Questions tagged with AWS Directory Service

Hi I have workspace which user cannot access anymore with message 'Unable to connect ' ( with AWS workspace client ) We tried to RDP the workspace from another workspace and got following message. The Remote computer that you are trying to connect to requires Network Level Authentication NLA, but your windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the system Properties dialog box I can RDP other workspaces. We have tried to restore the workspace that did not work. I have checked the AD account for workspace, and it is there. Do not Require Kerberos pre-authentication is unticked on user’ ad account User has not changed the password. I wanted to migrate the workspace and did test migrate on working workspace and now cannot access it that is why migration is off the table as non-working workspace has important data. Can someone advice what to do next thanks in advance

Hi everyone, I have different WorkSpaces set up on different locations but the ones I have in a particular one seem to have a password expiration set up for users so I need to reset it up for them every month. Does anyone know how can it be disabled? Is this tied to the directory? Thanks, Laura

Hello, We are using AWS Managed Microsoft AD services , but recently the domain controllers(which are managed by AWS) has the issue, we can't resolve them because we don't have access to it and it seems without paying for premium support we can't ask AWS to fix the issue of their service. Please let us know what options do we have , because we are getting trust issues,RPC errors, we can't create or manage users, computer .

We have been launching windows instances using the [Seamless domain join](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html) instructions using our AD Connector for several years. Since being automatically opted-in to the new launch experience, I cannot find the option join a domain no longer appears. I can still get to it by opting-out to the old experience, but that is going to go away at some point. Am I missing this or did this feature not make it into the new experience?

Dear Experts, We want to migrate on-premise domain controller to AWS. As I understand that are two options, one is migrating to Microsoft Managed AD and second is using the two ec2 instances to create the domain controller from scratch and then add it in the existing domain controller group of on-premise. This way we will be having two domain controllers running in on-premise and two domain controller in AWS. We will remove the on-premise domain controller once we are confident with AWS installed and configured domain controllers. Which you think would be the best approach for migrating DC. I am looking for approach which is less risky and easy to execute. For example with managed Microsoft AD, do we need to keep the on-going trust setup with on-premise domain controller. What should be the strategy for the two approach. With the two approach, please share the technical steps to follow.

to maintain the desired timezone as UTC across all workspaces. i created the gpo settings suggested by the aws (https://docs.aws.amazon.com/workspaces/latest/adminguide/group_policy.html). but the group policy is working for few workspaces. whereas, for few workspaces its not working. Any suggestions?

Hi, I would like to know if it's possible to activate the Multi Factor Authentication for a Simple AD directory as I would like this to be used for all our Workspaces. Thank you

I have a multi region AWS Managed Microsoft AD Enterprise directory set up in Directory Service. The primary region is us-east-1 and the secondary region is us-west-2. I need to downgrade from Enterprise to Standard (separate topic) but before I do so, I need to change the Primary Region from us-east-1 to us-west-2. I don't see any way to do this in the documentation or in the management console. Is it possible to change the Primary Region in Managed AD Enterprise? If so, how? Thanks!

We have members that use multiple workspaces in N.Virginia (us-east-1) region. The base configuration includes Simple AD. Initially, workspaces were created in this region, yet staff can be working from other regions. This leads to performance/lag problems. I'd like to clone workspaces to other regions (both preserving the installed apps and user profile on D drive). I've followed the best practices to create an image. Image Checker did not report any problems. Then I used this image, and copied it to another region (Let's say eu-west-1). I created a new bundle with the image. So far no errors. Then, attempting to launch a new WS by using the bundle, I am prompted to create a new directory. If I create a new directory, I'm required to create a new user. (Because directories are different original user is not listed in Show All Users section). Upon launching the new WS using the settings above, indeed I see an emtpy/fresh Workspace with both installed apps lost and user profile does not retain changes in the image. Based on the info above, what could be wrong? Do I need to switch to Active Directory setup? Do we have to use external tools to make a true clone? Please kindly share your knowledge. Thank you for reading. If needed I can provide additional information.

Can a customer use the Microsoft AD on the cloud as the only AD for his company that employees authenticates to. What does it take to join the PCs and Users to the domain. Will it be over the internet. How much will the customer be paying for a team of about 20 personnel..

Hi! I built a web app on an EC2 windows instance & want to put it on my clients domain. Once the server is on the domain, the users only have to go to the server name in their browser & the app renders. I haven't worked with AWS networking & want to know if I should I use Resolver, Amazon Active Directory, or AD Connector? Preferably quick & easy. I only need to join one ec2 windows instance to my clients network. Thanks in advance!

I want to connect AWS AD with AWS SSO. I've synced the AD users with SSO and I'm able to login to the SSO application. But unable assume the role associated to the user and access the account. Giving 403 error.

This is connector is in an Inoperable state. When attempting to delete it, I get the following error: Cannot delete the directory because it still has authorized applications. Any attempt to remove the AWS Console application fails. I see that others have had similar issues and it requires technical support to resolve. Is that still the case? Thanks, John

I am trying to configure Workspaces to use MFA. I have tried setting up MFA in the AD Connector area and then tried in the Workspaces Directory area (not at the same time). In both cases it goes from Creating to Failed. On the MFA server we see a request from our expected AWS external IP with user awsfaketestuser during the MFA creation. The security group used by AD connector has 1812 TCP/UDP allowed inbound and outbound is using a NAT gateway. As we see the request from AWS on our RADIUS server, we don't suspect a network problem. We have also tried creating a user on the RADIUS host called awsfaketestuser and setting it to disabled. I'm not sure how to get more information about the error or how to fix the problem.

Hi There! I have successfully created a Service Catalog with related Portfolio and Products when my users were IAM users. I am have issues adding the SSO (sync'd with AD) users to the Portfolio though. When following this step: https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-deploy.html. It's not clear how I can add an SSO group instead of an IAM group. ASK: Is it possible to add an SSO user to the Service Catalog Portfolio? If so how? Many thanks in advance!

My website is not responding since last 10 days, it's showing Error 522 connection timed out. I have already done all the basic steps which are required to prevent this errors such as clear cookies, used different browsers etc but still it's didn't work. Please help me to fix this issue. Website: machcart.com

We have setup a test ADFS on a Windows Server 2019 EC2 in our AWS Managed Active Directory. We have enabled the ADFS sign-on page (example URL: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx). ADFS is successful for signing in with our AD credentials, and for accessing our AWS Console when tested from our ADFS server. The issue is that this URL is only opening when directly logged into the ADFS Windows Server. This sign-on URL is not available from another Windows 2019 EC2 test server that is within the same VPC and subnet. All Security Group ports, and Windows Firewalls are temporarily off on both EC2s. The servers can ping each other and using Nmap it displays all the open ports on the ADFS server. Route 53 has a hosted zone for this AWS Managed domain name, and both the ADFS server and test Windows 2019 server have DNS entries for them. We need to test accessing the ADFS sign-on from outside of the ADFS server. Is there another ADFS URL that is for this purpose or another ADFS configuration that is missing? Both links below were used for setting up ADFS on AWS Managed AD https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/ https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/ Thank you.

