Preparing for the cutover to Amazon FSx Configure SPNs for Kerberos authentication Update the DNS CNAME records for the Amazon FSx file system

Cutting over operations to Amazon FSx for Windows File Server

After you have migrated your on-premises file storage, file share configuration, and DNS configuration, the next step is cutting over your operations to the FSx for Windows File Server file systems. To cut over to your FSx for Windows File Server file system, you perform the following steps:

Prepare for the cut over.
- Temporarily disconnect SMB clients from the original file system.
- Perform a final file and file share configuration sync.
Configure service principal names (SPNs) for your Amazon FSx file system.
Update DNS CNAME records to point to your Amazon FSx file system.

The procedures to perform each of these steps are provided in the following sections.

Topics

Preparing for the cutover to Amazon FSx
Configure SPNs for Kerberos authentication
Update the DNS CNAME records for the Amazon FSx file system

Preparing for the cutover to Amazon FSx

To prepare for the cutover to your Amazon FSx file system, you must do the following:

Disconnect all clients that write to the original file system.
Perform a final file sync using AWS DataSync or Robocopy. For more information, see Migrating existing file storage to FSx for Windows File Server.
Perform a final file share configuration sync. For more information, see Migrating your on-premises file share configurations to Amazon FSx.

Configure SPNs for Kerberos authentication

We recommend that you use Kerberos-based authentication and encryption in transit with Amazon FSx. Kerberos provides the most secure authentication for clients that access your file system. To enable Kerberos authentication for clients accessing Amazon FSx using a DNS alias, you must add service principal names (SPNs) that correspond to the DNS alias on your Amazon FSx file system’s Active Directory computer object.

There are two required SPNs for Kerberos authentication.


HOST/alias
HOST/alias.domain

As an example, if the alias is finance.domain.com, the two required SPNs are as follows.


HOST/finance
HOST/finance.domain.com

An SPN can only be associated with a single Active Directory computer object at a time. If there are existing SPNs for the DNS name configured for your original file system's Active Directory computer object, you must delete them before creating SPNs for your Amazon FSx file system.

The following procedures describe how to find any existing SPNs, delete them, and create new SPNs for your Amazon FSx file system's Active Directory computer object.

To install the required PowerShell Active Directory module

Log on to a Windows instance joined to the Active Directory that your Amazon FSx file system is joined to.
Open PowerShell as administrator.
Install the PowerShell Active Directory module using the following command.
```
Install-WindowsFeature RSAT-AD-PowerShell
```

To find and delete existing DNS alias SPNs on the original file system's Active Directory computer object

Find any existing SPNs by using the following commands. Replace alias_fqdn with the DNS alias that you associated with the file system in Migrating your on-premises DNS configuration to FSx for Windows File Server.
```
## Find SPNs for original file system's AD computer object
$ALIAS = "alias_fqdn"
SetSPN /Q ("HOST/" + $ALIAS)
SetSPN /Q ("HOST/" + $ALIAS.Split(".")[0])
```

Delete the existing HOST SPNs returned in the previous step by using the following example script.

Replace alias_fqdn with the full DNS alias that you associated with the file system in Migrating your on-premises DNS configuration to FSx for Windows File Server.
Replace file_system_DNS_name with the original file system's DNS name .


## Delete SPNs for original file system's AD computer object
$Alias = "alias_fqdn"
$FileSystemDnsName = "file_system_dns_name"
$FileSystemHost = (Resolve-DnsName ${FileSystemDnsName} | Where Type -eq 'A')[0].Name.Split(".")[0]
$FSxAdComputer = (Get-AdComputer -Identity ${FileSystemHost})

SetSPN /D ("HOST/" + ${Alias}) ${FSxAdComputer}.Name
SetSPN /D ("HOST/" + ${Alias}.Split(".")[0]) ${FSxAdComputer}.Name

Repeat these steps for each DNS alias that you associated with the file system in Migrating your on-premises DNS configuration to FSx for Windows File Server.

To set SPNs on your Amazon FSx file system’s Active Directory computer object

Set new SPNs for your Amazon FSx file system by running the following commands.
- Replace file_system_DNS_name with the DNS name that Amazon FSx assigned to the file system.
  
