AWS Storage Blog

Integrating Amazon FSx for NetApp ONTAP and Amazon FSx for Windows File Server with Microsoft Entra ID

Organizations are increasingly adopting cloud-based identity solutions to reduce infrastructure overhead and improve their security posture. For customers running file workloads on AWS, both Amazon FSx for NetApp ONTAP and Amazon FSx for Windows File Server require joining a Microsoft Active Directory domain to serve SMB file shares and support Windows-based authentication. When customers have retired their Active Directory (AD) in favor of Microsoft Entra ID, neither FSx for NetApp ONTAP nor FSx for Windows File Server can authenticate directly against it. Deploying a standalone AD just to support these services defeats the purpose of cloud consolidation and creates identity silos.

Microsoft Entra Domain Services provides managed domain services that automatically sync with Entra ID, exposing traditional AD protocols while maintaining a single identity source—effectively acting as a bridge between Amazon FSx and Entra ID.

In this post, you will learn how to connect FSx for NetApp ONTAP and FSx for Windows File Server to Entra ID on Azure using Entra Domain Services. The solution presented is designed for cloud architects and storage administrators managing multi-cloud environments who need secure integration between AWS storage services and Azure-based identity management.

Solution overview

Figure 1 shows the high-level architecture for integrating FSx for NetApp ONTAP or FSx for Windows File Server on AWS with Entra Domain Services.

Hybrid architecture diagram showing Microsoft Entra ID integration with Amazon FSx through a site-to-site VPN connection between Azure and AWS.

Figure 1: Reference Architecture: Entra ID Integration with Amazon FSx

The workflow consists of the following key steps:

  1. Users, groups, and password hashes are synchronized from Entra ID to managed domain controllers.
  2. A domain-joined virtual machine (VM) is used to configure DNS PTR records, manage organizational units (OUs), and validate the AD sync.
  3. An encrypted tunnel bridges Azure Virtual Network and Amazon Virtual Private Cloud (Amazon VPC).
  4. LDAP, Kerberos, and NTLM protocols are made available over the VPN tunnel. An Amazon FSx storage virtual machine (SVM) or FSx for Windows File Server instance joins the Entra Domain Services managed domain using Kerberos or LDAP.
  5. DNS queries for the managed domain (for example, fsxblog.local) are forwarded through the VPN to Entra Domain Services.
  6. Windows desktop joins the Entra Domain Services managed domain using Kerberos or LDAP.
  7. Users authenticate with Entra ID credentials to access SMB shares; admins manage SMB configuration.

Microsoft Entra Domain Services acts as a bridge between Entra ID and Amazon FSx. It deploys managed domain controllers that synchronize users, groups, and credentials from your Entra ID tenant and expose traditional Active Directory protocols (LDAP, Kerberos, NTLM) that Amazon FSx requires for SMB authentication. The site-to-site VPN connects your Azure Virtual Network to your VPC, enabling the Amazon FSx SVM or FSx for Windows instance to join the Entra Domain Services managed domain and authenticate users over SMB. Synchronization from Entra ID to Entra Domain Services is one-way and automatic—password changes propagate without manual intervention. In the following sections, we walk through the steps to integrate Amazon FSx with Entra ID:

  1. Configure reverse DNS pointer (PTR) records for Entra Domain Services (only needed for FSx for NetApp ONTAP).
  2. Create an FSx for NetApp ONTAP or FSx for Windows File Server file system.
  3. If using FSx for NetApp ONTAP:
    • Create an SVM and join the SVM to the Entra Domain Services managed domain.
    • Create a CIFS server on FSx for NetApp ONTAP.
  4. If using FSx for Windows File Server:
    • Join the FSx for Windows File Server instance to the Entra Domain Services managed domain during the creation of the file system.
  5. Map the SMB share on an Amazon EC2 Windows instance to validate authentication.

Prerequisites

Make sure the following Azure resources are preconfigured before you begin:

You must also set up the following AWS resources:

Configure reverse DNS (PTR) records for Entra Domain Services

For Amazon FSx to successfully join the Entra Domain Services managed domain (Figure 2), you must configure reverse DNS pointer (PTR) records that map the domain controller IP addresses back to their fully qualified domain names:

  1. Connect to the Azure MGMT VM that is joined to the Entra Domain Services domain using Remote Desktop.
  2. Open Server Manager as a domain administrator. Navigate to Tools and choose DNS.
  3. In the Azure portal, navigate to your Entra Domain Services instance. Note the two domain controller IP addresses (for example, 10.1.0.4 and 10.1.0.5).
  4. Create the reverse lookup zone:
    1. In DNS Manager, choose (right-click) Reverse Lookup Zones and choose New Zone.
    2. Select Primary zone and select Store the zone in Active Directory.
  5. Choose To all DNS servers running on domain controllers in this domain.
  6. Select IPv4 Reverse Lookup Zone.
  7. Enter the network ID (for example, 10.1.0 for a 10.1.0.0/24 subnet). Allow only secure dynamic updates.
  8. Create the PTR records:
    1. Expand Reverse Lookup Zones and select your zone.
    2. Choose (right-click) the zone and choose New Pointer (PTR).
    3. Enter the first domain controller IP address (for example, 10.1.0.4) and the FQDN (for example, DC1.fsxblog.local).
    4. Choose OK.
    5. Repeat these steps for the second domain controller.

DNS Manager console showing forward and reverse lookup zones configured for the fsxblog.local Active Directory domain.

Figure 2: Domain Services reverse DNS configuration

  9. Verify the PTR records:
    1. Open PowerShell on the Azure MGMT VM.
    2. Run nslookup <DomainController-IP-address>.
    3. Confirm it returns the correct FQDN for each domain controller.

The reverse DNS configuration is now complete and Amazon FSx can perform the necessary DNS lookups during domain join operations.
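The same zone and PTR configuration, scripted from the domain-joined MGMT VM and followed by the verification check, as an added example that is not part of the original post. It assumes the values used above (domain fsxblog.local, domain controllers DC1/DC2 at 10.1.0.4 and 10.1.0.5, subnet 10.1.0.0/24), that the RSAT DnsServer module is installed on the VM, and that one managed domain controller is used as the DNS server to administer.

```powershell
# Added example (not from the original post). Creates the AD-integrated reverse
# lookup zone and one PTR record per managed domain controller, then verifies
# that every DC IP resolves back to the expected FQDN.
Import-Module DnsServer

$Domain    = 'fsxblog.local'                 # assumed managed domain name
$Subnet    = '10.1.0.0/24'                   # assumed network ID of the DC subnet
$Zone      = '0.1.10.in-addr.arpa'           # reverse zone name for 10.1.0.0/24
$DnsServer = '10.1.0.4'                      # assumed managed DC to administer
$Dcs       = @{ '10.1.0.4' = "DC1.$Domain"; '10.1.0.5' = "DC2.$Domain" }

# 1. Reverse lookup zone: primary, stored in AD, replicated to all DNS servers on
#    domain controllers in this domain, secure dynamic updates only.
if (-not (Get-DnsServerZone -ComputerName $DnsServer -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $DnsServer -NetworkId $Subnet `
        -ReplicationScope Domain -DynamicUpdate Secure
}

# 2. One PTR record per DC. The record name is the host octet of the address
#    (10.1.0.4 inside 0.1.10.in-addr.arpa is the record named "4").
foreach ($ip in $Dcs.Keys) {
    $name = $ip.Split('.')[3]
    $exists = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
        -Name $name -RRType Ptr -ErrorAction SilentlyContinue
    if (-not $exists) {
        Add-DnsServerResourceRecordPtr -ComputerName $DnsServer -ZoneName $Zone `
            -Name $name -PtrDomainName $Dcs[$ip]
    }
}

# 3. Verify (the nslookup step above): each DC IP must resolve to exactly the
#    FQDN recorded for it; any mismatch fails the script so it is not missed.
$failed = $false
foreach ($ip in $Dcs.Keys) {
    $answer = (Resolve-DnsName -Name $ip -Server $DnsServer -ErrorAction SilentlyContinue).NameHost
    if ($answer -and ($answer.TrimEnd('.') -ieq $Dcs[$ip])) {
        Write-Host "OK   $ip -> $answer"
    } else {
        Write-Warning "FAIL $ip -> '$answer' (expected $($Dcs[$ip]))"
        $failed = $true
    }
}
if ($failed) { exit 1 }
```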

FSx for NetApp ONTAP: Create FSx for NetApp ONTAP file system

If you already have an existing file system and SVM, you can skip the creation steps and proceed directly to joining the AD.

Create an FSx for NetApp ONTAP file system and SVM in your VPC that has VPN connectivity to Azure. If using the Amazon FSx console, complete the following steps. For detailed instructions on creating file systems, see Creating file systems.

  1. On the Amazon FSx console, choose Standard create.
  2. In the Network & security section, select the VPC that has VPN connectivity to your Azure Virtual Network.
  3. In the Default storage virtual machine configuration section, choose Join an Active Directory.

Join SVM to Azure AD Domain Services managed domain

To join the AD, provide the following information (Figure 3):

AWS console Active Directory configuration for an Amazon FSx for NetApp ONTAP SVM, showing domain join settings with AWS Secrets Manager credentials.

Figure 3: FSx for NetApp ONTAP Active Directory settings

Review your configuration settings, then choose Next and proceed with the file system creation. The file system creation typically takes 20–40 minutes. Wait until the status shows Available.

FSx for NetApp ONTAP: Create CIFS server

After you create and join the SVM to Active Directory, create a CIFS server to enable SMB file sharing (Figure 4). You can create the CIFS server using the NetApp ONTAP CLI from a PowerShell terminal on your Windows EC2 instance. To connect to the NetApp ONTAP management endpoint from the Windows instance, complete the following steps:

  1. Connect to your Windows EC2 instance using Remote Desktop or Session Manager, a capability of AWS Systems Manager.
  2. Open a PowerShell terminal. Connect to the FSx for NetApp ONTAP management endpoint through SSH:

PS C:\> ssh fsxadmin@<management-endpoint-dns-name>

Replace <management-endpoint-dns-name> with your file system’s management endpoint (found on the Amazon FSx console).

  3. After you log in, use the vserver cifs create ONTAP CLI command to create an SMB server on the SVM. For more details, see Creating an SMB server in a workgroup. For this post, we use VOL1 as the share name.

PowerShell terminal showing SSH connection to Amazon FSx for NetApp ONTAP to create and verify a CIFS SMB share.

Figure 4: CIFS server creation from the ONTAP CLI

FSx for Windows File Server: Create file system

Create an FSx for Windows File Server file system in your VPC that has VPN connectivity to Azure. For detailed instructions on creating file systems, see Getting started with Amazon FSx for Windows File Server.

To create an FSx for Windows File Server file system, complete the following steps:

  1. On the Amazon FSx console, choose Create file system.
  2. Choose FSx for Windows File Server, then choose Next.
  3. On the Create file system page, provide the following information:
    1. Creation method: Select Standard Create to view all available options.
    2. File system name: Enter a name for your file system (for example, fs-fsxw-blog-01).
    3. Deployment type: Choose your preferred deployment type.
    4. Storage Class: Select between SSD or HDD storage class.
    5. SSD / HDD storage capacity: Specify the storage capacity for your file system.
    6. Throughput capacity: Choose the required throughput capacity.
    7. VPC: Select the VPC that has VPN connectivity to your Azure Virtual Network.
    8. Security Group: Select the VPC Security Group to associate with the file system’s network interface.
    9. Subnet: Specify the subnet in which your file system’s network interface resides.
    10. Network type: Select IPv4 or Dual-stack networking.
    11. Windows Authentication: Select Self-managed Microsoft Active Directory.
    12. Active Directory domain name: Enter your Entra Domain Services domain name (for example, fsxblog.local).
    13. DNS server IP addresses: Enter the IP addresses of your Entra Domain Services domain controllers, separated by commas (for example, 10.1.0.4,10.1.0.5).
    14. Credentials: Use Secrets Manager and provide the AWS secret ARN. For more information, see Storing Active Directory credentials using AWS Secrets Manager.
    15. Service account username: Enter your Entra ID domain administrator account.
    16. Service account password: Enter the password for the service account.
    17. Organizational Unit (OU): (Optional) Specify a custom OU (for example, OU=AADDC Computers,DC=fsxblog,DC=local).
    18. Delegated file system administrators group: (Optional) Specify an Active Directory group for delegated administration (for example, AAD DC Administrators).

AWS console Windows authentication configuration for Amazon FSx for Windows File Server, showing self-managed Active Directory settings with AWS Secrets Manager credentials.

Figure 5: FSx for Windows File Server Active Directory settings

  4. Review and choose Next.

After you confirm the details of the new file system, the creation and domain join process takes approximately 15–30 minutes.

Validate deployment

Validate that Entra ID users can authenticate and access Amazon FSx shares by mapping a network drive from your Windows EC2 instance:

  1. If using FSx for NetApp ONTAP:
    1. On the Amazon FSx console, navigate to your file system.
    2. On the Storage virtual machines tab, select your SVM.
    3. On the Endpoints tab, note the SMB DNS name.
  2. If using FSx for Windows File Server:
    1. On the Amazon FSx console, navigate to your file system.
    2. On the Network & security tab, note the DNS name.
  3. Connect to your Windows EC2 instance using Remote Desktop or Session Manager.
  4. Open File Explorer and choose This PC.
  5. Choose Map network drive from the toolbar.
  6. In the Map Network Drive dialog box (Figure 6):
    • Drive: Select an available drive letter
    • Folder: Enter \\<smb-dns-name or dns-name>\<share-name>.

For example, if using FSx for NetApp ONTAP, use the SMB DNS name: \\svm-01234567890abcdef.fs-01234567890abcdef.fsx.us-east-1.amazonaws.com\vol1. If using FSx for Windows File Server, use the DNS name: \\amznfsxigfezn7k.fsxblog.local\share.

  7. Select Connect using different credentials and specify an Entra ID user account.
  8. Choose OK.

Windows EC2 instance showing a mapped SMB network drive from Amazon FSx for NetApp ONTAP with the VOL1 share properties dialog displaying 972 GB capacity on NTFS.

Figure 6: Mapping the network drive from Windows Desktop

The network drive is now mapped and accessible. You have successfully validated that Entra ID users can authenticate to Amazon FSx (FSx for NetApp ONTAP or FSx for Windows File Server) through Entra Domain Services.
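The same validation from the Windows EC2 instance, scripted so that the dependencies the domain join and SMB authentication rely on (DNS forwarding for the managed domain and reachability of the Kerberos, LDAP and SMB ports over the VPN) are checked before the share is mapped. This is an added example, not part of the original post; it assumes the domain fsxblog.local, domain controllers at 10.1.0.4 and 10.1.0.5, the sample SMB DNS name from above and the share vol1.

```powershell
# Added example (not from the original post). Run on the Windows EC2 instance.
$Domain  = 'fsxblog.local'                                    # assumed managed domain
$Dcs     = '10.1.0.4', '10.1.0.5'                             # assumed DC addresses
$SmbHost = 'svm-01234567890abcdef.fs-01234567890abcdef.fsx.us-east-1.amazonaws.com'
$Share   = "\\$SmbHost\vol1"                                  # assumed share

# 1. DNS forwarding (workflow step 5): the VPC resolver must hand back the managed
#    DCs for the domain's LDAP SRV record, otherwise Kerberos cannot find a KDC.
$srv = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop
$targets = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget
"SRV targets for ${Domain}: " + ($targets -join ', ')

# 2. Reachability over the VPN: Kerberos (88), LDAP (389) and SMB (445) on each
#    DC, plus SMB (445) on the file server. A BLOCKED line points at the security
#    group, NSG or route table, not at the identity configuration.
$checks = foreach ($dc in $Dcs) { foreach ($p in 88, 389, 445) { @{ Host = $dc; Port = $p } } }
$checks += @{ Host = $SmbHost; Port = 445 }
foreach ($c in $checks) {
    $ok = (Test-NetConnection -ComputerName $c.Host -Port $c.Port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-72} {1,5}  {2}' -f $c.Host, $c.Port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 3. Map the share with an Entra ID user ("Connect using different credentials").
#    Prompting keeps the password out of the script and the shell history.
$cred = Get-Credential -Message "Entra ID user for $Share"
New-PSDrive -Name Z -PSProvider FileSystem -Root $Share -Credential $cred -Persist | Out-Null

# 4. Confirm the mapping is live and list a few entries to prove the user is
#    authorized, not merely authenticated.
Get-SmbMapping | Where-Object { $_.RemotePath -ieq $Share } |
    Select-Object LocalPath, RemotePath, Status
Get-ChildItem -Path 'Z:\' | Select-Object -First 5 Name, LastWriteTime
```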

Clean up

To avoid incurring additional charges, delete the created resources:

  • MGMT Azure VM
  • EC2 Windows VM
  • FSx for NetApp file system or FSx for Windows File Server instance
  • Entra Domain Services

Conclusion

In this post, we demonstrated how to integrate FSx for NetApp ONTAP or FSx for Windows File Server on AWS with Entra ID using Entra Domain Services. We established site-to-site VPN connectivity between Azure and AWS, deployed Entra Domain Services synchronized with Entra ID, and configured DNS pointer records for proper domain resolution. We then deployed an FSx for NetApp ONTAP file system, joined the storage virtual machine to the Entra Domain Services managed domain, and created a CIFS server for SMB access. We also created an FSx for Windows File Server instance and joined it to the Entra Domain Services managed domain. Finally, we validated that Entra ID users can authenticate and mount Amazon FSx file shares using their cloud-based credentials. This solution removes the need for on-premises Active Directory infrastructure while maintaining full SMB protocol support for FSx for NetApp ONTAP or FSx for Windows File Server. Organizations can now consolidate identity management in Entra ID while using enterprise-grade NetApp ONTAP or FSx for Windows File Server storage on AWS. If you have questions or comments, leave them in the comments section.

Pierre Gueant

Pierre Guéant is a Senior Storage Specialist Solutions Architect at AWS, where he helps customers design and implement storage solutions including Amazon FSx and Amazon S3. Before joining AWS, Pierre built deep expertise in enterprise data management and hybrid cloud environments. In his spare time, Pierre can be found rock climbing — and convincing unsuspecting colleagues to join him on the wall — because scaling isn't just a work thing.

Andrew Peng

Andrew Peng is a Senior Storage Specialist Solutions Architect at AWS, where he works with file storage services such as Amazon FSx for Windows File Server. Before joining AWS, Andrew was an ISS Flight Controller, ISS Instructor, and Principal Engineer at NASA. In his spare time, Andrew enjoys voiding warranties on cars, experimenting with open-source technology, and building impractical projects with hilariously overpowered enterprise hardware.

Alexis Roger

Alexis Roger is a Specialist Solutions Architect for Infrastructure Migration and Modernization at AWS, with over 20 years of IT experience. He works with customers in France to design and implement cloud migration strategies, helping them modernize legacy infrastructure and optimize workloads on AWS. In his spare time, Alexis applies his architecture skills to home automation — whether it's optimizing his robot mower's patrol routes or fine-tuning pool chemistry with the precision of a well-designed migration plan.