Microsoft Workloads on AWS
Amazon FSx for Windows File Server and AWS Managed Microsoft AD Multi-Administrator Deployment
In this blog post, I will demonstrate how to configure your Amazon FSx for Windows File Server and AWS Managed Microsoft Active Directory (AD) to give separate teams administrative control over each individual Amazon FSx for Windows File Server.
I was working with a customer that deployed Amazon FSx for Windows File Server with AWS Managed Microsoft AD and realized there was only a single Active Directory group to manage all Amazon FSx for Windows File Server deployments integrated with that AWS Managed Microsoft AD. The customer wanted to give separate teams administrative control over each individual Amazon FSx for Windows File Server. After some thought on the issue, I decided to try deploying Amazon FSx for Windows File Server using the self-managed Microsoft Active Directory deployment type. It worked. The rest of this post describes this relatively straightforward solution.
Prerequisites
You will need the following deployed if you want to follow along with this post:
- An active AWS Managed Microsoft AD directory. Open the AWS Managed Microsoft AD workshop module if you need to deploy AWS Managed Microsoft AD. Note: I am using the domain name corp.example.com for all examples in this post. Substitute your own domain name wherever it appears in the examples.
- An Amazon EC2 Windows Server instance (referred to as the “MGMT EC2 Instance” in this post) joined to your AWS Managed Microsoft AD directory with the Active Directory Administration Tools installed. To join and configure an instance for your AWS Managed Microsoft AD, open the AWS Managed Microsoft AD workshop.
If you want to fully deploy this entire solution in a testing capacity, I have created an AWS CloudFormation template that will set all of this up in a new Amazon Virtual Private Cloud (Amazon VPC). You can get the template from URL.
You will create the architecture presented in Figure 1 if you follow the steps in this post or deploy the CloudFormation template.
Figure 1: Overview of Resources in this Solution
Solution overview
To implement this solution, you need to choose the Self-managed Microsoft Active Directory Windows authentication option when deploying the Amazon FSx for Windows File Server file system. When choosing this option, you will need to specify additional details that the AWS Managed Microsoft Active Directory Windows authentication option does not require. To simplify this for you, I will provide a PowerShell script that creates the required directory objects for you.
Prior to the Amazon FSx for Windows File Server deployment in this post, a few objects in the AWS Managed Microsoft AD domain need to be set up:
- A separate service account for each Amazon FSx for Windows File Server deployment
- A separate Organizational Unit (OU) for each Amazon FSx for Windows File Server deployment
- A separate delegated file system administrators’ group for each Amazon FSx for Windows File Server deployment
While you can reuse the same service accounts, OUs, or administrative groups, I recommend you split these items up. By doing so, you strengthen the security boundary between file systems and reduce the potential blast radius of a misconfiguration or a compromised service account to a single deployment.
Step-by-step instructions
Create AD Objects for the Amazon FSx for Windows File Server Deployments
In this set of instructions, you are going to create all of the AD objects required to perform an Amazon FSx for Windows File Server deployment with the Self-managed Microsoft Active Directory Windows authentication option. You are going to use a PowerShell script to generate all of the prerequisites prior to deploying Amazon FSx for Windows File Server. Specifically, you will be creating:
- OUs for Amazon FSx for Windows File Server named FSx-A and FSx-B.
- Service Accounts for Amazon FSx for Windows File Server named FSxServiceAccount-A and FSxServiceAccount-B with proper least-privilege permissions.
- Administrative Groups for Amazon FSx for Windows File Server named FSxAdmins-A and FSxAdmins-B.
- Using Remote Desktop, log into the MGMT EC2 Instance, which was created as a prerequisite. You can use any account that is a member of the AWS Delegated Administrators group including the Admin account that was provisioned with your directory.
- In the Remote Desktop session, right-click the Start button and select Windows PowerShell (Admin) to open an elevated PowerShell window. Run the following command, which downloads the script that creates the Amazon FSx for Windows File Server prerequisites. Leave the PowerShell window open after the command completes.
Invoke-WebRequest -Uri 'https://d2908q01vomqb2.cloudfront.net/artifacts/WorkloadsBlog/msft-on-aws/P59717159/Set-FSxAdObjects.ps1' -OutFile 'C:\Set-FSxAdObjects.ps1'
- In the same elevated PowerShell window, run the following code to create the Amazon FSx for Windows File Server prerequisites. Note: A prompt will appear twice asking you to enter a password. The entered passwords are for the Amazon FSx for Windows File Server service accounts. You will need to input them when you deploy the Amazon FSx for Windows File Servers in the next section.
# One entry per file system: the admins group, OU, service account, and its password (kept as a SecureString).
$FSxDeployments = @(
    @{
        AdminGroupName = 'FSxAdmins-A'
        OUName         = 'FSx-A'
        SvcAccountName = 'FSxServiceAccount-A'
        SvcAccountPw   = Get-Credential -Message 'Please provide a password for the FSx Service Account FSxServiceAccount-A' -User 'FSxServiceAccount-A' -ErrorAction Stop | Select-Object -ExpandProperty 'Password'
    },
    @{
        AdminGroupName = 'FSxAdmins-B'
        OUName         = 'FSx-B'
        SvcAccountName = 'FSxServiceAccount-B'
        SvcAccountPw   = Get-Credential -Message 'Please provide a password for the FSx Service Account FSxServiceAccount-B' -User 'FSxServiceAccount-B' -ErrorAction Stop | Select-Object -ExpandProperty 'Password'
    }
)

# Create the OU, administrators group, and service account for each deployment.
Foreach ($FSxDeployment in $FSxDeployments) {
    C:\Set-FSxAdObjects.ps1 -FSxAdminGroupName $FSxDeployment.AdminGroupName -FSxOUName $FSxDeployment.OUName -FSxSvcAccountName $FSxDeployment.SvcAccountName -FSxSvcAccountPw $FSxDeployment.SvcAccountPw
}
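The Set-FSxAdObjects.ps1 script itself is not reproduced in this post. The following is an added example, not the post's script, that shows what "proper least-privilege permissions" for a service account look like in practice: it creates the OU, service account and administrators group for one deployment, grants the service account only the rights the Amazon FSx self-managed AD documentation lists (reset password, read/write Account Restrictions, validated writes to DNS host name and service principal name, create/delete computer objects), scoped to that OU, and then reads the OU's ACL back so you can audit what was granted. It assumes you run it on the MGMT EC2 Instance as an AWS Delegated Administrator with the RSAT ActiveDirectory module available, that the parent OU is OU=CORP (the default for AWS Managed Microsoft AD), and that dsacls.exe is on the path; the function names are mine.

```powershell
# Added example, not the post's Set-FSxAdObjects.ps1. Assumes RSAT ActiveDirectory module,
# dsacls.exe, and an AWS Delegated Administrator session on the MGMT EC2 Instance.
Import-Module ActiveDirectory

function New-FSxDeploymentObjects {
    param(
        [Parameter(Mandatory)] [string]       $OUName,
        [Parameter(Mandatory)] [string]       $SvcAccountName,
        [Parameter(Mandatory)] [string]       $AdminGroupName,
        [Parameter(Mandatory)] [SecureString] $SvcAccountPw,
        [string] $ParentOU = 'OU=CORP,DC=corp,DC=example,DC=com'   # assumption: AWS Managed AD default OU
    )
    $domain = Get-ADDomain
    $ouDn   = "OU=$OUName,$ParentOU"

    # 1. A dedicated OU: the boundary inside which this file system's computer object is created.
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OUName)" -SearchBase $ParentOU)) {
        New-ADOrganizationalUnit -Name $OUName -Path $ParentOU -ProtectedFromAccidentalDeletion $true
    }

    # 2. A dedicated service account; FSx uses it only to join and maintain its computer object.
    if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$SvcAccountName)")) {
        New-ADUser -Name $SvcAccountName -SamAccountName $SvcAccountName `
            -UserPrincipalName "$SvcAccountName@$($domain.DNSRoot)" -Path $ouDn `
            -AccountPassword $SvcAccountPw -PasswordNeverExpires $true -Enabled $true
    }

    # 3. A dedicated administrators group; its members get admin rights on this file system only.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$AdminGroupName)")) {
        New-ADGroup -Name $AdminGroupName -GroupScope Global -GroupCategory Security -Path $ouDn
    }

    # 4. Least-privilege delegation on this OU only. /I:S applies the ACEs to child objects,
    #    and each grant is restricted to computer objects. Rights follow the FSx documentation
    #    for self-managed AD service accounts; dsacls syntax per Microsoft's dsacls reference.
    $principal = "$($domain.NetBIOSName)\$SvcAccountName"
    $grants = @(
        "${principal}:CA;Reset Password;computer",
        "${principal}:RPWP;Account Restrictions;computer",
        "${principal}:WS;Validated write to DNS host name;computer",
        "${principal}:WS;Validated write to service principal name;computer",
        "${principal}:CCDC;computer"
    )
    foreach ($g in $grants) {
        & dsacls.exe $ouDn /I:S /G $g | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for grant '$g' on $ouDn" }
    }
    return $ouDn
}

function Test-FSxServiceAccountDelegation {
    # Audit: list every ACE on the OU that names the service account. Anything beyond the
    # five computer-scoped grants above is excess privilege worth investigating.
    param([Parameter(Mandatory)] [string] $OUDn, [Parameter(Mandatory)] [string] $SvcAccountName)
    $id  = "$((Get-ADDomain).NetBIOSName)\$SvcAccountName"
    $acl = Get-Acl -Path "AD:\$OUDn"       # AD: drive is provided by the ActiveDirectory module
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $id } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}

# Usage, mirroring deployment A from the post (repeat with the -B names for deployment B):
$pwA = (Get-Credential -Message 'Password for FSxServiceAccount-A' -UserName 'FSxServiceAccount-A').Password
$ouA = New-FSxDeploymentObjects -OUName 'FSx-A' -SvcAccountName 'FSxServiceAccount-A' `
           -AdminGroupName 'FSxAdmins-A' -SvcAccountPw $pwA
Test-FSxServiceAccountDelegation -OUDn $ouA -SvcAccountName 'FSxServiceAccount-A' | Format-Table -AutoSize
```

The audit output is the check to keep: because each service account's ACEs live only on its own OU, FSxServiceAccount-A has no standing in OU=FSx-B and vice versa, which is exactly the blast-radius reduction the post argues for. If you later see rights for the service account at the domain root or on the parent OU, someone delegated more broadly than this design intends.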
Deploy Amazon FSx for Windows File Servers
Next, you will be deploying two Amazon FSx for Windows File Servers using the Self-managed Microsoft Active Directory Windows authentication option. Prior to the deployment, you will need to get some information from the AWS Managed Microsoft AD.
Get AWS Managed Microsoft AD DNS IP Addresses
- In the AWS Directory Service console navigation pane, choose Directories.
- Choose Directory ID of the AWS Managed Microsoft AD.
- Take note of the DNS address values in the Networking details section on the Networking & security tab of your directory, shown in Figure 2:
Figure 2: AWS Managed Microsoft AD DNS IPs
Deploy the first Amazon FSx for Windows File Server
You can find the detailed Amazon FSx for Windows File Server deployment steps in the documentation. Follow those steps until you reach the Windows authentication options step.
The Windows authentication options step (at the time of this writing, step 12) in the deployment procedure covers these settings. Input the following items (shown in Figure 3):
- For Choose an Active Directory to provide user authentication and access control for your file system, choose Self-managed Microsoft Active Directory.
- For Active Directory domain name, enter the domain name you are using for this example. In my example, it is corp.example.com.
- For DNS server IP addresses, enter the DNS IP addresses of your AWS Managed Microsoft AD that you noted in the previous section.
- For Service account username, enter FSxServiceAccount-A
- For Service account password and Confirm password, enter the password you set for FSxServiceAccount-A when you created the service accounts.
- For Organizational Unit (OU) within which you want to join your file system – optional, enter the distinguished name of the first OU you created, FSx-A. In my example, this value is OU=FSx-A,OU=CORP,DC=corp,DC=example,DC=com. If your AWS Managed Microsoft AD directory has a different DNS name, this value will differ.
- For Delegated file system administrators group – optional, enter FSxAdmins-A.
Figure 3: Amazon FSx for Windows File Server Windows Authentication Options
Repeat steps 1-7 for the second Amazon FSx for Windows File Server deployment, changing the service account username, Organizational Unit, and delegated file system administrators’ group name so that they end in -B instead of -A:
- For Service account username, enter FSxServiceAccount-B.
- For Service account password and Confirm password, enter the password you set for FSxServiceAccount-B when you created the service accounts.
- For Organizational Unit (OU) within which you want to join your file system – optional, enter the distinguished name of the second OU you created, FSx-B. In my example, this value is OU=FSx-B,OU=CORP,DC=corp,DC=example,DC=com. If your AWS Managed Microsoft AD directory has a different DNS name, this value will differ.
- For Delegated file system administrators group – optional, enter FSxAdmins-B.
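The console steps above can also be scripted, which is useful when you have more than two teams or want the deployment to be repeatable. The following is an added example, not from the post, that retrieves the directory's DNS IP addresses with the AWS CLI (the same values Figure 2 shows) and then creates both file systems with the Self-managed Microsoft Active Directory option, passing the same domain name, OU distinguished name, administrators group and service account as the console procedure. It assumes the AWS CLI is installed on the MGMT EC2 Instance with permission to call ds:DescribeDirectories and fsx:CreateFileSystem, and that you replace the placeholder directory, subnet and security group IDs; the field names are those of the FSx CreateFileSystem API (SelfManagedActiveDirectoryConfiguration), and the function names are mine.

```powershell
# Added example, not from the post. Assumes AWS CLI v2 and an instance role/profile allowed to call
# ds:DescribeDirectories and fsx:CreateFileSystem. Replace the three placeholder IDs with your own.
$DirectoryId     = 'd-PLACEHOLDER'     # placeholder: your AWS Managed Microsoft AD directory ID
$SubnetId        = 'subnet-PLACEHOLDER' # placeholder: a subnet that can reach the directory
$SecurityGroupId = 'sg-PLACEHOLDER'     # placeholder: security group for the file system ENIs
$DomainName      = 'corp.example.com'
$ParentOU        = 'OU=CORP,DC=corp,DC=example,DC=com'

function Get-ManagedAdDnsIps {
    # Returns the directory's DNS IP addresses (what the console shows under DNS address).
    param([Parameter(Mandatory)] [string] $DirectoryId)
    $json = aws ds describe-directories --directory-ids $DirectoryId --output json
    if ($LASTEXITCODE -ne 0) { throw "describe-directories failed for $DirectoryId" }
    $dir = $json | ConvertFrom-Json
    if (-not $dir.DirectoryDescriptions) { throw "Directory $DirectoryId not found" }
    return @($dir.DirectoryDescriptions[0].DnsIpAddrs)
}

function New-FSxWithSelfManagedAd {
    param(
        [Parameter(Mandatory)] [string]       $Suffix,        # 'A' or 'B', matching the post's naming
        [Parameter(Mandatory)] [string[]]     $DnsIps,
        [Parameter(Mandatory)] [pscredential] $SvcCredential  # FSxServiceAccount-<Suffix> and its password
    )
    # CreateFileSystem needs the service account password in clear text. Passing the request as a
    # JSON file (deleted afterwards) keeps the secret off the command line and out of shell history.
    $request = @{
        FileSystemType   = 'WINDOWS'
        StorageCapacity  = 32
        StorageType      = 'SSD'
        SubnetIds        = @($SubnetId)
        SecurityGroupIds = @($SecurityGroupId)
        WindowsConfiguration = @{
            DeploymentType     = 'SINGLE_AZ_2'
            ThroughputCapacity = 32
            SelfManagedActiveDirectoryConfiguration = @{
                DomainName                          = $DomainName
                DnsIps                              = $DnsIps
                OrganizationalUnitDistinguishedName = "OU=FSx-$Suffix,$ParentOU"
                FileSystemAdministratorsGroup       = "FSxAdmins-$Suffix"
                UserName                            = $SvcCredential.UserName
                Password                            = $SvcCredential.GetNetworkCredential().Password
            }
        }
        Tags = @(@{ Key = 'Name'; Value = "FSx-$Suffix" })
    }
    $tmp = New-TemporaryFile
    try {
        $request | ConvertTo-Json -Depth 6 | Set-Content -Path $tmp.FullName -Encoding ascii
        $json = aws fsx create-file-system --cli-input-json "file://$($tmp.FullName)" --output json
        if ($LASTEXITCODE -ne 0) { throw "create-file-system failed for FSx-$Suffix" }
        return ($json | ConvertFrom-Json).FileSystem.FileSystemId
    } finally {
        Remove-Item -Path $tmp.FullName -Force   # never leave the password on disk
    }
}

# Deploy both file systems; each prompt asks for the password set when the service accounts were created.
$dnsIps = Get-ManagedAdDnsIps -DirectoryId $DirectoryId
foreach ($s in 'A', 'B') {
    $cred = Get-Credential -Message "Password for FSxServiceAccount-$s" -UserName "FSxServiceAccount-$s"
    $id   = New-FSxWithSelfManagedAd -Suffix $s -DnsIps $dnsIps -SvcCredential $cred
    Write-Host "FSx-$s is being created as $id; check progress with: aws fsx describe-file-systems --file-system-ids $id"
}
```

Each file system is created with a different service account, OU and administrators group, so the lifecycle status moving to AVAILABLE for FSx-B is also a confirmation that FSxServiceAccount-B's delegation on OU=FSx-B was sufficient on its own, without any rights on OU=FSx-A. If creation fails with a domain-join error, the first things to compare against this script are the OU distinguished name and the DNS IPs, since those are the values that differ between the two authentication options.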
Summary
Now that you have integrated your Amazon FSx for Windows File Server deployments with AWS Managed Microsoft AD using the Self-managed Microsoft Active Directory Windows authentication option, you can delegate administrative access to each file system individually as needed.
In summary, we answered the question, “What can a customer do if they want to have different sets of users or groups manage individual Amazon FSx for Windows File Server deployments?” by explaining how you can choose a different Amazon FSx for Windows File Server Windows authentication option for AWS Managed Microsoft AD directories.