Best practices for joining FSx for Windows File Server file systems to a self-managed Microsoft Active Directory domain - Amazon FSx for Windows File Server

We recommend these best practices when joining Amazon FSx for Windows File Server file systems to your self-managed Microsoft Active Directory.

Delegating privileges to the Amazon FSx service account

Configure the service account that you provide to Amazon FSx with only the privileges it needs (listed below). In addition, keep the computer objects that Amazon FSx creates in a dedicated Organizational Unit (OU), separate from the OUs that hold your domain controllers and other infrastructure, so that the delegated rights apply only to that OU.

To join Amazon FSx file systems to your domain, the service account needs delegated privileges on the target OU. Members of the Domain Admins group have far more than enough privilege to perform this task, but as a best practice use a service account that holds only the minimum privileges necessary. The following procedures show how to delegate just the privileges needed to join Amazon FSx file systems to your domain.

You use either Delegate Control or Advanced Features in the Active Directory Users and Computers MMC snap-in to assign these permissions.

Perform either of these procedures on a machine that is joined to your Active Directory domain and has the Active Directory Users and Computers MMC snap-in installed.

To assign permissions to a service account or group using Delegate Control
  1. Log in to your system as a domain administrator for your Active Directory domain.

  2. Open the Active Directory Users and Computers MMC snap-in.

  3. In the task pane, expand the domain node.

  4. Locate and open the context (right-click) menu for the OU that you want to modify, and then choose Delegate Control.

  5. On the Delegation of Control Wizard page, choose Next.

  6. Choose Add to add the name of your Amazon FSx service account or group, and then choose Next.

  7. On the Tasks to Delegate page, choose Create a custom task to delegate, and then choose Next.

  8. Choose Only the following objects in the folder, and then choose Computer objects.

  9. Choose Create selected objects in this folder and Delete selected objects in this folder. Then choose Next.

  10. For Permissions, choose the following:

    • Reset Password

    • Read and write Account Restrictions

    • Validated write to DNS host name

    • Validated write to service principal name

  11. Choose Next, and then choose Finish.

  12. Close the Active Directory Users and Computers MMC snap-in.

To assign permissions using Advanced Features
  1. Log in to your system as a domain administrator for your Active Directory domain.

  2. Open the Active Directory Users and Computers MMC snap-in.

  3. Select View from the menu bar and ensure that Advanced Features is enabled (a check mark will appear next to it if the feature is enabled).

  4. In the task pane, expand the domain node.

  5. Locate and open (right-click) the context menu for the OU that you want to modify, and then choose Properties.

  6. In the OU Properties pane, select the Security tab.

  7. In the Security tab, select Advanced. Then select Add.

  8. On the Permission Entry page, choose Select a principal and enter the name of your Amazon FSx service account or group. For Applies to:, choose Descendant Computer objects. Ensure that the following are selected:

    • Modify permissions

    • Create Computer Objects

    • Delete Computer Objects

  9. Select Apply, and then select OK.

  10. Close the Active Directory Users and Computers MMC snap-in.
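Both MMC procedures above can be scripted. The following PowerShell is added here as an example and is not taken from the AWS documentation. It applies the same ACEs with the ActiveDirectory module: Create and Delete Computer objects on the OU, and Reset Password, read/write Account Restrictions, the two validated writes and (from the Advanced Features variant) Modify permissions on descendant computer objects. The OU distinguished name and the account name are placeholders; the schema GUIDs are the fixed, well-known values for the computer class and these rights in every Active Directory forest.

```powershell
# Added example: delegate the FSx service account the rights listed in the two
# procedures above with PowerShell instead of the MMC snap-in.
# Requires the RSAT ActiveDirectory module; run as a domain administrator.
Import-Module ActiveDirectory

$OuDn        = 'OU=FSx,DC=corp,DC=example,DC=com'   # placeholder: dedicated OU for FSx computer objects
$ServiceAcct = 'CORP\svc-fsx'                       # placeholder: FSx service account (or a group)

# Well-known schema GUIDs (identical in every AD forest) for the object class and rights involved
$ComputerClass       = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPasswordRight  = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$AccountRestrictions = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # "Account Restrictions" property set
$ValidatedDnsHost    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # validated write to DNS host name
$ValidatedSpn        = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write to service principal name

$ADR   = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$sid   = (New-Object System.Security.Principal.NTAccount($ServiceAcct)).Translate(
             [System.Security.Principal.SecurityIdentifier])

# Rights on the OU itself: create and delete computer objects.
# $Inh::All also covers child OUs; use $Inh::None to limit the rights to this OU only.
$onOu = @(
    @{ Rights = $ADR::CreateChild; Type = $ComputerClass },
    @{ Rights = $ADR::DeleteChild; Type = $ComputerClass }
)
# Rights that apply to descendant computer objects only
$onComputers = @(
    @{ Rights = $ADR::ExtendedRight;                         Type = $ResetPasswordRight  },  # Reset Password
    @{ Rights = $ADR::ReadProperty -bor $ADR::WriteProperty; Type = $AccountRestrictions },  # Read/write Account Restrictions
    @{ Rights = $ADR::Self;                                  Type = $ValidatedDnsHost    },  # Validated write to DNS host name
    @{ Rights = $ADR::Self;                                  Type = $ValidatedSpn        },  # Validated write to SPN
    @{ Rights = $ADR::WriteDacl;                             Type = [guid]::Empty        }   # "Modify permissions" (Advanced Features variant)
)

$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($r in $onOu) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $r.Rights, $Allow, $r.Type, $Inh::All)))
}
foreach ($r in $onComputers) {
    # Six-argument form: objectType GUID plus inheritedObjectType = computer class, so the ACE
    # is inherited only by computer objects below the OU (same as "Descendant Computer objects")
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $r.Rights, $Allow, $r.Type, $Inh::Descendents, $ComputerClass)))
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list the ACEs now granted to the service account on the OU
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAcct } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The final Get-Acl call is the check to keep: after the script (or after the MMC wizard) the service account should show exactly these entries on the OU and nothing broader, and the same listing run against any other OU should return nothing.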

Important

Do not move computer objects that Amazon FSx creates in the OU after your file system is created. Doing so will cause your file system to become misconfigured. If you update your file system with a new service account, ensure that the new service account has Full control permissions for the existing computer objects associated with the file system.

Changing the Amazon FSx service account

If you change the service account for an existing Amazon FSx file system, the new service account must have the required permissions and privileges to join your Active Directory and take ownership over the existing computer objects associated with the file system.

When changing the service account for Amazon FSx, ensure that the new service account has the following settings:

  • The new service account has Full control permissions for the existing computer objects associated with the file system.

  • The new service account, directly or through a group, is one of the trusted accounts listed in the Domain controller: Allow computer account re-use during domain join Group Policy setting, and that setting is applied to all domain controllers in the Active Directory domain.

If the new service account does not meet these requirements, the following conditions could occur:

  • For Single-AZ file systems, the file system could become MISCONFIGURED_UNAVAILABLE.

  • For Multi-AZ file systems, the file system could become MISCONFIGURED and the RemotePowerShell endpoint name might change.

Configuring a domain controller's Group Policy

The following procedure, recommended by Microsoft, describes how to configure the allow list policy through Group Policy on the domain controllers.

To configure a domain controller's allow list policy
  1. Install the September 12, 2023 or later Microsoft Windows updates on all member computers and domain controllers in your self-managed Microsoft Active Directory.

  2. In a new or existing group policy that applies to all domain controllers in your self-managed Active Directory, configure the following settings.

    1. Navigate to Computer Configuration>Policies>Windows Settings>Security Settings> Local Policies>Security Options.

    2. Double-click Domain controller: Allow computer account re-use during domain join.

    3. Select Define this policy setting and <Edit Security…>.

    4. Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

      Warning

      Limit membership in the policy to trusted users and service accounts. Do not add Authenticated Users, Everyone, or other large groups to this policy. Instead, add the specific trusted users and service accounts to groups and add those groups to the policy.

  3. Wait for the Group Policy refresh interval or run gpupdate /force on all domain controllers.

  4. Verify that the ComputerAccountReuseAllowList value under the HKLM\SYSTEM\CurrentControlSet\Control\SAM registry key is populated with the desired SDDL. Do not manually edit the registry; Group Policy writes this value.

  5. Attempt to join a computer that has the September 12, 2023, or later updates installed. Ensure that one of the accounts listed in the policy owns the existing computer account. Also ensure that the NetJoinLegacyAccountReuse registry value on the computer being joined is not enabled (set to 1). If the domain join fails, check C:\Windows\debug\netsetup.log.
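Step 4 above, and the requirement in the previous section that a replacement service account be covered by the policy, can both be checked with the script below. It is added here as an example and is not part of the AWS page or Microsoft's procedure. It reads (never writes) the ComputerAccountReuseAllowList value from every domain controller, parses the SDDL, resolves the allowed principals, flags the overly broad groups the warning above prohibits, and reports whether the FSx service account is covered directly or through group membership. The account name is a placeholder; it assumes the RSAT ActiveDirectory module and WinRM access to the domain controllers.

```powershell
# Added example: verify, from a domain-joined admin host, that the allow list written by the
# "Allow computer account re-use during domain join" policy is present on every DC and that the
# FSx service account (directly or through a group) is covered by it. Read-only; the registry
# value must be managed through the GPO, never edited by hand.
Import-Module ActiveDirectory

$ServiceSam = 'svc-fsx'   # placeholder: sAMAccountName of the FSx service account

# SIDs the service account carries: its own plus every group it belongs to, transitively
# (LDAP_MATCHING_RULE_IN_CHAIN), since the policy is normally populated with groups.
$svc     = Get-ADUser -Identity $ServiceSam
$svcSids = @($svc.SID.Value) + @(
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($svc.DistinguishedName))" |
        ForEach-Object { $_.SID.Value })

# Broad principals that must never appear in this policy
$domainSid   = (Get-ADDomain).DomainSID.Value
$overlyBroad = @{
    'S-1-1-0'          = 'Everyone'
    'S-1-5-11'         = 'Authenticated Users'
    'S-1-5-32-545'     = 'Users'
    "$domainSid-513"   = 'Domain Users'
}

# Collect the raw SDDL from each domain controller
$dcs = (Get-ADDomainController -Filter *).HostName
$raw = Invoke-Command -ComputerName $dcs -ScriptBlock {
    [pscustomobject]@{
        Dc   = $env:COMPUTERNAME
        Sddl = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' `
                    -Name ComputerAccountReuseAllowList -ErrorAction SilentlyContinue).ComputerAccountReuseAllowList
    }
}

foreach ($entry in $raw) {
    if ([string]::IsNullOrEmpty($entry.Sddl)) {
        Write-Warning "$($entry.Dc): ComputerAccountReuseAllowList is not populated (GPO not applied yet, or update missing)"
        continue
    }
    # Parse the SDDL and pull the SIDs of the access-allowed ACEs
    $sd      = New-Object System.Security.AccessControl.RawSecurityDescriptor($entry.Sddl)
    $allowed = @(foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { $ace.SecurityIdentifier.Value }
    })
    $names = $allowed | ForEach-Object {
        try { (New-Object System.Security.Principal.SecurityIdentifier($_)).Translate(
                  [System.Security.Principal.NTAccount]).Value } catch { $_ }
    }
    foreach ($s in $allowed) {
        if ($overlyBroad.ContainsKey($s)) { Write-Warning "$($entry.Dc): allow list contains $($overlyBroad[$s]); remove it" }
    }
    [pscustomobject]@{
        Dc                    = $entry.Dc
        AllowedPrincipals     = $names -join ', '
        ServiceAccountCovered = [bool]($allowed | Where-Object { $svcSids -contains $_ })
    }
}
```

Every domain controller should report the same principal list and ServiceAccountCovered = True; a DC with an empty value has not yet refreshed the policy (run gpupdate /force there), and a DC whose list differs from the others points at a policy applied to only part of the Domain Controllers OU.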

Keeping your Active Directory configuration updated

To help ensure continuous, uninterrupted availability of your Amazon FSx file system, you need to update the file system's Active Directory configuration any time that you make changes to your self-managed Active Directory setup.

For example, if your Active Directory uses a time-based password reset policy, as soon as the password is reset, make sure to update the service account password with Amazon FSx. Similarly, if the DNS server IP addresses change for your Active Directory domain, as soon as the change occurs, update the DNS server IP addresses with Amazon FSx. For more information, see Updating the self-managed Active Directory configuration.

When you update the self-managed Active Directory configuration for your Amazon FSx file system, the file system's state switches from Available to Updating while the update is applied. Verify that the state switches back to Available after the update has been applied; the update can take several minutes to complete. For more information, see Monitoring self-managed Active Directory updates.

If there's an issue with the updated self-managed Active Directory configuration, the file system state switches to Misconfigured. This state shows an error message and recommended corrective action beside the file system description in the console, API, and CLI. After taking the recommended corrective action, verify that your file system's state eventually changes to Available.

To learn more about troubleshooting possible self-managed Active Directory misconfigurations, see File system is in a misconfigured state.
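The update-and-verify sequence described in this section, as an added example that is not part of the AWS page: it pushes a rotated service-account password and the current DNS server addresses to the file system, then polls the file system state until it leaves UPDATING and reports the corrective-action message if the result is a misconfigured state. It requires the AWS CLI with credentials permitted to call fsx:UpdateFileSystem and fsx:DescribeFileSystems; the file system ID, account name and addresses are placeholders.

```powershell
# Added example: push a rotated service-account password and/or new DNS server IPs to an
# FSx for Windows file system, then poll until the update finishes.
$FileSystemId = 'fs-0123456789abcdef0'        # placeholder
$UserName     = 'svc-fsx'                     # placeholder: FSx service account
$DnsIps       = @('10.0.0.10', '10.0.0.11')   # placeholder: current AD DNS server addresses

# Prompt for the new password rather than placing it on a command line, where it would be
# visible in process listings and shell history.
$secure = Read-Host -Prompt "New password for $UserName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$request = @{
    FileSystemId         = $FileSystemId
    WindowsConfiguration = @{
        SelfManagedActiveDirectoryConfiguration = @{
            UserName = $UserName
            Password = $plain
            DnsIps   = $DnsIps
        }
    }
}

# Hand the request to the CLI through a temporary file (--cli-input-json) for the same reason,
# and remove the file as soon as the call returns.
$tmp = New-TemporaryFile
try {
    $request | ConvertTo-Json -Depth 5 | Set-Content -Path $tmp.FullName -Encoding ascii
    aws fsx update-file-system --cli-input-json "file://$($tmp.FullName)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'update-file-system failed; see the CLI error above' }
} finally {
    Remove-Item -Path $tmp.FullName -Force -ErrorAction SilentlyContinue
    $plain = $null
}

# Poll until the file system leaves UPDATING (the update can take several minutes)
do {
    Start-Sleep -Seconds 30
    $fs = (aws fsx describe-file-systems --file-system-ids $FileSystemId | ConvertFrom-Json).FileSystems[0]
    Write-Host ("{0:HH:mm:ss} {1}" -f (Get-Date), $fs.Lifecycle)
} while ($fs.Lifecycle -eq 'UPDATING')

switch -Wildcard ($fs.Lifecycle) {
    'AVAILABLE'      { Write-Host 'Active Directory configuration update applied.' }
    'MISCONFIGURED*' { Write-Warning "File system is $($fs.Lifecycle): $($fs.FailureDetails.Message)" }  # message carries the corrective action
    default          { Write-Warning "Unexpected state: $($fs.Lifecycle)" }
}
```

The state values in the API are upper case (AVAILABLE, UPDATING, MISCONFIGURED, MISCONFIGURED_UNAVAILABLE), which is why the loop compares against UPDATING; the console shows the same states with mixed-case labels.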

Using security groups to limit traffic within your VPC

To limit network traffic in your virtual private cloud (VPC), apply the principle of least privilege to the traffic itself: allow only the flows that the file system needs and nothing more. You do this with security group rules. To learn more, see Amazon VPC Security Groups.

Creating outbound security group rules for your file system's network interface

For greater security, configure a security group with outbound traffic rules that allow outbound traffic only to your self-managed Microsoft Active Directory domain controllers, or only within the file system's subnet or security group. Attach this security group to your Amazon FSx file system's elastic network interfaces (the group must belong to the VPC in which the file system was created). To learn more, see File System Access Control with Amazon VPC.
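A concrete version of that recommendation, added here as an example and not part of the AWS page: it creates a security group in the file system's VPC, removes the allow-all egress rule every new group starts with, allows only the Active Directory ports to the domain controller addresses, and attaches the group to the file system's network interfaces. It requires the AWS CLI with EC2 and FSx permissions. The VPC, file system and address values are placeholders, and the port list is the standard Active Directory port set; confirm it against the FSx VPC access-control documentation for your configuration.

```powershell
# Added example: build an egress-restricted security group for an FSx for Windows file system
# and attach it to the file system's network interface(s).
$VpcId        = 'vpc-0123456789abcdef0'             # placeholder
$FileSystemId = 'fs-0123456789abcdef0'              # placeholder
$DcCidrs      = @('10.0.0.10/32', '10.0.0.11/32')   # placeholder: self-managed domain controllers

# Protocol / port ranges the file system needs to reach on the domain controllers
$adPorts = @(
    @{ Proto = 'tcp'; From = 53;    To = 53    }, @{ Proto = 'udp'; From = 53;  To = 53  },  # DNS
    @{ Proto = 'tcp'; From = 88;    To = 88    }, @{ Proto = 'udp'; From = 88;  To = 88  },  # Kerberos
    @{ Proto = 'udp'; From = 123;   To = 123   },                                            # NTP
    @{ Proto = 'tcp'; From = 135;   To = 135   },                                            # RPC endpoint mapper
    @{ Proto = 'tcp'; From = 389;   To = 389   }, @{ Proto = 'udp'; From = 389; To = 389 },  # LDAP
    @{ Proto = 'tcp'; From = 445;   To = 445   },                                            # SMB
    @{ Proto = 'tcp'; From = 464;   To = 464   }, @{ Proto = 'udp'; From = 464; To = 464 },  # Kerberos password change
    @{ Proto = 'tcp'; From = 636;   To = 636   },                                            # LDAPS
    @{ Proto = 'tcp'; From = 3268;  To = 3269  },                                            # Global catalog
    @{ Proto = 'tcp'; From = 9389;  To = 9389  },                                            # AD DS Web Services
    @{ Proto = 'tcp'; From = 49152; To = 65535 }                                             # RPC dynamic ports
)

# 1. Create the group. A new security group starts with an allow-all egress rule.
$sg = aws ec2 create-security-group --vpc-id $VpcId --group-name fsx-windows-egress-to-ad `
        --description 'FSx for Windows: egress to self-managed AD only' --query GroupId --output text
if ($LASTEXITCODE -ne 0) { throw 'create-security-group failed' }

# 2. Remove the default 0.0.0.0/0 egress rule so only what is added below is allowed out.
aws ec2 revoke-security-group-egress --group-id $sg `
    --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]' | Out-Null

# 3. Allow each AD port only to the domain controller addresses (CLI shorthand syntax,
#    one --ip-permissions value per port range).
$ranges = ($DcCidrs | ForEach-Object { "{CidrIp=$_}" }) -join ','
$perms  = foreach ($p in $adPorts) {
    "IpProtocol=$($p.Proto),FromPort=$($p.From),ToPort=$($p.To),IpRanges=[$ranges]"
}
aws ec2 authorize-security-group-egress --group-id $sg --ip-permissions $perms | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'authorize-security-group-egress failed' }

# 4. Attach the group to every network interface of the file system (Multi-AZ has one per AZ).
#    modify-network-interface-attribute replaces the interface's whole group list, so add any
#    group that still has to admit client SMB traffic alongside $sg.
$enis = (aws fsx describe-file-systems --file-system-ids $FileSystemId `
            --query 'FileSystems[0].NetworkInterfaceIds' --output text) -split '\s+'
foreach ($eni in $enis) {
    aws ec2 modify-network-interface-attribute --network-interface-id $eni --groups $sg
}

# 5. Show the resulting egress rules for review
aws ec2 describe-security-groups --group-ids $sg --query 'SecurityGroups[0].IpPermissionsEgress' --output table
```

Because the group carries egress rules only, the file system's existing client-facing group must remain on the interface; dropping it in step 4 would cut off SMB clients even though the domain join keeps working.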