Hello to anyone reading, I have a question about the following, imagine that an AWS customer creates their account and chooses to use the Directory Service service for their Microsoft AD. Over the years, this company was purchased by a company and its account became a daughter account. Is it possible to migrate as a replica the Directory service with all the records of groups, users and everything else? Taking into account that after migration the Directory has to be deleted from the child account. Thank you very much.

Is it possible to use ADFS to federate with AWS VPN client? If it is possible, how can the setup for the Assertion Consumer Service (ACS) URL: http://127.0.0.1:35001 be configured in ADFS as it seems that ADFS only support https. thanks.

I'm looking for the info formerly included in an old forum thread that has disappeared with the migration to the new AWS re:Post forum. Is it possible to find the info in this thread? https://forums.aws.amazon.com/thread.jspa?threadID=261247 I'm looking for info on migrating our existing Simple AD directory to a new AWS Managed Microsoft AD directory.

Here https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_prereqs.html , in `Multi-factor authentication prerequisites` it is said that : `To support multi-factor authentication with your AWS Managed Microsoft AD directory, you must configure either your on-premises or cloud-based Remote Authentication Dial-In User Service (RADIUS) server in the following way so that it can accept requests from your AWS Managed Microsoft AD directory in AWS.` Does the AWS provide "cloud-based Remote Authentication Dial-In User Service (RADIUS) server" service? Or we really need to setup something our own? Cant we have the same MFA solution, as in the default for AWS SSO "Aws sso identity store"?

I have an on premise domain controller i'm using to test migrating to Managed Microsoft AD. We have a site-to-site VPN up on our Meraki MX68 and it's active to our VPC where the domain controller lives and all traffic is allowed in and out for the on-prem IP subnet. I added the two way trust in the on-prem DC but when I try to add the trust to AWS it says the domain controller is unreachable. YET, I'm able to ping my domain controller, RDP to it and browse the directory from an instance in EC2 on the same subnet (once authenticated). the ONLY think I can't do is ping the secondary IP address of the managed domain because that tunnel is down BUT I can ping and reach the primary one. Subnet of VPC 172.16.0.0/24 Subnet of on-prem DC 192.168.128.0/24 Neither of these are publicly routed so i'm a bit confused. (Yes these routes are propagated in the routing table). What am I doing wrong here? ACLs and Secruity groups all have the same IP range allowed for the on-prem internal subnets inbound and outbound, Firewall is off on the domain controller that's on-prem, the IP I set for the conditional forwarder matches the on-prem DC. Any assistance would be greatly appreciated.

I am using the AWS Transfer service with S3 buckets for storage and a chrooted dynamic path to create the user directory as the user is authenticated - "/mybucket/${Transfer:UserName}". This is working as expected except that when the ${Transfer:UserName} variable is used to create the user directory it matches the case that the user name was entered on the client. Authentication is via the AWS Directory service. As this is a windows system there is no distinction between lowercase and uppercase usernames. E.g. if the client specifies the username in lowercase the user directory is created in lowercase. If the client specifies the username in uppercase then the user directory is created in uppercase. This can result in multiple user directories. Is there a way to force the case of the user directory to lowercase when it is created using the ${Transfer:UserName} variable?

I'm using an AD Connector in a lab environment and have configured it to use internal lab AD Servers and I've specified the internal DNS server IPs. Domain join fails and I notice that the EC2 instance is using the default VPC DNS server not the DNS servers specified in the AD Connector or the same ones in (domain join json document). The DNS IP's listed below are correct but in a different region than the EC2 instance but the VPC's are peered and the ec2 instance can perform nslookup operations on both dns servers. Any idea why new ec2 servers are not given these IP addresses when requested to join to this domain? Do they have to be in the same VPC? aws ssm get-document --name "awsconfig_Domain_d-9067434477_SteveCoOregon.com" ``` { "Name": "awsconfig_Domain_d-9067434477_SteveCoOregon.com", "CreatedDate": "2022-03-11T03:27:45.633000+00:00", "DocumentVersion": "1", "Status": "Active", "Content": "{\"schemaVersion\": \"1.0\",\"description\": \"Automatic Domain Join Configuration created by EC2 Console.\",\"runtimeConfig\": {\"aws:domainJoin\": {\"properties\": {\"directoryId\": \"d-9067434477\",\"directoryName\": \"SteveCoOregon.com\",\"dnsIpAddresses\": [\"**10.100.130.16**\", \"**10.100.146.64**\"]}}}}", "DocumentType": "Command", "DocumentFormat": "JSON" } ```

I want to create a folder in the shared top directory of FSx. Flow Powershell commands using ssm's AWS-RunPowerShellScript. However, the executing user is ssm-user. This user is not an active directory user and access is denied. The New-Item command does not set credentials. Is it possible to create a folder in the FSx shared top directory by running the powershell command from ssm?

I would like to run powershell commands on a specified EC2 instance using AWS-RunPowerShellScript in Systems Manager's Run Command. In doing so, I would like to use the dsadd-user command to add a user in the Active directory. However, when I actually execute this, I get an "Access is denied" error because I don't have access rights. My thinking is that this is because when I run this command with ssm it is running as a local user named ssm-user. I would like to run the command as a user belonging to the active directory. Is that possible? Thank you very much.

I've been following this recipe for enabling MFA.... https://medium.com/@sjsumit10/enable-mfa-for-aws-managed-ad-using-freeradius-with-google-authenticator-caaabc450c0b The procedure works well up until I reach the final step where MFA is enabled for the AD using the AWS console. The step fails with no obvious information as to why. I believe I've verified that UDP port 1812 is open. Where can I look for hints as to what the problem is? CloudWatch logs are not providing much insight.

I have an AWS Transfer server running using an AWS Hosted Active Directory for authentication. I have a two way transitive domain trust in place with an on-premise Active Directory domain. Is it possible to use security groups form the trusted domain to grant access? I have tried to add Group SID's from the trusted domain but this results the following error: Failed to add access (1 validation error detected: Value ' <SID> at 'externalId' failed to satisfy constraint: Member must satisfy regular expression pattern: ^S-1-[\d-]+$) Setting up Access with a SID from the AWS Directory Service is working as expected.

