

# Troubleshooting Simple AD
<a name="simple_ad_troubleshooting"></a>

The following can help you troubleshoot some common problems you might encounter when creating or using your Simple AD Active Directory.

**Topics**
+ [Password recovery](#simple_ad_tshoot_password_recovery)
+ [I receive a 'KDC can't fulfill requested option' error when adding a user to Simple AD](#kdc_requested_option)
+ [I am not able to update the DNS name or IP address of an instance joined to my domain (DNS dynamic update)](#dns_dynamic_updates)
+ [I can't log onto SQL Server using a SQL Server account](#sql_login_fail)
+ [My Simple AD is stuck in the 'Requested' state](#stuck_in_requested1)
+ [I receive an 'AZ constrained' error when I create a Simple AD](#contrained_az1)
+ [Some of my users can't authenticate with my Simple AD](#kerberos_preauth1)
+ [Additional resources](#troubleshoot_general_resources)
+ [Troubleshooting Simple AD directory status messages](simple_ad_troubleshooting_reasons.md)

## Password recovery
<a name="simple_ad_tshoot_password_recovery"></a>

If a user forgets a password or is having trouble signing in to your Simple AD directory, you can reset their password using either the AWS Management Console, PowerShell or the AWS CLI.

For more information, see [Resetting a Simple AD user password](simple_ad_manage_users_groups_reset_password.md).

## I receive a 'KDC can't fulfill requested option' error when adding a user to Simple AD
<a name="kdc_requested_option"></a>

This can occur when the Samba CLI client does not correctly send the `net` commands to all domain controllers. If you see this error message when using the `net ads` command to add a user to your Simple AD directory, use the `-S` argument and specify the IP address of one of your domain controllers. If you still see the error, try the other domain controller. You can also use the Active Directory Administration Tools to add users to your directory. For more information, see [Installing the Active Directory Administration Tools for Simple AD](simple_ad_install_ad_tools.md).

## I am not able to update the DNS name or IP address of an instance joined to my domain (DNS dynamic update)
<a name="dns_dynamic_updates"></a>

DNS dynamic updates are not supported in Simple AD domains. You can instead make the changes directly by connecting to your directory using DNS Manager on an instance that is joined to your domain.

## I can't log onto SQL Server using a SQL Server account
<a name="sql_login_fail"></a>

You might receive an error if you attempt to use SQL Server Management Studio (SSMS) with a SQL Server account to log into SQL Server running on a Windows 2012 R2 Amazon EC2 instance. The issue occurs when SSMS runs as a domain user and can result in the error `Login failed for user`, even when valid credentials are provided. This is a known issue and AWS is actively working to resolve it.

To work around the issue, you can log into SQL Server with Windows Authentication instead of SQL Authentication. Or launch SSMS as a local user instead of a Simple AD domain user. 

## My Simple AD is stuck in the 'Requested' state
<a name="stuck_in_requested1"></a>

If you have a Simple AD that has been in the `Requested` state for more than five minutes, try deleting the directory and recreating it. If this problem persists, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).

## I receive an 'AZ constrained' error when I create a Simple AD
<a name="contrained_az1"></a>

Some AWS accounts created before 2012 might have access to Availability Zones in the US East (N. Virginia), US West (N. California), or Asia Pacific (Tokyo) Region that do not support Directory Service directories. If you receive an error such as this when creating a directory, choose a subnet in a different Availability Zone and try to create the directory again.

## Some of my users can't authenticate with my Simple AD
<a name="kerberos_preauth1"></a>

Your user accounts must have Kerberos preauthentication enabled. This is the default setting for new user accounts, and it should not be modified. For more information about this setting, go to [Preauthentication](http://technet.microsoft.com/en-us/library/cc961961.aspx) on Microsoft TechNet.
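As an added example (not part of the AWS documentation), the following Python script finds accounts that have preauthentication turned off by reading an LDIF export of the directory's user objects, such as the output of an `ldapsearch -LLL` query, and testing the `userAccountControl` bit `0x400000` (`UF_DONT_REQUIRE_PREAUTH`). The LDIF below is constructed sample data, and the attribute names and export method are assumptions rather than anything this page specifies.

```python
import base64

# userAccountControl bit meaning "Do not require Kerberos preauthentication".
UF_DONT_REQUIRE_PREAUTH = 0x400000

def parse_ldif(text):
    """Minimal LDIF parser (ldapsearch -LLL style): handles 'attr:: base64' and folded lines."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line:                                   # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif line.startswith(" ") and last_attr:       # folded continuation line
            current[last_attr] += line[1:]
        else:
            attr, _, value = line.partition(":")
            if value.startswith(":"):                  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current[attr] = value.strip()
            last_attr = attr
    if current:
        entries.append(current)
    return entries

def preauth_disabled_accounts(ldif_text):
    """Return sAMAccountNames whose userAccountControl has preauthentication turned off.

    Disabled accounts are reported too: the flag survives re-enabling the account.
    """
    flagged = []
    for entry in parse_ldif(ldif_text):
        try:
            uac = int(entry.get("userAccountControl", "0"))
        except ValueError:
            continue
        if uac & UF_DONT_REQUIRE_PREAUTH:
            flagged.append(entry.get("sAMAccountName", entry.get("dn", "?")))
    return flagged

# Constructed sample: three user objects, not an export from a real directory.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName:: Ym9i
userAccountControl: 4194816

dn: CN=Old Service,CN=Users,DC=corp,DC=example,DC=com
sAMAccountName: svc-old
userAccountControl: 4194306
"""
```

Any account the script lists should have preauthentication re-enabled, for example with the Active Directory Administration Tools referenced on this page.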

## Additional resources
<a name="troubleshoot_general_resources"></a>

The following resources can help you troubleshoot as you work with AWS.
+ **[AWS Knowledge Center](https://aws.amazon.com/premiumsupport/knowledge-center/)**–Find FAQs and links to other resources to help you troubleshoot issues.
+ **[AWS Support Center](https://console.aws.amazon.com/support/home#/)**–Get technical support.
+ **[AWS Premium Support Center](https://aws.amazon.com/premiumsupport/)**–Get premium technical support.

# Troubleshooting Simple AD directory status messages
<a name="simple_ad_troubleshooting_reasons"></a>

When a Simple AD is impaired or inoperable, the directory status message contains additional information. The status message is displayed in the Directory Service console, or returned in the [`StageReason`](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DirectoryDescription.html#ADS-Type-DirectoryDescription-StageReason) member by the [`DescribeDirectories`](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DescribeDirectories.html) API. For more information about the directory status, see [Understanding your AWS Managed Microsoft AD directory status](ms_ad_directory_status.md).

The following are the status messages for a Simple AD directory:

**Topics**
+ [The directory service's elastic network interface is not attached](#sr_eni_detached)
+ [Issue(s) detected by instance](#sr_internal_error)
+ [The critical Directory Service reserved user is missing from the directory](#sr_service_account_missing)
+ [The critical Directory Service reserved user needs to belong to the Domain Admins group](#sr_service_account_not_admin)
+ [The critical Directory Service reserved user is disabled](#sr_service_account_disabled)
+ [The main domain controller does not have all FSMO roles](#sr_dc_fsmo_role)
+ [Domain controller replication failures](#sr_dc_repl_failures)

## The directory service's elastic network interface is not attached
<a name="sr_eni_detached"></a>

**Description**  
The critical elastic network interface (ENI) that was created on your behalf during directory creation to establish network connectivity with your VPC is not attached to the directory instance. AWS applications backed by this directory will not be functional. Your directory cannot connect to your on-premises network.

**Troubleshooting**  
If the ENI is detached but still exists, contact Support. If the ENI is deleted, there is no way to resolve the issue and your directory is permanently unusable. You must delete the directory and create a new one. 

## Issue(s) detected by instance
<a name="sr_internal_error"></a>

**Description**  
An internal error was detected by the instance. This usually signifies that the monitoring service is actively attempting to recover the impaired instances.

**Troubleshooting**  
In most cases, this is a transient issue, and the directory eventually returns to the Active state. If the problem persists, contact Support for more assistance.

## The critical Directory Service reserved user is missing from the directory
<a name="sr_service_account_missing"></a>

**Description**  
When a Simple AD is created, Directory Service creates a service account in the directory with the name `AWSAdminD-xxxxxxxxx`. This error is received when this service account cannot be found. Without this account, Directory Service cannot perform administrative functions on the directory, rendering the directory unusable. 

**Troubleshooting**  
To correct this issue, restore the directory to a previous snapshot that was created before the service account was deleted. Automatic snapshots are taken of your Simple AD directory one time a day. If it has been more than five days after this account was deleted, you may not be able to restore the directory to a state where this account exists. If you are not able to restore the directory from a snapshot where this account exists, your directory may become permanently unusable. If this is the case, you must delete your directory and create a new one. 

## The critical Directory Service reserved user needs to belong to the Domain Admins group
<a name="sr_service_account_not_admin"></a>

**Description**  
When a Simple AD is created, Directory Service creates a service account in the directory with the name `AWSAdminD-xxxxxxxxx`. This error is received when this service account is not a member of the `Domain Admins` group. Membership in this group is needed to give Directory Service the privileges it needs to perform maintenance and recovery operations, such as transferring FSMO roles, domain joining new directory controllers, and restoring from snapshots.

**Troubleshooting**  
Use the Active Directory Users and Computers tool to re-add the service account to the `Domain Admins` group. 

## The critical Directory Service reserved user is disabled
<a name="sr_service_account_disabled"></a>

**Description**  
When a Simple AD is created, Directory Service creates a service account in the directory with the name `AWSAdminD-xxxxxxxxx`. This error is received when this service account is disabled. This account must be enabled so that Directory Service can perform maintenance and recovery operations on the directory. 

**Troubleshooting**  
Use the Active Directory Users and Computers tool to re-enable the service account. 

## The main domain controller does not have all FSMO roles
<a name="sr_dc_fsmo_role"></a>

**Description**  
Not all of the FSMO roles are owned by the Simple AD directory controller. Directory Service cannot guarantee certain behavior and functionality if the FSMO roles do not belong to the correct Simple AD directory controller.

**Troubleshooting**  
Use Active Directory tools to move the FSMO roles back to the original working directory controller. For more information about moving the FSMO roles, go to [https://docs.microsoft.com/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds](https://docs.microsoft.com/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds). If this does not correct the problem, please contact Support for more assistance.

## Domain controller replication failures
<a name="sr_dc_repl_failures"></a>

**Description**  
The Simple AD directory controllers are failing to replicate with one another. This can be caused by one or more of the following issues:  
+ The security groups for the directory controllers do not have the correct ports open.
+ The network ACLs are too restrictive.
+ The VPC route table is not routing network traffic between the directory controllers correctly.
+ Another instance has been promoted to a domain controller in the directory.

**Troubleshooting**  
For more information about your VPC network requirements, see either AWS Managed Microsoft AD [Prerequisites for creating an AWS Managed Microsoft AD](ms_ad_getting_started.md#ms_ad_getting_started_prereqs), AD Connector [AD Connector prerequisites](ad_connector_getting_started.md#prereq_connector), or Simple AD [Simple AD prerequisites](simple_ad_getting_started.md#prereq_simple). If there is an unknown domain controller in your directory, you must demote it. If your VPC network setup is correct, but the error persists, please contact Support for more assistance.