Why can't I connect to an AWS EC2 instance in Active Directory?
I am unable to join the EC2 instance to my Simple AD directory in Amazon Web Services manually, per the Amazon documentation.
- I have a security group attached to my instance that only allows HTTP and RDP from my IP address.
- I enter the FQDN foo.bar.com.
- I have verified that Simple AD and the EC2 instance are on the same (public, at the moment) subnet.
- DNS seems to work (because tracert gives my company domain name for my IP address).
- I can't tracert to a Simple AD IP (it didn't even hit the first hop).
- I can't tracert anything on the internet (same as above).
- arp -a shows the IP of Simple AD, so it shows that my instance has received traffic from Simple AD.
This is the error message I am getting:
The following error occurred when querying the DNS for the location (SRV) service used to look up the Active Directory Domain Controller (AD DC) for the "aws.bar.com" domain:
Error: "This operation was returned because the timeout period is expired." (error code 0x000005B4 ERROR_TIMEOUT)
The request was for an SRV record for _ldap._tcp.dc._msdcs.aws.bar.com
The DNS servers that this computer uses for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.0.1.34
Make sure this computer is connected to the network, the correct IP addresses of the DNS server and at least one of the DNS servers.
The problem is that the security group rules that are currently built are blocking AD traffic. Here are the key concepts:
- Security groups are whitelisted, so any traffic that is not explicitly allowed is denied.
- Security groups are attached to every EC2 instance. Think of membership in a security group as having a copy of the same firewall on every node in the group. (In contrast, network ACLs are attached to subnets. When using a network ACL, you do not need to specify permissive rules for traffic within the subnet, because traffic that stays inside the subnet does not traverse the network ACL.)
Add a rule to your security group that allows all traffic from within the subnet CIDR block, and this will fix the problem.
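As an added illustration (not code from the original post or from AWS), the check below takes a security group's inbound rules in the shape the AWS CLI and boto3 return and reports which directory ports are not reachable from the Simple AD address. It assumes the asker's subnet is 10.0.1.0/24, takes 10.0.1.34 (the DNS server in the error message) as the directory address, and, going beyond the answer, also evaluates a tighter rule set that opens only the directory ports instead of all traffic from the subnet.

```python
import ipaddress

# Directory ports a Windows domain join needs to reach (TCP and UDP 53 carry the
# SRV lookup that timed out in the error message above).
REQUIRED = [("udp", 53), ("tcp", 53), ("tcp", 88), ("udp", 88),
            ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 464), ("udp", 464)]

def _rule_covers(rule, proto, port, peer_ip):
    """True if one IpPermissions entry (CLI/boto3 shape) allows proto/port from peer_ip."""
    rule_proto = rule.get("IpProtocol")
    if rule_proto not in ("-1", proto):          # "-1" means all protocols
        return False
    if rule_proto != "-1":                       # all-traffic rules carry no port range
        if not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))

def missing_rules(ingress, peer_ip, required=REQUIRED):
    """Return the (proto, port) pairs from peer_ip that no inbound rule allows."""
    return [(p, port) for p, port in required
            if not any(_rule_covers(r, p, port, peer_ip) for r in ingress)]

# Constructed sample: the asker's group, HTTP and RDP from one public IP only.
ASKER_SG = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]
# The answer's fix: all traffic from the subnet CIDR (assumed to be 10.0.1.0/24).
FIXED_SG = ASKER_SG + [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]
# Tighter alternative: only the directory ports, only from the directory address.
TIGHT_SG = ASKER_SG + [
    {"IpProtocol": p, "FromPort": port, "ToPort": port, "IpRanges": [{"CidrIp": "10.0.1.34/32"}]}
    for p, port in REQUIRED]

DC_IP = "10.0.1.34"  # DNS server address taken from the error message

if __name__ == "__main__":
    for name, sg in (("asker", ASKER_SG), ("fixed", FIXED_SG), ("tight", TIGHT_SG)):
        print(name, "missing:", missing_rules(sg, DC_IP))
```

Feed the script the `IpPermissions` array from `aws ec2 describe-security-groups` for the instance's group to run the same check against a real group.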