I want to create a Multi-AZ Amazon FSx for Windows File Server share with a self-managed Microsoft Active Directory.
Resolution
To create Multi-AZ or Single-AZ 2 shares, first create a service account, and then delegate the required permissions.
Prerequisites
- The DNS servers for the self-managed Microsoft Active Directory must be reachable within the same virtual private cloud (VPC) that you use for the file share.
- You must be able to create and grant permissions to a service account within the self-managed Microsoft Active Directory.
- You must use a fully qualified domain name (FQDN) for the self-managed Microsoft Active Directory. Single Label Domain isn't supported.
Create a self-managed Microsoft Active Directory user for a service account
- Sign in to the self-managed Microsoft Active Directory server as a domain account with permissions to create users.
- Open Active Directory Users and Computers.
- Open the context (right-click) menu for the organizational unit (OU) where you want to create the service account, and then choose New, and then User.
Note: You can use any OU for the service account. However, to use a different OU to create Amazon FSx objects, the user must have read access to both OUs.
- In the New Object - User dialog box, enter the name and user logon name, and then choose Next.
- Create a password for the user, and then choose Next.
Important: It's a best practice that you do not select Password never expires. This choice can result in a security risk with service accounts that use old passwords. When the Password never expires setting is cleared, the account is subject to the default domain policy. Be sure that you update the service account credentials when the password expires.
- To create the user, choose Finish.
Delegate permissions to the service account
- Open Active Directory Users and Computers.
- Select the OU where you want to create Amazon FSx computer objects. If you don't specify this OU during creation, then the default Domainname\Computers OU is used.
Note: If you don't use the default OU, then note the distinguishedName for a later step. To find this value, in Active Directory Users and Computers, choose View and then choose Advanced Features. Open the context (right-click) menu for the OU that you want to use, and then choose Properties. The distinguishedName appears on the Attribute Editor tab.
- Open the context (right-click) menu for the OU that you use for Amazon FSx, and then choose Delegate Control.
- Choose Next.
- For Selected users and groups, select the service account that you created earlier, and then choose Next.
- Choose Create a custom task to delegate, and then choose Next.
- Choose Only the following objects in the folder, and then select Computer objects.
- Select both Create selected objects in this folder and Delete selected objects in this folder.
- Choose Next.
- For Permissions, select the following:
  - Reset password
  - Read and write account restrictions
  - Validated write to DNS host name
  - Validated write to service principal name
- Choose Next, and then choose Finish.
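The two procedures above (create the service account, then delegate control on the OU) done from PowerShell instead of the console, as an added example that is not part of the AWS article. It uses the ActiveDirectory module (RSAT) on a domain-joined administrative host. The OU paths, the account name and the description are assumptions; replace them with your own. The rights are looked up by their display names in the schema and configuration partitions, and every ACE is limited to computer objects under the FSx OU, so the account receives nothing beyond the four permissions and the create/delete computer-object rights the article lists.

```powershell
# Added example, not part of the AWS article. Creates the service account and
# delegates only the rights the article lists, using the ActiveDirectory module
# (RSAT) from a domain-joined administrative host. The OU paths and the account
# name are assumptions; replace them with your own.
Import-Module ActiveDirectory
$ErrorActionPreference = "Stop"

$Domain      = Get-ADDomain
$ServiceOu   = "OU=Service Accounts,$($Domain.DistinguishedName)"  # assumption: OU for the user
$FsxOu       = "OU=FSx,$($Domain.DistinguishedName)"               # assumption: OU for FSx computer objects
$AccountName = "svc-fsx"                                           # assumption

# 1. Create the service account. PasswordNeverExpires stays at its default ($false),
#    so the account follows the domain password policy as the article recommends.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$($Domain.DNSRoot)" `
    -Path $ServiceOu -AccountPassword $Password -Enabled $true `
    -Description "Amazon FSx for Windows File Server service account"
$Sid = (Get-ADUser -Identity $AccountName).SID

# 2. Resolve the GUIDs of the computer class and of the four rights from the
#    schema and configuration partitions rather than hard-coding them.
$RootDse      = Get-ADRootDSE
$ComputerGuid = [guid](Get-ADObject -SearchBase $RootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID
function Get-RightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$right.rightsGuid
}

# 3. Build the ACEs. Every ACE names the service account's SID, and the four
#    object rights apply only to computer objects below $FsxOu.
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
function New-ComputerAce([string]$Rights, [guid]$RightGuid) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow, $RightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $ComputerGuid)
}
$Rules = @(
    # Create and delete computer objects in this OU
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Sid,
        [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild", $Allow, $ComputerGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    # Reset password (an extended right)
    New-ComputerAce "ExtendedRight" (Get-RightGuid "Reset Password")
    # Read and write account restrictions (a property set)
    New-ComputerAce "ReadProperty, WriteProperty" (Get-RightGuid "Account Restrictions")
    # Validated writes to DNS host name and to service principal name
    New-ComputerAce "Self" (Get-RightGuid "Validated write to DNS host name")
    New-ComputerAce "Self" (Get-RightGuid "Validated write to service principal name")
)

$Acl = Get-Acl -Path "AD:\$FsxOu"
foreach ($rule in $Rules) { $Acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$FsxOu" -AclObject $Acl

# 4. Check: list exactly what the service account now holds on the OU.
(Get-Acl -Path "AD:\$FsxOu").Access |
    Where-Object { $_.IdentityReference.Value -eq "$($Domain.NetBIOSName)\$AccountName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The final check prints the GUIDs rather than the friendly names; the ObjectType column should show the five rights looked up in step 2 and the InheritedObjectType column the computer class GUID on the four object rights. Anything else granted to the account on that OU did not come from this script and is worth reviewing before you hand the credentials to Amazon FSx.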
Create the Amazon FSx for Windows File Server file system
- Open the Amazon FSx console, and then choose Create file system.
- Choose Amazon FSx for Windows File Server, and then choose Next.
- For File system details, choose Deployment type Multi-AZ, and then specify the Storage Capacity and Throughput capacity that you need.
- For Network & security, select the VPC for your self-managed Microsoft Active Directory. Then, select two preferred subnets.
- For Windows authentication, choose Self-managed Microsoft Active Directory, and then enter the details for the service account that you created earlier.
If you don't use the default Computers OU, enter the distinguishedName of the OU that you noted when delegating permissions to the service account.
For Delegated file system administrators group, enter the group name if you don't use the default Domain Admins group.
- For Encryption, use the default settings, or select the encryption options that you want.
- For Backup and maintenance, choose your preferences. Because Amazon FSx fails over to the second server during the normal maintenance window, the default settings won't cause downtime.
- Choose Next.
- Review the Summary.
Important: The summary shows you whether you can edit an attribute after the file system is created. This is your last chance to change any attributes that can't be edited after creation.
- Choose Create file system.
The file system creation begins. The process can take a few hours, depending on the size of the share. When the process is complete, a green banner appears at the top of the Amazon FSx console to show you that the file share is available.
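The same Multi-AZ file system created with the AWS CLI from PowerShell rather than through the console, as an added example that is not part of the AWS article. Every identifier in it (subnet and security group IDs, the domain name and DNS addresses, the OU distinguishedName, the administrators group, capacities and the maintenance window) is a placeholder or an assumption to replace with your own values. The request fields correspond to the console choices above: DeploymentType MULTI_AZ_1 with two subnets and a preferred subnet, and SelfManagedActiveDirectoryConfiguration carrying the FQDN, the DNS servers that must be reachable from the VPC, the OU the service account was delegated on, and the service account credentials.

```powershell
# Added example, not part of the AWS article. Creates the Multi-AZ file system with
# the AWS CLI (v2) from PowerShell. All IDs, names and addresses below are placeholders.
$ErrorActionPreference = "Stop"
$Account  = "svc-fsx"                                   # the service account created earlier (assumption)
$Password = Read-Host -Prompt "Password for $Account" -AsSecureString
$Plain    = [System.Net.NetworkCredential]::new("", $Password).Password

$Request = @{
    FileSystemType   = "WINDOWS"
    StorageType      = "SSD"
    StorageCapacity  = 1024                                    # GiB (assumption)
    SubnetIds        = @("subnet-aaaa1111", "subnet-bbbb2222") # one subnet per AZ (placeholders)
    SecurityGroupIds = @("sg-0123456789abcdef0")               # placeholder
    WindowsConfiguration = @{
        DeploymentType     = "MULTI_AZ_1"
        PreferredSubnetId  = "subnet-aaaa1111"                 # AZ of the active file server
        ThroughputCapacity = 32                                # MB/s (assumption)
        SelfManagedActiveDirectoryConfiguration = @{
            DomainName = "corp.example.com"                    # FQDN; single-label names are not supported
            DnsIps     = @("10.0.0.10", "10.0.1.10")           # AD DNS servers reachable from the VPC
            OrganizationalUnitDistinguishedName = "OU=FSx,DC=corp,DC=example,DC=com"  # OU delegated earlier
            FileSystemAdministratorsGroup = "FSx Admins"       # omit this key to use Domain Admins
            UserName   = $Account
            Password   = $Plain
        }
        WeeklyMaintenanceStartTime   = "7:02:00"               # d:HH:MM, Sunday 02:00 UTC
        AutomaticBackupRetentionDays = 7
    }
}

# --cli-input-json reads from a file; keep it short-lived because it contains the password.
$File = Join-Path $env:TEMP "fsx-create.json"
try {
    $Json = $Request | ConvertTo-Json -Depth 5
    [System.IO.File]::WriteAllText($File, $Json, [System.Text.UTF8Encoding]::new($false))
    $Result = aws fsx create-file-system --cli-input-json "file://$File" | ConvertFrom-Json
} finally {
    Remove-Item -Path $File -Force -ErrorAction SilentlyContinue
}
$FileSystemId = $Result.FileSystem.FileSystemId
"Created $FileSystemId, lifecycle $($Result.FileSystem.Lifecycle)"

# Poll until the file system leaves CREATING (the console shows the same state as a banner).
do {
    Start-Sleep -Seconds 60
    $Fs = (aws fsx describe-file-systems --file-system-ids $FileSystemId | ConvertFrom-Json).FileSystems[0]
    "$($Fs.FileSystemId): $($Fs.Lifecycle)"
} while ($Fs.Lifecycle -eq "CREATING")
```

The password is read interactively and lands on disk only inside the try/finally, which removes the request file whether the call succeeds or not; if you script this unattended, fetch the credential from a secrets store instead of a prompt. A lifecycle of AVAILABLE at the end of the loop corresponds to the green banner in the console; MISCONFIGURED usually points at the Active Directory settings (DNS reachability, the OU, or the delegated permissions) rather than at the network settings.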
Related information
Availability and durability: Single-AZ and Multi-AZ file systems