David Cummings

asked on
unable to promote domain controller over VPN or WAN connection

Domain on premises, Windows 2016 servers.

A domain-joined 2016 server EC2 instance, Amazon AWS. I can join the EC2 machine to the on-premises domain over the VPN connection between AWS and on-prem, but when I try to promote it as a domain controller it says "access denied".

Also, I found that if I open a Windows Explorer window on the AWS EC2 machine, I cannot put \\domainname in the address bar and get the administrative shares, but if I put \\ip-address I do get those shares.

I have tried putting the domain name in a hosts file on the EC2 instance, but no change.

Short version: I can join an AWS instance to an on-prem domain over the VPN, but can't promote the AWS instance to a domain controller.

I could really use help with this.

Thanks.


Hayes Jupe

Promoting to a DC requires different ports than joining a domain, and that's the most likely culprit.

Are you able to see traffic logs at your VPN/firewall device? Filter by the source and destination IPs and you should be able to see what is being blocked.
David Cummings

ASKER

No Windows firewalls running on the DCs or the EC2 instance.

The AWS security group allows all outgoing and all incoming traffic on the VPN.

The on-prem firewall device has all ports open in both directions on the VPN.

Is the AWS server configured to use an on-prem domain controller for its DNS?
Daryl, yes. The on-prem DCs are 172.20.1.1 and 172.20.1.2, and those are the DNS servers on the AWS machine.
You said \\domainname doesn't work. Did you enter the full domain name? i.e. \\mydomain.com?
Yes, the full domain.

Is there some troubleshooting utility or tool I can apply to this problem?

Thanks for your responses so far.
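The two points above, that promotion needs ports a plain domain join does not, and that the asker wants a tool to pinpoint what is failing, can be checked from the EC2 member server itself. The script below is an added example written for this thread, not something posted by any participant. It uses the on-prem DC addresses given in the thread; the domain FQDN, the replication source DC name and the credential prompt are placeholders to replace.

```powershell
# Added diagnostic, not from the thread. Run on the EC2 member server before
# attempting promotion. DC IPs are from the thread; $Domain and $SourceDC are
# placeholders (assumptions) that must be replaced with the real values.
$Domain   = 'mydomain.com'                # placeholder FQDN
$SourceDC = 'dc1.mydomain.com'            # placeholder replication source DC
$DcIPs    = @('172.20.1.1', '172.20.1.2') # on-prem DCs named in the thread

# 1. TCP ports a new DC must reach on an existing DC. A domain join only needs
#    DNS, Kerberos, LDAP, SMB and the RPC endpoint mapper; promotion additionally
#    replicates over RPC (port 135 plus the dynamic range 49152-65535) and talks
#    to the Global Catalog ports, so a VPN that passes joins can still block promotion.
$Ports = [ordered]@{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
    445 = 'SMB'; 464 = 'Kerberos kpasswd'; 636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'GC over SSL'
}

$results = foreach ($ip in $DcIPs) {
    foreach ($p in $Ports.Keys) {
        $t = Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $ip; Port = $p; Service = $Ports[$p]; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize
# Any row with Open=False is a gap between the DCs and the EC2 instance that a
# join may never have exercised. The dynamic RPC range cannot be probed port by
# port; confirm it at the VPN/firewall policy, because 135 answering while the
# high ports are blocked still breaks replication.

# 2. DNS: promotion locates the source DC through SRV records, so resolve them
#    against each DNS server the EC2 instance is actually configured to use.
foreach ($ip in $DcIPs) {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $ip -ErrorAction Continue |
        Select-Object Name, NameTarget, Port, @{ n = 'AnsweredBy'; e = { $ip } }
}
# The A record for the bare domain name is what \\mydomain.com in Explorer relies on;
# \\ip-address bypasses it, which is why the two behave differently.
Resolve-DnsName -Name $Domain -Type A -ErrorAction Continue

# 3. DC locator and secure channel as seen from the member server.
nltest /dsgetdc:$Domain /force
Test-ComputerSecureChannel -Verbose

# 4. The built-in prerequisite check for promotion. It reports the specific failing
#    requirement instead of the bare "access denied" seen during the real promotion,
#    and it makes no changes to the server.
Import-Module ADDSDeployment
Test-ADDSDomainControllerInstallation -DomainName $Domain -ReplicationSourceDC $SourceDC `
    -Credential (Get-Credential -Message 'Account used for the promotion') -InstallDns:$true
```

Run it in an elevated PowerShell session on the EC2 instance. Step 1 shows which DC ports the VPN really passes, step 2 shows whether the SRV and A records that name resolution and DC location depend on are served by the on-prem DNS servers, and step 4 reproduces the promotion checks without performing the promotion.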
How are you trying to promote the server? Are you using System Manager to promote it? If you are, it should give you a checklist of whether requirements are met before promoting the server. It sounds like maybe the user you are trying to use to promote the server doesn't have the proper permissions.
The answer to all questions is this:

The promotion procedure is EXACTLY THE SAME, whether it's done on-prem or on the Amazon server over the VPN. Same user. Same domain. Connected to the same source domain controller. Everything is the same.

The only difference is that over the Amazon-to-on-prem VPN the promotion procedure fails, even though EVERY OTHER DOMAIN-RELATED ACTION OVER THE VPN SUCCEEDS.

I have abandoned trying this and it looks like no one who has bothered to look at this question (and I thank those, sincerely, for taking that look) has any idea if this is even possible or not.

What I ended up doing was building a new domain controller on-prem, exporting it to Amazon, converting the export to an EC2 instance, and turning it up in Amazon, and it works just fine, in full communication with the on-prem servers. So I now HAVE a domain controller in Amazon, but I can't get one there by PROMOTING a domain controller in Amazon.


ASKER CERTIFIED SOLUTION
David Cummings