Assessment Test warning messages - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Assessment Test warning messages

The following table describes warning messages that can occur during assessment tests. These warnings represent recommendations for optimal configuration but do not prevent hybrid directory setup.

Each entry below lists the test name, the short name reported by the tool, the warning code, the warning message (with its placeholders), a description of the condition, and the recommended resolution.

Test name: Domain Health Tests
Short name: testDisabledStaleUserNumber
Warning code: STALE_USERS_FOUND
Warning message: StaleUserCount users were found to be stale, they have not logged in for StaleThresholdInDays days.
Description: Occurs if there are user accounts in your self-managed AD that have not logged in for an extended period and may be considered stale or inactive.
Resolution: Clean up stale user accounts.

Test name: Domain Controller Time Source Test
Short name: testDCTimeSource
Warning code: DC_BAD_TIMESOURCE
Warning message: Time sources not properly configured for PDC, should using an authoritative source. Time sources not properly configured for dcHostName, should using PDC as source
Description: Occurs if your self-managed AD does not have the correct time source configured, or if there is a large time skew compared with an Amazon time source.
Resolution: Your primary domain controller (PDC) time server should be directed to 169.254.169.123. Your non-primary domain controllers should be pointed to the PDC as their source. For more information, see Keeping time with Amazon Time Sync Service.

Test name: Free Space Test
Short name: testFreeSpace
Warning code: DISK_SPACE_EXCEEDED
Warning message: Supported service max capacity of 7 GB exceeded; SysVol + NTDS is currently using: 24 GB)
Description: Occurs if the combined NTDS and SYSVOL usage on your self-managed AD is above the supported quota.
Resolution: Your self-managed AD should have 24 GB of disk space for hybrid directories.

Test name: Schannel SSP Test
Short name: testSchannelSSP
Warning code: TLS_1_2_NOT_ENABLED
Warning message: Disabled protocol DisabledProtocol is still enabled.
Description: Occurs if a self-managed AD does not use TLS 1.2 and AES256 encryption.
Resolution: Your self-managed AD must use TLS 1.2 and AES256 for hybrid directories.

Test name: Disk Corruption Test
Short name: testDiskCorruption
Warning code: DISK_CORRUPT
Warning message: Disk corruption detected on Drive.
Description: Occurs if there is disk corruption on your self-managed AD.
Resolution: Your self-managed AD disks should not be corrupted.

Test name: Domain Controller Specs Test
Short name: testDcSpecs
Warning code: INSUFFICIENT_RESOURCES
Warning message: numAvailableCores cores detected when requiredCores cores recommended. gbAvailableRam GB ram detected when requiredRam GB recommended.
Description: Occurs if your self-managed AD domain controllers don't meet the required specifications.
Resolution: Your self-managed AD domain controllers should have at least 7 GB RAM and 2 CPU cores for hybrid directories.

Test name: Server Level Plugin Dll Test
Short name: testServerLevelPluginDll
Warning code: SERVER_LEVEL_PLUGIN_DLL_IS_SET
Warning message: ServerLevelPluginDll registry configuration is not permitted.
Description: Occurs if ServerLevelPluginDll is set on your self-managed AD domain controllers.
Resolution: Your self-managed AD domain controllers should not have ServerLevelPluginDll configured.

Test name: Allow NT4 Crypto Test
Short name: testAllowNT4Crypto
Warning code: NT4_CRYPTO_NOT_ALLOWED
Warning message: Registry key AllowNt4Crypto is not allowed.
Description: Occurs if your self-managed AD allows NT4 cryptography.
Resolution: Your self-managed AD should not use NT4 cryptography. For more information, see Microsoft documentation.

Test name: Orphaned Admin Users Test
Short name: testOrphanedAdminUsers
Warning code: ORPHANED_ADMIN_USER_FOUND
Warning message: OrphanedUsersCount Orphaned Admin Users Found: [OrphanedUserNames].
Description: Occurs if orphaned admin users exist in your self-managed AD.
Resolution: Remove orphaned users on your self-managed AD before continuing.

Test name: Privileged User Count Test
Short name: testPrivilegedUserCount
Warning code: DOMAIN_ADMIN_COUNT_EXCEEDED
Warning message: Number of Domain Admins (daCount) exceeded allowance of (allowedDomainAdminCount).
Description: Occurs if the total count of your Built-in Admins, Domain Admins, and Enterprise Admins on your self-managed AD is greater than 5.
Resolution: Your self-managed AD environment should not have an excessive number of privileged accounts. Remove the excess admin accounts before continuing.

Test name: Privileged User Count Test
Short name: testPrivilegedUserCount
Warning code: ENTERPRISE_ADMIN_COUNT_EXCEEDED
Warning message: Number of Enterprise Admins (eaCount) exceeded allowance of (allowedEnterpriseAdminCount).
Description: Occurs if the total count of your Built-in Admins, Domain Admins, and Enterprise Admins on your self-managed AD is greater than 5.
Resolution: Your self-managed AD environment should not have an excessive number of privileged accounts. Remove the excess admin accounts before continuing.

Test name: Privileged User Count Test
Short name: testPrivilegedUserCount
Warning code: BUILTIN_ADMIN_COUNT_EXCEEDED
Warning message: Number of Built-in Admins (baCount) exceeded allowance of (allowedAdminCount).
Description: Occurs if the total count of your Built-in Admins, Domain Admins, and Enterprise Admins on your self-managed AD is greater than 5.
Resolution: Your self-managed AD environment should not have an excessive number of privileged accounts. Remove the excess admin accounts before continuing.

Test name: NTLM Test
Short name: testNTLM
Warning code: INSECURE_SETTING_NTLM
Warning message: NTLMv1 is enabled.
Description: Occurs if NTLMv1 is enabled for authentication on your self-managed AD.
Resolution: NT LAN Manager version 1 (NTLMv1) has known security vulnerabilities and should not be used. Disable NTLMv1 on your self-managed AD. For more information, see Microsoft documentation.

Test name: Tombstone Lifetime Test
Short name: testTombstoneLifetime
Warning code: TOMBSTONE_LIFETIME_ABOVE_LIMIT
Warning message: Tombstone Lifetime is too long. DC Tombstone Lifetime is TombstoneLifeTime, Amazon suggested number is TombstoneMaximum days.
Description: Occurs if the Tombstone lifetime on your self-managed AD is more than 180 days.
Resolution: The Tombstone lifetime is the number of days before a deleted object is removed from AD. The Tombstone lifetime value for your self-managed AD should be 180 days or less. For more information, see Microsoft documentation.
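The following read-only PowerShell pre-check is an added example, not code from Amazon's assessment tool. It reproduces the conditions behind several of the warnings above (time source, Schannel protocols, ServerLevelPluginDll, AllowNT4Crypto, NTLMv1, tombstone lifetime, privileged group size, stale users, and DC sizing) so you can find and fix them on a self-managed domain controller before running the real assessment. It assumes it runs on a domain controller with the ActiveDirectory RSAT module installed; the thresholds (180 days, 5 members, 2 cores, 7 GB) are taken from the table, the 90-day stale-user window is an assumption because the page does not state StaleThresholdInDays, and the registry locations are the standard Windows ones for each setting.

```powershell
#Requires -Modules ActiveDirectory
# Added example: local pre-check mirroring the hybrid directory assessment warnings.
# Read-only; it reports findings and changes nothing.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Code, [string]$Detail) { $script:findings.Add("$Code : $Detail") }

# DC_BAD_TIMESOURCE: the PDC should sync from 169.254.169.123 (Amazon Time Sync
# Service); every other DC should sync from the PDC.
$pdc      = (Get-ADDomain).PDCEmulator          # FQDN of the PDC emulator
$pdcHost  = $pdc.Split('.')[0]
$source   = (w32tm /query /source) -join ''
if ($env:COMPUTERNAME -ieq $pdcHost) {
    if ($source -notmatch '169\.254\.169\.123') {
        Add-Finding 'DC_BAD_TIMESOURCE' "PDC time source is '$source', expected 169.254.169.123"
    }
} elseif ($source -notmatch [regex]::Escape($pdcHost)) {
    Add-Finding 'DC_BAD_TIMESOURCE' "time source is '$source', expected PDC $pdc"
}

# TLS_1_2_NOT_ENABLED: legacy Schannel protocols must not be explicitly enabled
# server-side. An absent key means the OS default applies and is not flagged here.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    $key = Join-Path $schannel "$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($enabled -eq 1) { Add-Finding 'TLS_1_2_NOT_ENABLED' "Disabled protocol $proto is still enabled" }
}

# SERVER_LEVEL_PLUGIN_DLL_IS_SET: the DNS server must not load a plugin DLL.
$dns = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' -ErrorAction SilentlyContinue
if ($dns -and $dns.ServerLevelPluginDll) {
    Add-Finding 'SERVER_LEVEL_PLUGIN_DLL_IS_SET' "ServerLevelPluginDll = $($dns.ServerLevelPluginDll)"
}

# NT4_CRYPTO_NOT_ALLOWED: Netlogon must not allow NT4-compatible cryptography.
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
if ($netlogon.AllowNT4Crypto -eq 1) { Add-Finding 'NT4_CRYPTO_NOT_ALLOWED' 'AllowNT4Crypto = 1' }

# INSECURE_SETTING_NTLM: below LmCompatibilityLevel 5 a DC still accepts NTLM (v1)
# responses; 5 = send NTLMv2 only, refuse LM and NTLM. A missing value means the OS default.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($null -eq $lsa.LmCompatibilityLevel -or $lsa.LmCompatibilityLevel -lt 5) {
    Add-Finding 'INSECURE_SETTING_NTLM' "LmCompatibilityLevel = $($lsa.LmCompatibilityLevel) (NTLMv1 still accepted)"
}

# TOMBSTONE_LIFETIME_ABOVE_LIMIT: forest-wide attribute; the page limit is 180 days.
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tsl = (Get-ADObject -Identity $dsConfig -Properties tombstoneLifetime).tombstoneLifetime
if ($tsl -gt 180) { Add-Finding 'TOMBSTONE_LIFETIME_ABOVE_LIMIT' "tombstoneLifetime = $tsl days (max 180)" }

# *_ADMIN_COUNT_EXCEEDED: allowance of 5 per privileged group. 'Administrators' is the
# Built-in Admins group; Enterprise Admins exists only in the forest root domain.
foreach ($group in 'Administrators', 'Domain Admins', 'Enterprise Admins') {
    $count = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue).Count
    if ($count -gt 5) { Add-Finding 'ADMIN_COUNT_EXCEEDED' "$group has $count members (allowance 5)" }
}

# STALE_USERS_FOUND: 90-day window is an assumed threshold (not stated on the page).
$stale = @(Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly)
if ($stale.Count -gt 0) { Add-Finding 'STALE_USERS_FOUND' "$($stale.Count) users inactive for 90+ days" }

# INSUFFICIENT_RESOURCES: page minimum is 2 CPU cores and 7 GB RAM.
$cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$ramGb = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
if ($cores -lt 2 -or $ramGb -lt 7) { Add-Finding 'INSUFFICIENT_RESOURCES' "$cores cores, $ramGb GB RAM" }

if ($findings.Count -eq 0) { 'No warnings.' } else { $findings }
```

Run it in an elevated PowerShell session on each domain controller; the time-source check is per-DC, while the tombstone, group-membership and stale-user checks are directory-wide and only need to run once. Each finding carries the warning code from the table so it can be matched to the resolution listed there.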