EC2 AD Join using AD Connector

0

Hi,

The objective of my issue is to automate EC2 AD join. EC2 will be deployed in AWS VPC with is connected to Corporate Network using TGW.

  • DC is OnPrem.

Disclaimer: This server has connectivity to the AD. In fact, if I try to join the domain manually, it works too.

Directory Service Port Test:

S C:\Users\Administrator\Desktop\test1\DirectoryServicePortTest> .\DirectoryServicePortTest.exe -d x.x.x.x.x-ip x.x.x.x -tcp "53,88,389" -udp "53,88,389"
Testing forest functional level.
The x.x.x.x could not be found.
 
Testing TCP ports to  x.x.x.x:
Checking TCP port 53: PASSED
Checking TCP port 88: PASSED
Checking TCP port 389: PASSED
 
Testing UDP ports to  x.x.x.x:
Checking UDP port 53: PASSED
Checking UDP port 88: PASSED
Checking UDP port 389: PASSED
 
Press <enter> to continue.
PS C:\Users\Administrator\Desktop\test1\DirectoryServicePortTest>

I've deployed AD Connector based on following guide

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_getting_started.html

DNS works for domain name and for following endpoints:

  • my.domain.name
  • ssm.eu-central-1.amazonaws.com
  • ec2messages.eu-central-1.amazonaws.com
  • ec2.eu-central-1.amazonaws.com
  • ssmmessages.eu-central-1.amazonaws.com

HTTP Connectivity:

ComputerName     : ssm.eu-central-1.amazonaws.com
RemoteAddress    : 52.119.188.195
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True  

ComputerName     : ec2messages.eu-central-1.amazonaws.com                                                               
RemoteAddress    : 52.94.138.208                                                                                        
RemotePort       : 443                                                                                                  
InterfaceAlias   : Ethernet 2                                                                                           
SourceAddress    : 10.180.6.24                                                                                          
TcpTestSucceeded : True  

ComputerName     : ec2.eu-central-1.amazonaws.com
RemoteAddress    : 52.94.141.15
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True   

ComputerName     : ssmmessages.eu-central-1.amazonaws.com                                                               
RemoteAddress    : 52.119.188.27                                                                                        
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

ComputerName     : ec2.eu-central-1.amazonaws.com
RemoteAddress    : 52.94.141.15
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

ComputerName     : ds.eu-central-1.amazonaws.com
RemoteAddress    : 54.239.55.7
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

When I look through the ssm-agent-worker logs I encounter this error:

2024-02-28 09:22:58 INFO [ssm-agent-worker] [MessageService] [Association] Updating association status {
  "ErrorCode": "",
  "ExecutionDate": "2024-02-28T09:22:58.688Z",
  "ExecutionSummary": "1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped. \nThe operation aws:domainJoin failed because Failed to create domain computer account 'EC2AMAZ-E363G22', Message=A WebException with status SendFailure was thrown.,ErrorCode=,ErrorType=Sender,StatusCode=0\r\nAmazon.Runtime.AmazonServiceException: A WebException with status SendFailure was thrown. ---\u003e System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---\u003e System.I--output truncated--",
  "OutputUrl": null,
  "Status": "InProgress"
}

IAM ROLE for Domain Join:

AmazonEC2RoleforSSM	
AmazonSSMDirectoryServiceAccess
AmazonSSMManagedInstanceCore
AmazonSSMPatchAssociation
AWSDirectoryServiceFullAccess
SecretsManagerReadWrite
Piotr
asked a month ago114 views
2 Answers
1
Accepted Answer

adding 443 rule exception on firewall for ds.eu-central-1.amazonaws.com solved the issue.

Piotr
answered a month ago
profile picture
EXPERT
reviewed a month ago
0

Error

2024-02-28 09:22:58 INFO [ssm-agent-worker] [MessageService] [Association] Updating association status {
  "ErrorCode": "",
  "ExecutionDate": "2024-02-28T09:22:58.688Z",
  "ExecutionSummary": "1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped. \nThe operation aws:domainJoin failed because Failed to create domain computer account 'EC2AMAZ-E363G22', Message=A WebException with status SendFailure was thrown.,ErrorCode=,ErrorType=Sender,StatusCode=0\r\nAmazon.Runtime.AmazonServiceException: A WebException with status SendFailure was thrown. ---\u003e System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---\u003e System.I--output truncated--",
  "OutputUrl": null,
  "Status": "InProgress"
}

Error Components

  1. Operation aws:domainJoin failed: This indicates that the specific SSM document action intended to join the EC2 instance to the Active Directory domain was unsuccessful.

  2. Failed to create domain computer account 'EC2AMAZ-E363G22': The process could not create a computer account in the Active Directory for the EC2 instance. This step is crucial for the domain join operation, as it registers the EC2 instance in the AD domain.

  3. A WebException with status SendFailure was thrown: This suggests a problem with the HTTP request made by the SSM agent or a related process. The SendFailure typically indicates that the request could not be sent over the network.

  4. The underlying connection was closed: An unexpected error occurred on a send: This further clarifies that the network connection used for the operation was unexpectedly closed during the process of sending data.

Possible Causes

  • Network Connectivity Issues: There might be issues with the network configuration, such as incorrect security group settings, network ACLs, or problems with the VPC setup, preventing successful communication with the Active Directory services.

  • Firewall or Security Appliance Blocking: A firewall, either in AWS or on-premises, could be blocking the necessary ports or protocols used for domain join operations and AD communications.

  • AD Connector or Direct AD Issue: If you're using AD Connector, there may be a configuration issue or connectivity problem between AD Connector and your on-premises AD. Alternatively, if directly connected to AD, there might be a similar connectivity or configuration issue.

  • SSM Agent or Instance Configuration: The SSM agent might be misconfigured, or there could be an issue with the instance's configuration preventing successful domain join operations.

profile picture
EXPERT
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions