FSx for NetApp ONTAP - Can't join domain


Hi there, When I am trying to join my domain (using Directory service), I am receiving the following error:

Amazon FSx is unable to establish a connection with your Active Directory domain controller(s) because the service account credentials provided are invalid. To fix this problem, delete your storage virtual machine and create a new one using a valid service account as recommended in the Amazon FSx user guide.

I have read the user guide, and followed all the steps. Now, I am using the same security group as the domain controller and allowing all traffic inside the sg. I checked with Reachability analyzer, the ENI from fsx can communicate with the domain controller's domain controller. I also tried to use the domain admin, just to make sure - but for some reason it does not work. Did any of you experienced something similar?

1개 답변
수락된 답변

Hello! I was actually testing this on my lab last week and I got it to work. The above message points to lack of permissions on the account used to join to the Directory, not connectivity as the reason behind the issue. A couple of questions come to mind:

  1. Are you using AWS Managed AD or a self managed/onprem AD with AD Connector?

  2. If using AD Connector, have you performed the delegation of permissions as explained on this link? https://docs.aws.amazon.com/fsx/latest/ONTAPGuide/self-managed-AD-best-practices.html. You might also need to supply the OU.

  3. If using Managed AD, you need to specify the OU where the computer object of the storage virtual machine will be created. Since you are not the full domain admin of the Managed AD, you will need to supply the provisioned OU (i.e OU=<yourdomain>,DC=<yourdomain>,DC=<yoursuffix>) that you used to create the Managed AD (or any OU beneath it)

  4. You might consider testing joining the domain using ONTAP's CLI interface:

    services name-service dns create -domains example.local -name-servers,,

    vserver cifs create -cifs-server svm1 -domain example.local -ou “OU=OUName,DC=Domain,DC=com”

I haven't tested the CLI route, but you can find more information in this link https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-991%2Fvserver__active-directory__create.html&cp=2_2_29_17_0. The advantage of using the CLI is that you don't need to delete the SVM between each retry. Still, I would advise to continue using the AWS console for the time being, as that's all I used when testing in my lab.

지원 엔지니어
답변함 2년 전
profile picture
검토됨 2달 전
  • Thanks Francisco, Your point #3 made the difference and saved me a LOT of time. Thank you once again!

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