

# Migrating existing file storage to Amazon FSx
<a name="migrate-to-fsx"></a>

Amazon FSx for Windows File Server has the features, performance, and compatibility to help you easily lift and shift enterprise applications to the Amazon Web Services Cloud. The process to migrate your on-premises Microsoft Windows File Server storage to FSx for Windows File Server has the following four major steps:

1. Migrate your files to FSx for Windows File Server. For more information, see [Migrating existing file storage to FSx for Windows File Server](migrate-files-fsx.md).

1. Migrate your file share configuration to FSx for Windows File Server. For more information, see [Migrating your on-premises file share configurations to Amazon FSx](migrate-file-share-config-to-fsx.md).

1. Associate your existing DNS name as a DNS alias for your Amazon FSx file system. For more information, see [Associating a DNS alias with Amazon FSx](migrate-dns-config.md).

1. Cut over to FSx for Windows File Server. For more information, see [Cutting over operations to Amazon FSx for Windows File Server](cutover-to-fsx.md).

You can find the details for each step in the process in the following sections.

**Topics**
+ [Migrating existing file storage to FSx for Windows File Server](migrate-files-fsx.md)
+ [Migrating your on-premises file share configurations to Amazon FSx](migrate-file-share-config-to-fsx.md)
+ [Migrating your on-premises DNS configuration to FSx for Windows File Server](migrate-dns-config.md)
+ [Cutting over operations to Amazon FSx for Windows File Server](cutover-to-fsx.md)

# Migrating existing file storage to FSx for Windows File Server
<a name="migrate-files-fsx"></a>

To migrate your existing files to FSx for Windows File Server file systems, we recommend using AWS DataSync, an online data transfer service designed to simplify, automate, and accelerate copying large amounts of data to and from AWS storage services. DataSync copies data over the internet or Direct Connect. As a fully managed service, DataSync removes much of the need to modify applications, develop scripts, or manage infrastructure. For more information, see [Migrating existing files to FSx for Windows File Server using AWS DataSync](migrate-files-to-fsx-datasync.md).

As an alternative solution, you can use Robust File Copy, or Robocopy, which is a command line directory and file replication command set for Microsoft Windows. For detailed procedures on how to use Robocopy to migrate file storage to FSx for Windows File Server, see [Migrating existing files to FSx for Windows File Server using Robocopy](migrate-files-to-fsx.md).

## Best practices for migrating existing file storage to FSx for Windows File Server
<a name="migrate-best-practices"></a>

To migrate large amounts of data to FSx for Windows File Server as quickly as possible, use Amazon FSx file systems configured with solid state drive (SSD) storage. After the migration is complete, you can move the data to Amazon FSx file systems using hard disk drive (HDD) storage if that is the best solution for your application.

To move data from an Amazon FSx file system using SSD storage to HDD storage, you can take the following steps. (Note that HDD file systems have a minimum 2TB storage capacity, and you cannot change storage capacity when restoring from a backup.)

1. Take a backup of your SSD file system. For more information, see [Creating user-initiated backups](creating-backups.md).

1. Restore the backup to a file system using HDD storage. For more information, see [Restoring backups to new file system](using-backups.md#restoring-backups).

# Migrating existing files to FSx for Windows File Server using AWS DataSync
<a name="migrate-files-to-fsx-datasync"></a>

We recommend using AWS DataSync to transfer data between FSx for Windows File Server file systems. DataSync is a data transfer service that simplifies, automates, and accelerates moving and replicating data between on-premises storage systems and other AWS storage services over the internet or Direct Connect. DataSync can transfer your file system data and metadata, such as ownership, timestamps, and access permissions.

DataSync supports copying NTFS access control lists (ACLs), and also supports copying file audit control information, also known as NTFS system access control lists (SACLs), which are used by administrators to control audit logging of user attempts to access files.

You can use DataSync to transfer files between two FSx for Windows File Server file systems, and also move data to a file system in a different AWS Region or AWS account. You can use DataSync with FSx for Windows File Server file systems for other tasks. For example, you can perform one-time data migrations, periodically ingest data for distributed workloads, and schedule replication for data protection and recovery.

In AWS DataSync, a *location* for FSx for Windows File Server is an endpoint for an FSx for Windows File Server file system. You can transfer files between a location for FSx for Windows File Server and a location for other file systems. For information, see [Working with Locations](https://docs.aws.amazon.com/datasync/latest/userguide/working-with-locations.html) in the *AWS DataSync User Guide*.

DataSync accesses your FSx for Windows File Server using the Server Message Block (SMB) protocol. It authenticates with the user name and password that you configure in the AWS DataSync console or AWS CLI.

## Prerequisites
<a name="migrate-data-sync-prereq"></a>

To migrate data into your Amazon FSx for Windows File Server setup, you need a server and network that meet the DataSync requirements. To learn more, see [Requirements for DataSync](https://docs.aws.amazon.com/datasync/latest/userguide/requirements.html) in the *AWS DataSync User Guide*.

If you are performing a large data migration, or a migration involving many small files, we recommend using an Amazon FSx file system with the SSD storage type. DataSync tasks scan file metadata, and those scans can exhaust the disk IOPS limits of HDD file systems, leading to long-running migrations and degraded file system performance. For more information, see [Best practices for migrating existing file storage to FSx for Windows File Server](migrate-files-fsx.md#migrate-best-practices).

If your dataset consists of mostly small files, with file counts in the millions, or if you have more available network bandwidth than a single DataSync task can consume, you can also accelerate your data transfers with a scale-out architecture. For more information, see [How to accelerate your data transfers with AWS DataSync scale out architectures](https://aws.amazon.com/blogs/storage/how-to-accelerate-your-data-transfers-with-aws-datasync-scale-out-architectures/).

You can monitor the disk I/O utilization of your file system using [FSx performance metrics](monitoring-cloudwatch.md).

## Basic steps for migrating files using DataSync
<a name="migrate-data-sync-basic-steps"></a>

To transfer files from a source location to a destination location using DataSync, take the following basic steps:
+ Download and deploy an agent in your environment and activate it.
+ Create and configure a source and destination location.
+ Create and configure a task.
+ Run the task to transfer files from the source to the destination.

To learn how to transfer files from an existing on-premises file system to your FSx for Windows File Server, see [Data transfer between self-managed storage and AWS](https://docs.aws.amazon.com/datasync/latest/userguide/how-datasync-works.html#onprem-aws), [Creating a location for SMB](https://docs.aws.amazon.com/datasync/latest/userguide/create-smb-location.html), and [Creating a location for Amazon FSx for Windows File Server](https://docs.aws.amazon.com/datasync/latest/userguide/create-fsx-location.html) in the *AWS DataSync User Guide*.

To learn how to transfer files from an existing in-cloud file system to your FSx for Windows File Server, see [Deploy your agent as an Amazon EC2 instance](https://docs.aws.amazon.com/datasync/latest/userguide/deploy-agents.html#ec2-deploy-agent) in the *AWS DataSync User Guide*. 

## Migrating between two Amazon FSx file systems
<a name="migrating-between-two-systems"></a>

You can use DataSync to migrate data between two Amazon FSx file systems. This can be helpful if you need to move your workload from an existing file system to a new file system with a different configuration, such as from a Single-AZ to a Multi-AZ configuration. You can also use DataSync to split your workload between two file systems.

Here is a sample overview of the migration process:

1. Create DataSync locations for the source and destination file systems. Note that the source and destination must belong to the same Active Directory (AD) domain, or have an AD trust relationship between their domains.

1. Create and configure a DataSync task to transfer data from the source to the destination. You can run the task as a one-time instance, or set the task to run automatically on a schedule that you configure.

1. After the task completes successfully, the data in your destination file system is an exact copy of your source. Note that you will need to temporarily pause any write activity or file updates on your source file system to complete the task. You can then cut over to your destination file system and delete the source file system.

Before migrating from your production file system, you can test the migration process on a file system that's restored from a recent backup. This enables you to estimate how long the data transfer process takes, and to troubleshoot DataSync errors in advance.

To minimize your cutover time, you can run DataSync tasks in advance, moving the majority of your data from your source file system to your destination file system. After stopping traffic to your source file system, you can run one final task transfer to sync any data that’s been newly updated since you stopped traffic, and then cut over to your destination file system.

You can configure DataSync tasks to only run in certain directories, or to include or exclude certain paths. This can be useful if you’re running multiple tasks in parallel, or if you want to migrate a subset of your data.

You can create a DNS alias on your destination file system that's the same as the DNS name of your source file system. This enables your end-users and applications to continue accessing file data using the DNS name of your source file system. For more information about how to set up a DNS alias, see: [Accessing data using DNS aliases](dns-aliases.md).

When performing this type of migration, we recommend the following:
+ Schedule your migration to avoid any file system backups, your weekly maintenance window, and `Data Deduplication` jobs. Specifically, we recommend disabling the `Data Deduplication GarbageCollection` job if it coincides with your planned migration.
+ Use an SSD storage type for both your source and destination file systems. You can switch between HDD and SSD storage types by restoring from backup. For more information see: [Migrating existing file storage to FSx for Windows File Server](migrate-files-fsx.md).
+ Configure your source and destination file systems with sufficient throughput capacity for the amount of data that you need to transfer. During DataSync task processes, monitor the performance utilization of both the source and the destination file systems. For more information, see: [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md).
+ Set up [DataSync monitoring](https://docs.aws.amazon.com/datasync/latest/userguide/monitor-datasync.html) to help you understand the progress of ongoing tasks. You can also send DataSync logs to the Amazon CloudWatch Logs group to assist you with debugging your tasks if you encounter any errors. 

# Migrating existing files to FSx for Windows File Server using Robocopy
<a name="migrate-files-to-fsx"></a>

Built on Microsoft Windows Server, Amazon FSx for Windows File Server enables you to migrate your existing datasets fully into your Amazon FSx file systems. You can migrate the data for each file. You can also migrate all the relevant file metadata including attributes, timestamps, access control lists (ACLs), owner information, and auditing information. With this total migration support, Amazon FSx enables moving your Windows-based workloads and applications relying on these file datasets to the Amazon Web Services Cloud.

Use the following topics as a guide through the process for copying existing file data. As you perform this copy, you preserve all file metadata from your on-premises data centers or from your self-managed file servers on Amazon EC2.

## Prerequisites for file migration with Robocopy
<a name="fsx-migrate-prereqs"></a>

Before you begin, make sure that you do the following:
+ Establish network connectivity (by using Direct Connect or VPN) between your on-premises Active Directory and the VPC where you want to create the Amazon FSx file system.
+ Create a service account on your Active Directory with delegated permissions to join computers to the domain. For more information, see [Delegate Privileges to Your Service Account](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/prereq_connector.html#connect_delegate_privileges) in the *AWS Directory Service Administration Guide*.
+ Create an Amazon FSx file system, joined to your self-managed (on-premises) Microsoft AD directory.
+ Note the location (for example, `\\Source\Share`) of the file share (either on-premises or in AWS) that contains the existing files you want to transfer over to Amazon FSx.
+ Note the location (for example, `\\Target\Share`) of the file share on your Amazon FSx file system to which you want to transfer over your existing files.

The following table summarizes the source and destination file system accessibility requirements for three migration user access models.


| Migration user access model | Source file system accessibility requirements | Destination FSx file server accessibility requirements | 
| --- | --- | --- | 
| Direct read/write permissions model | The user needs at least read permissions (NTFS ACLs) on the files and folders being migrated. | The user needs at least write permissions (NTFS ACLs) on the files and folders being migrated. | 
| Backup/restore privilege model to override access permissions | The user needs to be a member of the on-premises Active Directory's Backup Operators group, and use the /b flag with Robocopy. | The user needs to be a member of the Amazon FSx file system's administrators group\*, and use the /b flag with Robocopy. | 
| Domain administrator (full) privilege model to override access permissions | The user needs to be a member of the on-premises Active Directory's Domain Admins group. | The user needs to be a member of the Amazon FSx file system's administrators group\*, and use the /b flag with Robocopy. | 

**Note**  
\* For file systems joined to an AWS Managed Microsoft AD, the Amazon FSx file system administrators group is **AWS Delegated FSx Administrators**. In your self-managed Microsoft AD, the Amazon FSx file system administrators group is **Domain Admins** or the custom group that you specified for administration when you created your file system.

![\[Diagram displaying the configuration of the source and destination file system for data migration using Robocopy.\]](http://docs.aws.amazon.com/fsx/latest/WindowsGuide/images/fsx-migrate-existing.png)


## Migrating files using Robocopy
<a name="fsx-migrate-procedure"></a>

You can migrate your existing files from your on-premises file systems to FSx for Windows File Server file systems by using the following procedure.

**To migrate existing files to Amazon FSx using Robocopy**

1. Launch a Windows Server 2016 Amazon EC2 instance in the same Amazon VPC as that of your Amazon FSx file system.

1. Connect to your Amazon EC2 instance. For more information, see [Connecting to Your Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide for Windows Instances*.

1. Open **Command Prompt** and map the source file share on your existing file server (on-premises or in AWS) to a drive letter (for example, *Y*:) as follows. As part of this, you provide credentials for a member of your on-premises Active Directory's **Domain Administrators** group.

   ```
   C:\>net use Y: \\fileserver1.mydata.com\localdata /user:mydata.com\Administrator
   Enter the password for 'fileserver1.mydata.com': _
   
   Drive Y: is now connected to \\fileserver1.mydata.com\localdata.
   
   The command completed successfully.
   ```

1. Map the target file share on your Amazon FSx file system to a different drive letter (for example, *Z*:) on your Amazon EC2 instance as follows. As part of this, you provide credentials for a user account that is a member of your on-premises Active Directory's domain administrators group and your Amazon FSx file system's administrators group. For file systems joined to an AWS Managed Microsoft AD, that group is **AWS Delegated FSx Administrators**. In your self-managed Microsoft AD, that group is **Domain Admins** or the custom group that you specified for administration when you created your file system.

   For more information, see the table of [source and destination file system accessibility requirements](#role-access-table) in the [Prerequisites for file migration with Robocopy](#fsx-migrate-prereqs).

   ```
   C:\>net use Z: \\amznfsxabcdef1.mydata.com\share /user:mydata.com\Administrator
   Enter the password for 'amznfsxabcdef1.mydata.com': _
   
   Drive Z: is now connected to \\amznfsxabcdef1.mydata.com\share.
   
   The command completed successfully.
   ```

1. Open **Command Prompt** or **Windows PowerShell** as an administrator (choose **Run as Administrator** from the context menu), and run the following Robocopy command to copy the files from the source share to the target share.

   The `ROBOCOPY` command is a flexible file-transfer utility with multiple options to control the data transfer process. With the options shown here, the command copies all files and directories from the source share to the Amazon FSx target share, preserving file and folder NTFS ACLs, attributes, timestamps, owner information, and auditing information.

   ```
   robocopy Y:\ Z:\ /copy:DATSOU /secfix /e /b /MT:8
   ```

   The preceding example command uses the following elements and options:
   + Y – Refers to the source share located in the on-premises Active Directory forest mydata.com.
   + Z – Refers to the target share `\\amznfsxabcdef1.mydata.com\share` on Amazon FSx.
   + /copy – Specifies the following file properties to be copied:
     + D – data
     + A – attributes
     + T – timestamps
     + S – NTFS ACLs
     + O – owner information
     + U – auditing information
   + /secfix – Fixes file security on all files, even skipped ones.
   + /e – Copies subdirectories, including empty ones.
   + /b – Uses the backup and restore privilege in Windows to copy files even if their NTFS ACLs deny permissions to the current user.
   + /MT:8 – Specifies how many threads to use for performing multithreaded copies.

**Note**  
If you are copying large files over a slow or unreliable connection, you can enable restartable mode by using the **/zb** option with **robocopy** in place of the **/b** option. With restartable mode, if the transfer of a large file is interrupted, a subsequent Robocopy operation can pick up in the middle of the transfer instead of having to re-copy the entire file from the beginning. Enabling restartable mode can reduce the data transfer speed.
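The following PowerShell wrapper is an added example and not part of the AWS guide. It runs the same Robocopy command as the procedure above, but writes a log, bounds the retries, can rehearse the copy with `/L`, and decodes Robocopy's bit-mask exit code so that a failed or partial copy is noticed before cutover. It assumes the shares are mapped as Y: and Z: as in the procedure; the log location and the function names are placeholders.

```powershell
# Added example (not from the AWS guide). Wraps the guide's Robocopy migration command.
function Invoke-FSxRobocopy {
    param(
        [Parameter(Mandatory)][string]$Source,        # e.g. 'Y:\'
        [Parameter(Mandatory)][string]$Destination,   # e.g. 'Z:\'
        [string]$LogPath = "$env:TEMP\fsx-robocopy.log",
        [int]$Threads = 8,
        [switch]$Restartable,   # /ZB instead of /B: resume large files over unreliable links
        [switch]$DryRun         # /L: list what would be copied, change nothing
    )
    # Same copy options as the guide: data, attributes, timestamps, ACLs, owner, auditing info
    $robocopyArgs = @($Source, $Destination, '/COPY:DATSOU', '/SECFIX', '/E', "/MT:$Threads",
                      '/R:3', '/W:10',           # bounded retries (Robocopy defaults to 1,000,000)
                      '/NP', "/LOG+:$LogPath")   # no per-file progress; append everything to the log
    $robocopyArgs += $(if ($Restartable) { '/ZB' } else { '/B' })
    if ($DryRun) { $robocopyArgs += '/L' }

    & robocopy.exe @robocopyArgs | Out-Null
    $code = $LASTEXITCODE

    # Robocopy's exit code is a bit mask; 8 or higher means something was not copied
    [pscustomobject]@{
        ExitCode     = $code
        FilesCopied  = [bool]($code -band 1)
        ExtrasAtDest = [bool]($code -band 2)    # files on Z: that no longer exist on Y:
        Mismatches   = [bool]($code -band 4)
        CopyFailures = [bool]($code -band 8)    # access denied, retry limit reached, ...
        FatalError   = [bool]($code -band 16)   # Robocopy did not copy anything
        LogPath      = $LogPath
    }
}

function Get-FSxRobocopyErrors {
    param([Parameter(Mandatory)][string]$LogPath)
    # Robocopy error lines look like: "2024/01/01 10:00:00 ERROR 5 (0x00000005) Copying File ..."
    Select-String -Path $LogPath -Pattern 'ERROR \d+ \(0x[0-9A-Fa-f]+\)' | ForEach-Object Line
}

# Rehearse first (nothing is written), then run the real copy.
# "Access is denied" errors on the source point back at the access models in the table above.
Invoke-FSxRobocopy -Source 'Y:\' -Destination 'Z:\' -DryRun
$summary = Invoke-FSxRobocopy -Source 'Y:\' -Destination 'Z:\'
if ($summary.CopyFailures -or $summary.FatalError) {
    Get-FSxRobocopyErrors -LogPath $summary.LogPath
}
```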

# Migrating your on-premises file share configurations to Amazon FSx
<a name="migrate-file-share-config-to-fsx"></a>

You can migrate an existing file share configuration to Amazon FSx by using the following procedure. In this procedure, the source file server is the file server whose file share configuration you want to migrate to Amazon FSx.

**Note**  
First migrate your files to Amazon FSx before migrating your file share configuration. For more information, see [Migrating existing file storage to FSx for Windows File Server](migrate-files-fsx.md).

**To migrate existing file shares to FSx for Windows File Server**

1. On the source file server, open **Windows PowerShell** as an administrator (choose **Run as Administrator** from the context menu).

1. Export the source file server's file shares to a file named `SmbShares.xml` by running the following commands in PowerShell. Replace F: in this example with the drive letter on your file server from which you are exporting file shares.

   ```
   $shareFolder = Get-SmbShare -Special $false | ? { $_.Path -like "F:\*" }
   $shareFolder | Export-Clixml -Path F:\SmbShares.xml
   ```

1. Edit the `SmbShares.xml` file, replacing all references to F: (your drive letter) with D:\share, because Amazon FSx file systems reside on D:\share.

1. Import the existing file share configuration to FSx for Windows File Server. On a client that has access to your destination Amazon FSx file system and the source file server, copy the saved file share configuration. Then import it into a variable by using the following command.

   ```
   $shares = Import-Clixml -Path F:\SmbShares.xml
   ```

1. Prepare the credential object required to create the file shares on your FSx for Windows File Server file server using one of the following options.

   To generate the credential object interactively, use the following command.

   ```
   $credential = Get-Credential
   ```

   To generate the credential object from an AWS Secrets Manager secret that stores the administrator user name and password as JSON, use the following commands. Replace `$AdminSecret` with the name or ARN of your secret. The resulting object is named `$credential` so that the migration script in the next step can use it.

   ```
   $secret = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString
   $credential = New-Object PSCredential($secret.UserName, (ConvertTo-SecureString $secret.Password -AsPlainText -Force))
   ```

1. Migrate the file share configuration to your Amazon FSx file server using the following script.

   ```
   # Only these parameters are accepted by New-FSxSmbShare; other exported properties are dropped
   $FSxAcceptedParameters = ("ContinuouslyAvailable", "Description", "ConcurrentUserLimit", "CATimeout", "FolderEnumerationMode", "CachingMode", "FullAccess", "ChangeAccess", "ReadAccess", "NoAccess", "SecurityDescriptor", "Path", "Name", "EncryptData")
   # Replace amznfsxxxxxxxxx.corp.com with the DNS name of your Amazon FSx file system
   ForEach ($item in $shares) {
       $param = @{};
       Foreach ($property in $item.psObject.properties) {
           if ($property.Name -In $FSxAcceptedParameters) {
               $param[$property.Name] = $property.Value
           }
       }
       Invoke-Command -ConfigurationName FSxRemoteAdmin -ComputerName amznfsxxxxxxxxx.corp.com -ErrorVariable errmsg -ScriptBlock { New-FSxSmbShare -Credential $Using:credential @Using:param }
   }
   ```
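   The following is an added example, not the guide's own script. It derives the `New-FSxSmbShare` parameter set for each exported share in code, rewriting the drive prefix from F: to D:\share instead of hand-editing `SmbShares.xml`, refuses shares whose path is not under the exported drive, and supports a dry run that lists what would be created. It assumes `$shares` was loaded with `Import-Clixml` and `$credential` is the PSCredential prepared in the previous step; the file system DNS name and the function names are placeholders.

   ```powershell
   # Added example (not from the AWS guide).
   $FSxAcceptedParameters = @("ContinuouslyAvailable", "Description", "ConcurrentUserLimit",
       "CATimeout", "FolderEnumerationMode", "CachingMode", "FullAccess", "ChangeAccess",
       "ReadAccess", "NoAccess", "SecurityDescriptor", "Path", "Name", "EncryptData")

   function ConvertTo-FSxShareParam {
       param(
           [Parameter(Mandatory)]$Share,               # one deserialized SmbShare object
           [Parameter(Mandatory)][string]$SourceRoot,  # drive you exported from, e.g. 'F:\'
           [string]$FSxRoot = 'D:\share\'              # Amazon FSx file systems reside on D:\share
       )
       $param = @{}
       foreach ($property in $Share.psObject.Properties) {
           # Forward only accepted parameters, and skip empty values rather than passing $null
           if ($property.Name -in $FSxAcceptedParameters -and
               -not [string]::IsNullOrEmpty($property.Value)) {
               $param[$property.Name] = $property.Value
           }
       }
       # Refuse to guess: a share outside the exported drive must be handled by hand
       $root = [regex]::Escape($SourceRoot.TrimEnd('\'))
       if ($param['Path'] -notmatch "^$root(\\|$)") {
           throw "Share '$($Share.Name)': path '$($param['Path'])' is not under $SourceRoot"
       }
       # F:\Finance -> D:\share\Finance ; F:\ -> D:\share\
       $param['Path'] = $param['Path'] -replace "^$root\\?", $FSxRoot
       return $param
   }

   function Publish-FSxSmbShare {
       param(
           [Parameter(Mandatory)]$Shares,
           [Parameter(Mandatory)][string]$FSxDnsName,
           [Parameter(Mandatory)][pscredential]$Credential,
           [string]$SourceRoot = 'F:\',
           [switch]$DryRun                             # list what would be created, create nothing
       )
       foreach ($share in $Shares) {
           try { $param = ConvertTo-FSxShareParam -Share $share -SourceRoot $SourceRoot }
           catch { Write-Warning $_.Exception.Message; continue }

           if ($DryRun) {
               [pscustomobject]@{ Name = $param['Name']; Path = $param['Path']; Action = 'would create' }
               continue
           }
           # Same remote call as the guide's script, one share per call so a failure is attributable
           Invoke-Command -ConfigurationName FSxRemoteAdmin -ComputerName $FSxDnsName -ErrorVariable errmsg -ScriptBlock {
               New-FSxSmbShare -Credential $Using:Credential @Using:param
           }
           if ($errmsg) { Write-Warning "Share '$($param['Name'])' was not created: $errmsg" }
       }
   }

   # Review the plan first, then create the shares
   Publish-FSxSmbShare -Shares $shares -FSxDnsName 'amznfsxxxxxxxxx.corp.com' -Credential $credential -DryRun | Format-Table
   Publish-FSxSmbShare -Shares $shares -FSxDnsName 'amznfsxxxxxxxxx.corp.com' -Credential $credential
   ```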

# Migrating your on-premises DNS configuration to FSx for Windows File Server
<a name="migrate-dns-config"></a>

FSx for Windows File Server provides a default Domain Name System (DNS) name for every file system that you can use to access the data on your file system. You can also access your file systems using any DNS name of your choosing by configuring the alternate DNS name as a DNS alias for your Amazon FSx file system. 

With DNS aliases, you can continue to use your existing DNS names to access data stored on Amazon FSx when migrating file system storage from on-premises to Amazon FSx. This helps eliminate the need to update any tools or applications that use your DNS names when migrating to Amazon FSx. You can associate DNS aliases with existing FSx for Windows File Server file systems, when you create new file systems, and when you create a new file system from a backup. You can associate up to 50 DNS aliases with a file system at any one time. For more information, see [Managing DNS aliases](managing-dns-aliases.md). 

A DNS alias name has to meet the following requirements:
+ Must be formatted as a fully qualified domain name (FQDN), for example, `accounting.example.com`.
+ Can contain alphanumeric characters and the hyphen (-).
+ Cannot start or end with a hyphen.
+ Can start with a numeric.

For DNS alias names, Amazon FSx stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: as uppercase letters, lowercase letters, or the corresponding letters in escape codes.

The following procedures describe how to associate DNS aliases with your existing FSx for Windows File Server file systems using the Amazon FSx console, CLI, and API. For more information about associating DNS aliases when creating new file systems, including new file systems from a backup, see [Associating DNS aliases with file systems](add-alias-new-filesystem.md).
<a name="associate-dns-alias"></a>

**To associate DNS aliases with an existing file system (console)**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Navigate to **File systems**, and choose the Windows file system that you want to associate your DNS aliases with.

1. On the **Network & security** tab, choose **Manage** for **DNS aliases** to open the **Manage DNS aliases** dialog box.  
![\[FSx console Manage DNS aliases window, use this window for associating and disassociating DNS aliases with an FSx for Windows File Server file system.\]](http://docs.aws.amazon.com/fsx/latest/WindowsGuide/images/FSxW-manage-aliases.png)

1. In the **Associate new aliases** box, enter the DNS aliases that you want to associate.

1. Choose **Associate** to add the aliases to the file system.

   You can monitor the status of the aliases that you just associated in the **Current aliases** list. When the status reads **Available**, the alias is associated with the file system (a process that can take up to 2.5 minutes).

**To associate DNS aliases with an existing file system (CLI)**
+ Use the `associate-file-system-aliases` CLI command or the [AssociateFileSystemAliases](https://docs.aws.amazon.com/fsx/latest/APIReference/API_AssociateFileSystemAliases.html) API operation to associate DNS aliases with an existing file system. 

  The following CLI request associates two aliases with the specified file system.

  ```
  aws fsx associate-file-system-aliases \
      --file-system-id fs-0123456789abcdef0 \
      --aliases financials.corp.example.com transfers.corp.example.com
  ```

  The response shows the status of the aliases that Amazon FSx is associating with the file system.

  ```
  {
      "Aliases": [
          {
              "Name": "financials.corp.example.com",
              "Lifecycle": "CREATING"
          },
          {
              "Name": "transfers.corp.example.com",
              "Lifecycle": "CREATING"
          }
      ]
  }
  ```

  To monitor the status of the aliases that you are associating, use the `describe-file-system-aliases` CLI command ([DescribeFileSystemAliases](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystemAliases.html) is the equivalent API operation). When `Lifecycle` for an alias has a value of AVAILABLE, you can use it to access the file system (a process that can take up to 2.5 minutes).

# Cutting over operations to Amazon FSx for Windows File Server
<a name="cutover-to-fsx"></a>

After you have migrated your on-premises file storage, file share configuration, and DNS configuration, the next step is cutting over your operations to the FSx for Windows File Server file systems. To cut over to your FSx for Windows File Server file system, you perform the following steps:
+ Prepare for the cut over.
  + Temporarily disconnect SMB clients from the original file system.
  + Perform a final file and file share configuration sync.
+ Configure service principal names (SPNs) for your Amazon FSx file system.
+ Update DNS CNAME records to point to your Amazon FSx file system.

The procedures to perform each of these steps are provided in the following sections.

**Topics**
+ [Preparing for the cutover to Amazon FSx](#final-sync-and-disconnect)
+ [Configure SPNs for Kerberos authentication](#configure-spns)
+ [Update the DNS CNAME records for the Amazon FSx file system](#update-dns-cname)

## Preparing for the cutover to Amazon FSx
<a name="final-sync-and-disconnect"></a>

To prepare for the cutover to your Amazon FSx file system, you must do the following:
+ Disconnect all clients that write to the original file system.
+ Perform a final file sync using AWS DataSync or Robocopy. For more information, see [Migrating existing file storage to FSx for Windows File Server](migrate-files-fsx.md). 
+ Perform a final file share configuration sync. For more information, see [Migrating your on-premises file share configurations to Amazon FSx](migrate-file-share-config-to-fsx.md).

## Configure SPNs for Kerberos authentication
<a name="configure-spns"></a>

We recommend that you use Kerberos-based authentication and encryption in transit with Amazon FSx. Kerberos provides the most secure authentication for clients that access your file system. To enable Kerberos authentication for clients accessing Amazon FSx using a DNS alias, you must add service principal names (SPNs) that correspond to the DNS alias on your Amazon FSx file system’s Active Directory computer object. 

There are two required SPNs for Kerberos authentication.

```
HOST/alias
HOST/alias.domain
```

As an example, if the alias is `finance.domain.com`, the two required SPNs are as follows.

```
HOST/finance
HOST/finance.domain.com
```

An SPN can only be associated with a single Active Directory computer object at a time. If there are existing SPNs for the DNS name configured for your original file system's Active Directory computer object, you must delete them before creating SPNs for your Amazon FSx file system.

The following procedures describe how to find any existing SPNs, delete them, and create new SPNs for your Amazon FSx file system's Active Directory computer object.

**To install the required PowerShell Active Directory module**

1. Log on to a Windows instance joined to the Active Directory that your Amazon FSx file system is joined to.

1. Open PowerShell as administrator.

1. Install the PowerShell Active Directory module using the following command.

   ```
   Install-WindowsFeature RSAT-AD-PowerShell
   ```
<a name="finddelete-existing-spn"></a>

**To find and delete existing DNS alias SPNs on the original file system's Active Directory computer object**

1. Find any existing SPNs by using the following commands. Replace `alias_fqdn` with the DNS alias that you associated with the file system in [Migrating your on-premises DNS configuration to FSx for Windows File Server](migrate-dns-config.md).

   ```
   ## Find SPNs for original file system's AD computer object
   $ALIAS = "alias_fqdn"
   SetSPN /Q ("HOST/" + $ALIAS)
   SetSPN /Q ("HOST/" + $ALIAS.Split(".")[0])
   ```

1. Delete the existing HOST SPNs returned in the previous step by using the following example script.
   + Replace `alias_fqdn` with the full DNS alias that you associated with the file system in [Migrating your on-premises DNS configuration to FSx for Windows File Server](migrate-dns-config.md).
   + Replace `file_system_DNS_name` with the original file system's DNS name.

   ```
   ## Delete SPNs for original file system's AD computer object
   $Alias = "alias_fqdn"
   $FileSystemDnsName = "file_system_DNS_name"
   # The computer object name is the host part of the name that the A record resolves to
   $FileSystemHost = (Resolve-DnsName $FileSystemDnsName | Where Type -eq 'A')[0].Name.Split(".")[0]
   $FSxAdComputer = (Get-AdComputer -Identity $FileSystemHost)
   
   SetSPN /D ("HOST/" + $Alias) $FSxAdComputer.Name
   SetSPN /D ("HOST/" + $Alias.Split(".")[0]) $FSxAdComputer.Name
   ```

1. Repeat these steps for each DNS alias that you associated with the file system in [Migrating your on-premises DNS configuration to FSx for Windows File Server](migrate-dns-config.md).

**To set SPNs on your Amazon FSx file system’s Active Directory computer object**

1. Set new SPNs for your Amazon FSx file system by running the following commands.
   + Replace `file_system_DNS_name` with the DNS name that Amazon FSx assigned to the file system. 

     To find your file system's DNS name on the Amazon FSx console, choose **File systems**, and choose your file system. Choose the **Network & security** pane of the file system details page. You can also get the DNS name in the response of the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation.
   + Replace `alias_fqdn` with the full DNS alias that you associated with the file system in [Migrating your on-premises DNS configuration to FSx for Windows File Server](migrate-dns-config.md).

   ```
   ## Set SPNs for FSx file system AD computer object
   $FSxDnsName = "file_system_DNS_name"
   $Alias = "alias_fqdn"
   $FileSystemHost = (Resolve-DnsName $FSxDnsName | Where Type -eq 'A')[0].Name.Split(".")[0]
   $FSxAdComputer = (Get-AdComputer -Identity $FileSystemHost)
   
   Set-AdComputer -Identity $FSxAdComputer -Add @{"msDS-AdditionalDnsHostname"="$Alias"}
   SetSpn /S ("HOST/" + $Alias.Split('.')[0]) $FSxAdComputer.Name
   SetSpn /S ("HOST/" + $Alias) $FSxAdComputer.Name
   ```
**Note**  
Setting an SPN for your Amazon FSx file system will fail if an SPN for the DNS alias exists in the AD for the original file system's computer object. For information about finding and deleting existing SPNs, see [To find and delete existing DNS alias SPNs on the original file system's Active Directory computer object](#finddelete-existing-spn).

1. Verify that the new SPNs are configured for the DNS alias using the following example script. Ensure that the response includes two HOST SPNs, `HOST/alias` and `HOST/alias_fqdn`.

   Replace `file_system_dns_name` with the DNS name that Amazon FSx assigned to your file system. To find your file system's DNS name on the Amazon FSx console, choose **File systems**, choose your file system, and then choose the **Network & security** pane on the file system details page.

   You can also get the DNS name in the response of the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation.

   ```
   ## Verify SPNs on FSx file system AD computer object
   $FileSystemDnsName = "file_system_dns_name"
   $FileSystemHost = (Resolve-DnsName ${FileSystemDnsName} | Where Type -eq 'A')[0].Name.Split(".")[0]
   $FSxAdComputer = (Get-AdComputer -Identity ${FileSystemHost})
   SetSpn /L ${FSxAdComputer}.Name
   ```

1. Repeat the previous steps for each DNS alias that you've associated with the file system in [Migrating your on-premises DNS configuration to FSx for Windows File Server](migrate-dns-config.md).

**Note**  
You can enforce Kerberos authentication and encryption in transit with clients connecting to your file system using DNS aliases by setting the following Group Policy Objects (GPOs) in your Active Directory:  
+ Restrict NTLM: Outgoing NTLM traffic to remote servers
+ Restrict NTLM: Add remote server exceptions for NTLM authentication

For more information, see [Enforcing Kerberos authentication using Group Policy Objects (GPOs)](enforce-kerberos.md) in *Walkthrough 5: Using DNS aliases to access your file system*.

## Update the DNS CNAME records for the Amazon FSx file system
<a name="update-dns-cname"></a>

After you properly configure SPNs for your file system, you can cut over to Amazon FSx by replacing each DNS record that resolved to the original file system with a DNS record that resolves to the default DNS name of the Amazon FSx file system.

**To install the required PowerShell cmdlets**

1. Log on to a Windows instance joined to the Active Directory that your Amazon FSx file system is joined to, as a user that is a member of a group that has DNS administration permissions (**AWS Delegated Domain Name System Administrators** in AWS Managed Microsoft Active Directory, and **Domain Admins** or another group to which you've delegated DNS administration permissions in your self-managed Active Directory).

   For more information, see [Connecting to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connecting_to_windows_instance.html) in the Amazon EC2 User Guide.

1. Open PowerShell as administrator.

1. The PowerShell DNS server module is required to perform the instructions in this procedure. Install it using the following command.

   ```
   Install-WindowsFeature RSAT-DNS-Server
   ```

**To update an existing DNS CNAME record**

1. The following script replaces any existing DNS CNAME record for `alias_fqdn` with one that resolves to the default DNS name of your Amazon FSx file system. If no record is found, it creates a new DNS CNAME record for the DNS alias `alias_fqdn` that resolves to the default DNS name for your Amazon FSx file system.

   To run the script:
   + Replace `alias_fqdn` with the DNS alias that you associated with the file system.
   + Replace `file_system_dns_name` with the default DNS name Amazon FSx has assigned to the file system.

   ```
   $Alias="alias_fqdn"
   $FSxDnsName="file_system_dns_name"
   $AliasHost=$Alias.Split('.')[0]
   $ZoneName=((Get-WmiObject Win32_ComputerSystem).Domain)
   $DnsServerComputerName = (Resolve-DnsName $ZoneName -Type NS | Where Type -eq 'A' | Select -ExpandProperty Name)[0]
   
   ## Add-DnsServerResourceRecordCName fails if a record with this name already exists, so remove any existing CNAME first
   if (Get-DnsServerResourceRecord -Name $AliasHost -RRType CName -ZoneName $ZoneName -ComputerName $DnsServerComputerName -ErrorAction SilentlyContinue) {
       Remove-DnsServerResourceRecord -Name $AliasHost -RRType CName -ZoneName $ZoneName -ComputerName $DnsServerComputerName -Force
   }
   Add-DnsServerResourceRecordCName -Name $AliasHost -ComputerName $DnsServerComputerName -HostNameAlias $FSxDnsName -ZoneName $ZoneName
   ```

1. Repeat the previous step for each DNS alias that you associated with the file system in [Migrating your on-premises DNS configuration to FSx for Windows File Server](migrate-dns-config.md).
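The following PowerShell script is an added example, not part of the AWS documentation or its scripts: it chains the SPN cleanup, SPN registration, verification and CNAME update procedures above for a whole list of aliases, checks the state before each change so it can be rerun safely, and refuses to repoint DNS until both HOST SPNs are confirmed on the FSx computer object. The alias names, `original_file_system_dns_name`, `file_system_dns_name` and the helper `Get-HostNameFromDns` are placeholders and assumptions; it assumes the RSAT-AD-PowerShell and RSAT-DNS-Server modules installed above and a session with AD and DNS administration rights.

```powershell
# Added example, not part of the AWS documentation: moves a list of DNS aliases from the original
# file server's AD computer object to the FSx computer object, verifies the SPNs, then repoints DNS.
# Assumes RSAT-AD-PowerShell and RSAT-DNS-Server are installed and the session has AD and DNS rights.
# The names below are placeholders (constructed sample values); replace them with your own.
$Aliases         = @("files.corp.example.com", "share.corp.example.com")
$OriginalDnsName = "original_file_system_dns_name"
$FSxDnsName      = "file_system_dns_name"

# Short host name of the AD computer object behind a DNS name (same lookup the page's scripts use).
function Get-HostNameFromDns([string]$DnsName) {
    (Resolve-DnsName $DnsName | Where-Object Type -eq 'A')[0].Name.Split('.')[0]
}

$OriginalComputer = Get-ADComputer -Identity (Get-HostNameFromDns $OriginalDnsName)
$FSxComputer      = Get-ADComputer -Identity (Get-HostNameFromDns $FSxDnsName) -Properties "msDS-AdditionalDnsHostname"
$ZoneName         = (Get-CimInstance Win32_ComputerSystem).Domain
$DnsServer        = (Resolve-DnsName $ZoneName -Type NS | Where-Object Type -eq 'A' | Select-Object -ExpandProperty Name)[0]

foreach ($Alias in $Aliases) {
    $AliasHost = $Alias.Split('.')[0]
    $Spns      = @("HOST/$AliasHost", "HOST/$Alias")

    # 1. A duplicate SPN anywhere in the domain breaks Kerberos for that name, so remove each HOST SPN
    #    from the original computer object while it still holds it (setspn /Q reports whether it exists).
    foreach ($Spn in $Spns) {
        if ((setspn /Q $Spn) -match 'Existing SPN found') {
            setspn /D $Spn $OriginalComputer.Name
        }
    }

    # 2. Register the alias on the FSx computer object; /S refuses to create a duplicate SPN.
    if ($FSxComputer."msDS-AdditionalDnsHostname" -notcontains $Alias) {
        Set-ADComputer -Identity $FSxComputer -Add @{ "msDS-AdditionalDnsHostname" = $Alias }
    }
    foreach ($Spn in $Spns) { setspn /S $Spn $FSxComputer.Name }

    # 3. Verify both HOST SPNs are listed on the FSx object before DNS is changed; otherwise clients
    #    following the new CNAME would get no Kerberos ticket for the alias.
    $Registered = (setspn /L $FSxComputer.Name) | ForEach-Object { $_.Trim() }
    $Missing    = $Spns | Where-Object { $Registered -notcontains $_ }
    if ($Missing) { throw "SPNs missing on $($FSxComputer.Name): $($Missing -join ', ')" }

    # 4. Repoint the CNAME. Add-DnsServerResourceRecordCName fails on an existing name, so remove it first.
    if (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $AliasHost -RRType CName -ComputerName $DnsServer -ErrorAction SilentlyContinue) {
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -Name $AliasHost -RRType CName -ComputerName $DnsServer -Force
    }
    Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name $AliasHost -HostNameAlias $FSxDnsName -ComputerName $DnsServer
}
```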