
How to resolve problems connecting to Samba4 Active Directory Domain Controller on Ubuntu Micro AWS Instance

0 votes
1 answer
1981 views
I'm trying to set up an Active Directory Domain Controller on an Ubuntu 16.04 instance on Amazon's EC2 micro services. I do everything right (following at least three different tutorials) and all the server-side tests run fine. My most recent attempt used this tutorial: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller (although I got the Kerberos install list from Step 2 of https://www.tecmint.com/install-samba4-active-directory-ubuntu/). But when I try to connect from Windows 10 (as explained here: https://wiki.samba.org/index.php/Windows_DNS_Configuration), I get the following error:

> Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\Windows\debug\dcdiag.txt.
>
> DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "ad.company.com.my":
>
> The query was for the SRV record for _ldap._tcp.dc._msdcs.ad.company.com.my
>
> The following domain controllers were identified by the query:
> dc1.ad.company.com.my
>
> However no domain controllers could be contacted.
>
> Common causes of this error include:
>
> - Host (A) or (AAAA) records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
>
> - Domain controllers registered in DNS are not connected to the network or are not running.

My setup: AWS Micro instance running Ubuntu 16.04 LTS. Elastic IP address set so that I have a static IP address for the server. The Windows client is a virtual machine. It has the public IP address of the Amazon instance set as instructed on the Samba wiki (https://wiki.samba.org/index.php/Windows_DNS_Configuration).
All of these work:

    host -t A ad.company.com.my
    host -t A dc1
    ping -c3 ad.company.com.my
    ping -c3 dc1.ad.company.com.my

Configuration files:

/etc/network/interfaces:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # Source interfaces
    # Please check /etc/network/interfaces.d before changing this file
    # as interfaces may have been defined in /etc/network/interfaces.d
    # See LP: #1262951
    # source /etc/network/interfaces.d/*.cfg

    auto eth0
    iface eth0 inet static
        address 172.31.36.46
        netmask 255.255.240.0
        broadcast 172.31.47.255
        gateway 172.31.32.1
        dns-nameserver 172.31.36.46
        # dns-nameserver 172.31.0.2
        # dns-nameserver 8.8.8.8
        dns-search ad.company.com.my

/etc/hosts:

    127.0.0.1       localhost localhost.localdomain
    172.31.36.46    dc1.ad.company.com.my dc1

    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

/etc/resolv.conf:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 172.31.36.46
    search ad.company.com.my

/etc/hostname:

    dc1

/etc/krb5.conf:

    [libdefaults]
        default_realm = AD.COMPANY.COM.MY
        dns_lookup_realm = false
        dns_lookup_kdc = true

/etc/samba/smb.conf:

    [global]
        workgroup = AD
        realm = AD.COMPANY.COM.MY
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes

    [netlogon]
        path = /var/lib/samba/sysvol/ad.company.com.my/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Here is the output of the command `nslookup dc1.ad.company.com.my`:

    Server:  ec2-ADDRESS.ap-southeast-1.compute.amazonaws.com
    Address: ADDRESS

    Name:    dc1.ad.company.com.my
    Address: 172.31.36.46

And then doing an SRV check:

    C:\Users\user>nslookup
    Default Server: ec2-ADDRESS.ap-southeast-1.compute.amazonaws.com
    Address: ADDRESS

    > set type=SRV
    > _ldap._tcp.ad.company.com.my
    Server:  ec2-ADDRESS.ap-southeast-1.compute.amazonaws.com
    Address: ADDRESS

    _ldap._tcp.ad.company.com.my    SRV service location:
              priority       = 0
              weight         = 100
              port           = 389
              svr hostname   = dc1.ad.company.com.my

I've opened all traffic on the instance so that I know it's not a firewall issue. So, what am I doing wrong?
Asked by Jack Holtby (1 rep)
Jun 19, 2019, 08:22 AM
Last activity: Apr 19, 2025, 10:03 PM