

# Assessment Test error messages
<a name="assessment_test_error-msgs"></a>

The following table describes error messages that can occur during assessment tests. These errors indicate blocking issues that must be resolved before proceeding with hybrid directory setup.


| Test name | Short name | Error code | Error message | Description | Resolution | 
| --- | --- | --- | --- | --- | --- | 
| Active Directory Services Test | `testActiveDirectoryServices` | `AD_CRITICAL_SERVICES_NOT_RUNNING` | `Critical AD Services: [service_list] not running on hostname`. | Occurs if required AD services are not running in your self-managed AD. | Specific required AD services must be running in your self-managed AD. For more information, see [Required Active Directory services](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-services). | 
| Active Directory Services Test | `testActiveDirectoryServices` | `DOMAIN_CONTROLLER_NOT_FOUND` | `No domain controllers found for testActiveDirectoryServices.` | Occurs if your self-managed AD domain controllers could not be detected or queried during AD service validation. | Ensure your self-managed AD domain controllers are operational and reachable. Verify network connectivity and DNS resolution for your self-managed AD domain controllers. | 
| AD Password Policy Test | `testPasswordPolicies` | `PASSWORD_POLICY_VIOLATIONS` | *`ErrorMessage`* | Occurs if your self-managed AD password policy does not satisfy AWS Managed Microsoft AD requirements. | Your self-managed AD password policy must satisfy the AWS Managed Microsoft AD password requirements. For more information, see [Understanding AWS Managed Microsoft AD password policies](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_password_policies.html). | 
| AWS Admin User Exist Test | `testAwsAdminUserExist` | `ADMINISTRATOR_ACCOUNT_MISSING` | `AWS Admin user not found or invalid.` | Occurs if the hybrid directory administrator user does not exist in the AWS Reserved OU on your self-managed AD. | Ensure the hybrid directory administrator user exists in the AWS Reserved OU on your self-managed AD. If the user is missing, verify that the account was created correctly during hybrid directory setup. For more information, see [Updating a hybrid directory](hybrid_directory_view_and_edit.md#editing_hybrid_dir). If your hybrid directory state is inoperable, contact [Support](https://console.aws.amazon.com/support/home#/). | 
| AWS Admin User SPN Test | `testNoSpnOnAwsAdminAccount` | `SPN_FOUND_ON_AWS_ADMIN` | `Found spnCount Service Principal Names (SPNs) set on AWS admin user Username. Please remove all SPNs from this account.` | Occurs if the hybrid directory administrator user has any SPNs configured on your self-managed AD. | Remove all Service Principal Names (SPNs) from the AWS hybrid directory administrator user account. The hybrid directory administrator user must not have any SPNs configured because they can interfere with hybrid directory authentication. | 
| AWS Domain Controller Not FSMO Owner Test | `testAwsDcNotFsmoOwner` | `AWS_DC_HOLDS_FSMO_ROLE` | `AWS Domain Controller owns FSMO roles: rolesList. Please remove these roles.` | Occurs if you have transferred FSMO roles (PDC Emulator, RID Master, or Infrastructure Master) from your self-managed AD to the hybrid directory domain controller. | Transfer all FSMO roles (PDC Emulator, RID Master, Infrastructure Master) back to your self-managed AD domain controllers before proceeding. For more information, see [Microsoft documentation on transferring FSMO roles](https://learn.microsoft.com/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles). | 
| AWS Reserved Group Membership Test | `testValidateAwsReservedGroupMembership` | `AWS_RESERVED_OU_NOT_FOUND` | `AWS Reserved OU not found.` | Occurs if the AWS Reserved OU on your self-managed AD doesn't exist. | The AWS Reserved OU must exist on your self-managed AD in order to validate group membership. Contact [Support](https://console.aws.amazon.com/support/home#/). | 
| AWS Reserved Group Membership Test | `testValidateAwsReservedGroupMembership` | `GROUP_MEMBERSHIP_MISMATCH` | `AWS Reserved OU Group [GroupNameA]: Missing User(s) [ Object1 ], [ Object2] and Extra user(s) [ Object3 ].` | Occurs if a group in the AWS Reserved OU on your self-managed AD is missing required members or contains unauthorized users. | Remove any unauthorized users from the AWS Reserved OU groups on your self-managed AD, and restore any members reported as missing. | 
| AWS Reserved OU ACLs Test | `testReservedOuAclsPermissions` | `RESERVED_OU_NON_COMPLIANT_AC` | `AWS Reserved OU ACLs permissions are invalid.` | Occurs if the AWS Reserved OU ACLs on your self-managed AD grant non-AWS entities more than read-only permissions, which would allow unauthorized changes to AWS-managed resources. | Review and correct the ACLs on the AWS Reserved OU on your self-managed AD. Ensure that non-AWS entities have only read permissions (`ListChildren`, `ReadProperty`, `ListObject`, `ReadControl`, `GenericRead`, `Synchronize`) and remove any excessive permissions. | 
| AWS Reserved OU GPO Associations Test | `testReservedOuGPOs` | `AWS_RESERVED_OU_NON_RESERVED_GPO_FOUND` | `Found non-AWS GPOs attached to the AWS Reserved OU: AWS Reserved OU (count unauthorized). Allowed GPOs: [allowedAwsGpos]. Domain Controllers OU (count unauthorized). Allowed GPOs: [allowedDcGpos]. Please, remove extra GPOs from the AWS Reserved OU.` | Occurs if the AWS Reserved OU or the Domain Controllers OU on your self-managed AD is linked to unauthorized GPOs. | Only AWS-managed Group Policy Objects (GPOs) can be linked to these OUs. Remove any unauthorized GPOs linked to the AWS Reserved OU and the Domain Controllers OU on your self-managed AD. | 
| AWS Reserved OU Resources Test | `testAwsReservedOUResources` | `AWS_RESERVED_OU_NOT_FOUND` | `The AWS Reserved OU does not exist. Please contact AWS Support.` | Occurs if the AWS Reserved OU, which is required for AWS Managed Microsoft AD directory functionality, does not exist in your self-managed AD. | The AWS Reserved OU is created automatically during hybrid directory setup and must not be deleted. If this error persists, contact [Support](https://console.aws.amazon.com/support/home#/). | 
| AWS Reserved OU Resources Test | `testAwsReservedOUResources` | `AWS_RESERVED_OU_RESOURCES_MISMATCH` | `The following required resources are missing from AWS Reserved OU - Objects: missing objects, GPOs: missing GPOs. The following resources should not exist but were found in AWS Reserved OU: Objects: unexpected objects, GPOs: unexpected GPOs` | Occurs if the AWS Reserved OU on your self-managed AD does not contain exactly the objects and GPOs required for hybrid directory operation. | Do not modify the AWS Reserved OU; it must contain the required AWS-managed resources and nothing else. Remove any unauthorized objects or GPOs, and contact [Support](https://console.aws.amazon.com/support/home#/) if required resources are missing. | 
| AWS Reserved OU Test | `testCleanAwsReservedOU` | `AWS_RESERVED_RESOURCES_STILL_EXIST` | `AWS Reserved OU or AWS Reserved GPO still exists, please delete.` | Occurs if AWS Reserved resources found on your self-managed AD from a previous hybrid directory setup still exist. | Delete the existing failed hybrid directory from the console. Then delete any AWS Reserved OU and related GPOs from your self-managed AD before proceeding. | 
| Bridgehead Naming Context Test | `testBridgeheadNamingContext` | `NAMING_CONTEXT_INCONSISTENT` | *`failureDetails`* | Occurs if inter-site replication through your self-managed AD bridgehead servers is not working as expected, or if the naming contexts are not consistent between sites. | Inter-site replication through your self-managed AD bridgehead servers must succeed. You can diagnose further with `repadmin /bridgeheads /verbose`. Address the issues it reports before continuing. | 
| Child Domain Test | `testChildDomain` | `CHILD_DOMAIN_NOT_SUPPORTED` | `Child Domains are not supported for Hybrid Directory.` | Occurs if your self-managed AD forest contains child domains, which are not supported with AWS Managed Microsoft AD directories. | AWS Managed Microsoft AD directories do not support child domains. You must use a single-domain forest for your self-managed AD. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| DcDiag Test | `testDcDiag` | `DCDIAG_TEST_FAILED` | `DCDiag test failed due to issue from [formatedFailedTests].` | Occurs if any Microsoft DCDiag tests fail on your self-managed AD. | AWS uses DCDiag to test your self-managed AD. If DCDiag reports errors, you cannot create a hybrid directory. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/troubleshoot-domain-controller-deployment#tools-and-commands-for-troubleshooting-domain-controller-configuration). | 
| DNS IP Match Test | `testDnsIpMatch` | `DNS_IP_MISMATCH` | `DNS IP address does not match expected IP addresses.` | Occurs if the DNS IP addresses you provided for your self-managed AD do not match the DNS IP addresses configured on your self-managed AD domain controllers that are enabled with AWS Systems Manager. | Provide the DNS IP addresses that are configured on your self-managed AD domain controllers. | 
| DNS Name Match Test | `testDnsNameMatch` | `DOMAIN_DNS_NAME_MISMATCH` | `DNS name does not match expected domain name.` | Occurs if the DNS name you provided for your self-managed AD does not match the DNS name configured on your self-managed AD domain controllers that are enabled with AWS Systems Manager. | Provide the DNS name that is configured on your self-managed AD domain controllers. | 
| DNS Records Test | `testDnsRecords` | `DNS_RECORD_MISSING` | `Unable to resolve the following DNS queries: [missingRecordsString].` | Occurs if the A, NS, SOA, or SRV DNS records for your self-managed AD are not set or cannot be queried. | The Address (A), Name Server (NS), Start of Authority (SOA), and Service (SRV) records for your self-managed AD must exist and be resolvable. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/azure/dns/dns-zones-records). | 
| Domain Forest Functional Level Test | `testDomainForestFunctionalLevel` | `UNSUPPORTED_FUNCTIONAL_LEVEL` | `Detected unsupported domain functional level: DomainFunctionalLevel, we require minimum of MinimumDomainMode. Detected unsupported forest functional level: ForestFunctionalLevel, we require minimum of MinimumForestMode.` | Occurs if your self-managed AD domain and forest functional levels do not meet the minimum requirements. | Your self-managed AD domain and forest must use the Windows Server 2012 R2 or Windows Server 2016 functional level. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-deployment). | 
| Domain Health Tests | `testOnPremDcNumber` | `DC_NUMBER_BELOW_LIMIT` | `On-Prem DC count is lower than required number. DC count is NumberOfDc, AWS required number is DcMinimum.` | Occurs if your self-managed AD does not have the minimum required number of domain controllers. | Ensure your self-managed AD has at least two domain controllers enabled with AWS Systems Manager. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| Existing Domain Test | `testDomainAlreadyJoined` | `DOMAIN_ALREADY_JOINED` | `Instance is already joined to a domain.` | Occurs if your self-managed AD domain is already joined to an existing hybrid directory. | Each self-managed AD domain can be joined to only one hybrid directory. Create a new self-managed AD domain, or remove this domain from the hybrid directory to which it is already joined. | 
| FSMO Connectivity Test | `testFsmoConnectivity` | `FSMO_ROLE_HOLDER_NOT_ROUTABLE` | `(PDCEmulator Ip: 1.1.1.1, RIDMaster Ip: 1.1.1.1) is not in routable ranges: [2.2.0.0/16, 3.3.0.0/16, 4.4.0.0/16, 5.5.0.0/16, 6.6.0.0/16].` | Occurs if the IP addresses of the FSMO role holders (PDC Emulator and/or RID Master) in your self-managed AD are not in a routable range. | The FSMO role holders in your self-managed AD, specifically the PDC Emulator and RID Master, must have IP addresses in routable ranges at all times. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| FSMO Connectivity Test | `testFsmoConnectivity` | `FSMO_ROLE_MISSING` | `FSMO role(s): [missingRolesString] missing or DNS Record not found.` | Occurs if your self-managed AD domain controllers cannot reach a FSMO role holder, or if no DNS record exists for it. | Each Flexible Single Master Operation (FSMO) role holder in your self-managed AD must be reachable from your self-managed AD domain controllers and have a DNS record. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/fsmo-roles). | 
| IP Conflict Test | `testIpConflict` | `IP_RANGE_CONFLICT` | `Conflicting IP address detected: ipOverlaps` | Occurs if your self-managed AD IP Ranges overlap with AWS reserved ranges. | Your self-managed AD cannot use an IP address range that overlaps with Reserved AWS IP ranges. For more information, see [Microsoft Active Directory domain requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ad-domain). | 
| Kerberos Test | `testKerberos` | `KERBEROS_AUTHENTICATION_FAILED` | `Unable to get kerberos TGT.` | Occurs if Kerberos is not configured correctly on your self-managed AD, so the assessment cannot obtain a Kerberos ticket-granting ticket (TGT). | Kerberos authentication must be enabled and working on your self-managed AD. For more information, see [Microsoft Documentation](https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview). | 
| LDAP Connectivity Test | `testLdapConnectivity` | `LDAP_TEST_FAILED` | `Unable to query LDAP with rootDSE call.` | Occurs if an LDAP rootDSE query against your self-managed AD fails. | Lightweight Directory Access Protocol (LDAP) must be enabled and functioning on your self-managed AD. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/lightweight-directory-access-protocol-ldap-api). | 
| Not Read Only Domain Controller For FSMO Test | `testNotRodcForFsmo` | `FSMO_FOUND_ON_RODC` | `FSMO Role Found on RODC` | Occurs if a FSMO role in your self-managed AD is held by a Read-Only Domain Controller (RODC). | Flexible Single Master Operation (FSMO) roles in your self-managed AD must be held by writable domain controllers, not by a Read-Only Domain Controller (RODC). For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/fsmo-roles). | 
| Read Only Domain Controller Password Replication Test | `testRodcPasswordReplication` | `RODC_REPLICATE_ADMIN_PASSWORD` | `ReadOnly Domain Controller password replication is not explicitly denied for following groups: [missingGroupsString].` | Occurs if an RODC in your self-managed AD is not explicitly denied permission to replicate the passwords of administrative accounts. | Password replication of administrative accounts to any RODC in your self-managed AD must be explicitly denied. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/rodc-replicates-passwords-grant-incorrect-permissions). | 
| Read Only Domain Controller Test | `testIsDCRodc` | `DC_READONLY_MODE` | `Provided Domain Controller is set to Read-Only mode.` | Occurs if a domain controller you provided for your self-managed AD is a Read-Only Domain Controller (RODC). | The domain controllers you provide for your self-managed AD must be writable (read-write) domain controllers. For more information about domain controller types, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-special-identities-groups#enterprise-domain-controllers). | 
| Remote Port Connectivity Test | `testPortConnectivity` | `PORT_TEST_FAILED` | `Connection to TargetDestination failed for TCP ports [failed TCP ports]. UDP ports [failed UDP ports].` | Occurs if required ports on your AWS subnet and your self-managed AD domain controller are not open. | Ensure all required ports are open between your AWS subnet and your self-managed AD. See [Network port requirements](create_hybrid_directory_prereqs.md#create_hybrid_directory_prereqs-ports) for more information. | 
| Replication Test | `testReplication` | `REPLICATION_FAILED` | `Replication failed for [failedDSAsString].` | Occurs if Active Directory replication between your self-managed AD domain controllers has failed. | Replication between your self-managed AD domain controllers must be succeeding. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/dfs-replication-overview). | 
| SMBV1 Test | `testSMBV1` | `INSECURE_SETTING_SMB` | `SMBv1 is enabled on the system.` | Occurs if SMBv1 is enabled on your self-managed AD domain controllers. | SMBv1 is insecure and must be disabled on your self-managed AD domain controllers. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server). | 
| SSM User Permissions Test | `testSSMUserPermissions` | `INSUFFICIENT_PERMISSIONS` | `Systems Manager user does not have required elevated privileges.` | Occurs if the Windows user account used by the AWS Systems Manager (SSM) Agent does not have sufficient privileges. | The AWS Systems Manager (SSM) Agent on your self-managed AD domain controllers requires Windows Administrator permissions. For more information, see [AWS account permissions](create_hybrid_directory_prereqs.md#hybrid-dir-prereq-perms). | 
| Sysvol Replication Test | `testSysvolReplication` | `DFSR_FAILURE_DETECTED` | `Failed DFSR event logs: failedLogsString.` | Occurs if your self-managed AD does not use DFSR for SYSVOL replication, or if any domain controller has logged failed DFSR replication events. | SYSVOL replication on your self-managed AD must use DFSR and must be succeeding on all domain controllers. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr). | 
| Top Level GPO Test | `testTopLevelEnforcedGPO` | `TOP_LEVEL_ENFORCED_GPO_FOUND` | `GroupPolicy cannot be set to Enforced at the Domain Root, Found GPOs: [GposEnforced] set as Enforced.` | Occurs if your self-managed AD has Top Level GPOs set as Enforced. | Ensure your self-managed AD domain Top Level group policy object (GPO) is not set to Enforced. For more information, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-processing). | 
| Trust Types Test | `testTrustTypes` | `INVALID_TRUST_TYPE` | `Invalid trust types detected: [InvalidTrustString], only Uplevel (Microsoft AD) is currently supported.` | Occurs if your self-managed AD has unsupported trust types. | Uplevel is the only trust type supported with hybrid directory. Your self-managed AD cannot have trusts of the following types: DCE, MIT, or Downlevel. For more information on trust types, see [Microsoft documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/rodc-replicates-passwords-grant-incorrect-permissions). | 
| Valid Domain Controller Test | `testValidDC` | `COMPUTER_NOT_DC` | `Provided instance is not a domain controller.` | Occurs if the self-managed AD instances you provided are not domain controllers, or if they are already part of another hybrid directory. | Provide self-managed AD domain controllers that are unique to this hybrid directory, then retry with a new directory. Ensure that you have deleted the failed hybrid directory and the AWS Reserved OU in your self-managed AD. | 
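Many of the directory-wide conditions in the table can be checked from your own domain controller before you run the assessment. The following PowerShell script is an added example, not part of this documentation or of the AWS assessment tooling. It uses the RSAT `ActiveDirectory` and `GroupPolicy` modules to cover the child domain, functional level, domain controller count, FSMO placement, trust type, top-level enforced GPO, hybrid administrator account and SPN, and replication checks, reporting each finding under the error code from the table. The hybrid administrator's `sAMAccountName` and the hostname prefix used to recognize the AWS-managed domain controllers are assumptions for illustration.

```powershell
# Added pre-flight example (not AWS documentation or assessment code).
# Run as a Domain Admin on a writable self-managed domain controller with the
# RSAT ActiveDirectory and GroupPolicy modules installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$AwsAdminSam = 'AWSHybridAdmin'   # assumption: sAMAccountName of the hybrid directory administrator user
$AwsDcPrefix = 'AWS-'             # assumption: hostname prefix of the AWS-managed domain controllers
$MinDomainMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain
$MinForestMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012R2Forest

$domain   = Get-ADDomain
$forest   = Get-ADForest
$dcs      = @(Get-ADDomainController -Filter *)
$findings = [System.Collections.Generic.List[string]]::new()

# Child Domain Test (CHILD_DOMAIN_NOT_SUPPORTED): the forest must be a single domain.
if (@($domain.ChildDomains).Count -gt 0) {
    $findings.Add("CHILD_DOMAIN_NOT_SUPPORTED: $($domain.ChildDomains -join ', ')")
}

# Domain Forest Functional Level Test (UNSUPPORTED_FUNCTIONAL_LEVEL): compare enum ordinals.
if ([int]$domain.DomainMode -lt [int]$MinDomainMode) { $findings.Add("UNSUPPORTED_FUNCTIONAL_LEVEL: domain mode $($domain.DomainMode)") }
if ([int]$forest.ForestMode -lt [int]$MinForestMode) { $findings.Add("UNSUPPORTED_FUNCTIONAL_LEVEL: forest mode $($forest.ForestMode)") }

# Domain Health Tests (DC_NUMBER_BELOW_LIMIT): at least two writable domain controllers.
$writable = @($dcs | Where-Object { -not $_.IsReadOnly })
if ($writable.Count -lt 2) { $findings.Add("DC_NUMBER_BELOW_LIMIT: $($writable.Count) writable DC(s), 2 required") }

# FSMO placement: no role on an RODC (FSMO_FOUND_ON_RODC) and none on an AWS DC (AWS_DC_HOLDS_FSMO_ROLE).
foreach ($dc in $dcs) {
    $roles = @($dc.OperationMasterRoles)
    if ($roles.Count -eq 0) { continue }
    $roleList = $roles -join ', '
    if ($dc.IsReadOnly) { $findings.Add("FSMO_FOUND_ON_RODC: $($dc.HostName) holds $roleList") }
    if ($dc.Name -like "$AwsDcPrefix*") { $findings.Add("AWS_DC_HOLDS_FSMO_ROLE: $($dc.HostName) holds $roleList") }
}

# Trust Types Test (INVALID_TRUST_TYPE): only Uplevel trusts are supported.
foreach ($trust in @(Get-ADTrust -Filter *)) {
    if ($trust.TrustType -ne 'Uplevel') { $findings.Add("INVALID_TRUST_TYPE: $($trust.Name) is $($trust.TrustType)") }
}

# Top Level GPO Test (TOP_LEVEL_ENFORCED_GPO_FOUND): no enforced links at the domain root.
foreach ($link in (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks) {
    if ($link.Enforced) { $findings.Add("TOP_LEVEL_ENFORCED_GPO_FOUND: $($link.DisplayName)") }
}

# AWS Admin User Exist Test and AWS Admin User SPN Test.
$admin = Get-ADUser -Filter "sAMAccountName -eq '$AwsAdminSam'" -Properties servicePrincipalName
if (-not $admin) {
    $findings.Add("ADMINISTRATOR_ACCOUNT_MISSING: $AwsAdminSam not found")
} elseif (@($admin.servicePrincipalName).Count -gt 0) {
    $findings.Add("SPN_FOUND_ON_AWS_ADMIN: $($admin.servicePrincipalName -join '; ')")
}

# Replication Test (REPLICATION_FAILED): any recorded inbound replication failure in the domain.
foreach ($f in @(Get-ADReplicationFailure -Scope Domain -Target $domain.DNSRoot)) {
    $findings.Add("REPLICATION_FAILED: $($f.Server) from $($f.Partner): $($f.FailureType) x$($f.FailureCount)")
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: no findings for the checks covered by this script.'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it from an elevated PowerShell session; a non-zero exit code means at least one finding was printed. The script only approximates the assessment tests it names and does not replace them; the `AWS_DC_HOLDS_FSMO_ROLE` check in particular depends on the naming assumption above.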
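The host-level tests in the table (Kerberos, DNS records, LDAP rootDSE, SMBv1, SYSVOL/DFSR, and RODC password replication) need to be checked against each domain controller rather than against the directory as a whole. The following PowerShell script is an added example, not part of this documentation or of the AWS assessment tooling. It assumes the `ActiveDirectory` and `DnsClient` modules are available, that the account running it can query each domain controller over WinRM/CIM and remote event log access, and that the list of groups that must be explicitly denied password replication on an RODC (`$requiredDenied`) is an assumption chosen for illustration.

```powershell
# Added per-host check example (not AWS documentation or assessment code).
# Run as a Domain Admin on a domain-joined host that can reach every domain
# controller over CIM/WinRM and the remote event log service.
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$dcs            = @(Get-ADDomainController -Filter *)
$findings       = [System.Collections.Generic.List[string]]::new()
$requiredDenied = @('Domain Admins', 'Enterprise Admins', 'Administrators')   # assumption

# Kerberos Test (KERBEROS_AUTHENTICATION_FAILED): does this session hold a TGT?
if (-not ((klist tgt 2>&1 | Out-String) -match 'Cached TGT')) {
    $findings.Add('KERBEROS_AUTHENTICATION_FAILED: no cached TGT in this session (run klist for details)')
}

# DNS Records Test (DNS_RECORD_MISSING): A, NS, SOA and the SRV records clients use to locate DCs.
$queries = @(
    @{ Name = $domain.DNSRoot;                            Type = 'A'   },
    @{ Name = $domain.DNSRoot;                            Type = 'NS'  },
    @{ Name = $domain.DNSRoot;                            Type = 'SOA' },
    @{ Name = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)";  Type = 'SRV' },
    @{ Name = "_kerberos._tcp.$($domain.DNSRoot)";        Type = 'SRV' }
)
foreach ($q in $queries) {
    $answer = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction SilentlyContinue
    if (-not $answer) { $findings.Add("DNS_RECORD_MISSING: $($q.Type) $($q.Name)") }
}

foreach ($dc in $dcs) {
    $dcHost = $dc.HostName

    # LDAP Connectivity Test (LDAP_TEST_FAILED): rootDSE query against each DC.
    $rootDse = Get-ADRootDSE -Server $dcHost -ErrorAction SilentlyContinue
    if (-not $rootDse) { $findings.Add("LDAP_TEST_FAILED: rootDSE query to $dcHost failed") }

    # SMBV1 Test (INSECURE_SETTING_SMB): server-side SMBv1 must be off on every DC.
    try {
        $smb = Get-SmbServerConfiguration -CimSession $dcHost -ErrorAction Stop
        if ($smb.EnableSMB1Protocol) { $findings.Add("INSECURE_SETTING_SMB: SMBv1 enabled on $dcHost") }
    } catch {
        $findings.Add("INSECURE_SETTING_SMB: could not query SMB configuration on $dcHost ($($_.Exception.Message))")
    }

    # Sysvol Replication Test (DFSR_FAILURE_DETECTED): DFSR error events in the last 24 hours.
    $dfsrErrors = @(Get-WinEvent -ComputerName $dcHost -FilterHashtable @{
        LogName = 'DFS Replication'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue)
    if ($dfsrErrors.Count -gt 0) {
        $findings.Add("DFSR_FAILURE_DETECTED: $($dfsrErrors.Count) DFSR error event(s) on $dcHost, e.g. event ID $($dfsrErrors[0].Id)")
    }

    # Read Only Domain Controller Password Replication Test (RODC_REPLICATE_ADMIN_PASSWORD), RODCs only.
    if ($dc.IsReadOnly) {
        $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $dcHost -Denied | ForEach-Object { $_.Name })
        $missing = @($requiredDenied | Where-Object { $denied -notcontains $_ })
        if ($missing.Count -gt 0) {
            $findings.Add("RODC_REPLICATE_ADMIN_PASSWORD: $dcHost does not explicitly deny $($missing -join ', ')")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: no findings for the checks covered by this script.'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The DFSR check looks only at error-level events from the last day, so a failure that was logged earlier and never recurred will not be reported; widen `StartTime` if you are investigating an older `DFSR_FAILURE_DETECTED` result. The SMBv1 query goes through CIM, so a domain controller that blocks WinRM from the host you run this on is reported as a finding rather than silently skipped.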