Error when building FSx server with on-premise AD

0

We are trying to build a file server on AWS FSx Windows Server, with Active Directory on-premise (Azure due to budget concerns). I have followed the tutorial and run it, but cannot build it successfully. I ran the troubleshooting tool and got the following error.

Do you know the cause of the problem?

Test 7 - Validate Admin Group ...
No admin group supplied, defaulting to 'Domain Admins'
WARNING: Please validate service account user has 'Read' permission on both Users and Computers AD containers.
Skipping Validate that provided EC2 Subnets belong to a single AD Site ...
Skipping Validate connectivity with DNS Servers ...
Skipping Validate FSx service user credentials ...
Skipping Validate 'Create Computer Objects' permission ...
Skipping Validate 'Validated write to DNS host name' permission ...
Skipping Validate 'Validated write to service principal name' permission ...
Skipping Validate 'Reset Password' permission ...
Skipping Validate 'This Organization' list children permission ...
Skipping Validate 'Read and write Account Restrictions' permission ...
Skipping Validate 'Delete Computer Objects' permission ...
10 of 17 tests skipped.
FAILURE - Tests failed. Please see error details below:

Name                                Value
----                                -----
UnauthorizedReadOnDefaultContainers @{ServiceAccount=FSx; UsersContainer=CN=Users,
Asked 1 year ago, 460 views
4 answers
0
Accepted answer

We solved the problem by pointing the DNS of the test source EC2 to the Windows Server instance.

Answered 1 year ago
Expert
Reviewed 1 year ago
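The accepted fix is a DNS one: the validation tool runs from an EC2 instance, and if that instance still resolves through the VPC resolver it cannot find the domain's service records, so LDAP reads against the containers fail before any permission is ever evaluated. The following PowerShell, an added example that is not part of the original post, repoints the instance's resolver at the domain controller and then confirms the SRV records the tool and a domain join depend on actually resolve. The domain name example.org and the controller address 10.0.0.10 are placeholders; substitute your own.

```powershell
# Added example, not from the original post. Run on the EC2 instance that will
# execute the FSx AD validation tool. Domain and DC address are placeholders.
$Domain = 'example.org'
$DcIp   = '10.0.0.10'

# 1. Which resolver is the instance using right now? If this is the VPC resolver
#    rather than the domain controller, the private AD zone will not resolve.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Point the active adapter at the domain controller (the change the accepted answer describes).
$Adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $DcIp

# 3. Confirm the SRV records that DC location, LDAP and Kerberos rely on now resolve
#    through that server. A failure here reproduces the tool's symptom without FSx involved.
$Checks = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_ldap._tcp.$Domain"
)
foreach ($Name in $Checks) {
    try {
        $Srv = Resolve-DnsName -Name $Name -Type SRV -Server $DcIp -ErrorAction Stop
        foreach ($Record in ($Srv | Where-Object Type -eq 'SRV')) {
            '{0,-45} -> {1}:{2}' -f $Name, $Record.NameTarget, $Record.Port
        }
    } catch {
        Write-Warning "Could not resolve $Name via ${DcIp}: $($_.Exception.Message)"
    }
}

# 4. Ask the DC locator directly; this fails on bad DNS even when the DC answers ping.
nltest /dsgetdc:$Domain
```

Run the checks in step 3 and 4 before and after step 2: if the SRV lookups only succeed afterwards, the original failure was name resolution, not the service account's ACL, and the tool's permission tests should be re-run rather than the container ACLs changed.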
0

From the error message, it appears that your FSx service account doesn't have the required 'Read' permissions on the default 'Users' containers in Azure Active Directory. Use the Active Directory admin tools to add read permissions (and any other needed permissions) to the users OU for your FSx service account. Right-click on the OU and select "Delegate Control" and follow the prompts to add permission for your service account, and run your tests again.

Good luck; if this helped, please remember to mark this as the accepted answer.

AWS
Answered 1 year ago
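The answer above points at the Delegate Control wizard; the same check and grant can be done from PowerShell, which also makes it easy to confirm that the ACE is really present on both containers the tool names (CN=Users and CN=Computers). This is an added example, not part of the original answer or of the FSx validation tool: it reads each container's DACL through the ActiveDirectory module's AD: drive and, where no explicit Allow entry granting ReadProperty exists for the service account, grants Generic Read with dsacls instead of the GUI wizard. The domain example.org and the account EXAMPLE\FSx are placeholders.

```powershell
# Added example, not from the original post. Run on a domain-joined machine with
# the RSAT ActiveDirectory module, as a user who can read (and, for the grant
# step, modify) the container ACLs. Domain and service account are placeholders.
Import-Module ActiveDirectory
$Domain     = 'example.org'
$Account    = 'EXAMPLE\FSx'              # FSx service account as DOMAIN\sAMAccountName
$DomainDn   = (Get-ADDomain -Identity $Domain).DistinguishedName
$Containers = @("CN=Users,$DomainDn", "CN=Computers,$DomainDn")

function Test-ContainerRead {
    param([string]$Dn, [string]$Identity)
    # Get-Acl on the AD: drive returns the container's DACL. Each entry is an
    # ActiveDirectoryAccessRule; we only look at explicit Allow rules for this
    # identity. Read is often inherited via Authenticated Users, so a 'False'
    # here means "no direct grant", not necessarily "no effective read".
    $Acl   = Get-Acl -Path "AD:\$Dn"
    $Rules = @($Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
    })
    $Denies = @($Acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Deny'
    })
    $HasRead = $Rules | Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
    }
    [pscustomobject]@{
        Container   = $Dn
        Identity    = $Identity
        AllowRules  = $Rules.Count
        DenyRules   = $Denies.Count      # an explicit Deny beats any inherited Allow
        HasRead     = [bool]$HasRead
    }
}

$Results = foreach ($Dn in $Containers) { Test-ContainerRead -Dn $Dn -Identity $Account }
$Results | Format-Table -AutoSize

# Grant Generic Read on each container that has no direct read ACE for the account.
# dsacls /G takes DOMAIN\user:<rights>; GR is Generic Read, the minimum the tool
# asks for on these two containers. Review DenyRules first: a Deny must be removed
# rather than overridden, and dsacls will not do that for you.
foreach ($R in $Results | Where-Object { -not $_.HasRead }) {
    Write-Host "Granting Generic Read on $($R.Container) to $Account"
    dsacls "$($R.Container)" /G "${Account}:GR"
}
```

After the grant, re-run the FSx validation tool from the EC2 instance; the UnauthorizedReadOnDefaultContainers entry should disappear only if the instance can also reach the domain controller over DNS, which is the separate cause the accepted answer identifies.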
0

I thought so too and tried several times, but I get the same error.

Test 6 - Validate organizational unit ...
No organizational unit supplied, defaulting to domain Computers container CN=Computers,DC=<Domain>,DC=org
Default CN=Computers container detected.

DistinguishedName                      Name      ObjectClass ObjectGUID
-----------------                      ----      ----------- ----------
CN=Computers,DC=<Domain>,DC=org Computers container   4cff1d75-0d17-4e8f-bc72-980d549497f0



Test 7 - Validate Admin Group ...
No admin group supplied, defaulting to 'Domain Admins'
WARNING: Please validate service account user has 'Read' permission on both Users and Computers AD containers.
Skipping Validate that provided EC2 Subnets belong to a single AD Site ...
Skipping Validate connectivity with DNS Servers ...
Skipping Validate FSx service user credentials ...
Skipping Validate 'Create Computer Objects' permission ...
Skipping Validate 'Validated write to DNS host name' permission ...
Skipping Validate 'Validated write to service principal name' permission ...
Skipping Validate 'Reset Password' permission ...
Skipping Validate 'This Organization' list children permission ...
Skipping Validate 'Read and write Account Restrictions' permission ...
Skipping Validate 'Delete Computer Objects' permission ...
10 of 17 tests skipped.
FAILURE - Tests failed. Please see error details below:

Name                                Value
----                                -----
UnauthorizedReadOnDefaultContainers @{ServiceAccount=FSx; UsersContainer=CN=Users,DC=<Domain>,DC=org; ComputersContainer=CN=Computers,DC=<Domain>,DC=org}
Answered 1 year ago
0

Specifying a different OU will still require access privileges to Computer and Users.

Answered 1 year ago
