By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

cannot join remote windows 10 pro desktop to newly created aws simple ad domain

0

I followed all the instructions from AWS. Created a VPC, created a Directory Service (simple AD) and created a EC2 Windows Server instance that is joined to the simple AD. I can remote in to the EC2 instance via RDC and I setup a new user and a new computer in the active directory. When i try to connect a computer to the domain it says it cannot be contacted. I cannot ping the public IP of the instance although I am RDC to it. I cannot ping it from either the computer(1) that is RDC to it nor from the computer(2) that i am trying to add to the domain. I added the public IP of the EC2 as the primary DNS server for computer2. I am setting the computer name and user name to what I setup in the active directory and the domain to "MYDOMAIN.COM" which is what AWS lists as my domain name.
I checked the security groups for the EC2 and the "AWS created security group for directory controllers" seems to allow ICMP from 0.0.0.0/0 which is anywhere. So not sure why I cannot ping. I have checked the IP address 5 ways from Sunday. Any suggestions greatly appreciated. UPDATE: I have tried numerous things to ping the domain controller. The public IP does not respond. And of course windows cannot contact the DNS server. I checked the security group several times and the DNS port is open as is the ICMP. Don't know where to turn next. ????

Topics
Security, Identity, & ComplianceComputeNetworking & Content Delivery
Tags
AWS Directory ServiceAmazon EC2Networking & Content Delivery
Language
English
BobB
asked a year ago384 views
2 Answers
1

Could you please verify if you have configured these rules in your Security Group (SG) and Network Access Control List (ACL)?

Security Group Inbound Rules:

  • ICMP - IPv4 - All
  • TCP - Ports 53, 88, 389, 445, 139 - Source: 0.0.0.0/0
  • UDP - Ports 53, 88, 389, 137, 138 - Source: 0.0.0.0/0

Security Group Outbound Rules:

  • All traffic - Destination: 0.0.0.0/0

Network ACL Inbound Rules:

  • Rule #100 - ICMP - IPv4 - All - Source: 0.0.0.0/0
  • Rule #110 - TCP - Ports 53, 88, 389, 445, 139 - Source: 0.0.0.0/0
  • Rule #120 - UDP - Ports 53, 88, 389, 137, 138 - Source: 0.0.0.0/0

Network ACL Outbound Rules:

  • Rule #100 - All traffic - Destination: 0.0.0.0/0

💡 These rules should allow the necessary inbound and outbound traffic for Active Directory and DNS communication between the local Windows 10 Pro desktops and the AWS Simple AD domain controller.

ℹ️ Enhance your AWS Managed Microsoft AD network security configuration

profile picture
EXPERT
Osvaldo Marte
answered a year ago
  • BobB
    a year ago

    Thanks for the help but... Everything in the security groups was enabled except for TCP 139, which I added. The outputs were correct.
    For the ACLs, I added 110 TCP for port range 53-445 and 120 UDP for port range 53-389. Outbound ACL was already set. Unfortunately still no joy. Still no ping.

  • Osvaldo Marte EXPERT
    a year ago

    Is the EC2 instance passing both health checks? Health Check 2/2?

  • BobB
    a year ago

    Well, things have changed. I can no longer RDP into the EC2 instance. I was in there yesterday and I changed nothing. I created a brand new instance and tried to access that and I cannot access that either. Both say either remote access is not enabled, the computer is off or it is not on the network. This is bizarre.
    The instance says 2/2 status checks passed.
    I still think the first issue I need to solve is the inability to ping the instance. So a specific question is should I be able to ping the public IP of the instance. I currently cannot.

    It seems odd that I can remote in to the server using remote desktop but I cannot ping it.

    While I would prefer not to start over again, I can repeat all the setup steps after deleting everything. Will ponder on that approach for awhile. Thanks again.

  • Osvaldo Marte EXPERT
    a year ago

    Could you please confirm the following details for troubleshooting connectivity issues with your instance?

    1. Is there an inbound rule for port 3389 (RDP) set in your Security Group?
    2. Does your instance have a Public IP address assigned, and are you using an Elastic IP? If so, please ensure it is properly associated.
    3. Could you check if the route table linked to your subnet is correctly routing traffic to the Internet Gateway?
    4. Is ICMP IPv4 traffic allowed in your Security Group's inbound rules, with the source set to 0.0.0.0/0? This setting is necessary for enabling ping responses.

    📢 Please let me know as soon as you can so I can continue to assist you.

0

Hi,

So if I understand correctly,

  • You were able to successfully join the first EC2 instance (EC2-1) to the Simple AD Domain, but you are not able to join another instance (EC2-2) to the same domain.
  • You are able to remote desktop into EC2-1 using the public IP but you cannot ping the same IP
  • You are also not able to ping the Public IP of EC2-2
  • Security Groups attached to both EC2 instances allow ICMP from anywhere

Assuming the configuration is correct, and it looks like it, the ping failure could be the local windows firewall blocking the traffic, I would check that to rule it out.

For the domain join issue, it looks like it may be DNS related. I assume you are performing a manual join of the instance to the AD domain - see https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_join_windows_instance.html - and in this case you need to add the Simple AD's IP addresses as the DNS IP address of the EC2 instance, so the instance can perform a lookup your AD domain. It looks like you are using the EC2-1's public IP address instead, can you share more why you are doing that?

AWS
Akin
answered a year ago
  • BobB
    a year ago

    Thanks for the response. The two computers, 1 and 2 are local to my office, not separate EC2 instances. I can RDC (connect) into the EC2 instance that is the server for the domain controller from computer1. I am trying to join computer2 to that domain controller on AWS. I cannot ping the AWS EC2 from either computer even tho I can remote into it. I suspect not be able to ping is part of the reason why I cannot join the domain. When I try to join it says it cannot find the domain, so ... Yes I believe the security groups allow ICMP from anywhere. Both local computers can ping www.google.com so I do not think they have a firewall issue. The public IP address of the instance is the primary DNS server for computer2. Still does not ping. Again, suggestions appreciated.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content