EC2 Auto Domain Join using wrong DNS Servers

0

I'm using an AD Connector in a lab environment and have configured it to use internal lab AD servers, and I've specified the internal DNS server IPs. Domain join fails, and I notice that the EC2 instance is using the default VPC DNS server, not the DNS servers specified in the AD Connector or the same ones in the domain join JSON document. The DNS IPs listed below are correct but in a different region than the EC2 instance; the VPCs are peered, and the EC2 instance can perform nslookup operations against both DNS servers.

Any idea why new EC2 servers are not given these IP addresses when requested to join this domain? Do they have to be in the same VPC?

aws ssm get-document --name "awsconfig_Domain_d-9067434477_SteveCoOregon.com"

{
    "Name": "awsconfig_Domain_d-9067434477_SteveCoOregon.com",
    "CreatedDate": "2022-03-11T03:27:45.633000+00:00",
    "DocumentVersion": "1",
    "Status": "Active",
    "Content": "{\"schemaVersion\": \"1.0\",\"description\": \"Automatic Domain Join Configuration created by EC2 Console.\",\"runtimeConfig\": {\"aws:domainJoin\": {\"properties\": {\"directoryId\": \"d-9067434477\",\"directoryName\": \"SteveCoOregon.com\",\"dnsIpAddresses\": [\"**10.100.130.16**\", \"**10.100.146.64**\"]}}}}",
    "DocumentType": "Command",
    "DocumentFormat": "JSON"
}
asked 2 years ago, 920 views
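A quick offline check for the situation described in the question, added here as an example (it is not code from the post or from AWS): it unwraps the JSON-in-a-string Content of the SSM domain-join document, validates that every dnsIpAddresses entry is a real IPv4 address, and compares the list against the resolvers the instance is actually using. The document values are the ones from the question; the instance resolver list and the 10.200.0.0/16 VPC CIDR are constructed sample data, and the observation that AmazonProvidedDNS sits at the VPC base address plus two is standard VPC behaviour.

```python
import json
import ipaddress
from typing import Dict, List

# Constructed sample: the SSM document as returned by `aws ssm get-document`,
# with the two AD DNS IPs quoted in the question (bold markers removed).
SAMPLE_DOCUMENT: Dict[str, str] = {
    "Name": "awsconfig_Domain_d-9067434477_SteveCoOregon.com",
    "Content": json.dumps({
        "schemaVersion": "1.0",
        "description": "Automatic Domain Join Configuration created by EC2 Console.",
        "runtimeConfig": {"aws:domainJoin": {"properties": {
            "directoryId": "d-9067434477",
            "directoryName": "SteveCoOregon.com",
            "dnsIpAddresses": ["10.100.130.16", "10.100.146.64"],
        }}},
    }),
}

# Constructed sample of what the instance currently resolves with: only the
# VPC-provided resolver of a hypothetical 10.200.0.0/16 VPC.
SAMPLE_INSTANCE_DNS: List[str] = ["10.200.0.2"]
SAMPLE_VPC_CIDR = "10.200.0.0/16"


def expected_dns_from_document(document: Dict[str, str]) -> List[str]:
    """Unwrap the Content string (JSON inside JSON) and return dnsIpAddresses."""
    content = json.loads(document["Content"])
    props = content["runtimeConfig"]["aws:domainJoin"]["properties"]
    return list(props.get("dnsIpAddresses", []))


def invalid_addresses(addresses: List[str]) -> List[str]:
    """Entries that are not plain IPv4 literals (stray markup, hostnames, CIDRs)."""
    bad = []
    for entry in addresses:
        try:
            if ipaddress.ip_address(entry).version != 4:
                bad.append(entry)
        except ValueError:
            bad.append(entry)
    return bad


def vpc_resolver_address(vpc_cidr: str) -> str:
    """AmazonProvidedDNS answers at the VPC network address plus two."""
    net = ipaddress.ip_network(vpc_cidr)
    return str(net.network_address + 2)


def diagnose(document: Dict[str, str], instance_dns: List[str], vpc_cidr: str) -> Dict:
    """Compare the document's DNS servers with the instance's resolver list."""
    expected = expected_dns_from_document(document)
    findings = []
    bad = invalid_addresses(expected)
    if bad:
        findings.append("dnsIpAddresses entries are not valid IPv4: " + ", ".join(bad))
    vpc_dns = vpc_resolver_address(vpc_cidr)
    if vpc_dns in instance_dns:
        findings.append(f"instance still points at the VPC resolver {vpc_dns}")
    missing = [ip for ip in expected if ip not in instance_dns]
    if missing:
        findings.append("document DNS servers not set on the instance: " + ", ".join(missing))
    return {"expected": expected, "actual": list(instance_dns), "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_DOCUMENT, SAMPLE_INSTANCE_DNS, SAMPLE_VPC_CIDR)["findings"]:
        print("FINDING:", line)
```

On a Windows instance the real resolver list comes from `Get-DnsClientServerAddress -AddressFamily IPv4`; feed those addresses in place of SAMPLE_INSTANCE_DNS and the VPC CIDR from the console or `aws ec2 describe-vpcs`. An empty findings list means the instance is at least configured the way the document says it should be, which separates a DNS-configuration problem from the directory-side error shown later in the thread.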
2 Answers
0

I suggest running the SSM command document AWS-JoinDirectoryServiceDomain from the SSM console, where you can then get the output error message. See here.

Alternatively, a great way to continue to use the default VPC resolver is to configure Route 53 outbound endpoints and rules. In this model you would not need to supply the DNS values, and it has the added advantage of allowing VPC PrivateLink endpoints to utilise DNS integration.

AWS
EXPERT
Peter_G
answered 2 years ago
  • The route53 suggestion worked to resolve AD DNS using the default vpc DNS settings. It didn't fix the auto join problem.
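The Route 53 Resolver setup Peter_G describes, written out as an added example (this is not the answerer's code or an AWS-supplied script): an outbound endpoint in two subnets, a FORWARD rule sending queries for the AD domain to the domain controllers, and the association of that rule with the VPC that hosts the instances. The domain and the two DNS IPs are the ones from the question; the subnet, security group and VPC IDs are placeholders you must replace. The boto3 calls (`create_resolver_endpoint`, `create_resolver_rule`, `associate_resolver_rule`) are the real route53resolver API; the request-building functions are pure so the parameters can be inspected before anything is created.

```python
import uuid
from typing import Any, Dict, List, Optional

# Values from the question.
AD_DOMAIN = "SteveCoOregon.com"
AD_DNS_IPS = ["10.100.130.16", "10.100.146.64"]

# Placeholders (assumed, not from the page): two subnets in different AZs,
# a security group that allows UDP/TCP 53 egress to the DCs, and the
# VPC whose instances must resolve the AD domain.
OUTBOUND_SUBNET_IDS = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
OUTBOUND_SG_ID = "sg-PLACEHOLDER"
CLIENT_VPC_ID = "vpc-PLACEHOLDER"


def outbound_endpoint_params(name: str, subnet_ids: List[str], sg_id: str,
                             request_id: Optional[str] = None) -> Dict[str, Any]:
    """Parameters for create_resolver_endpoint. Outbound endpoints need at
    least two IP addresses, so two subnets in different AZs are expected."""
    if len(subnet_ids) < 2:
        raise ValueError("an outbound endpoint needs at least two subnets")
    return {
        "CreatorRequestId": request_id or str(uuid.uuid4()),  # idempotency token
        "Name": name,
        "SecurityGroupIds": [sg_id],
        "Direction": "OUTBOUND",
        "IpAddresses": [{"SubnetId": s} for s in subnet_ids],
    }


def forward_rule_params(name: str, domain: str, target_ips: List[str],
                        endpoint_id: str, request_id: Optional[str] = None) -> Dict[str, Any]:
    """Parameters for create_resolver_rule: forward the AD domain to the DCs."""
    return {
        "CreatorRequestId": request_id or str(uuid.uuid4()),
        "Name": name,
        "RuleType": "FORWARD",
        "DomainName": domain,
        "TargetIps": [{"Ip": ip, "Port": 53} for ip in target_ips],
        "ResolverEndpointId": endpoint_id,
    }


def deploy(client, domain: str, dns_ips: List[str], subnet_ids: List[str],
           sg_id: str, vpc_id: str) -> Dict[str, str]:
    """Create endpoint, rule and VPC association; returns the created IDs.
    `client` is a boto3 route53resolver client (or a test double)."""
    ep = client.create_resolver_endpoint(
        **outbound_endpoint_params(f"{domain}-outbound", subnet_ids, sg_id))
    ep_id = ep["ResolverEndpoint"]["Id"]
    rule = client.create_resolver_rule(
        **forward_rule_params(f"{domain}-forward", domain, dns_ips, ep_id))
    rule_id = rule["ResolverRule"]["Id"]
    client.associate_resolver_rule(ResolverRuleId=rule_id,
                                   Name=f"{domain}-assoc", VPCId=vpc_id)
    return {"endpoint_id": ep_id, "rule_id": rule_id}


if __name__ == "__main__":
    import boto3  # only needed for a real deployment
    r53r = boto3.client("route53resolver")
    print(deploy(r53r, AD_DOMAIN, AD_DNS_IPS, OUTBOUND_SUBNET_IDS,
                 OUTBOUND_SG_ID, CLIENT_VPC_ID))
```

With the rule associated, instances keep the VPC-provided resolver (the .2 address) and only queries for SteveCoOregon.com are forwarded to the two DCs over the peering connection, so the outbound endpoint's security group and the DCs' inbound rules only need to permit DNS on port 53 between those addresses. Because the endpoint and rule are the only place the DC addresses appear, changing a DC later means updating one rule rather than every instance's adapter settings.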

0

I ran the command manually as you suggested and received the output below. If I manually change the DNS on the instance and do a manual join from the OS, the join works.

I will look at the other suggestion you made but wanted to see if I could get this working first.

Failed to create domain computer account 'EC2AMAZ-JT656AN', Message=Could not create computer. RequestId: 1fa37045-9c5d-43a5-bfe0-f01e56873cc9 : RequestId: 1fa37045-9c5d-43a5-bfe0-f01e56873cc9,ErrorCode=InvalidParameterException,ErrorType=Unknown,StatusCode=BadRequest
Amazon.DirectoryService.Model.InvalidParameterException: Could not create computer. RequestId: 1fa37045-9c5d-43a5-bfe0-f01e56873cc9 : RequestId: 1fa37045-9c5d-43a5-bfe0-f01e56873cc9 ---> Amazon.Runtime.Internal.HttpErrorResponseException: The remote server returned an error: (400) Bad Request. ---> System.Net.WebException: The remote server returned an error: (400) Bad Request.
   at System.Net.HttpWebRequest.GetResponse()
   at Amazon.Runtime.Internal.HttpRequest.GetResponse()
   --- End of inner exception stack trace ---
   at Amazon.Runtime.Internal.HttpRequest.GetResponse()
   at Amazon.Runtime.Internal.HttpHandler`1.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.Unmarshaller.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeSync(IExecutionContext executionContext)
   --- End of inner exception stack trace ---
   at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleExceptionStream(IRequestContext requestContext, IWebResponseData httpErrorResponse, HttpErrorResponseException exception, Stream responseStream)
   at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleException(IExecutionContext executionContext, HttpErrorResponseException exception)
   at Amazon.Runtime.Internal.ErrorHandler.ProcessException(IExecutionContext executionContext, Exception exception)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.MetricsHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RuntimePipeline.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.AmazonServiceClient.Invoke[TResponse](AmazonWebServiceRequest request, InvokeOptionsBase options)
   at Amazon.EC2Services.Config.Plugins.DomainJoin.Ec2SDomainJoin.CreateComputer(DomainJoinDto domainJoinDto, String desiredComputerName, String accountCreationPassword)
Domain join failed with exception: Domain Join failed, ComputerName:EC2AMAZ-JT656AN; Message:Could not create computer. RequestId: 1fa37045-9c5d-43a5-bfe0-f01e56873cc9 : RequestId: 1fa37045-9c5d-43a5-bfe0-f01e56873cc9; ErrorCode:InvalidParameterException; ErrorType:Amazon.DirectoryService.Model.InvalidParameterException; StatusCode:BadRequest
exit status 1
answered 2 years ago
  • Were you able to resolve this issue? I am encountering the same error. Manually joining an instance works fine, but I need an Auto Scaling group to join up to my AD automatically.
