Configuring AWS DataSync transfers with Amazon FSx for Windows File Server - AWS DataSync
Accessing FSx for Windows File Server file systemsCreating your FSx for Windows File Server transfer location

Beginning December 7, 2023, we will discontinue version 1 DataSync agents. Check the Agents page on the DataSync console to see if you have affected agents. If you do, replace those agents before then to avoid data transfer or storage discovery disruptions. If you need more help, contact AWS Support.

Configuring AWS DataSync transfers with Amazon FSx for Windows File Server

To transfer data to or from your Amazon FSx for Windows File Server file system, you must create an AWS DataSync transfer location. DataSync can use this location as a source or destination for transferring data.

Accessing FSx for Windows File Server file systems

DataSync connects to your FSx for Windows File Server with the Server Message Block (SMB) protocol and mounts your file system from your virtual private cloud (VPC) using network interfaces.

Note

VPCs that you use with DataSync must have default tenancy. VPCs with dedicated tenancy are not supported. For more information, see Work with VPCs.

Required authentication protocols

Your FSx for Windows File Server must use NTLM authentication for DataSync to access it. DataSync can't access a file server that uses Kerberos authentication.

Required permissions

DataSync needs a user account with permissions to mount and access your FSx for Windows File Server files, folders, and file metadata.

We recommend that you make this user a member of the file system administrators group. If you're using AWS Directory Service for Microsoft Active Directory with FSx for Windows File Server, the user must be a member of the AWS Delegated FSx Administrators group. If you're using a self-managed Active Directory with your FSx for Windows File Server, the user must be a member of one of two groups:

  • The Domain Admins group.

  • The custom group that you specified for file system administration when you created your file system.

When transferring between an SMB file server and FSx for Windows File Server file system, or between FSx for Windows File Server file systems, the transfer source and destination must:

  • Belong to the same Active Directory domain.

  • Have an Active Directory trust relationship between their domains.

Object ownership and NTFS ACL permissions

To set object ownership, DataSync needs a user with the SE_RESTORE_NAME privilege, which is usually granted to members of the built-in Active Directory groups Backup Operators and Domain Admins. Providing DataSync a user with this privilege also helps ensure sufficient permissions to files, folders, and file metadata except for NTFS system access control lists (SACLs).

Additional privileges are required for DataSync to copy SACLs, specifically the Windows SE_SECURITY_NAME privilege that's granted to members of the Domain Admins group. To configure how DataSync copies ACLs, see Managing how AWS DataSync transfers files, objects, and metadata.

Warning

When copying NTFS ACLs, make sure that the SYSTEM user has Full Control permissions on all folders in your source and destination locations. If you don't, DataSync can change your destination's permissions in a way that makes your FSx for Windows File Server share inaccessible. For more information, see the Amazon FSx for Windows File Server User Guide.

Creating your FSx for Windows File Server transfer location

Before you begin, make sure that you have an existing FSx for Windows File Server in your AWS Region. For more information, see Getting started with Amazon FSx in the Amazon FSx for Windows File Server User Guide.

To create an FSx for Windows File Server location by using the DataSync console

  1. Open the AWS DataSync console at https://console.aws.amazon.com/datasync/.

  2. In the left navigation pane, expand Data transfer, then choose Locations and Create location.

  3. For Location type, choose Amazon FSx.

  4. For FSx file system, choose the FSx for Windows File Server file system that you want to use as a location.

  5. For Share name, enter a mount path for your FSx for Windows File Server using forward slashes.

    This specifies the path where DataSync reads or writes data (depending on if this is a source or destination location).

    You can also include subdirectories (for example, /path/to/directory).

  6. For Security groups, choose up to five security groups that provide access to your file system's preferred subnet.

    Note

    If you choose a security group that doesn't allow connections from within itself, do one of the following:

    • Configure the security group to allow it to communicate within itself.

    • Choose a different security group that can communicate with the mount target's security group.

  7. For User, enter the name of a user that can access your FSx for Windows File Server.

    For more information, see Accessing FSx for Windows File Server file systems.

  8. For Password, enter password of the user name.

  9. (Optional) For Domain, enter the name of the Windows domain that your FSx for Windows File Server belongs to.

    If you have multiple domains in your environment, configuring this setting makes sure that DataSync connects to the right file server.

  10. (Optional) Enter values for the Key and Value fields to tag the FSx for Windows File Server.

    Tags help you manage, filter, and search for your AWS resources. We recommend creating at least a name tag for your location.

  11. Choose Create location.