SOLVED: "There was an issue joining the WorkSpace to your domain. Verify that your service account is allowed to complete domain join operations. If you continue to see an issue, contact AWS Support."


Overview

I recently created a number of WorkSpaces in AWS to address capacity concerns around the Coronavirus Lockdown.

After creating a couple of test WorkSpaces which worked well, I made a custom image to roll out to more users, and soon had nine identical machines running.

The system works well: machine spawning takes about twenty minutes whether you spawn a single machine or several at once. Software installed as part of the custom build persists as you'd expect from what is essentially a cloned VM (so long as it isn't installed to the user profile).

Because our Active Directory is connected to AWS via an AD connector, it's possible to auto-join WorkSpaces to Active Directory during creation, so users can log in using their AD credentials right after machine creation.

Domain joining also means WorkSpaces VMs are configured by group policy and any other controls that form part of the domain, making for a smoother and more consistent user experience.


The Issue

After a couple of weeks, one of our IT team needed to do some WorkSpaces support. We went to create a machine for him to test with, but when we ran through the process for the tenth machine, it aborted at the domain join phase with the following error:

"There was an issue joining the WorkSpace to your domain. Verify that your service account is allowed to complete domain join operations. If you continue to see an issue, contact AWS Support."

As you might expect, AWS uses a service account (the one configured on the AD Connector) when joining a WorkSpace to the domain. It doesn't need to be a domain admin, so long as it is allowed to add computer accounts to the domain, which any authenticated user account can do by default.

As well as the fact that it had already added nine workstations to the domain successfully, matters became more confusing when you consider that the AD Connector showed as Active in the AWS Directory Service console, and the other functions we use via the same connector were all fine, suggesting there was no problem with the service account, its password or its permissions.


One of the flaws of AWS (in my opinion) is the high cost of support, which is priced as a percentage of your monthly AWS spend. The paid tiers start at 3% of your bill, rising to 10% for the fully fledged version. This was a barrier to logging a ticket with AWS, so I spoke to our account manager instead.

After some to-ing and fro-ing, our account manager contacted a member of the AWS support team directly and highlighted the issue, given that it was impeding our ability to spend (call me cynical).

AWS support pointed out that Active Directory has a limit (the ms-DS-MachineAccountQuota attribute on the domain object) which controls how many computer accounts any single non-privileged user may add to the domain. By default the limit is ten. Every computer object the account has created counts towards it, since AD stamps the creator's SID on each one, so objects left behind by WorkSpaces that were later rebuilt or deleted still use up the quota. Once the service account reaches the limit, the next WorkSpace you try to create fails at the domain join step with the error above.


The Fix

In order to get your next WorkSpaces VM working, you'll need to run through the following procedure to raise the limit on the number of machines a single user can join to the domain:

  • Open ADSIedit.msc on a domain controller (or a machine with RSAT installed) as a domain admin.
  • Choose the 'Default naming context' (if prompted).
  • Right click on the domain object at the top of the tree (DC=yourdomain,DC=com).
  • Choose Properties.
  • On the Attribute Editor tab, scroll down to ms-DS-MachineAccountQuota.
  • The value of this attribute defines how many computer accounts a single user can add to Active Directory. The default is 10.
  • Change the value to one of your choice and Apply the change.

Subject to replication of the setting change between DCs (the AD Connector only sees the new value once it has reached the domain controllers it is configured to talk to), you should be able to add new WorkSpaces VMs to your AWS account. Bear in mind that the quota is domain-wide and applies to every authenticated user, not just the AWS service account, so raising it lets any user join that many machines. The tighter option is to delegate 'Create Computer objects' and 'Delete Computer objects' on the OU the WorkSpaces land in to the service account only (accounts with explicit create rights on the container aren't subject to the quota), which also lets you leave the quota alone or set it to 0.
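The same procedure in PowerShell, as an added example that is not from the original post. It reads the current quota, counts the computer objects the service account has already created (which is what actually exhausts the limit), and then either raises the quota as described above or, with -DelegateInstead, delegates Create/Delete Computer objects on the WorkSpaces OU to the service account and sets the quota to 0. The account name svc-workspaces, the OU OU=WorkSpaces,DC=corp,DC=example and the new quota of 50 are assumptions; the ActiveDirectory module (RSAT) and domain admin rights are required.

```powershell
# Added example, not code from the original post. Names below are assumptions:
# adjust $ServiceAccount and $WorkSpacesOu to match your AD Connector and OU.
param(
    [string]$ServiceAccount = 'svc-workspaces',                  # assumed AD Connector service account
    [string]$WorkSpacesOu   = 'OU=WorkSpaces,DC=corp,DC=example', # assumed OU the WorkSpaces are joined into
    [int]$NewQuota          = 50,                                 # assumed new domain-wide quota
    [switch]$DelegateInstead                                      # delegate on the OU and set the quota to 0
)

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName

# 1. Read the current quota. The attribute lives on the domain object itself,
#    which is why the ADSIedit procedure starts at the top of the tree.
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $domainDn is currently $quota"

# 2. Count the computer objects the service account has created under the quota.
#    AD stamps mS-DS-CreatorSID on such objects, and every one of them counts,
#    including objects left behind by WorkSpaces that were later rebuilt or deleted.
$sid = (Get-ADUser -Identity $ServiceAccount).SID
$created = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' | Where-Object {
    $creator = $_.'mS-DS-CreatorSID'
    if ($null -eq $creator) { return $false }
    # The module normally returns a SecurityIdentifier; handle a raw byte[] just in case.
    if ($creator -is [byte[]]) {
        $creator = New-Object System.Security.Principal.SecurityIdentifier($creator, 0)
    }
    $creator.Value -eq $sid.Value
}
Write-Host "$ServiceAccount has created $(@($created).Count) computer object(s) under the quota (limit $quota):"
$created | Select-Object Name, DistinguishedName, Enabled | Format-Table -AutoSize

if ($DelegateInstead) {
    # 3b. Tighter fix: grant Create Child (CC) and Delete Child (DC) for computer
    #     objects on the WorkSpaces OU, inherited to sub-containers (/I:T), to the
    #     service account only. Accounts with explicit create rights on the container
    #     are not subject to ms-DS-MachineAccountQuota, so the quota can go to 0 and
    #     ordinary users lose the ability to join machines at all.
    dsacls $WorkSpacesOu /I:T /G "$($domain.NetBIOSName)\${ServiceAccount}:CCDC;computer"
    $NewQuota = 0
}

# 3a. The fix from the post: write the new quota to the domain object.
#     Note this applies to every authenticated user in the domain, not just $ServiceAccount.
Set-ADObject -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = $NewQuota }

# 4. Confirm the write and push replication so the DCs the AD Connector talks to see it.
$after = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is now $after"
repadmin /syncall /AdeP
```

Run it once without -DelegateInstead to reproduce the quick fix from the post, or with -DelegateInstead to take the least-privilege route. If the count in step 2 shows objects for WorkSpaces that no longer exist, removing those stale computer objects frees up quota without raising the limit at all.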


Further reading - Microsoft's KB article "Default limit to number of workstations a user can join to the domain", which highlights the limit.