Is there a way to receive notifications when a backup is completed as part of the automated backups for Managed Active Directory? I have reviewed the CloudTrail logs for the "CreateSnapshot" but as far as I can tell this event is never called when creating the backups

Hi, We are planning to use AWS SSO as main method to access EC2 instances with the use of the SSO attribute: SSMSessionRunAs = ${path:userName} and the AWS SSO username identical to the username in /etc/passwd on the Amazon Linux instance. I've read documentation about AWS SSO but don't see anything about this use case. We confirm that it works but also, is this supported? Thanks in advance, + Joe

Hello, I have been experimenting with Workspaces and created an AD connector and an EC2 instance as a Domain controller. The EC2 instance got deleted by mistake and this moved the AD connector to the "Inoperable" state. I cannot delete the AD connector now and when I try, it gives the message "On-premises issue(s) detected by instance 10.101.1.138: Unable to reach DNS port (TCP 53) of on-premises server 10.101.0.37. On-premises issue(s) detected by instance 10.101.2.164: Unable to reach DNS port (TCP 53) of on-premises server 10.101.0.37. How can I delete this AD connector? This was all created via terraform and I am now stuck. Please advise.

Per https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_ldap_server_side.html, in order to enable LDAPS for ManagedAD, I need a Microsoft enterprise CA server. Can ACM Private CA be used as a Microsoft enterprise CA server or do I need to set one up on an EC2 instance?

Currently, we have an on-prem Active Directory. We also have a disaster recovery environment that is connected also in our on-prem AD. Once our on-prem get down, there will be no SSO or domain for our servers. We are thinking of using AWS Directory Service to extend our on-prem AD to AWS Cloud, and as a solution also for disaster recovery. Is this possible? Once we configured this service, do the servers or users will still be able to connect using their AD accounts or domain if our on-prem AD fails? What will happen to the AWS Directory Service if it lost the connection to our on-prem AD?

I am struggling to get EC2 instances deployed via an ASG joined to the domain. I get the following error each time *New-SSMAssociation : Document schema version, 2.2, is not supported by association that is created with instance id* I have tried various schema versions detailed [Here](https://docs.aws.amazon.com/systems-manager/latest/userguide/document-schemas-features.html) however all fail with the same error **SSMdoc.tf** ``` resource "aws_ssm_document" "ad-join-domain" { name = "ad-join-domain" document_type = "Command" content = jsonencode( { "schemaVersion" = "2.2" "description" = "aws:domainJoin" "parameters" : { "directoryId" : { "description" : "(Required) The ID of the directory.", "type" : "String" }, "directoryName" : { "description" : "(Required) The name of the domain.", "type" : "String" }, "dnsIpAddresses" : { "description" : "(Required) The IP addresses of the DNS servers for your directory.", "type" : "StringList" }, }, "mainSteps" = [ { "action" = "aws:domainJoin", "name" = "domainJoin", "inputs" = { "directoryId" : data.aws_directory_service_directory.adgems.id, "directoryName" : data.aws_directory_service_directory.adgems.name, "dnsIpAddresses" : [data.aws_directory_service_directory.adgems.dns_ip_addresses] } } ] } ) } ``` template.tf ``` data "template_file" "ad-join-template" { template = <<EOF <powershell> Set-DefaultAWSRegion -Region eu-west-2 Set-Variable -name instance_id -value (Invoke-Restmethod -uri http://169.254.169.254/latest/meta-data/instance-id) New-SSMAssociation -InstanceId $instance_id -Name "${aws_ssm_document.ad-join-domain.name}" </powershell> EOF } ``` The template is then referenced in the ASG Launch Template user_data section. Getting onto the instance I can see the script/logs and have confirmed the variables set (instance id for example). Full error message from the PS running below ``` New-SSMAssociation : Document schema version, 2.2, is not supported by association that is created with instance id At C:\Windows\system32\config\systemprofile\AppData\Local\Temp\EC2Launch228430162\UserScript.ps1:3 char:5 + New-SSMAssociation -InstanceId $instance_id -Name "ad-join-domain ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (Amazon.PowerShe...sociationCmdlet:NewSSMAssociationCmdlet) [New-SSMAs sociation], InvalidOperationException + FullyQualifiedErrorId : Amazon.SimpleSystemsManagement.Model.InvalidDocumentException,Amazon.PowerShell.Cmdlets. SSM.NewSSMAssociationCmdlet ```

Using AWS Backup to backup and restore Windows 2016 and above EC2 instances which are domain joined to AWS Managed AD. When the instances are restored (as a copy) they appear to retain the same NetBIOS. There will then be two EC2 instances of the same name (different instance IDs) in the same VPC. This has been a problem in the past outside of the cloud. Any best practices in the community for using AWS Backup and Restore with Windows you can point to?

Hi there, I have created an AWS Active Directory and am now trying to create an EC2 Window Server 2012 to connect to the directory/domain. On the configure instance details, I can select the directory quite fine. I then created an IAM role which contained the two managed policies specified. However, no matter what I do, that IAM role will not appear on the list to select! Any ideas please. Thank you kindly

Hi there, just created my AWS Microsoft Active Directory (Standard edition). I know this has created 2 virtual MS Server 2012 in different availability zones, but I can see no way to connect to either to start setting up? I remember reading in the documentation that 2 user connections were allowed to each server for this reason

I am trying to access the AWS Console via AWS SSO with Azure AD as my identity provider. Following this Microsoft tutorial: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-single-sign-on-tutorial, I was able to successfully set up SSO and automatic provisioning. To initiate sign in I use the My App browser extension. I can authenticate but I am brought to the User Portal and I have no applications. What am I missing? How do I access the AWS Console using this method? Microsoft has another Enterprise Application call AWS Single-Account Access. If I set this up, I can access the Console: https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial but I don't think that's what I want. Any help would be much appreciated. Thanks

I have a VPC set up in 192.168.0.0/16 CIDR with public and private subnet. In private subnet I have following servers (all on Win server 2016) DC1 192.168.1.20 royal-dc1 DC2 192.168.1.21 .. DNS 192.168.1.19 .. SMTP 192.168.1.21 .. KMS 192.168.1.22 royal-kms I have created DHCP option sets and I have assigned: domain name: mydomain.local domain name servers: 192.168.1.19,192.168.1.20. 192.168.1.21 I have created my domain mydomain.local and joined all instances into it. Autodiscovery is enable but When I go onto any of the three computers, I can only see my local computer. (1) I have noticed that this may have something to do with DNS. When I go to file exploder and enter ip addresses I am able access other computers. Also, I am able ping between DNS, SMT and KMS using host name, but I can not ping DC1 or DC2 from rest of the servers. I also can not ping nothing from DC2 using host names. It works when I use IP addresses. On top of this I have noticed that if I ping dc using full computer name ping royal-dc1.mydomain.local ping seems to work ... Finally I have noticed that private dns ip name in EC2 description is not setup for mydomain.local but uses default E2.... name. (idk if this matters) Very unusual, I don't know what can be possible issue. Please advise

Hello, the question is in the title - "do the aws supports HOTP"? (hmac based one time password), for now i tried to setup my yubikey as MFA in AWS SSO as "otp generator" , for TOTP it worked perfectly , but HOTP didn't worked, now im thinking if AWS is even supporting it.

