EC2 AD Join using AD Connector

0

Hi,

The objective of my issue is to automate the EC2 AD join. EC2 will be deployed in an AWS VPC which is connected to the corporate network using TGW.

  • DC is on-prem.

Disclaimer: This server has connectivity to the AD. In fact, if I try to join the domain manually, it works too.

Directory Service Port Test:

PS C:\Users\Administrator\Desktop\test1\DirectoryServicePortTest> .\DirectoryServicePortTest.exe -d x.x.x.x.x -ip x.x.x.x -tcp "53,88,389" -udp "53,88,389"
Testing forest functional level.
The x.x.x.x could not be found.
 
Testing TCP ports to  x.x.x.x:
Checking TCP port 53: PASSED
Checking TCP port 88: PASSED
Checking TCP port 389: PASSED
 
Testing UDP ports to  x.x.x.x:
Checking UDP port 53: PASSED
Checking UDP port 88: PASSED
Checking UDP port 389: PASSED
 
Press <enter> to continue.
PS C:\Users\Administrator\Desktop\test1\DirectoryServicePortTest>

I've deployed AD Connector based on the following guide:

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_getting_started.html

DNS works for the domain name and for the following endpoints:

  • my.domain.name
  • ssm.eu-central-1.amazonaws.com
  • ec2messages.eu-central-1.amazonaws.com
  • ec2.eu-central-1.amazonaws.com
  • ssmmessages.eu-central-1.amazonaws.com

HTTP Connectivity:

ComputerName     : ssm.eu-central-1.amazonaws.com
RemoteAddress    : 52.119.188.195
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

ComputerName     : ec2messages.eu-central-1.amazonaws.com
RemoteAddress    : 52.94.138.208
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

ComputerName     : ec2.eu-central-1.amazonaws.com
RemoteAddress    : 52.94.141.15
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

ComputerName     : ssmmessages.eu-central-1.amazonaws.com
RemoteAddress    : 52.119.188.27
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

ComputerName     : ds.eu-central-1.amazonaws.com
RemoteAddress    : 54.239.55.7
RemotePort       : 443
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.180.6.24
TcpTestSucceeded : True

When I look through the ssm-agent-worker logs, I encounter this error:

2024-02-28 09:22:58 INFO [ssm-agent-worker] [MessageService] [Association] Updating association status {
  "ErrorCode": "",
  "ExecutionDate": "2024-02-28T09:22:58.688Z",
  "ExecutionSummary": "1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped. \nThe operation aws:domainJoin failed because Failed to create domain computer account 'EC2AMAZ-E363G22', Message=A WebException with status SendFailure was thrown.,ErrorCode=,ErrorType=Sender,StatusCode=0\r\nAmazon.Runtime.AmazonServiceException: A WebException with status SendFailure was thrown. ---\u003e System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---\u003e System.I--output truncated--",
  "OutputUrl": null,
  "Status": "InProgress"
}

IAM role for domain join (attached policies):

AmazonEC2RoleforSSM
AmazonSSMDirectoryServiceAccess
AmazonSSMManagedInstanceCore
AmazonSSMPatchAssociation
AWSDirectoryServiceFullAccess
SecretsManagerReadWrite
Piotr
asked 2 months ago, 155 views
2 answers
1
Accepted answer

Adding a 443 rule exception on the firewall for ds.eu-central-1.amazonaws.com solved the issue.

Piotr
answered 2 months ago
EXPERT reviewed 2 months ago
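Test-NetConnection only completes a TCP handshake, yet the agent's error is a send failure on a connection that was already open, and the fix that worked was a firewall exception for ds.eu-central-1.amazonaws.com on 443. The useful pre-check therefore has to go one layer further than the port test in the question. The PowerShell below is an added example, not code from the thread or from AWS: for each endpoint the aws:domainJoin step depends on it resolves the name, connects on 443, completes a TLS handshake with SNI, and reports the negotiated protocol and the certificate issuer. The endpoint list is the one from the question plus the ds endpoint; the region, the timeout, the function name Test-TlsEndpoint and the issuer heuristic for spotting a TLS-inspecting proxy are assumptions of the example.

```powershell
# Added example (not from the original thread): checks each AWS endpoint the
# SSM aws:domainJoin step talks to at the TLS layer, not only at TCP.
# Assumes eu-central-1 (the region in the thread); change $Region as needed.
# The issuer check is a heuristic of this example, not an AWS-documented test.

$Region = 'eu-central-1'
$Endpoints = @(
    "ssm.$Region.amazonaws.com",
    "ssmmessages.$Region.amazonaws.com",
    "ec2messages.$Region.amazonaws.com",
    "ec2.$Region.amazonaws.com",
    "ds.$Region.amazonaws.com"   # Directory Service API; the domain-join plugin creates the computer account through it
)

function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )

    $result = [ordered]@{
        Host     = $HostName
        Resolved = $null
        TcpOk    = $false
        TlsOk    = $false
        Protocol = $null
        Issuer   = $null
        Error    = $null
    }

    try {
        # 1. DNS: the instance (via AD Connector / corporate DNS) must resolve AWS names.
        $result.Resolved = ([System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1).IPAddressToString

        # 2. TCP: this is all that Test-NetConnection -Port 443 proves.
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out" }
        $client.EndConnect($async)
        $result.TcpOk = $true

        # 3. TLS: send a ClientHello with SNI and finish the handshake. A firewall that
        #    lets the SYN through but drops or resets on the ClientHello fails here,
        #    which the agent reports as a WebException with status SendFailure.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $result.TlsOk    = $true
        $result.Protocol = $ssl.SslProtocol.ToString()

        # 4. Who issued the certificate? AWS endpoints present Amazon-issued certificates.
        #    A corporate CA here means a TLS-inspecting proxy is in the path; if its root
        #    is not trusted on the instance, step 3 already fails with a certificate
        #    validation error, which is the other way the same symptom shows up.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Issuer = $cert.Issuer

        $ssl.Dispose()
        $client.Dispose()
    }
    catch {
        # Keep the innermost message: that is the one the SSM log truncates.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    [pscustomobject]$result
}

$Endpoints | ForEach-Object { Test-TlsEndpoint -HostName $_ } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the instance. A row with TcpOk True and TlsOk False is the signature of a device that accepts the TCP connection but blocks the TLS exchange, which matches the port test passing and the agent still failing; a row with TlsOk True and a non-Amazon issuer, or a certificate-validation error, points to TLS inspection, in which case either the inspecting proxy's root CA has to be trusted on the instance or the AWS endpoints have to be exempted, as the accepted answer did for the ds endpoint.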
0

Error

2024-02-28 09:22:58 INFO [ssm-agent-worker] [MessageService] [Association] Updating association status {
  "ErrorCode": "",
  "ExecutionDate": "2024-02-28T09:22:58.688Z",
  "ExecutionSummary": "1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped. \nThe operation aws:domainJoin failed because Failed to create domain computer account 'EC2AMAZ-E363G22', Message=A WebException with status SendFailure was thrown.,ErrorCode=,ErrorType=Sender,StatusCode=0\r\nAmazon.Runtime.AmazonServiceException: A WebException with status SendFailure was thrown. ---\u003e System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---\u003e System.I--output truncated--",
  "OutputUrl": null,
  "Status": "InProgress"
}

Error Components

  1. Operation aws:domainJoin failed: This indicates that the specific SSM document action intended to join the EC2 instance to the Active Directory domain was unsuccessful.

  2. Failed to create domain computer account 'EC2AMAZ-E363G22': The process could not create a computer account in the Active Directory for the EC2 instance. This step is crucial for the domain join operation, as it registers the EC2 instance in the AD domain.

  3. A WebException with status SendFailure was thrown: This suggests a problem with the HTTP request made by the SSM agent or a related process. The SendFailure typically indicates that the request could not be sent over the network.

  4. The underlying connection was closed: An unexpected error occurred on a send: This further clarifies that the network connection used for the operation was unexpectedly closed during the process of sending data.

Possible Causes

  • Network Connectivity Issues: There might be issues with the network configuration, such as incorrect security group settings, network ACLs, or problems with the VPC setup, preventing successful communication with the Active Directory services.

  • Firewall or Security Appliance Blocking: A firewall, either in AWS or on-premises, could be blocking the necessary ports or protocols used for domain join operations and AD communications.

  • AD Connector or Direct AD Issue: If you're using AD Connector, there may be a configuration issue or connectivity problem between AD Connector and your on-premises AD. Alternatively, if directly connected to AD, there might be a similar connectivity or configuration issue.

  • SSM Agent or Instance Configuration: The SSM agent might be misconfigured, or there could be an issue with the instance's configuration preventing successful domain join operations.

EXPERT
answered 2 months ago
