Target instance cannot connect to Active Directory after migration

When you migrate domain-joined Windows servers, the target instance may fail to authenticate with Active Directory. This prevents login with domain credentials or access to domain resources.

Causes:

Network connectivity – No network path between the target VPC and your AD domain controllers. This requires an AWS Site-to-Site VPN or AWS Direct Connect, and security groups/ACLs must allow AD ports (TCP/UDP 389, 636, 88, 53, 445, 135, 3268, 3269).
DNS resolution – Application Migration Service resets network settings to DHCP during conversion. The VPC's default AmazonProvidedDNS cannot resolve on-premises AD domain names, so the instance cannot locate domain controllers.

Resolution:

Ensure network connectivity – Verify a network path exists between the target VPC and your AD domain controllers. Confirm that security groups, network ACLs, and on-premises firewalls allow AD traffic.
Configure DNS resolution – Use one of these approaches:
- Recommended: Create a Route 53 Resolver outbound endpoint with a forwarding rule for your AD domain. This preserves AWS service endpoint resolution. See Integrating DNS with Route 53 Resolvers.
- Alternative: Create a custom DHCP options set with your AD DNS servers. Note: this may break AWS service endpoint resolution unless your DNS servers also forward AWS domain queries.

Test by launching a test instance in the target VPC before performing a cutover migration.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions