AD Connector cannot connect to Active Directory
For AD Connector to connect to the on-premises directory, the firewall for the on-premises network must allow traffic on certain ports from the CIDR ranges of both VPC subnets that the AD Connector uses. Refer to Scenario 1: Using AD Connector to Proxy Authentication to On-Premises Active Directory Service. To test whether these conditions are met, perform the following steps.
To test the connection:
- Launch a Windows instance in the VPC and connect to it over RDP. The remaining steps are performed on that instance.
- Download and unzip the DirectoryServicePortTest test application. The source code and Microsoft Visual Studio project files are included, so the test application can be modified if desired.
- From a Windows command prompt, run the DirectoryServicePortTest test application with the following options:
DirectoryServicePortTest.exe -d <domain_name> -ip <server_IP_address> -tcp "53,88,135,139,389,445,464,636,49152" -udp "53,88,123,137,138,389,445,464"
<domain_name> — The fully qualified domain name of the on-premises domain, used to test the forest and domain functional levels. If the domain name is omitted, the functional levels are not tested.
<server_IP_address> — The IP address of a domain controller in the on-premises domain. The ports are tested against this address. If the IP address is omitted, the ports are not tested.
This test determines whether the necessary ports are open from the VPC to the on-premises domain, and also verifies that the forest and domain meet the minimum functional levels.
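As an added example (not the DirectoryServicePortTest tool and not code from the AWS page), the following Windows PowerShell 5.1 script runs an equivalent check from the VPC instance: it attempts a TCP connection to the domain controller on the same TCP port list the page passes to the tool, confirms DNS over UDP by querying the domain's DC locator SRV record against that controller, and then reads the domain and forest functional levels through the .NET System.DirectoryServices.ActiveDirectory classes. The domain name and server address are placeholders to be replaced with your own values; the script assumes Windows Server 2012 R2 or later for Test-NetConnection and Resolve-DnsName.

```powershell
# Added example, not part of the AWS page or the DirectoryServicePortTest tool.
# Run in Windows PowerShell 5.1 on the Windows instance launched in the VPC.
# $DomainName and $ServerIp are placeholders; substitute your on-premises values.
param(
    [string]$DomainName = 'corp.example.com',   # placeholder FQDN of the on-premises domain
    [string]$ServerIp   = '10.0.0.10',          # placeholder IP of one on-premises domain controller
    [int[]] $TcpPorts   = @(53,88,135,139,389,445,464,636,49152)  # same TCP list as the page's command
)

# 1. TCP reachability: one connect attempt per port against the domain controller.
#    Test-NetConnection only exercises TCP; UDP 53 is covered separately below.
$tcpResults = foreach ($port in $TcpPorts) {
    $r = Test-NetConnection -ComputerName $ServerIp -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Open = $r.TcpTestSucceeded }
}
$tcpResults | Format-Table -AutoSize
$closed = $tcpResults | Where-Object { -not $_.Open } | Select-Object -ExpandProperty Port
if ($closed) {
    Write-Warning ("TCP ports not reachable from this subnet: {0}" -f ($closed -join ','))
}

# 2. UDP 53: Resolve-DnsName sends its query over UDP first, so a successful SRV lookup of the
#    DC locator record shows that DNS over UDP to this controller works and that it serves the zone.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $ServerIp -ErrorAction Stop
    "DC locator SRV records returned by {0}:" -f $ServerIp
    $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port | Format-Table -AutoSize
} catch {
    Write-Warning ("DNS query for {0} via {1} failed: {2}" -f $srvName, $ServerIp, $_.Exception.Message)
}

# 3. Functional levels, read over LDAP (requires DNS and TCP 389 from step 1 to be working).
#    This mirrors the forest/domain check DirectoryServicePortTest performs when -d is supplied.
Add-Type -AssemblyName System.DirectoryServices
try {
    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    "Domain functional level : {0}" -f $domain.DomainMode
    "Forest functional level : {0}" -f $domain.Forest.ForestMode
} catch {
    Write-Warning ("Could not read functional levels for {0}: {1}" -f $DomainName, $_.Exception.Message)
}
```

Step 3 binds with the credentials of the logged-on user; on an instance that is not joined to the on-premises domain, construct the DirectoryContext with the four-argument overload (context type, domain name, user name, password) so the LDAP bind uses an on-premises account. A port that shows Open = False in step 1 while the same port is listed in the firewall rule usually means the rule does not cover the CIDR of the subnet this instance is in; repeat the script from an instance in the second AD Connector subnet to check both.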