How to join AWS File Gateway to Active Directory (AD) domain, troubleshooting common domain join issues?

When you deploy AWS File Gateway in your on-premises environment or in your Amazon VPC, you may want to join the File Gateway to an Active Directory (AD) domain. In this post, I show how to join the gateway to the domain using the CLI and the AWS Management Console, and the prerequisites for joining the File Gateway to your AD domain.

Join Domain using CLI command:

$ aws storagegateway join-domain --gateway-arn arn:aws:storagegateway:us-west-2:111122223333:gateway/sgw-ABCD1234 --domain-name corp.example.com --user-name <username> --password <password>

If you want to increase the connection timeout, specify a domain controller, or join a particular Organizational Unit (OU), you can use the following example CLI command.

$ aws storagegateway join-domain --gateway-arn arn:aws:storagegateway:us-west-2:111122223333:gateway/sgw-ABCD1234 --domain-name corp.example.com --user-name <username> --password <password> --domain-controller <IP or hostname> --timeout-in-seconds 120 --organizational-unit "OU=SGW,DC=corp,DC=example,DC=com"


Join Domain using AWS management console:

Required ports and usage, domain join steps:

  • All the required ports between your File Gateway and your Domain Controller should be open.
  • The DNS servers configured on your File Gateway should be able to resolve the SRV records of the Domain Controllers of the domain that you want to join.
  • The AD user joining the File Gateway to the domain should have the required permissions.

    Depending on your environment, you may need other ports, as mentioned in this doc. At a minimum, the following ports should be open from the gateway to your DNS servers and Active Directory Domain Controller (DC). If you have a firewall, allow the File Gateway IP to connect to the following ports on your DNS and DC servers.

53 – DNS – TCP/UDP
389 – CLDAP and LDAP – TCP/UDP
445 – SMB – TCP/UDP
135 – DCE/RPC (Distributed Computing Environment / Remote Procedure Call) – TCP
88 – Kerberos – TCP/UDP

As part of the domain join process, the File Gateway sends a DNS query for the SRV records to get the domain controller (DC) information for your domain. For example, for the domain corp.example.com, the following DNS SRV record would be queried. You can run the following nslookup command from any other domain-joined computer in the same network as the File Gateway.

$ nslookup -type=srv _ldap._tcp.dc._msdcs.corp.example.com

If you want to specify the DNS server in the nslookup command, you can use the following syntax. You should see the Domain Controller information and the SRV record in the response, as below.

$ nslookup -type=srv _ldap._tcp.dc._msdcs.corp.example.com <DNS server IP>
$ nslookup -type=srv _ldap._tcp.dc._msdcs.corp.example.com
Server:  UnKnown
Address:  172.31.38.88

_ldap._tcp.dc._msdcs.corp.example.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.corp.example.com
dc1.corp.example.com       internet address = 172.31.38.88

If you don’t have access to another computer in the same network as the File Gateway, you can open the File Gateway local console, choose option 6 (Command Prompt), and run the following command. This verifies whether the domain is resolvable from your gateway. The File Gateway uses the DNS servers that are configured in the local console under Network configuration.

Command: dig -d corp.example.com

Once the domain controllers are identified from the SRV records for the domain, the File Gateway selects a candidate domain controller in weighted random order. Then, the File Gateway sends an A record DNS query and gets the IP address of the candidate Domain Controller (DC). Next, the File Gateway sends an LDAP ping to that candidate domain controller on UDP port 389. The candidate DC responds to the LDAP ping with the domain information.

You can verify TCP connectivity on the required ports by running the following commands from the Command Prompt section of the File Gateway local console.

Command: ncport -d <IP Address> -p 53
Command: nping -t tcp -c 1 -d <IP Address>  -p 53
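To turn the SRV lookup, A record lookup and port-check sequence above into one repeatable pre-flight check, here is an added Python example; it is not AWS code and not part of the original post. It assumes you supply the SRV and A lookups yourself (for a live run, wrap dnspython's dns.resolver.resolve), and it ships with constructed sample records that mirror the nslookup output shown earlier.

```python
"""Pre-flight check for the File Gateway domain-join path described above."""
import random
import socket

# Minimum ports the post lists between the gateway and its DNS/DC servers.
REQUIRED_TCP_PORTS = {53: "DNS", 88: "Kerberos", 135: "DCE/RPC", 389: "LDAP", 445: "SMB"}

# Constructed sample data mirroring the nslookup output in the post (not a real DC).
SAMPLE_SRV = {"_ldap._tcp.dc._msdcs.corp.example.com": [(0, 100, 389, "dc1.corp.example.com")]}
SAMPLE_A = {"dc1.corp.example.com": "172.31.38.88"}

def dc_srv_name(domain):
    """SRV name the gateway queries to locate the domain controllers."""
    return f"_ldap._tcp.dc._msdcs.{domain}"

def pick_candidate_dc(srv_records, rng=random):
    """Choose a DC as the post describes: lowest priority, then weighted random
    among records sharing it. srv_records: [(priority, weight, port, target)]."""
    if not srv_records:
        raise LookupError("no SRV records: check the DNS servers on the local console")
    best = min(r[0] for r in srv_records)
    tier = [r for r in srv_records if r[0] == best]
    weights = [max(r[1], 0) for r in tier]
    if sum(weights) == 0:            # all-zero weights: no preference, pick uniformly
        return rng.choice(tier)
    return rng.choices(tier, weights=weights, k=1)[0]

def tcp_port_open(host, port, timeout=3.0):
    """Same check as 'ncport -d <host> -p <port>' on the gateway local console."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(domain, resolve_srv, resolve_a, probe=tcp_port_open):
    """SRV -> A -> TCP port checks. Resolvers are injected (e.g. wrap
    dns.resolver.resolve(name, 'SRV') from dnspython) so this runs offline.
    Returns (dc_hostname, dc_ip, {port: reachable})."""
    target = pick_candidate_dc(resolve_srv(dc_srv_name(domain)))[3]
    ip = resolve_a(target)
    return target, ip, {p: probe(ip, p) for p in REQUIRED_TCP_PORTS}

def blocked_ports(results):
    """Ports that failed, labelled with the service, for the firewall request."""
    return [f"{p}/{REQUIRED_TCP_PORTS[p]}" for p, ok in sorted(results.items()) if not ok]

if __name__ == "__main__":
    dc, ip, res = preflight("corp.example.com", SAMPLE_SRV.__getitem__, SAMPLE_A.__getitem__)
    print(f"candidate DC {dc} ({ip}); blocked: {blocked_ports(res) or 'none'}")
```

Run it from a host on the same network as the gateway (with real resolvers plugged in); any entry in the blocked list maps directly to a firewall rule that is missing between the gateway and the DC.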

After DC location is completed, the File Gateway, like any other client, follows the steps described here to bind to and join the Active Directory domain.

Apart from network connectivity or firewall issues on the required ports, you can get access denied and other errors. If the AD user joining the gateway to the domain does not have the required permissions, you get an access denied error. The minimum permissions that need to be delegated to the Active Directory user are listed here.

If the AD user is not a member of the Domain Admins Active Directory (AD) group and has not been delegated permission to create and delete computer accounts in the relevant containers in Active Directory, that user is limited to the default quota of 10 machines. Once that quota is exhausted, they cannot join additional computers, such as the File Gateway, to the domain.

Additional references:
https://docs.aws.amazon.com/filegateway/latest/files3/CreatingAnSMBFileShare.html
https://docs.aws.amazon.com/cli/latest/reference/storagegateway/join-domain.html
https://aws.amazon.com/premiumsupport/knowledge-center/storage-gateway-domain-join-error/
