AWS Storage Blog

Using Amazon FSx for Windows File Server with an on-premises Active Directory

Customers looking to move their on-premises file storage to the cloud or join to self-managed directories seek to do so with minimal disruption to their applications and workloads. For some, this means extending their existing Active Directory environment for an easy lift-and-shift without modifying their existing applications and file-level security settings.

Amazon FSx for Windows File Server (Amazon FSx) provides a native Microsoft Windows file system that enables you to move your Windows-based applications that require shared storage to AWS. Built on Windows Server, Amazon FSx is fully managed and natively supports the SMB protocol, Windows NTFS, and Microsoft Active Directory.

Last year, we launched a significant enterprise-ready enhancement to Amazon FSx: it is now possible to join an Amazon FSx file server into a self-managed Active Directory forest. Previously, Amazon FSx file servers could only be joined to an AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). This added functionality offers a greater flexibility for migrating Windows file shares to the cloud, as well as easier administration of the content deployed in Amazon FSx.

In this post, I walk you through creating an Amazon FSx file server that is joined to a customer managed Active Directory. This directory can be deployed on premises or in Amazon Virtual Private Cloud (Amazon VPC).

Prerequisites

For more information about prerequisites, visit the Amazon FSx User Guide.

  1. You are the Domain Administrator in your on-premises or self-managed Active Directory. The address space where this Active Directory is deployed should fall within the following private IP address ranges:

     10.0.0.0–10.255.255.255 (10/8 prefix)

     172.16.0.0–172.31.255.255 (172.16/12 prefix)

     192.168.0.0–192.168.255.255 (192.168/16 prefix)

  2. Amazon VPC with at least one subnet.
  3. VPC security group rules and domain controller firewall rules that allow traffic between your Amazon FSx file system and your self-managed Active Directory domain controllers.
  4. At least one, but no more than two, DNS server addresses that can be used for Active Directory name resolution. Most likely these are Active Directory DNS servers.
  5. As a best practice, consider using the fsxservice account, which is used to join the Amazon FSx file server to the self-managed Active Directory. For more details, refer to the best practices documentation.
  6. The FSxAdmins group: the group that is delegated the permissions necessary to perform Amazon FSx administrative functions (optional). If you do not have this group, the Domain Admins group is delegated the required permissions.
  7. Organizational Unit where the Amazon FSx file servers are deployed (optional).

Perform the following steps:

  1. Log in to the Amazon FSx console at https://console.aws.amazon.com/fsx.
  2. Select Create File System.
  3. On Select File System Type, select Amazon FSx for Windows File Server and choose Next.
  4. Fill in the required information about the size, name, network, and security groups. Select Self-Managed Microsoft Active Directory in the Windows Authentication section.
  5. Provide the required information about your Active Directory (as shown in the following screenshot).

Self-managed Microsoft Active Directory - provide the required details

  6. Choose Next and then Create File System on the next page.

After the file system is created, you can verify that it is indeed part of the self-managed Active Directory by opening the Network & Security tab:

After the file system is created, verify that it is part of the self-managed Active Directory by opening the Network & Security tab

Here you can update the DNS server IP addresses and the service account credentials by choosing the Update button.

Using AWS CLI to create an Amazon FSx for Windows File Server joined to the self-managed Active Directory

  1. On the Windows computer, install the latest version of the AWS Command Line Interface (AWS CLI) and configure the required security credentials. For more information on installing the AWS CLI, refer to the AWS CLI documentation.
  2. Open a Windows command prompt.
  3. The following command deploys an Amazon FSx file server in the us-east-2 Region and joins it to the self-managed Active Directory with the DNS name corp.com, with the Name tag set to FSX23:

aws --region us-east-2 fsx create-file-system --file-system-type WINDOWS --storage-capacity 300 --security-group-ids sg-026491be633efda94 --subnet-ids subnet-0424772e5baebc793 --tags Key=Name,Value=FSX23 --windows-configuration ThroughputCapacity=8,SelfManagedActiveDirectoryConfiguration="{DomainName=\"corp.com\",OrganizationalUnitDistinguishedName=\"OU=FileSystems,DC=corp,DC=com\",FileSystemAdministratorsGroup=\"FSXAdmins\",UserName=\"fsxservice\",Password=\"Password\",DnsIps=[\"10.0.0.57\"]}"

Note the syntax for escaping characters when using the AWS CLI from a Windows command prompt: the whole structure is wrapped in double quotes and every inner double quote is escaped with a backslash. For more information about AWS CLI syntax on different operating systems, check the AWS CLI documentation.
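Added example, not code from the original post: the same create-file-system request built in PowerShell and passed with the AWS CLI's `--cli-input-json` option, which sidesteps the escaping problem above, checks the DNS server prerequisites (one or two addresses, each inside the private ranges listed earlier), and prompts for the fsxservice password instead of placing it on the command line. The IDs and names are the post's own sample values; `Test-PrivateIPv4` is a helper defined here.

```powershell
# Added example (not from the original post). Builds the create-file-system request as
# JSON so no cmd.exe quote escaping is needed, after validating the DNS prerequisites.

function Test-PrivateIPv4 {
    # True when $Address falls inside 10/8, 172.16/12 or 192.168/16.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

$DnsIps = @('10.0.0.57')   # the post's sample AD DNS server
if ($DnsIps.Count -lt 1 -or $DnsIps.Count -gt 2) { throw 'Provide one or two DNS server IPs.' }
foreach ($ip in $DnsIps) {
    if (-not (Test-PrivateIPv4 $ip)) { throw "DNS server $ip is not in a private address range." }
}

# Prompt for the service account password rather than embedding it in the command (and shell history).
$svc = Get-Credential -UserName 'fsxservice' -Message 'Password for the FSx service account'

$request = @{
    FileSystemType   = 'WINDOWS'
    StorageCapacity  = 300
    SecurityGroupIds = @('sg-026491be633efda94')
    SubnetIds        = @('subnet-0424772e5baebc793')
    Tags             = @(@{ Key = 'Name'; Value = 'FSX23' })
    WindowsConfiguration = @{
        ThroughputCapacity = 8
        SelfManagedActiveDirectoryConfiguration = @{
            DomainName                          = 'corp.com'
            OrganizationalUnitDistinguishedName = 'OU=FileSystems,DC=corp,DC=com'
            FileSystemAdministratorsGroup       = 'FSXAdmins'
            UserName                            = $svc.UserName
            Password                            = $svc.GetNetworkCredential().Password
            DnsIps                              = $DnsIps
        }
    }
}

# Write the request to a temporary file, submit it, then delete the file: it holds the password.
$jsonPath = Join-Path $env:TEMP 'fsx-create.json'
$request | ConvertTo-Json -Depth 6 | Set-Content -Path $jsonPath -Encoding ascii
aws --region us-east-2 fsx create-file-system --cli-input-json "file://$jsonPath"
Remove-Item -Path $jsonPath
```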

Once the file system is created, you can find the DNS name of the Amazon FSx file server in the Amazon FSx console by opening the Network & Security tab, as shown in the previous screenshot.

You can also get the information about the Amazon FSx file system by using the AWS CLI:

aws fsx describe-file-systems --region us-east-2 --file-system-ids fs-07e2369897f233261

The output of the command in the preceding example looks similar to this:

The output of the command in the preceding example

Creating custom file shares using MMC Snap-in

By default, a share named Share is created on the Amazon FSx file server. Members of the delegated Amazon FSx Administrators group have Full Control over the default Share. If no delegated Amazon FSx Administrators group was specified when the Amazon FSx file system was created, members of the self-managed Active Directory Domain Admins group have Full Control.

Members of the Amazon FSx Administrators group (or Domain Admins) can create additional custom shares off the root of the ‘Drive D:’ on the Amazon FSx file server following these steps:

  1. On a member server joined to the self-managed Active Directory, log in with an account that is a member of both the Amazon FSx Administrators group and the local Administrators group.
  2. Open the Shared Folders MMC snap-in, fsmgmt.msc.
  3. Right-click Shared Folders and choose Connect to another computer.
  4. Provide the DNS name of the Amazon FSx file server obtained from the Amazon FSx console:

Provide the DNS name of the Amazon FSx file server obtained from the Amazon FSx Console

  5. Right-click Shares and choose New Share, then complete the Create New Share Wizard to create a new share anywhere on drive D:\ of the Amazon FSx file server.
  6. After the share is created, you can connect to it using Windows Explorer or the NET USE command from any computer in your organization.

Creating custom file shares using Windows remote PowerShell endpoint

We recently introduced the Windows Remote PowerShell Endpoint, which allows administrators to perform remote management of Amazon FSx file servers using PowerShell cmdlets. The Remote PowerShell Endpoint can be found in the Network & Security tab of the Amazon FSx file system.

The following set of PowerShell cmdlets creates a new share on the Amazon FSx file server:

md \\amznfsxnzgqbmfi.corp.com\d$\CustomShare

enter-pssession -ComputerName amznfsxnzgqbmfi.corp.com -ConfigurationName FsxRemoteAdmin

New-FSxSmbShare -Name "New Custom Share" -Path "D:\CustomShare" -Description "Custom share"

For the above share, amznfsxnzgqbmfi.corp.com is the Remote PowerShell Endpoint.

The New-SmbShare cmdlet prompts for credentials with permissions to administer the Amazon FSx file system:

The New-SmbShare cmdlet prompts for credentials with permissions to administer the Amazon FSx file system


The following script creates the file share CAFS on the Amazon FSx file server and grants Everyone Full Access:

md \\amznfsxnzgqbmfi.corp.com\d$\CAFS

# Build a credential object for the FSx administrator account.
$Username = 'corp\fsxadmin'
$Password = 'Password'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$MyCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username,$pass
# Run New-FSxSmbShare on the Remote PowerShell Endpoint (the backtick continues the command on the next line).
invoke-command -computername amznfsxnzgqbmfi.corp.com -credential $MyCreds -configurationname FSxRemoteAdmin `
    -scriptblock { new-fsxsmbshare -name CAFS -path D:\CAFS -credential $Using:MyCreds -FullAccess Everyone }

For more information about using the Amazon FSx CLI for Remote Management on PowerShell, check out the Amazon FSx documentation.
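Added example, not code from the original post: the same CAFS share created through the Remote PowerShell Endpoint, but with the credential prompted for instead of stored in the script, access scoped to specific Active Directory groups instead of Everyone/Full Access, and the resulting access list read back and checked. The group names CORP\CAFS-Users and CORP\CAFS-Readers are assumed; Get-FSxSmbShareAccess and Revoke-FSxSmbShareAccess are the FSx remote-management counterparts of the Windows SmbShare cmdlets of the same names.

```powershell
# Added example (not from the original post): create the CAFS share with least-privilege access
# and verify the result. Group names below are assumed for illustration.

$Endpoint = 'amznfsxnzgqbmfi.corp.com'   # Remote PowerShell Endpoint from the Network & Security tab
$Creds    = Get-Credential -UserName 'corp\fsxadmin' -Message 'FSx administrator credentials'

# Create the folder over SMB with the caller's own credentials, as in the post.
New-Item -ItemType Directory -Path "\\$Endpoint\d`$\CAFS" -Force | Out-Null

$access = Invoke-Command -ComputerName $Endpoint -ConfigurationName FSxRemoteAdmin -Credential $Creds -ScriptBlock {
    # Full control only for the owning group; read-only for consumers of the data.
    New-FSxSmbShare -Name 'CAFS' -Path 'D:\CAFS' -Description 'Customer application files' `
        -FullAccess 'CORP\CAFS-Users' -ReadAccess 'CORP\CAFS-Readers' -Credential $Using:Creds | Out-Null
    # Return the effective share permissions so they can be checked on the calling side.
    Get-FSxSmbShareAccess -Name 'CAFS'
}

# Fail loudly if the share ended up granting anything to Everyone.
if ($access | Where-Object { $_.AccountName -like '*Everyone*' }) {
    throw 'CAFS share grants access to Everyone; remove it with Revoke-FSxSmbShareAccess.'
}
$access | Format-Table AccountName, AccessRight, AccessControlType
```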

Summary

In this blog post, I demonstrated the steps required to join an Amazon FSx file server to a self-managed Active Directory. First, I created a file system and verified that it was part of the self-managed Active Directory. Then I showed you how to use the AWS CLI to create an Amazon FSx file server joined to the self-managed Active Directory. I also introduced the new capabilities for managing Amazon FSx file shares using the Windows Remote PowerShell Endpoint. Customers who use an Amazon FSx file server with an on-premises Active Directory can continue to use the same set of familiar file management tools and operations.

To learn more about using your Amazon FSx for Windows File Server directly with your organization’s self-managed Active Directory, visit the documentation guide. Thank you for reading this post, please leave any questions you have in the comments section!

Boris Nisenbaum

Boris Nisenbaum is a Sr. Solutions Architect at AWS, working on the Specialized Solutions Architecture team. Boris is currently assisting AWS customers with migrating and deploying Microsoft workloads on AWS. Boris has been working with Amazon FSx for Windows File Server since its launch in 2018. Prior to working at AWS, Boris worked at Microsoft.