A company has a shared services VPC containing two domain controllers in private subnets. A new application is being deployed in a separate VPC on an Amazon EC2 Windows Server instance, which needs to join the existing Windows domain hosted by the domain controllers. Both VPCs are connected via a transit gateway, and route tables for the transit gateway, shared services VPC, and new VPC have been updated. Security groups for the domain controllers and instance are configured to allow only necessary domain operation ports. Despite these configurations, the instance cannot join the domain.

Which two actions should be taken to identify the root cause of this issue with minimal operational overhead? (Choose two.)