I have a cloud service for managing company's users, now I have an attempt to manage AWS Directory, exploring AWS APIs I find some, but not for managing, for that I'm using domain controller to getting LDAP users and after deleting, the solution is working fine if you put in the same network. Now, my cloud service it's not in the internal network, and I have a problem with the connection, I'm searching for connecting externally as a trusted machine to my AWS Directory, without a VPN or using an AWS service, in AWS documentation I find some definitions as trusted network, but no any precision solution and my questions stand to: Is it possible to connect to AWS Directory externally as a trusted network by IP and port for managing it? If yes, how? Thank you!

How do I fix my Simple AD Directory d-93673320a1 as it's status is "Impaired" and showing an error "Issue(s) detected by instance 172.x.x.x: Domain controller replication failures."

Hello, I want to login into the AWS SSO using AWS CLI, but i want to use only CMD , without interacting with browser , is there any solutions for this?

Greetings, Our Simple AD DCs don't seem to be synchronizing anymore: After joining a server to the domain only one of the two DC shows the new server record under Computers in AD Users and Computers. A new A record is only seen with that first DC, as verified via the DNS Manager. Two days later the second DC is still not synchronized - only showing the old entries. An attempt to trigger replication via Windows ADSS hangs. An attempt to run repadmin /syncall from the command prompt hangs indefinitely too. No errors in the Windows server event log. The status of the Simple AD is "Active". Is that normal? How soon Simple AD DCs are supposed to replicate? Should I resort to contacting aws technical support? Thanks. EDIT: In addition, it appears that automatic snapshots of the Simple AD haven't been created for about two weeks now. Previously, they were created every other day or so. Also, attempts to create a manual snapshots fail.

We are using AWS Workspaces with AD connector and would like to test moving Workspaces between OUs. I believe moving a Widows Workspace VM from the OU that it was deployed to initially should not affect the Workspace in any way from the point of AWS as OU parameter is only used for the initial deployment. Is this a correct assumption?

Hi there, I managed to add FSx for NetApp ONTAP to our domain with FSxServiceAccount as described on the product page. However, I am running into issues when I am trying to attach it to my Windows instance. (It works fine on Linux). I see the following issues: - When I am running this command New-SmbGlobalMapping -Persistent $true -RemotePath \\<IO of my smb>\share -Credential $creds -LocalPath G:` I get the following error: `New-SmbGlobalMapping : Access is denied.` - I am using domain admin credentials - When I am running this command `net use Z: \\<dns address of the smb>\share` I got the following error: `System error 5 has occurred. Access is denied.` - Also with domain admin creds - I can successfully attach via File Explorer > This PC > Computer >Map network drive, however I can not read/write to it. If I check the FIle permission mode in Propertires I can see that only the owner (FSxServiceAccount?) is allowed to write, however Read should work, but I can not change the permissions as domain Admin. I am using Directory Service Standard Edition. Did you guys experience issues with this? What am I doing wrong? **Update:** I managed to attach the disk, but I can not write or read any file on the disk. It is in OU=Computers, and allowed Everyone Full Access, also allowed Everyone Read/Write the NFS filesystems attached to the AD, but still not working. I am suspecting this is something NetApp specific, but we will see. **Update #2** Based on CloudWreck's comment I found the following: I am using mixed style. I use the following code: ``` net use P: \\WINDOWS\vol1 $CurTgt = "P:" $CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name $acl = Get-Acl $CurTgt $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow") $acl.SetAccessRule($AccessRule) $acl | Set-Acl $CurTgt ``` Get-Acl returns ``` Path Owner Access ---- ----- ------ P:\ Everyone Everyone Allow -1 ``` Also using this one: ``` $CurTgt = "P:" $CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name $acl = Get-Acl $CurTgt $usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr) $acl.PurgeAccessRules($usersid) $acl | Set-Acl $CurTgt ``` Also tried this: ``` takeown /F * /R takeown : ERROR: File ownership cannot be applied on insecure file systems; ``` But I am still unable to write/read files or create folders. **Update#3** I ran the following commands and changed the permission from the ONTAP side ``` vserver security file-directory show -vserver windows -path /vol1 vserver security file-directory ntfs create -ntfs-sd sd1 -owner DomainName\Administrator vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type success -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type allow -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files vserver security file-directory policy create -policy-name policy1 vserver security file-directory policy task add -policy-name policy1 -path /vol1 -ntfs-sd sd1 vserver security file-directory apply -policy-name policy1 vserver security file-directory show -path /vol1 -expand-mask true ``` It changed the file permissions (mode), however I am still unable to read/write files. These are the current settings: ``` File Path: /vol1 File Inode Number: 64 Security Style: mixed Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: 0x10 ...0 .... .... .... = Offline .... ..0. .... .... = Sparse .... .... 0... .... = Normal .... .... ..0. .... = Archive .... .... ...1 .... = Directory .... .... .... .0.. = System .... .... .... ..0. = Hidden .... .... .... ...0 = Read Only UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor ``` ``` ALLOW-Everyone-0x1f01ff-OI|CI 0... .... .... .... .... .... .... .... = Generic Read .0.. .... .... .... .... .... .... .... = Generic Write ..0. .... .... .... .... .... .... .... = Generic Execute ...0 .... .... .... .... .... .... .... = Generic All .... ...0 .... .... .... .... .... .... = System Security .... .... ...1 .... .... .... .... .... = Synchronize .... .... .... 1... .... .... .... .... = Write Owner .... .... .... .1.. .... .... .... .... = Write DAC .... .... .... ..1. .... .... .... .... = Read Control .... .... .... ...1 .... .... .... .... = Delete .... .... .... .... .... ...1 .... .... = Write Attributes .... .... .... .... .... .... 1... .... = Read Attributes .... .... .... .... .... .... .1.. .... = Delete Child .... .... .... .... .... .... ..1. .... = Execute .... .... .... .... .... .... ...1 .... = Write EA .... .... .... .... .... .... .... 1... = Read EA .... .... .... .... .... .... .... .1.. = Append .... .... .... .... .... .... .... ..1. = Write .... .... .... .... .... .... .... ...1 = Read ```

Hi there, When I am trying to join my domain (using Directory service), I am receiving the following error: ``` Amazon FSx is unable to establish a connection with your Active Directory domain controller(s) because the service account credentials provided are invalid. To fix this problem, delete your storage virtual machine and create a new one using a valid service account as recommended in the Amazon FSx user guide. ``` I have read the user guide, and followed all the steps. Now, I am using the same security group as the domain controller and allowing all traffic inside the sg. I checked with Reachability analyzer, the ENI from fsx can communicate with the domain controller's domain controller. I also tried to use the domain admin, just to make sure - but for some reason it does not work. Did any of you experienced something similar?

