Windows EC2 instance seamless domain join


I have an AWS Managed AD directory service. I am not able to seamlessly join the Windows EC2 instance to the domain. If I RDP into the instance and try to join the domain manually, it works.

I am also able to join the domain by running the following command on the running EC2 instance: AWS-JoinDirectoryServiceDomain

Here is the error message that I am getting: Execution Summary: XXXXXXXX-XXXX-XXXX-XXX-XXXXXXXX 1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped. The operation aws:domainJoin failed because Domain join failed with exception: Domain Join failed exit status 1.

I have already confirmed that all the required ports are open. In fact, I have allowed everything in both the SG and the ACL.

1 Answer

When you launch the EC2 instance, are you choosing to join the domain? If you are using the new EC2 launch wizard, you will find this option at the bottom of the screen under "Advanced details", where you get to pick which domain it will join.

Opening security groups is not the right path to making this work. You MUST make sure that the EC2 instance has an IAM instance role that has at least the following permission:


For example, here is an IAM instance role definition in CloudFormation that grants domain join permission and also SSM managed instance permission:

    InstanceRole:                      # logical ID is illustrative; place under Resources
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:      # trust policy: lets EC2 assume this role
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service: [ec2.amazonaws.com]   # EC2 service principal (empty in the posted snippet)
              Action: ['sts:AssumeRole']
        Path: /
        ManagedPolicyArns:             # SSM agent core + Directory Service domain join
          - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
          - arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
AWS
answered 2 years ago
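The answer above points at the instance profile rather than the security groups. The following PowerShell script is an added diagnostic, not part of the original answer or of any AWS-provided tooling; it is run in an elevated session on the Windows instance that fails to join and checks the preconditions a seamless join depends on: that an IAM instance profile is actually attached (queried through IMDSv2), that the SSM Agent service which executes the aws:domainJoin plugin is running, and that the directory's DNS servers resolve the domain and accept the TCP ports a join uses. `$DomainName` and `$DirectoryDnsIps` are placeholder values to be replaced with the DNS name and DNS server addresses shown on the AWS Managed Microsoft AD directory details page.

```powershell
# Added diagnostic for seamless domain join preconditions on a Windows EC2 instance.
# Not from the original answer. $DomainName and $DirectoryDnsIps are assumed
# placeholders; replace them with your directory's values.
param(
    [string]   $DomainName      = 'corp.example.com',
    [string[]] $DirectoryDnsIps = @('10.0.0.10', '10.0.1.10')
)

$ErrorActionPreference = 'Stop'
$Findings = New-Object System.Collections.Generic.List[string]

# --- 1. Instance profile: fetch an IMDSv2 token, then the iam/info document.
#        IMDS answers 404 on iam/info when no profile is attached, so Invoke-RestMethod throws.
try {
    $Token = Invoke-RestMethod -Method PUT -Uri 'http://169.254.169.254/latest/api/token' `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' } -TimeoutSec 5
    $IamInfo = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/iam/info' `
        -Headers @{ 'X-aws-ec2-metadata-token' = $Token } -TimeoutSec 5
    Write-Host "Instance profile: $($IamInfo.InstanceProfileArn)"
} catch {
    $Findings.Add('No IAM instance profile is attached (IMDS iam/info returned an error). ' +
                  'Attach a profile whose role has AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess.')
}

# --- 2. SSM Agent: the aws:domainJoin plugin runs inside this service.
$Agent = Get-Service -Name 'AmazonSSMAgent' -ErrorAction SilentlyContinue
if (-not $Agent) {
    $Findings.Add('AmazonSSMAgent service is not installed.')
} elseif ($Agent.Status -ne 'Running') {
    $Findings.Add("AmazonSSMAgent service is $($Agent.Status), expected Running.")
}

# --- 3. Directory DNS and the ports a domain join uses: DNS 53, Kerberos 88, LDAP 389, SMB 445.
#        Wide-open security groups alone do not make the join work, but a DNS or port failure does break it.
$JoinPorts = 53, 88, 389, 445
foreach ($Dns in $DirectoryDnsIps) {
    try {
        $Answer = Resolve-DnsName -Name $DomainName -Server $Dns -Type A -DnsOnly -ErrorAction Stop
        $Addresses = ($Answer | Where-Object Type -eq 'A').IPAddress -join ', '
        Write-Host "$Dns resolves $DomainName to $Addresses"
    } catch {
        $Findings.Add("$Dns does not resolve $DomainName : $($_.Exception.Message)")
    }
    foreach ($Port in $JoinPorts) {
        $Probe = Test-NetConnection -ComputerName $Dns -Port $Port -WarningAction SilentlyContinue
        if (-not $Probe.TcpTestSucceeded) {
            $Findings.Add("$Dns : TCP port $Port is not reachable from this instance.")
        }
    }
}

# --- Summary: an empty list means every precondition checked here is satisfied.
if ($Findings.Count -eq 0) {
    Write-Host 'All seamless domain join preconditions checked here are satisfied.'
} else {
    Write-Warning 'Seamless domain join preconditions that failed:'
    $Findings | ForEach-Object { Write-Warning "  - $_" }
}
```

Run it as `.\Test-SeamlessJoin.ps1 -DomainName corp.example.com -DirectoryDnsIps 10.0.0.10,10.0.1.10` (script name is illustrative). If the first check fails, the fix is the instance profile from the answer above, not the security groups; if the instance profile is present but the SSM Agent is stopped or cannot reach the directory, the aws:domainJoin plugin still exits with status 1 and the association fails with the same summary shown in the question.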