  To find your file system's DNS name on the Amazon FSx console, choose File systems, and choose your file system. Choose the Network & security pane of the file system details page. You can also get the DNS name in the response of the DescribeFileSystems API operation.
- Replace alias_fqdn with the full DNS alias that you associated with the file system in Migrating your on-premises DNS configuration to FSx for Windows File Server.
```
## Set SPNs for FSx file system AD computer object
$FSxDnsName = "file_system_DNS_name"
$Alias = "alias_fqdn"
$FileSystemHost = (Resolve-DnsName $FSxDnsName | Where Type -eq 'A')[0].Name.Split(".")[0]
$FSxAdComputer = (Get-AdComputer -Identity $FileSystemHost)

Set-AdComputer -Identity $FSxAdComputer -Add @{"msDS-AdditionalDnsHostname"="$Alias"}
SetSpn /S ("HOST/" + $Alias.Split('.')[0]) $FSxAdComputer.Name
SetSpn /S ("HOST/" + $Alias) $FSxAdComputer.Name
```
Note
Setting an SPN for your Amazon FSx file system will fail if an SPN for the DNS alias exists in the AD for the original file system's computer object. For information about finding and deleting existing SPNs, see To find and delete existing DNS alias SPNs on the original file system's Active Directory computer object.
Verify that the new SPNs are configured for the DNS alias using the following example script. Ensure that the response includes two HOST SPNs, HOST/alias and HOST/alias_fqdn.

Replace file_system_DNS_name with the DNS name that Amazon FSx assigned to your file system. To find your file system's DNS name on the Amazon FSx console, choose File systems, choose your file system, and then choose the Network & security pane on the file system details page.

You can also get the DNS name in the response of the DescribeFileSystems API operation.
```
## Verify SPNs on FSx file system AD computer object
$FileSystemDnsName = "file_system_dns_name"
$FileSystemHost = (Resolve-DnsName ${FileSystemDnsName} | Where Type -eq 'A')[0].Name.Split(".")[0]
$FSxAdComputer = (Get-AdComputer -Identity ${FileSystemHost})
SetSpn /L ${FSxAdComputer}.Name
```
Repeat the previous steps for each DNS alias that you've associated with the file system in Migrating your on-premises DNS configuration to FSx for Windows File Server.

Note

You can enforce Kerberos authentication and encryption in transit with clients connecting to your file system using DNS aliases by setting the following Group Policy Objects (GPOs) in your Active Directory:

Restrict NTLM: Outgoing NTLM traffic to remote servers
Restrict NTLM: Add remote server exceptions for NTLM authentication

For more information, see Enforcing Kerberos authentication using Group Policy Objects (GPOs) in Walkthrough 5: Using DNS aliases to access your file system.

Update the DNS CNAME records for the Amazon FSx file system

After you properly configure SPNs for your file system, you can cut over to Amazon FSx by replacing each DNS record that resolved to the original file system with a DNS record that resolves to the default DNS name of the Amazon FSx file system.

To install the required PowerShell cmdlets

Log on to a Windows instance joined to the Active Directory that your Amazon FSx file system is joined to as a user that is a member of a group that has DNS administration permissions (AWS Delegated Domain Name System Administrators in AWS Managed Microsoft Active Directory, and Domain Admins or another group to which you've delegated DNS administration permissions in your self-managed Active Directory)

For more information, see Connecting to your Windows instance in the Amazon EC2 User Guide.
Open PowerShell as administrator.
The PowerShell DNS server module is required to perform the instructions in this procedure. Install it using the following command.
```
Install-WindowsFeature RSAT-DNS-Server
```

To update an existing a DNS CNAME record

The following script updates any existing DNS CNAME records for the alias_fqdn to your Amazon FSx file system's computer object. If none is found, it creates a new DNS CNAME record for the DNS alias alias_fqdn that resolves to the default DNS name for your Amazon FSx file system.

To run the script:
- Replace alias_fqdn with the DNS alias that you associated with the file system.
- Replace file_system_DNS_name with the default DNS name Amazon FSx has assigned to the file system.
```
$Alias="alias_fqdn"
$FSxDnsName="file_system_dns_name"
$AliasHost=$Alias.Split('.')[0]
$ZoneName=((Get-WmiObject Win32_ComputerSystem).Domain)
$DnsServerComputerName = (Resolve-DnsName $ZoneName -Type NS | Where Type -eq 'A' | Select -ExpandProperty Name)[0]

Add-DnsServerResourceRecordCName -Name $AliasHost -ComputerName $DnsServerComputerName -HostNameAlias $FSxDnsName -ZoneName $ZoneName
```
Repeat the previous step for each DNS alias that you associated with the file system in Migrating your on-premises DNS configuration to FSx for Windows File Server.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Migrating your on-premises DNS configuration to FSx for Windows File Server

Monitoring file systems