Hudvoy

Reputation: 4096

Not able to associate EC2 instances to an Active Directory using an Auto Scaling Group

I am trying to deploy an Auto Scaling Group that has all its EC2 instances connected automatically to the AWS Directory Service. I followed all the steps in this tutorial: https://aws.amazon.com/blogs/security/how-to-configure-your-ec2-instances-to-automatically-join-a-microsoft-active-directory-domain/

This is the user data script I use (it also installs CodeDeploy):

<powershell>
# Install the CodeDeploy agent: fetch the MSI from the regional S3 bucket and run it silently
New-Item -Path c:\temp -ItemType "directory" -Force
Read-S3Object -BucketName aws-codedeploy-us-east-1/latest -Key codedeploy-agent.msi -File c:\temp\codedeploy-agent.msi
Start-Process -Wait -FilePath c:\temp\codedeploy-agent.msi -WindowStyle Hidden

# Look up this instance's ID from the instance metadata service, then associate it with
# the SSM document that performs the domain join (the document itself works fine)
Set-Variable -name instance_id -value (Invoke-RestMethod -uri http://169.254.169.254/latest/meta-data/instance-id)
New-SSMAssociation -InstanceId $instance_id -Name "ssmDocumentName_works_fine"
</powershell>

I am using a custom AMI. Before creating the AMI, I launched the EC2ConfigService Settings and checked the option: Enable User Data execution for next service start.

However, when a new instance is launched by the ASG, it is not part of any domain. It is still in the workgroup WORKGROUP. If I RDP to the EC2 instance and run the user data in PowerShell, I get an "AssociationAlreadyExistsException" exception.

Why are the EC2 instances not connecting to the Active Directory?

Thanks

Upvotes: 1

Views: 501

Answers (1)

Hudvoy

Reputation: 4096

I finally found out what the problem was. The instances' security group was allowing only HTTPS (port 443) for outbound traffic.

I found the list of ports I needed to open to make it work : http://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_managed.html

I hope this helps others too.

Upvotes: 0
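To confirm the egress problem described in this answer before changing the Auto Scaling Group, here is an added diagnostic to run on a freshly launched instance (example code, not from the original post). It assumes the directory's DNS/domain controller addresses are the placeholders in `$dcAddresses`, and it probes the standard TCP ports a Windows domain join uses; UDP ports (DNS/Kerberos over UDP, NTP) and the dynamic RPC range cannot be probed this way and must still be allowed in the security group.

```powershell
# Added example: check outbound reachability from an instance to the directory's
# domain controllers. Placeholder addresses; replace with the DNS addresses shown
# for the directory in the AWS Directory Service console.
$dcAddresses = @('10.0.0.10', '10.0.1.10')

# Standard TCP ports a domain join needs. The corrected security group should allow
# these only towards the directory addresses, not to 0.0.0.0/0.
$tcpPorts = @(
    @{ Port = 53;   Use = 'DNS' },
    @{ Port = 88;   Use = 'Kerberos' },
    @{ Port = 135;  Use = 'RPC endpoint mapper' },
    @{ Port = 389;  Use = 'LDAP' },
    @{ Port = 445;  Use = 'SMB (SYSVOL/NETLOGON)' },
    @{ Port = 464;  Use = 'Kerberos password change' },
    @{ Port = 636;  Use = 'LDAPS' },
    @{ Port = 3268; Use = 'Global catalog' }
)

function Test-DomainJoinEgress {
    param([string[]]$Addresses, [hashtable[]]$Ports)
    $blocked = @()
    foreach ($addr in $Addresses) {
        foreach ($p in $Ports) {
            # TcpTestSucceeded is $false when the connection is refused or filtered
            $r = Test-NetConnection -ComputerName $addr -Port $p.Port -WarningAction SilentlyContinue
            if (-not $r.TcpTestSucceeded) {
                $blocked += [pscustomobject]@{ Address = $addr; Port = $p.Port; Use = $p.Use }
            }
        }
    }
    return $blocked
}

# Wrap in @() so an empty result still has a Count of 0
$blocked = @(Test-DomainJoinEgress -Addresses $dcAddresses -Ports $tcpPorts)
if ($blocked.Count -eq 0) {
    Write-Output 'All probed TCP ports are reachable; a failed join is not a TCP egress problem.'
} else {
    Write-Output 'Blocked ports (compare with the security group outbound rules):'
    $blocked | Format-Table -AutoSize
}
```

With the outbound rules limited to 443 as in this question, every row above will show as blocked; after the security group is corrected the list should be empty.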
