Network Validation
Before joining your RDS Custom instance to either self-managed or AWS Managed Microsoft AD, check the following from a EC2 instance in the same VPC as where you plan to launch the RDS Custom for SQL Server instance.
Check if you are able to resolve the fully qualified domain name (FQDN) to domain controller IPs.
nslookup corp.example.comThe command must return a similar output:
Server: ip-10-0-0-2.us-west-2.compute.internal Address: 25.0.0.2 Non-authoritative answer: Name: corp.example.com Addresses: 40.0.9.25 (DC1 IP) 40.0.50.123 (DC2 IP)-
Resolve AWS services from an EC2 instance in the VPC where you are launching your RDS Custom instance:
$region='input-your-aws-region' $domainFQDN='input-your-domainFQDN' function Test-DomainPorts { param ( [string]$Domain, [array]$Ports ) foreach ($portInfo in $Ports) { try { $conn = New-Object System.Net.Sockets.TcpClient $connectionResult = $conn.BeginConnect($Domain, $portInfo.Port, $null, $null) $success = $connectionResult.AsyncWaitHandle.WaitOne(1000) # 1 second timeout if ($success) { $conn.EndConnect($connectionResult) $result = $true } else { $result = $false } } catch { $result = $false } finally { if ($null -ne $conn) { $conn.Close() } } Write-Host "$($portInfo.Description) port open: $result" } } # Check if ports can be reached $ports = @( @{Port = 53; Description = "DNS"}, @{Port = 88; Description = "Kerberos"}, @{Port = 389; Description = "LDAP"}, @{Port = 445; Description = "SMB"}, @{Port = 5985; Description = "WinRM"}, @{Port = 636; Description = "LDAPS"}, @{Port = 3268; Description = "Global Catalog"}, @{Port = 3269; Description = "Global Catalog over SSL"}, @{Port = 9389; Description = "AD DS"} ) function Test-DomainReachability { param ( [string]$DomainName ) try { $dnsResults = Resolve-DnsName -Name $DomainName -ErrorAction Stop Write-Host "Domain $DomainName is successfully resolving to following IP addresses: $($dnsResults.IpAddress)" Write-Host "" return $true } catch { Write-Host "" Write-Host "Error Message: $($_.Exception.Message)" Write-Host "Domain $DomainName reachability check failed, please Configure DNS resolution" return $false } } $domain = (Get-WmiObject Win32_ComputerSystem).Domain if ($domain -eq 'WORKGROUP') { Write-Host "" Write-Host "Host $env:computername is still part of WORKGROUP and not part of any domain" } else { Write-Host "" Write-Host "Host $env:computername is joined to $domain domain" Write-Host "" } $isReachable = Test-DomainReachability -DomainName $domainFQDN if ($isReachable) { write-Host "Checking if domain $domainFQDN is reachable on required ports " Test-DomainPorts -Domain $domainFQDN -Ports $ports } else { Write-Host "Port check skipped. Domain not reachable" } # Get network adapter configuration $networkConfig = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled -eq $true } | Select-Object -First 1 # Check DNS server settings $dnsServers = $networkConfig.DNSServerSearchOrder if ($dnsServers) { Write-Host "`nDNS Server settings:" foreach ($server in $dnsServers) { Write-Host " - $server" } } else { Write-Host "`nNo DNS servers configured or unable to retrieve DNS server information." } write-host "" # Checks Reachability to AWS dependent Services $services = "s3", "ec2", "secretsmanager", "logs", "events", "monitoring", "ssm", "ec2messages", "ssmmessages" function Get-TcpConnectionAsync { param ( $ServicePrefix, $region ) $endpoint = "${ServicePrefix}.${region}.amazonaws.com" $tcp = New-Object Net.Sockets.TcpClient $result = $false try { $connectTask = $tcp.ConnectAsync($endpoint, 443) $timedOut = $connectTask.Wait(3000) $result = $tcp.Connected } catch { $result = $false } return $result } foreach ($service in $services) { $validationResult = Get-TcpConnectionAsync -ServicePrefix $service -Region $region Write-Host "Reachability to $service is $validationResult" }The
TcpTestSucceededvalue must returnTruefors3,ec2,secretsmanager,logs,events,monitoring,ssm,ec2messages, andssmmessages.
