AWS Directory Service AD Connector fails to create to On-Premise ActiveDirectory


I'm currently using a local Hyper-V-hosted Domain Controller on my laptop to act as an on-prem Active Directory DC, with no firewall running on the DC VM and all prerequisite ports for AD Connector opened on the local laptop firewall hosting Hyper-V.

I have a site-to-site VPN connected to a VPC in AWS via a Meraki Z3c teleworker gateway, and I'm trying to set up the AWS AD Connector, which keeps failing to create.

I can ping and RDP to the EC2 instance on a private subnet (in AWS) from the on-premise Domain Controller, and I can ping and RDP to the Domain Controller from the EC2 instance.

I followed the steps to use the DirectoryServicePortTest tool on an EC2 instance in AWS. When running the tests it cannot get a forest functional level or find the domain name, although it passes on all TCP ports, with the exception of 49152, and all UDP ports pass; see below (domain and IP address removed from output):

    C:\DirectoryServicePortTest>DirectoryServicePortTest.exe -d [domain.local] -ip 192.168.100.100 -tcp "53,88,135,139,389,445,464,636,49152" -udp "53,88,123,137,138,389,445,464"
    [domain.local]
    Testing forest functional level.
    The domain [domain.local] could not be found.

    Testing TCP ports to 192.168.100.100:
    Checking TCP port 53: PASSED
    Checking TCP port 88: PASSED
    Checking TCP port 135: PASSED
    Checking TCP port 139: PASSED
    Checking TCP port 389: PASSED
    Checking TCP port 445: PASSED
    Checking TCP port 464: PASSED
    Checking TCP port 636: PASSED
    Checking TCP port 49152: FAILED

    Testing UDP ports to 192.168.100.100:
    Checking UDP port 53: PASSED
    Checking UDP port 88: PASSED
    Checking UDP port 123: PASSED
    Checking UDP port 137: PASSED
    Checking UDP port 138: PASSED
    Checking UDP port 389: PASSED
    Checking UDP port 445: PASSED
    Checking UDP port 464: PASSED

    Press <enter> to continue.

    C:\DirectoryServicePortTest>


Everything suggests the AD Connector should work and create the connection to my on-premise AD, although it fails each time with the following detail:

Connectivity issues detected: DNS unavailable (TCP port 53) for IP: 192.168.100.100. Please ensure that the listed ports are available and retry the operation.

The above error suggests TCP port 53 is not open, but the tests state otherwise. Can anybody please give me some ideas to try, as I'm losing the will to live and cannot think of anything else to try?

All suggestions welcome.

Thanks in advance.

Mark

MarkB
asked a month ago
1 Answer

You should try to review the AD Connector prerequisites as described here: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ad_connector_getting_started.html#prereq_connector

I suggest you enable delegation in ADUC at the forest/domain level; after that, also check whether DNS resolution works correctly (I know it sometimes turns out tricky). You can also try to use Route 53 to create a resolver from and to your VPC.

Regards

answered a month ago
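The port test in the question only confirms that a TCP handshake to port 53 completes; AD Connector also needs the DC's DNS service to actually answer the SRV queries it uses to locate domain controllers. The following PowerShell script is an added example (not from the question, the answer, or AWS) that separates those two checks: it repeats the port reachability test, then performs real DNS lookups against the DC over TCP and over UDP. It assumes the DC address 192.168.100.100 and the placeholder domain name from the question, and should be run from an instance in the same subnets and security group that AD Connector will use, so the network path it exercises matches the one AD Connector sees.

```powershell
# Added example: verify that the on-prem DC both accepts connections and answers
# DNS queries over TCP. Values below are the placeholders used in the question.
$DnsServer = '192.168.100.100'   # on-prem DC acting as DNS server
$Domain    = 'domain.local'      # placeholder domain name from the question

# 1. Port reachability only (what DirectoryServicePortTest checks for TCP).
foreach ($port in 53, 88, 135, 139, 389, 445, 464, 636) {
    $result = Test-NetConnection -ComputerName $DnsServer -Port $port -WarningAction SilentlyContinue
    "TCP {0,-5} {1}" -f $port, $(if ($result.TcpTestSucceeded) { 'reachable' } else { 'NOT reachable' })
}

# 2. The SRV records a client uses to find DCs/KDCs. A DNS server that accepts the
#    TCP connection but does not answer these will still fail a DC locator.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain"
)

function Test-SrvLookup {
    param([string]$Name, [switch]$Tcp)
    $transport = if ($Tcp) { 'TCP' } else { 'UDP' }
    try {
        # -DnsOnly skips hosts file/cache; -TcpOnly forces the query over TCP.
        $params = @{ Name = $Name; Type = 'SRV'; Server = $DnsServer; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Tcp) { $params['TcpOnly'] = $true }
        $answers = Resolve-DnsName @params | Where-Object { $_.Type -eq 'SRV' }
        if (-not $answers) { "[$transport] $Name : no SRV records in answer"; return }
        foreach ($a in $answers) {
            "[$transport] $Name -> {0}:{1} (prio {2})" -f $a.NameTarget, $a.Port, $a.Priority
        }
    } catch {
        "[$transport] $Name : FAILED - $($_.Exception.Message)"
    }
}

# 3. Query each record over UDP and over TCP. If UDP answers but TCP does not,
#    the DNS data is fine and the problem is TCP-specific (server listener or path).
foreach ($name in $srvNames) {
    Test-SrvLookup -Name $name
    Test-SrvLookup -Name $name -Tcp
}
```

A passing SRV answer over TCP shows the DC is resolvable on the path AD Connector uses; a failure here with the port test passing reproduces the mismatch seen in the question and points at the DNS service or TCP path rather than at the security group or firewall rules.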
