Why can’t I seamlessly join my Amazon EC2 Windows instance to an AWS Managed Microsoft AD directory?

Resolution

Follow these steps to troubleshoot issues when seamlessly joining your Amazon EC2 Windows instance to an AWS Managed Microsoft AD.

Note: AWS Systems Manager doesn’t support seamless domain join for interface VPC endpoint because there are no interface VPC endpoints for AWS Directory Service. For more information, see VPC endpoint restrictions and limitations.

Verify prerequisites

Confirm that you meet all prerequisites for using AWS Systems Manager.

Verify AWS Identity and Access Management (IAM) role policies

1.    Open the IAM console, and then choose Roles from the navigation pane.

2.    Choose the Role name for the IAM role associated with your instance to open the Summary page.

3.    On the Permissions tab, for Permissions policies, confirm that the AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore policies are attached.

If either policy is missing, then choose Attach policies. Search for the policy names, and then choose Attach policy.

Verify that the required ports are open

Verify that ports 53, 88, and 389 are open in the directory security group. To locate the security group for your directory:

1.    Open the Amazon EC2 console, and then choose Security Groups from the navigation pane under Network & Security.

2.    Sort the list by Security group name to find directoryid_controllers, where directory_id is your directory ID. For example, d-1234567891_controllers.

Note: Use Microsoft's Portqry.exe command line utility to test the domain's connectivity to the required ports.

Verify that the DNS servers on your EC2 instance are pointing to the directory DNS servers

Run the following command to display the network adapter configuration on the instance:

ipconfig /all

To locate the directory DNS servers:

1.    Open the Directory Service console, and then choose Directories from the navigation pane.

2.    Choose your Directory ID to open the Directory Details page and view the DNS address.

Confirm that you can resolve the domain name from the instance

Run the following command, replacing domainname with your domain name.

Using PowerShell:

Resolve-DnsName domainname

Using a command prompt:

nslookup domainname

Verify DNS server configuration

Verify that you configured the correct DNS server on the instance, and that the instance can reach the DNS server. Run the following Nltest command:

nltest /dsgetdc:domainname /force

Note: Be sure to replace domainname with the DNS name, and not the NetBIOS name. For example, if your domain is example.com, then the DNS name is example.com, and the NetBIOS name is example.

Verify that the instance is reporting as Managed

First, open the AWS Systems Manager console. Next, choose Fleet Manager from the navigation pane to view all managed instances, and confirm that the instance is listed and online.

Then, confirm that a corresponding State Manager association for the document awsconfig_Domain_directoryid_domainname was automatically created for the instance. Follow these steps:

1.    From the Systems Manager console, choose State Manager from the navigation pane.

2.    Select the search bar, choose Instance ID, Equal, and then enter the instance_id.

3.    Verify the output of the execution for the association under Execution History. Confirm that the Status is Success.

If the status is Failed, then review the output and detailed status to identify the cause of the issue.

If the status is Pending, then verify that you followed all the previous troubleshooting steps. Then, review the logs on the EC2 instance for any explicit error messages to identify the cause of the issue. For instructions, see the following Troubleshooting section.

Confirm that you can manually join the instance to the domain

Verify that your account has the required permission to add computer objects to the domain. For more information, see Delegate directory join privileges for AWS Managed Microsoft AD.

Confirm a successful seamless domain join

Retry joining a domain to verify that the previous steps resolved the issue.

1.    Open the AWS Systems Manager console, and then choose State Manager from the navigation pane.

2.    Select the association that you created to join the domain, and then choose Apply association now.

3.    Verify that the Status is Success.

Troubleshooting

If you're still having issues joining a domain, then review the following logs on the EC2 instance for indications of the problem.

For Amazon SSM agent logs:

Navigate to the following location to review the Amazon SSM agent logs: C:\ProgramData\Amazon\SSM\Logs

netsetup.log file:

Open a command prompt, and then enter the following command:

%windir%\debug\netsetup.log

For information about netsetup.log error codes, see How to troubleshoot errors that occur when you join Windows-based computers to a domain on the Microsoft website.

For Event Viewer logs:

1.    Open the Windows Start menu, and then open Event Viewer.

2.    Choose Windows Logs from the navigation pane.

3.    For Windows Logs, choose System.

4.    Review the Date and Time column to identify events that occurred during the operation to join the domain.

Related information

Join an EC2 instance to your AWS Managed Microsoft AD Directory