Windows Ec2 instance seamless domain join
I have a AWS Managed AD directory service. I am not able to seamlessly join the Windows Ec2 instance to Domain. If i RDP into the instance and try to join the domain manually it works.
I am also able to join domain by running the following command in running EC2 instance: AWS-JoinDirectoryServiceDomain and AWS-JoinDirectoryServiceDomain
Here is the error message that i am getting: Execution Summary: XXXXXXXX-XXXX-XXXX-XXX-XXXXXXXX 1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped. The operation aws:domainJoin failed because Domain join failed with exception: Domain Join failed exit status 1.
I have already confirmed all the required ports are open. Infact i have allow everything in both SG and ACL.
- Newest
- Most votes
- Most comments
When you launch the EC2 instance are you choosing to join the domain? If you are using the new EC2 launch wizard you will find this option at the bottom of the screen under "Advanced details" - you get to pick which domain it will join.
Opening security groups is not the right path to making this work. You MUST make sure that the EC2 has an IAM instance role that has at least the following permission:
arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
For example here is an IAM instance role definition in CloudFormation that grants Domain join permission and also SSM managed instance permission:
EC2SsmIamRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ec2.amazonaws.com]
Action: ['sts:AssumeRole']
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
- arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
Relevant content
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 18 days ago
- AWS OFFICIALUpdated a year ago
