Prerequisites for using a self-managed Microsoft Active Directory - Amazon FSx for Windows File Server

Prerequisites for using a self-managed Microsoft Active Directory

Before you create an Amazon FSx file system joined to your self-managed Microsoft Active Directory domain, review the following prerequisites.

On-premises configurations

Make sure that you have an on-premises or other self-managed Microsoft Active Directory that you can join the Amazon FSx file system to. Your on-premises Active Directory should have the following configuration:

  • Your Active Directory domain controller has a domain functional level at Windows Server 2008 R2 or higher.

  • The DNS server IP addresses and Active Directory domain controller IP addresses are as follows, depending on when your file system was created:

    For file systems created before December 17, 2020:

    IP addresses must be in an RFC 1918 private IP address range:

    • 10.0.0.0/8

    • 172.16.0.0/12

    • 192.168.0.0/16

    For file systems created after December 17, 2020:

    IP addresses can be in any range, except:

    • IP addresses that conflict with Amazon Web Services owned IP addresses in that Amazon Region. For a list of Amazon owned IP addresses by region, see the Amazon IP address ranges.

    • IP addresses in the following CIDR block range: 198.19.0.0/16

    If you need to access an FSx for Windows File Server file system that was created before December 17, 2020 using a non-private IP address range, you can create a new file system by restoring a backup of the file system. For more information, see Working with backups.

  • A domain name that isn't in Single Label Domain (SLD) format. Amazon FSx doesn't support SLD domains.

  • For Single-AZ 2 and all Multi-AZ file systems, the Active Directory domain name cannot exceed 47 characters.

  • If you have Active Directory sites defined, the subnets in the VPC that's associated with your Amazon FSx file system must be defined in an Active Directory site, and no conflicts must exist between the subnets in your VPC and the subnets in your other sites.

  • You may need to add rules to your firewall to allow ICMP traffic between your Active Directory domain controllers and Amazon FSx.
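The address-range and domain-name rules above are easy to get wrong by hand, especially since the rule set depends on the file system's creation date. The following pre-flight checker is an added example and not AWS code; it assumes a constructed config dictionary, that the caller supplies any Amazon-owned ranges for the Region from the published Amazon IP address ranges, and that deployment types are named with the FSx API DeploymentType values (SINGLE_AZ_1, SINGLE_AZ_2, MULTI_AZ_1). It applies the RFC 1918 requirement to file systems created before the cut-over date and the 198.19.0.0/16 and Amazon-owned-range exclusions to later ones, and checks the SLD and 47-character domain-name rules.

```python
# Added example (not AWS code): pre-flight check of the self-managed AD
# prerequisites above before attempting to join an FSx file system.
import ipaddress
from datetime import date

# Cut-over date from the documentation: file systems created before it must
# use RFC 1918 addresses for DNS servers and domain controllers.
CUTOVER = date(2020, 12, 17)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Always excluded for file systems created on or after the cut-over date.
EXCLUDED = [ipaddress.ip_network("198.19.0.0/16")]
MAX_DOMAIN_LEN = 47  # Single-AZ 2 and Multi-AZ deployments only


def check_ip(addr, created, aws_owned=()):
    """Return a list of problems for one DNS server or domain controller IP.
    aws_owned: CIDR strings for Amazon-owned ranges in the Region (assumption:
    the caller fetches them from the published Amazon IP address ranges)."""
    ip = ipaddress.ip_address(addr)
    problems = []
    if created < CUTOVER:
        if not any(ip in net for net in RFC1918):
            problems.append(f"{addr}: not in an RFC 1918 range (file system created before {CUTOVER})")
    else:
        if any(ip in net for net in EXCLUDED):
            problems.append(f"{addr}: inside excluded block 198.19.0.0/16")
        if any(ip in ipaddress.ip_network(cidr) for cidr in aws_owned):
            problems.append(f"{addr}: conflicts with an Amazon-owned IP range")
    return problems


def check_domain(name, deployment_type):
    """Check the domain-name rules: no single-label domains, and at most 47
    characters for Single-AZ 2 and Multi-AZ deployments. deployment_type uses
    the FSx API DeploymentType values (SINGLE_AZ_1, SINGLE_AZ_2, MULTI_AZ_1)."""
    problems = []
    if "." not in name.strip("."):
        problems.append(f"{name}: single label domain (SLD) is not supported")
    length_limited = deployment_type == "SINGLE_AZ_2" or deployment_type.startswith("MULTI_AZ")
    if length_limited and len(name) > MAX_DOMAIN_LEN:
        problems.append(f"{name}: longer than {MAX_DOMAIN_LEN} characters for {deployment_type}")
    return problems


def validate(config):
    """config is a constructed dict mirroring the self-managed AD settings
    (domain_name, deployment_type, created, dns_ips, optional aws_owned)."""
    problems = check_domain(config["domain_name"], config["deployment_type"])
    for addr in config["dns_ips"]:
        problems += check_ip(addr, config["created"], config.get("aws_owned", ()))
    return problems


# Constructed sample input, not from the page: one DNS IP sits in the
# excluded 198.19.0.0/16 block.
SAMPLE = {
    "domain_name": "corp.example.com",
    "deployment_type": "MULTI_AZ_1",
    "created": date(2021, 3, 1),
    "dns_ips": ["10.0.0.10", "198.19.4.2"],
}

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("FAIL:", problem)
```

Run it against your own DNS and domain controller addresses before creating the file system; for a file system created before the cut-over date, the only way to move to a non-private range is the backup-and-restore path described above.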

Network configurations

This section describes the network configurations required for joining a file system to your self-managed Active Directory.

We recommend that you use the Amazon FSx Active Directory validation tool to test your network settings before attempting to join your file system to your self-managed Active Directory.

  • Connectivity must be configured between the Amazon VPC where you want to create the file system and your self-managed Active Directory. You can set up this connectivity using Amazon Direct Connect, Amazon Virtual Private Network, VPC peering, or Amazon Transit Gateway.

  • For VPC security groups, the default security group for your default Amazon VPC must be added to your file system in the console. Ensure that the security group and the VPC Network ACLs for the subnets where you create your FSx file system allow traffic on the ports and in the directions shown in the following diagram.

    
    Figure: FSx for Windows File Server port configuration requirements for VPC security groups and network ACLs for the subnets where the file system is created.

    The following table identifies the role of each port.

    Protocol   Ports           Role
    TCP/UDP    53              Domain Name System (DNS)
    TCP/UDP    88              Kerberos authentication
    TCP/UDP    464             Change/set password
    TCP/UDP    389             Lightweight Directory Access Protocol (LDAP)
    UDP        123             Network Time Protocol (NTP)
    TCP        135             Distributed Computing Environment/End Point Mapper (DCE/EPMAP)
    TCP        445             Directory Services SMB file sharing
    TCP        636             Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
    TCP        3268            Microsoft Global Catalog
    TCP        3269            Microsoft Global Catalog over SSL
    TCP        5985            WinRM 2.0 (Microsoft Windows Remote Management)
    TCP        9389            Microsoft Active Directory DS Web Services, PowerShell
    TCP        49152 - 65535   Ephemeral ports for RPC

    Ensure that these traffic rules are also mirrored on the firewalls that apply to each of the Active Directory domain controllers, DNS servers, FSx clients, and FSx administrators.

Important

Allowing outbound traffic on TCP port 9389 is required for Single-AZ 2 and Multi-AZ file system deployments.

Note

If you're using VPC network ACLs, you must also allow outbound traffic on dynamic ports (49152-65535) from your FSx file system.

Important

While Amazon VPC security groups require ports to be opened only in the direction that network traffic is initiated, most Windows firewalls and VPC network ACLs require ports to be open in both directions.
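A quick way to catch a missing port before the domain join fails is to audit the rule set against the table above. The following checker is an added example and not AWS code; it assumes rules in the shape of the EC2 describe-security-groups IpPermissions entries (IpProtocol, FromPort, ToPort, IpRanges) and uses constructed sample rules. It merges adjacent rules when checking the ephemeral range, treats IpProtocol "-1" as all ports, and, because network ACLs and most Windows firewalls need both directions open, can be run on an ingress and an egress list separately. It checks ports only, not the source and destination CIDRs.

```python
# Added example (not AWS code): audit a security group or network ACL rule
# set against the FSx port table and report required ports that are not
# fully allowed. The sample rules below are constructed for this example.
from collections import namedtuple

Rule = namedtuple("Rule", "protocol from_port to_port")

# (protocol, low port, high port, role) taken from the table above.
REQUIRED = [
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos authentication"), ("udp", 88, 88, "Kerberos authentication"),
    ("tcp", 464, 464, "Change/set password"), ("udp", 464, 464, "Change/set password"),
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP"),
    ("udp", 123, 123, "NTP"),
    ("tcp", 135, 135, "DCE/EPMAP"),
    ("tcp", 445, 445, "SMB"),
    ("tcp", 636, 636, "LDAPS"),
    ("tcp", 3268, 3268, "Global Catalog"),
    ("tcp", 3269, 3269, "Global Catalog over SSL"),
    ("tcp", 5985, 5985, "WinRM 2.0"),
    ("tcp", 9389, 9389, "AD DS Web Services, PowerShell"),
    ("tcp", 49152, 65535, "Ephemeral ports for RPC"),
]


def parse_ec2_permissions(ip_permissions):
    """Turn IpPermissions entries into Rule tuples. IpProtocol "-1" means all
    traffic, so it expands to the full port range for both TCP and UDP.
    CIDR sources are ignored: this check is about ports only."""
    rules = []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        if proto == "-1":
            rules += [Rule("tcp", 0, 65535), Rule("udp", 0, 65535)]
        else:
            rules.append(Rule(proto, perm["FromPort"], perm["ToPort"]))
    return rules


def missing_ports(rules):
    """Return the REQUIRED entries whose full port range is not covered by the
    union of the rules for that protocol. Adjacent rules are merged, so
    49152-60000 plus 60001-65535 together count as covering the range."""
    missing = []
    for proto, low, high, role in REQUIRED:
        spans = sorted((r.from_port, r.to_port) for r in rules if r.protocol == proto)
        cursor = low  # first port not yet shown to be allowed
        for start, end in spans:
            if end < cursor:
                continue  # span lies entirely below what is still needed
            if start > cursor:
                break     # gap at 'cursor', nothing later can fill it
            cursor = end + 1
            if cursor > high:
                break
        if cursor <= high:
            missing.append((proto, low, high, role))
    return missing


def missing_both_directions(ingress_rules, egress_rules):
    """Network ACLs and most Windows firewalls need the ports open in both
    directions, so check the ingress and egress rule lists separately."""
    return {"ingress": missing_ports(ingress_rules), "egress": missing_ports(egress_rules)}


def _perm(proto, low, high=None, cidr="10.0.0.0/8"):
    """Build one constructed IpPermissions-style entry."""
    return {"IpProtocol": proto, "FromPort": low, "ToPort": low if high is None else high,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample security-group ingress rules: TCP 9389 is absent and the
# ephemeral range is only partly open, which the checker should flag.
SAMPLE_INGRESS = [
    _perm("tcp", 53), _perm("udp", 53), _perm("tcp", 88), _perm("udp", 88),
    _perm("tcp", 464), _perm("udp", 464), _perm("tcp", 389), _perm("udp", 389),
    _perm("udp", 123), _perm("tcp", 135), _perm("tcp", 445), _perm("tcp", 636),
    _perm("tcp", 3268, 3269), _perm("tcp", 5985), _perm("tcp", 49152, 60000),
]

if __name__ == "__main__":
    for proto, low, high, role in missing_ports(parse_ec2_permissions(SAMPLE_INGRESS)):
        print(f"missing {proto.upper()} {low}-{high} ({role})")
```

For a security group, running the check on the rules in the direction traffic is initiated is enough; for a network ACL or a domain controller's host firewall, run it on both directions, and remember the note above that the dynamic range 49152-65535 must also be allowed outbound from the file system.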

Service account permissions

Make sure that you have a service account in your self-managed Microsoft Active Directory with delegated permissions to join computers to the domain. A service account is a user account in your self-managed Microsoft Active Directory that has been delegated certain tasks.

The service account must be delegated at least the following permissions in the OU that you're joining the file system to:

  • Ability to reset passwords

  • Ability to restrict accounts from reading and writing data

  • Validated ability to write to the DNS host name

  • Validated ability to write to the service principal name

  • Ability (can be delegated) to create and delete computer objects

  • Validated ability to read and write Account Restrictions

  • Ability to modify permissions

These represent the minimum set of permissions that are required to join computer objects to your Active Directory. For more information, see the Microsoft Windows Server documentation topic Error: Access is denied when non-administrator users who have been delegated control try to join computers to a domain controller.

For more information about creating a service account with the correct permissions, see Delegating privileges to your Amazon FSx service account.

Amazon FSx requires a valid service account throughout the lifetime of your Amazon FSx file system. Amazon FSx must be able to fully manage the file system and perform tasks that require unjoining and rejoining your Active Directory domain using the service account. These tasks include replacing a failed file server or patching Windows Server software. It is imperative that you keep your Active Directory configuration, including the service account credentials, updated with Amazon FSx. For more information, see Keeping your Active Directory configuration updated.

Amazon FSx requires connectivity to all domain controllers in your Active Directory environment. If you have multiple domain controllers, ensure that all of them meet the requirements above, and ensure that any changes to your service account are propagated to all domain controllers.

You can validate your Active Directory configuration, including testing connectivity to multiple domain controllers, using the Amazon FSx Active Directory validation tool. To limit the number of domain controllers that require connectivity, you can also build a trust relationship between your on-premises domain controllers and Amazon Managed Microsoft AD. For more information, see Using a resource forest isolation model.

Important

Do not move computer objects that Amazon FSx creates in the OU after your file system is created. Doing so will cause your file system to become misconfigured.