Simple AD directory status reasons - Amazon Directory Service

Simple AD directory status reasons

When a directory is impaired or inoperable, the directory status message contains additional information. The status message is displayed in the Amazon Directory Service console, or returned in the DirectoryDescription.StageReason member by the DescribeDirectories API. For more information about the directory status, see Understanding your directory status.

The following are the status messages for a Simple AD directory:

The directory service's elastic network interface is not attached

Description

The critical elastic network interface (ENI) that was created on your behalf during directory creation to establish network connectivity with your VPC is not attached to the directory instance. Amazon applications backed by this directory will not be functional. Your directory cannot connect to your on-premises network.

Troubleshooting

If the ENI is detached but still exists, contact Amazon Web Services Support. If the ENI is deleted, there is no way to resolve the issue and your directory is permanently unusable. You must delete the directory and create a new one.

Issue(s) detected by instance

Description

An internal error was detected by the instance. This usually signifies that the monitoring service is actively attempting to recover the impaired instances.

Troubleshooting

In most cases, this is a transient issue, and the directory eventually returns to the Active state. If the problem persists, contact Amazon Web Services Support for more assistance.

The critical Amazon Directory Service reserved user is missing from the directory

Description

When a Simple AD is created, Amazon Directory Service creates a service account in the directory with the name AWSAdminD-xxxxxxxxx. This error is received when this service account cannot be found. Without this account, Amazon Directory Service cannot perform administrative functions on the directory, rendering the directory unusable.

Troubleshooting

To correct this issue, restore the directory to a previous snapshot that was created before the service account was deleted. Automatic snapshots of your Simple AD directory are taken once a day. If more than five days have passed since this account was deleted, you may not be able to restore the directory to a state where this account exists. If you are not able to restore the directory from a snapshot where this account exists, your directory may become permanently unusable. If this is the case, you must delete your directory and create a new one.

The critical Amazon Directory Service reserved user needs to belong to the Domain Admins group

Description

When a Simple AD is created, Amazon Directory Service creates a service account in the directory with the name AWSAdminD-xxxxxxxxx. This error is received when this service account is not a member of the Domain Admins group. Membership in this group is needed to give Amazon Directory Service the privileges it needs to perform maintenance and recovery operations, such as transferring FSMO roles, joining new directory controllers to the domain, and restoring from snapshots.

Troubleshooting

Use the Active Directory Users and Computers tool to re-add the service account to the Domain Admins group.

The critical Amazon Directory Service reserved user is disabled

Description

When a Simple AD is created, Amazon Directory Service creates a service account in the directory with the name AWSAdminD-xxxxxxxxx. This error is received when this service account is disabled. This account must be enabled so that Amazon Directory Service can perform maintenance and recovery operations on the directory.

Troubleshooting

Use the Active Directory Users and Computers tool to re-enable the service account.

The main domain controller does not have all FSMO roles

Description

Not all of the FSMO roles are owned by the Simple AD directory controller. Amazon Directory Service cannot guarantee certain behavior and functionality if the FSMO roles do not belong to the correct Simple AD directory controller.

Troubleshooting

Use Active Directory tools to move the FSMO roles back to the original working directory controller. For more information about moving the FSMO roles, go to https://docs.microsoft.com/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds. If this does not correct the problem, please contact Amazon Web Services Support for more assistance.

Domain controller replication failures

Description

The Simple AD directory controllers are failing to replicate with one another. This can be caused by one or more of the following issues:

  • The security groups for the directory controllers do not have the correct ports open.

  • The network ACLs are too restrictive.

  • The VPC route table is not routing network traffic between the directory controllers correctly.

  • Another instance has been promoted to a domain controller in the directory.

Troubleshooting

For more information about your VPC network requirements, see Amazon Managed Microsoft AD prerequisites, AD Connector prerequisites, or Simple AD prerequisites. If there is an unknown domain controller in your directory, you must demote it. If your VPC network setup is correct, but the error persists, please contact Amazon Web Services Support for more assistance.
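The DescribeDirectories status field introduced at the top of this page and the snapshot-restore guidance for the missing reserved user, as an added example that is not Amazon's own code: a triage script that maps each status reason listed here to its remedy class and, for the missing reserved-user case, selects the newest snapshot taken before the deletion. The boto3 calls named in the docstring are assumed, and both responses are constructed samples so the script runs offline.

```python
"""Triage Simple AD status reasons from DescribeDirectories output.
Added example, not Amazon's code: live input would come from
boto3.client('ds').describe_directories() / .describe_snapshots();
the responses below are constructed so the script runs offline."""
from datetime import datetime, timedelta, timezone
# Status reasons exactly as this page lists them -> remedy class from its guidance.
REMEDY = {
    "The directory service's elastic network interface is not attached": "support-or-recreate",
    "Issue(s) detected by instance": "wait-transient",
    "The critical Amazon Directory Service reserved user is missing from the directory": "restore-snapshot",
    "The critical Amazon Directory Service reserved user needs to belong to the Domain Admins group": "re-add-domain-admins",
    "The critical Amazon Directory Service reserved user is disabled": "enable-account",
    "The main domain controller does not have all FSMO roles": "move-fsmo-roles",
    "Domain controller replication failures": "check-vpc-network",
}
SNAPSHOT_WINDOW = timedelta(days=5)  # page: restore may no longer be possible after 5 days

def triage(describe_directories):
    """[(directory_id, stage, remedy)] for every directory that is not Active."""
    return [(d["DirectoryId"], d["Stage"],
             REMEDY.get(d.get("StageReason", ""), "unknown-contact-support"))
            for d in describe_directories["DirectoryDescriptions"]
            if d.get("Stage") != "Active"]

def restore_candidate(describe_snapshots, directory_id, deleted_at, now):
    """Newest completed snapshot of the directory taken before the reserved
    account was deleted (None if none), plus whether the 5-day window has passed."""
    prior = [s for s in describe_snapshots["Snapshots"]
             if s["DirectoryId"] == directory_id and s["Status"] == "Completed"
             and s["StartTime"] < deleted_at]
    best = max(prior, key=lambda s: s["StartTime"])["SnapshotId"] if prior else None
    return best, now - deleted_at > SNAPSHOT_WINDOW

# Constructed sample responses; IDs are placeholders, not real resources.
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
def days_ago(n):
    return NOW - timedelta(days=n)
SAMPLE_DIRS = {"DirectoryDescriptions": [
    {"DirectoryId": "d-example00001", "Stage": "Active", "StageReason": ""},
    {"DirectoryId": "d-example00002", "Stage": "Impaired",
     "StageReason": "Issue(s) detected by instance"},
    {"DirectoryId": "d-example00003", "Stage": "Inoperable",
     "StageReason": "The critical Amazon Directory Service reserved user is missing from the directory"}]}
SAMPLE_SNAPS = {"Snapshots": [
    {"SnapshotId": "s-example0001", "DirectoryId": "d-example00003",
     "Status": "Completed", "StartTime": days_ago(3)},
    {"SnapshotId": "s-example0002", "DirectoryId": "d-example00003",
     "Status": "Completed", "StartTime": days_ago(1)}]}

if __name__ == "__main__":
    print(triage(SAMPLE_DIRS))
    print(restore_candidate(SAMPLE_SNAPS, "d-example00003", days_ago(2), NOW))
```

Run against a live account, the same two functions take the real describe_directories and describe_snapshots responses unchanged; the deletion time would come from your own audit trail.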