Using a self-managed Microsoft Active Directory
If your organization manages identities and devices using a self-managed Active Directory on-premises or in the cloud, you can join an FSx for Windows File Server file system to your Active Directory domain at creation.
When you join your file system to your self-managed Active Directory, your FSx for Windows File Server file system resides in the same Active Directory forest (the top logical container in an Active Directory configuration that contains domains, users, and computers) and in the same Active Directory domain as your users and existing resources (including existing file servers).
Note
You can isolate your resources—including your Amazon FSx file systems—into a separate Active Directory forest from the one where your users reside. To do this, join your file system to an AWS Managed Microsoft Active Directory and establish a one-way forest trust relationship between an AWS Managed Microsoft Active Directory that you create and your existing self-managed Active Directory.
- User name and password for a service account on your Active Directory domain, for Amazon FSx to use to join the file system to your Active Directory domain.
- (Optional) The Organizational Unit (OU) in your domain in which you want your file system to be joined.
- (Optional) The domain group to which you want to delegate authority to perform administrative actions on your file system. For example, this domain group might manage Windows file shares, manage Access Control Lists (ACLs) on the file system's root folder, take ownership of files and folders, and so on. If you don't specify this group, Amazon FSx delegates this authority to the Domain Admins group in your Active Directory domain by default.

    Note
    The domain group name you provide must be unique in your Active Directory. FSx for Windows File Server will not create the domain group under the following circumstances:
    - If a group already exists with the name you specify
    - If you do not specify a name, and a group named "Domain Admins" already exists in your Active Directory.

For more information, see Joining an Amazon FSx file system to a self-managed Microsoft Active Directory domain.
Prerequisites
Before you join an FSx for Windows File Server file system to your self-managed Microsoft Active Directory domain, review the following prerequisites to help ensure that you can successfully join your Amazon FSx file system to your self-managed Active Directory.
On-premises configurations
These are the prerequisites for the self-managed Microsoft Active Directory, either on-premises or cloud-based, that you will join the Amazon FSx file system to.
- The Active Directory domain controllers:
    - Must have a domain functional level at Windows Server 2008 R2 or higher.
    - Must be writable.
    - At least one of the reachable domain controllers must be a Global Catalog of the forest.
- The DNS server must be able to resolve names as follows:
    - In the domain that you are joining the file system to
    - In the root domain of the forest
- The DNS server and Active Directory domain controller IP addresses must meet the following requirements, which vary depending on when your Amazon FSx file system was created:
    - For file systems created before December 17, 2020: IP addresses must be in an RFC 1918 private IP address range:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
    - For file systems created after December 17, 2020: IP addresses can be in any range, except:
        - IP addresses that conflict with Amazon Web Services owned IP addresses in the AWS Region that the file system is in. For a list of AWS owned IP addresses by region, see the AWS IP address ranges.
        - IP addresses in the CIDR block range of 198.19.0.0/16

    If you need to access an FSx for Windows File Server file system that was created before December 17, 2020 using a non-private IP address range, you can create a new file system by restoring a backup of the file system. For more information, see Restoring a backup to a new file system.
- The domain name of your self-managed Active Directory must meet the following requirements:
    - The domain name isn't in Single Label Domain (SLD) format. Amazon FSx doesn't support SLD domains.
    - For Single-AZ 2 and all Multi-AZ file systems, the domain name cannot exceed 47 characters.
- Any Active Directory sites that you have defined must meet the following prerequisites:
    - The subnets in the VPC that's associated with your file system must be defined in an Active Directory site.
    - There are no conflicts between the VPC subnets and any of the Active Directory site subnets.

    Amazon FSx requires connectivity to the domain controllers or Active Directory sites you have defined in your Active Directory environment. Amazon FSx will ignore any domain controllers with TCP and UDP blocked on port 389. For the remaining domain controllers in your Active Directory, ensure that they meet the Amazon FSx connectivity requirements. Additionally, verify that any changes to your service account are propagated to all these domain controllers.

    Important
    Do not move computer objects that Amazon FSx creates in the OU after your file system is created. Doing so will cause your file system to become misconfigured.
You can validate your Active Directory configuration, including testing connectivity to multiple domain controllers, using the Amazon FSx Active Directory Validation tool. To limit the number of domain controllers that require connectivity, you can also build a trust relationship between your on-premises domain controllers and AWS Managed Microsoft AD. For more information, see Using a resource forest isolation model.
Important
Amazon FSx only registers the DNS records for a file system if you are using Microsoft DNS as the default DNS service. If you are using a third-party DNS, you will need to manually set up DNS record entries for your file system after you create it.
Network configurations
This section describes the network configuration requirements for joining a file system to your self-managed Active Directory. We strongly recommend that you use the Amazon FSx Active Directory validation tool to test your network settings before attempting to join your file system to your self-managed Active Directory.
- Ensure that your firewall rules will allow ICMP traffic between your Active Directory domain controllers and Amazon FSx.
- Connectivity must be configured between the Amazon VPC where you want to create the file system and your self-managed Active Directory. You can set up this connectivity using AWS Direct Connect, AWS Virtual Private Network, VPC peering, or AWS Transit Gateway.
- The default VPC security group for your default Amazon VPC must be added to your file system using the Amazon FSx console. Ensure that the security group and the VPC Network ACLs for the subnets where you create your file system allow traffic on the ports and in the direction shown in the following diagram.

    The following table identifies the protocol, ports, and their role.

    | Protocol | Ports | Role |
    |---|---|---|
    | TCP/UDP | 53 | Domain Name System (DNS) |
    | TCP/UDP | 88 | Kerberos authentication |
    | TCP/UDP | 464 | Change/set password |
    | TCP/UDP | 389 | Lightweight Directory Access Protocol (LDAP) |
    | UDP | 123 | Network Time Protocol (NTP) |
    | TCP | 135 | Distributed Computing Environment/End Point Mapper (DCE/EPMAP) |
    | TCP | 445 | Directory Services SMB file sharing |
    | TCP | 636 | Lightweight Directory Access Protocol over TLS/SSL (LDAPS) |
    | TCP | 3268 | Microsoft Global Catalog |
    | TCP | 3269 | Microsoft Global Catalog over SSL |
    | TCP | 5985 | WinRM 2.0 (Microsoft Windows Remote Management) |
    | TCP | 9389 | Microsoft Active Directory DS Web Services, PowerShell |
    | TCP | 49152 - 65535 | Ephemeral ports for RPC |

    Important
    Allowing outbound traffic on TCP port 9389 is required for Single-AZ 2 and Multi-AZ file system deployments.

    These traffic rules need to also be mirrored on the firewalls that apply to each of the Active Directory domain controllers, DNS servers, FSx clients, and FSx administrators.
Note
If you're using VPC network ACLs, you must also allow outbound traffic on dynamic ports (49152-65535) from your file system.
Important
While Amazon VPC security groups require ports to be opened only in the direction that network traffic is initiated, most Windows firewalls and VPC network ACLs require ports to be open in both directions.
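The following script is an added example, not part of the AWS documentation or the Amazon FSx Active Directory Validation tool: run from a Windows host in the same VPC subnet as the file system, it pings each domain controller (the ICMP requirement) and checks the TCP ports from the table above, flagging any controller that FSx would ignore because port 389 is blocked. The domain controller names are placeholders.

```powershell
# Added example (not from the AWS documentation). Domain controller names are placeholders.
# Test-NetConnection exercises TCP only; the UDP side of 53/88/389/464/123 and the
# RPC ephemeral range must still be verified with the FSx AD validation tool or firewall logs.
$DomainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')

$RequiredTcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP (FSx ignores a DC that blocks this port)'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
    5985 = 'WinRM'
    9389 = 'AD DS Web Services (required for Single-AZ 2 and Multi-AZ)'
}

$results = foreach ($dc in $DomainControllers) {
    # ICMP reachability, as required by the firewall prerequisite above
    $ping = Test-Connection -ComputerName $dc -Count 1 -Quiet -ErrorAction SilentlyContinue
    foreach ($port in $RequiredTcpPorts.Keys) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            IcmpReachable    = $ping
            Port             = $port
            Role             = $RequiredTcpPorts[$port]
            TcpOpen          = $tcp.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# A DC with TCP 389 blocked is skipped by FSx entirely; everything else is a hard failure to fix
$ignoredDcs = $results | Where-Object { $_.Port -eq 389 -and -not $_.TcpOpen } |
    Select-Object -ExpandProperty DomainController
$blocked = $results | Where-Object { -not $_.TcpOpen -and $_.DomainController -notin $ignoredDcs }

if ($ignoredDcs) { Write-Warning "FSx will ignore these DCs (TCP 389 blocked): $($ignoredDcs -join ', ')" }
if ($blocked) {
    $blocked | ForEach-Object { Write-Warning "$($_.DomainController): TCP $($_.Port) ($($_.Role)) blocked" }
    Write-Warning 'Fix the security group, network ACL, or DC firewall before joining the file system.'
}
```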
Service account permissions
You need to have a service account in your self-managed Microsoft Active Directory with delegated permissions to join computer objects to your self-managed Active Directory domain. A service account is a user account in your self-managed Active Directory that has been delegated certain tasks.
The following is the minimum set of permissions that must be delegated to the Amazon FSx service account in the OU that you're joining the file system to.
- If using Delegate Control in the Active Directory Users and Computers MMC:
    - Reset passwords
    - Read and write Account Restrictions
    - Validated write to DNS host name
    - Validated write to service principal name
- If using Advanced Features in the Active Directory Users and Computers MMC:
    - Modify permissions
    - Create computer objects
    - Delete computer objects

For more information, see the Microsoft Windows Server documentation topic Error: Access is denied when non-administrator users who have been delegated control try to join computers to a domain controller.
For more information about setting the required permissions, see Delegating permissions to the Amazon FSx service account or group.
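The following script is an added example, not code from the AWS or Microsoft documentation: it grants a dedicated service account the rights listed above on a single OU with the ActiveDirectory PowerShell module, so the account holds exactly what FSx needs and nothing more. The OU distinguished name and account name are placeholders; the GUIDs are the fixed Active Directory schema identifiers for the computer class, the Reset Password extended right, the Account Restrictions property set, and the two validated writes.

```powershell
# Added example (not from the AWS documentation). Run as a domain administrator.
Import-Module ActiveDirectory

$OuDn    = 'OU=FSx,DC=corp,DC=example,DC=com'   # placeholder: OU the file system is joined to
$Account = 'CORP\svc-fsx'                        # placeholder: dedicated FSx service account
$Sid     = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

# Schema GUIDs; these are the same in every Active Directory forest
$ComputerClass       = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$ResetPassword       = [guid]'00299570-246d-11d0-a768-00aa006e0562'   # Reset Password extended right
$AccountRestrictions = [guid]'4c164200-20c0-11d0-a768-00aa006e0562'   # Account Restrictions property set
$ValidatedDnsHost    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # Validated write to DNS host name
$ValidatedSpn        = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # Validated write to SPN

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$All         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$OuDn"

# "Create computer objects" / "Delete computer objects": scoped to the computer class only,
# so the account cannot create users, groups, or other object types in the OU
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $Allow, $ComputerClass, $All)))

# Rights on the computer objects themselves (inherited by descendant computers only):
# Reset password, read/write Account Restrictions, both validated writes, and
# "Modify permissions" (WriteDacl) from the Advanced Features list above
$rules = @(
    @{ Rights = 'ExtendedRight';              Guid = $ResetPassword },
    @{ Rights = 'ReadProperty, WriteProperty'; Guid = $AccountRestrictions },
    @{ Rights = 'Self';                       Guid = $ValidatedDnsHost },
    @{ Rights = 'Self';                       Guid = $ValidatedSpn },
    @{ Rights = 'WriteDacl';                  Guid = [guid]::Empty }
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Rights,
        $Allow, $r.Guid, $Descendents, $ComputerClass)))
}

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Show what was applied, for review before the file system is created
(Get-Acl -Path "AD:\$OuDn").Access | Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

After applying the rules, confirm in the Active Directory Users and Computers security tab that the account appears only on this OU and not on the domain root or other OUs.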
Best practices when using a self-managed Active Directory
We recommend that you follow these best practices when joining an Amazon FSx for Windows File Server file system to your self-managed Microsoft Active Directory. These best practices will help you in maintaining continuous, uninterrupted availability of your file system.

- Use a separate service account for Amazon FSx
    Use a separate service account to delegate the required privileges for Amazon FSx to fully manage file systems that are joined to your self-managed Active Directory. We do not recommend using the Domain Admins group for this purpose.
- Use an Active Directory group
    Use an Active Directory group to manage Active Directory permissions and configurations associated with the Amazon FSx service account.
- Segregate the Organizational Unit (OU)
    To make it easier to find and manage your Amazon FSx computer objects, we recommend that you segregate the Organizational Unit (OU) you use for your FSx for Windows File Server file systems from other domain controller concerns.
- Keep the Active Directory configuration up-to-date
    It is imperative that you keep your file system's Active Directory configuration up-to-date with any changes. For example, if your self-managed Active Directory uses a time-based password reset policy, as soon as the password is reset, make sure to update the service account password on your file system. For more information, see Updating a self-managed Active Directory configuration.
- Changing the Amazon FSx service account
    If you update your file system with a new service account, it must have the required permissions and privileges to join your Active Directory and have Full control permissions for the existing computer objects associated with the file system. For more information, see Changing the Amazon FSx service account.
- Assign subnets to a single Microsoft Active Directory site
    If your Active Directory environment has a large number of domain controllers, use Active Directory Sites and Services to assign the subnets used by your Amazon FSx file systems to a single Active Directory site with the highest availability and reliability. Make sure that the VPC security group, VPC network ACL, Windows firewall rules on your DCs, and any other network routing controls you have in your Active Directory infrastructure allow communication from Amazon FSx on the required ports. This allows Windows to revert to other domain controllers if it can't use the assigned Active Directory site. For more information, see File system access control with Amazon VPC.
- Use security group rules to limit traffic
    Use security group rules to implement the principle of least privilege in your virtual private cloud (VPC). You can limit the type of inbound and outbound network traffic allowed for your file system using VPC security group rules. For example, we recommend only allowing outbound traffic to your self-managed Active Directory domain controllers or to within the subnet or security group you are using. For more information, see File system access control with Amazon VPC.
- Do not move computer objects created by Amazon FSx
    Important
    Do not move computer objects that Amazon FSx creates in the OU after your file system is created. Doing so will cause your file system to become misconfigured.
- Validate your Active Directory configuration
    Before attempting to join an FSx for Windows File Server file system to your Active Directory, we strongly recommend that you validate your Active Directory configuration using the Amazon FSx Active Directory Validation tool.
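The following script is an added example, not part of the AWS documentation: it audits three of the best practices above for an existing file system, checking that the service account is not a Domain Admin (directly or through nested groups), that its password is not older than your reset policy so the copy stored on the file system can be updated in time, and that the FSx computer objects are still inside the designated OU. The account name, OU, policy threshold, and computer object names are placeholders.

```powershell
# Added example (not from the AWS documentation). All values below are placeholders.
Import-Module ActiveDirectory

$Account   = 'svc-fsx'                              # sAMAccountName of the FSx service account
$OuDn      = 'OU=FSx,DC=corp,DC=example,DC=com'     # OU you segregated for FSx computer objects
$MaxPwdAge = 90                                     # days; match your password reset policy
$FsxHosts  = @('fsx-computer-object-1')             # computer object names of your file systems

$findings = [System.Collections.Generic.List[string]]::new()
$svc = Get-ADUser -Identity $Account -Properties pwdLastSet

# 1. Separate, least-privilege account: must not be a Domain Admin, even via nested groups
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
if ($domainAdmins.SID -contains $svc.SID) {
    $findings.Add("$Account is a member of Domain Admins; delegate OU rights to a dedicated account instead")
}

# 2. Password freshness: a rotated AD password must also be updated on the file system,
#    otherwise FSx can no longer rejoin computer objects during patching or failover
$pwdSetUtc = [datetime]::FromFileTimeUtc($svc.pwdLastSet)
$pwdAge    = [int]((Get-Date).ToUniversalTime() - $pwdSetUtc).TotalDays
if ($pwdAge -ge $MaxPwdAge) {
    $findings.Add("$Account password is $pwdAge days old (policy: $MaxPwdAge); rotate it and update the file system")
}

# 3. Computer objects must not have been moved out of the OU after creation
foreach ($name in $FsxHosts) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $computer) {
        $findings.Add("Computer object $name not found in the domain")
    } elseif ($computer.DistinguishedName -notlike "*,$OuDn") {
        $findings.Add("Computer object $name has moved to $($computer.DistinguishedName); expected under $OuDn")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: service account, password age, and OU placement look correct.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```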
Amazon FSx service account
Amazon FSx file systems that are joined to a self-managed Active Directory require a valid service account throughout their lifetime. Amazon FSx uses the service account to fully manage your file systems and perform administrative tasks that require unjoining and rejoining computer objects to your Active Directory domain. These tasks include replacing a failed file server and patching Microsoft Windows Server software. For Amazon FSx to perform these tasks, the Amazon FSx service account must have, at a minimum, the set of permissions that are described in Service account permissions delegated to it.
Although members of the Domain Admins group have sufficient privileges to perform these tasks, we strongly recommend that you use a separate service account to delegate the required privileges to Amazon FSx.
For more information about how to delegate privileges using either Delegate Control or Advanced Features in the Active Directory Users and Computers MMC snap-in, see Delegating permissions to the Amazon FSx service account or group.
If you update your file system with a new service account, the new service account must have the required permissions and privileges to join your Active Directory and have Full control permissions for the existing computer objects associated with the file system. For more information, see Changing the Amazon FSx service account.