Domain join errors in AWS are most common when your Active Directory is running as an AWS Directory Service (AWS Managed Microsoft AD). Below are the steps to resolve the following error:

Computer ‘XYZ’ failed to join domain ‘abc.com’ from its current workgroup ‘WORKGROUP’ with the following error message: Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.

When you try to add an AWS EC2 instance to your AWS Directory Service domain, you will sometimes get this message. It comes from the domain's per-user quota on computer accounts (the ms-DS-MachineAccountQuota attribute, which defaults to 10): any authenticated user may create up to that many computer accounts, and once the account you use for joins has used up its quota, every further join with that account fails.
To avoid that, delegate the permission to create computer objects to the user or group you use to join computers to the domain. Accounts that hold this permission explicitly on the OU are not subject to the quota, so the limit no longer applies to them. The steps are given below.
Open “Active Directory Users and Computers” on a machine where you have the AD tools configured > expand your domain and click the OU named after your directory's NetBIOS name (in AWS Directory Service this OU sits below your domain and is the part you are allowed to manage) > Right click > “New” > “Group”
Give the group a name as per your requirement, make sure you select Group scope > “Global” and Group type > “Security” > Click “OK”
Once the group is created, you can add the members who are going to join computers to the domain.
Now we want to give the group permission to add any number of computers to that domain.
Right click on the “Computers” OU under the NetBIOS-name OU of your domain > Select “Delegate Control”
It will redirect you to the Delegation of Control Wizard > Click “Next”
Click the “Add” button to add the users or groups that need to join multiple computers to the domain
Search for the user or group you created above, select it and click “OK”
Once the user or group is selected, click “Next”
On the “Tasks to Delegate” page, select “Create a custom task to delegate” and click “Next”
Next, under “Active Directory Object Type”, select “Only the following objects in the folder:”, tick “Computer objects” in the list, and enable the check boxes “Create selected objects in this folder” and “Delete selected objects in this folder” > Click “Next”
Under “Permissions”, select “General” and “Property-specific” in “Show these permissions”. In the “Permissions:” list below, select “Read” and “Write” (so the delegated accounts can both add computers and remove them). Click “Next”
In “Completing the Delegation of Control Wizard” Verify the information and click “Finish”.
Create a user with a strong password and add that user to the joining group. This user must be in the Users OU that is under your NetBIOS-name OU (the default CN=Users and CN=Computers containers at the domain root are not writable in an AWS managed directory). The user will then have enough privileges to join instances to the directory, and is no longer limited by the computer account quota.
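The whole procedure above (group creation, delegation on the Computers OU, service user creation and a check that the delegation landed) can also be done from PowerShell with the RSAT ActiveDirectory module, which makes it repeatable and lets you see the quota that causes the error in the first place. The following is an added example; it is not code from the original post or from AWS. It assumes you run it on a domain-joined instance as the directory's Admin (or another delegated administrator), and it uses placeholder names: domain abc.com with NetBIOS name ABC, a group called DomainJoiners and a user called svc-domainjoin. Replace them with your own values.

```powershell
# Added example, not from the original post or from AWS. Assumes the RSAT
# ActiveDirectory module, a session with rights to edit the Computers OU's ACL,
# and the placeholder names below. AWS Managed Microsoft AD keeps the writable
# Users and Computers OUs under an OU named after the directory's NetBIOS name.
Import-Module ActiveDirectory

$DomainName  = 'abc.com'          # assumption: your directory's DNS name
$DomainDN    = 'DC=abc,DC=com'    # assumption: its distinguished name
$NetBIOS     = 'ABC'              # assumption: its NetBIOS name
$ComputersOU = "OU=Computers,OU=$NetBIOS,$DomainDN"
$UsersOU     = "OU=Users,OU=$NetBIOS,$DomainDN"
$GroupName   = 'DomainJoiners'    # assumption: the joining group
$UserName    = 'svc-domainjoin'   # assumption: the account used for joins

# 1. Why the join fails: each authenticated user may create at most this many
#    computer accounts (default 10). Delegation bypasses it, so we do not
#    need to raise the value (which a managed directory does not let us do).
$quota = (Get-ADObject -Identity $DomainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota for $DomainDN is $quota"

# 2. Global security group that will hold the accounts allowed to join computers.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $UsersOU)) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $UsersOU `
                -GroupScope Global -GroupCategory Security
}
$group = Get-ADGroup -Identity $GroupName
$sid   = $group.SID

# 3. The delegation the wizard performs on the Computers OU: create/delete
#    Computer objects in the OU, plus Read and Write on those objects.
#    bf967a86-0de6-11d0-a285-00aa003049e2 is the schema GUID of the Computer class.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$allow         = [System.Security.AccessControl.AccessControlType]::Allow

$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$createDeleteAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $createDelete, $allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$readWrite = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
$readWriteAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $readWrite, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl = Get-Acl -Path "AD:\$ComputersOU"
$acl.AddAccessRule($createDeleteAce)
$acl.AddAccessRule($readWriteAce)
Set-Acl -Path "AD:\$ComputersOU" -AclObject $acl

# 4. Check that the ACEs for the group are now on the OU.
(Get-Acl -Path "AD:\$ComputersOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# 5. The join account: created in the Users OU under the NetBIOS-name OU and
#    added to the group. The password is prompted for rather than hard-coded.
$password = Read-Host -AsSecureString -Prompt "Password for $UserName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$UserName'")) {
    New-ADUser -Name $UserName -SamAccountName $UserName `
               -UserPrincipalName "$UserName@$DomainName" -Path $UsersOU `
               -AccountPassword $password -Enabled $true
}
Add-ADGroupMember -Identity $GroupName -Members $UserName

# 6. On the EC2 instance to be joined (run there as a local administrator),
#    join with the delegated account and place the object in the delegated OU:
# Add-Computer -DomainName $DomainName -OUPath $ComputersOU `
#              -Credential (Get-Credential "$NetBIOS\$UserName") -Restart
```

Two points worth checking after running it. The output of step 4 should show two entries for the group: CreateChild/DeleteChild with ObjectType set to the Computer class GUID, and GenericRead/GenericWrite inherited to Descendents of that class; if either is missing, the join will still hit the quota or fail later when the instance tries to update its own object. And the join in step 6 must target the Computers OU under the NetBIOS-name OU via -OUPath, because the delegation lives there, not on the default Computers container at the domain root.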