

# Assessment Test error messages
<a name="assessment_test_error-msgs"></a>

The following table describes error messages that can occur during assessment tests. These errors indicate blocking issues that must be resolved before proceeding with hybrid directory setup.


| Test name | Short name | Error code | Error message | Description | Resolution | 
| --- | --- | --- | --- | --- | --- | 
| Active Directory Services Test | `testActiveDirectoryServices` | `AD_CRITICAL_SERVICES_NOT_RUNNING` | `Critical AD Services: [service_list] not running on hostname`. | Occurs if required AD services are not running in your self-managed AD. | Specific required AD services must be running in your self-managed AD. For more information, see [Required Active Directory services](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-services). | 
| Active Directory Services Test | `testActiveDirectoryServices` | `DOMAIN_CONTROLLER_NOT_FOUND` | `No domain controllers found for testActiveDirectoryServices.` | Occurs if your self-managed AD domain controllers could not be detected and queried during AD service validation. | Ensure your self-managed AD domain controllers are operational and can be reached. Verify network connectivity and DNS resolution for your self-managed AD domain controllers. | 
| AD Password Policy Test | `testPasswordPolicies` | `PASSWORD_POLICY_VIOLATIONS` | `{{ErrorMessage}}` | Occurs if your self-managed AD password policy does not satisfy Amazon Managed Microsoft AD requirements. | Your self-managed AD password policy must satisfy the Amazon Managed Microsoft AD password requirements. For more information, see [Understanding Amazon Managed Microsoft AD password policies](https://docs.amazonaws.cn/directoryservice/latest/admin-guide/ms_ad_password_policies.html). | 
| Amazon Admin User Exist Test | `testAwsAdminUserExist` | `ADMINISTRATOR_ACCOUNT_MISSING` | `Amazon Admin user not found or invalid.` | Occurs if the hybrid directory administrator user does not exist in the Amazon Reserved OU on your self-managed AD. | Ensure the hybrid directory administrator user exists in the Amazon Reserved OU on your self-managed AD. If the user is missing, verify that the account was created correctly during the hybrid directory setup process. For more information, see [Updating a hybrid directory](hybrid_directory_view_and_edit.md#editing_hybrid_dir). If your hybrid directory state is inoperable, contact [Amazon Web Services Support](https://console.amazonaws.cn/support/home#/). | 
| Amazon Admin User SPN Test | `testNoSpnOnAwsAdminAccount` | `SPN_FOUND_ON_AWS_ADMIN` | `Found {{spnCount}} Service Principal Names (SPNs) set on Amazon admin user {{Username}}. Please remove all SPNs from this account.` | Occurs if the hybrid directory administrator user has any SPNs configured on your self-managed AD. | Remove all Service Principal Names (SPNs) from the Amazon hybrid directory administrator user account. The hybrid directory administrator user must not have any SPNs configured because they can interfere with hybrid directory authentication. | 
| Amazon Domain Controller Not FSMO Owner Test | `testAwsDcNotFsmoOwner` | `AWS_DC_HOLDS_FSMO_ROLE` | `Amazon Domain Controller owns FSMO roles: {{rolesList}}. Please remove these roles.` | Occurs if you have transferred FSMO roles (PDC Emulator, RID Master, or Infrastructure Master) from your self-managed AD to the hybrid directory domain controller. | Transfer all FSMO roles (PDC Emulator, RID Master, Infrastructure Master) back to your self-managed AD domain controllers before proceeding. For more information, see [Microsoft documentation on transferring FSMO roles](https://learn.microsoft.com/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles). | 
| Amazon Reserved Group Membership Test | `testValidateAwsReservedGroupMembership` | `AWS_RESERVED_OU_NOT_FOUND` | `Amazon Reserved OU not found.` | Occurs if the Amazon Reserved OU on your self-managed AD doesn't exist. | The Amazon Reserved OU must exist on your self-managed AD in order to validate group membership. Contact [Amazon Web Services Support](https://console.amazonaws.cn/support/home#/). | 
| Amazon Reserved Group Membership Test | `testValidateAwsReservedGroupMembership` | `GROUP_MEMBERSHIP_MISMATCH` | `Amazon Reserved OU Group [GroupNameA]: Missing User(s) [ Object1 ], [ Object2] and Extra user(s) [ Object3 ].` | Occurs if groups in the Amazon Reserved OU on your self-managed AD contain unauthorized users. | Remove any unauthorized users from Amazon Reserved OU groups on your self-managed AD. | 
| Amazon Reserved OU ACLs Test | `testReservedOuAclsPermissions` | `RESERVED_OU_NON_COMPLIANT_AC` | `Amazon Reserved OU ACLs permissions are invalid.` | Occurs if the Amazon Reserved OU ACLs on your self-managed AD do not enforce read-only permissions for non-Amazon entities and do not prevent unauthorized access to Amazon-managed resources. | Review and correct the permissions on the Amazon Reserved OU ACLs on your self-managed AD. Ensure that non-Amazon entities have only read permissions (`ListChildren`, `ReadProperty`, `ListObject`, `ReadControl`, `GenericRead`, `Synchronize`) and remove any excessive permissions. | 
| Amazon Reserved OU GPO Associations Test | `testReservedOuGPOs` | `AWS_RESERVED_OU_NON_RESERVED_GPO_FOUND` | `Found non-Amazon GPOs attached to the Amazon Reserved OU: Amazon Reserved OU ({{count}} unauthorized). Allowed GPOs: [{{allowedAwsGpos}}]. Domain Controllers OU ({{count}} unauthorized). Allowed GPOs: [{{allowedDcGpos}}]. Please, remove extra GPOs from the Amazon Reserved OU.` | Occurs if the Amazon Reserved OU and Domain Controllers OU on your self-managed AD are linked to unauthorized GPOs. | Only Amazon-managed Group Policy Objects (GPOs) can be linked to these OUs. Remove any unauthorized GPOs linked to the Amazon Reserved OU and Domain Controllers OU on your self-managed AD. | 
| Amazon Reserved OU Resources Test | `testAwsReservedOUResources` | `AWS_RESERVED_OU_NOT_FOUND` | `The Amazon Reserved OU does not exist. Please contact Amazon Support.` | Occurs if the Amazon Reserved OU does not exist in your self-managed AD. This OU is required for Amazon Managed Microsoft AD directory functionality. | The Amazon Reserved OU is created automatically during hybrid directory setup and must not be deleted. If this error persists, contact [Amazon Web Services Support](https://console.amazonaws.cn/support/home#/). | 
| Amazon Reserved OU Resources Test | `testAwsReservedOUResources` | `AWS_RESERVED_OU_RESOURCES_MISMATCH` | `The following required resources are missing from Amazon Reserved OU - Objects: {{missing objects}}, GPOs: {{missing GPOs}}. The following resources should not exist but were found in Amazon Reserved OU: Objects: {{unexpected objects}}, GPOs: {{unexpected GPOs}}` | Occurs if the Amazon Reserved OU created on your self-managed AD does not contain the required objects and GPOs for proper hybrid directory operation. | Ensure no one edits the Amazon Reserved OU. It must contain the required Amazon-managed resources. Remove any unauthorized objects or GPOs, and contact [Amazon Web Services Support](https://console.amazonaws.cn/support/home#/) if required resources are missing. | 
| Amazon Reserved OU Test | `testCleanAwsReservedOU` | `AWS_RESERVED_RESOURCES_STILL_EXIST` | `Amazon Reserved OU or Amazon Reserved GPO still exists, please delete.` | Occurs if Amazon Reserved resources from a previous hybrid directory setup still exist on your self-managed AD. | Delete the existing failed hybrid directory from the console. Then delete any Amazon Reserved OU and related GPOs from your self-managed AD before proceeding. | 
| Bridgehead Naming Context Test | `testBridgeheadNamingContext` | `NAMING_CONTEXT_INCONSISTENT` | `{{failureDetails}}` | Occurs if self-managed AD replication between sites through bridgehead servers is not working as expected. It can also occur if the naming contexts are not synchronized between sites. | Bridgehead replication between your self-managed AD sites must be succeeding. You can diagnose further with `repadmin /bridgeheads /verbose`. Address the issues reported by that command before continuing. | 
| Child Domain Test | `testChildDomain` | `CHILD_DOMAIN_NOT_SUPPORTED` | `Child Domains are not supported for Hybrid Directory.` | Occurs if your self-managed AD forest contains child domains, which are not supported with Amazon Managed Microsoft AD directories. | Amazon Managed Microsoft AD directories do not support child domains. You must use a single-domain forest for your self-managed AD. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| DcDiag Test | `testDcDiag` | `DCDIAG_TEST_FAILED` | `DCDiag test failed due to issue from [{{formatedFailedTests}}].` | Occurs if any Microsoft DCDiag tests fail on your self-managed AD. | Amazon uses DCDiag to test your self-managed AD. If there are errors, you cannot create a hybrid directory. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/troubleshoot-domain-controller-deployment#tools-and-commands-for-troubleshooting-domain-controller-configuration). | 
| DNS IP Match Test | `testDnsIpMatch` | `DNS_IP_MISMATCH` | `DNS IP address does not match expected IP addresses.` | Occurs if the DNS IP addresses provided for your self-managed AD do not match the DNS IP addresses on your self-managed AD domain controllers that are enabled with Amazon Systems Manager. | Provide the correct DNS IP addresses. | 
| DNS Name Match Test | `testDnsNameMatch` | `DOMAIN_DNS_NAME_MISMATCH` | `DNS name does not match expected domain name.` | Occurs if the DNS name provided for your self-managed AD does not match the DNS name on your self-managed AD domain controllers enabled with Amazon Systems Manager. | Provide the correct DNS name. | 
| DNS Records Test | `testDnsRecords` | `DNS_RECORD_MISSING` | `Unable to resolve the following DNS queries: [{{missingRecordsString}}].` | Occurs if the Windows DNS records of type A, NS, SOA, and SRV are not set or cannot be queried. | The DNS records for Address (A), Name Server (NS), Start of Authority (SOA), and Service Record (SRV) must be set and must be queryable. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/azure/dns/dns-zones-records). | 
| Domain Forest Functional Level Test | `testDomainForestFunctionalLevel` | `UNSUPPORTED_FUNCTIONAL_LEVEL` | `Detected unsupported domain functional level: {{DomainFunctionalLevel}}, we require minimum of {{MinimumDomainMode}}. Detected unsupported forest functional level: {{ForestFunctionalLevel}}, we require minimum of {{MinimumForestMode}}.` | Occurs if your self-managed AD domain and forest functional levels do not meet the minimum requirements. | Your self-managed AD must use the Windows Server 2012 R2 or 2016 functional level. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-deployment). | 
| Domain Health Tests | `testOnPremDcNumber` | `DC_NUMBER_BELOW_LIMIT` | `On-Prem DC count is lower than required number. DC count is {{NumberOfDc}}, Amazon required number is {{DcMinimum}}.` | Occurs if your self-managed AD does not have the minimum required number of domain controllers. | Ensure your self-managed AD has at least two domain controllers enabled with Amazon Systems Manager. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| Existing Domain Test | `testDomainAlreadyJoined` | `DOMAIN_ALREADY_JOINED` | `Instance is already joined to a domain.` | Occurs if your self-managed AD domain is already joined to an existing hybrid directory. | Your self-managed AD domain is already joined to an existing hybrid directory. Each self-managed AD domain joined to a hybrid directory must be unique. Create a new self-managed AD domain, or remove the domain from the hybrid directory configuration to which it is joined. | 
| FSMO Connectivity Test | `testFsmoConnectivity` | `FSMO_ROLE_HOLDER_NOT_ROUTABLE` | `(PDCEmulator Ip: 1.1.1.1, RIDMaster Ip: 1.1.1.1) is not in routable ranges: [2.2.0.0/16, 3.3.0.0/16, 4.4.0.0/16, 5.5.0.0/16, 6.6.0.0/16].` | Occurs if the IP addresses of the FSMO role holders (PDC Emulator and/or RID Master) on your self-managed AD are not in a routable range. | The PDC Emulator and RID Master IP addresses of your self-managed AD must be routable at all times. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| FSMO Connectivity Test | `testFsmoConnectivity` | `FSMO_ROLE_MISSING` | `FSMO role(s): [{{missingRolesString}}] missing or DNS Record not found.` | Occurs if your self-managed AD domain controllers cannot reach your FSMO role holders. | The Flexible Single Master Operation (FSMO) roles in your self-managed AD must be reachable from your self-managed AD domain controllers. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/fsmo-roles). | 
| IP Conflict Test | `testIpConflict` | `IP_RANGE_CONFLICT` | `Conflicting IP address detected: {{ipOverlaps}}` | Occurs if your self-managed AD IP Ranges overlap with Amazon reserved ranges. | Your self-managed AD cannot use an IP address range that overlaps with Reserved Amazon IP ranges. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| Kerberos Test | `testKerberos` | `KERBEROS_AUTHENTICATION_FAILED` | `Unable to get kerberos TGT.` | Occurs if Kerberos is not configured correctly or is not in use. | Kerberos must be enabled on your self-managed AD. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview). | 
| LDAP Connectivity Test | `testLdapConnectivity` | `LDAP_TEST_FAILED` | `Unable to query LDAP with rootDSE call.` | Occurs if the LDAP rootDSE query against your self-managed AD fails. | Lightweight Directory Access Protocol (LDAP) must be enabled and functioning on your self-managed AD. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/lightweight-directory-access-protocol-ldap-api). | 
| Not Read Only Domain Controller For FSMO Test | `testNotRodcForFsmo` | `FSMO_FOUND_ON_RODC` | `FSMO Role Found on RODC` | Occurs if an FSMO role in your self-managed AD is held by a Read-Only Domain Controller (RODC). | The Flexible Single Master Operation (FSMO) roles in your self-managed AD must not be held by a Read-Only Domain Controller (RODC). For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/fsmo-roles). | 
| Read Only Domain Controller Password Replication Test | `testRodcPasswordReplication` | `RODC_REPLICATE_ADMIN_PASSWORD` | `ReadOnly Domain Controller password replication is not explicitly denied for following groups: [{{missingGroupsString}}].` | Occurs if the RODC has permission to replicate Admin passwords. | The RODC for your self-managed AD must be explicitly denied permission to replicate Admin passwords. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/rodc-replicates-passwords-grant-incorrect-permissions). | 
| Read Only Domain Controller Test | `testIsDCRodc` | `DC_READONLY_MODE` | `Provided Domain Controller is set to Read-Only mode.` | Occurs if the self-managed AD domain controllers you provided are read-only domain controllers. | The self-managed AD domain controllers you provide must be writable (read-write) domain controllers. For more information about domain controller types, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-special-identities-groups#enterprise-domain-controllers). | 
| Remote Port Connectivity Test | `testPortConnectivity` | `PORT_TEST_FAILED` | `Connection to {{TargetDestination}} failed for TCP ports [{{failed TCP ports}}]. UDP ports [{{failed UDP ports}}].` | Occurs if the required ports between your Amazon subnet and your self-managed AD domain controllers are not open. | Ensure all required ports are open between your Amazon subnet and your self-managed AD. For more information, see [Network port requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ports). | 
| Replication Test | `testReplication` | `REPLICATION_FAILED` | `Replication failed for [{{failedDSAsString}}].` | Occurs if replication between your self-managed AD domain controllers has failed. | Replication between your self-managed AD domain controllers must be succeeding. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfs-replication-overview). | 
| SMBV1 Test | `testSMBV1` | `INSECURE_SETTING_SMB` | `SMBv1 is enabled on the system.` | Occurs if SMBv1 is enabled and in use on your self-managed AD. | SMBv1 is known to be insecure and must be disabled on your self-managed AD. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server). | 
| SSM User Permissions Test | `testSSMUserPermissions` | `INSUFFICIENT_PERMISSIONS` | `Systems Manager user does not have required elevated privileges.` | Occurs if the Windows user account used by SSM has insufficient privileges. | The Amazon Systems Manager (SSM) agent on your self-managed AD domain controllers needs Windows Administrator permissions. For more information, see [Amazon Web Services account permissions](create_hybrid_directory_prereqs.md#hybrid-dir-prereq-perms). | 
| Sysvol Replication Test | `testSysvolReplication` | `DFSR_FAILURE_DETECTED` | `Failed DFSR event logs: {{failedLogsString}}.` | Occurs if your self-managed AD does not use the correct sysvol replication method (DFSR), or if any domain controllers logged failed DFSR replication events. | Sysvol replication on your self-managed AD must use DFSR and must be succeeding. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr). | 
| Top Level GPO Test | `testTopLevelEnforcedGPO` | `TOP_LEVEL_ENFORCED_GPO_FOUND` | `GroupPolicy cannot be set to Enforced at the Domain Root, Found GPOs: [{{GposEnforced}}] set as Enforced.` | Occurs if your self-managed AD has top-level GPOs set to Enforced. | Ensure that no Group Policy Object (GPO) linked at the domain root of your self-managed AD is set to Enforced. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-processing). | 
| Trust Types Test | `testTrustTypes` | `INVALID_TRUST_TYPE` | `Invalid trust types detected: [{{InvalidTrustString}}], only Uplevel (Microsoft AD) is currently supported.` | Occurs if your self-managed AD has unsupported trust types. | Uplevel is the only trust type supported with hybrid directory. Your self-managed AD cannot have the following trust types: DCE, MIT, Downlevel. For more information on trust types, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/rodc-replicates-passwords-grant-incorrect-permissions). | 
| Valid Domain Controller Test | `testValidDC` | `COMPUTER_NOT_DC` | `Provided instance is not a domain controller.` | Occurs if the self-managed AD instances you provided are not domain controllers, or if they are already part of another hybrid directory. | Provide self-managed AD domain controllers that are unique to this hybrid directory. Retry with a new directory. Ensure that you have deleted the failed hybrid directory and any Amazon Reserved OU in your self-managed AD. | 
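Several of the checks in the table above can be run locally before you start an assessment, so that blocking issues are found and fixed on your own schedule rather than at setup time. The following PowerShell script is an added example written for this page; it is not part of the assessment tool or of the Amazon documentation, and it does not replace the assessment. It runs on a self-managed domain controller in an elevated session with the RSAT `ActiveDirectory` and `GroupPolicy` modules, and it mirrors `testActiveDirectoryServices`, `testNotRodcForFsmo`, `testDomainForestFunctionalLevel`, `testOnPremDcNumber`, `testSMBV1`, and `testTopLevelEnforcedGPO`. The list of critical services and the minimum functional level (`6`, the `Windows2012R2` value of the `ADDomainMode`/`ADForestMode` enumerations) are assumptions taken from the resolutions above, so adjust them to match the prerequisites page for your deployment.

```powershell
# Added example (not part of the assessment tool or this documentation): local pre-assessment
# checks on a self-managed domain controller. Service names and thresholds below are assumptions.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module GroupPolicy -ErrorAction Stop

function New-CheckResult {
    param([string]$Test, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Test = $Test; Passed = $Passed; Detail = $Detail }
}

function Test-HybridDirectoryReadiness {
    [CmdletBinding()]
    param(
        # Assumed list; replace with the required services named in the prerequisites page.
        [string[]]$CriticalServices = @('NTDS', 'DNS', 'Kdc', 'Netlogon', 'W32Time', 'DFSR'),
        # 6 == Windows2012R2 in the ADDomainMode and ADForestMode enumerations (assumed minimum).
        [int]$MinimumFunctionalLevel = 6,
        [int]$MinimumDcCount = 2
    )

    $results = @()
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # testActiveDirectoryServices: every critical service must exist and be running.
    $notRunning = foreach ($name in $CriticalServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { $name }
    }
    $results += New-CheckResult 'ActiveDirectoryServices' (-not $notRunning) `
        ('Not running: ' + ($notRunning -join ', '))

    # testNotRodcForFsmo: no FSMO role may be held by a read-only domain controller.
    $holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster) | Sort-Object -Unique
    $rodcHolders = foreach ($h in $holders) {
        if ((Get-ADDomainController -Identity $h).IsReadOnly) { $h }
    }
    $results += New-CheckResult 'NotRodcForFsmo' (-not $rodcHolders) `
        ('RODC role holders: ' + ($rodcHolders -join ', '))

    # testDomainForestFunctionalLevel: the enumerations are ordered, so compare them numerically.
    $levelOk = ([int]$domain.DomainMode -ge $MinimumFunctionalLevel) -and
               ([int]$forest.ForestMode -ge $MinimumFunctionalLevel)
    $results += New-CheckResult 'DomainForestFunctionalLevel' $levelOk `
        "Domain: $($domain.DomainMode), Forest: $($forest.ForestMode)"

    # testOnPremDcNumber: count writable DCs only, since RODCs fail testIsDCRodc anyway.
    $writableDcs = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly })
    $results += New-CheckResult 'OnPremDcNumber' ($writableDcs.Count -ge $MinimumDcCount) `
        "Writable DCs: $($writableDcs.Count)"

    # testSMBV1: the SMB1 protocol must be disabled on the server side.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $results += New-CheckResult 'SMBV1' (-not $smb1) "EnableSMB1Protocol = $smb1"

    # testTopLevelEnforcedGPO: no GPO linked at the domain root may be Enforced.
    $enforced = @((Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
                  Where-Object { $_.Enforced } | ForEach-Object { $_.DisplayName })
    $results += New-CheckResult 'TopLevelEnforcedGPO' ($enforced.Count -eq 0) `
        ('Enforced at domain root: ' + ($enforced -join ', '))

    return $results
}

# Usage: print every check, then exit non-zero if any blocking issue remains.
$report = Test-HybridDirectoryReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Passed }) { exit 1 }
```

Each result names the assessment test it corresponds to, so a failing row can be looked up directly in the table above for the matching resolution. The script only reads directory and server state; fixing a failed check (transferring an FSMO role, disabling SMBv1, unlinking an Enforced GPO) is a separate, deliberate change that should follow the linked Microsoft guidance.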