Validating your Active Directory configuration
Before you create an FSx for Windows File Server file system joined to your Active Directory, we recommend that you validate your Active Directory configuration using the Amazon FSx Active Directory Validation tool. Note that outbound internet connectivity is required to successfully validate the Active Directory configuration.
To validate your Active Directory configuration
Launch an Amazon EC2 Windows instance in the same subnet and with the same Amazon VPC security groups that you use for your FSx for Windows File Server file system. Ensure that your EC2 instance has the required
AmazonEC2ReadOnlyAccessIAM permissions. You can validate EC2 instance role permissions using the IAM policy simulator. For more information, see Testing IAM Policies with the IAM Policy Simulator in the IAM User Guide.Join your EC2 Windows instance to your Active Directory. For more information, see Manually Join a Windows Instance in the AWS Directory Service Administration Guide.
Connect to your EC2 instance. For more information, see Connecting to Your Windows Instance in the Amazon EC2 User Guide for Windows Instances.
Open a Windows PowerShell window (using Run as Administrator) on the EC2 instance.
To test whether the required Active Directory module for Windows PowerShell is installed, use the following test command.
PS C:\>Import-Module ActiveDirectoryIf above returns an error, install it using the following command.
PS C:\>Install-WindowsFeature RSAT-AD-PowerShellDownload the network validation tool using the following command.
PS C:\>Invoke-WebRequest "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/samples/AmazonFSxADValidation.zip" -OutFile "AmazonFSxADValidation.zip"Expand the zip file by using the following command.
PS C:\>Expand-Archive -Path "AmazonFSxADValidation.zip"Add the
AmazonFSxADValidationmodule to the current session.PS C:\>Import-Module .\AmazonFSxADValidationSet required parameters by substituting into the following command your:
Active Directory domain name (
DOMAINNAME.COM)Prepare the
$Credentialobject for the service account password using one of the following options.To generate the credential object interactively, use the following command.
$Credential = Get-CredentialTo generate the credential object using an AWS Secrets Manager resource, use the following command.
$Secret = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString $Credential = (New-Object PSCredential($Secret.UserName,(ConvertTo-SecureString $Secret.Password -AsPlainText -Force)))
DNS server IP addresses (
IP_ADDRESS_1,IP_ADDRESS_2)Subnet ID(s) for subnets where you plan to create your Amazon FSx file system (
SUBNET_1,SUBNET_2, for example,subnet-04431191671ac0d19).
PS C:\>$FSxADValidationArgs = @{ # DNS root of ActiveDirectory domain DomainDNSRoot = 'DOMAINNAME.COM' # IP v4 addresses of DNS servers DnsIpAddresses = @('IP_ADDRESS_1', 'IP_ADDRESS_2') # Subnet IDs for Amazon FSx file server(s) SubnetIds = @('SUBNET_1', 'SUBNET_2') Credential = $Credential }(Optional) Set Organizational Unit, Delegated Administrators group, DomainControllersMaxCount, and enable service account permission validation by following instructions in the included
README.mdfile prior to running the validation tool.Note
The
Domain Adminsgroup has a different name if the operating system is not in English. For example, the group is namedAdministrateurs du domainein the French OS version. If you don't specify a value, the defaultDomain Adminsgroup name is used and the file system creation fails.Run the validation tool by using this command.
PS C:\>$Result = Test-FSxADConfiguration @FSxADValidationArgs-
The following is an example of a successful test result.
Test 1 - Validate EC2 Subnets ... ... Test 17 - Validate 'Delete Computer Objects' permission ... Test computer object amznfsxtestd53f deleted! ... SUCCESS - All tests passed! Please proceed to creating an Amazon FSx file system. For your convenience, SelfManagedActiveDirectoryConfiguration of result can be used directly in CreateFileSystemWindowsConfiguration for New-FSXFileSystem PS C:\AmazonFSxADValidation> $Result.Failures.Count 0 PS C:\AmazonFSxADValidation> $Result.Warnings.Count 0The following is an example of a test result with errors.
Test 1 - Validate EC2 Subnets ... ... Test 7 - Validate that provided EC2 Subnets belong to a single AD Site ... Name DistinguishedName Site ---- ----------------- ---- 10.0.0.0/19 CN=10.0.0.0/19,CN=Subnets,CN=Sites,CN=Configuration,DC=test-ad,DC=local CN=SiteB,CN=Sites,CN=Configu... 10.0.128.0/19 CN=10.0.128.0/19,CN=Subnets,CN=Sites,CN=Configuration,DC=test-ad,DC=local CN=Default-First-Site-Name,C... 10.0.64.0/19 CN=10.0.64.0/19,CN=Subnets,CN=Sites,CN=Configuration,DC=test-ad,DC=local CN=SiteB,CN=Sites,CN=Configu... Best match for EC2 subnet subnet-092f4caca69e360e7 is AD site CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=te st-ad,DC=local Best match for EC2 subnet subnet-04431191671ac0d19 is AD site CN=SiteB,CN=Sites,CN=Configuration,DC=test-ad,DC=local WARNING: EC2 subnets subnet-092f4caca69e360e7 subnet-04431191671ac0d19 matched to different AD sites! Make sure they are in a single AD site. ... 9 of 16 tests skipped. FAILURE - Tests failed. Please see error details below: Name Value ---- ----- SubnetsInSeparateAdSites {subnet-04431191671ac0d19, subnet-092f4caca69e360e7} Please address all errors and warnings above prior to re-running validation to confirm fix. PS C:\AmazonFSxADValidation> $Result.Failures.Count 1 PS C:\AmazonFSxADValidation> $Result.Failures Name Value ---- ----- SubnetsInSeparateAdSites {subnet-04431191671ac0d19, subnet-092f4caca69e360e7} PS C:\AmazonFSxADValidation> $Result.Warnings.Count 0If you receive warnings or errors when you run the validation tool, refer to the Troubleshooting guide included in the validation tool package (
TROUBLESHOOTING.md) and Troubleshooting Amazon FSx.
