EC2 instance not able to join AWS Managed Microsoft AD domain


I have a Windows EC2 instance in a subnet with no internet access, but the VPC has endpoints to all SSM-related services. When I try to join the domain by associating an SSM document, it fails and the error log shows the following:

2020-03-25 10:23:35,277 [1] ERROR [Framework] - Failed to create domain computer account 'TESTVM', Message=A WebException with status ConnectFailure was thrown.,ErrorCode=,ErrorType=Sender,StatusCode=0
Amazon.Runtime.AmazonServiceException: A WebException with status ConnectFailure was thrown. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at Amazon.Runtime.Internal.HttpHandler`1.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.Unmarshaller.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeSync(IExecutionContext executionContext)
   --- End of inner exception stack trace ---
   at Amazon.Runtime.Internal.WebExceptionHandler.HandleException(IExecutionContext executionContext, WebException exception)
   at Amazon.Runtime.Internal.ErrorHandler.ProcessException(IExecutionContext executionContext, Exception exception)
   at Amazon.Runtime.Internal.ErrorHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RetryHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.CallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.MetricsHandler.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.Internal.RuntimePipeline.InvokeSync(IExecutionContext executionContext)
   at Amazon.Runtime.AmazonServiceClient.Invoke[TRequest,TResponse](TRequest request, IMarshaller`2 marshaller, ResponseUnmarshaller unmarshaller)
   at Amazon.DirectoryService.AmazonDirectoryServiceClient.CreateComputer(CreateComputerRequest request)
   at Amazon.EC2Services.Config.Plugins.DomainJoin.Ec2SDomainJoin.CreateComputer(DomainJoinDto domainJoinDto, String desiredComputerName, String accountCreationPassword)

It seems like the error is happening because it can't reach which is expected because it is not internet accessible. But what is this IP? I don't think it is an Amazon IP, and the location of this IP shows somewhere in China?
If the server has internet access, associating the SSM document works.

Edited by: thescreenslaver on Mar 25, 2020 3:50 AM

Edited by: thescreenslaver on Mar 25, 2020 3:52 AM

1 Answer

I figured out the problem.
Writing it here for future reference. The IP it was looking for is indeed an AWS IP address. It is the endpoint IP for AWS Directory Service. Since DS does not have a VPC endpoint as of now, it is not possible to automatically join instances without internet access to the domain.

answered 4 years ago
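A quick way to confirm the root cause described in the answer before retrying the association is to test, from the instance itself, whether the Directory Service API endpoint is reachable on TCP/443. This is an added diagnostic script, not code from the question, the answer or the SSM domain-join plugin; it assumes IMDS is reachable from the instance and that the DS API endpoint follows the ds.<region>.amazonaws.com naming pattern.

```powershell
# Added diagnostic (not from the original post): check whether this EC2 instance
# can reach the AWS Directory Service API endpoint that the SSM domain-join
# plugin calls (the CreateComputer call in the stack trace). A failed TCP test
# here is the same ConnectFailure the plugin logs.

# Read the region from IMDSv2 (token first, then the metadata path).
$token = Invoke-RestMethod -Method Put -Uri 'http://169.254.169.254/latest/api/token' `
    -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
$region = Invoke-RestMethod -Uri 'http://169.254.169.254/latest/meta-data/placement/region' `
    -Headers @{ 'X-aws-ec2-metadata-token' = $token }

# Assumption: DS API endpoint hostname pattern ds.<region>.amazonaws.com
$dsHost = "ds.$region.amazonaws.com"

# Step 1: name resolution. The public DNS name should still resolve even when
# the subnet has no internet egress; the addresses are what the plugin connects to,
# so they can be compared with the IP shown in the error log.
try {
    $addrs = (Resolve-DnsName -Name $dsHost -Type A -ErrorAction Stop).IPAddress
    Write-Host "$dsHost resolves to: $($addrs -join ', ')"
} catch {
    Write-Host "DNS resolution of $dsHost failed: $($_.Exception.Message)"
    return
}

# Step 2: TCP/443 reachability to each resolved address. Without a NAT gateway,
# proxy, or a VPC endpoint for this service, every test is expected to fail.
foreach ($ip in $addrs) {
    $r = Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'reachable' } else { 'NOT reachable' }
    Write-Host ("{0}:443 {1}" -f $ip, $state)
}
```

If every address reports NOT reachable, the domain join cannot succeed regardless of the SSM endpoints, which only cover the SSM agent's own traffic; the instance needs a route to the DS API (NAT gateway or an outbound proxy) for the automatic join to work.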
