How do I troubleshoot a seamless domain join for Windows instances in Systems Manager?


I can't successfully complete a seamless domain join for Windows instances in AWS Systems Manager.

Short description

If a seamless domain join for a Windows instance fails, then review the following common causes to troubleshoot the issue:

Resolution

Verify Systems Manager prerequisites

To seamlessly domain join Windows instances, complete the Systems Manager prerequisites. When the prerequisites are met, the managed node's AWS Systems Manager Agent (SSM Agent) ping status is Online. To see the SSM Agent ping status, open the AWS Systems Manager console, and then choose Fleet Manager from the navigation pane. If the managed instance doesn't appear in Fleet Manager, then verify that your Amazon Elastic Compute Cloud (Amazon EC2) instance meets the managed instance requirements.

Verify the IAM instance profile policies

To seamlessly domain join Windows instances, the AmazonSSMDirectoryServiceAccess IAM managed policy must be attached to the IAM role of the instance profile. To find the role, open the Amazon EC2 console, choose Instances from the navigation pane, select the instance, and then choose the IAM Role link on the Details tab.

If the AmazonSSMDirectoryServiceAccess policy is missing, then attach it to the role. For instructions, see Configure instance permissions for Systems Manager.
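The following script is an added example (not part of the original article) that checks both prerequisites above from an administrator workstation with the AWS Tools for PowerShell installed: the SSM Agent ping status of the instance and the managed policies attached to the instance profile role. The instance ID and region are placeholders, and AmazonSSMManagedInstanceCore is included as the usual policy that satisfies the managed-instance requirement.

```powershell
# Added example (not from the original article). Requires the AWS.Tools.EC2,
# AWS.Tools.IdentityManagement and AWS.Tools.SimpleSystemsManagement modules
# and credentials that can read EC2, IAM and SSM. Placeholders below.
param(
    [string]$InstanceId = 'i-0123456789abcdef0',   # placeholder
    [string]$Region     = 'us-east-1'               # placeholder
)

Set-DefaultAWSRegion -Region $Region

# 1. SSM Agent ping status: a seamless join only works when this is "Online".
$ssm = Get-SSMInstanceInformation -Filter @{ Key = 'InstanceIds'; Values = $InstanceId }
if (-not $ssm) {
    Write-Warning "$InstanceId is not registered as a managed node. Check the managed-instance requirements (agent, instance profile, route to the SSM endpoints)."
} else {
    Write-Host ("Ping status: {0}  agent {1}  platform {2}" -f $ssm.PingStatus, $ssm.AgentVersion, $ssm.PlatformName)
    if ($ssm.PingStatus -ne 'Online') {
        Write-Warning 'SSM Agent is not Online; fix this before troubleshooting the join itself.'
    }
}

# 2. Instance profile: resolve the role behind it and list its attached managed policies.
$instance = (Get-EC2Instance -InstanceId $InstanceId).Instances[0]
if (-not $instance.IamInstanceProfile) {
    Write-Warning 'No IAM instance profile is attached to the instance.'
    return
}
$profileName = ($instance.IamInstanceProfile.Arn -split '/')[-1]
$roles = (Get-IAMInstanceProfile -InstanceProfileName $profileName).Roles
foreach ($role in $roles) {
    $attached = (Get-IAMAttachedRolePolicyList -RoleName $role.RoleName).PolicyName
    Write-Host ("Role {0} attached policies: {1}" -f $role.RoleName, ($attached -join ', '))
    foreach ($required in 'AmazonSSMManagedInstanceCore', 'AmazonSSMDirectoryServiceAccess') {
        if ($attached -notcontains $required) {
            Write-Warning "Role $($role.RoleName) is missing $required."
        }
    }
}
```

The policy check matches attached managed policies by name only. If you granted the equivalent permissions (ds:CreateComputer and ds:DescribeDirectories for the directory-join part) through an inline or customer managed policy instead, inspect that policy document rather than relying on the name comparison.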

Allow traffic access to the AWS Directory Service endpoint

The seamless domain join is performed by the aws:domainJoin plugin of SSM Agent, which calls the AWS Directory Service API from the Windows instance.

For the aws:domainJoin plugin to reach AWS Directory Service, you must allow outbound traffic from your Windows instance to the public AWS Directory Service endpoints (for example, through a NAT gateway, an internet gateway, or a proxy). For more information, see VPC endpoint restrictions and limitations.

Provide access to domain controllers

To seamlessly domain join a Windows instance, the Windows OS on the instance must be able to communicate with the domain controllers. Use the DirectoryServicePortTest test application to verify that the instance can reach a domain controller on the required ports.

For a list of port numbers required to join a domain, see Active Directory and Active Directory Domain Services Port Requirements on the Microsoft website.

You can also verify whether an instance in the same subnet can manually join the domain. If instances in the same subnet can't reach the domain controllers, then the seamless domain join fails.
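The following script is an added example (not part of the original article or of the DirectoryServicePortTest tool) that covers the two network checks above from the Windows instance itself: reachability of the public AWS Directory Service endpoint on port 443, and TCP reachability of every domain controller on the ports the Microsoft port requirements list. The domain name, DNS server address and region are placeholders. UDP ports and the dynamic RPC range can't be probed with Test-NetConnection and have to be verified in the security group and network ACL rules instead.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the Windows instance. Placeholders below.
$DomainName = 'corp.example.com'     # placeholder: the directory's fully qualified name
$DnsServer  = '10.0.0.10'            # placeholder: one of the directory's DNS addresses
$Region     = 'us-east-1'            # placeholder

# 1. The aws:domainJoin plugin calls the Directory Service API over its public
#    endpoint, so the instance needs a route (NAT, internet gateway or proxy) to it on 443.
Test-NetConnection -ComputerName "ds.$Region.amazonaws.com" -Port 443 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# 2. Locate the domain controllers through the SRV record a domain join relies on,
#    asking the directory's DNS server directly rather than whatever DNS the
#    instance currently uses.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DnsServer -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget
if (-not $dcs) { throw "No DC SRV records for $DomainName via $DnsServer; fix DNS before testing ports." }

# 3. TCP ports from the Microsoft Active Directory port requirements. UDP 53, 88,
#    123 (time), 389 and the dynamic RPC range 49152-65535 are not covered here.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
    9389 = 'AD Web Services'
}
foreach ($dc in $dcs) {
    foreach ($p in ($ports.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-30} {1,5}  {2,-28} {3}' -f $dc, $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

A BLOCKED result on a port that the DirectoryServicePortTest tool also reports as closed points at a security group, network ACL, or on-premises firewall rule between the instance's subnet and the domain controllers rather than at the join itself.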

Avoid duplicate computer object names

If a computer object with the same name already exists on the domain controller, then the domain join fails. To seamlessly domain join multiple Windows instances launched from a custom Windows image, run Sysprep before you create the image so that each instance receives a unique computer name. For instructions on using Sysprep, see How can I use Sysprep to create and install custom reusable Windows AMIs?

Review the AD Connector service account privileges

To use AD Connector, the service account requires sufficient privileges. If the service account doesn't have the privilege to create computer objects in the target organizational unit, then the seamless domain join fails. To verify the service account privileges, manually join a Windows instance to the domain using the service account.
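The following script is an added example (not part of the original article) that combines the two checks above on a Windows instance that isn't joined yet: it binds to the domain with the AD Connector service account, looks for an existing computer object with this instance's name, and then attempts the manual join with the same account. The domain name, distinguished name, domain controller and target OU are placeholders; the LDAP lookup uses the .NET System.DirectoryServices classes so that no RSAT module is needed on the instance.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on a Windows instance that is not yet domain joined. Placeholders below.
$DomainName       = 'corp.example.com'            # placeholder
$DomainDn         = 'DC=corp,DC=example,DC=com'   # placeholder
$DomainController = 'dc01.corp.example.com'       # placeholder: any reachable DC
$TargetOu         = "OU=Servers,$DomainDn"        # placeholder: OU the join should create the object in
$Cred             = Get-Credential -Message 'AD Connector service account (DOMAIN\user)'

# 1. Look for an existing computer object with the same name as this instance.
#    The bind with the service account also proves the credentials themselves are valid.
$ComputerName = $env:COMPUTERNAME
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainController/$DomainDn",
    $Cred.UserName,
    $Cred.GetNetworkCredential().Password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=computer)(cn=$ComputerName))"
$existing = $searcher.FindOne()
if ($existing) {
    Write-Warning ("A computer object named {0} already exists at {1}. Rename this instance, or Sysprep the image, before joining." -f `
        $ComputerName, $existing.Properties['distinguishedname'][0])
    return
}

# 2. Manual join with the service account. An access-denied error here means the
#    account can't create computer objects in $TargetOu, and the seamless join
#    fails for the same reason. Restart afterwards to complete the join.
try {
    Add-Computer -DomainName $DomainName -Credential $Cred -OUPath $TargetOu -ErrorAction Stop
    Write-Host "Joined $DomainName as $ComputerName; restart the instance to complete the join."
} catch {
    Write-Warning "Manual join failed: $($_.Exception.Message)"
}
```

Omit -OUPath to test against the default Computers container, which is where the seamless join creates the object when no OU is specified in the directory or document parameters.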

Related information

Test seamlessly joining an EC2 instance for Windows Server to a domain

AWS OFFICIAL
Updated 9 months ago