Troubleshoot Connector for AD connector creation failures
Connector for AD connector creation can fail for various reasons. When connector creation fails, the failure reason is returned in the API response. If you're using the console, the failure reason is displayed on the Connector details page in the Additional status details field of the Connector details container. The following table describes each failure reason and the recommended steps for resolution.
Failure status | Description | Remediation |
---|---|---|
CA_CERTIFICATE_REGISTRATION_FAILED | Connector for AD is unable to import CA certificates into your directory. | Review the Prerequisites page and check that your service account has the right permissions. After delegating the correct permissions to your service account, delete the failed connector and create a new one. For information about delegating permissions, see Delegate privileges to your service account in the AWS Directory Service Administration Guide. |
DIRECTORY_ACCESS_DENIED | Connector for AD is unable to access your directory. | You must grant Connector for AD access to your directory. Review the Step 4: Create IAM Policy section to make sure that the IAM policy associated with your AWS account enables you to access and describe directories. After granting the correct permissions to your AWS role, delete the failed connector and create a new one. If you're using Connector for AD with an AWS Directory Service AD Connector, make sure that the AD Connector service account's password is valid and hasn't expired. For information about AD Connector service accounts, see Getting started with AD Connector in the AD Connector Administration Guide. |
INTERNAL_FAILURE | Connector for AD experienced an internal failure. | Try again later. Delete the failed connector and create a new one. |
PRIVATECA_ACCESS_DENIED | Connector for AD is unable to access your private CA. | Review the Prerequisites page and check that you have the permissions to create a connector. For information, see Step 4: Create IAM Policy. If you're creating a connector through the AWS CLI or API, review the Prerequisites page and check that you have shared the private CA with Connector for AD using AWS Resource Access Manager. After checking and fixing IAM permissions and AWS RAM resource sharing, delete the failed connector and create a new one. |
PRIVATECA_RESOURCE_NOT_FOUND | Connector for AD can't find the specified private CA. | Make sure that you specify the correct private CA Amazon Resource Name (ARN), then delete the failed connector and create a new one using your intended private CA ARN. |
SECURITY_GROUP_NOT_IN_VPC | The security group isn't in the VPC that hosts your directory. | Use a security group that is in the VPC that hosts your directory. For more information, see Step 7: Configure security groups. Delete the failed connector and create a new one with a security group that is in the VPC. |
VPC_ACCESS_DENIED | Connector for AD can't access the Amazon VPC that hosts your directory. | Check your IAM permissions. Delete the failed connector and create a new one. For an example IAM policy that includes access permissions, see Step 4: Create IAM Policy. |
VPC_ENDPOINT_LIMIT_EXCEEDED | Connector for AD can't create an endpoint in your Amazon VPC. You have reached the limit of VPC endpoints that you can create for your account. | Delete Amazon VPC endpoints, or request a limit increase. Once you've done one of the two, delete the failed connector and create a new one. For information about quotas, see Amazon Virtual Private Cloud Service quotas. |
VPC_RESOURCE_NOT_FOUND | Connector for AD can't find the specified VPC. | Make sure that you specified the correct VPC and that the VPC exists. Then delete the failed connector and create a new one using the correct VPC ID. |
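Several of the failure reasons in the table (a CA ARN in the wrong region or malformed, a security group outside the directory's VPC, the VPC endpoint quota already used up) can be caught before the connector is created, and the one that can't (INTERNAL_FAILURE) is the only one where deleting and recreating without changing anything is the right move. The following Python is an added example, not code from this documentation or from AWS. It assumes the caller has already fetched the raw responses of `ds:DescribeDirectories`, `ec2:DescribeSecurityGroups` and `pca-connector-ad:GetConnector` (for example with boto3 or the AWS CLI) and passes them in, so it runs offline on the constructed sample data below; the Private CA ARN pattern and the `Status`/`StatusReason` field names follow the public API shapes, and the endpoint quota is passed in rather than assumed.

```python
"""Pre-flight checks for Connector for AD creation and triage of a FAILED connector.

Added example (not AWS code). Inputs are the dict shapes returned by
ds:DescribeDirectories, ec2:DescribeSecurityGroups and pca-connector-ad:GetConnector,
already fetched by the caller, so nothing here talks to AWS.
"""
from __future__ import annotations

import re

# ARN shape of an AWS Private CA certificate authority (region and account captured
# so they can be compared with where the connector is being created).
_CA_ARN = re.compile(
    r"^arn:aws[\w-]*:acm-pca:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":certificate-authority/[0-9a-f-]{36}$"
)

# StatusReason values from the troubleshooting table, split by whether a bare
# delete-and-recreate can help or whether configuration must be fixed first.
RETRY_ONLY = {"INTERNAL_FAILURE"}
FIX_FIRST = {
    "CA_CERTIFICATE_REGISTRATION_FAILED", "DIRECTORY_ACCESS_DENIED",
    "PRIVATECA_ACCESS_DENIED", "PRIVATECA_RESOURCE_NOT_FOUND",
    "SECURITY_GROUP_NOT_IN_VPC", "VPC_ACCESS_DENIED",
    "VPC_ENDPOINT_LIMIT_EXCEEDED", "VPC_RESOURCE_NOT_FOUND",
}


def directory_vpc(directory: dict) -> str | None:
    """VPC ID of one DescribeDirectories entry.
    Managed Microsoft AD reports it under VpcSettings; an AD Connector under ConnectSettings."""
    for key in ("VpcSettings", "ConnectSettings"):
        vpc = directory.get(key, {}).get("VpcId")
        if vpc:
            return vpc
    return None


def preflight(directory: dict, security_groups: list[dict], ca_arn: str,
              region: str, endpoint_count: int, endpoint_quota: int) -> list[str]:
    """Return a list of problems that would map to table failure reasons; empty means clear."""
    problems: list[str] = []
    m = _CA_ARN.match(ca_arn)
    if not m:
        problems.append(f"PRIVATECA_RESOURCE_NOT_FOUND risk: {ca_arn!r} is not a Private CA ARN")
    elif m["region"] != region:
        problems.append(f"PRIVATECA_RESOURCE_NOT_FOUND risk: CA is in {m['region']}, "
                        f"connector would be created in {region}")
    vpc = directory_vpc(directory)
    if vpc is None:
        problems.append("VPC_RESOURCE_NOT_FOUND risk: directory entry carries no VPC ID")
    for sg in security_groups:
        if vpc and sg.get("VpcId") != vpc:
            problems.append(f"SECURITY_GROUP_NOT_IN_VPC risk: {sg.get('GroupId')} is in "
                            f"{sg.get('VpcId')}, directory is in {vpc}")
    if endpoint_count >= endpoint_quota:
        problems.append(f"VPC_ENDPOINT_LIMIT_EXCEEDED risk: {endpoint_count}/{endpoint_quota} "
                        "VPC endpoints already used")
    return problems


def triage(get_connector_response: dict) -> str:
    """Decide, from a GetConnector response, whether recreating alone is enough."""
    connector = get_connector_response.get("Connector", {})
    status = connector.get("Status")
    if status != "FAILED":
        return f"{status}: no remediation needed"
    reason = connector.get("StatusReason")
    if reason in RETRY_ONLY:
        return "RETRY: delete the failed connector and create a new one"
    if reason in FIX_FIRST:
        return f"FIX_FIRST ({reason}): correct the configuration, then delete and recreate"
    return f"UNKNOWN ({reason}): not a documented failure reason"


# Constructed sample data (not real resources).
SAMPLE_DIRECTORY = {"DirectoryId": "d-1234567890", "VpcSettings": {"VpcId": "vpc-0abc"}}
SAMPLE_CA_ARN = ("arn:aws:acm-pca:us-east-1:123456789012:"
                 "certificate-authority/12345678-1234-1234-1234-123456789012")
GOOD_SGS = [{"GroupId": "sg-0good", "VpcId": "vpc-0abc"}]
BAD_SGS = [{"GroupId": "sg-0bad", "VpcId": "vpc-0other"}]
SAMPLE_FAILED = {"Connector": {"Status": "FAILED", "StatusReason": "SECURITY_GROUP_NOT_IN_VPC"}}

if __name__ == "__main__":
    for p in preflight(SAMPLE_DIRECTORY, BAD_SGS, SAMPLE_CA_ARN, "us-west-2", 50, 50):
        print("preflight:", p)
    print(triage(SAMPLE_FAILED))
```

Run the pre-flight with the real `DescribeDirectories` entry, the security groups you intend to pass, the target region and the current endpoint count against your account's quota; anything it reports corresponds to a row in the table and is cheaper to fix before the create call than after a FAILED connector has to be deleted.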