I want to find out why my Amazon FSx for Windows File Server is in a Misconfigured state.
Short description
An FSx for Windows File Server file system can enter a Misconfigured state when a change is made to your Active Directory environment. In a Misconfigured state, your file system is either currently unavailable or at risk of losing availability, and backups might not succeed.
FSx for Windows File Server can enter a Misconfigured state for any of the following reasons:
- The DNS Server IP addresses are no longer valid.
- The service account credentials are no longer valid or lack the required permissions.
- The Active Directory domain controller isn't reachable because of network connectivity issues. These issues can include VPC security group, VPC network ACL, or routing table configurations that aren't valid, or domain controller firewall settings.
Resolution
Amazon FSx can't reach either the DNS servers or domain controllers for your domain
FSx for Windows File Server can go into a Misconfigured state when it can't communicate with Active Directory domain controllers. To troubleshoot why Amazon FSx can't communicate with an Active Directory domain, complete the following tasks:
After you validate that Amazon FSx can reach your DNS servers or domain controllers, update your Active Directory configuration:
- Open the Amazon FSx console.
- In the navigation pane, choose File systems, and then choose the system you want to update.
- On the File system details page, under Networking and security
- Update the DNS server values, and then choose Update.
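
To support the reachability validation described above, the following added example (not part of the original article or of AWS tooling) lists misconfigured Windows file systems from `aws fsx describe-file-systems` style JSON and probes TCP ports on each configured DNS IP. The sample JSON, the IDs and addresses in it, and the port list are assumptions constructed for illustration.

```python
import json
import socket

# TCP ports commonly required between the file system and AD domain controllers
# (assumption: confirm the list against the current FSx documentation).
AD_TCP_PORTS = (53, 88, 135, 389, 445, 464, 636, 3268, 3269, 9389)

# Constructed sample shaped like `aws fsx describe-file-systems` output.
SAMPLE = json.loads("""{"FileSystems": [
 {"FileSystemId": "fs-EXAMPLE1", "FileSystemType": "WINDOWS",
  "Lifecycle": "MISCONFIGURED", "FailureDetails": {"Message": "constructed message"},
  "WindowsConfiguration": {"SelfManagedActiveDirectoryConfiguration": {
    "UserName": "fsx-svc", "DnsIps": ["10.0.1.10", "10.0.2.10"]}}},
 {"FileSystemId": "fs-EXAMPLE2", "FileSystemType": "WINDOWS", "Lifecycle": "AVAILABLE",
  "WindowsConfiguration": {"SelfManagedActiveDirectoryConfiguration": {
    "UserName": "fsx-svc", "DnsIps": ["10.0.1.10"]}}}]}""")


def misconfigured(describe_output):
    """Return (id, failure message, AD config) per misconfigured Windows file system."""
    found = []
    for fs in describe_output.get("FileSystems", []):
        # startswith also matches MISCONFIGURED_UNAVAILABLE.
        if (fs.get("FileSystemType") != "WINDOWS"
                or not fs.get("Lifecycle", "").startswith("MISCONFIGURED")):
            continue
        ad = fs.get("WindowsConfiguration", {}).get(
            "SelfManagedActiveDirectoryConfiguration", {})
        found.append((fs["FileSystemId"], fs.get("FailureDetails", {}).get("Message", ""), ad))
    return found


def probe(host, ports=AD_TCP_PORTS, timeout=2.0):
    """Attempt a TCP connect to each port; return {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, or no route
            results[port] = False
    return results


if __name__ == "__main__":
    for fs_id, message, ad in misconfigured(SAMPLE):
        print(fs_id, "|", message, "| service account:", ad.get("UserName"))
        for ip in ad.get("DnsIps", []):
            blocked = [p for p, ok in probe(ip).items() if not ok]
            print(f"  {ip}: unreachable TCP ports: {blocked or 'none'}")
```

Run the probe from a host in the same subnets as the file system so that it exercises the same routing and network ACLs. A successful probe from that host does not cover the security group attached to the file system itself, which must still be reviewed separately.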
The service account credentials aren't valid
Amazon FSx can't establish a connection to domain controllers when service account credentials aren't valid. To troubleshoot credentials that aren't valid, review your service account user name and password in your Active Directory. Make sure that the information is correct, and then update the configuration.
The Active Directory domain controller isn't reachable because of network connectivity issues
This error message means that Amazon FSx can't establish a connection to your Microsoft Active Directory domain controllers. This error can occur because the service account provided doesn't have permission to join the file system to the domain. Or, the service account might not have access to the organizational unit (OU).
To connect to your domain controllers, the service account must have permission to join the file system to the domain with the specified OU.
Make sure that the service account has the required permissions on the OU. If the account doesn't have the correct permissions, then assign the permissions to the account.
Important: It's not a best practice to move objects that Amazon FSx creates in the OU after your file system is created. If you move these objects, then you can cause your file system to become misconfigured.