Cannot create an AWS AD Connector to On-Premise domain
Hi
I have been trying to create a directory using AWS AD Connector to my on-premise Active Directory domain.
I have been attempting this for the last 3 weeks and have had no joy what's so ever getting the connector to create a directory successfully.
The setup is using a VPC with 2 x subnets (Private only), site-to-site VPN to a Meraki Z3 appliance and an MS Active directory Domain controller/DNS Server configured on the on-premise network.
I have followed all the documentation and troubleshooting guides found on the subject of creating a directory service using ad connector and still I cannot successfully create a directory. I have used the directory port testing tools on an EC2 instance and all TCP and UDP ports succeed in the test but not the Domain name or functional level tests. I re-read the guides and see the following:
Test your AD Connector For AD Connector to connect to your existing directory, the firewall for your existing network must have certain ports open to the CIDRs for both subnets in the VPC. To test if these conditions are met, perform the following steps:
To test the connection Launch a Windows instance in the VPC and connect to it over RDP. The instance must be a member of your existing domain. The remaining steps are performed on this VPC instance.
The line that states: "The instance must be a member of your existing domain." confuses me now as how can the EC2 instance be joined to my domain if the connector service isn't created? The port test script runs on a standalone EC2 instance and port test succeeds as stated earlier, does it need to be domain joined?
I'm consistently getting the error: "DNS unavailable (TCP port 53) for IP: <DNS IP address> AD Connector must be able to communicate with your on-premises DNS servers via TCP and UDP over port 53."
Please can somebody help as I really cannot see where the problem lies and would appreciate some advice and not a link to another guide as this isn't helping?
Many thanks
M
- Newest
- Most votes
- Most comments
Hello.
Can I join a domain if I configure EC2 to point directly to my on-premises AD DC instead of via ADConnecter?
First of all, I think it would be a good idea to check whether you can refer to the on-premises AD DC from the machine on the VPC.
By the way, do you meet all the prerequisites listed in the document below?
For example, have the service account settings been completed correctly?
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_getting_started.html#prereq_connector
Thank you for the reply.
I have ensured all prereq's have been configured to the best of my knowledge as per documentation, with exception of AWS IAM Identity Centre prerequisites and Multi-factor authentication prerequisites as I simply want to use On-Prem AD creds.
I have now also managed to domain join an EC2 instance to my on-prem domain by applying Route 53 inbound endpoint and rules, although when I try to create the directory once again via the AD Connector I still receive the DNS Port 53 error.
I believe I have everything in place but still no joy! any further advice or suggestions are welcomed!
Thanks
Mark
Relevant content
- asked 2 years ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
By the way, is communication reaching the on-premises AD DC from AD Connector? For example, try obtaining a packet capture on AD DC and confirming that communication is being received from AD Connector. If the communication is not reaching AD DC, there is a possibility that the communication is blocked on the way.
I think the following blog will be helpful for setting up AD Connector itself. https://theithollow.com/2018/04/23/aws-directory-service-ad-connector/
By the way, I don't really trust it, but I also found a report where an error occurred because the user's password was not complex enough. https://serverfault.com/questions/843776/aws-ad-connector-to-on-premise-ad-failed