How can I troubleshoot a WorkSpace that fails to join a domain?
Last updated: 2022-09-07
When I create a WorkSpace with Amazon WorkSpaces, I receive an error message similar to the following:
"There was an issue joining the WorkSpace to your domain. Verify that your service account is allowed to complete domain join operations. If you continue to see an issue, contact AWS Support."
How can I fix this issue?
WorkSpaces are Active Directory domain members, so every WorkSpace must be able to reach your domain controllers. If you're using AWS AD Connector, the service account must also have the permissions needed to join computers to the domain. Use the following troubleshooting steps to resolve domain join issues.
Communicate with the domain controllers
To join a domain and authenticate users, WorkSpaces reaches out to the domain controllers by using an elastic network interface in your virtual private cloud (VPC). Verify the following configuration settings:
- Make sure that no VPC resource blocks traffic between the WorkSpace and Active Directory: check the security groups, network access control lists (network ACLs), and route tables. Also verify that the WorkSpace can reach your on-premises or self-managed domain controllers on the following ports:
TCP/UDP 53: DNS
TCP/UDP 88: Kerberos authentication
UDP 123: NTP
TCP 135: RPC
TCP/UDP 389: LDAP
TCP/UDP 445: SMB
TCP/UDP 464: Kerberos authentication
TCP 636: LDAP over TLS/SSL (LDAPS)
TCP 3268–3269: Global Catalog
TCP/UDP 49152–65535: Ephemeral ports for RPC
See Configure your VPC subnets and security groups for more information.
- Test TCP/UDP access to the domain controllers by launching an Amazon Elastic Compute Cloud (Amazon EC2) instance in each WorkSpaces subnet and running a port-test tool from it, for example DirectoryServicePortTest.
See Test your AD Connector for more information.
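The following PowerShell script is an added example, not part of the AWS article or the DirectoryServicePortTest tool. It is meant to run on a Windows EC2 instance launched in a WorkSpaces subnet, with the Active Directory DNS servers configured on the instance. It discovers the domain controllers through the `_ldap._tcp.dc._msdcs` SRV record (which exercises DNS on port 53), then performs a real TCP handshake against each port from the list above and an NTP exchange over UDP 123. The domain name and DNS server addresses are placeholders that you must replace.

```powershell
# Added example (not from the AWS article). Run on a Windows EC2 instance in each WorkSpaces subnet.
# The domain and DNS server addresses below are assumptions; replace them with your own.
param(
    [string]$Domain        = 'corp.example.com',            # assumption: your AD domain
    [string[]]$DnsServers  = @('10.0.0.10', '10.0.1.10')    # assumption: DC or AD Connector DNS addresses
)

# TCP ports from the article's list that a WorkSpace must reach on every domain controller.
$TcpPorts = @(53, 88, 135, 389, 445, 464, 636, 3268, 3269)

# 1. DNS (UDP/TCP 53): resolve the SRV record that locates domain controllers.
#    A failure here means the subnet cannot reach AD-integrated DNS at all.
$dcs = foreach ($dns in $DnsServers) {
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget
    } catch {
        Write-Warning "SRV lookup for $Domain via $dns failed: $($_.Exception.Message)"
    }
}
$dcs = $dcs | Sort-Object -Unique
if (-not $dcs) { throw "No domain controllers discovered through DNS; fix DNS (port 53) and routing first." }

# 2. TCP ports: Test-NetConnection completes a TCP handshake, so a blocking security group,
#    network ACL or missing route shows up as TcpTestSucceeded = False.
$results = foreach ($dc in $dcs) {
    foreach ($port in $TcpPorts) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DomainController = $dc; Port = $port; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

# 3. UDP 123 (NTP): Kerberos rejects tickets when clock skew is too large, so time sync matters.
#    w32tm /stripchart exchanges one NTP packet with each DC over UDP 123.
foreach ($dc in $dcs) {
    w32tm /stripchart /computer:$dc /samples:1 /dataonly
}

# UDP 88/389/464 and the RPC ephemeral range (TCP/UDP 49152-65535) cannot be confirmed with a
# plain connect test. Review the security-group and network ACL rules explicitly for those
# UDP ports and for the ephemeral range; the domain join itself uses RPC over the ephemeral ports.

$closed = $results | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning "Blocked ports found; review security groups, network ACLs and route tables:"
    $closed | Format-Table -AutoSize
}
```

Run the script once per WorkSpaces subnet: a port that is open from one subnet and closed from another usually points at a network ACL or route table that differs between the subnets rather than at the domain controller.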
Service account permissions (AD Connector only)
Valid domain credentials are required to join a computer to a domain. If your organization uses AD Connector, then it's a best practice to use a dedicated service account to communicate with your Active Directory. Follow these steps to check the service account and its permissions:
- Validate your service account.
Confirm that the service account is enabled and not locked out.
Verify that the account password isn't expired.
Verify that the service account, like other domain members, can log in to the domain with its credentials.
- Delegate organizational unit (OU) management to work around the domain join limit for the user account that you use as the service account. By default, a standard user account can join only 10 computers to the domain (the ms-DS-MachineAccountQuota attribute); an account with delegated rights on the OU isn't subject to that limit.
Create a user group for delegating privileges.
Add the service account to the user group as a member.
Delegate control of the OU that holds the WorkSpaces computer objects to the user group. By default, new computer objects are placed in the "Computers" container.
See Delegate privileges to your service account and Default limit to number of workstations a user can join to the domain for more information.
- Confirm that the custom OU configured in your directory or connected directory settings exists and that its distinguished name is correct.
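The following PowerShell script is an added example, not part of the AWS article; it carries out the service account checks and the OU delegation described above on a domain-joined Windows host that has the RSAT ActiveDirectory module installed. The account name, OU distinguished name and group name are assumptions that you must replace with your own. It checks the account's state, shows how many computers the account has already joined against the domain's ms-DS-MachineAccountQuota, delegates the computer-object rights on the OU to a group with dsacls, and verifies that the configured OU exists.

```powershell
# Added example (not from the AWS article). Run on a domain-joined host with RSAT's ActiveDirectory module.
# Names below are assumptions; replace them with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-adconnector'                          # assumption: AD Connector service account
$OuDn           = 'OU=WorkSpaces,DC=corp,DC=example,DC=com'  # assumption: OU configured for WorkSpaces computers
$GroupName      = 'WorkSpaces-DomainJoin'                    # assumption: group that receives delegated rights

# 1. Validate the service account: enabled, not locked out, password not expired.
$acct = Get-ADUser -Identity $ServiceAccount -Properties Enabled, LockedOut, PasswordExpired, PasswordLastSet
$acct | Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired, PasswordLastSet | Format-List
if (-not $acct.Enabled -or $acct.LockedOut -or $acct.PasswordExpired) {
    Write-Warning "Service account $ServiceAccount cannot authenticate; fix this before anything else."
}

# 2. ms-DS-MachineAccountQuota (default 10) limits how many computers a user without delegated
#    rights can join. Count the computer objects this account created (mS-DS-CreatorSID is set
#    only on computers joined under the quota, not on those joined with delegated rights).
$domain  = Get-ADDomain
$quota   = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID' |
    Where-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $sid.Value -eq $acct.SID.Value
    }
"ms-DS-MachineAccountQuota: $quota; computers joined under the quota by $ServiceAccount`: $(@($created).Count)"

# 3. Delegate the OU to a group instead of relying on the quota, then add the service account.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn
}
Add-ADGroupMember -Identity $GroupName -Members $ServiceAccount

# dsacls grants on the OU: create and delete computer objects (CC/DC), and on child computer
# objects: reset password, write account restrictions, validated writes to DNS host name and SPN.
$grp = "$($domain.NetBIOSName)\$GroupName"
dsacls $OuDn /I:T /G "${grp}:CCDC;computer"
dsacls $OuDn /I:S /G "${grp}:CA;Reset Password;computer"
dsacls $OuDn /I:S /G "${grp}:RPWP;Account Restrictions;computer"
dsacls $OuDn /I:S /G "${grp}:WS;Validated write to DNS host name;computer"
dsacls $OuDn /I:S /G "${grp}:WS;Validated write to service principal name;computer"

# 4. The OU in the WorkSpaces directory configuration must exist exactly as written; a typo in the
#    distinguished name produces the same "issue joining the WorkSpace to your domain" error.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuDn'")) {
    Write-Warning "OU $OuDn does not exist; the directory's OU setting must match an existing OU."
}
```

Run the script with an account that can modify the OU's security descriptor. The delegated rights are deliberately limited to computer objects in that one OU, so the service account gains no rights over user objects or other containers, which is the least-privilege shape you want for a credential that AD Connector stores.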