Using a self-managed Microsoft Active Directory - Amazon FSx for Windows File Server
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using a self-managed Microsoft Active Directory

If your organization manages identities and devices using a self-managed Active Directory on-premises or in the cloud, you can join an FSx for Windows File Server file system to your Active Directory domain when you create the file system. To do so, when you create a new FSx for Windows File Server file system, choose Self-managed Microsoft Active Directory under Windows Authentication. Provide the following details for your self-managed Active Directory:

  • A fully qualified domain name for your self-managed directory

    Note

    The domain name must not be in the Single Label Domain (SLD) format. Amazon FSx doesn't currently support SLD domains.

    Note

    For Single-AZ 2 and Multi-AZ file systems, the Active Directory domain name can't exceed 47 characters.

  • DNS server IP addresses for your domain

    The DNS server IP addresses, Active Directory domain controller IP addresses, and client network must meet the following requirements:

    For file systems created before December 17, 2020, IP addresses must be in an RFC 1918 private IP address range:

    • 10.0.0.0/8

    • 172.16.0.0/12

    • 192.168.0.0/16

    For file systems created after December 17, 2020, IP addresses can be in any range, except:

    • IP addresses that conflict with Amazon Web Services owned IP addresses in that Amazon Region. For a list of Amazon owned IP addresses by region, see the Amazon IP address ranges.

    • IP addresses in the following CIDR block range: 198.19.0.0/16

    Note

    Your Active Directory domain controllers must be writable.

  • User name and password for a service account on your Active Directory domain, for Amazon FSx to use to join the file system to your Active Directory domain

  • (Optional) The Organizational Unit (OU) in your domain in which you want your file system to be joined

  • (Optional) The domain group to which you want to delegate authority to perform administrative actions on your file system. For example, this domain group might manage Windows file shares, manage Access Control Lists (ACLs) on the file system's root folder, take ownership of files and folders, and so on. If you don’t specify this group, Amazon FSx delegates this authority to the Domain Admins group in your Active Directory domain by default.

    Note

    The domain group name you provide must be unique in your Active Directory. FSx for Windows File Server will not create the domain group under the following circumstances:

    • If a group already exists with the name you specify

    • If you do not specify a name, and a group named "Domain Admins" already exists in your Active Directory.

    For more information, see Joining an Amazon FSx file system to a self-managed Microsoft Active Directory domain.

Important

Amazon FSx only registers DNS records for a file system if you are using Microsoft DNS as the default DNS service. If you are using a third-party DNS, you will need to manually set up DNS entries for your Amazon FSx file systems after you create them.

When you join your file system directly to your self-managed Active Directory, your FSx for Windows File Server resides in the same Active Directory forest (the top logical container in an Active Directory configuration that contains domains, users, and computers) and in the same Active Directory domain as your users and existing resources (including existing file servers).

Note

You can isolate your resources—including your Amazon FSx file systems—into a separate Active Directory forest from the one where your users reside. To do this, join your file system to an Amazon Managed Active Directory and establish a one-way forest trust relationship between an Amazon Managed Active Directory that you create and your existing self-managed Active Directory.

Prerequisites

Before you create an FSx for Windows File Server file system and join it to your self-managed Microsoft Active Directory domain, review the following prerequisites. Ensure that your networking and Active Directory configurations meet these requirements so that you can successfully join your file system to your Active Directory.

On-premises configurations

You have an existing self-managed Microsoft Active Directory, either on-premises or cloud-based, that you will join the Amazon FSx file system to. Your self-managed Active Directory needs to meet the following requirements:

  • The Active Directory domain controller has a domain functional level at Windows Server 2008 R2 or higher.

  • The IP addresses for the DNS server and the Active Directory domain controller meet the following requirements, which vary depending on when your Amazon FSx file system was created:

    For file systems created before December 17, 2020, IP addresses must be in an RFC 1918 private IP address range:

    • 10.0.0.0/8

    • 172.16.0.0/12

    • 192.168.0.0/16

    For file systems created after December 17, 2020, IP addresses can be in any range, except:

    • IP addresses that conflict with Amazon Web Services owned IP addresses in the Amazon Web Services Region that the file system is in. For a list of Amazon owned IP addresses by region, see the Amazon IP address ranges.

    • IP addresses in the CIDR block range of 198.19.0.0/16

    If you need to access an FSx for Windows File Server file system that was created before December 17, 2020 using a non-private IP address range, you can create a new file system by restoring a backup of the file system. For more information, see Restoring a backup to a new file system.

  • The domain name isn't in Single Label Domain (SLD) format. Amazon FSx doesn't support SLD domains.

  • For Single-AZ 2 and all Multi-AZ file systems, the Active Directory domain name cannot exceed 47 characters.

  • If you have Active Directory sites defined:

    • The subnets in the VPC that's associated with your file system must be defined in an Active Directory site.

    • There are no conflicts between the VPC subnets and any of the Active Directory site subnets.

Network configurations

This section describes the network configuration requirements for joining a file system to your self-managed Active Directory.

We recommend that you use the Amazon FSx Active Directory validation tool to test your network settings before attempting to join your file system to your self-managed Active Directory.

  • You may need to add rules to your firewall to allow ICMP traffic between your Active Directory domain controllers and Amazon FSx.

  • Connectivity must be configured between the Amazon VPC where you want to create the file system and your self-managed Active Directory. You can set up this connectivity using Amazon Direct Connect, Amazon Virtual Private Network, VPC peering, or Amazon Transit Gateway.

  • For VPC security groups, the default security group for your default Amazon VPC must be added to your file system in the console. Ensure that the security group and the VPC network ACLs for the subnets where you create your FSx file system allow traffic on the ports and in the directions shown in the following diagram.

    FSx for Windows File Server port configuration requirements for VPC security groups and network ACLs for the subnets where the file system is created.

    The following table identifies the role of each port.

    Protocol   Ports           Role
    TCP/UDP    53              Domain Name System (DNS)
    TCP/UDP    88              Kerberos authentication
    TCP/UDP    464             Change/set password
    TCP/UDP    389             Lightweight Directory Access Protocol (LDAP)
    UDP        123             Network Time Protocol (NTP)
    TCP        135             Distributed Computing Environment/End Point Mapper (DCE/EPMAP)
    TCP        445             Directory Services SMB file sharing
    TCP        636             Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
    TCP        3268            Microsoft Global Catalog
    TCP        3269            Microsoft Global Catalog over SSL
    TCP        5985            WinRM 2.0 (Microsoft Windows Remote Management)
    TCP        9389            Microsoft Active Directory DS Web Services, PowerShell
    TCP        49152 - 65535   Ephemeral ports for RPC

    Important

    Allowing outbound traffic on TCP port 9389 is required for Single-AZ 2 and Multi-AZ file system deployments.

    These traffic rules need to also be mirrored on the firewalls that apply to each of the Active Directory domain controllers, DNS servers, FSx clients, and FSx administrators.

Note

If you're using VPC network ACLs, you must also allow outbound traffic on dynamic ports (49152-65535) from your FSx file system.

Important

While Amazon VPC security groups require ports to be opened only in the direction that network traffic is initiated, most Windows firewalls and VPC network ACLs require ports to be open in both directions.
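The following pre-flight check is an added example and is not part of the Amazon FSx documentation or tooling. It is meant to be run from a Windows host placed in the same subnet and security group that the file system will use, against every domain controller, so that a blocked port or missing ICMP rule shows up before you create the file system. The domain controller addresses and domain name are placeholders. Test-NetConnection exercises TCP only; Resolve-DnsName covers UDP 53 in the common case, but UDP 88/123/389/464 and the RPC ephemeral range are not exercised here, so still run the Amazon FSx Active Directory validation tool.

```powershell
# Added example (not from the Amazon FSx documentation): TCP/ICMP/DNS reachability
# from the FSx subnet to each domain controller on the ports in the table above.
$DomainControllers = @('10.0.1.10', '10.0.2.10')   # assumed DC IP addresses
$DomainName        = 'corp.example.com'            # assumed AD domain

# TCP ports from the table; UDP-only checks are not possible with Test-NetConnection.
$TcpPorts = [ordered]@{
    53   = 'DNS';  88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
    445  = 'SMB';  464 = 'Kerberos password change'; 636 = 'LDAPS'
    3268 = 'Global Catalog'; 3269 = 'Global Catalog over SSL'
    5985 = 'WinRM'; 9389 = 'AD Web Services'
}

function Test-FsxDcReachability {
    param([string[]]$Dcs, [string]$Domain)
    foreach ($dc in $Dcs) {
        # ICMP: the firewall between the DCs and FSx may need to permit it.
        [pscustomobject]@{ DC = $dc; Check = 'icmp'; Role = 'ping'
                           Ok = (Test-Connection -ComputerName $dc -Count 1 -Quiet) }

        # UDP 53: a real A-record lookup against this specific DC.
        $dns = Resolve-DnsName -Name $Domain -Server $dc -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Check = '53/udp'; Role = 'DNS'; Ok = ($null -ne $dns) }

        foreach ($port in $TcpPorts.Keys) {
            $ok = Test-NetConnection -ComputerName $dc -Port $port `
                                     -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ DC = $dc; Check = "$port/tcp"; Role = $TcpPorts[$port]; Ok = $ok }
        }
    }
}

$results = Test-FsxDcReachability -Dcs $DomainControllers -Domain $DomainName
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} check(s) failed; fix the security group, network ACL or DC firewall " +
                   "before creating the file system.") -f $failed.Count
}
```

Because security groups are stateful but network ACLs and Windows firewalls are not, a port that passes here from the FSx side can still fail for the return traffic on the domain controller side; check the DC firewall logs for drops on the ephemeral range if the join fails after this check passes.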

Service account permissions

You need to have a service account in your self-managed Microsoft Active Directory with delegated permissions to join computers to the domain. A service account is a user account in your self-managed Microsoft Active Directory that has been delegated certain tasks.

The service account needs to—at a minimum—be delegated the following permissions in the OU that you're joining the file system to:

  • Ability to reset passwords

  • Ability to restrict accounts from reading and writing data

  • Validated ability to write to the DNS host name

  • Validated ability to write to the service principal name

  • Ability (can be delegated) to create and delete computer objects

  • Validated ability to read and write Account Restrictions

  • Ability to modify permissions

These represent the minimum set of permissions that are required to join computer objects to your Active Directory. For more information, see the Microsoft Windows Server documentation topic Error: Access is denied when non-administrator users who have been delegated control try to join computers to a domain controller.

For more information about creating a service account with the correct permissions, see Delegating privileges to the Amazon FSx service account.

If you update your file system with a new service account, ensure that the new service account has Full control permissions for the existing computer objects associated with the file system. In addition, make sure that new service account is part of the trusted accounts with the enabled Group Policy setting Domain controller: Allow computer account re-use during domain join. For more information, see Changing the Amazon FSx service account.

Amazon FSx requires a valid service account throughout the lifetime of your Amazon FSx file system. Amazon FSx must be able to fully manage the file system and perform tasks that require unjoining and rejoining your Active Directory domain using the service account. These tasks include replacing a failed file server or patching Windows Server software. It is imperative that you keep your Active Directory configuration, including the service account credentials, updated with Amazon FSx. For more information, see Keeping the Active Directory configuration updated.

Amazon FSx requires connectivity to all domain controllers in your Active Directory environment. If you have multiple domain controllers, ensure that all of them meet the requirements above, and ensure that any changes to your service account are propagated to all domain controllers.

You can validate your Active Directory configuration, including testing connectivity of multiple domain controllers, using the Amazon FSx Active Directory Validation tool. To limit the number of domain controllers that require connectivity, you can also build a trust relationship between your on-premises domain controllers and Amazon Managed Microsoft AD. For more information, see Using a resource forest isolation model.

Important

Do not move computer objects that Amazon FSx creates in the OU after your file system is created. Doing so will cause your file system to become misconfigured.

Best practices

We recommend that you follow these best practices when joining FSx for Windows File Server file systems to your self-managed Microsoft Active Directory to help maintain continuous, uninterrupted availability of your Amazon FSx file system.

Delegating privileges to the Amazon FSx service account

We recommend that you create a separate service account for Amazon FSx and delegate to it only the minimum privileges required. Although members of the Domain Admins group have sufficient privileges to perform this task, we recommend that you use a separate service account instead.

We also recommend that you segregate the Organizational Unit (OU) from other domain controller concerns to make it easier to find and manage your Amazon FSx computer objects.

For more information about the minimum set of privileges that you need to delegate to the Amazon FSx service, see Service account permissions.

For more information about how to delegate privileges using either the Delegate Control or Advanced Features features in the Active Directory User and Computers MMC snap-in, see Delegating permission to the Amazon FSx service account or group.
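The following script is an added example, not code from the Amazon FSx documentation, that performs the delegation described under Service account permissions and in this section with PowerShell instead of the Active Directory Users and Computers snap-in. It grants a dedicated service account the rights listed above, scoped to the OU that will hold the file system's computer objects, so that no Domain Admins member is used. The OU path and account name are placeholders; run it on a host with the ActiveDirectory module as an account that can modify the OU's ACL.

```powershell
# Added example (not from the Amazon FSx documentation): delegate the minimum rights
# for joining computers to a dedicated OU to the FSx service account.
Import-Module ActiveDirectory

$OuDn    = 'OU=FSx,OU=Servers,DC=corp,DC=example,DC=com'   # assumed dedicated OU
$SvcUser = 'svc-fsx'                                       # assumed service account
$sid     = (Get-ADUser -Identity $SvcUser).SID

# Schema and extended-right GUIDs used to scope each ACE. They are fixed by the AD
# schema; confirm with Get-ADObject under (Get-ADRootDSE).SchemaNamingContext if
# your forest has a customised schema.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password (control access right)
$AcctRestrict  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # Account Restrictions (property set)
$DnsHostName   = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # Validated write to DNS host name
$SpnValidated  = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to service principal name

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$OuDn"

# On the OU itself: create and delete computer objects, and nothing else.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $ComputerClass, $Inh::All))

# On computer objects beneath the OU only (inherited, not granted on the OU):
# the remaining rights from the Service account permissions list.
$perComputer = @(
    @{ Rights = $Rights::ExtendedRight;                              Type = $ResetPassword }  # reset password
    @{ Rights = ($Rights::ReadProperty -bor $Rights::WriteProperty); Type = $AcctRestrict  }  # Account Restrictions
    @{ Rights = $Rights::Self;                                       Type = $DnsHostName   }  # validated write, dNSHostName
    @{ Rights = $Rights::Self;                                       Type = $SpnValidated  }  # validated write, SPN
    @{ Rights = $Rights::WriteDacl;                                  Type = [guid]::Empty  }  # modify permissions
)
foreach ($p in $perComputer) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $p.Rights, $Allow, $p.Type, $Inh::Descendents, $ComputerClass))
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review what was delegated: ObjectType and InheritedObjectType show the scoping.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcUser" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The split between the OU-level ACE (create/delete child, computer class only) and the inherited per-computer ACEs is what keeps the grant minimal: the account cannot reset passwords or rewrite the DACL of the OU itself, only of the computer objects FSx creates under it.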

Important

Do not move computer objects that Amazon FSx creates in the OU after your file system is created. Doing so will cause your file system to become misconfigured. If you update your file system with a new service account, ensure that the new service account has Full control permissions for the existing computer objects associated with the file system.

Changing the Amazon FSx service account

If you change the service account for an existing Amazon FSx file system, the new service account must have the required permissions and privileges to join your Active Directory and take ownership over the existing computer objects associated with the file system.

When changing the service account for Amazon FSx, ensure that the new service account has the following settings:

  • The new service account has Full control permissions for the existing computer objects associated with the file system.

  • The new service account is part of the trusted accounts with the Domain controller: Allow computer account re-use during domain join Group Policy setting enabled on all domain controllers in the Active Directory.

If the new service account does not meet these requirements, the following conditions could occur:

  • For Single-AZ file systems, the file system could become MISCONFIGURED_UNAVAILABLE.

  • For Multi-AZ file systems, the file system could become MISCONFIGURED and the RemotePowerShell endpoint name might change.

Configuring a domain controller's Group Policy

The following Microsoft recommended procedure describes how to use the domain controller Group Policy to configure the allow list policy.

To configure a domain controller's allow list policy
  1. Install the September 12, 2023 or later Microsoft Windows updates on all member computers and domain controllers in your self-managed Microsoft Active Directory.

  2. In a new or existing group policy that applies to all domain controllers in your self-managed Active Directory, configure the following settings.

    1. Navigate to Computer Configuration>Policies>Windows Settings>Security Settings> Local Policies>Security Options.

    2. Double-click Domain controller: Allow computer account re-use during domain join.

    3. Select Define this policy setting and <Edit Security…>.

    4. Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

      Warning

      Limit membership to the policy to trusted users and service accounts. Do not add authenticated users, everyone or other large groups to this policy. Instead, add specific trusted users and service accounts to groups and add those groups to the policy.

  3. Wait for the Group Policy refresh interval or run gpupdate /force on all domain controllers.

  4. Verify that the ComputerAccountReuseAllowList value under the HKLM\System\CurrentControlSet\Control\SAM registry key is populated with the desired SDDL. Do not manually edit the registry.

  5. Attempt to join a computer that has the September 12, 2023, or later updates installed. Ensure that one of the accounts listed in the policy owns the computer account. Also ensure that its registry does not have the NetJoinLegacyAccountReuse key enabled (set to 1). If the domain join fails, check the c:\windows\debug\netsetup.log.
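The following check is an added example, not part of the Microsoft procedure or the Amazon FSx documentation. It covers steps 4 and 5 above: it reads the allow list the Group Policy wrote on a domain controller, decodes the SDDL so you can see which accounts are trusted, flags the broad groups the Warning tells you not to add, and checks for the NetJoinLegacyAccountReuse bypass on the machine it runs on. Registry paths are the ones named in the procedure; the well-known SIDs for Everyone, Authenticated Users and Domain Users are assumed to be what you want flagged.

```powershell
# Added example (not from the Amazon FSx or Microsoft documentation): verify the
# computer account re-use allow list and the legacy bypass flag.
$samKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'

# Broad principals that should never be on the allow list.
$BroadSids = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users

function Get-ComputerAccountReuseAllowList {
    # Step 4: the policy stores the allow list as an SDDL string. Read only; do not edit.
    $sddl = (Get-ItemProperty -Path $samKey -Name ComputerAccountReuseAllowList `
                 -ErrorAction SilentlyContinue).ComputerAccountReuseAllowList
    if ([string]::IsNullOrEmpty($sddl)) {
        Write-Warning "ComputerAccountReuseAllowList is not populated on $env:COMPUTERNAME; run gpupdate /force and re-check."
        return
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        # Domain Users has RID 513 in every domain.
        $tooBroad = ($sid.Value -in $BroadSids) -or $sid.Value.EndsWith('-513')
        [pscustomobject]@{ AceType = $ace.AceType; Account = $name; Sid = $sid.Value; TooBroad = $tooBroad }
    }
}

$entries = @(Get-ComputerAccountReuseAllowList)
$entries | Format-Table -AutoSize
$entries | Where-Object TooBroad | ForEach-Object {
    Write-Warning "Allow list contains broad principal $($_.Account); replace it with a dedicated group."
}

# Step 5: on the member computer being joined, the legacy bypass must not be set to 1.
$legacy = (Get-ItemProperty -Path $lsaKey -Name NetJoinLegacyAccountReuse `
               -ErrorAction SilentlyContinue).NetJoinLegacyAccountReuse
if ($legacy -eq 1) {
    Write-Warning 'NetJoinLegacyAccountReuse=1 bypasses the allow list on this computer; remove it before joining.'
}
```

Run the allow-list part on each domain controller (the policy must apply to all of them) and the legacy-flag part on the member computer; if the join still fails, c:\windows\debug\netsetup.log on the member shows which account owns the existing computer object and whether it matched the allow list.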

Keeping the Active Directory configuration updated

To help ensure continuous, uninterrupted availability of your Amazon FSx file system, you need to update the file system's Active Directory configuration any time that you make changes to your self-managed Active Directory setup.

For example, if your Active Directory uses a time-based password reset policy, as soon as the password is reset, make sure to update the service account password with Amazon FSx. Similarly, if the DNS server IP addresses change for your Active Directory domain, as soon as the change occurs, update the DNS server IP addresses with Amazon FSx. For more information, see Updating a self-managed Active Directory configuration.

When you update the self-managed Active Directory configuration for your Amazon FSx file system, your file system's state switches from Available to Updating while the update is applied. Verify that the state switches back to Available after the update has been applied – note that the update can take up to several minutes to complete. For more information, see Monitoring self-managed Active Directory updates.

If there's an issue with the updated self-managed Active Directory configuration, the file system state switches to Misconfigured. This state shows an error message and recommended corrective action beside the file system description in the console, API, and CLI. After taking the recommended corrective action, verify that your file system's state eventually changes to Available.

Important

If you update your file system with a new service account, ensure that the new service account has Full control permissions for the existing computer objects associated with the file system.

For information about troubleshooting possible issues related to self-managed Active Directory configurations, see File system is in a misconfigured state.
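The following script is an added example and is not from the Amazon FSx documentation. It shows the update flow described above in practice: after the service account password has been rotated or the DNS server IPs have changed, it pushes the new values to the file system with the AWS CLI (aws fsx update-file-system) and then polls describe-file-systems until the Lifecycle state leaves UPDATING, surfacing the failure message if the file system lands in MISCONFIGURED. The file system ID, account name and IPs are placeholders, and the AWS CLI is assumed to be installed and authenticated. The password is written to a temporary file and removed rather than passed as a command-line argument, where it would be visible in process listings and shell history.

```powershell
# Added example (not from the Amazon FSx documentation): update the self-managed AD
# configuration of a file system and wait for the state to settle.
$FileSystemId = 'fs-0123456789abcdef0'           # placeholder
$NewDnsIps    = @('10.0.1.10', '10.0.2.10')       # placeholder DNS server IPs
$SvcUser      = 'svc-fsx'                         # placeholder service account
$secure       = Read-Host -Prompt "New password for $SvcUser" -AsSecureString
$cred         = [pscredential]::new($SvcUser, $secure)

# Write the update as JSON to a temp file so the secret never appears on a command line.
$cfgFile = Join-Path $env:TEMP ('fsx-ad-{0}.json' -f [guid]::NewGuid())
try {
    $json = @{
        SelfManagedActiveDirectoryConfiguration = @{
            UserName = $SvcUser
            Password = $cred.GetNetworkCredential().Password
            DnsIps   = $NewDnsIps
        }
    } | ConvertTo-Json -Depth 4
    # BOM-less UTF-8 so the CLI parses the file cleanly on Windows PowerShell 5.1 too.
    [System.IO.File]::WriteAllText($cfgFile, $json, [System.Text.UTF8Encoding]::new($false))

    aws fsx update-file-system --file-system-id $FileSystemId --windows-configuration "file://$cfgFile" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "update-file-system failed for $FileSystemId" }
}
finally {
    Remove-Item -Path $cfgFile -Force -ErrorAction SilentlyContinue
}

# Poll until the update completes; the expected path is UPDATING -> AVAILABLE.
do {
    Start-Sleep -Seconds 30
    $fs    = (aws fsx describe-file-systems --file-system-ids $FileSystemId | ConvertFrom-Json).FileSystems[0]
    $state = $fs.Lifecycle
    Write-Host ('{0} {1} is {2}' -f (Get-Date -Format s), $FileSystemId, $state)
} while ($state -eq 'UPDATING')

if ($state -ne 'AVAILABLE') {
    # MISCONFIGURED or MISCONFIGURED_UNAVAILABLE: the message carries the corrective action.
    Write-Warning ('{0}: {1}' -f $state, $fs.FailureDetails.Message)
}
```

Because Amazon FSx unjoins and rejoins the domain with this account during maintenance, wire this update into whatever process rotates the service account password; a rotation that is not mirrored to the file system only fails later, at the next patch or failover.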

Using security groups to limit traffic within your VPC

To limit network traffic in your virtual private cloud (VPC), you can implement the principle of least privilege in your VPC. In other words, you can limit privileges to the minimum ones necessary. To do this, use security group rules. To learn more, see Amazon VPC Security Groups.

Creating outbound security group rules for your file system's network interface

For greater security, consider configuring a security group with outbound traffic rules. These rules should allow outbound traffic only to your self-managed Microsoft Active Directory domain controllers or within the subnet or security group. Apply this security group to the VPC associated with your Amazon FSx file system's elastic network interface. To learn more, see File System Access Control with Amazon VPC.