Troubleshooting self-managed Active Directory - Amazon Relational Database Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshooting self-managed Active Directory

The following are issues you might encounter when you set up or modify self-managed AD.

Error Code Description Common causes Troubleshooting suggestions

Error 2 / 0x2

The system cannot find the file specified.

The format or location for the Organizational Unit (OU) specified with the —domain-ou parameter is invalid. The domain service account specified via Amazon Secrets Manager lack the permissions required to join the OU.

Review the —domain-ou parameter. Ensure the domain service account has the correct permissions to the OU. For more information, see Configure your AD domain service account.

Error 5 / 0x5

Access is denied.

Misconfigured permissions for the domain service account, or the computer account already exists in the domain.

Review the domain service account permissions in the domain, and verify that the RDS computer account is not duplicated in the domain. You can verify the name of the RDS computer account by running SELECT @@SERVERNAME on your RDS for SQL Server DB instance. If you are using Multi-AZ, try rebooting with failover and then verify that the RDS computer account again. For more information, see Rebooting a DB instance.

Error 87 / 0x57

The parameter is incorrect.

The domain service account specified via Amazon Secrets Manager doesn't have the correct permissions. The user profile may also be corrupted.

Review the requirements for the domain service account. For more information, see Configure your AD domain service account.

Error 234 / 0xEA

Specified Organizational Unit (OU) does not exist.

The OU specified with the —domain-ou parameter doesn't exist in your self-managed AD.

Review the —domain-ou parameter and ensure the specified OU exists in your self-managed AD.

Error 1326 / 0x52E

The user name or password is incorrect.

The domain service account credentials provided in Amazon Secrets Manager contains an unknown username or bad password. The domain account may also be disabled in your self-managed AD.

Ensure the credentials provided in Amazon Secrets Manager are correct and the domain account is enabled in your self-managed AD.

Error 1355 / 0x54B

The specified domain either does not exist or could not be contacted.

The domain is down, the specified set of DNS IPs are unreachable, or the specified FQDN is unreachable.

Review the —domain-dns-ips and —domain-fqdn parameters to ensure they're correct. Review the networking configuration of your RDS for SQL Server DB instance and ensure your self-managed AD is reachable. For more information, see Configure your network connectivity.

Error 1722 / 0x6BA

The RPC server is unavailable.

There was an issue reaching the RPC service of your AD domain. This might be a service or network issue.

Validate that the RPC service is running on your domain controllers and that the TCP ports 135 and 49152-65535 are reachable on your domain from your RDS for SQL Server DB instance.

Error 1727 / 0x6BF

The remote procedure call failed and did not execute.

Network connectivity issue or firewall restriction blocking RPC communication to the domain controller.

If using Cross VPC domain join, validate Cross VPC communication is setup correctly with either VPC peering or Transit Gateway. Ensure TCP high ports 49152-65535 are reachable on your domain from your RDS for SQL Server DB instance, including any possible firewall restrictions.

Error 2224 / 0x8B0

The user account already exists.

The computer account that's attempting to be added to your self-managed AD already exists.

Identify the computer account by running SELECT @@SERVERNAME on your RDS for SQL Server DB instance and then carefully remove it from your self-managed AD.

Error 2242 / 0x8c2

The password of this user has expired.

The password for the domain service account specified via Amazon Secrets Manager has expired.

Update the password for the domain service account used to join your RDS for SQL Server DB instance to your self-managed AD.

After joining your DB instance to a self-managed Active Directory domain, you might receive RDS events related to your domain health.

Unhealthy domain state detected while attempt to verify or 
configure your Kerberos endpoint in your domain on 
node node_n. message

For Multi-AZ instances, you might notice the error reporting for both node1 and node2, which indicates your instance's Kerberos configuration is not ready for failover. In the event of a failover, you might experience authentication difficulties using Kerberos. Resolve the configuration issues to ensure Kerberos setup is valid and up to date. For Multi-AZ instances, no actions are required to use Kerberos authentication on the new primary host given all network and permission configurations are in place.

For Single-AZ instances, node1 is the primary node. If your Kerberos authentication is not working as expected, check the instance events and resolve the configuration issues to ensure Kerberos setup is valid and up to date.