
Administering FSx for Windows file systems

Amazon FSx provides a wide range of administrative capabilities that help you easily manage and grow your Amazon FSx for Windows File Server file systems to meet changing workload and user requirements, and your organization's regulatory and compliance needs. The following is a list of some of the file system configurations that you can manage using the Amazon Web Services Management Console, Amazon CLI and API, the Amazon FSx CLI for remote management on PowerShell, and native Microsoft Windows Server graphical interfaces.

  • Storage capacity

  • Storage type

  • SSD IOPS

  • Throughput capacity

  • DNS aliases

  • Data deduplication

  • Shadow copies

  • Storage quotas

  • File access auditing

  • File shares

The following sections provide information about the file system administrative features and settings that are available to you. We've included guidance to help you determine which options are best for your situation, and best practices where applicable.

Using the Amazon FSx CLI for PowerShell

This chapter describes how to access the Amazon FSx CLI for remote management on PowerShell to perform file system administrative tasks for FSx for Windows file systems. You can also use the Microsoft Windows–native graphical user interface (GUI) to perform some administrative tasks.

The Amazon FSx CLI for remote management on PowerShell enables file system administration for users in the file system administrators group. To start a remote PowerShell session on your FSx for Windows File Server file system, you first need to meet the following prerequisites:

  • Be able to connect to a Windows compute instance that has network connectivity with your FSx for Windows File Server file system.

  • Be logged into the Windows compute instance as a member of the file system administrators group. If you are using Amazon Managed Microsoft AD, that is the Amazon Delegated FSx Administrators group. If you are using a self-managed Microsoft Active Directory, that is the Domain Admins group or the custom group that you specified for administration when you created your file system. For more information, see Self-managed Active Directory best practices.

  • Your file system's VPC security group inbound rules allow traffic on port 5985.

The Amazon FSx CLI for remote management on PowerShell uses the following security features:

  • User credentials are authenticated using Kerberos authentication.

  • Management session communications between the connected client and file system are encrypted using Kerberos.

You have two options to run remote management CLI commands on your Amazon FSx file system:

  • You can establish a long-running Remote PowerShell session and run the commands inside the session.

  • You can use the Invoke-Command cmdlet to run a single command or a single block of commands without establishing a long-running Remote PowerShell session.

If you want to set and pass variables as parameters to the remote management command, you will need to use Invoke-Command.

Note

For Multi-AZ file systems, you can only use the Amazon FSx CLI for Remote Management while the file system is using its preferred file server. For more information, see Availability and durability: Single-AZ and Multi-AZ file systems.

You need to use the file system's Windows Remote PowerShell Endpoint when using Remote PowerShell. Using the Amazon Web Services Management Console, you can find the endpoint in the Network & security tab, on the File system details page. Using the Amazon CLI describe-file-systems command, the RemoteAdministrationEndpoint property is returned in the response. The remote administration endpoint uses the format amznfsxctlyaa1k.ActiveDirectory-DNS-name, for example, amznfsxctlyaa1k.corp.example.com.

You can use the Get-Command cmdlet to get information about the cmdlets, functions, and aliases available in PowerShell. For more information, see the Microsoft Get-Command documentation.

You can also run Amazon FSx CLI for remote management on PowerShell commands on your file system with the Invoke-Command cmdlet, using the following syntax.

PS C:\Users\delegateadmin> Invoke-Command -ComputerName amznfsxctlyaa1k.corp.example.com -ConfigurationName FSxRemoteAdmin -scriptblock { fsx-command}

For instructions on how to start a long-lived Remote PowerShell session on your FSx for Windows File Server file system, see Starting an Amazon FSx remote PowerShell session.
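
The following pre-flight check is an added example, not part of the original documentation. It resolves the RemoteAdministrationEndpoint with describe-file-systems, confirms that port 5985 is reachable, and then lists the commands exposed by the FSxRemoteAdmin session configuration. It assumes the `aws` CLI is installed and configured on the instance, that Get-Command is run inside the remote session, and it uses the sample file system ID fs-0123456789abcdef0 as a placeholder.

```powershell
# Added example: verify the prerequisites before administering the file system.
# Placeholder ID; replace it with the ID of your own file system.
$FileSystemId = 'fs-0123456789abcdef0'

# 1. Resolve the Windows Remote PowerShell endpoint from the API response.
$Endpoint = aws fsx describe-file-systems --file-system-ids $FileSystemId `
    --query 'FileSystems[0].WindowsConfiguration.RemoteAdministrationEndpoint' `
    --output text
if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($Endpoint) -or $Endpoint -eq 'None') {
    throw "Could not resolve RemoteAdministrationEndpoint for $FileSystemId."
}

# 2. The file system's security group must allow inbound traffic on port 5985.
$Probe = Test-NetConnection -ComputerName $Endpoint -Port 5985 -WarningAction SilentlyContinue
if (-not $Probe.TcpTestSucceeded) {
    throw "Port 5985 on $Endpoint is not reachable. Check the VPC security group inbound rules."
}

# 3. Open a one-shot session. Connect by DNS name, not IP address, because
#    the session is authenticated with Kerberos. A failure here usually means
#    the current user is not in the file system administrators group.
try {
    $Commands = Invoke-Command -ComputerName $Endpoint `
        -ConfigurationName FSxRemoteAdmin `
        -ScriptBlock { Get-Command } -ErrorAction Stop
}
catch {
    throw "Remote session to $Endpoint failed: $($_.Exception.Message)"
}

# 4. Show what the session configuration lets this administrator run.
$Commands | Sort-Object Name | Format-Table Name, CommandType -AutoSize
```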

One-time setup tasks using the Amazon FSx CLI for remote management on PowerShell

Use the following Amazon FSx CLI for Remote Management on PowerShell commands to quickly implement these best practices on your file systems.

Managing storage consumption

Use the following commands to manage your file system storage consumption.

  • To turn on data deduplication with the default schedule, run the following command.

    Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Enable-FsxDedup }

    Optionally, use the following command to get data deduplication operating on your files soon after a file is created, without requiring any minimum file age.

    Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Set-FSxDedupConfiguration -MinimumFileAgeDays 0 }

    For more information, see Reducing storage costs with Data Deduplication.

     

  • Use the following command to turn on user storage quotas in “Track” mode, which is for reporting purposes only and not for enforcement.

    $QuotaLimit = Quota limit in bytes
    $QuotaWarningLimit = Quota warning threshold in bytes
    Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Enable-FSxUserQuotas -Track -DefaultLimit $Using:QuotaLimit -DefaultWarningLimit $Using:QuotaWarningLimit }

    For more information, see Managing storage quotas.

Turning on shadow copies to enable end-users to recover files and folders to previous versions

Turn on shadow copies with the default schedule (weekdays 7 AM and 12 noon), as follows.

Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Set-FsxShadowStorage -Default }
Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Set-FsxShadowCopySchedule -Default -Confirm:$False}

For more information, see Configuring shadow copies to use the default storage and schedule.

Enforcing encryption in transit

The following command enforces encryption for clients connecting to your file system.

Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Set-FsxSmbServerConfiguration -EncryptData $True -RejectUnencryptedAccess $True -Confirm:$False}

You can close all open sessions and force clients currently connected to reconnect using encryption.

Invoke-Command -ComputerName $FSxWindowsRemotePowerShellEndpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Close-FSxSmbSession -Confirm:$False}

For more information, see Managing encryption in transit and User sessions and open files.
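
The following script is an added example, not part of the original documentation. It applies the two commands above in a safe order: it reads the current setting, enforces encryption only if needed, confirms the change took effect, and only then closes existing sessions. It assumes a Get-FsxSmbServerConfiguration command is available in the FSxRemoteAdmin session and returns EncryptData and RejectUnencryptedAccess properties; neither is shown on this page. The endpoint value is the sample name used earlier.

```powershell
# Added example: enforce SMB encryption in transit and verify it before
# disconnecting clients. The endpoint below is a placeholder.
$FSxWindowsRemotePowerShellEndpoint = 'amznfsxctlyaa1k.corp.example.com'
$Remote = @{
    ComputerName      = $FSxWindowsRemotePowerShellEndpoint
    ConfigurationName = 'FSxRemoteAdmin'
    ErrorAction       = 'Stop'
}

function Test-FsxEncryptionEnforced {
    # Assumption: Get-FsxSmbServerConfiguration exists in the session and
    # exposes EncryptData and RejectUnencryptedAccess.
    $Config = Invoke-Command @Remote -ScriptBlock { Get-FsxSmbServerConfiguration }
    return ([bool]$Config.EncryptData -and [bool]$Config.RejectUnencryptedAccess)
}

if (Test-FsxEncryptionEnforced) {
    Write-Output 'Encryption is already enforced. No sessions were closed.'
}
else {
    # Same command as in the documentation above.
    Invoke-Command @Remote -ScriptBlock {
        Set-FsxSmbServerConfiguration -EncryptData $True -RejectUnencryptedAccess $True -Confirm:$False
    }

    # Do not disconnect anyone unless the new setting is confirmed.
    if (-not (Test-FsxEncryptionEnforced)) {
        throw 'Encryption settings were not applied. Existing sessions were left open.'
    }

    # Clients that connected before the change reconnect using encryption
    # only after their sessions are closed. This interrupts every connected
    # client, so run it in a maintenance window.
    Invoke-Command @Remote -ScriptBlock { Close-FSxSmbSession -Confirm:$False }
    Write-Output 'Encryption enforced and existing sessions closed.'
}
```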

Starting an Amazon FSx remote PowerShell session

This topic provides instructions for starting a long-lived remote PowerShell session on your FSx for Windows File Server file server.

To start a remote PowerShell session on your file system
  1. Connect to a compute instance that has network connectivity with your file system as a user that is a member of the delegated FSx Administrators Group that you chose when you created the file system.

  2. Open a Windows PowerShell window on the compute instance.

  3. In the PowerShell window, enter the following command to open a long-lived remote session on your Amazon FSx file system. Replace Remote-PowerShell-Endpoint with the Windows Remote PowerShell endpoint of the file system that you want to administer. Use FsxRemoteAdmin as the session configuration name.

    PS C:\Users\delegateadmin> enter-pssession -ComputerName Remote-PowerShell-Endpoint -ConfigurationName FsxRemoteAdmin
    [fs-0123456789abcdef0]: PS>

    If your instance is not part of the Amazon FSx Active Directory domain, you are prompted to enter user credentials in a pop-up. Enter the credentials of the user that is a member of the FSx Administrators Group. If your instance is joined to the domain, you will not be asked for credentials.