Using Amazon FSx with your self-managed Microsoft Active Directory - Amazon FSx for Windows File Server
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Amazon FSx with your self-managed Microsoft Active Directory

If your organization manages identities and devices on a self-managed Active Directory on-premises or in the cloud, you can join your Amazon FSx file system directly to your existing self-managed Active Directory domain. To use Amazon FSx with Amazon Managed Microsoft AD, you can use the Amazon FSx console. When you create a new FSx for Windows File Server file system in the console, choose Self-managed Microsoft Active Directory under Windows Authentication. Provide the following details for your self-managed Active Directory:

  • A fully qualified domain name for your self-managed directory


    The domain name must not be in the Single Label Domain (SLD) format. Amazon FSx doesn't currently support SLD domains.


    For Single-AZ 2 and Multi-AZ file systems, the Active Directory domain name can't exceed 47 characters.

  • DNS server IP addresses for your domain

    The DNS server IP addresses, Active Directory domain controller IP addresses, and client network must meet the following requirements:

    For file systems created before December 17, 2020 For file systems created after December 17, 2020

    IP addresses must be in an RFC 1918 private IP address range:




    IP addresses can be in any range, except:

    • IP addresses that conflict with Amazon Web Services owned IP addresses in that Amazon Region. For a list of Amazon owned IP addresses by region, see the Amazon IP address ranges.

    • IP addresses in the following CIDR block range:


    Your Active Directory domain controllers must be writable.

  • User name and password for a service account on your Active Directory domain, for Amazon FSx to use to join the file system to your Active Directory domain

  • (Optional) The Organizational Unit (OU) in your domain in which you want your file system to be joined

  • (Optional) The domain group to which you want to delegate authority to perform administrative actions on your file system. For example, this domain group might manage Windows file shares, manage Access Control Lists (ACLs) on the file system's root folder, take ownership of files and folders, and so on. If you don’t specify this group, Amazon FSx delegates this authority to the Domain Admins group in your Active Directory domain by default.


    The domain group name you provide must be unique in your Active Directory. FSx for Windows File Server will not create the domain group under the following circumstances:

    • If a group already exists with the name you specify

    • If you do not specify a name, and a group named "Domain Admins" already exists in your Active Directory.

    For more information, see Joining an Amazon FSx file system to a self-managed Microsoft Active Directory domain.


Amazon FSx only registers DNS records for a file system if you are using Microsoft DNS as the default DNS service. If you are using a third-party DNS, you will need to manually set up DNS entries for your Amazon FSx file systems after you create them.

When you join your file system directly to your self-managed Active Directory, your FSx for Windows File Server resides in the same Active Directory forest (the top logical container in an Active Directory configuration that contains domains, users, and computers) and in the same Active Directory domain as your users and existing resources (including existing file servers).


You can isolate your resources—including your Amazon FSx file systems—into a separate Active Directory forest from the one where your users reside. To do this, join your file system to an Amazon Managed Active Directory and establish a one-way forest trust relationship between an Amazon Managed Active Directory that you create and your existing self-managed Active Directory.