How can I configure self-managed Microsoft AD Multi-AZ Amazon FSx permissions?

5 minute read
0

I want to create a Multi-AZ Amazon FSx for Windows File Server share using a self-managed AWS Directory Service for Microsoft Active Directory. How do I configure permissions to do that?

Resolution

FSx for Windows File Server offers Single-AZ and Multi-AZ file system deployments. With self-managed Microsoft AD, you can build Single-AZ 1 file shares a limited number of times without configuring the permissions. To create Multi-AZ or Single-AZ 2 shares, however, you must create a service account and delegate the required permissions.

Prerequisites

  • DNS servers for the self-managed Microsoft AD must be reachable within the same virtual private cloud (VPC) that you use for the file share.
  • You must be able to create and grant permissions to a service account within the self-managed Microsoft AD.
  • You must use a fully qualified domain name (FQDN) for the self-managed Microsoft AD. Single Label Domain isn’t supported.

Create a self-managed Microsoft AD user

  1. Sign in as a domain account with permissions to create users in self-managed Microsoft AD.
  2. Open Active Directory Users and Computers.
  3. Open the context (right-click) menu for the organizational unit (OU) that you want to create the service account in, and then choose New, User.
    Note: You can use any OU for the service account. If you want to use a different OU to create Amazon FSx objects, the user must have read access to both OUs.
  4. Fill out the New Object – User name and user logon name fields, and then choose Next.
  5. Create a password for the user, and then choose Next.
    Important: It's a best practice to not select Password never expires, as this can result in a security risk with service accounts using old passwords. When Password never expires is cleared, the account is subject to the default domain policy. Be sure to update the service account credentials when the password expires.
  6. Choose Finish to create the user.

Delegate permissions to the service account

  1. Open Active Directory Users and Computers.
  2. Select the OU that you want to create Amazon FSx computer objects in. If you don't specify this during creation, the default Domainname\Computers OU is used.
    Note: If you don't use the default OU, note the distinguishedName for a later step. From Active Directory Users and Computers, choose View, Advanced Features. Open the context (right-click) menu for the OU that you want to use, and then choose Properties. The distinguishedName is available on the Attribute Editor tab.
  3. Open the context (right-click) menu for the OU that you use for Amazon FSx, and then choose Delegate Control.
  4. Choose Next.
  5. For Selected users and groups, select the service account that you created above, and then choose Next.
  6. Choose Create a custom task to delegate, and then choose Next.
  7. Choose Only the following objects in the folder, and then select Computer objects.
  8. Select Create selected objects in this folder and Delete selected objects in this folder.
  9. Choose Next.
  10. For Permissions, select:
    Reset password
    Read and write account restrictions
    Validated write to DNS host name
    Validated write to service principal name
  11. Choose Next, and then choose Finish.

Create the file system

  1. Open the Amazon FSx console, and then choose Create file system.
  2. Choose Amazon FSx for Windows File Server, and then choose Next.
  3. For File system details, choose Deployment type Multi-AZ, and then specify the Storage Capacity and Throughput capacity that you need.
  4. For Network & security, select the VPC for your self-managed Microsoft AD. Then, select two preferred subnets.
  5. For Windows authentication, choose Self-managed Microsoft Active Directory, and then enter the details for the service account that you created above.
    If you don't use the default Computers OU, enter the distinguishedName of the OU that you noted when delegating permissions to the service account.
    For Delegated file system administrators group, enter the group name if you don't use the default Domain Admins group.
  6. For Encryption, use the default settings, or select different encryption options as needed.
  7. For Backup and maintenance, choose your preferences. The default settings result in zero downtime during the normal maintenance window, because Amazon FSx fails over to the second server.
  8. Choose Next.
  9. Review the Summary.
    Important: The summary indicates whether an attribute can be edited after the file system is created. This is the last chance to changes any attributes that can;t be edited after creation.
  10. Choose Create file system.
  11. The file system creation is now initiated. The process can take a few hours, depending on the size of the share. When complete, a green banner appears at the top of the Amazon FSx console to indicate that the file share is now available.

Related information

Availability and durability: Single-AZ and Multi-AZ file systems

AWS OFFICIAL
AWS OFFICIALUpdated 3 years ago