Why am I getting a domain join error when I create a WorkSpace?

Last updated: 2020-10-28

When I create a WorkSpace with Amazon WorkSpaces, I receive an error message similar to the following:

"There was an issue joining the WorkSpace to your domain. Verify that your service account is allowed to complete domain join operations. If you continue to see an issue, contact AWS Support."

How can I fix this issue?


Try the following troubleshooting steps to resolve this error:

  • Verify that the following ports are open on your directory controllers for the Amazon WorkSpaces VPC CIDR:
    TCP/UDP 53: DNS
    TCP/UDP 88: Kerberos authentication
    UDP 123: NTP
    TCP 135: RPC
    UDP 137-138: Netlogon
    TCP 139: Netlogon
    TCP/UDP 389: LDAP
    TCP/UDP 445: SMB
    TCP 1024-65535: Dynamic ports for RPC
  • Confirm that the outbound rules in the WorkSpace’s security groups and network access control lists (ACL) are open to the Directory Network CIDR.
  • If you are using an AD Connector account, confirm that the service account user has the following privileges:
    Read users and groups
    Create computer objects
    Join computers to the domain
  • This error can occur if a user tries to add more than 10 workstations to the default Computers container. Active Directory allows members of the Authenticated Users group to join up to 10 computer accounts. To confirm if this is the root cause, try to add any machine to the domain with the AD Connector user credentials. To fix this issue, you can delegate privileges to your AD Connector service account.
  • Confirm that the custom configured organizational unit (OU) from your directory or connected directory configuration is valid. Then, verify that the AD Connector service account has permission to create computer objects in that OU.
  • If you use an AD Connector, verify that the AD Connector service account is unlocked and updated with the latest credentials.
  • If you use an AD Connector, confirm that the DNS servers configured in the AD Connector are reachable, and that they have valid SRV records. To validate both of these requirements, join an Amazon Elastic Compute Cloud (Amazon EC2) instance from the AD Connector VPC to your on-premises Active Directory. Use the same DNS and user configuration as the AD Connector.

Did this article help?

Do you need billing or technical support?