I want to seamlessly join an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance to an AWS Managed Microsoft Active Directory (AWS Managed AD) in AWS Systems Manager.
Short description
The following issues can prevent an Amazon EC2 Windows instance from seamlessly joining AWS Managed Microsoft AD:
- Your Windows instance doesn't meet the minimum requirements for Systems Manager. For more information, see Minimum requirements in Troubleshooting managed node availability using ssm-cli.
- Your AWS Identity and Access Management (IAM) instance profile doesn't have the necessary policies. For more information, see Configure instance permissions required for Systems Manager.
- Your Windows instance traffic can't access your AWS Directory Service endpoint.
- Your Windows instance can't access your domain controller. Or, your security group or network access control list (network ACL) doesn't allow traffic through the required ports.
- A duplicate computer object name already exists at your domain controller.
- You didn't complete the prerequisites for your AWS service account to use AD Connector.
Resolution
Verify that your instance meets the minimum requirements
If your instance meets the minimum requirements for Systems Manager, then the Managed Node's AWS Systems Manager Agent (SSM Agent) ping status is Online.
To see your SSM Agent ping status, open the AWS Systems Manager console, and then in the navigation pane, choose Fleet Manager. If the managed instance doesn't appear in Fleet Manager, then verify that your Amazon EC2 instance meets the managed instance requirements.
Verify the IAM instance profile policies
Make sure that you attached the AmazonSSMDirectoryServiceAccess IAM policy to your instance profile.
To view your IAM role policies, complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Instances.
- On the Details tab, choose IAM role.
If you didn't attach the AmazonSSMDirectoryServiceAccess IAM policy, then configure your instance permissions. For instructions, see the To create an instance profile for Systems Manager managed instances (console) section in Alternative configuration for Amazon EC2 instance permissions.
Access your AWS Directory Service endpoint
Verify that traffic flows from your Windows instance through AWS Directory Service endpoints. For more information, see Amazon Virtual Private Cloud (VPC) endpoint restrictions and limitations. Then, use the aws:domainJoin plugin to access the AWS Directory Service endpoint.
Provide access to domain controllers
Use the DirectoryServicePortTest application to verify that the Windows operating system (OS) on your Windows instance can communicate with your domain controllers. For instructions, see Test your AD Connector. For a list of the necessary ports, see Active Directory and Active Directory Domain Services Port Requirements on the Microsoft website.
You can also verify that instances on the same subnet can manually join the domain. If your instances can't access your domain controllers from the same subnet, then the seamless domain join fails.
Avoid duplicate computer object names
If you must seamlessly join multiple Windows instances, then use Sysprep before you create your Windows image.
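A quick diagnostic for the domain controller reachability and duplicate computer object checks described in the two preceding sections, written as an added PowerShell script that is not part of the AWS article. The domain controller IP addresses, domain name and credential are placeholders you supply; the ActiveDirectory module (RSAT) is assumed for the duplicate-name check and that check is skipped when it is not available.

```powershell
# Added diagnostic script (not from the AWS article); run it in an elevated PowerShell
# session on the EC2 Windows instance that fails to join. The DC addresses, domain
# name and credential are placeholders you supply; the ActiveDirectory module (RSAT)
# is assumed for the duplicate-name check and the check is skipped when it is absent.
param(
    [string[]]$DomainControllers = @('10.0.0.10', '10.0.1.10'),  # placeholder DC IPs
    [string]$DomainName = 'corp.example.com',                     # placeholder FQDN
    [pscredential]$Credential                                     # AD account for LDAP query
)
# Ports from Microsoft's "Active Directory and Active Directory Domain Services Port
# Requirements". Test-NetConnection checks TCP only, so UDP 53/88/123 and the dynamic
# RPC range (49152-65535) still have to be allowed in the security group and network ACL.
$RequiredPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)
# 1. SSM Agent must be running, or Fleet Manager never shows the node as Online.
$agent = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
if ($agent -and $agent.Status -eq 'Running') { Write-Host 'SSM Agent: Running' }
else { Write-Warning 'SSM Agent not running; check the minimum requirements first.' }
# 2. TCP reachability from this instance to every domain controller on every port.
foreach ($dc in $DomainControllers) {
    foreach ($p in $RequiredPorts) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ('{0}:{1,-5} {2,-25} {3}' -f $dc, $p.Port, $p.Service, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    }
}
# 3. The directory name must resolve through the DC-hosted DNS.
try { Resolve-DnsName -Name $DomainName -Server $DomainControllers[0] -ErrorAction Stop | Out-Null
      Write-Host "DNS: $DomainName resolves via $($DomainControllers[0])" }
catch { Write-Warning "DNS lookup of $DomainName via $($DomainControllers[0]) failed." }
# 4. A computer object that already carries this host's name makes the join fail.
if ($Credential -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
    $dup = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'" -Server $DomainControllers[0] `
                          -Credential $Credential -ErrorAction SilentlyContinue
    if ($dup) { Write-Warning "Computer object '$env:COMPUTERNAME' already exists; Sysprep the image or rename." }
    else { Write-Host "No existing computer object named '$env:COMPUTERNAME'." }
} else { Write-Host 'Skipping duplicate-name check (needs -Credential and the ActiveDirectory module).' }
```

Any port reported as BLOCKED points at the security group, network ACL or route between the instance subnet and the domain controllers; DirectoryServicePortTest remains the authoritative check because it also covers UDP.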
Review your service account privileges
Use the service account that your AD connector uses to manually join the Windows instance.
If you can't join the Windows instance, then delegate the correct permissions to connect to your directory. For instructions, see Delegate privileges to your service account.
Note: The service account name that your AD Connector uses must be fewer than 15 characters long.
Verify your changes
After you make the preceding changes, verify that you can seamlessly join the Amazon EC2 Windows instance.
Related information
Test seamlessly joining an Amazon EC2 instance for Windows Server to a domain