Issue with AD connector

0

In the us-east-1 region our company has a Simple AD, corp.rentforevent.com (d-9067ccc6b2). For users located in Europe we want to create standby WorkSpaces. For this purpose we created an AD Connector in eu-central-1 (Connected directory domain - corp.rentforevent.com, Directory ID - d-99676edaeb), configured the VPC and, following the instructions, created Service account credentials (username - eucon, member of the "Connectors" group). But every time we create a WorkSpace we get the error: "There was an issue joining the WorkSpace to your domain. Verify that your service account is allowed to complete domain join operations. If you continue to see an issue, contact AWS Support." We get this error even when using the administrator credentials of corp.rentforevent.com (d-9067ccc6b2) as the Service account credentials. When setting up and creating the AD Connector (Directory ID - d-99676edaeb) we used the guide at https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_getting_started.html#prereq_connector?icmpid=docs_dirservices_console

4 Answers
1
Accepted Answer

Hello,
First of all, make sure that the ports are open between the subnets hosting your AD Connector and your Simple AD.
The minimum requirements are:

  • TCP/UDP 53 - DNS
  • TCP/UDP 88 - Kerberos authentication
  • TCP/UDP 389 - LDAP.

BUT it's not limited to this. If you use LDAPS, you must also open the LDAPS port, TCP 636. See AD Services Port Requirements.

Normally a default configuration between your Simple AD and AD Connector should work, as long as there is connectivity.

For troubleshooting and to see more details, I suggest launching a Windows EC2 instance in the same subnets where your AD Connector will be deployed and testing connectivity using telnet commands.
Then try manually joining the EC2 instance to your domain using the same service account; you'll get more detailed information in case of failure.
If you've previously created the service account, you most likely already have the necessary setup in place.

answered 20 days ago
AWS EXPERT reviewed 17 days ago
1

It appears you're experiencing issues with your AD Connector when trying to create WorkSpaces in a different region from your Simple AD. This is a common challenge when setting up cross-region directory services. Here are a few potential causes and solutions to consider:

  1. Connectivity: Ensure that the AD Connector in eu-central-1 can reach the Simple AD in us-east-1. Check that your network configuration, including VPC peering or AWS Transit Gateway, allows communication between these regions.

  2. Service Account Permissions: Verify that the service account (eucon) has the necessary permissions to join computers to the domain. It should be a member of the "Domain Admins" group or have explicit permissions to join computers to the domain, not just the "Connectors" group.

  3. Password Complexity: Make sure the service account password meets AWS password complexity requirements. If it doesn't, you may need to recreate the AD Connector with a compliant password.

  4. Port Availability: Confirm that the required ports are open between the regions. AD Connector needs access to ports 53 (DNS), 88 (Kerberos), and 389 (LDAP) at a minimum.

  5. DNS Resolution: Ensure that DNS resolution is working correctly across regions. The AD Connector needs to be able to resolve the domain controllers in the us-east-1 region.

  6. Service Account Credentials: Double-check that the service account credentials are correct and up-to-date in the AWS Secrets Manager secret configured for the directory.

  7. Directory Trust: Consider setting up a two-way trust between your Simple AD and the AD Connector if possible, although this may not be necessary for WorkSpaces specifically.

If you've verified all these points and are still encountering issues, you may need to delete the current AD Connector and create a new one, ensuring all prerequisites are met. If the problem persists, it would be advisable to contact AWS Support for further assistance, as there may be specific configuration details or regional considerations that need to be addressed.
Sources
Troubleshooting AD Connector - AWS Directory Service
Update AD Connector credentials in WorkSpaces | AWS re:Post
WorkSpaces Pools troubleshooting notification codes - Amazon WorkSpaces

answered 21 days ago
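Both the accepted answer and the answer above come down to the same check: the Simple AD's security group must admit the AD Connector subnets on TCP/UDP 53, 88 and 389 (and TCP 636 if LDAPS is used). The script below is an added example, not code from the thread or from AWS: it audits a security group for exactly those rules. The security-group documents, the group IDs, the 10.20.0.0/16 connector VPC and the 10.20.x.0/24 subnets are constructed for the example; the dictionaries mimic the shape that boto3's `ec2.describe_security_groups` returns, so a real group can be fed in the same way. `tcp_reachable` is the scripted equivalent of the telnet step and is meant to run from a test instance in the connector subnet.

```python
"""Audit a Simple AD security group for the inbound rules an AD Connector needs.

Added example (not from the re:Post thread). Required ports follow the accepted
answer: TCP/UDP 53, 88, 389, plus TCP 636 only when LDAPS is in use.
The security-group documents below are constructed and mimic the output of
boto3's ec2.describe_security_groups.
"""
import ipaddress
import socket
from dataclasses import dataclass

# (protocol, port) pairs the AD Connector must reach on the Simple AD side.
REQUIRED_PORTS = [("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
                  ("tcp", 389), ("udp", 389)]
LDAPS_PORTS = [("tcp", 636)]  # only needed when LDAPS is used


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp", or "-1" (all protocols, all ports)
    from_port: int
    to_port: int
    cidr: str        # source CIDR the rule admits


def rules_from_describe(sg: dict) -> list:
    """Flatten the IpPermissions of one describe_security_groups entry.

    Only CIDR sources are evaluated; security-group references
    (UserIdGroupPairs) are skipped, since a cross-region setup like the one
    in the thread has to use CIDR rules anyway.
    """
    rules = []
    for perm in sg.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        # "-1" (all traffic) rules carry no port fields: treat as every port.
        low = perm.get("FromPort", 0)
        high = perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []):
            rules.append(Rule(proto, low, high, rng["CidrIp"]))
    return rules


def rule_covers(rule: Rule, proto: str, port: int, subnet: str) -> bool:
    """True if the rule admits this protocol/port from every host in subnet."""
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    src = ipaddress.ip_network(subnet)
    allowed = ipaddress.ip_network(rule.cidr)
    return src.version == allowed.version and src.subnet_of(allowed)


def missing_rules(rules, connector_subnets, ports=REQUIRED_PORTS):
    """Return (subnet, proto, port) triples that no rule admits."""
    return [(subnet, proto, port)
            for subnet in connector_subnets
            for proto, port in ports
            if not any(rule_covers(r, proto, port, subnet) for r in rules)]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live TCP probe, the scripted form of the telnet test in the accepted
    answer. Run it from an instance in the connector subnet; not used offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: the Simple AD security group (us-east-1) before the fix.
# 10.20.0.0/16 stands in for the peered eu-central-1 VPC hosting the connector.
SIMPLE_AD_SG_BEFORE = {
    "GroupId": "sg-EXAMPLE-before",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    ],
}

# The same group after adding Kerberos (TCP/UDP 88) and UDP 389.
SIMPLE_AD_SG_AFTER = {
    "GroupId": "sg-EXAMPLE-after",
    "IpPermissions": SIMPLE_AD_SG_BEFORE["IpPermissions"] + [
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "udp", "FromPort": 88, "ToPort": 88,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
        {"IpProtocol": "udp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
    ],
}

CONNECTOR_SUBNETS = ["10.20.1.0/24", "10.20.2.0/24"]  # constructed


if __name__ == "__main__":
    for sg in (SIMPLE_AD_SG_BEFORE, SIMPLE_AD_SG_AFTER):
        gaps = missing_rules(rules_from_describe(sg), CONNECTOR_SUBNETS)
        print(sg["GroupId"], "missing:", gaps or "none")
```

Run against the "before" group the audit reports TCP 88, UDP 88 and UDP 389 missing for each connector subnet, which matches the pattern the asker eventually found (rules present but incomplete). Pass `ports=LDAPS_PORTS` to check TCP 636 separately, and remember the other direction too: the connector's own security group must allow the matching outbound traffic, which the default outbound rule already does.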
0

Many thanks to everyone who took part in the discussion of this issue. Thank you all for your answers. The problem has been solved. The reason is that the rules in the security groups are not fully configured. Based on your suggestions, I rechecked and added the missing rules and I was able to implement this project.

answered 20 days ago
-1

Hi,

As I understand it:

  • Simple AD (us-east-1), domain "corp.rentforevent.com"
  • AD Connector (eu-central-1) to connect to the Simple AD

You are trying to use AD Connector to connect to Simple AD.

This will not work because:

AD Connector requires a real Microsoft Active Directory backend, and Simple AD is not one. AD Connector must connect to a self-managed AD or AWS Managed Microsoft AD.

Here are two correct approaches you can consider instead:

Option 1: Use AWS Managed Microsoft AD Instead of Simple AD

Option 2: Create Another Simple AD or AWS Managed AD in eu-central-1

Best,

answered 21 days ago
  • Hello, I can confirm that AD Connector is compatible with Simple AD. I've previously set up such environments for PoC purposes.
