Validating Your Active Directory Configuration - Amazon FSx for Windows File Server

Validating Your Active Directory Configuration

Before you create an Amazon FSx for Windows File Server file system joined to your Active Directory, we recommend that you validate your Active Directory configuration using the Amazon FSx Active Directory Validation tool.

To validate your Active Directory configuration

  1. Launch an Amazon EC2 Windows instance in the same subnet and with the same Amazon VPC security groups that you will use for your Amazon FSx for Windows File Server file system. Please ensure that your EC2 instance has the required AmazonEC2ReadOnlyAccess IAM permissions. You can validate EC2 instance role permissions using the IAM policy simulator. For more information, see Testing IAM Policies with the IAM Policy Simulator in the IAM User Guide.

  2. Join your EC2 Windows instance to your Active Directory. For more information, see Manually Join a Windows Instance in the AWS Directory Service Administration Guide.

  3. Connect to your EC2 instance. For more information, see Connecting to Your Windows Instance in the Amazon EC2 User Guide for Windows Instances.

  4. Open a Windows PowerShell window (using Run as Administrator) on the EC2 instance.

    To test whether the required Active Directory module for Windows PowerShell is installed, use the following test command.

    PS C:\> Import-Module ActiveDirectory

    If above returns an error, install it using the following command.

    PS C:\> Install-WindowsFeature RSAT-AD-PowerShell
  5. Download the network validation tool using the following command.

    PS C:\> Invoke-WebRequest "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/samples/AmazonFSxADValidation.zip" -OutFile "AmazonFSxADValidation.zip"
  6. Expand the zip file by using the following command.

    PS C:\> Expand-Archive -Path "AmazonFSxADValidation.zip"
  7. Add the AmazonFSxADValidation module to the current session.

    PS C:\> Import-Module .\AmazonFSxADValidation
  8. Set required parameters by substituting into the following command your:

    • Active Directory domain name (DOMAINNAME.COM)

    • Service account username (SERVICE_ACCOUNT_USER)

    • Service account password (SERVICE_ACCOUNT_PASSWORD)

    • DNS server IP addresses (IP_ADDRESS_1, IP_ADDRESS_2)

    • Subnet ID(s) for subnets where you plan to create your Amazon FSx file system (SUBNET_1, SUBNET_2, for example, subnet-04431191671ac0d19).

    PS C:\> # Credential for Amazon FSx service account $Password = ConvertTo-SecureString 'SERVICE_ACCOUNT_PASSWORD' -AsPlainText -Force $Credential = New-Object System.Management.Automation.PSCredential ('SERVICE_ACCOUNT_USER', $Password) $FSxADValidationArgs = @{ # DNS root of ActiveDirectory domain DomainDNSRoot = 'DOMAINNAME.COM' # IP v4 addresses of DNS servers DnsIpAddresses = @('IP_ADDRESS_1', 'IP_ADDRESS_2') # Subnet IDs for Amazon FSx file server(s) SubnetIds = @('SUBNET_1', 'SUBNET_2') Credential = $Credential }
  9. (Optional) Set Organizational Unit, Delegated Administrators group, and enable service account permission validation by following instructions in the included README.md file prior to running the validation tool.

  10. Run the validation tool by using this command.

    PS C:\> $Result = Test-FSxADConfiguration @FSxADValidationArgs
  11. The following is an example of a successful test result.

    Test 1 - Validate EC2 Subnets ... ... Test 16 - Validate 'Delete Computer Objects' permission ... Test computer object amznfsxtestd53f deleted! ... SUCCESS - All tests passed! Please proceed to creating an Amazon FSx file system. For your convenience, SelfManagedActiveDirectoryConfiguration of result can be used directly in CreateFileSystemWindowsConfiguration for New-FSXFileSystem PS C:\AmazonFSxADValidation> $Result.Failures.Count 0 PS C:\AmazonFSxADValidation> $Result.Warnings.Count 0

    The following is an example of a test result with errors.

    Test 1 - Validate EC2 Subnets ... ... Test 7 - Validate that provided EC2 Subnets belong to a single AD Site ... Name DistinguishedName Site ---- ----------------- ---- 10.0.0.0/19 CN=10.0.0.0/19,CN=Subnets,CN=Sites,CN=Configuration,DC=test-ad,DC=local CN=SiteB,CN=Sites,CN=Configu... 10.0.128.0/19 CN=10.0.128.0/19,CN=Subnets,CN=Sites,CN=Configuration,DC=test-ad,DC=local CN=Default-First-Site-Name,C... 10.0.64.0/19 CN=10.0.64.0/19,CN=Subnets,CN=Sites,CN=Configuration,DC=test-ad,DC=local CN=SiteB,CN=Sites,CN=Configu... Best match for EC2 subnet subnet-092f4caca69e360e7 is AD site CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=te st-ad,DC=local Best match for EC2 subnet subnet-04431191671ac0d19 is AD site CN=SiteB,CN=Sites,CN=Configuration,DC=test-ad,DC=local WARNING: EC2 subnets subnet-092f4caca69e360e7 subnet-04431191671ac0d19 matched to different AD sites! Make sure they are in a single AD site. ... 9 of 16 tests skipped. FAILURE - Tests failed. Please see error details below: Name Value ---- ----- SubnetsInSeparateAdSites {subnet-04431191671ac0d19, subnet-092f4caca69e360e7} Please address all errors and warnings above prior to re-running validation to confirm fix. PS C:\AmazonFSxADValidation> $Result.Failures.Count 1 PS C:\AmazonFSxADValidation> $Result.Failures Name Value ---- ----- SubnetsInSeparateAdSites {subnet-04431191671ac0d19, subnet-092f4caca69e360e7} PS C:\AmazonFSxADValidation> $Result.Warnings.Count 0

    If you receive warnings or errors when you run the validation tool, refer to the Troubleshooting guide included in the validation tool package (TROUBLESHOOTING.md) and Troubleshooting Amazon FSx.