AWS VPC Peering: Troubleshooting AD Domain Join

Troubleshooting AD Domain Join


Question

A Windows machine in one VPC needs to join the AD domain in another VPC.

VPC Peering has been established.

But the domain join is not working.

What is the other step that needs to be followed to ensure that the AD domain join can work as intended?

Answers

Explanations


Answer - C.

In addition to VPC peering and setting the right route tables, the security group attached to the AD EC2 instance must have rules in place that allow the incoming traffic.

Options A and B are invalid because changing the connection type will not help.

This is a problem with the Security Groups.

Option D is invalid since the AD should not be placed in a public subnet.

For more information on allowing ingress traffic for AD, please visit the following URL.

https://docs.aws.amazon.com/quickstart/latest/active-directory-ds/ingress.html

The correct answer to this question is C. Ensure the security groups for the AD-hosted instance have the right rules for the relevant instances.

Explanation: When a Windows machine needs to join an Active Directory (AD) domain, it needs to be able to communicate with the domain controllers that are hosting the AD. In this scenario, the domain controllers are located in a different VPC than the Windows machine that needs to join the domain.

The VPC peering connection has been established between the two VPCs, which allows communication between the instances in the two VPCs. However, the domain join is not working, which means that something is still restricting the communication between the Windows machine and the AD domain controllers.

To ensure that the AD domain join can work as intended, we need to ensure that the security groups for the AD-hosted instance have the right rules for the relevant instances. Security groups act as virtual firewalls that control the inbound and outbound traffic for instances in a VPC.

In this scenario, we need to ensure that the security group for the AD domain controllers allows inbound traffic from the Windows machine that needs to join the domain. Specifically, we need to allow inbound traffic on the following ports:

  • TCP port 88 (Kerberos authentication)
  • TCP and UDP port 389 (LDAP)
  • TCP and UDP port 445 (Microsoft-DS SMB)

Once we have ensured that the security group rules are set up correctly, the Windows machine should be able to communicate with the AD domain controllers and join the domain successfully.
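As an added example (not part of the original question or AWS's own tooling), the following Python check audits a domain controller's security group for the ports listed above. The rule dictionaries follow the shape of the `IpPermissions` list that boto3's `ec2.describe_security_groups()` returns, but every CIDR, group ID and rule here is constructed for the example and nothing contacts AWS. It reports which required port/protocol pairs have no ingress rule that admits the joining machine, whether the rule is expressed as a CIDR of the peered VPC or as a reference to the client's own security group.

```python
"""
Audit the ingress rules of an AD domain controller's security group for the
ports a Windows domain join needs.  Rule dictionaries follow the shape of the
"IpPermissions" list returned by boto3's ec2.describe_security_groups(), but
all data below is constructed for this example and nothing contacts AWS.
"""
from ipaddress import ip_network

# Ports the explanation lists for the domain join (protocol, port, label).
REQUIRED = [
    ("tcp", 88, "Kerberos"),
    ("tcp", 389, "LDAP"),
    ("udp", 389, "LDAP"),
    ("tcp", 445, "SMB"),
    ("udp", 445, "SMB"),
]


def _port_covers(rule, proto, port):
    """True if the rule admits this protocol/port (IpProtocol "-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != proto:
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def _source_covers(rule, client_cidr, client_sg_id):
    """True if the rule's sources include the joining machine, by CIDR or by security group."""
    client = ip_network(client_cidr)
    for rng in rule.get("IpRanges", []):
        if client.subnet_of(ip_network(rng["CidrIp"])):
            return True
    for pair in rule.get("UserIdGroupPairs", []):
        if client_sg_id is not None and pair.get("GroupId") == client_sg_id:
            return True
    return False


def missing_rules(sg, client_cidr, client_sg_id=None):
    """Return the REQUIRED entries that no ingress rule admits from the joining machine."""
    return [
        (proto, port, label)
        for proto, port, label in REQUIRED
        if not any(
            _port_covers(r, proto, port) and _source_covers(r, client_cidr, client_sg_id)
            for r in sg["IpPermissions"]
        )
    ]


# Constructed sample data: the peered VPC is 10.1.0.0/16 and the joining
# machine's own security group is sg-0client (placeholder IDs, not real ones).
PEER_CIDR = "10.1.0.0/16"
CLIENT_SG = "sg-0client"

# Security group as found when the join fails: LDAP and SMB over TCP only.
INCOMPLETE_SG = {
    "GroupId": "sg-0adcontrollers",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": PEER_CIDR}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": CLIENT_SG}]},
    ],
}

# The same group after adding the rules the explanation calls for.
FIXED_SG = {
    "GroupId": "sg-0adcontrollers",
    "IpPermissions": INCOMPLETE_SG["IpPermissions"] + [
        {"IpProtocol": "tcp", "FromPort": 88, "ToPort": 88,
         "IpRanges": [{"CidrIp": PEER_CIDR}], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": PEER_CIDR}], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": CLIENT_SG}]},
    ],
}

if __name__ == "__main__":
    # The joining machine sits at 10.1.2.10 inside the peered VPC (constructed).
    for name, sg in (("before", INCOMPLETE_SG), ("after", FIXED_SG)):
        gaps = missing_rules(sg, "10.1.2.10/32", CLIENT_SG)
        print(name, "missing:", gaps or "none")
```

Referencing the client's security group rather than a CIDR (as the SMB rules do here) is the tighter choice when both VPCs are in the same region and the peering connection supports it, because the rule then follows the instance rather than the address range. A rule with `IpProtocol` of `-1` is treated as covering every port, which is why an all-traffic rule from the peer CIDR also passes the check; whether such a broad rule is acceptable on a domain controller is a separate question from whether the join will work.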

Option A (Change the VPC peering connection to a VPN connection) and Option B (Change the VPC peering connection to a Direct Connect connection) are incorrect because the VPC peering connection is already established and already allows communication between the two VPCs. Changing the type of connection would not help resolve the issue.

Option D (Ensure that the AD is placed in a public subnet) is incorrect because placing the AD in a public subnet is not a good practice from a security perspective. It would expose the AD to the public internet and increase the risk of unauthorized access or attack.