You can't access your file system - Amazon FSx for Windows File Server

You can't access your file system

There are a number of potential causes for being unable to access your file system, each with their own resolution, as follows.

The file system elastic network interface was modified or deleted

You must not modify or delete the file system's elastic network interface. Modifying or deleting the network interface can cause a permanent loss of connection between your VPC and your file system. Create a new file system, and do not modify or delete the Amazon FSx elastic network interface. For more information, see File System Access Control with Amazon VPC.

The Elastic IP address attached to the file system elastic network interface was deleted

Amazon FSx doesn't support accessing file systems from the public internet. Amazon FSx automatically detaches any Elastic IP address, which is a public IP address reachable from the internet, that gets attached to a file system's elastic network interface. For more information, see Supported clients, access methods, and environments for Amazon FSx for Windows File Server.

The file system security group lacks the required inbound or outbound rules

Review the inbound rules specified in Amazon VPC Security Groups, and make sure that the security group associated with your file system has the corresponding inbound rules.

The compute instance's security group lacks the required outbound rules

Review the outbound rules specified in Amazon VPC Security Groups, and make sure that the security group associated with your compute instance has the corresponding outbound rules.

Compute instance not joined to an Active Directory

Your compute instances might not be correctly joined to one of two types of Active Directory:

  • The AWS Managed Microsoft AD directory to which your file system is joined.

  • A Microsoft Active Directory directory that has a one-way forest trust relationship established with the AWS Managed Microsoft AD directory.

Make sure that your compute instances are joined to one of these two types of directory. For more information, see Using Amazon FSx with AWS Directory Service for Microsoft Active Directory.

The file share doesn't exist

The Microsoft Windows file share that you're attempting to access doesn't exist.

If you're using an existing file share, make sure that the file system DNS name and the share name are correctly specified. To manage your file shares, see File shares.

Active Directory user lacks required permissions

The Active Directory user that you're accessing the file share as lacks the necessary access permissions.

Make sure that the access permissions for the file share and Windows access control lists (ACLs) for the shared folder allow access to the Active Directory users that need to access it.

Allow Full control NTFS ACL permissions removed

If you remove Allow Full control NTFS ACL permissions for the SYSTEM user on a folder that you shared, that share can become inaccessible and any file system backups taken from that point onwards may not be usable.

You will need to re-create the affected file share. For more information, see File shares. After you re-create the folder or share, you can map and use the Windows file shares from your compute instances.

Can't access a file system using an on-premises client

You're using your Amazon FSx file system from on-premises using AWS Direct Connect or VPN, and you're using a non-private IP address range for the on-premises client.

Amazon FSx only supports access from on-premises clients with non-private IP addresses on file systems created after December 17, 2020.

If you need to access your FSx for Windows File Server file system that was created before December 17, 2020 using a non-private IP address range, you can create a new file system by restoring a backup of the file system. For more information, see Working with backups.

New file system is not registered in DNS

For file systems joined to a self-managed Active Directory, Amazon FSx did not register the file system DNS when it was created because the customer network does not use Microsoft DNS.

Amazon FSx does not register file systems in DNS if your network uses a third-party DNS service instead of Microsoft DNS. You must manually set up DNS A entries for your Amazon FSx file systems. For Single-AZ 1 file systems, you will need to add one DNS A entry; for Single-AZ 2 and Multi-AZ file systems, you will need to add two DNS A entries. Use the following procedure to obtain the file system IP address or addresses to use when manually adding the DNS A entries.

  1. In the Amazon FSx console at https://console.aws.amazon.com/fsx/, choose the file system whose IP address you want to obtain. This displays the file system details page.

  2. In the Network & security tab do one of the following:

    • For a Single-AZ 1 file system:

      • In the Subnet panel, choose the elastic network interface shown under Network interface to open the Network Interfaces page in the Amazon EC2 console.

      • The IP address for the Single-AZ 1 file system to use is shown in the Primary private IPv4 IP column.

    • For a Single-AZ 2 or Multi-AZ file system:

      • In the Preferred subnet panel, choose the elastic network interface shown under Network interface to open the Network Interfaces page in the Amazon EC2 console.

      • The IP address for the preferred subnet to use is shown in the Secondary private IPv4 IP column.

      • In the Amazon FSx Standby subnet panel, choose the elastic network interface shown under Network interface to open the Network Interfaces page in the Amazon EC2 console.

      • The IP address for the standby subnet to use is shown in the Secondary private IPv4 IP column.
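
The same address selection can be scripted from API output instead of read off the console. The following is an added example, not part of the original page: it applies the primary/secondary rule above to a constructed sample shaped like `aws ec2 describe-network-interfaces` output. It assumes the FSx `DeploymentType` values `SINGLE_AZ_1`, `SINGLE_AZ_2` and `MULTI_AZ_1`; the interface IDs and addresses are made up.

```python
import json

# Constructed sample shaped like `aws ec2 describe-network-interfaces` output
# for a Multi-AZ file system's two interfaces; IDs and addresses are made up.
SAMPLE_ENIS = json.loads("""
{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-preferred-example",
   "PrivateIpAddresses": [{"Primary": true,  "PrivateIpAddress": "10.0.1.10"},
                          {"Primary": false, "PrivateIpAddress": "10.0.1.25"}]},
  {"NetworkInterfaceId": "eni-standby-example",
   "PrivateIpAddresses": [{"Primary": true,  "PrivateIpAddress": "10.0.2.10"},
                          {"Primary": false, "PrivateIpAddress": "10.0.2.25"}]}
]}
""")

# DeploymentType value -> (use the primary address?, number of A entries),
# following the rule in the procedure above.
RULES = {
    "SINGLE_AZ_1": (True, 1),
    "SINGLE_AZ_2": (False, 2),
    "MULTI_AZ_1": (False, 2),
}


def a_records(dns_name, deployment_type, enis):
    """Return (name, ip) pairs for the DNS A entries to create by hand."""
    use_primary, expected = RULES[deployment_type]
    ips = [
        addr["PrivateIpAddress"]
        for eni in enis["NetworkInterfaces"]
        for addr in eni["PrivateIpAddresses"]
        if addr["Primary"] == use_primary
    ]
    # Refuse to emit records when the interfaces do not match the expected
    # layout: a wrong or extra A entry would send SMB clients to another host.
    if len(ips) != expected:
        raise ValueError(
            f"{deployment_type}: expected {expected} address(es), found {len(ips)}"
        )
    return [(dns_name, ip) for ip in ips]
```

Pass only the interfaces that belong to the file system; the function raises instead of guessing when the address count does not match the deployment type.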

Can't access the file system using a DNS alias

If you're unable to access a file system using a DNS alias, use the following procedure to troubleshoot the issue.

  1. Verify that the alias is associated with the file system by doing either of the following steps:

    1. Using the Amazon FSx console – Choose the file system that you're trying to access. On the File system details page, the DNS aliases are shown on the Network & security tab.

    2. Using the CLI or API – Use the describe-file-system-aliases CLI command, or the DescribeFileSystemAliases API operation to retrieve the aliases currently associated with the file system.

  2. If the DNS alias is not listed, you must associate it with the file system. For more information, see Managing DNS aliases on existing file systems.

  3. If the DNS alias is associated with the file system, verify that you've also configured the following required items:

  4. If you created valid SPNs and a DNS CNAME record, verify that the client's DNS has the DNS CNAME record that resolves to the correct file system.

    1. Run nslookup to confirm that the record exists and that it resolves to the file system's default DNS name.

    2. If the DNS CNAME resolves to another file system, wait for the client's DNS cache to refresh, and then check the CNAME record again. You can accelerate the process by flushing the client's DNS cache using the following command.

      ipconfig /flushdns

  5. If the DNS CNAME record resolves to the Amazon FSx file system's default DNS, and the client is still unable to access the file system, see You can't access your file system for additional troubleshooting steps.
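
The checks in this procedure can be combined into one function. The following is an added example, not part of the original page: it takes a `describe-file-system-aliases` response and the text a client printed for `nslookup -type=CNAME <alias>`, and reports which step applies. The alias `financials.ad-domain.com`, the DNS server name and the sample output are constructed; the `Lifecycle` check uses a field of the API response that the page does not discuss.

```python
import re

# Constructed samples: a describe-file-system-aliases response and the text a
# client printed for `nslookup -type=CNAME financials.ad-domain.com`.
ALIASES = {"Aliases": [{"Name": "financials.ad-domain.com", "Lifecycle": "AVAILABLE"}]}
NSLOOKUP_OUT = """Server:  dns.ad-domain.com
Address:  10.0.0.2

financials.ad-domain.com    canonical name = AMZNFSXAA11BB22.ad-domain.com.
"""


def norm(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()


def cname_target(alias, nslookup_text):
    """Return the CNAME target nslookup reported for alias, or None."""
    for line in nslookup_text.splitlines():
        m = re.match(r"\s*(\S+)\s+canonical name = (\S+)\s*$", line)
        if m and norm(m.group(1)) == norm(alias):
            return norm(m.group(2))
    return None


def check_alias(alias, aliases_response, default_dns_name, nslookup_text):
    """Return which step of the procedure above applies to this client."""
    listed = [a for a in aliases_response["Aliases"]
              if norm(a["Name"]) == norm(alias)]
    if not listed:
        return "not-associated"             # step 2: associate the alias
    if listed[0]["Lifecycle"] != "AVAILABLE":
        return "association-not-available"  # listed, but not in service
    target = cname_target(alias, nslookup_text)
    if target is None:
        return "cname-missing"              # step 4.1: no record for this client
    if target != norm(default_dns_name):
        return "cname-mismatch"             # step 4.2: flush DNS cache, re-check
    return "consistent"                     # step 5: general troubleshooting
```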

Can't access the file system using an IP address

If you're unable to access your file system using an IP address, try using the DNS name or associated DNS alias instead.

You can find the file system's DNS name and any associated DNS aliases on the Amazon FSx console by choosing Windows File Server, Network & security. Or, you can find them in the response of the CreateFileSystem or DescribeFileSystems API operation. For more information about using DNS aliases, see Managing DNS aliases.

  • For a Single-AZ file system joined to an AWS Managed Microsoft Active Directory, the DNS name looks like the following.

    fs-0123456789abcdef0.ad-domain.com

  • For all Multi-AZ file systems, and Single-AZ file systems joined to a self-managed Active Directory, the DNS name looks like the following.

    amznfsxaa11bb22.ad-domain.com