Troubleshooting Simple AD - Amazon Directory Service

Troubleshooting Simple AD

The following can help you troubleshoot some common issues you might encounter when creating or using your directory.

Password recovery

If a user forgets a password or is having trouble signing in to either your Simple AD or Amazon Managed Microsoft AD directory, you can reset their password using either the Amazon Web Services Management Console, Windows PowerShell or the Amazon CLI.

For more information, see Reset a user password.

I receive a "KDC can't fulfill requested option" error when adding a user to Simple AD

This can occur when the Samba CLI client does not correctly send the 'net' commands to all domain controllers. If you see this error message when using the 'net ads' command to add a user to your Simple AD directory, use the -S argument and specify the IP address of one of your domain controllers. If you still see the error, try the other domain controller. You can also use the Active Directory Administration Tools to add users to your directory. For more information, see Install the Active Directory Administration Tools for Simple AD.

I am not able to update the DNS name or IP address of an instance joined to my domain (DNS dynamic update)

DNS dynamic updates are not supported in Simple AD domains. You can instead make the changes directly by connecting to your directory using DNS Manager on an instance that is joined to your domain.

I cannot log onto SQL Server using a SQL Server account

You might receive an error if you attempt to use SQL Server Management Studio (SSMS) with a SQL Server account to log into SQL Server running on a Windows 2012 R2 EC2 instance. The issue occurs when SSMS runs as a domain user and can result in the error "Login failed for user," even when valid credentials are provided. This is a known issue and Amazon is actively working to resolve it.

To work around the issue, log in to SQL Server with Windows Authentication instead of SQL Authentication, or launch SSMS as a local user instead of a Simple AD domain user.

My directory is stuck in the "requested" state

If you have a directory that has been in the "Requested" state for more than five minutes, try deleting the directory and recreating it. If this problem persists, contact the Amazon Web Services Support Center.

I receive an "AZ constrained" error when I create a directory

Some Amazon accounts created before 2012 might have access to Availability Zones in the US East (N. Virginia), US West (N. California), or Asia Pacific (Tokyo) Region that do not support Amazon Directory Service directories. If you receive an error such as this when creating a directory, choose a subnet in a different Availability Zone and try to create the directory again.

Some of my users cannot authenticate with my directory

Your user accounts must have Kerberos preauthentication enabled. This is the default setting for new user accounts, and it should not be modified. For more information about this setting, go to Preauthentication on Microsoft TechNet.
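One way to find the affected accounts, as an added example that is not part of the original documentation: the preauthentication setting is stored as the UF_DONT_REQUIRE_PREAUTH bit (0x400000) of each account's userAccountControl attribute, so the script below reads an LDIF export of sAMAccountName and userAccountControl and lists the accounts that have the bit set. The function names, the ldapsearch connection options and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not AWS code. Lists accounts whose userAccountControl has
# UF_DONT_REQUIRE_PREAUTH (0x400000 = 4194304) set, i.e. preauthentication off.

# Reads LDIF on stdin; prints one sAMAccountName per flagged entry.
# Base64-encoded names ("sAMAccountName:: ...") are not decoded and are skipped.
find_no_preauth() {
    awk '
        function emit() {
            # Test the single bit arithmetically; POSIX awk has no bitwise AND.
            if (name != "" && int(uac / 4194304) % 2 == 1) print name
            name = ""; uac = 0
        }
        /^sAMAccountName: /     { name = substr($0, 17); sub(/\r$/, "", name) }
        /^userAccountControl: / { uac = substr($0, 21) + 0 }
        /^[ \t\r]*$/            { emit() }   # blank line ends an LDIF entry
        END                     { emit() }
    '
}

# Hypothetical query helper: $1 = domain controller IP, $2 = bind DN,
# $3 = search base. Connection options are assumptions; adjust to your setup.
query_users() {
    ldapsearch -LLL -x -H "ldap://$1" -D "$2" -W -b "$3" \
        '(&(objectCategory=person)(objectClass=user))' sAMAccountName userAccountControl
}

# Constructed sample export (corp.example.com is a placeholder domain).
sample_ldif() {
    cat <<'EOF'
dn: CN=Alice,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=Legacy Service,CN=Users,DC=corp,DC=example,DC=com
userAccountControl: 4260352
sAMAccountName: svc-legacy

dn: CN=Delegate,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: delegate
userAccountControl: 16777728

dn: CN=Bob,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 4194816
EOF
}
sample_ldif | find_no_preauth   # live: query_users <ip> <dn> <base> | find_no_preauth
```

In the sample, svc-legacy and bob are reported; delegate carries a higher flag bit but not the preauthentication bit, so it is not listed.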

Additional resources

The following resources can help you troubleshoot as you work with Amazon.