Assessment Test error messages
The following table describes error messages that can occur during assessment tests. These errors indicate blocking issues that must be resolved before proceeding with hybrid directory setup.
| Test name | Short name | Error code | Error message | Description | Resolution |
|---|---|---|---|---|---|
| Active Directory Services Test | | | | Occurs if required AD services are not running in your self-managed AD. | Specific required AD services must be running in your self-managed AD. For more information, see Required Active Directory services. |
| Active Directory Services Test | | | | | Ensure your self-managed AD domain controllers are operational and can be reached. Verify network connectivity and DNS resolution for your self-managed AD domain controllers. |
| AD Password Policy Test | | | | Occurs if your self-managed AD password policy does not satisfy Amazon Managed Microsoft AD requirements. | Your self-managed AD password policy must satisfy the Amazon Managed Microsoft AD password requirements. For more information, see Understanding Amazon Managed Microsoft AD password policies. |
| Amazon Admin User Exist Test | | | | Occurs if the hybrid directory administrator user does not exist in the Amazon Reserved OU on your self-managed AD. | Ensure the hybrid directory administrator user exists in the Amazon Reserved OU on your self-managed AD. If the user is missing, verify the account was created correctly during the hybrid directory setup process. For more information, see Updating a hybrid directory. If your hybrid directory state is inoperable, contact Amazon Web Services Support. |
| Amazon Admin User SPN Test | | | | Occurs if the hybrid directory administrator user has any SPNs configured on your self-managed AD. | Remove all Service Principal Names (SPNs) from the Amazon hybrid directory administrator user account. The hybrid directory administrator user must not have any SPNs configured because they can interfere with hybrid directory authentication. |
| Amazon Domain Controller Not FSMO Owner Test | | | | Occurs if you have transferred FSMO roles (PDC Emulator, RID Master, or Infrastructure Master) from your self-managed AD to the hybrid directory domain controller. | Transfer all FSMO roles (PDC Emulator, RID Master, Infrastructure Master) back to your self-managed AD domain controllers before proceeding. For more information, see Microsoft documentation on transferring FSMO roles. |
| Amazon Reserved Group Membership Test | | | | Occurs if the Amazon Reserved OU on your self-managed AD doesn't exist. | The Amazon Reserved OU must exist on your self-managed AD in order to validate group membership. Contact Amazon Web Services Support. |
| Amazon Reserved Group Membership Test | | | | Occurs if groups in the Amazon Reserved OU on your self-managed AD contain unauthorized users. | Remove any unauthorized users from Amazon Reserved OU groups on your self-managed AD. |
| Amazon Reserved OU ACLs Test | | | | Occurs if the Amazon Reserved OU ACLs on your self-managed AD do not enforce read-only permissions for non-Amazon entities and do not prevent unauthorized access to Amazon-managed resources. | Review and correct the permissions on the Amazon Reserved OU ACLs on your self-managed AD. Ensure that non-Amazon entities have only read permissions. |
| Amazon Reserved OU GPO Associations Test | | | | Occurs if the Amazon Reserved OU and Domain Controllers OU on your self-managed AD are linked to unauthorized GPOs. | Only Amazon-managed Group Policy Objects (GPOs) can be linked to these OUs. Remove any unauthorized GPOs linked to the Amazon Reserved OU and Domain Controllers OU on your self-managed AD. |
| Amazon Reserved OU Resources Test | | | | Occurs if the Amazon Reserved OU, which is required for Amazon Managed Microsoft AD directory functionality, does not exist in your self-managed AD. | The Amazon Reserved OU is created automatically during hybrid directory setup and should not be deleted. If this error persists, contact Amazon Web Services Support. |
| Amazon Reserved OU Resources Test | | | | Occurs if the Amazon Reserved OU created on your self-managed AD does not contain the required objects and GPOs for proper hybrid directory operation. | Ensure no one edits the Amazon Reserved OU. It must contain the required Amazon-managed resources. Remove any unauthorized objects or GPOs, and contact Amazon Web Services Support. |
| Amazon Reserved OU Test | | | | Occurs if Amazon Reserved resources from a previous hybrid directory setup still exist on your self-managed AD. | Delete the existing failed hybrid directory from the console. Then delete any Amazon Reserved OU and related GPOs from your self-managed AD before proceeding. |
| Bridgehead Naming Context Test | | | | Occurs if self-managed AD replication between sites through a bridgehead server is not working as expected. It can also occur if the naming contexts are not synchronized between sites. | Your self-managed AD bridgehead site replication must be successful. You can diagnose further with: |
| Child Domain Test | | | | Occurs if your self-managed AD forest contains child domains, which are not supported with Amazon Managed Microsoft AD directories. | Amazon Managed Microsoft AD directories do not support child domains. You must use a single-domain forest for your self-managed AD. For more information, see Microsoft Active Directory domain requirements. |
| DcDiag Test | | | | Occurs if any Microsoft DCDiag tests fail on your self-managed AD. | Amazon uses DCDiag to test your self-managed AD. If there are errors, you cannot create a hybrid directory. For more information, see Microsoft documentation. |
| DNS IP Match Test | | | | Occurs if the provided DNS IP addresses of your self-managed AD do not match the DNS IP addresses on your self-managed AD domain controllers that are enabled with Amazon Systems Manager. | Provide the correct DNS IP addresses. |
| DNS Name Match Test | | | | Occurs if the DNS name provided for your self-managed AD does not match the DNS name on your self-managed AD domain controllers enabled with Amazon Systems Manager. | Provide the correct DNS name. |
| DNS Records Test | | | | Occurs if Windows DNS records of types A, NS, SOA, and SRV are not set or cannot be queried. | The DNS records for Address (A), Name Server (NS), Start of Authority (SOA), and Service Record (SRV) must be set and must be queryable. For more information, see Microsoft documentation. |
| Domain Forest Functional Level Test | | | | Occurs if your self-managed AD domain and forest functional levels do not meet minimum requirements. | Your self-managed AD must use the Windows 2012 R2 or 2016 functional level. For more information, see Microsoft documentation. |
| Domain Health Tests | | | | Occurs if your self-managed AD does not have the minimum required number of domain controllers. | Ensure your self-managed AD has at least two domain controllers enabled with Amazon Systems Manager. For more information, see Microsoft Active Directory domain requirements. |
| Existing Domain Test | | | | Occurs if your self-managed AD domain is already joined to an existing hybrid directory. | Your self-managed AD domain is already joined to an existing hybrid directory. Each self-managed AD domain joined with a hybrid directory must be unique. Create a new self-managed AD domain, or remove the domain from the hybrid directory configuration to which it is joined. |
| FSMO Connectivity Test | | | | Occurs if the IPs of the FSMO role holders (PDC Emulator and/or RID Master) on your self-managed AD are not routable. | The Primary Domain Controller (PDC) must be routable at all times; specifically, the PDC Emulator and RID Master IPs of your self-managed AD. For more information, see Microsoft Active Directory domain requirements. |
| FSMO Connectivity Test | | | | Occurs if your self-managed AD domain controllers cannot access your FSMO roles. | The Flexible Single Master Operation (FSMO) role holders in your self-managed AD must be reachable from your self-managed AD domain controllers. For more information, see Microsoft documentation. |
| IP Conflict Test | | | | Occurs if your self-managed AD IP ranges overlap with Amazon reserved ranges. | Your self-managed AD cannot use an IP address range that overlaps with reserved Amazon IP ranges. For more information, see Microsoft Active Directory domain requirements. |
| Kerberos Test | | | | Occurs if Kerberos is not configured correctly and in use. | Kerberos must be enabled on your self-managed AD. For more information, see Microsoft documentation. |
| LDAP Connectivity Test | | | | Occurs if LDAP does not work. | Lightweight Directory Access Protocol (LDAP) must be enabled and functioning on your self-managed AD. For more information, see Microsoft documentation. |
| Not Read Only Domain Controller For FSMO Test | | | | Occurs if an FSMO role in your self-managed AD is held by an RODC. | Flexible Single Master Operation (FSMO) roles in your self-managed AD must not be held by a Read-Only Domain Controller (RODC). For more information, see Microsoft documentation. |
| Read Only Domain Controller Password Replication Test | | | | Occurs if the RODC has permission to replicate Admin passwords. | The RODC for your self-managed AD must be explicitly denied permission to replicate Admin passwords. For more information, see Microsoft documentation. |
| Read Only Domain Controller Test | | | | Occurs if your self-managed AD domain controllers are in ReadOnlyDC mode. | Your self-managed AD domain controllers must be read-write. For more information about domain controller types, see Microsoft documentation. |
| Remote Port Connectivity Test | | | | Occurs if required ports between your Amazon subnet and your self-managed AD domain controllers are not open. | Ensure all required ports are open between your Amazon subnet and your self-managed AD. See Network port requirements for more information. |
| Replication Test | | | | Occurs if replication between your self-managed AD domain controllers has failed. | Replication between your self-managed AD domain controllers must be successful. For more information, see Microsoft documentation. |
| SMBV1 Test | | | | Occurs if your self-managed AD is currently using SMBv1 for authentication. | SMBv1 is known to be unsafe and must be disabled on your self-managed AD. For more information, see Microsoft documentation. |
| SSM User Permissions Test | | | | Occurs if the Windows user that is used by SSM has insufficient privileges. | The Amazon Systems Manager (SSM) agents on your self-managed AD need Windows Administrator permissions. For more information, see Amazon Web Services account permissions. |
| Sysvol Replication Test | | | | Occurs if your self-managed AD does not use the correct sysvol replication method (DFSR), or if any DCs failed during a DFSR replication event. | Your self-managed AD sysvol replication method (DFSR) must be successful. For more information, see Microsoft documentation. |
| Top Level GPO Test | | | | Occurs if your self-managed AD has top-level GPOs set as Enforced. | Ensure no top-level group policy object (GPO) in your self-managed AD domain is set to Enforced. For more information, see Microsoft documentation. |
| Trust Types Test | | | | Occurs if your self-managed AD has unsupported trust types. | Uplevel is the only trust type supported with hybrid directory. Your self-managed AD cannot have the following trust types: DCE, MIT, Downlevel. For more information on trust types, see Microsoft documentation. |
| Valid Domain Controller Test | | | | Occurs if the self-managed AD instances provided are not domain controllers, or if they are already part of another hybrid directory. | Provide self-managed AD domain controllers that are unique to this hybrid directory. Retry with a new directory. Ensure that you have deleted the failed hybrid directory and any Amazon Reserved OU in your self-managed AD. |
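Several of the resolutions above can be checked before the assessment runs. The following PowerShell pre-flight script is an added example, not AWS code: it covers the Child Domain, Domain Forest Functional Level, FSMO Owner, Read Only Domain Controller, SMBV1, Admin User Exist/SPN, Top Level GPO and Trust Types tests using the ActiveDirectory, GroupPolicy and SmbShare modules. It assumes a domain-joined Windows host with RSAT installed, and the `$AdminUser` and `$HybridDcs` parameter values are placeholders that you replace with your own.

```powershell
# Added pre-flight check for the hybrid directory assessment tests (not AWS code).
# Replace the two placeholder parameters with the values from your environment.
param(
    [string]$AdminUser   = 'HYBRID_ADMIN_USER_PLACEHOLDER',  # sAMAccountName of the hybrid admin user
    [string[]]$HybridDcs = @('HYBRID-DC-01-PLACEHOLDER')      # hostnames of the hybrid directory DCs
)
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]
$domain = Get-ADDomain
$forest = Get-ADForest
# Child Domain Test: only a single-domain forest is supported.
if ($forest.Domains.Count -gt 1) { $findings.Add("Child Domain Test: forest has $($forest.Domains.Count) domains") }
# Domain Forest Functional Level Test: Windows 2012 R2 or 2016 required.
if ($domain.DomainMode -notin 'Windows2012R2Domain', 'Windows2016Domain') {
    $findings.Add("Domain Forest Functional Level Test: DomainMode is $($domain.DomainMode)")
}
# Amazon Domain Controller Not FSMO Owner Test: roles must stay on self-managed DCs.
foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
    $holder = ($domain.$role -split '\.')[0]
    if ($HybridDcs -contains $holder) { $findings.Add("FSMO Owner Test: $role is held by hybrid DC $holder") }
}
# Read Only Domain Controller Test / Not RODC For FSMO Test: every DC must be writable.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs | Where-Object IsReadOnly) {
    $findings.Add("Read Only Domain Controller Test: $($dc.HostName) is an RODC")
}
# SMBV1 Test: SMBv1 must be disabled on each DC (queried remotely over CIM).
foreach ($dc in $dcs) {
    if ((Get-SmbServerConfiguration -CimSession $dc.HostName).EnableSMB1Protocol) {
        $findings.Add("SMBV1 Test: SMBv1 is enabled on $($dc.HostName)")
    }
}
# Amazon Admin User Exist Test / SPN Test: the user must exist and carry no SPNs.
try {
    $admin = Get-ADUser -Identity $AdminUser -Properties servicePrincipalName -ErrorAction Stop
    if ($admin.servicePrincipalName.Count -gt 0) {
        $findings.Add("Amazon Admin User SPN Test: $AdminUser has $($admin.servicePrincipalName.Count) SPN(s)")
    }
} catch { $findings.Add("Amazon Admin User Exist Test: $AdminUser was not found") }
# Top Level GPO Test: no GPO linked at the domain root may be Enforced.
foreach ($link in (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks | Where-Object Enforced) {
    $findings.Add("Top Level GPO Test: '$($link.DisplayName)' is Enforced at the domain root")
}
# Trust Types Test: Uplevel is the only supported trust type.
foreach ($trust in Get-ADTrust -Filter * | Where-Object { $_.TrustType -ne 'Uplevel' }) {
    $findings.Add("Trust Types Test: trust to $($trust.Target) has type $($trust.TrustType)")
}
if ($findings.Count -eq 0) { 'No blocking issues found by this pre-flight check.' } else { $findings }
```

Each finding is named after the assessment test it corresponds to, so it can be matched directly against the Resolution column above.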