Hi all. I'm working with Aws Cloud Directory using the managed schema and through the GO API, so far so good with objects, links, search, queries; but, when I try to create a policy object with dynamic faced I get the error: "Missing required node values: [policy_type, policy_document]" I tried adding two more elements to the AttribuKeyAndValue but still got the error. ``` var keysAndValues []types.AttributeKeyAndValue policyType := types.AttributeKeyAndValue{ Key: &types.AttributeKey{ SchemaArn: aws.String(APPLIED_SCHEMA_ARN), FacetName: aws.String("DynamicObjectFacet"), Name: aws.String("policy_type"), }, Value: &types.TypedAttributeValueMemberStringValue{ Value: "AppUser", }, } bina, _ := json.Marshal(obj) policyDoc := types.AttributeKeyAndValue{ Key: &types.AttributeKey{ SchemaArn: aws.String(APPLIED_SCHEMA_ARN), FacetName: aws.String("DynamicObjectFacet"), Name: aws.String("policy_document"), }, Value: &types.TypedAttributeValueMemberBinaryValue{ Value: bina, }, } keysAndValues = append(keysAndValues, policyType) keysAndValues = append(keysAndValues, policyDoc) ``` I would be grateful if someone gives me a light on how to create policy objects using the dynamic schema.

I've created a WorkDocs site using an AD connector for authorization or authentication, but had to remake my domain and now I'm in the need to change the current AD Connector that WorkDocs is using to point to the new domain. ¿Can someone tell me if this is a re-configuration that can be done?

I have a workspace machine (Windows 10) where the DNS resolution is always returning the wildcard domain over the actual entries in the domain. For example if I have the following DNS entries: *.somecompany.com CNAME app.somecompany.com CNAME Then I do a dns lookup on the workspace machine for `nslookup app.somecompany.com` then it returns the entry for `*.somecompany.com` and not the expected entry for `app.somecompany.com`. In fact I can test with several other domains registered in my DNS Zone settings, and they all return `*somecompany.com`. My zone is hosted on Route 53. If I do a similar resolution outside of the workspace it resolves correctly. And this used to work flawlessly on workspaces. What I did notice was that my DNS server on the workspace instance is set to my Simple Directory for my account, but outside of the workspace it's set to VPC's DNS server or an external DNS server. I don't see a lot of ways to inspect how the DNS is set up on the Simple Directory either. I should also add if I do a `nslookup google.com` I get the answer for `*.somecompany.com`! But if I go into Chrome or Firefox and enter `google.com` then it returns the expected results. But other programs on my machine seem to be suffering from the same issue. So something about the Simple Directory server running for my domain isn't updating from Route53 or is just not working. What is going on?

I have a Simple AD directory not deleting, it's been stuck in the deleting stage for 5 hours. Is there any way I can force delete it, do I just wait, or do I need AWS to delete it for me ? Any advice? Many Thanks.

Hi Guys, We have our Domain Controllers running on Microsoft AD hosted on EC2 instances. It has lot of users and conputers authenticating against it. Now the goal is to make your environment compatible for AWS applications and integration, seamless Domain join of new EC2s and lastly to retire EC2 hosted DCs. In order to achieve this, can we extend our EC2 AD to AWS Managed AD with AD trust and then migrate all objects and passwords with ADMT tool and then demote EC2 AD?? Is this a good solution?

Hi Friends, I am bit new to this AWS Managed AD. Please suggest me the best solution based on below requirements / situation. I have an EC2 instance where I am running Microsoft Windows AD with approx. 500 users and 50 domain joined computers. Now I want my existing users to use AWS hosted applications with their same credentials and I want other EC2 also to get domain joined and also want to use AWS resources. Presently EC2 AD is synced with Okta, but later on Okta will get synced from AWS managed AD (if required) or operate as it is. 1. Now with this requirements what is the best solutions?? Entirely Migrating to Managed AD, or AD Connector or trust between EC2 AD and Managed AD. 2. Also in order to achieve the above goal if we at all have to migrate from EC2 AD to AWS Managed AD (with ADMT tool) , **Can we keep the same domain name in AWS Managed AD as EC2 Windows AD?** 3. Or its not required, we can simply extend our EC2 AD to Managed AD (with different domain name) with AD Trust?? 4. Also whats the ideal situation where we migrate from OnPrem AD to AWS Managed AD with tools like ADMT.?? PS. A detailed answer would be appreciated rather than sharing AWS tutorials links. Edited by: Swaprakash on Jul 8, 2021 1:54 AM

I have had an AD Connector set up for some time with no issue. This is being used by AWS Client VPN. We are now enabling MFA on this service. I am using DUO Auth_Proxy for RADIUS - it is only handling secondary authentication with primary auth being handled by AD. I have enabled MFA on the directory service and it completes successfully, and in the RADIUS logs I do see that the awsfaketestuser attempts to connect. However when attempting to connect the client VPN the secondary authentication challenge never reaches the RADIUS server. I have tested that it is working correctly by standing up an EC2 instance in the same security group and subnet as the AWS directory endpoints - and the challenge does go to the RADIUS server as expected and is logged. Just the AWS AD Connector doesn't appear to be sending challenges. I have also set this up successfully in a separate environment. It just seems as though the AD Connector (Directory) is not forwarding the challenge to the RADIUS server. Oh, and the Open VPN configuration on the client HAS been updated with the static-challenge. I have confirmed with DUO that the solution is configured correctly. I am really scratching my head over this one. Any ideas?

A SimpleAD has two IP addresses. We want to set up two A-records in a hosted zone that point to those IP addresses. In the A-record code we tried this (simpleAD is the constructed SimpleAD): target: route53.RecordTarget.fromIpAddresses(simpleAd.attrDnsIpAddresses\[0], simpleAd.attrDnsIpAddresses\[1]), .. but got "Error: Resolution error: Resolution error: Cannot add elements to list token, got: #{Token\[TOKEN.163]},.." We tried adding a dependency (aRecord is the constructed A-record): aRecord.node.addDependency(simpleAd) ; ... but no change. So how do we refer to those addresses in a way that lets them be used in the A-record construction? Any ideas gratefully accepted. Regards, K.

