How can I troubleshoot issues with joining my Storage Gateway file gateway to a domain for Microsoft Active Directory authentication?
Last updated: 2022-08-01
I created a file gateway on AWS Storage Gateway and I want to use Microsoft Active Directory (Microsoft AD) for authentication. However, when I try to join my file gateway with the Microsoft AD domain, I get one of these error messages:
How can I troubleshoot these errors so that I can join my gateway to the domain?
To troubleshoot the errors, try the following checks or configurations:
1. Confirm that the gateway can reach the domain controller by running a nping test. To run a nping test, connect to AWS Storage Gateway console using ssh for Amazon Elastic Compute Cloud (Amazon EC2) and the console for VMware, Hyper-V, or KVM. Select the option Command Prompt, and then type h to list all the available commands from the console. To test the connectivity between the Storage Gateway virtual machine and the domain, run the following command:
nping -d <corp.domain.com> -p <389> -c 1 -t tcp
The following is an example of a successful nping test where the gateway was able to reach the domain controller:
nping -d corp.domain.com -p 389 -c 1 -t tcp Starting Nping 0.6.40 ( http://nmap.org/nping ) at 2022-06-30 16:24 UTC SENT (0.0553s) TCP 10.10.10.21:9783 > 10.10.10.10:389 S ttl=64 id=730 iplen=40 seq=2597195024 win=1480 RCVD (0.0556s) TCP 10.10.10.10:389 > 10.10.10.21:9783 SA ttl=128 id=22332 iplen=44 seq=4170716243 win=8192 <mss 8961> Max rtt: 0.310ms | Min rtt: 0.310ms | Avg rtt: 0.310ms Raw packets sent: 1 (40B) | Rcvd: 1 (44B) | Lost: 0 (0.00%) Nping done: 1 IP address pinged in 1.09 seconds<br>
If there is no connectivity, the response of the nping command will look similar to the output below. The command below doesn't have a response for the destination 'corp.domain.com':
nping -d <corp.domain.com> -p <389> -c 1 -t tcp Starting Nping 0.6.40 ( http://nmap.org/nping ) at 2022-06-30 16:26 UTC SENT (0.0421s) TCP 10.10.10.21:47196 > 10.10.10.10:389 S ttl=64 id=30318 iplen=40 seq=1762671338 win=1480 Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A Raw packets sent: 1 (40B) | Rcvd: 0 (0B) | Lost: 1 (100.00%) Nping done: 1 IP address pinged in 1.07 seconds
2. If the file gateway is running on an Amazon EC2 instance, then you must create a DHCP options set and then attach the set (if it's not already set) to the Amazon Virtual Private Cloud (VPC) that the instance is in.
3. Confirm that the domain can be resolved by the file gateway. If the domain isn't resolvable by the gateway appliance, then you can't join the domain. To confirm that the Gateway is resolving the DNS of the domain, run the following command:
dig -d <corp.domain.com> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> corp.domain.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24817 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4000 ;; QUESTION SECTION: ;corp.domain.com. IN A ;; ANSWER SECTION: corp.domain.com. 600 IN A 10.10.10.10 corp.domain.com. 600 IN A 10.10.20.10 ;; Query time: 0 msec ;; SERVER: 10.10.20.228#53(10.10.20.228) ;; WHEN: Thu Jun 30 16:36:32 UTC 2022 ;; MSG SIZE rcvd: 78
4. Verify that the domain controller isn't set to read-only, and that the domain controller has enough roles for computers to join. To check this, try joining other servers in the same VPC subnet as the gateway VM to the domain.
5. It's a best practice to join the file gateway to a domain controller that is geographically closer to the gateway. If the gateway appliance can't reach or query the domain controller within 20 seconds, then the process can time out. For example, the domain-join process might time out if the gateway appliance is in the US East (N. Virginia) Region and the domain controller is in the Asia Pacific (Singapore) Region.
Note: To increase the default timeout value of 20 seconds, you can run the join-domain command on the AWS Command Line Interface (AWS CLI) and include the --timeout-in-seconds option to increase the time. You can also use the JoinDomain API call and include the TimeoutInSeconds parameter to increase the time. The maximum timeout value is 3,600 seconds.
If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
6. Check whether the organizational unit (OU) of the Microsoft AD has any Group Policy Objects that create a new computer object in a location other than the default OU. For this use case, there must be a new computer object in the OU before you join the domain to the file gateway. Some environments are customized to have different OUs for newly created objects. To be sure that a computer object (for the gateway VM) under a certain OU joins the domain, try creating the computer object on your domain controller before joining the file gateway to the domain. Or, you can run the join-domain command using the AWS CLI. Then, specify the option for --organizational-unit.
Note: The process of creating the computer object is called pre-staging.
7. If you still can't join the gateway to the domain after trying the previous checks and configurations, check if there are any related event logs. Check for any errors in the event viewer of the domain controller. Verify if the gateway query reached the domain controller.