This has been driving me insane for two months now.

I am using AppStream 2.0 to stream an application to my users. The application uses Windows Integrated Authentication and is therefore connected to my AD domain.

The symptoms I have are as follows: “My fleet instances work for one user but don’t cycle correctly.”

AWS says the following:

“Fleet instances are cycled after a user completes a session, ensuring that each user has a new instance. When the cycled fleet instance is brought online, it joins the domain using the computer name of the previous instance. To ensure that this operation happens successfully, the service account requires Change Password and Reset Password permissions on the organizational unit (OU) to which the computer object is joining. Check the service account permissions and try again.”

I have followed these instructions a hundred times (I exaggerate a little, but it's probably tens of times), but I still encounter the "DOMAIN_JOIN_INTERNAL_SERVICE_ERROR" notification code.

Indeed, out of desperation, I am currently using a member of Domain Admins as the Directory Config user that is used to connect to the domain.

What am I missing?!?! For context, I’m not really an Active Directory guy, so I may be missing something obvious.

For now, I have a workaround which involves running a script that cleans up Computer Objects in AD. But it’s flaky.

I would be ever so grateful if anyone could help here. I am pretty sure I have read everything relevant on the internet and I am out of ideas.

Thank you in anticipation.
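As an added example (not from the original post and not AWS code), here is how to check, from an admin workstation with the RSAT ActiveDirectory module, whether the Directory Config service account actually holds the two extended rights AWS names on the fleet OU, to grant them scoped to computer objects if they are missing, and to list the computer objects in that OU with their last password set time. The OU distinguished name and the account name are placeholders; the extended-right and schema-class GUIDs are the standard AD schema constants.

```powershell
# Added example: verify/grant 'Change Password' and 'Reset Password' on the
# AppStream fleet OU and list the computer objects there. Assumes the RSAT
# ActiveDirectory module (it provides the AD: drive used by Get-Acl/Set-Acl).
Import-Module ActiveDirectory

$ouDn           = 'OU=AppStream,DC=corp,DC=example,DC=com'  # assumption: your fleet OU
$serviceAccount = 'CORP\svc-appstream'                      # assumption: the Directory Config user

# Extended-right GUIDs from the schema's controlAccessRight objects.
$rights = @{
    'Change Password' = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
    'Reset Password'  = [guid]'00299570-246d-11d0-a768-00aa006e0529'
}
# Schema class GUID for 'computer': the grant inherits only onto computer objects.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (New-Object System.Security.Principal.NTAccount($serviceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$ouDn"
$changed = $false

foreach ($name in $rights.Keys) {
    $guid = $rights[$name]
    # A matching ACE is an Allow for this account that is either the specific
    # extended right, any extended right (empty ObjectType), or full control.
    $have = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $serviceAccount -and
        (
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
             ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)) -or
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        )
    }
    if ($have) {
        Write-Output "OK      : $serviceAccount already has '$name' on $ouDn"
    } else {
        Write-Output "MISSING : granting '$name' to $serviceAccount on $ouDn (descendant computer objects only)"
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControlType]::Allow,
            $guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $computerClass)
        $acl.AddAccessRule($rule)
        $changed = $true
    }
}
if ($changed) { Set-Acl -Path "AD:\$ouDn" -AclObject $acl }

# Diagnostic: which computer objects exist in the OU and when their password
# was last set. A cycled instance that rejoined successfully under the old
# name should show a fresh PasswordLastSet; stale entries point at the objects
# the rejoin is tripping over.
Get-ADComputer -SearchBase $ouDn -Filter * -Properties PasswordLastSet, whenCreated |
    Sort-Object PasswordLastSet |
    Format-Table Name, Enabled, PasswordLastSet, whenCreated -AutoSize
```

The grant is written as an object-specific ACE inherited to computer objects only, which is the least-privilege shape of the permission AWS describes, rather than delegating it on the OU for every object class. If the first part reports OK for both rights (as it will for a Domain Admins member, since GenericAll covers them), the permission itself is not what is failing, and the computer-object listing is the next thing to compare against the instance names AppStream reports.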