I am new to AD, and am trying to add Users and Groups to the AD I created. I understand that I first need to create Users OUs but I cannot create that either. I've attached images. When I go to Windows > Administrative Tools > Active Directory Users and Computers, I get a message that says "To manage users and groups on this computer, use Local Users and Groups" (see Image1 attached). When I go to Windows > Administrative Tools > Administrative Center, I get a message saying "Your account or computer is not joined to any domain. Join to a domain and try again." (see Image2 attached). But I followed the instructions found here: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html. Furthermore some troubleshooting attempts show that the EC2 is joined (see Image3 and Image4). The Windows has the proper EC2DomainJoin Role with the 2 Policies attached (AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess). What am I missing? Edited by: AdminNewProject on Feb 19, 2021 11:35 AM

Hi, Is it possible to have an autoscaling for windows ec2 instances and auto join to domain at the same time? Thanks!

Hi, Im new to AWS MM AD. We have an amazon direct connect to connect our on-premise and AWS VPCs. I have a few questions. can we create an AWS managed microsoft AD that has the same domain name as our existing? can we create an aws manage microsoft AD and join it to our existing microsoft AD? can we create an aws managed microsoft AD in the same VPC as our on premise EC2 instance of Microsoft AD? In managing aws managed microsoft AD do we need a jump machine to do that?

Hi, I'm following an AWS walkthrough to join an instance to to AWS Directory Service Directory (http://docs.aws.amazon.com/fsx/latest/WindowsGuide/walkthrough01-prereqs.html)......part 3 talks about changing the preferred and alternate DNS server addresses to the AWS Directory Service ones) I have created my directory, but I don't know where to find the DNS server addresses provided by the AWS Directory Service Can anybody help with this? Any assistance gratefully received

A customer is integrating Cognito with Ping to allow federation with Active Directory. The access token generated by Cognito is then passed to Istio to provide RBAC based on Istio policies to backend Java apps in AWS. These policies are based on the AD Group. When using Ping without Cognito they can take the AD Group (memberOf) that is returned as 'group' in the Ping response authorize the user in Istio and authorization completes successfully. When using Cognito the AD group is not present and they have not been able to find a method to include or inject it as a custom attribute. Is there a recommended method to allow for AD groups to be forwarded in the Access Token by Cognito? My initial assumption is that there would need to maybe be a mapping to a Cognito Group or an override in the Pre Token Generation Lambda Trigger?

Does Simple AD or Managed Microsoft AD support importing custom admx/adml templates? A 3rd-party app in my environment includes a custom_app.admx/.adml files so app settings can be managed via Windows GPO. I wish to manage this app's settings using GPO linked to my AD Domain which means the admx should be imported to the DC. Traditionally when I had full control of my Domain Controllers, I could import the admx to my DC. https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_simple_ad.html https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html

A customer wants to switch **Workspace + SimpleAD** to **Workspace + AWS Managed AD**. Is there a way for them to do it without rebuild the existing **Workspace**?

Hello, I am trying to setup an environment to replicate my on-prem environment. VPC 1 has 2 ec2 instances, one with Microsoft AD installed. The other instance is added to this domain. I am able to login with domain credentials. domain is 'manual.test.local' VPC 2 has an AWS managed MS AD, one EC2 instance, joined to this domain. domain is 'awsmanaged.work.local' Both VPC's are peered & all ports on DCs are able to be connected to (only tested TCP ones). I want to setup a one way trust from the AWS managed instance. Setup a conditional forwarder from each domain to the other. From VPC 1 I am able to resolve names in the AWS Managed domain. From VPC 2 I am NOT able to resolve names in the EC2 manually installed domain. I dont believe that it is a security group issue. If I perform an nslookup from the ec2 instance in VPC 2 to the other domain (to manual.test.local) just using the aws managed DNS servers this fails. If I put the DNS server to be queried as the dc running manual.test.local this resolves as expected. I have not put anything in route 53. Do I need to create a Route 53 resolver record? If so is this because it is the AWS Managed domain? Thanks, Matt

A customer has a AD connector in the N.Virginia region to connect our Active directory to AWS to use Workspaces. They are looking to expand to the London Region, and will create a new AD connector to connect that region to the domain controller. My question is can they use the same Active directory user that they used in the Virginia region? Or would do they need to create a new user?

A customer would like to restrict db access to their RDS Postgres instances to only specific AD users. Postgres authentication flow is Postgres RDS -> Managed AD -> on-prem AD. Is there a way using either AD domain groups or other method to grant only specific users to RDS instances?

Hello, I am looking at getting an AD connector setup to be able to login to workspace with AD credentials, as well as all of the governance around the system. The DNS servers that we have are appliances, not integrated into Active Directory. As such the DNS service does not run on the domain controllers. Could I point to the appliance that is running DNS to get domain resolution, it will then also connect to one of the 10 DC's that I have. Thanks, Matt Edited by: Mattridd on Jul 6, 2020 5:48 AM

I am helping a customer with their Workspaces deployment. The customer has AWS Control Tower, with an account for networking (where AD will be deployed) and one for Workspaces. I am running through the setup now and I can’t seem to get AD to register. I created 4 subnets (2 private, 2 public) in the Workspaces account which I shared (using RAM) to the Network account. I set up managed AD on the Network account and selected the 2 private subnets that were shared from the Workspace account ( each subnet is in different AZ). I also shared managed AD with the Workspace account and set VPC peering. The last step prior to deploying Workspaces is to Register the AD directory, which requires two subnets in different AZs. When attempting to do so, the only subnets displayed on the register window are a private and public subnet which are in the same AZ. Additionally, when I attempt to launch a Workspace in the Workspace account it does not recognize the shared AD, instead it prompts to create a new directory. Questions: Are there any concerns with the architecture approach I have taken so far? How do I bypass/fix the issue I am facing with Registration of AD? I checked that the shared VPC has all 4 subnets (a private and public in one az, and another set of private and public subnet in a separate AZ).

If a customer wanted to use AWS Managed AD, how would Redshift be able to use it for authentication? I am guessing that one could install ADFS on Windows-EC2 and connect it to Managed AD. Then one would setup the Redshift driver to federate to the self-managed ADFS on EC2. Is this correct? Has anyone ever done this and tested it? Is there a better way?

Hi All, I'm looking for a way to send custom attribute such as "Company" from AD using ADFS to Cognito User Pools. The customer wants to include the "Company" field in the JWT Token ID. For example, for E-Mail claims configuration I would use the following settings on ADFS side: https://d2908q01vomqb2.cloudfront.net/0a57cb53ba59c46fc4b692527a38a87c78d84028/2018/08/10/ADFS6.png With the following schema on Cognito side: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress There is any solution for that? Which schema / custom claims configuration should I use?

