Problem joining EC2 instances to MS AD when launching, and 30 days later

0

Short description:
When I launch EC2 instances, they do not join the AD correctly. I can work around it by joining manually.
But the resultant AMI only works for 30 days, and then it fails to contact the domain controller.
I suspect they are related. But I do not know for sure.
(More info below)

Question:

  1. Why doesn't the seamless join work? How can I troubleshoot that?

  2. Why does my AMI fail at the 30 day mark? Is there something I can do to mitigate/extend that? (Without having to constantly recreate AMIs)

Setup:

  • I have a Microsoft AD using the AWS Directory service.
  • I launch an EC2 instance, I have AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess policy attached in a role during the launch of this instance. (a t3a.___ instance if that matters.)

Problem 1:

  • The EC2 instance is not actually joined to the domain.

Workaround 1:

  • I manually join the domain by typing in the AD controller IP, going to the system properties and adding it to the domain.
  • During the join process, I am asked to log in to the AD. I use a service account credential.
  • I do some stuff to the EC2 instance to make it useful.
  • I capture this EC2 instance as an AMI, and I use an auto-scaling-group to launch more copies of this at certain times etc. And all is well.

Problem 2:

  • After 30 days, the AMI no longer works; it cannot connect to the AD controllers. When I try to RDP, I get a Network Level Authentication error.
  • Even if I try to log in as the local Administrator, I still get the NLA error.

Workaround 2:

  • I had to create a new AMI, which is good for another 30 days.

Edited by: threedot14 on Sep 25, 2020 12:07 PM

asked 4 years ago, 1511 views
3 Answers
0

My best guess is that you are not running Sysprep before creating the AMI. If you miss that step then all of the windows computers will have the same identity.
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation

By default, domain joined computers change their password every 30 days. If multiple computers are using the same identity, then once one computer changes the password all of the other computers will not have the new password and will break.
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age

At AWS we do SysPrep a little different, so please read this article to learn how to properly SysPrep a Windows AMI.
https://aws.amazon.com/premiumsupport/knowledge-center/sysprep-create-install-ec2-windows-amis/

AWS
answered 4 years ago
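The two conditions this answer describes (a shared machine identity and the 30-day machine account password rotation) can be checked directly on a joined instance before the AMI is captured. The following PowerShell is an added example, not code from the thread or from AWS; it assumes the instance is already domain-joined, that the RSAT ActiveDirectory module is installed for the optional AD query, and that the instance uses EC2Launch v1 (the script paths in the commented-out final step are that agent's defaults, as described in the linked AWS article).

```powershell
# Added example: verify the machine account secure channel and inspect the
# Netlogon password-rotation settings that drive the "30 days later" failure.

# 1. Secure channel test. This fails once another clone sharing the same
#    machine account has rotated the password in AD.
$channelOk = Test-ComputerSecureChannel
"Secure channel to domain healthy: $channelOk"

# 2. Netlogon policy on this host. Both values are absent unless set by policy;
#    the Windows defaults are a 30 day maximum age with rotation enabled.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$props    = Get-ItemProperty -Path $netlogon
$maxAge   = if ($null -eq $props.MaximumPasswordAge)   { '(not set, default 30)' } else { $props.MaximumPasswordAge }
$disabled = if ($null -eq $props.DisablePasswordChange) { '(not set, default 0)'  } else { $props.DisablePasswordChange }
"MaximumPasswordAge (days): $maxAge"
"DisablePasswordChange:     $disabled"

# 3. When AD last recorded a password change for this computer object.
#    Requires the RSAT ActiveDirectory module (assumption: it is installed).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet |
        Select-Object Name, PasswordLastSet
} else {
    "ActiveDirectory module not available; skipping PasswordLastSet lookup."
}

# 4. Before capturing the AMI, generalize with the EC2Launch v1 helpers so each
#    launched copy gets its own SID and hostname and performs its own join.
#    (Assumption: EC2Launch v1 default paths; run these last, they shut the instance down.)
# & 'C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1' -Schedule
# & 'C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\SysprepInstance.ps1'
```

If step 1 returns `False` on a freshly launched copy while the original instance still works, the clones are almost certainly sharing one machine account, which is exactly the failure mode the answer describes.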
0

@joedaws,

Thanks for the hint. (And apologies for the long gap in responses).
We have made some progress in isolating the issue, and we agree with your diagnosis that the Windows computers appear as the same identity and we are running afoul of the 30 day computer password policy. So you have answered the second part ("30 days later").

However, to solve this 30 day problem, we can't figure out the first part -- for AMIs we have run sysprep on, it is still not joining the domain automatically. In fact, even the vanilla images are not joining the domain automatically, despite granting the two AmazonSSM policies.

How can I debug failed domain joins? And any tips and hints for that?

Thanks

answered 3 years ago
0

Hello There,

Thanks for getting back to us.

As you mentioned, you have the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess policies attached in a role during the launch of this instance and are still unable to domain join, even using the vanilla image.

In order to narrow down whether the policy was applied correctly and a domain join attempt was made, please check the netsetup logs under C:\Windows\debug. From the logs we will be able to confirm if a domain join attempt was made; if an attempt was made, that means there is no issue with the IAM policy, and you will see in the logs why it failed to join the domain. Please check the "NetpDoDomainJoin: status:" entries in the logs.

If no attempt was made to domain join, then there is still an issue in getting the instance registered as a managed instance. Please refer to the article below on how to troubleshoot this issue:
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-windows-seamless-join-microsoft-ad/

Thanks

AWS
Robin-P
answered 3 years ago
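The manual log check this answer describes can be scripted so the result of every join attempt is listed with its decoded error, followed by the SSM agent state that decides whether a seamless join is attempted at all. This PowerShell is an added example and not code from AWS or the thread; it assumes the standard netsetup.log location under C:\Windows\debug and the AmazonSSMAgent service name used by the SSM agent on Windows.

```powershell
# Added example: summarize domain-join outcomes from netsetup.log and report the
# SSM agent state, which gates the seamless join on EC2.
$logPath = 'C:\Windows\debug\netsetup.log'   # default NetJoin log location

if (-not (Test-Path $logPath)) {
    "No $logPath found: no domain join has ever been attempted on this instance."
} else {
    # Each attempt ends with a line like "NetpDoDomainJoin: status: 0x54b".
    # 0x0 is success; any other value is a Win32 error code explaining the failure.
    $joins = Select-String -Path $logPath -Pattern 'NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)'
    if (-not $joins) {
        "Log exists but has no NetpDoDomainJoin result: the join was not attempted (check SSM first)."
    } else {
        foreach ($m in $joins) {
            $hex = $m.Matches[0].Groups[1].Value
            try {
                $code = [Convert]::ToInt32($hex, 16)
                $msg  = (New-Object System.ComponentModel.Win32Exception($code)).Message
            } catch {
                $msg = 'unrecognized status value'
            }
            'line {0,6}: status {1} -> {2}' -f $m.LineNumber, $hex, $msg
        }
    }
}

# The seamless join is driven by Systems Manager. If no attempt appears in the
# log, confirm the agent service is present and running before looking at IAM.
$ssm = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
if ($null -eq $ssm) {
    "AmazonSSMAgent service not installed: the instance cannot become a managed instance."
} else {
    $ssm | Select-Object Name, Status, StartType
}
```

A decoded status such as "The specified domain either does not exist or could not be contacted" points at DNS or security-group reachability to the directory, while a log with no `NetpDoDomainJoin` line at all means the problem is upstream of the join, in the SSM registration the linked article covers.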
