Provisioning an Active Directory service account
If you want to join Amazon FSx for NetApp ONTAP SVMs to your on-premises Active Directory domain, you must maintain a valid Active Directory service account throughout the lifetime of the Amazon FSx file system. Amazon FSx must be able to fully manage the file system and perform tasks that require unjoining and rejoining your Active Directory domain, such as replacing a failed file SVM or patching NetApp ONTAP software. Keep your Active Directory configuration, including the service account credentials, updated in Amazon FSx.
This service account must have the following permissions in Active Directory:
-
Permissions to join computers to the domain
-
In the organizational unit (OU) that you are joining the file system, permissions to:
-
Reset passwords
-
Restrict accounts from reading and writing data
-
Write to the DNS hostname
-
Write to the service principal name
-
Create and delete computer objects
-
Read and write account restrictions
-
An Active Directory domain administrator can create the service account manually by
using the Active Directory User and Computers MMC
snap-in. For instructions, see Delegating permissions to your Amazon FSx service account in the FSx for ONTAP
documentation. You could also configure this account programmatically. For example, you
could use PowerShell
param( [string] $DomainName, [string] $Username, #Service Account username [string] $Firstname, #Service Account Firstname [string] $Lastname, #Service Account Lastname [string] $saOU, #OU where Service Account is created [string] $delegateOrganizationalUnit #OU where Service Account has delegation ) #Retrieve Active Directory domain credentials of a Domain Admin $DomainCredential = ... #Import Active Directory PowerShell module ... #Create Service Account in specified OU New-Active DirectoryUser -Credential $DomainCredential -SamAccountName $Username -UserPrincipalName "$Username@$DomainName" -Name "$Firstname $Lastname" -GivenName $Firstname -Surname $Lastname -Enabled $True -ChangePasswordAtLogon $False -DisplayName "$Lastname, $Firstname" -Path $saOU -CannotChangePassword $True -PasswordNotRequired $True $user = Get-Active Directoryuser -Identity $Username $userSID = [System.Security.Principal.SecurityIdentifier] $user.SID #Connect to Active Directory drive Set-Location Active Directory: $ACL = Get-Acl -Path $delegateOrganizationalUnit $Identity = [System.Security.Principal.IdentityReference] $userSID #GUID of Active Directory Class $Computers = [GUID]"bf967a86-0de6-11d0-a285-00aa003049e2" $ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529" $ValidatedDNSHostName = [GUID]"72e39547-7b18-11d1-adef-00c04fd8d5cd" $ValidatedSPN = [GUID]"f3a64788-5306-11d1-a9c5-0000f80367c1" $AccountRestrictions = [GUID]"4c164200-20c0-11d0-a768-00aa006e0529" #Delegation list $rules = @() $rules += $(New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "CreateChild, DeleteChild", "Allow", $Computers, "All")) $rules += $(New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $Computers)) $rules += $(New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Identity, "ReadProperty, WriteProperty", "Allow", $AccountRestrictions, "Descendents", $Computers)) $rules += $(New-Object System.DirectoryServices.ActiveDirectoryAccessRule($userSID, "Self", "Allow", $ValidatedDNSHostName, "Descendents", $Computers)) $rules += $(New-Object System.DirectoryServices.ActiveDirectoryAccessRule($userSID, "Self", "Allow", $ValidatedSPN, "Descendents", $Computers)) #Set delegation foreach($rule in $rules) { $ACL.AddAccessRule($rule) } Set-Acl -Path $delegateOrganizationalUnit -AclObject $ACL
