

# Creating, updating, removing file shares
<a name="managing-file-shares"></a>

This topic describes how you can manage file shares by performing the following tasks.
+ Create a new file share
+ Modify an existing file share
+ Remove an existing file share

You can use the Windows-native Shared Folders GUI and the Amazon FSx CLI for remote management on PowerShell to manage file shares on your FSx for Windows File Server file system. You might experience delays when using the Shared Folders GUI (**fsmgmt.msc**) when first opening the context menu for shares located on a different file system. To avoid these delays, use PowerShell to manage file shares that are located on multiple file systems.

Microsoft Windows enforces rules and limitations for naming files and directories. To ensure that you can successfully create and access your data, you should name your files and directories according to these Windows guidelines. For more information, see [Naming Conventions](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions).

**Warning**  
Amazon FSx requires that the SYSTEM user has **Full control** NTFS ACL permissions on every folder on which you create an SMB file share. Do not change the NTFS ACL permissions for this user on your folders, as doing so can make your file shares inaccessible.

## Managing file shares with the Shared Folders GUI
<a name="shared-folders-tool"></a>

To manage file shares on your Amazon FSx file system, you can use the Shared Folders GUI. The Shared Folders GUI provides a central location for managing all shared folders on a Windows server. The following procedures describe how to manage your file shares.

**To connect shared folders to your FSx for Windows File Server file system**

1. Launch your Amazon EC2 instance and connect it to the Microsoft Active Directory that your Amazon FSx file system is joined to. To do this, choose one of the following procedures from the *AWS Directory Service Administration Guide*:
   + [Seamlessly join a Windows EC2 instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html)
   + [Manually join a Windows instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html)

1. Connect to your instance as a user that is a member of the file system administrators group. In AWS Managed Microsoft Active Directory, this group is called AWS Delegated FSx Administrators. In your self-managed Microsoft Active Directory, this group is called Domain Admins or the custom name for the administrators group that you provided during creation. For more information, see [Connect to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the Amazon Elastic Compute Cloud User Guide for Windows Instances.

1. Open the **Start** menu and run **fsmgmt.msc** using **Run As Administrator**. Doing this opens the Shared Folders GUI tool.

1. For **Action**, choose **Connect to another computer**.

1. For **Another computer**, enter the Domain Name System (DNS) name for your Amazon FSx file system, for example **amznfsxabcd0123.corp.example.com**. 

   To find your file system's DNS name on the Amazon FSx console, choose **File systems**, choose your file system, and then check the **Network & Security** section of the file system details page. You can also get the DNS name in the response of the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation.

1. Choose **OK**. An entry for your Amazon FSx file system then appears in the list for the Shared Folders tool.

Now that Shared Folders is connected to your Amazon FSx file system, you can manage the Windows file shares on the file system with the following actions. The default share is called `\share`.
+ **Create a new file share** – In the Shared Folders tool, choose **Shares** in the left pane to see the active shares for your Amazon FSx file system. Choose **New Share** and complete the Create a Shared Folder wizard.

  You must create the local folder before you create the new file share. You can do so in one of the following ways:
  + Using the Shared Folders tool: choose **Browse** when specifying the local folder path, and then choose **Make new folder** to create the local folder.
  + Using the command line:

    ```
    New-Item -Type Directory -Path \\amznfsxabcd0123.corp.example.com\D$\share\MyNewShare
    ```
+ **Modify a file share** – In the Shared Folders tool, open the context (right-click) menu for the file share that you want to modify in the right pane, and choose **Properties**. Modify the properties and choose **OK**.
+ **Remove a file share** – In the Shared Folders tool, open the context (right-click) menu for the file share that you want to remove in the right pane, and then choose **Stop Sharing**.

**Note**  
For Single-AZ 2 and Multi-AZ file systems, removing file shares or modifying file shares (including updating permissions, user limits, and other properties) using the Shared Folders GUI tool is possible only if you connect to **fsmgmt.msc** using the DNS Name of the Amazon FSx file system. The Shared Folders GUI tool does not support these actions if you connect using the IP address or DNS alias name of the file system.

**Note**  
If you are using the **fsmgmt.msc** Shared Folders GUI tool to access shares located on multiple FSx for Windows File Server file systems, you may experience delays when first opening the file share context menu for a share that is located on a different file system. To avoid these delays, you can manage file shares using PowerShell as described below.

## Managing file shares with PowerShell
<a name="manage-file-shares-pwrshell"></a>

You can manage file shares using custom FSx for Windows File Server remote-management commands for PowerShell. These commands can help you to automate managing file share tasks such as:
+ Migrating file shares from existing file servers to Amazon FSx
+ Synchronizing file shares across AWS Regions for disaster recovery
+ Programmatically managing ongoing file shares workflows, such as team file-share provisioning

To learn how to use the Amazon FSx CLI for remote management on PowerShell, see [Using the Amazon FSx CLI for PowerShell](administering-file-systems.md#remote-pwrshell).

The following table lists the Amazon FSx CLI remote management PowerShell commands that you can use to manage file shares on FSx for Windows File Server file systems.


| Share Management Command | Description | 
| --- | --- | 
| **New-FSxSmbShare** | Creates a new file share. | 
| **Remove-FSxSmbShare** | Removes a file share. | 
| **Get-FSxSmbShare** | Retrieves existing file shares. | 
| **Set-FSxSmbShare** | Sets properties for a share. | 
|  **Get-FSxSmbShareAccess**  |  Retrieves the access control list (ACL) of a share.   | 
|  **Grant-FSxSmbShareAccess**  |  Adds an allow access control entry (ACE) for a trustee to the security descriptor of a share.  | 
|  **Revoke-FSxSmbShareAccess**  |  Removes all of the allow ACEs for a trustee from the security descriptor of a share.  | 
|  **Block-FSxSmbShareAccess**  |  Adds a deny ACE for a trustee to the security descriptor of a share.  | 
|  **Unblock-FSxSmbShareAccess**  |  Removes all of the deny ACEs for a trustee from the security descriptor of a share.  | 

The online help for each command provides a reference of all command options. To access this help, run the command with a `-?`, for example `New-FSxSmbShare -?`. 

### Passing credentials to New-FSxSmbShare
<a name="pass-credentials-to-new-fsxsmbshare"></a>

You can pass credentials to New-FSxSmbShare so that you can run it in a loop to create hundreds or thousands of shares without having to re-enter credentials each time.

Prepare the credential object required to create the file shares on your FSx for Windows File Server file server using one of the following options.
+ To generate the credential object interactively, use the following command.

  ```
  $credential = Get-Credential
  ```
+ To generate the credential object using an AWS Secrets Manager resource, use the following command.

  ```
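  # $AdminSecret holds the ID of a Secrets Manager secret whose JSON value has UserName and Password keys.
  $credential = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString
  # Wrap the retrieved user name and password in a PSCredential object.
  $FSxAdminUserCredential = (New-Object PSCredential($credential.UserName,(ConvertTo-SecureString $credential.Password -AsPlainText -Force)))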
  ```
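
The loop this section describes, as an added example that is not part of the original AWS page: it builds the credential once, creates the folder and share for each entry, and reads each share back to confirm what was applied. It assumes `New-FSxSmbShare` accepts the credential through a `-Credential` parameter; the secret ID, the team names, and the `team-` naming scheme are hypothetical placeholders.

```powershell
# Placeholders: replace with your own values.
$PowerShellEndpoint = 'powershell_endpoint'               # remote-management endpoint
$FsDnsName          = 'amznfsxabcd0123.corp.example.com'  # file system DNS name
$AdminSecret        = 'fsx-admin-secret-placeholder'      # hypothetical Secrets Manager secret ID

# Build the credential once, outside the loop (Secrets Manager option).
$secret = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString
$FSxAdminUserCredential = New-Object PSCredential(
    $secret.UserName, (ConvertTo-SecureString $secret.Password -AsPlainText -Force))
Remove-Variable secret   # drop the variable that holds the plaintext password

# Constructed sample input: one share per team.
$teams = 'finance', 'engineering', 'legal'

$results = foreach ($team in $teams) {
    $shareName   = "team-$team"
    $sharePath   = "D:\share\$shareName"
    $description = "Team share for $team"
    try {
        # The local folder must exist before the share is created.
        $unc = "\\$FsDnsName\D`$\share\$shareName"
        if (-not (Test-Path -LiteralPath $unc)) {
            New-Item -Type Directory -Path $unc -ErrorAction Stop | Out-Null
        }
        # Assumption: -Credential is the parameter that takes the PSCredential.
        Invoke-Command -ComputerName $PowerShellEndpoint -ConfigurationName FSxRemoteAdmin `
            -ErrorAction Stop -ScriptBlock {
                New-FSxSmbShare -Name $Using:shareName -Path $Using:sharePath `
                    -Description $Using:description -ContinuouslyAvailable $True `
                    -Credential $Using:FSxAdminUserCredential
            } | Out-Null
        # Read the share back and record the setting that was actually applied.
        $share = Invoke-Command -ComputerName $PowerShellEndpoint -ConfigurationName FSxRemoteAdmin `
            -ErrorAction Stop -ScriptBlock { Get-FSxSmbShare -Name $Using:shareName }
        [pscustomobject]@{ Share = $shareName; Created = $true
                           ContinuouslyAvailable = $share.ContinuouslyAvailable; Error = $null }
    } catch {
        # Keep going so one failed share does not stop the rest of the batch.
        [pscustomobject]@{ Share = $shareName; Created = $false
                           ContinuouslyAvailable = $null; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

Rows with `Created` set to `False` carry the error text, so a failed batch can be reviewed and re-run for only the shares that were not created.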

## To create a continuously available (CA) share
<a name="create-ca-share"></a>

You can create continuously available (CA) shares using the Amazon FSx CLI for Remote Management on PowerShell. CA shares created on an FSx for Windows File Server Multi-AZ file system are highly durable and highly available. An Amazon FSx Single-AZ file system is built on a single node cluster. As a result, CA shares created on a Single-AZ file system are highly durable, but are not highly available. Use the `New-FSxSmbShare` command with the `-ContinuouslyAvailable` option set to `$True` to specify that the share is a continuously available share. The following is an example command to create a CA share. 

```
New-FSxSmbShare -Name "New CA Share" -Path "D:\share\new-share" -Description "CA share" -ContinuouslyAvailable $True 
```

You can modify the `-ContinuouslyAvailable` option on an existing file share using the `Set-FSxSmbShare` command.

### Determine if an existing file share is continuously available
<a name="determine-if-ca-enabled"></a>

Use the following command to view the value of the Continuously Available property for an existing file share.

```
Invoke-Command -ComputerName powershell_endpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Get-FSxSmbShare -Name share_name }
```

If CA is enabled, the output will include the following line:

```
[...]
ContinuouslyAvailable : True
[...]
```

If CA is not enabled, the output will include the following line:

```
[...]
ContinuouslyAvailable : False
[...]
```

To enable Continuously Available on an existing file share, use the following command:

```
Invoke-Command -ComputerName powershell_endpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Set-FSxSmbShare -Name share_name -ContinuouslyAvailable $True }
```

# New-FSxSmbShare command fails with a one-way trust
<a name="new-smbshare-fails"></a>

Amazon FSx does not support executing the `New-FSxSmbShare` PowerShell command in cases where you have a one-way trust and the domain in which the user resides is not configured to trust the domain associated with the Amazon FSx file system.

You can resolve this situation using one of the following solutions:
+ The user executing the `New-FSxSmbShare` command needs to be in the same domain as the FSx file system.
+ You can use the fsmgmt.msc GUI to create shares on your file system. For more information, see [Managing file shares with the Shared Folders GUI](managing-file-shares.md#shared-folders-tool).