FSx for Windows Creation Fails: TCP 9389 Unreachable to Self-Managed AD
When creating FSx for Windows File Server using a self-managed Active Directory, if Single-AZ 2 or Multi-AZ file system creation fails and reports Get-ADComputer: Unable to contact the server, focus on checking TCP 9389 connectivity from the FSx subnet to the domain controllers.
Symptoms
FSx creation fails, with the following appearing in the console or error message:
setupFileServerRole failed
Get-ADComputer : Unable to contact the server.
This may be because this server does not exist, it is currently down,
or it does not have the Active Directory Web Services running.
This error typically occurs when FSx is setting up the file server role, joining the domain, or querying AD objects.
Root Cause
Get-ADComputer depends on Active Directory Web Services (ADWS). ADWS listens on TCP 9389.
For the FSx for Windows Single-AZ 2 and Multi-AZ deployment types, FSx must be able to reach TCP 9389 on the domain controllers. If this port is blocked by security groups, NACLs, enterprise firewalls, or cross-region network policies, file system creation fails.
Verification Method
On a domain-joined EC2 Windows instance in the same subnet and same security group as FSx, run the AD validation tool.
# Install the AD PowerShell module that the validation tool depends on
Install-WindowsFeature RSAT-AD-PowerShell
# Download and extract the AWS FSx AD validation module
Invoke-WebRequest `
    "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/samples/AmazonFSxADValidation.zip" `
    -OutFile "AmazonFSxADValidation.zip"
Expand-Archive -Path "AmazonFSxADValidation.zip"
Import-Module .\AmazonFSxADValidation
# Service account credentials that FSx will use to join the domain
$Credential = Get-Credential
# $Args is a PowerShell automatic variable, so use a dedicated name for the splatted parameters
$FSxADValidationArgs = @{
    DomainDNSRoot  = "example.com"            # DNS root of the self-managed AD domain
    DnsIpAddresses = @("DC_IP_1", "DC_IP_2")  # IPv4 addresses of the DNS servers (domain controllers)
    SubnetIds      = @("subnet-xxxxxxxx")     # subnet(s) in which the FSx file system will be created
    Credential     = $Credential
}
$Result = Test-FSxADConfiguration @FSxADValidationArgs
$Result.Failures
If the output contains a TCP 9389 failure entry, you can confirm it is an ADWS port connectivity issue.
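As a quicker first check before running the full validation module, the following added script (not part of the AWS tool or the original post) tests the TCP handshake from the EC2 instance to each domain controller on the ports this article mentions and flags any DC where 9389 is unreachable. The DC addresses and the Test-FSxAdPorts function name are placeholders chosen here; the port list can be extended with the other ports AWS documents for FSx.

```powershell
# Added example: per-DC TCP reachability check for the AD ports discussed above.
# Run on a domain-joined EC2 Windows instance in the same subnet and security group as FSx.
# DC_IP_1 / DC_IP_2 are placeholders; replace them with your domain controller addresses.
$DomainControllers = @('DC_IP_1', 'DC_IP_2')

# Ports named in this article. 9389 (ADWS) is the one that only Single-AZ 2 and Multi-AZ require.
$RequiredPorts = @(
    @{ Port = 88;   Name = 'Kerberos' }
    @{ Port = 389;  Name = 'LDAP' }
    @{ Port = 445;  Name = 'SMB' }
    @{ Port = 9389; Name = 'ADWS (Single-AZ 2 / Multi-AZ only)' }
)

function Test-FSxAdPorts {
    param(
        [Parameter(Mandatory)] [string[]]    $DomainControllers,
        [Parameter(Mandatory)] [hashtable[]] $Ports
    )
    foreach ($dc in $DomainControllers) {
        foreach ($p in $Ports) {
            # -InformationLevel Quiet returns $true/$false for the TCP handshake only;
            # it proves the network path is open, not that the service is healthy.
            $ok = Test-NetConnection -ComputerName $dc -Port $p.Port `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $dc
                Port             = $p.Port
                Service          = $p.Name
                Reachable        = $ok
            }
        }
    }
}

$Results = Test-FSxAdPorts -DomainControllers $DomainControllers -Ports $RequiredPorts
$Results | Format-Table -AutoSize

# Any DC unreachable on 9389 explains the Get-ADComputer / ADWS error in the FSx console.
$AdwsFailures = $Results | Where-Object { $_.Port -eq 9389 -and -not $_.Reachable }
if ($AdwsFailures) {
    Write-Warning "TCP 9389 (ADWS) blocked to: $($AdwsFailures.DomainController -join ', ')"
}
# If 9389 connects but Get-ADComputer still fails, check that the ADWS service is running on the DC,
# as the error text itself suggests.
```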
Why Single-AZ 1 Might Succeed
Single-AZ 1 has different requirements for TCP 9389 and may succeed in the same environment. This can help determine whether service account permissions, DNS, and basic AD ports are functioning properly.
If Single-AZ 1 succeeds but Single-AZ 2 / Multi-AZ fails, the troubleshooting focus should shift to TCP 9389.
Solution
Allow TCP 9389 from the FSx subnet to all domain controllers:
- FSx security group outbound rules.
- Domain controller security group inbound rules.
- Network ACL rules in both directions.
- Local or cross-region firewall policies.
- Intermediate firewalls in enterprise networks.
After allowing access, re-run the validation tool to confirm there are no failures, then recreate FSx.
Summary
When FSx for Windows fails to join a self-managed AD, don't only check common ports like 389, 445, and 88. For Single-AZ 2 and Multi-AZ, TCP 9389 is equally critical.
When you see Get-ADComputer or ADWS-related errors, prioritize verifying 9389 connectivity from the FSx subnet to all DCs.
