My best guess is that you are not running Sysprep before creating the AMI. If you miss that step, then all of the Windows computers will have the same identity.
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--generalize--a-windows-installation
By default, domain joined computers change their password every 30 days. If multiple computers are using the same identity, then once one computer changes the password all of the other computers will not have the new password and will break.
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age
At AWS we do SysPrep a little different, so please read this article to learn how to properly SysPrep a Windows AMI.
https://aws.amazon.com/premiumsupport/knowledge-center/sysprep-create-install-ec2-windows-amis/
@joedaws,
Thanks for the hint. (And apologies for the long gap in responses).
We have made some progress in isolating the issue, and we agree with your diagnosis that the Windows computers appear as the same identity and we are running afoul of the 30 day computer password policy. So you have answered the second part ("30 days later").
However, to solve this 30 day problem, we can't figure out the first part -- for AMIs we have run sysprep on, it is still not joining the domain automatically. In fact, even the vanilla images are not joining the domain automatically, despite granting the two AmazonSSM policies.
How can I debug failed domain joins? And any tips and hints for that?
Thanks
Hello there,
Thanks for getting back to us.
As you mentioned, you have the AmazonSSMManagedInstanceCore and AmazonSSMDirectoryServiceAccess policies attached to a role during the launch of this instance and are still unable to domain join using the vanilla image as well.
In order to narrow down whether the policy was applied correctly and a domain join attempt was made, please check the netsetup logs under C:\Windows\debug. From the logs we will be able to confirm whether a domain join attempt was made; if an attempt was made, that means there is no issue with the IAM policy, and you will see in the logs why it failed to join the domain. Please check for "NetpDoDomainJoin: status:" in the logs.
If no attempt was made to domain join, then it means there is still an issue in getting the instance to register as a managed instance. Please refer to the article mentioned below on how to troubleshoot this issue.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-windows-seamless-join-microsoft-ad/
Thanks
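As an added example (not code from the answer above or from AWS), a PowerShell snippet that scans NetSetup.log for the "NetpDoDomainJoin: status:" lines the answer refers to and decodes each status code into its Win32 error text; the sample log lines are constructed, and AmazonSSMAgent is the standard SSM Agent service name on Windows.

```powershell
# Added example (not from the original post): scan NetSetup.log for domain-join
# attempts and decode the Win32 status of each "NetpDoDomainJoin: status:" line.
function Get-DomainJoinAttempt {
    param(
        # Default is the NetSetup log location named in the answer.
        [string]$LogPath = 'C:\Windows\debug\NetSetup.log'
    )
    if (-not (Test-Path -Path $LogPath)) {
        # No log at all means no join was ever attempted on this instance.
        return [pscustomobject]@{ Attempted = $false; Results = @() }
    }
    $pattern = 'NetpDoDomainJoin:\s+status:\s+0x([0-9a-fA-F]+)'
    $results = foreach ($line in Get-Content -Path $LogPath) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            $code = [Convert]::ToInt32($m.Groups[1].Value, 16)
            [pscustomobject]@{
                Line      = $line.Trim()
                Status    = $code
                # Win32Exception maps the numeric status to its text, e.g. 1355 (0x54b)
                # is "The specified domain either does not exist or could not be contacted."
                Message   = ([System.ComponentModel.Win32Exception]$code).Message
                Succeeded = ($code -eq 0)
            }
        }
    }
    [pscustomobject]@{ Attempted = ($null -ne $results); Results = @($results) }
}

# Constructed sample lines (not a real capture) so the function can be tried offline.
$sample = @'
06/01/2023 10:15:02:345 NetpDoDomainJoin
06/01/2023 10:15:04:120 NetpDoDomainJoin: status: 0x54b
06/01/2023 10:20:10:001 NetpDoDomainJoin: status: 0x0
'@
$tmp = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'NetSetup.sample.log'
Set-Content -Path $tmp -Value $sample

$report = Get-DomainJoinAttempt -LogPath $tmp
if (-not $report.Attempted) {
    # The answer's second branch: no attempt means the instance is not yet an
    # SSM managed instance, so check the agent service before looking further.
    Write-Host 'No NetpDoDomainJoin entries found; verify the SSM agent and managed-instance status.'
    Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue | Format-Table Name, Status
} else {
    $report.Results | Format-Table Status, Succeeded, Message -AutoSize
}
```

Run it without `-LogPath` on the instance itself to read the real C:\Windows\debug\NetSetup.log; a status of 0 on the last attempt means the join itself succeeded.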