Why can't I join my AWS EC2 instance to Active Directory?

3

I'm unable to join an EC2 instance to my Directory Services Simple AD in Amazon Web Services manually, per Amazon's documentation.

  • I have a Security Group attached to my instance which allows HTTP and RDP only from my IP address.
  • I'm entering the FQDN foo.bar.com.
  • I've verified that the Simple AD and the EC2 instance are in the same (public, for the moment) subnet.
  • DNS appears to be working (because tracert to my IP gives my company's domain name).
  • I cannot tracert to the Simple AD's IP address (it doesn't even hit the first hop).
  • I cannot tracert to anything on the Internets (same as above).
  • arp -a shows the IP of the Simple AD, so it appears my instance has received traffic from the Simple AD.

This is the error message I'm receiving:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "aws.bar.com":

The error was: "This operation returned because the timeout period expired." (error code 0x000005B4 ERROR_TIMEOUT)

The query was for the SRV record for _ldap._tcp.dc._msdcs.aws.bar.com

The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:

10.0.1.34

Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.

windows
amazon-web-services
active-directory
asked on Stack Overflow Jun 30, 2015 by Josh Kodroff • edited Jul 13, 2015 by Josh Kodroff

2 Answers

4

The problem is that the Security Group rules, as currently constructed, are blocking the AD traffic. Here are the key concepts:

  1. Security Groups are whitelists, so any traffic that's not explicitly allowed is disallowed.
  2. Security Groups are attached to each EC2 instance. Think of Security Group membership like having a copy of an identical firewall in front of each node in the group. (In contrast, Network ACLs are attached to subnets. With a Network ACL you would not have to specify allowing traffic within the subnet because traffic within the subnet does not cross the Network ACL.)

Add a rule to your Security Group which allows all traffic to flow within the subnet's CIDR block and that will fix the problem.

answered on Stack Overflow Jul 6, 2015 by Josh Kodroff
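As an added illustration of the allow-list behaviour described in this answer (this is not code from the original post), the following model evaluates inbound rules the way a security group does and compares the question's rule set with the fix. The asker's source IP and the subnet CIDR are assumed values; the Simple AD address 10.0.1.34 comes from the error message.

```python
import ipaddress
from dataclasses import dataclass

# A security group is an allow-list: an inbound flow is permitted only if at
# least one rule matches it. This is a simplified model of that evaluation.

@dataclass(frozen=True)
class Rule:
    protocol: str        # "tcp", "udp", or "-1" meaning all protocols (AWS convention)
    from_port: int       # ignored when protocol == "-1"
    to_port: int
    cidr: str            # source CIDR the rule accepts

@dataclass(frozen=True)
class Flow:
    protocol: str
    dst_port: int
    src_ip: str

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.protocol == "-1":
        return True
    return rule.protocol == flow.protocol and rule.from_port <= flow.dst_port <= rule.to_port

def inbound_allowed(rules, flow: Flow) -> bool:
    return any(rule_matches(r, flow) for r in rules)

# Constructed values: the asker's IP and the subnet CIDR are not given on the page.
MY_IP = "203.0.113.10/32"
SUBNET_CIDR = "10.0.1.0/24"      # assumed subnet containing the Simple AD
SIMPLE_AD_IP = "10.0.1.34"       # DNS server address from the error message

# The question's security group: HTTP and RDP from the asker's IP only.
ORIGINAL_RULES = (
    Rule("tcp", 80, 80, MY_IP),
    Rule("tcp", 3389, 3389, MY_IP),
)
# The fix from this answer: allow all traffic originating inside the subnet.
FIXED_RULES = ORIGINAL_RULES + (Rule("-1", 0, 65535, SUBNET_CIDR),)

# Flows from the Simple AD toward the instance (DNS, LDAP, Kerberos, SMB ports).
AD_FLOWS = (
    Flow("udp", 53, SIMPLE_AD_IP),
    Flow("tcp", 389, SIMPLE_AD_IP),
    Flow("tcp", 88, SIMPLE_AD_IP),
    Flow("tcp", 445, SIMPLE_AD_IP),
)

def blocked_flows(rules, flows=AD_FLOWS):
    """Return the directory flows the given rule set would drop."""
    return [f for f in flows if not inbound_allowed(rules, f)]
```

A narrower rule limited to the directory's address and the ports the join actually uses would satisfy the same check with less exposure than a subnet-wide allow-all.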
1

The question marked as the answer is incorrect.

Both of my AWS EC2 instances are in same VPC, same subnet, with same security group.

I have the same issue. Here are my inbound rules on my security group:

[screenshot: inbound rules]

Here is the outbound rules:

[screenshot: outbound rules]

I can also ping between the DC and the other host, bi-directionally, with replies on both sides.

I also have the DC IP address set as the primary and only DNS server on the other EC2 instance.

AWS has some weird sorcery preventing a secondary EC2 instance from joining the EC2 domain controller, unless using their managed AD services which I am NOT using.

The other EC2 instance has the DC IP address set as primary DNS. Combined with the fact that I can ping each host from the other, I should have ZERO problems joining the domain.


User contributions licensed under CC BY-SA 3.0