Adding Storage Gateway to AD Domain via CLI


Hi

We have a problem with Storage Gateway joining the domain via CLI (version: aws-cli/1.16.93 and aws-cli/1.16.90).
When we run the following command "$ aws storagegateway join-domain....", it returns:

An error occurred (InvalidGatewayRequestException) when calling the JoinDomain operation: The gateway cannot connect to the specified domain.

This is the command we used:
aws storagegateway join-domain --gateway-arn arn:aws:storagegateway:<region>:<account-id>:gateway/<gateway-id> --domain-name <our-domainname> --organizational-unit "OU=<our-ou-name>,DC=<our-domain>,DC=COM" --domain-controllers <our-dc-ip> --user-name <username> --password <password>

Could someone help us debug why we are unable to join the Domain?

We already checked the following:
- Specified DC is reachable and the necessary ports are open
- All inbound/outbound traffic is allowed between the Storage Gateway and the specified DC
- Storage Gateway can resolve the domain name
- DHCP option sets specify the correct DC and domain name in the search list
- The user and/or OU has the right to join the domain
- The user name and password are correct
- Another Windows instance in the same subnet and same security group can join the domain
- Added additional reachable DCs to the domain-controllers list, and the problem remains

Thank you,

asked 5 years ago, 641 views
2 Answers

Please check the logs on your Domain Controller/AD for any errors. Most probably the error is being returned by your DC/AD. You can also capture the network packets while you are executing the "join-domain" operation to confirm that the error is returned by the DC/AD.

Can you please PM me your Storage Gateway ID & the Region?

AWS
answered 5 years ago

Hi shashi-AWS,

Thank you for your advice.
After discussion with our DC/AD admins, we found an error log entry in Event Viewer:
-> Event ID 16642, Directory-Service-SAM: The account-identifier allocator was unable to assign a new identifier.

It was because the DC in AWS did not have connectivity with the FSMO role holder DC. After we switched the site-to-site VPN to another site which has a DC with the FSMO role, the Storage Gateway could successfully join the domain with the same command I posted initially.

Again, thank you for your help.

answered 5 years ago
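As an added example (not part of the original thread, and not AWS's own tooling), the following bash script wraps the join-domain call from the question with the checks the two answers point at: it resolves the domain's LDAP SRV record, tests TCP reachability of each DC on the ports the join needs, builds the argument list with the OU DN passed as one quoted argument, and maps the generic "cannot connect to the specified domain" error to the DC-side checks that resolved this thread (Event ID 16642, RID master connectivity). It assumes bash 4+, coreutils `timeout`, `dig`, and a configured `aws` CLI; every ARN, domain name, OU and address below is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example: preflight and error triage around `aws storagegateway join-domain`.
# Assumes bash 4+, `timeout`, `dig` and a configured `aws` CLI. All values are placeholders.
set -euo pipefail

# Resolve the domain's LDAP SRV record; prints one DC hostname per line.
# The gateway must get the AD DNS servers (normally via the VPC DHCP option set) for this to work.
resolve_ldap_srv() {
  local domain="$1"
  dig +short SRV "_ldap._tcp.dc._msdcs.${domain}" | awk '{print $4}' | sed 's/\.$//'
}

# TCP reachability of one DC on Kerberos (88), LDAP (389) and SMB (445).
# Uses bash's /dev/tcp so nothing beyond coreutils `timeout` is required.
check_dc_ports() {
  local dc="$1" port failed=0
  for port in 88 389 445; do
    if ! timeout 3 bash -c "exec 3<>/dev/tcp/${dc}/${port}" 2>/dev/null; then
      echo "FAIL ${dc}:${port}" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Build the aws CLI argument list, one argument per line, with the OU DN kept as a
# single argument (the command in the question had an unterminated quote there).
# The password is deliberately not included; see run_join.
build_join_args() {
  local gw_arn="$1" domain="$2" ou="$3" dcs="$4" user="$5"
  printf '%s\n' storagegateway join-domain \
    --gateway-arn "$gw_arn" --domain-name "$domain" \
    --organizational-unit "$ou" --domain-controllers "$dcs" \
    --user-name "$user"
}

# Map the CLI's error text to the next thing to check. The gateway returns the same
# "cannot connect to the specified domain" text for failures that happen on the DC
# (in this thread, Directory-Service-SAM Event ID 16642 because the DC could not reach
# the RID master), so the hint points at the DC event log and a packet capture.
classify_join_error() {
  local msg="$1"
  case "$msg" in
    *"cannot connect to the specified domain"*)
      echo "check DC event log (Directory-Service-SAM 16642 => RID master unreachable) and capture packets during the join" ;;
    *InvalidGatewayRequestException*)
      echo "gateway rejected request: verify ARN, OU DN and credentials" ;;
    *)
      echo "unknown error: inspect output" ;;
  esac
}

# Run the join: prompt for the password so it stays out of shell history, then
# pass the CLI output through the classifier on failure.
run_join() {
  local password out
  read -rs -p "Join account password: " password; echo
  if out="$(aws "$@" --password "$password" 2>&1)"; then
    echo "$out"
  else
    echo "join failed: $out" >&2
    classify_join_error "$out" >&2
    return 1
  fi
}

# Example invocation (placeholders; no network access happens until these run):
#   for dc in $(resolve_ldap_srv example.com); do check_dc_ports "$dc"; done
#   mapfile -t args < <(build_join_args \
#     arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-PLACEHOLDER \
#     example.com 'OU=Gateways,DC=example,DC=com' 10.0.0.10 svc-join)
#   run_join "${args[@]}"
```

Running the preflight checks only proves the network path from the gateway to the listed DC; as the thread shows, the join also depends on that DC reaching the RID master, which is visible only in the DC's own event log (or by confirming FSMO role holders and site connectivity from the DC side).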