Hi, I have a customer that want to control 'clipboard redirection' function using Simple AD, Workspace. They have already disabled 'clipboard redirection' for the entire user in directory through Group Policy. (https://docs.aws.amazon.com/workspaces/latest/adminguide/group_policy.html#gp_clipboard) But they want to disable only certain users in the directory. So I tested Group Policy to assign it to OU or User/Group, but it didn't work as I intended. 1. Create 'dev' Organization Unit under Domain Name (Active Directory Users and Computers) 2. Create 'dev1' accounts within 'dev' OU 3. Create 'GPO' within 'dev' OU (Group Policy Management) 4. Clipboard redirection disable (Group Policy Management Editor) from the generated GPO Actually, I don't have much experience with AD. Questions are : 1. Is there something wrong with the way I tested it? 2. Is there a way to set the GPO so that it can be applied only to a specific user or group? (Or create a new directory and manage it separately..) Could you help me?

Hello, I&#39;m trying to create a one-way forest trust between our AWS managed AD and on-premise domain but when creating the one-way trust in Directory Services Console, it fails. I&#39;m following this blog, https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust_create.html. I have thoroughly read, re-ran the tutorial, deleted and re-created the trust but it keeps failing. Is there a fix or work around for this? The error message that I get is "Trust relationship status failed: The remote domain is not reachable. Please ensure your security group settings are correct and your conditional forwarder is configured properly". I&#39;ve checked and verified the security group and that the ports (from the tutorial) allows incoming traffic from our domain and outgoing is open to all. I&#39;ve also checked with our security team to make sure our on-prem firewall isn&#39;t blocking 172.24.0.0/16 (managed AD CIDRs) traffic to our domain. The conditional forwarder are configured correctly on our on-prem DNS and as well as on the managed AD DNS settings. I can ping to the AWS managed AD from our domain and can ping from the ec2 instance, joined to the managed AD, to our domain. Any help is appreciated!

We have an AD connector that cannot be deleted. It says the console is still attached as an authorized application. When I try to disable the console, it says "You cannot disable the AWS Management Console because delegated users are still assigned to it. Remove all users and groups from the IAM roles below and try again." When I click one of the roles it says "The role &#39;AWS_PRJ_W&#39; may have been deleted or the role’s trust with AWS Directory Service no longer exists. Either recreate the role and then reassign your delegated users, or edit the trust to repair it." Even though that seems a little ridiculous (creating more things to enable something else to be deleted), I gave it a quick try but it still complained about the role. How do I delete an inoperable AD connector?

My customer is using AWS workspaces with Azure MFA server which was implemented following [this guide][1]. MFA server is no longer being made available by Microsoft, and is now unavailable for new licensees as per detail [here][2]. Instead, Microsoft users are being pushed towards "Azure Cloud MFA”. Is there any way to configure Azure Cloud MFA to work with Workspaces, or any suggested workarounds if this is not possible? [1]: https://aws.amazon.com/blogs/desktop-and-application-streaming/integrating-microsoft-azure-mfa-server-with-amazon-workspaces/ [2]: https://docs.microsoft.com/sv-se/azure/active-directory/authentication/howto-mfaserver-deploy

I am building out a Workspaces demo for a customer. They only use G Suit (for apps and identity) and have no Active Directory. The ask is if it is possible to use Google G Suite as an IdP to provide their users a SSO experience between G Suite and their Workspaces environment. I understand that Workspaces needs an AD compliant directory using either (AD Connector to a running AD, Simple AD or AWS Managed Microsoft AD) to host the Workspaces users. I do not know however if it is possible to federate between G Suit, AD and therefore Workspaces (which I imagine would be the approach if this is possible?). Any guidance or suggestions on this would be most appreciated. Thanks.

Hi I have setup the AWS Directory Service and have a successful outgoing trust relationship to my on premise AD domain. I can assign permissions within my RDS instances, for example, and logon to them using my local, on premise, AD credentials I'm now trying to get AWS Management Console access using our on premise AD credentials working I've enabled Management Console access, created an IAM role with a trust relationship to AWS Directory - it shows up in the Delegate Console Access box within DS config Problem - when I click on the IAM role and within Manage users and groups for this role I choose Add - all I see in the drop down is my AWS Directory Service AD domain, I can't see my on premise AD domain in order to select Groups from there What am I doing wrong please ? Thanks STEVE

This post https://aws.amazon.com/blogs/security/aws-adds-12-more-services-to-its-pci-dss-compliance-program/ Indicates AWS Directory Service for Microsoft and AD Connector is PCI compliant... does this include simple AD????

Hello! When I'm trying to delete unused managed AD directory I get error message: "Cannot delete the directory because it still has authorized applications : RequestId: eba75f73-6c57-11e9-b05a-134391928360" When viewing apps and services on the directory in question, all applications have status disabled. Also the directory hasn't got SSO enabled. The directory isn't shared with other accounts. I've got a feeling there is a bug preventing deletion. Any ideas how to solve? Trebor

Hi; I am currently using AWS Managed MS AD. While configuring the GPO of my domain, i noted that in the GPO Office 365 Administrative Template was not added to the GPO. I try to add the GPO but it is not possible. Can someone advise me how can i add additional Administrative templates to AWS Managed MS AD? Regards

I've setup CloudDirectory, and I'm trying to access my CloudDirectory from a Lambda which is running inside a VPC. When executing the Lambda, I'm not seeing much except that it times out. The log states: ``` [INFO] 2019-04-01T14:48:10.921Z 0604741e-681a-43db-9a47-0b91ec3a1809 Starting new HTTPS connection (1): clouddirectory.eu-west-1.amazonaws.com [INFO] 2019-04-01T14:49:11.630Z 0604741e-681a-43db-9a47-0b91ec3a1809 Starting new HTTPS connection (2): clouddirectory.eu-west-1.amazonaws.com ``` As soon as I take the Lambda outside of the VPC, it directly works, so it seems to be an issue from Lambda towards CloudDirectory when executed inside a VPC. Since this seems like a similar issue like accessing DynamoDB, SNS and other AWS services, I want to make a VPC Endpoint, however CloudDirectory does not seem to be listed as supported service. What is the best way to connect to CloudDirectory from inside a VPC, will the standard VPC Endpoints be supported?

by default, "AWS Delegated Replicate Directory Changes Administrators" have "Replicate Directory Changes" permissions and don't have "Replicate Directory Changes All" which prevent password hash synchronization with Azure AD in case of AD Connect usage. https://social.technet.microsoft.com/wiki/contents/articles/51110.azure-ad-sync-troubleshooting-error-611-replication-access-was-denied-password-synchronisation-failed.aspx Is it by design? Is it possible add "Replicate Directory Changes All" permission? What is the possible work around?

