Creating a file system joined to a self-managed Active Directory fails - Amazon FSx for Windows File Server

Creating a file system joined to a self-managed Active Directory fails

Duplicate file system administrators group names

Creating a file system joined to your self-managed Active Directory fails with the following error message:

File system creation failed. Amazon FSx is unable to apply your Microsoft Active Directory configuration with the 
specified file system administrators group. Please ensure that your Active Directory does not contain multiple domain 
groups with the name: domain_group.

Amazon FSx did not create the file system because there are multiple administrator groups in the domain with the same name.

If you don't specify a group name, Amazon FSx will attempt to use the default value "Domain Admins" as the administrator group. The request will fail if there is more than one group using the default "Domain Admins" name.

Use the following steps to resolve the issue.

  1. Review the prerequisites for joining your file system to your self-managed Active Directory.

  2. Use the Amazon FSx Active Directory Validation Tool to validate your self-managed Active Directory configuration prior to creating an FSx for Windows File Server file system that's joined to a self-managed Active Directory.

  3. Create a new file system using the Amazon Web Services Management Console or Amazon CLI. For more information, see Joining an Amazon FSx file system to a self-managed Microsoft Active Directory domain.

  4. Provide a name for the file system administrator group that is unique in the domain for your self-managed Active Directory.

DNS servers or domain controllers unreachable

Creating a file system joined to your self-managed Active Directory fails with the following error message:

Amazon FSx can't reach the DNS servers provided or the domain controllers for your self-managed directory in Microsoft Active Directory. 
File system creation failed. Amazon FSx is unable to communicate with your Microsoft Active Directory domain controllers. 
This is because Amazon FSx can't reach the DNS servers provided or domain controllers for your domain. 
To fix this problem, delete your file system and create a new one with valid DNS servers and networking configuration that allows 
traffic from the file system to the domain controller.

Use the following steps to troubleshoot and resolve the issue.

  1. Verify that you followed the prerequisites for having network connectivity and routing established between the subnet where you're creating an Amazon FSx file system, and your self-managed Active Directory. For more information, see Prerequisites for using a self-managed Microsoft Active Directory.

    Use the Amazon FSx Active Directory Validation tool to test and verify these network settings.

    Note

    If you have multiple Active Directory sites defined, ensure that the subnets in the VPC associated with your Amazon FSx file system are defined in an Active Directory site and that no IP conflicts exist between the subnets in your VPC and the subnets in your other sites. You can view and change these settings using the Active Directory Sites and Services MMC snap-in.

  2. Verify that you configured the VPC security groups that you associated with your Amazon FSx file system, along with any VPC network ACLs, to allow outbound network traffic on all ports.

    Note

    If you want to implement least privilege, you can allow outbound traffic only to the specific ports required for communication with the Active Directory domain controllers. For more information, see the Microsoft Active Directory documentation.

  3. Verify that the values for Microsoft Windows file server or network administrative properties do not contain non-Latin-1 characters. For example, the file system creation fails if you use Domänen-Admins as the name of the file system administrators group.

  4. Verify that your Active Directory domain's DNS servers and domain controllers are active and able to respond to requests for the domain provided.

  5. Ensure that the functional level of your Active Directory domain is Windows Server 2008 R2 or higher.

  6. Make sure that the firewall rules on your Active Directory domain's domain controllers allow traffic from your Amazon FSx file system. For more information, see the Microsoft Active Directory documentation.
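As an added example (not part of the Amazon FSx documentation or the FSx Active Directory Validation Tool), the PowerShell script below exercises steps 2, 4 and 6 from a Windows host placed in the subnet and security group planned for the file system: it resolves the domain's domain-controller SRV record through each DNS server and then tests TCP reachability to every domain controller it finds. The domain name, DNS server addresses and port list are assumptions; the ports are not listed on this page and should be confirmed against the FSx prerequisites.

```powershell
# Added example; not from the Amazon FSx documentation or the FSx Active Directory
# Validation Tool. Run it on a Windows host placed in the subnet and security group
# planned for the file system. $DomainName and $DnsServers are placeholders.
param(
    [string]$DomainName = 'corp.example.com',            # placeholder
    [string[]]$DnsServers = @('10.0.0.10', '10.0.0.11')  # placeholder
)
# Assumption: these TCP ports (DNS, Kerberos, RPC mapper, LDAP, SMB, Kerberos
# password change, LDAPS, global catalog) are what a domain join needs. They are
# not listed on this page; confirm them against the FSx prerequisites.
$DcPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

$results = @()
foreach ($dns in $DnsServers) {
    # Step 4: every DNS server given to FSx must answer for the domain. The
    # _ldap SRV record also yields the domain controllers to test next.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                               -Server $dns -ErrorAction Stop
        $dcs = @($srv | Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique)
        $results += [pscustomobject]@{ Check = "DNS $dns"; Target = $DomainName; Ok = $true; Detail = "$($dcs.Count) DC(s) found" }
    } catch {
        $results += [pscustomobject]@{ Check = "DNS $dns"; Target = $DomainName; Ok = $false; Detail = $_.Exception.Message }
        continue
    }
    foreach ($dc in $dcs) {
        # The test host's own DNS may not know the domain, so resolve each DC
        # through the AD DNS server too; fall back to the name if that fails.
        $ip = (Resolve-DnsName -Name $dc -Type A -Server $dns -ErrorAction SilentlyContinue | Select-Object -First 1).IPAddress
        if (-not $ip) { $ip = $dc }
        foreach ($port in $DcPorts) {
            # Steps 2 and 6: the security group, network ACLs and the DC firewall
            # must all allow this traffic; a failure means one of them blocks it,
            # and the test cannot tell which, so check each layer in turn.
            $tnc = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
            $results += [pscustomobject]@{ Check = "TCP $port"; Target = $dc; Ok = $tnc.TcpTestSucceeded; Detail = $tnc.RemoteAddress }
        }
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix the failing checks before creating the file system.'
}
```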

Invalid service account credentials

Creating a file system joined to a self-managed Active Directory fails with the following error message:

Amazon FSx is unable to establish a connection with your Microsoft Active Directory domain controllers 
because the service account credentials provided are invalid. To fix this problem, delete your file 
system and create a new one using a valid service account.

Use the following steps to troubleshoot and resolve the issue.

  1. Verify that you're entering only the user name as input for the Service account username, such as ServiceAcct, in the self-managed Active Directory configuration.

    Important

    DO NOT include a domain prefix (corp.com\ServiceAcct) or domain suffix (ServiceAcct@corp.com) when entering the service account user name.

    DO NOT use the distinguished name (DN) when entering the service account user name (CN=ServiceAcct,OU=example,DC=corp,DC=com).

  2. Verify that the service account that you provided exists in your Active Directory domain.

  3. Make sure that you delegated the required permissions to the service account that you provided. The service account must be able to create and delete computer objects in the OU in the domain to which you're joining the file system. The service account also needs, at a minimum, to have permissions to do the following:

    • Reset passwords

    • Restrict accounts from reading and writing data

    • Validated ability to write to the DNS hostname

    • Validated ability to write to the service principal name

    For more information about creating a service account with correct permissions, see Delegating privileges to your Amazon FSx service account.

Insufficient service account permissions

Creating a file system joined to your self-managed Active Directory fails with the following error message:

Amazon FSx is unable to establish a connection with your
Microsoft Active Directory domain controllers. This is because the service account provided does not 
have permission to join the file system to the domain with the specified organizational unit. 
To fix this problem, delete your file system and create a new one using a service account with 
permission to join the file system to the domain with the specified organizational unit.

Use the following procedure to troubleshoot and resolve the issue.

  • Make sure that you delegated the required permissions to the service account that you provided. The service account must be able to create and delete computer objects in the OU in the domain to which you're joining the file system. The service account also needs, at a minimum, to have permissions to do the following:

    • Reset passwords

    • Restrict accounts from reading and writing data

    • Validated ability to write to the DNS hostname

    • Validated ability to write to the service principal name

    For more information about creating a service account with correct permissions, see Delegating privileges to your Amazon FSx service account.

Service account capacity exceeded

Creating a file system joined to your self-managed Active Directory fails with the following error message:

Amazon FSx can't establish a connection with your Microsoft Active Directory
domain controllers. This is because the service account provided has reached the
maximum number of computers that it can join to the domain. To fix this problem,
delete your file system and create a new one, supplying a service account that
is able to join new computers to the domain.

To resolve the issue, check whether the service account you provided has reached the maximum number of computers it can join to the domain. If it has, create a new service account with the correct permissions and use it to create a new file system. For more information, see Delegating privileges to your Amazon FSx service account.

Amazon FSx can't access the organizational unit (OU)

Creating a file system joined to your self-managed Active Directory fails with the following error message:

Amazon FSx can't establish a connection with your Microsoft Active Directory domain controller(s). 
This is because the organizational unit you specified either doesn't exist or isn't accessible 
to the service account provided. To fix this problem, delete your file system and create a new one specifying an 
organizational unit to which the service account can join the file system.

Use the following steps to troubleshoot and resolve the issue.

  1. Verify that the OU you provided is in your Active Directory domain.

  2. Make sure that you have delegated the required permissions to the service account that you provided. The service account must be able to create and delete computer objects in the OU in the domain that you're joining the file system to. The service account also needs to have, at a minimum, permissions to do the following:

    • Reset passwords

    • Restrict accounts from reading and writing data

    • Validated ability to write to the DNS hostname

    • Validated ability to write to the service principal name

    • Be delegated control to create and delete computer objects

    • Validated ability to read and write Account Restrictions

    For more information about creating a service account with the correct permissions, see Delegating privileges to your Amazon FSx service account.

Service account can't access the administrators group

Creating a file system joined to your self-managed Active Directory fails with the following error message:

Amazon FSx is unable to apply your Microsoft Active Directory configuration. This is because the file system 
administrators group you provided either doesn't exist or isn't accessible to the service account you 
provided. To fix this problem, delete your file system and create a new one specifying a file 
system administrators group in the domain that is accessible to the service account 
provided.

Use the following steps to troubleshoot and resolve the issue.

  1. Ensure that you’re providing just the name of the group as a string for the administrators group parameter.

    Important

    DO NOT include a domain prefix (corp.com\FSxAdmins) or domain suffix (FSxAdmins@corp.com) when providing the group name parameter.

    DO NOT use the distinguished name (DN) for the group. An example of a distinguished name is CN=FSxAdmins,OU=example,DC=corp,DC=com.

  2. Ensure that the administrators group provided exists in the same Active Directory domain as the one that you want to join the file system to.

  3. If you did not provide an administrator group parameter, Amazon FSx attempts to use the Builtin Domain Admins group in your Active Directory domain. If the name of this group has been changed, or if you’re using a different group for domain administration, you need to provide that name for the group.
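An added PowerShell check (not from the Amazon FSx documentation) that covers both the duplicate-group failure described at the top of this page and the group-name rules in this section: it rejects prefixed, suffixed or DN-form names, queries only the target domain so that exactly one group must match, and, when the default is used, looks up the built-in Domain Admins group by its well-known RID in case it was renamed. Domain and group names are placeholders.

```powershell
# Added example; not from the Amazon FSx documentation. Needs the ActiveDirectory
# module and read access to the domain. $DomainName and $GroupName are placeholders.
function Test-FsxAdminGroup {
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        [string]$GroupName = ''   # empty reproduces the FSx default, "Domain Admins"
    )
    $useDefault = ($GroupName -eq '')
    if ($useDefault) { $GroupName = 'Domain Admins' }

    # Bare group name only: no corp.com\ prefix, no @corp.com suffix, no DN.
    if ($GroupName -match '[\\@]' -or $GroupName -match '^\s*CN=') {
        return "Provide only the group name, not '$GroupName'."
    }
    # Reject anything outside printable ASCII; stricter than "non-Latin-1" but
    # consistent with the page's Domänen-Admins example, which also fails.
    if ($GroupName -match '[^\x20-\x7E]') {
        return "Group name '$GroupName' contains non-ASCII characters."
    }

    # Search only the domain the file system joins: the group must live there,
    # and a same-named group in another domain of the forest does not count.
    $found = @(Get-ADGroup -Server $DomainName -Filter { Name -eq $GroupName })
    switch ($found.Count) {
        1 { return "OK: '$GroupName' is unique in $DomainName ($($found[0].DistinguishedName))." }
        0 {
            if (-not $useDefault) { return "No group named '$GroupName' exists in $DomainName." }
            # Default requested but no "Domain Admins" by name: the built-in group
            # (RID 512) may have been renamed, so report its current name to pass to FSx.
            $sid = "$((Get-ADDomain -Server $DomainName).DomainSID)-512"
            $da = Get-ADGroup -Server $DomainName -Identity $sid
            return "Built-in Domain Admins group is now named '$($da.Name)'; pass that name to FSx."
        }
        default {
            # This is the condition behind the "multiple domain groups with the
            # name" error. Rename or remove a duplicate, or pass a unique group.
            $dns = ($found | ForEach-Object DistinguishedName) -join '; '
            return "$($found.Count) groups named '$GroupName' in $DomainName: $dns"
        }
    }
}

Test-FsxAdminGroup -DomainName 'corp.example.com' -GroupName 'FSxAdmins'
```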

Amazon FSx lost connectivity in domain

Creating a file system joined to your self-managed Active Directory fails with the following error message:

Amazon FSx is unable to apply your Microsoft Active Directory configuration. To fix this problem, delete your file system and create a new one 
meeting the pre-requisites described in the Amazon FSx user guide.

When creating your file system, Amazon FSx was able to reach your Active Directory domain’s DNS servers and domain controllers, and join the file system successfully to your Active Directory domain. However, while completing file system creation, Amazon FSx lost connectivity to or membership in your domain. Use the following steps to troubleshoot and resolve the issue.

  1. Ensure that network connectivity still exists between your Amazon FSx file system and your Active Directory, and that network traffic between them is still allowed by your routing rules, VPC security group rules, VPC network ACLs, and domain controller firewall rules.

  2. Ensure that the computer objects created by Amazon FSx for your file systems in your Active Directory domain are still active, and were not deleted or otherwise manipulated.

Service account does not have correct permissions

Creating a file system joined to your self-managed Active Directory fails with the following error message:

File system creation failed. Amazon FSx is unable to establish a connection with your Microsoft Active Directory domain controller(s). 
This is because the service account provided does not have permission to join the file system to the domain with the specified 
organizational unit (OU). To fix this problem, delete your file system and create a new one using a service account with permission 
to create computer objects and reset passwords within the specified organizational unit.

Make sure that you have delegated the required permissions to the service account that you provided. Use the following steps to troubleshoot and resolve the issue.

The service account needs to have, at a minimum, the following permissions:

  • Be delegated control to create and delete computer objects in the OU that you’re joining the file system to

  • Have the following permissions in the OU that you’re joining the file system to:

    • Ability to reset passwords

    • Ability to restrict accounts from reading and writing data

    • Validated ability to write to the DNS hostname

    • Validated ability to write to the service principal name

    • Ability (can be delegated) to create and delete computer objects

    • Validated ability to read and write Account Restrictions

    • Ability to modify permissions

    For more information about creating a service account with the correct permissions, see Delegating privileges to your Amazon FSx service account.
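An added PowerShell check (not from the Amazon FSx documentation) that covers the four service-account sections on this page (invalid credentials, insufficient permissions, inaccessible OU, and this one): it validates the user-name format, confirms the account and OU exist, and reads the OU's security descriptor to see whether the rights listed above are granted to the account or one of its direct groups. Domain, account and OU names are placeholders; nested group membership and ACE inheritance scope are not evaluated.

```powershell
# Added example; not from the Amazon FSx documentation. Needs the ActiveDirectory
# module and read access to the domain. $DomainName, $ServiceAccount and $OuDn are
# placeholders. Only Allow ACEs held by the account or its direct groups are checked.
function Test-FsxServiceAccount {
    param([Parameter(Mandatory)][string]$DomainName,
          [Parameter(Mandatory)][string]$ServiceAccount,   # bare name, e.g. ServiceAcct
          [Parameter(Mandatory)][string]$OuDn)             # DN of the OU FSx joins
    # Bare user name only: no corp.com\ prefix, no @corp.com suffix, no DN.
    if ($ServiceAccount -match '[\\@]' -or $ServiceAccount -match '^\s*CN=') {
        return "Use only the user name, not '$ServiceAccount'." }
    $user = Get-ADUser -Server $DomainName -Filter { SamAccountName -eq $ServiceAccount }
    if (-not $user) { return "Service account '$ServiceAccount' not found in $DomainName." }
    $ou = Get-ADObject -Server $DomainName -Identity $OuDn -Properties nTSecurityDescriptor -ErrorAction SilentlyContinue
    if (-not $ou) { return "OU '$OuDn' not found in $DomainName." }
    # ACEs reference rights by GUID; resolve them from the schema and Extended-Rights instead of hard-coding.
    $root = Get-ADRootDSE -Server $DomainName
    $computer = [guid](Get-ADObject -Server $DomainName -SearchBase $root.SchemaNamingContext `
        -Filter { lDAPDisplayName -eq 'computer' } -Properties schemaIDGUID).schemaIDGUID
    $rightsBase = "CN=Extended-Rights,$($root.ConfigurationNamingContext)"
    $rid = @{}
    foreach ($n in 'Reset Password', 'Validated write to DNS host name',
                   'Validated write to service principal name', 'Account Restrictions') {
        $rid[$n] = [guid](Get-ADObject -Server $DomainName -SearchBase $rightsBase `
            -Filter { displayName -eq $n } -Properties rightsGuid).rightsGuid }
    $sids = @($user.SID.Value) + @(Get-ADPrincipalGroupMembership -Server $DomainName -Identity $user |
        ForEach-Object { $_.SID.Value })
    $aces = @($ou.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and
        $sids -contains $(try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }) })
    # A right is present if an ACE carries the flag for that GUID or for an empty GUID (AD's "all").
    function Test-Ace($flag, $type) {
        [bool]($aces | Where-Object { (([int]$_.ActiveDirectoryRights -band [int]$flag) -ne 0) -and
            ($_.ObjectType -eq $type -or $_.ObjectType -eq [guid]::Empty) }) }
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $checks = [ordered]@{
        'Create computer objects'         = Test-Ace ($R::CreateChild) $computer
        'Delete computer objects'         = Test-Ace ($R::DeleteChild) $computer
        'Reset passwords'                 = Test-Ace ($R::ExtendedRight) $rid['Reset Password']
        'Validated write to DNS hostname' = Test-Ace ($R::Self) $rid['Validated write to DNS host name']
        'Validated write to SPN'          = Test-Ace ($R::Self) $rid['Validated write to service principal name']
        'Read/write Account Restrictions' = (Test-Ace ($R::ReadProperty) $rid['Account Restrictions']) -and
                                            (Test-Ace ($R::WriteProperty) $rid['Account Restrictions'])
        'Modify permissions'              = Test-Ace ($R::WriteDacl) ([guid]::Empty)
    }
    $missing = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    if ($missing.Count -eq 0) { return "OK: '$ServiceAccount' holds the required rights on $OuDn." }
    return "Missing on $OuDn for '$ServiceAccount': $($missing -join ', ')"
}
Test-FsxServiceAccount -DomainName 'corp.example.com' -ServiceAccount 'ServiceAcct' -OuDn 'OU=FSx,DC=corp,DC=example,DC=com'
```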

Unicode characters used in creation parameters

Creating a file system joined to your self-managed Active Directory fails with the following error message:

File system creation failed. Amazon FSx is unable to create a file system within the specified
Microsoft Active Directory. To fix this problem, please delete your file system and create a new one
meeting the pre-requisites described in the FSx for ONTAP User Guide.

Amazon FSx does not support Unicode characters. Verify that none of the creation parameters have Unicode characters, such as accent marks. This includes parameters that can be left blank where a default value is filled in automatically. Ensure the corresponding default values in your Active Directory also do not contain Unicode characters.

If you encounter problems not listed here while using Amazon FSx, ask a question in the Amazon FSx Forum or contact Amazon Web Services Support.