How can I troubleshoot issues with joining my Storage Gateway file gateway to a domain for Microsoft Active Directory authentication?

Last updated: 2021-09-28

I created a file gateway on AWS Storage Gateway and I want to use Microsoft Active Directory (Microsoft AD) for authentication. However, when I try to join my file gateway with the Microsoft AD domain, I get one of these error messages:

  • "The specified request timed out"
  • "The gateway cannot connect to the specified domain"
  • "Invalid domain name/DNS name cannot be resolved"

How can I troubleshoot these errors so that I can join my gateway to the domain?


To troubleshoot the errors, try the following checks or configurations:

1.    Confirm that the gateway can reach the domain controller by running a ping test. You must run the ping test from a system with the same network configuration as the file gateway to the domain controller IP address:

Note: Replace DomainControllerIP with the IP address of the domain controller.

ping DomainControllerIP

2.    Verify that you have opened the required ports within your firewall. Confirm this by running the telnet command from a server that's in the same subnet as the file gateway to the domain controller IP address on port 389 (TCP LDAP) or port 636 (TCP LDAPS):

Note: Replace DomainControllerIP with the IP address of the domain controller.

telnet DomainControllerIP 389
telnet DomainControllerIP 636

3.    If the file gateway is running on an Amazon Elastic Compute Cloud (Amazon EC2) instance, then you must create a DHCP options set and then attach the set to the Amazon Virtual Private Cloud (VPC) that the instance is in. This enables your file gateway to find the domain that you want to join. After you create and attach the DHCP option set to the VPC, it's a best practice to stop and start the instance that the file gateway is running on.

Changing the DHCP option set isn't feasible if you're joining the file gateway instance to an on-premises domain controller and the file gateway instance is one of many instances that are using AmazonProvidedDNS. For this use case, you can either:

Note: For each outbound endpoint, you must have either an AWS Direct Connect connection to your network or a VPN connection.

4.    Confirm that the domain can be resolved by the file gateway. If the domain isn't resolvable by the gateway appliance, then you won't be able to join the domain. For a file gateway deployed on an EC2 Linux instance, you can test this by connecting to any other instance in the same VPC as the gateway VM. Then, query the DNS by running the nslookup command. For an on-premises gateway, run the nslookup command from a system with the same network configuration as the file gateway.

If the domain isn't resolving, then add the necessary record to the DNS.

5.    Verify that the domain controller isn't set to read-only, and that the domain controller has enough roles for computers to join. To check this, try joining other servers in the same VPC subnet as the gateway VM to the domain.

6.    It's a best practice to join the file gateway to a domain controller that is geographically closer to the gateway. If the gateway appliance can't reach or query the domain controller within 20 seconds, then the process can time out. For example, the domain-join process might time out if the gateway appliance is in the US East (N. Virginia) Region and the domain controller is in the Asia Pacific (Singapore) Region.

Note: To increase the default timeout value of 20 seconds, you can run the join-domain command on the AWS Command Line Interface (AWS CLI) and include the --timeout-in-seconds option to increase the time. Or, you can use the JoinDomain API call and include the TimeoutInSeconds parameter to increase the time. The maximum timeout value is 3,600 seconds.

If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

7.    Check if the organizational unit (OU) of the Microsoft AD has any Group Policy Objects that create a new computer object in a location other than the default OU. For this use case, there must be a new computer object in the OU before you join the domain to the file gateway. Some environments are customized to have different OUs for newly created objects. To be sure that a computer object (for the gateway VM) under a certain OU joins the domain, try creating the computer object on your domain controller before joining the file gateway to the domain. Or, you can run the join-domain command using the AWS CLI and specify the option for --organizational-unit.

Note: The process of creating the computer object is called pre-staging.

8.    If you still can't join the gateway to the domain after trying the previous checks and configurations, then check if there are any related event logs. Check for any errors in the event viewer of the domain controller. Verify if the gateway query reached the domain controller.

Did this article help?

Do you need billing or technical support?