Related a bit to forum https://forums.aws.amazon.com/post!reply.jspa?messageID=821050, but I don't think I should completely hijack that topic. I'm performing the following batch_write operation using Python: ``` { 'DirectoryArn': '<snip>', 'Operations': [ {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'Organization'}], 'ObjectAttributeList': [{'Key': {'SchemaArn': '<snip>', 'FacetName': 'Organization', 'Name': 'display_name'}, 'Value': {'StringValue': 'Object #1'}}], 'ParentReference': {'Selector': '/'}, 'LinkName': 'object', 'BatchReferenceName': '5bd5059b-b793-4ebe-b45b-b0a136a4ac8d'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'Meta'}], 'ObjectAttributeList': [{'Key': {'SchemaArn': '<snip>', 'FacetName': 'Meta', 'Name': 'display_name'}, 'Value': {'StringValue': 'Child #1'}}], 'ParentReference': {'Selector': '#5bd5059b-b793-4ebe-b45b-b0a136a4ac8d'}, 'LinkName': 'organization', 'BatchReferenceName': '01e66be7-d47f-40ed-b7d0-faa638db9ced'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'Meta'}], 'ObjectAttributeList': [{'Key': {'SchemaArn': '<snip>', 'FacetName': 'Meta', 'Name': 'display_name'}, 'Value': {'StringValue': 'Child #2'}}], 'ParentReference': {'Selector': '#5bd5059b-b793-4ebe-b45b-b0a136a4ac8d'}, 'LinkName': 'index', 'BatchReferenceName': 'f8b672b9-fef5-40c8-8c55-94152d4db745'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index1', 'BatchReferenceName': '71b75012-516b-4cb6-8354-976ad1cc4589'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index2', 'BatchReferenceName': 'c6824a61-1338-4cd5-8d3a-553b67e50a18'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index3', 'BatchReferenceName': 'c72c0bab-25f1-4a83-a9c5-569d34d1a90d'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index4', 'BatchReferenceName': '8b4368e2-2d29-4666-8eb0-4e93105f1efb'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index5', 'BatchReferenceName': 'e5ba15a8-4cdd-43a7-873e-0afd8c0e6870'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index6', 'BatchReferenceName': 'afba33be-d2a2-461f-8742-ec0cb805b0dc'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index7', 'BatchReferenceName': 'c4b70cd5-1a39-45ba-a5ee-efb0fbc424e7'}}, {'CreateObject': {'SchemaFacet': [{'SchemaArn': '<snip>', 'FacetName': 'INDEX'}], 'ObjectAttributeList': [], 'ParentReference': {'Selector': '#f8b672b9-fef5-40c8-8c55-94152d4db745'}, 'LinkName': 'index8', 'BatchReferenceName': '1ac0290c-339f-4b50-9080-d1c5c8d4159a'}} ] } ``` which fails with the error: ``` An error occurred (LimitExceededException) when calling the BatchWrite operation: Limits exceeded on the request. Write objects, max: 20, actual: 22. Read objects, max: 200, actual: 10. Write attributes, max: 1000, actual: 4. Read attributes, max: 1000, actual: 0. ``` I'm creating 11 objects. The selector paths would look like: ``` /object /object/organization /object/index /object/index/index1 /object/index/index2 /object/index/index3 /object/index/index4 /object/index/index5 /object/index/index6 /object/index/index7 /object/index/index8 ``` Although I can understand where the 22 Writes come from, I wonder if this is a fair assumption as the object with "/object/index" is for example counted 9 times (1 create, 8 updates). I'm using the BatchReference so during the counting it can be taken into account that I intend to write the same object multiple times, and as it is documented that the batch_write is going to be a single transaction, I would expect my "Write object count" to be 12 (11 objects created + root node update. This comment can also be extended a bit to the Read Objects count of 10, but I'll that one out of the discussion. :)

Hello, I am using AWS Directory Service and therefore my VPC has the required custom DHCP options. This seems to be causing my EFS dns name to not resolve: $ sudo mount -t efs fs-981781a1:/ efs Failed to resolve "fs-981781a1.efs.ap-southeast-2.amazonaws.com" - check that your file system ID is correct. $ sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-981781a1.efs.ap-southeast-2.amazonaws.com:/ efs mount.nfs4: Failed to resolve server fs-981781a1.efs.ap-southeast-2.amazonaws.com: Name or service not known However, specifying the EFS target ip address does work: sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport 10.0.14.62:/ efs Any help would be appreciated. Thanks!

I know that only RHEL 7.x is "officially" supported by AWS Managed Microsoft AD, but I wonder if anyone was successful in connecting RHEL 6.x OS to the active directory using "adcli" commands. Thank you, Giga

Today, we made it easier for you to run Microsoft SharePoint and SQL Server Always On availability groups in the AWS Cloud. With [AWS Directory Service for Microsoft Active Directory (Enterprise Edition)](https://aws.amazon.com/directoryservice/), also known as AWS Microsoft AD, you can now migrate additional Windows workloads such as SharePoint and SQL Server Always On availability groups without the complexity of building and maintaining your own Active Directory (AD) infrastructure. Using the [AD security features announced recently](https://aws.amazon.com/about-aws/whats-new/2017/05/simplify-migration-and-improve-security-of-active-directory-integrated-net-applications-by-using-aws-microsoft-ad/), you can provide single sign-on (SSO) to Microsoft SharePoint by using AWS Microsoft AD, and improve the security of SQL Server Always On availability groups. With AWS Microsoft AD, you can use a single directory to support Microsoft SharePoint and SQL Server Always On availability groups, as well as AWS services such as [Amazon WorkSpaces](https://aws.amazon.com/workspaces/) and [Amazon QuickSight](https://quicksight.aws/). You also have the flexibility to use identities from your on-premises directory or managed directory in the AWS Cloud. AWS Microsoft AD uses actual AD running on Windows Server 2012 R2 and does not require you to synchronize or replicate data from your existing AD to the cloud. With just a few clicks, you can create a highly available, managed AD. AWS handles all of the security patching and software updates. Currently, AWS Microsoft AD is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), EU (Frankfurt), EU (London), Canada (Central), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo) Regions. This feature is now available to all AWS Microsoft AD customers at no additional charge. For existing AWS Microsoft AD customers there is no additional setup in the Directory Service console required. To get started with AWS Microsoft AD, visit the [Directory Service console](https://console.aws.amazon.com/directoryservice/home) and create your directory.