. Confirm that the instance's security group allows outbound connection to the directoryid_controllers security group.
To test connectivity from the instance to the directory on the required ports, you can use the PortQry command line tool. For more information, see Using the PortQry command-line tool on the Microsoft website.
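The following PowerShell script is an added example, not part of the re:Post article. It checks, from the instance, whether the three ports the article names (53, 88, 389) are reachable over TCP on each directory domain controller. The directory IP addresses are constructed placeholders; replace them with the DNS addresses shown for your directory in the Directory Service console.

```powershell
# Added example (not from the re:Post article): TCP reachability of the
# directory ports listed above, tested from the EC2 instance itself.
$DirectoryIps = @('10.0.0.10', '10.0.1.10')   # constructed placeholders
$Ports        = @(53, 88, 389)                # DNS, Kerberos, LDAP

$results = foreach ($ip in $DirectoryIps) {
    foreach ($port in $Ports) {
        # Test-NetConnection attempts a TCP handshake; -WarningAction keeps the
        # per-failure warning out of the table below.
        $t = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DirectoryIp = $ip
            Port        = $port
            TcpOpen     = $t.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# A closed port points at the security group rules described above
# (directoryid_controllers inbound, the instance's outbound) or a host firewall.
$closed = $results | Where-Object { -not $_.TcpOpen }
if ($closed) {
    $list = ($closed | ForEach-Object { "$($_.DirectoryIp):$($_.Port)" }) -join ', '
    Write-Warning "Blocked TCP ports: $list"
}
```

Test-NetConnection only exercises TCP. DNS and Kerberos also use UDP on the same port numbers, so a clean result here does not rule out a UDP block; PortQry, referenced above, can test UDP as well.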
Verify that the DNS servers on your instance point to the directory's DNS servers
To view the network adapter configuration on the instance, run the following command:
ipconfig /all
In the output, check the IP addresses listed for DNS Servers.
Then, complete the following steps to locate the directory's DNS servers:
- Open the AWS Directory Service console.
- In the navigation pane, choose Directories.
- Choose the Directory ID of your directory.
- Make sure that the value for DNS address matches the IP addresses in the output for ipconfig. If they don't match, then you must configure the instance to use the directory's DNS servers.
To configure the instance to use the directory's DNS servers, complete the following steps:
- Use the Remote Desktop Protocol (RDP) to connect to your instance.
- Run the following command to open Network Connections:
%SystemRoot%\system32\control.exe ncpa.cpl
- Open the context (right-click) menu for any active network connection, and then choose Properties.
- In the Connection Properties dialog box, open (double-click) Internet Protocol Version 4.
- Select Use the following DNS server addresses.
- For Preferred DNS server and Alternate DNS server, enter the IP addresses of the DNS servers that AWS Managed Microsoft AD provided, and then choose OK.
Confirm that you can resolve the domain name from the instance
To confirm that you can resolve the domain name from your instance, run one of the following commands, depending on the command line tool that you use.
PowerShell:
Resolve-DnsName domainname
Command prompt:
nslookup domainname
Note: Replace domainname with your domain name.
Check the DNS server configuration
Verify that you correctly configured the instance's DNS server. Run the following command to check whether the instance can locate and communicate with a domain controller in the target domain:
nltest /dsgetdc:domainname /force
Note: Replace domainname with the DNS name, not the NetBIOS name. For example, for the example.com domain, the DNS name is example.com and the NetBIOS name is example. For more information about this command, see Nltest on the Microsoft website.
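The following PowerShell script is an added example, not part of the re:Post article. It combines the DNS checks in the preceding sections: it compares each adapter's DNS client settings with the directory's DNS addresses, resolves the domain name, resolves the domain controller locator SRV record that the Netlogon service depends on, and then runs the nltest command from the article. The domain name reuses the article's example.com; the directory IP addresses are constructed placeholders.

```powershell
# Added example (not from the re:Post article): DNS client configuration and
# domain controller discovery checks, run on the EC2 instance.
$DomainName   = 'example.com'                 # the article's example domain
$DirectoryIps = @('10.0.0.10', '10.0.1.10')   # constructed placeholders

# 1. Which DNS servers does each IPv4 adapter use? (Same data as ipconfig /all.)
$dnsClient = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
$dnsClient | Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Flag adapters that do not point at the directory's DNS servers.
foreach ($adapter in $dnsClient) {
    $missing = $DirectoryIps | Where-Object { $_ -notin $adapter.ServerAddresses }
    if ($missing) {
        Write-Warning "$($adapter.InterfaceAlias) is missing directory DNS server(s): $($missing -join ', ')"
        # Scripted equivalent of the ncpa.cpl steps above; uncomment to apply:
        # Set-DnsClientServerAddress -InterfaceIndex $adapter.InterfaceIndex -ServerAddresses $DirectoryIps
    }
}

# 3. Resolve the domain name itself (A records of the domain controllers).
Resolve-DnsName -Name $DomainName -Type A -ErrorAction Stop |
    Format-Table Name, IPAddress -AutoSize

# 4. Resolve the DC locator SRV record. The Netlogon DC locator (what
#    nltest /dsgetdc exercises) relies on this record, so it must resolve
#    through the directory's DNS servers even when the A records do.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } |
    Format-Table NameTarget, Port, Priority, Weight -AutoSize

# 5. Ask the DC locator directly, as the article does (DNS name, not NetBIOS name).
nltest /dsgetdc:$DomainName /force
```

Steps 3 and 4 use -ErrorAction Stop so the script halts at the first lookup that fails; that failing lookup is the one to troubleshoot before moving on to the State Manager and log checks.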
If you receive an error message in the output, then troubleshoot the issue that's listed in the error.
Verify that the instance is a managed instance
Only managed instances can join an Active Directory.
Complete the following steps to verify that your instance is a managed instance in Fleet Manager, a capability of AWS Systems Manager:
- Open the Systems Manager console.
- In the navigation pane, choose Fleet Manager.
- Choose the Managed nodes tab.
- Confirm that the instance is listed and is online. If you can't find the instance, then see Why isn't Systems Manager showing my Amazon EC2 instance as a managed instance?
Confirm that the instance has a State Manager association
The awsconfig_Domain_directoryid_domainname document must have an association with State Manager, a capability of AWS Systems Manager, for the instance.
To check the State Manager association for issues, complete the following steps:
- Open the Systems Manager console.
- In the navigation pane, choose State Manager.
- In the search bar, select Instance Id and Equal, and then enter the instance ID.
- Choose the association ID.
- Confirm that the Status is Success, and then choose Execution history to check the status of other association executions.
If the Status is Failed, then choose Execution id, and then choose Output to review the output details and identify the cause of the issue.
If the Status is Pending, then check the logs on the EC2 instance for error messages that help you identify the cause of the issue. For instructions, proceed to Review logs to find error messages.
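The following PowerShell script is an added example, not part of the re:Post article. It performs the Fleet Manager and State Manager checks from the two preceding sections with the AWS CLI instead of the console, which is convenient when checking several instances. The instance ID is a constructed placeholder, and the caller's credentials need the ssm:DescribeInstanceInformation and ssm:DescribeInstanceAssociationsStatus permissions.

```powershell
# Added example (not from the re:Post article): managed-node and State Manager
# association checks via the AWS CLI, run from any machine with the CLI configured.
$InstanceId = 'i-0123456789abcdef0'   # constructed placeholder

# 1. Is the instance a managed node, and is SSM Agent still pinging?
$info = aws ssm describe-instance-information `
    --filters "Key=InstanceIds,Values=$InstanceId" --output json | ConvertFrom-Json
$node = $info.InstanceInformationList | Select-Object -First 1
if (-not $node) {
    Write-Warning "$InstanceId is not a managed node. Check the IAM role policies, SSM Agent, and Systems Manager endpoint reachability first."
    return
}
"{0}: PingStatus={1} AgentVersion={2} LastPing={3}" -f `
    $node.InstanceId, $node.PingStatus, $node.AgentVersion, $node.LastPingDateTime

# 2. List every State Manager association for the instance with its last status.
$assoc = aws ssm describe-instance-associations-status --instance-id $InstanceId --output json |
    ConvertFrom-Json
$assoc.InstanceAssociationStatusInfos |
    Select-Object Name, AssociationId, Status, DetailedStatus, ExecutionDate |
    Format-Table -AutoSize

# 3. Single out the domain join document (awsconfig_Domain_directoryid_domainname)
#    and show where its output went when the last execution did not succeed.
$join = $assoc.InstanceAssociationStatusInfos | Where-Object { $_.Name -like 'awsconfig_Domain_*' }
if (-not $join) {
    Write-Warning "No awsconfig_Domain_* association is targeted at $InstanceId."
}
foreach ($a in $join) {
    if ($a.Status -ne 'Success') {
        Write-Warning "Association $($a.AssociationId) is $($a.Status): $($a.ErrorCode) $($a.ExecutionSummary)"
        if ($a.OutputUrl.S3OutputUrl.OutputUrl) {
            "Execution output: $($a.OutputUrl.S3OutputUrl.OutputUrl)"
        }
    }
}
```

A Pending status with a healthy PingStatus usually means the agent has not yet run the association; a Failed status with an ExecutionSummary is the same information the console shows under Output.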
Check whether you can manually join the instance to the domain
Make sure that you configured your AWS account to have the required permissions to add computer objects to the domain.
Note: To create new Windows instances, use the Microsoft tool Sysprep to create a standardized Amazon Machine Image (AMI).
Review logs to find error messages
If you still can't join a domain, then check the following instance logs for error messages.
SSM Agent logs
Check the AWS Systems Manager Agent (SSM Agent) logs.
Netsetup.log file
To open the NetSetup.log file, run the following command in a command prompt:
%windir%\debug\netsetup.log
To troubleshoot NetSetup.log errors, see Troubleshoot networking errors that occur when you join Windows-based computers to a domain on the Microsoft website.
If your security groups or firewall block UDP traffic, then the domain join workflow doesn't create outputs in the NetSetup.log file. To test the DNS connectivity to the DNS server, run the following PowerShell command:
Test-DnsServer -IPAddress YourIPAddress
Note: Replace YourIPAddress with the IP address for your DNS server.
Event Viewer logs
To check the Event Viewer logs, complete the following steps:
- Choose the Start menu, and then enter Event viewer.
- Choose Event Viewer.
- In the navigation pane, expand Windows Logs, and then choose System.
- Check the Date and Time column to identify events that occurred during the domain join operation.
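The following PowerShell script is an added example, not part of the re:Post article. It gathers error lines from the three log sources named in this section for a time window around the domain join attempt: the NetSetup.log path comes from the article, the SSM Agent log path is the agent's default location on Windows (an assumption; confirm it on your build), and the System event log query reproduces the Event Viewer filtering by date and time.

```powershell
# Added example (not from the re:Post article): collect error lines from
# SSM Agent, NetSetup.log, and the System event log on the instance.
$Since = (Get-Date).AddHours(-2)   # adjust to the time of the join attempt

$logs = @{
    'NetSetup.log' = "$env:windir\debug\netsetup.log"                       # from the article
    'SSM Agent'    = "$env:ProgramData\Amazon\SSM\Logs\amazon-ssm-agent.log" # assumed default path
}

foreach ($name in $logs.Keys) {
    $path = $logs[$name]
    if (-not (Test-Path $path)) {
        # A missing NetSetup.log is itself a clue: the article notes that blocked
        # UDP traffic can stop the join workflow before it writes anything there.
        Write-Warning "$name not found at $path"
        continue
    }
    "=== $name ($path) ==="
    # NetSetup.log reports failures as 0x... status codes; SSM Agent tags lines with ERROR.
    # Select-String is case-insensitive by default.
    Select-String -Path $path -Pattern 'error|fail|0x[0-9a-f]{4,}' |
        Where-Object { $_.Line.Length -gt 0 } |
        Select-Object -Last 25 |
        ForEach-Object { $_.Line }
}

# System event log at Critical (1), Error (2), and Warning (3) level since the
# join attempt, matching the Event Viewer steps above.
"=== System event log since $Since ==="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Since; Level = 1, 2, 3 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session; reading the System log and the debug directory requires administrator rights. The Message column keeps only the first line of each event so the table stays readable; rerun Get-WinEvent without the Select-Object projection to see the full text of a specific event.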
To further troubleshoot issues, see Active Directory domain join troubleshooting guidance on the Microsoft website.
Related information
Ways to join an Amazon EC2 instance to your AWS Managed Microsoft AD
Joining an Amazon EC2 Windows instance to your AWS Managed Microsoft AD Active Directory