

# Accessing your data
<a name="supported-fsx-clients"></a>

You can access your Amazon FSx file systems using a variety of supported clients and methods from both the AWS Cloud and on-premises environments.

**Topics**
+ [Supported clients](#supported-clients-fsx)
+ [Accessing data from within the AWS Cloud](#access-environments)
+ [Accessing data from on-premises](#on-premise-access)
+ [Accessing data using default DNS names](#dns-name)
+ [Support for Distributed File System (DFS) namespaces](#dfs-namespace)
+ [Accessing data using DNS aliases](dns-aliases.md)
+ [Accessing data using file shares](using-file-shares.md)
+ [Creating, updating, removing file shares](managing-file-shares.md)

## Supported clients
<a name="supported-clients-fsx"></a>

FSx for Windows File Server supports the Server Message Block (SMB) protocol versions 2.0 through 3.1.1, giving you the flexibility to connect to your file systems using a wide variety of compute instances and operating systems.

The following AWS compute instances are supported for use with Amazon FSx:
+ Amazon Elastic Compute Cloud (Amazon EC2) instances, including Microsoft Windows, Mac, Amazon Linux and Amazon Linux 2 instances. For more information, see [Mapping file shares](using-file-shares.md#mapping-file-shares).
+ Amazon Elastic Container Service (Amazon ECS) containers. For more information, see [ FSx for Windows File Server volumes](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/wfsx-volumes.html) in the *Amazon Elastic Container Service Developer Guide*.
+ WorkSpaces instances – To learn more, see the AWS blog post [ Using FSx for Windows File Server with Amazon WorkSpaces](https://aws.amazon.com/blogs/desktop-and-application-streaming/using-amazon-fsx-for-windows-file-server-with-amazon-workspaces/).
+ Amazon AppStream 2.0 instances – To learn more, see the AWS blog post [ Using Amazon FSx with Amazon AppStream 2.0](https://aws.amazon.com/blogs/desktop-and-application-streaming/using-amazon-fsx-with-amazon-appstream-2-0/). 
+ VMs running in VMware Cloud on AWS environments – To learn more, see the AWS blog post [Storing and Sharing Files with FSx for Windows File Server in a VMware Cloud on AWS Environment](https://aws.amazon.com/blogs/apn/storing-and-sharing-files-with-amazon-fsx-in-a-vmware-cloud-on-aws-environment/). 

The following operating systems are supported for use with Amazon FSx:
+ Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.
+ Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (including the Windows 7 and Windows 10 desktop experiences of WorkSpaces), and Windows 11.
+ Linux, using the `cifs-utils` tool.
+ macOS

## Accessing data from within the AWS Cloud
<a name="access-environments"></a>

Each Amazon FSx file system is associated with a Virtual Private Cloud (VPC). You can access your FSx for Windows File Server file system from anywhere in the file system's VPC, regardless of Availability Zone. You can also access your file system from VPCs that are in different AWS accounts or AWS Regions than the file system. In addition to the requirements described in the following sections for accessing FSx for Windows File Server resources, you also need to ensure that your file system's VPC security group is configured so that data and management traffic can flow between your file system and clients. For more information about configuring security groups with the required ports, see [File system access control with Amazon VPC](limit-access-security-groups.md).

You can access your FSx for Windows File Server file system from supported clients that are in the same VPC as your file system.

The following table shows the environments from which Amazon FSx supports client access to a file system, depending on when the file system was created.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/fsx/latest/WindowsGuide/supported-fsx-clients.html)

**Note**  
In some cases, you might want to access a file system that was created before December 17, 2020 from on-premises using a non-private IP address range. To do this, create a new file system from a backup of the file system. For more information, see [Protecting your data with backups](using-backups.md).

### Accessing data from a different VPC, AWS account, or AWS Region
<a name="different-vpc-account-access"></a>

You can access your FSx for Windows File Server file system from supported clients that are located in a different VPC, AWS account, or AWS Region than the one associated with your file system by using VPC peering or transit gateways. When you use a VPC peering connection or transit gateway to connect VPCs, compute instances that are in one VPC can access Amazon FSx file systems that are in another VPC. This access is possible even if the VPCs belong to different AWS accounts, and even if the VPCs reside in different AWS Regions.

A *VPC peering connection* is a networking connection between two VPCs that you can use to route traffic between them using private IPv4 or IP version 6 (IPv6) addresses. You can use VPC peering to connect VPCs within the same AWS Region or between AWS Regions. For more information on VPC peering, see [What is VPC Peering?](https://docs.aws.amazon.com/vpc/latest/peering/Welcome.html) in the *Amazon VPC Peering Guide*.

A *transit gateway* is a network transit hub that you can use to interconnect your VPCs and on-premises networks. For more information about using VPC transit gateways, see [Getting Started with Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html) in the *Amazon VPC Transit Gateways*.

After you set up a VPC peering or transit gateway connection, you can access your file system using its DNS name. You do so just as you do from compute instances within the associated VPC.

## Accessing data from on-premises
<a name="on-premise-access"></a>

FSx for Windows File Server supports the use of AWS Direct Connect or Site-to-Site VPN to access your file systems from your on-premises compute instances. With support for AWS Direct Connect, FSx for Windows File Server enables you to access your file system over a dedicated network connection from your on-premises environment. With support for Site-to-Site VPN, FSx for Windows File Server enables you to access your file system from your on-premises devices over a secure and private tunnel.

After you connect your on-premises environment to the VPC associated with your Amazon FSx file system, you can access your file system using its DNS name or a DNS alias. You do so just as you do from compute instances within the VPC. For more information on Direct Connect, see the *[Direct Connect User Guide](https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html)*. For more information on setting up Site-to-Site VPN connections, see [VPN Connections](https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html) in the *Amazon VPC User Guide*.

**Note**  
In some cases, you might want to access a file system that was created before December 17, 2020 from on-premises using a non-private IP address range. To do this, create a new file system from a backup of the file system. For more information, see [Protecting your data with backups](using-backups.md).

FSx for Windows File Server also supports the use of Amazon FSx File Gateway to provide low latency, seamless access to your in-cloud FSx for Windows File Server file shares from your on-premises compute instances. For more information, see the *[Amazon FSx File Gateway User Guide](https://docs.aws.amazon.com/filegateway/latest/filefsxw/what-is-file-fsxw.html)*.

**Note**  
Amazon FSx File Gateway is no longer available to new customers. Existing customers of FSx File Gateway can continue to use the service normally. For capabilities similar to FSx File Gateway, visit [this blog post](https://aws.amazon.com/blogs/storage/switch-your-file-share-access-from-amazon-fsx-file-gateway-to-amazon-fsx-for-windows-file-server/). 

## Accessing data using default DNS names
<a name="dns-name"></a>

FSx for Windows File Server provides a Domain Name System (DNS) name for every file system. You access your FSx for Windows File Server file system by mapping a drive letter on your compute instance to your Amazon FSx file share using this DNS name. To learn more, see [Accessing data using file shares](using-file-shares.md).

**Important**  
Amazon FSx only registers DNS records for a file system if you are using Microsoft DNS as the default DNS. If you are using a third-party DNS, you must manually set up DNS entries for your Amazon FSx file systems. For information about choosing the correct IP addresses to use for the file system, see [Getting the correct file system IP addresses to use for manual DNS entries](file-system-ip-addresses-for-dns.md).

To find the DNS name:
+ In the Amazon FSx console, choose **File systems**, and then choose **Details**. View the DNS name in the **Network & Security** section.
+ Or, view it in the response of the **CreateFileSystem** or **DescribeFileSystems** API operation.

For all Single-AZ file systems joined to an AWS Managed Microsoft Active Directory, the DNS name has the following format: `fs-0123456789abcdef0.ad-dns-domain-name`

For all Single-AZ file systems joined to a self-managed Active Directory, and any Multi-AZ file system, the DNS name has the following format: `amznfsxaa11bb22.ad-domain.com`

### Using Kerberos authentication with DNS names
<a name="kerberos-with-dns-name"></a>

We recommend that you use Kerberos-based authentication and encryption in transit with Amazon FSx. Kerberos provides the most secure authentication for clients accessing your file system. To enable Kerberos-based authentication and encryption of data in transit for your SMB sessions, use the file system's DNS name provided by Amazon FSx to access your file system. 

If you have an external trust configured between your AWS Managed Microsoft Active Directory and your on-premises Active Directory, to use the Amazon FSx Remote PowerShell with Kerberos authentication, you must configure a local group policy on the client for forest search order. For more information, see [Configure Kerberos Forest Search Order (KFSO)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/hh921473(v=ws.10)?redirectedfrom=MSDN) in the Microsoft documentation.
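The following PowerShell function is an added example, not code from the AWS guide. It maps the default `share` by the file system's DNS name and then checks the two things a defender wants confirmed after the mapping: that the client holds a Kerberos service ticket for `cifs/<dns-name>` (so the session did not fall back to NTLM) and that the SMB connection negotiated an SMB 3 dialect with encryption. The function name, parameter names and the `Z:` drive letter are this example's own choices; the DNS name in the usage line follows the placeholder format shown on this page.

```powershell
# Added example (not from the AWS guide): map a share by the file system's DNS name,
# then verify that the SMB session used Kerberos and is encrypted.
function Test-FsxKerberosConnection {
    param(
        [Parameter(Mandatory)][string]$FileSystemDnsName,   # placeholder: your file system's DNS name
        [string]$ShareName   = 'share',                      # default share created with every file system
        [string]$DriveLetter = 'Z'                           # example choice
    )

    $uncPath = "\\$FileSystemDnsName\$ShareName"

    # Map by DNS name, never by IP address: the Kerberos client requests a ticket for
    # cifs/<name>, which must match a HOST/ SPN on the file system's computer object,
    # and a Multi-AZ file system's IP address changes on failover.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $uncPath -Scope Global -ErrorAction Stop | Out-Null

    # A cached service ticket for cifs/<dns-name> shows Kerberos was used for this server.
    $ticketLines = klist | Where-Object { $_ -match "cifs/$([regex]::Escape($FileSystemDnsName))" }

    # Dialect and encryption state of the live SMB connection to this server.
    $conn = Get-SmbConnection |
        Where-Object { $_.ServerName -ieq $FileSystemDnsName } |
        Select-Object -First 1

    [pscustomobject]@{
        Path           = $uncPath
        KerberosTicket = [bool]$ticketLines   # $false here means NTLM (or no) authentication
        SmbDialect     = $conn.Dialect        # expect 3.x for encryption in transit
        Encrypted      = $conn.Encrypted
    }
}

# Usage (replace with your own file system's DNS name):
# Test-FsxKerberosConnection -FileSystemDnsName 'amznfsxaa11bb22.ad-domain.com'
```

The same check applies unchanged to a DNS alias once the alias SPNs are configured. A mapping that succeeds while `KerberosTicket` is `$false` is the signature of NTLM fallback, which is what you see when a client connects by IP address or by a name that has no matching SPN.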

## Support for Distributed File System (DFS) namespaces
<a name="dfs-namespace"></a>

FSx for Windows File Server supports the use of Microsoft DFS Namespaces. Use DFS Namespaces to organize file shares that are located on multiple file systems into one common folder structure (a namespace) that you use to access the entire file dataset. You can use a name in your DFS Namespace to access your Amazon FSx file system by configuring its link target to be the file system's DNS name. For more information, see [Group multiple FSx for Windows File Server file systems with DFS Namespaces](using-dfs-namespaces.md#group-file-systems).

# Accessing data using DNS aliases
<a name="dns-aliases"></a>

FSx for Windows File Server provides a DNS name for every file system that you can use to access your file shares. You can also access your file shares using DNS names other than the default DNS name by registering DNS aliases for your FSx for Windows File Server file systems.

Using DNS aliases, you can move your Windows file share data to FSx for Windows File Server and continue using the existing DNS names to access data on Amazon FSx. DNS aliases also allow you to use meaningful names that make it easier to administer tools and applications to connect to your Amazon FSx file systems. You can associate up to 50 DNS aliases with a file system at any one time. For more information about associating and disassociating DNS aliases with an FSx for Windows File Server file system, see [Managing DNS aliases](managing-dns-aliases.md).

To configure access to your FSx for Windows File Server file systems using DNS aliases, you must perform the following steps:

1. [Associate DNS aliases with your file system](step1-assign-dns-alias.md).

1. [Create a DNS CNAME record](step4-configure-dns-cname.md) for the file system and the DNS aliases associated with it.

For more information about using DNS aliases with FSx for Windows File Server file systems, see [Managing DNS aliases](managing-dns-aliases.md).

## Using Kerberos authentication and encryption with DNS aliases
<a name="kerberos-with-aliases"></a>

We recommend that you use Kerberos-based authentication and encryption in transit with Amazon FSx. Kerberos provides the most secure authentication for clients accessing your file system. To enable Kerberos authentication for clients that access Amazon FSx using a DNS alias, you must add service principal names (SPNs) that correspond to the DNS alias on your Amazon FSx file system’s Active Directory computer object. 

To set up Kerberos authentication and encryption when accessing your file system using DNS aliases, see [Configure service principal names (SPNs) for Kerberos](step2-configure-spn-kerberos.md).

You can optionally enforce clients that access the file system using a DNS alias to use Kerberos authentication and encryption by setting the following Group Policy Objects (GPOs) in your Active Directory:
+ **Restrict NTLM: Outgoing NTLM traffic to remote servers** - Use this policy setting to deny or audit outgoing NTLM traffic from a computer to any remote server running the Windows operating system.
+ **Restrict NTLM: Add remote server exceptions for NTLM authentication** - Use this policy setting to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers* policy setting is configured.

To enforce Kerberos authentication and encryption when accessing your file system using DNS aliases, see [Enforcing Kerberos authentication using Group Policy Objects (GPOs)](enforce-kerberos.md).

For more information about configuring your file system to use DNS aliases, see the following procedures:
+ [Associate DNS aliases with your file system](step1-assign-dns-alias.md)
+ [Configure service principal names (SPNs) for Kerberos](step2-configure-spn-kerberos.md)
+ [Update or create a DNS CNAME record](step4-configure-dns-cname.md)
+ [Enforcing Kerberos authentication using Group Policy Objects (GPOs)](enforce-kerberos.md)

# Associate DNS aliases with your file system
<a name="step1-assign-dns-alias"></a>

You can associate DNS aliases with existing FSx for Windows File Server file systems, when you create new file systems, and when you create a new file system from a backup using the Amazon FSx console, CLI, and API. If you are creating an alias with a different domain name, input the full name, including parent domain, to associate an alias.

This procedure describes how to associate DNS aliases when creating a new file system using the Amazon FSx console. For information about associating DNS aliases with existing file systems, and details about using the CLI and API, see [Managing DNS aliases](managing-dns-aliases.md).

**To associate DNS aliases when creating a new file system**

1. Open the Amazon FSx console at [https://console.aws.amazon.com/fsx/](https://console.aws.amazon.com/fsx/).

1. Follow the procedure for creating a new file system as described in [Step 5. Create your file system](getting-started.md#getting-started-step1) of the Getting Started section.

1. In the **Access - optional** section of the **Create file system** wizard, enter the DNS aliases that you want to associate with your file system.

   Use the following guidelines when specifying DNS aliases:
   + Must be formatted as a fully qualified domain name (FQDN) `hostname.domain`, for example, `accounting.example.com`.
   + Can contain alphanumeric characters and hyphens (-).
   + Cannot start or end with a hyphen.
   + Can start with a digit.

   For DNS alias names, Amazon FSx stores alphabetic characters as lowercase letters (a-z), regardless of how you specify them: as uppercase letters, lowercase letters, or the corresponding letters in escape codes.

1. For **Maintenance preferences**, make any changes that you want.

1. In the **Tags - optional** section, add any tags that you need, and then choose **Next**.

1. Review the file system configuration shown on the **Create file system** page. Choose **Create file system** to create the file system.

# Configure service principal names (SPNs) for Kerberos
<a name="step2-configure-spn-kerberos"></a>

We recommend that you use Kerberos-based authentication and encryption in transit with Amazon FSx. Kerberos provides the most secure authentication for clients that access your file system.

To enable Kerberos authentication for clients that access Amazon FSx using a DNS alias, you must add service principal names (SPNs) that correspond to the DNS alias on your Amazon FSx file system’s Active Directory computer object. An SPN can only be associated with a single Active Directory computer object at a time. If you have existing SPNs for the DNS name configured for your original file system's Active Directory computer object, you must delete them first. 

There are two required SPNs for Kerberos authentication:

```
HOST/alias
HOST/alias.domain
```

If the alias is `finance.domain.com`, the following are the two required SPNs:

```
HOST/finance
HOST/finance.domain.com
```

**Note**  
You will need to delete any existing HOST SPNs that correspond to the DNS alias on the Active Directory computer object before you create new HOST SPNs for your Amazon FSx file system's Active Directory (AD) computer object. Attempts to set SPNs for your Amazon FSx file system will fail if an SPN for the DNS alias exists in the AD.

The following procedures describe how to do the following:
+ Find any existing DNS alias SPNs on the original file system's Active Directory computer object.
+ Delete the existing SPNs found, if any.
+ Create new DNS alias SPNs for your Amazon FSx file system's Active Directory computer object.

**To install the required PowerShell Active Directory module**

1. Log on to a Windows instance joined to the Active Directory to which your Amazon FSx file system is joined.

1. Open PowerShell as administrator.

1. Install the PowerShell Active Directory module using the following command.

   ```
   Install-WindowsFeature RSAT-AD-PowerShell
   ```

<a name="find-delete-existing-spns"></a>
**To find and delete existing DNS alias SPNs on the original file system's Active Directory computer object**

If you have SPNs configured for the DNS alias that you've assigned to another file system on a computer object in your Active Directory, you must first remove those SPNs before adding SPNs to your file system's computer object.

1. Find any existing SPNs by using the following commands. Replace `alias_fqdn` with the DNS alias that you associated with the file system in [Step 1](step1-assign-dns-alias.md).

   ```
   ## Find SPNs for original file system's AD computer object
   $ALIAS = "alias_fqdn"
   SetSPN /Q ("HOST/" + $ALIAS)
   SetSPN /Q ("HOST/" + $ALIAS.Split(".")[0])
   ```

1. Delete the existing HOST SPNs returned in the previous step by using the following example script.
   + Replace `alias_fqdn` with the full DNS alias that you associated with the file system in [Step 1](step1-assign-dns-alias.md).
   + Replace `file_system_dns_name` with the original file system's DNS name.

   ```
   ## Delete SPNs for original file system's AD computer object
   $Alias = "alias_fqdn"
   $FileSystemDnsName = "file_system_dns_name"
   $FileSystemHost = (Resolve-DnsName ${FileSystemDnsName} | Where Type -eq 'A')[0].Name.Split(".")[0]
   $FSxAdComputer = (Get-AdComputer -Identity ${FileSystemHost})
   
   SetSPN /D ("HOST/" + ${Alias}) ${FSxAdComputer}.Name
   SetSPN /D ("HOST/" + ${Alias}.Split(".")[0]) ${FSxAdComputer}.Name
   ```

1. Repeat the previous steps for each DNS alias that you've associated with the file system in [Step 1](step1-assign-dns-alias.md).

**To set SPNs on your Amazon FSx file system’s Active Directory computer object**

1. Set new SPNs for your Amazon FSx file system by running the following commands.
   + Replace `file_system_DNS_name` with the DNS name that Amazon FSx assigned to the file system. 

     To find your file system's DNS name on the Amazon FSx console, choose **File systems**, choose your file system, and then choose the **Network & security** pane on the file system details page. 

     You can also get the DNS name in the response of the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation.
   + Replace `alias_fqdn` with the full DNS alias that you associated with the file system in [Step 1](step1-assign-dns-alias.md).

   ```
   ## Set SPNs for FSx file system AD computer object
   $FSxDnsName = "file_system_DNS_name"
   $Alias = "alias_fqdn"
   $FileSystemHost = (Resolve-DnsName $FSxDnsName | Where Type -eq 'A')[0].Name.Split(".")[0]
   $FSxAdComputer = (Get-AdComputer -Identity $FileSystemHost)
   
   ## Use the following command to set both the full FQDN and alias SPNs
   Set-AdComputer -Identity $FSxAdComputer -Add @{"msDS-AdditionalDnsHostname" = @($Alias, $Alias.Split(".")[0])}
   ```

**Note**  
Setting an SPN for your Amazon FSx file system will fail if an SPN for the DNS alias exists in the AD for the original file system's computer object. For information about finding and deleting existing SPNs, see [To find and delete existing DNS alias SPNs on the original file system's Active Directory computer object](#find-delete-existing-spns).

1. Verify that the new SPNs are configured for the DNS alias using the following example script. Ensure that the response includes two HOST SPNs, `HOST/alias` and `HOST/alias_fqdn`, as described previously in this procedure.

   Replace `file_system_dns_name` with the DNS name that Amazon FSx assigned to your file system. To find your file system's DNS name on the Amazon FSx console, choose **File systems**, choose your file system, and then choose the **Network & security** pane on the file system details page. 

   You can also get the DNS name in the response of the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation.

   ```
   ## Verify SPNs on FSx file system AD computer object
   $FileSystemDnsName = "file_system_dns_name"
   $FileSystemHost = (Resolve-DnsName ${FileSystemDnsName} | Where Type -eq 'A')[0].Name.Split(".")[0]
   $FSxAdComputer = (Get-AdComputer -Identity ${FileSystemHost})
   SetSpn /L ${FSxAdComputer}.Name
   ```

1. Repeat the previous steps for each DNS alias that you've associated with the file system in [Step 1](step1-assign-dns-alias.md).
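The following PowerShell functions are an added example, not code from the AWS guide. They complement the find, delete and set steps above with a directory-wide audit: `Get-AliasSpnOwners` searches the whole domain for any object that holds either `HOST/` SPN of an alias (a duplicate owner is the condition that makes the set step fail and breaks Kerberos for that name), and `Test-FsxAliasSpn` confirms that the file system's own computer object now carries both required SPNs. Both function names and their parameters are this example's own choices; the ActiveDirectory module installed earlier in this section is assumed.

```powershell
# Added example (not from the AWS guide): audit HOST/ SPN ownership for a DNS alias.
# Requires the ActiveDirectory module (Install-WindowsFeature RSAT-AD-PowerShell).

function Get-AliasSpnOwners {
    param([Parameter(Mandatory)][string]$Alias)   # placeholder: the alias FQDN, e.g. finance.domain.com

    $short = $Alias.Split('.')[0]
    foreach ($spn in @("HOST/$Alias", "HOST/$short")) {
        # An SPN may be registered on only one object. Two owners means the KDC cannot
        # tell which account's key to use, so Kerberos for that name fails or falls back.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        [pscustomobject]@{
            Spn        = $spn
            OwnerCount = $owners.Count            # 0 = free, 1 = expected, >1 = conflict
            Owners     = ($owners | ForEach-Object DistinguishedName) -join '; '
        }
    }
}

function Test-FsxAliasSpn {
    param(
        [Parameter(Mandatory)][string]$Alias,        # placeholder: the alias FQDN
        [Parameter(Mandatory)][string]$FSxDnsName    # placeholder: DNS name assigned by Amazon FSx
    )

    # Same lookup the page's scripts use to get from the DNS name to the computer object.
    $fsxHost  = (Resolve-DnsName $FSxDnsName | Where-Object Type -eq 'A')[0].Name.Split('.')[0]
    $computer = Get-ADComputer -Identity $fsxHost -Properties servicePrincipalName, 'msDS-AdditionalDnsHostname'

    $short    = $Alias.Split('.')[0]
    $required = @("HOST/$Alias", "HOST/$short")
    $missing  = $required | Where-Object { $computer.servicePrincipalName -notcontains $_ }

    [pscustomobject]@{
        ComputerObject     = $computer.DistinguishedName
        AdditionalDnsNames = ($computer.'msDS-AdditionalDnsHostname' -join ', ')
        MissingSpns        = ($missing -join ', ')
        Ready              = -not $missing        # $true when both HOST/ SPNs are present
    }
}

# Usage (replace the placeholders with your own values):
# Get-AliasSpnOwners -Alias 'finance.domain.com'
# Test-FsxAliasSpn -Alias 'finance.domain.com' -FSxDnsName 'amznfsxaa11bb22.ad-domain.com'
```

Run `Get-AliasSpnOwners` before the delete step to see every object that holds the alias SPNs, not only the original file system's computer object, and run `Test-FsxAliasSpn` after the set step; `Ready` should be `$true` and `MissingSpns` empty before you cut over the DNS CNAME record.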

# Update or create a DNS CNAME record
<a name="step4-configure-dns-cname"></a>

After you properly configure SPNs for your file system, you can cut over to Amazon FSx by replacing each DNS record that resolved to the original file system with a DNS record that resolves to the default DNS name of the Amazon FSx file system.

The `DnsServer` and `ActiveDirectory` PowerShell modules are required to run the commands presented in this section.

**To install the required PowerShell modules**

1. Log on to a Windows instance joined to the same Active Directory that your Amazon FSx file system is joined to as a user that is a member of a group that has DNS administration permissions (**AWS Delegated Domain Name System Administrators** in AWS Managed Microsoft AD, and **Domain Admins** or another group to which you've delegated DNS administration permissions in your self-managed Active Directory). 

   For more information, see [Connecting to Your Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide*.

1. Open PowerShell as administrator.

1. The PowerShell DNS Server module is required to perform the instructions in this procedure. Install it using the following command.

   ```
   Install-WindowsFeature RSAT-DNS-Server
   ```

**To update or create a custom DNS name for your Amazon FSx file system**

1. Connect to your Amazon EC2 instance as a user that is a member of a group that has DNS administration permissions (**AWS Delegated Domain Name System Administrators** in AWS Managed Active Directory, and **Domain Admins** or another group to which you've delegated DNS administration permissions in your self-managed Active Directory).

   For more information, see [Connecting to Your Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide*.

1. At the PowerShell prompt, run the following script. This script replaces any existing DNS CNAME record for the alias with one that resolves to your Amazon FSx file system. If none is found, it creates a new DNS CNAME record for the DNS alias `alias_fqdn` that resolves to the default DNS name for your Amazon FSx file system. 

   To run the script:
   + Replace `alias_fqdn` with the DNS alias that you associated with the file system.
   + Replace `file_system_dns_name` with the DNS name Amazon FSx has assigned to the file system.

   ```
   $Alias = "alias_fqdn"
   $FSxDnsName = "file_system_dns_name"
   $AliasHost = $Alias.Split('.')[0]
   $ZoneName = ((Get-WmiObject Win32_ComputerSystem).Domain)
   $DnsServerComputerName = (Resolve-DnsName $ZoneName -Type NS | Where Type -eq 'A' | Select -ExpandProperty Name) | Select -First 1
   ## Remove any existing CNAME record for the alias, then create one that resolves to the Amazon FSx file system
   Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $AliasHost -RRType CName -ComputerName $DnsServerComputerName -ErrorAction SilentlyContinue | Remove-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServerComputerName -Force
   Add-DnsServerResourceRecordCName -Name $AliasHost -ComputerName $DnsServerComputerName -HostNameAlias $FSxDnsName -ZoneName $ZoneName
   ```

1. Repeat the previous step for each DNS alias that you associated with the file system in [Step 1](step1-assign-dns-alias.md).

You've now added a DNS CNAME value for your Amazon FSx file system with the DNS alias. You can now use the DNS alias to access your data.

**Note**  
When you update a DNS CNAME record that previously pointed to another file system so that it points to an Amazon FSx file system, clients might not be able to connect to the file system for a brief period of time. When the client DNS cache refreshes, they should be able to connect using the DNS alias. For more information, see [Can't access the file system using a DNS alias](unable-to-access.md#cant-connect-using-dns-alias).

# Enforcing Kerberos authentication using Group Policy Objects (GPOs)
<a name="enforce-kerberos"></a>

You can enforce Kerberos authentication when accessing the file system by setting the following Group Policy Objects (GPOs) in your Active Directory:
+ **Restrict NTLM: Outgoing NTLM traffic to remote servers** - Use this policy setting to deny or audit outgoing NTLM traffic from a computer to any remote server running the Windows operating system.
+ **Restrict NTLM: Add remote server exceptions for NTLM authentication** - Use this policy setting to create an exception list of remote servers to which client devices are allowed to use NTLM authentication if the *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers* policy setting is configured.

1. Log on to a Windows instance joined to the Active Directory to which your Amazon FSx file system is joined as an administrator. If you are configuring a self-managed Active Directory, apply these steps directly to your Active Directory.

1. Choose **Start**, choose **Administrative Tools**, and then choose **Group Policy Management**.

1. Choose **Group Policy Objects**.

1. If your Group Policy Object does not already exist, create it.

1. Locate the existing **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy. (If there is no existing policy, create a new policy.) In the **Local security setting** tab, open the context (right-click) menu, and choose **Properties**.

1. Choose **Deny all**.

1. Choose **Apply** to save the security setting.

1. To set exceptions for NTLM connections to specific remote servers for the client, locate the **Network security: Restrict NTLM: Add remote server exceptions**.

   Open the context (right-click) menu, and choose **Properties** in the **Local security setting** tab.

1. Enter the names of any servers to add to the exception list.

1. Choose **Apply** to save the security setting.
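The following PowerShell functions are an added example, not code from the AWS guide. They let you verify on a client that the two GPO settings above actually applied, and, while the policy is still in **Audit all**, list the outgoing NTLM authentications that **Deny all** would later block, so you can populate the exception list before enforcing. The registry values read here (`RestrictSendingNTLMTraffic`, where 0 is Allow all, 1 is Audit all and 2 is Deny all, and `ClientAllowedNTLMServers`) are the values those policy settings write under `MSV1_0`; the function names are this example's own choices.

```powershell
# Added example (not from the AWS guide): confirm the "Restrict NTLM" client settings
# applied and review audited outgoing NTLM traffic before switching to Deny all.

function Get-NtlmClientRestriction {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # "Restrict NTLM: Outgoing NTLM traffic to remote servers" writes RestrictSendingNTLMTraffic:
    # 0 = Allow all, 1 = Audit all, 2 = Deny all; the value is absent when not configured.
    $mode = switch ($props.RestrictSendingNTLMTraffic) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        OutgoingNtlmMode   = $mode
        # "Add remote server exceptions for NTLM authentication" writes ClientAllowedNTLMServers.
        AllowedNtlmServers = (@($props.ClientAllowedNTLMServers) -join ', ')
    }
}

function Get-NtlmAuditEvents {
    param([int]$MaxEvents = 50)   # example default

    # With the policy in Audit all, the client logs event 8001 in the NTLM operational log
    # for each outgoing NTLM authentication that Deny all would block; the message includes
    # the target server, which is what you need to decide the exception list.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Summary = ($_.Message -split "`n")[0]
            }
        }
}

# Usage:
# Get-NtlmClientRestriction
# Get-NtlmAuditEvents -MaxEvents 20
```

Run `gpupdate /force` on the client first so the GPO has applied, then compare `OutgoingNtlmMode` with what you set in the policy. An FSx for Windows File Server file system reached by its DNS name or a DNS alias with correctly configured SPNs should never appear in the audit events; if it does, the client is authenticating to it with NTLM, which usually means it is connecting by IP address or by a name without a matching SPN.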

# Accessing data using file shares
<a name="using-file-shares"></a>

A Microsoft Windows *file share* is a specific folder or directory on your file system. It includes any subfolders that might exist. Clients access the file shares on your file system using the Server Message Block (SMB) protocol. Your FSx for Windows File Server file system comes with a default Windows file share, named `share`. You can create and manage as many other file shares as you want by using the Windows *Shared Folders* graphical user interface (GUI) tool.

Microsoft Windows continuously available (CA) shares provide the primary benefit of maintaining uninterrupted access to shared files even when a server node within a cluster fails. Using CA file shares can minimize interruptions to the server applications that are storing their data files on these file shares during file system maintenance windows.

For more information about creating and managing file shares on your FSx for Windows File Server file system, including CA shares, see [Creating, updating, removing file shares](managing-file-shares.md).

## Mapping file shares
<a name="mapping-file-shares"></a>

To access your file shares, use the Windows Map Network Drive functionality to map a drive letter on your compute instance to your Amazon FSx file share. The process of mapping a file share to a drive on your compute instance is known as *mounting* a file share in Linux. This process differs depending on the type of compute instance and the operating system. After your file share is mapped, your applications and users can access files and folders on your file share as if they are local files and folders.

For more information about mapping and mounting file shares to access data on your file system, see the following procedures:
+ [Mapping a file share on an Amazon EC2 Windows instance](map-share-windows.md)
+ [Mounting a file share on an Amazon EC2 Mac instance](map-share-mac.md)
+ [Mounting a file share on an Amazon EC2 Linux instance](map-shares-linux.md)

# Mapping a file share on an Amazon EC2 Windows instance
<a name="map-share-windows"></a>

You can map a file share on an EC2 Windows instance to access your FSx for Windows File Server file system by using the Windows File Explorer or the command prompt.

## To map a file share on an Amazon EC2 Windows instance (File Explorer)
<a name="map-file-share-ec2-win-comm"></a>

1. Launch the EC2 Windows instance and connect it to the Microsoft Active Directory that you joined your Amazon FSx file system to. To do this, choose one of the following procedures from the *AWS Directory Service Administration Guide*:
   + [Seamlessly join a Windows EC2 instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html)
   + [Manually join a Windows instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html)

1. Connect to your EC2 Windows instance. For more information, see [Connecting to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide*.

1. After you're connected, open File Explorer.

1. In the navigation pane, open the context (right-click) menu for **Network**, and choose **Map Network Drive**.

1. For **Drive**, choose a drive letter.

1. For **Folder**, enter either the file system's DNS name or a DNS alias associated with the file system, and the share name. 
**Important**  
Using an IP address instead of the DNS name could result in unavailability during the failover process of the Multi-AZ file system. Also, DNS names or associated DNS aliases are required for Kerberos-based authentication in Multi-AZ and Single-AZ file systems. 

   You can find the file system's DNS name and any associated DNS aliases on the [Amazon FSx console](https://console.aws.amazon.com/fsx) by choosing **Windows File Server**, **Network & security**. Or, you can find them in the response of the [CreateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystem.html) or [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation. For more information about using DNS aliases, see [Managing DNS aliases](managing-dns-aliases.md).
   + For a Single-AZ file system joined to an AWS Managed Microsoft Active Directory, the DNS name looks like the following.

     ```
     fs-0123456789abcdef0.ad-domain.com
     ```
   + For a Single-AZ file system joined to a self-managed Active Directory, and any Multi-AZ file system, the DNS name looks like the following.

     ```
     amznfsxaa11bb22.ad-domain.com
     ```

   For example, to use a Single-AZ file system's DNS name, enter the following for **Folder**.

   ```
   \\fs-0123456789abcdef0.ad-domain.com\share
   ```

   To use a Multi-AZ file system's DNS name, enter the following for **Folder**.

   ```
   \\amznfsxaa11bb22.ad-domain.com\share
   ```

   To use a DNS alias associated with the file system, enter the following for **Folder**.

   ```
   \\fqdn-dns-alias\share
   ```

1. Choose an option for **Reconnect at sign-in**, which indicates whether the file share should reconnect at sign-in, and then choose **Finish**.

## To map a file share on an Amazon EC2 Windows instance (command prompt)
<a name="map-file-share-ec2-win-command"></a>

1. Launch the EC2 Windows instance and connect it to the Microsoft Active Directory that you joined your Amazon FSx file system to. To do this, choose one of the following procedures from the *AWS Directory Service Administration Guide*:
   + [Seamlessly join a Windows EC2 instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html)
   + [Manually join a Windows instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html)

1. Connect to your EC2 Windows instance as a user in your AWS Managed Microsoft AD directory. For more information, see [Connecting to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide*.

1. After you're connected, open a command prompt window.

1. Mount the file share using a drive letter of your choice, the file system's DNS name, and the share name. You can find the DNS name using the [Amazon FSx console](https://console.aws.amazon.com/fsx) by choosing **Windows File Server**, **Network & security**. Or, you can find it in the response of the `CreateFileSystem` or `DescribeFileSystems` API operation.
   + For a Single-AZ file system joined to an AWS Managed Microsoft Active Directory, the DNS name looks like the following.

     ```
     fs-0123456789abcdef0.ad-domain.com
     ```
   + For a Single-AZ file system joined to a self-managed Active Directory, and any Multi-AZ file system, the DNS name looks like the following.

     ```
     amznfsxaa11bb22.ad-domain.com
     ```

   The following is an example command to mount the file share.

   ```
   $ net use H: \\amznfsxaa11bb22.ad-domain.com\share /persistent:yes
   ```

   Instead of the `net use` command, you can also use any supported PowerShell command to mount a file share.

  

# Mounting a file share on an Amazon EC2 Mac instance
<a name="map-share-mac"></a>

You can mount a file share on an Amazon EC2 Mac instance to access your FSx for Windows File Server file system, whether or not the instance is joined to your Active Directory. If the instance is not joined to your Active Directory, be sure to update the DHCP options set for the Amazon Virtual Private Cloud (Amazon VPC) in which the instance resides to include the DNS name servers for your Active Directory domain. Then relaunch the instance.

## To mount a file share on an Amazon EC2 Mac instance (GUI)
<a name="map-file-share-ec2-mac-vnc"></a>

1. Launch the EC2 Mac instance. To do this, choose one of the following procedures from the *Amazon EC2 User Guide*:
   + [Launch a Mac instance using the console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-launch)
   + [Launch a Mac instance using the AWS CLI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-launch-cli)

1. Connect to your EC2 Mac instance using Virtual Network Computing (VNC). For more information, see [Connect to your instance using VNC](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-vnc) in the *Amazon EC2 User Guide*.

1. On your EC2 Mac instance, connect to your Amazon FSx file share, as follows:

   1. Open Finder, choose **Go**, and then choose **Connect to Server**.

   1. In the **Connect to Server** dialog box, enter either the file system's DNS name or a DNS alias associated with the file system, and the share name. Then choose **Connect**. 

      You can find the file system's DNS name and any associated DNS aliases on the [Amazon FSx console](https://console.aws.amazon.com/fsx) by choosing **Windows File Server**, **Network & security**. Or, you can find them in the response of the [CreateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystem.html) or [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation. For more information about using DNS aliases, see [Managing DNS aliases](managing-dns-aliases.md).   
![\[Mac connection screenshot showing the DNS and share names of the file system pane.\]](http://docs.aws.amazon.com/fsx/latest/WindowsGuide/images/mac-instance-connect1.png)

   1. On the next screen, choose **Connect** to continue.

   1. Enter your Microsoft Active Directory (AD) credentials for the Amazon FSx service account, as shown in the following example. Then choose **Connect**.  
![\[Mac connection screenshot showing how to enter user credentials for the file system pane.\]](http://docs.aws.amazon.com/fsx/latest/WindowsGuide/images/mac-instance-connect2.png)

   1. If the connection is successful, you can see the Amazon FSx share, under **Locations** in your Finder window.

## To mount a file share on an Amazon EC2 Mac instance (command line)
<a name="map-file-share-ec2-mac-command"></a>

1. Launch the EC2 Mac instance. To do this, choose one of the following procedures from the *Amazon EC2 User Guide*:
   + [Launch a Mac instance using the console](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-launch)
   + [Launch a Mac instance using the AWS CLI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-launch-cli)

1. Connect to your EC2 Mac instance using Virtual Network Computing (VNC). For more information, see [Connect to your instance using VNC](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-mac-instances.html#mac-instance-vnc) in the *Amazon EC2 User Guide*.

1. Mount the file share with the following command.

   ```
   mount_smbfs //file_system_dns_name/file_share mount_point
   ```

   You can find the DNS name on the [Amazon FSx console](https://console.aws.amazon.com/fsx) by choosing **Windows File Server**, **Network & security**. Or, you can find it in the response of the `CreateFileSystem` or `DescribeFileSystems` API operation.
   + For a Single-AZ file system joined to an AWS Managed Microsoft Active Directory, the DNS name looks like the following.

     ```
     fs-0123456789abcdef0.ad-domain.com
     ```
   + For a Single-AZ file system joined to a self-managed Active Directory, and any Multi-AZ file system, the DNS name looks like the following.

     ```
     amznfsxaa11bb22.ad-domain.com
     ```

   The mount command used in this procedure does the following at the given points:
   + `//file_system_dns_name/file_share` – Specifies the DNS name and share of the file system to mount.
   + `mount_point` – The directory on the EC2 instance that you are mounting the file system to.

  

# Mounting a file share on an Amazon EC2 Linux instance
<a name="map-shares-linux"></a>

You can mount an FSx for Windows File Server file share on an Amazon EC2 Linux instance to access your file system, whether or not the instance is joined to your Active Directory.

**Note**  
The following commands specify parameters such as SMB protocol, caching, and read and write buffer size as examples only. Parameter choices for the Linux `cifs` command, as well as the Linux kernel version used, can impact throughput and latency for network operations between the client and the Amazon FSx file system. For more information, see `cifs` documentation for the Linux environment you are using.
Linux clients do not support automatic DNS-based failover. For more information, see [Failover experience on Linux clients](high-availability-multiAZ.md#linux-failover).

## To mount a file share on an Amazon EC2 Linux instance joined to an Active Directory
<a name="map-file-share-ec2-linux-kerberos"></a>

1. If you don't already have a running EC2 Linux instance joined to your Microsoft Active Directory, see [Manually join a Linux instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html) in the *AWS Directory Service Administration Guide* for the instructions to do so. 

1. Connect to your EC2 Linux instance. For more information, see [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html) in the *Amazon EC2 User Guide*.

1. Run the following command to install the `cifs-utils` package. This package is used to mount network file systems like Amazon FSx on Linux.

   ```
   $ sudo yum install cifs-utils
   ```

1. Create the mount point directory **/mnt/fsx**. This is where you will mount the Amazon FSx file system.

   ```
   $ sudo mkdir -p /mnt/fsx
   ```

1. Authenticate with Kerberos using the following command.

   ```
   $ kinit
   ```

1. Mount the file share with the following command.

   ```
   $ sudo mount -t cifs //file_system_dns_name/file_share mount_point --verbose -o vers=SMB_version,sec=krb5,cruid=ad_user,rsize=CIFSMaxBufSize,wsize=CIFSMaxBufSize,cache=none,ip=preferred-file-server-Ip
   ```

   You can find the DNS name on the [Amazon FSx console](https://console.aws.amazon.com/fsx) by choosing **Windows File Server**, **Network & security**. Or, you can find it in the response of the `CreateFileSystem` or `DescribeFileSystems` API operation.
   + For a Single-AZ file system joined to an AWS Managed Microsoft Active Directory, the DNS name looks like the following.

     ```
     fs-0123456789abcdef0.ad-domain.com
     ```
   + For a Single-AZ file system joined to a self-managed Active Directory, and any Multi-AZ file system, the DNS name looks like the following.

     ```
     amznfsxaa11bb22.ad-domain.com
     ```

   Replace `CIFSMaxBufSize` with the largest value allowed by your kernel. Run the following command to get this value.

   ```
   $ modinfo cifs | grep CIFSMaxBufSize
   parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (uint)
   ```

   The output shows that the maximum buffer size is 130048.

1. Verify that the file system is mounted by running the following command, which returns only file systems of the Common Internet File System (CIFS) type.

   ```
   $ mount -l -t cifs
   //fs-0123456789abcdef0/share on /mnt/fsx type cifs (rw,relatime,vers=SMB_version,sec=krb5,cache=cache_mode,username=user1@CORP.NETWORK.COM,uid=0,noforceuid,gid=0,noforcegid,addr=192.0.2.0,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
   ```

The mount command used in this procedure does the following at the given points:
+ `//file_system_dns_name/file_share` – Specifies the DNS name and share of the file system to mount.
+ `mount_point` – The directory on the EC2 instance that you are mounting the file system to.
+ `-t cifs vers=SMB_version` – Specifies the type of file system as CIFS and the SMB protocol version. Amazon FSx for Windows File Server supports SMB versions 2.0 through 3.1.1.
+ `sec=krb5` – Specifies to use Kerberos version 5 for authentication.
+ `cache=cache_mode` – Sets the cache mode. This option for CIFS cache can impact performance, and you should test which settings work best (and review Linux documentation) for your kernel and workload. Options `strict` and `none` are recommended, because `loose` can cause data inconsistency due to the looser protocol semantics.
+ `cruid=ad_user` – Sets the uid of the owner of the credentials cache to the AD directory administrator.
+ `/mnt/fsx` – Specifies the mount point for the Amazon FSx file share on your EC2 instance.
+ `rsize=CIFSMaxBufSize,wsize=CIFSMaxBufSize` – Specifies the read and write buffer size as the maximum allowed by the CIFS protocol. Replace `CIFSMaxBufSize` with the largest value allowed by your kernel. Determine the `CIFSMaxBufSize` by running the following command.

  ```
  $ modinfo cifs | grep CIFSMaxBufSize
  parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (uint)
  ```

  The output shows that the maximum buffer size is 130048.
+ `ip=preferred-file-server-Ip` – Sets the destination IP address to that of the file system's preferred file server.

  You can retrieve the file system's preferred file server IP address as follows:
  + Using the Amazon FSx console, on the **Network & security** tab of the **File system details** page.
  + In the response of the `describe-file-systems` CLI command or the equivalent [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API command.
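
The following shell helpers are an added example and are not part of the Amazon FSx documentation. They read the `CIFSMaxBufSize` upper bound out of the `modinfo cifs` line shown above, assemble the `-o` option string for the Kerberos mount in the form used in this procedure, and audit a `mount -l -t cifs` line for the settings the procedure relies on (`sec=krb5`, an SMB 3.x dialect, and a cache mode other than `loose`). The `modinfo` and `mount` output embedded in the script is constructed from the samples above so that it runs offline; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the Amazon FSx documentation). The helpers work on
# constructed sample text so the script runs offline; on an instance, feed them
# the real `modinfo cifs` and `mount -l -t cifs` output instead.

# Constructed copy of the `modinfo cifs` line shown in the procedure above.
SAMPLE_MODINFO='parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (uint)'

# Constructed `mount -l -t cifs` lines: the first matches this procedure's
# settings; the second shows a mount with sec=ntlm, SMB 2.1 and cache=loose.
SAMPLE_MOUNT_OK='//fs-0123456789abcdef0/share on /mnt/fsx type cifs (rw,relatime,vers=3.1.1,sec=krb5,cache=none,username=user1@CORP.NETWORK.COM,uid=0,addr=192.0.2.0,rsize=130048,wsize=130048)'
SAMPLE_MOUNT_BAD='//fs-0123456789abcdef0/share on /mnt/fsx type cifs (rw,relatime,vers=2.1,sec=ntlm,cache=loose,username=user1,uid=0,addr=192.0.2.0)'

# cifs_max_bufsize MODINFO_TEXT
# Prints the upper end of the "Range: LOW to HIGH" part of the CIFSMaxBufSize line.
cifs_max_bufsize() {
    printf '%s\n' "$1" |
        sed -n 's/.*CIFSMaxBufSize:.*Range: [0-9]* to \([0-9]*\).*/\1/p'
}

# build_krb5_opts SMB_VERSION AD_USER PREFERRED_FILE_SERVER_IP BUFSIZE
# Prints the -o string for the Kerberos mount in the form used above.
build_krb5_opts() {
    printf 'vers=%s,sec=krb5,cruid=%s,rsize=%s,wsize=%s,cache=none,ip=%s\n' \
        "$1" "$2" "$4" "$4" "$3"
}

# audit_cifs_mount MOUNT_LINE
# Returns 0 when the mounted share uses sec=krb5, an SMB 3.x dialect and a cache
# mode other than loose; otherwise prints each finding to stderr and returns 1.
audit_cifs_mount() {
    opts=$(printf '%s\n' "$1" | sed -n 's/.*type cifs (\(.*\))$/\1/p')
    [ -n "$opts" ] || { echo "not a cifs mount line: $1" >&2; return 1; }
    rc=0
    case ",$opts," in
        *,sec=krb5,*) ;;
        *) echo "sec= is not krb5" >&2; rc=1 ;;
    esac
    case ",$opts," in
        *,vers=3.*) ;;
        *) echo "vers= is not an SMB 3.x dialect" >&2; rc=1 ;;
    esac
    case ",$opts," in
        *,cache=loose,*) echo "cache=loose can cause data inconsistency" >&2; rc=1 ;;
    esac
    return $rc
}

# Demonstration on the constructed samples.
MAX=$(cifs_max_bufsize "$SAMPLE_MODINFO")
echo "CIFSMaxBufSize upper bound: $MAX"
echo "mount options: $(build_krb5_opts 3.1.1 user1 192.0.2.0 "$MAX")"
for line in "$SAMPLE_MOUNT_OK" "$SAMPLE_MOUNT_BAD"; do
    if audit_cifs_mount "$line"; then echo "PASS: $line"; else echo "FAIL: $line"; fi
done
```

On a real instance, replace the sample variables with `"$(modinfo cifs | grep CIFSMaxBufSize)"` and the lines of `mount -l -t cifs`; the audit is a cheap post-mount check that the share really negotiated Kerberos and SMB 3 rather than silently falling back.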

# To mount a file share on an Amazon EC2 Linux instance not joined to an Active Directory
<a name="map-file-share-ec2-linux-command"></a>

The following procedure mounts an Amazon FSx file share to an Amazon EC2 Linux instance that is not joined to your Active Directory (AD). For an EC2 Linux instance that is not joined to your AD, you can only mount an FSx for Windows File Server file share by using its private IP address. You can get the file system's private IP address using the [Amazon FSx console](https://console.aws.amazon.com/fsx), on the **Network & security** tab, in **Preferred File Server IP Address**. 

 This example uses NTLM authentication. To do this, you mount the file system as a user that is a member of the Microsoft Active Directory domain that the FSx for Windows File Server file system is joined to. The credentials for the user account are provided in a text file that you create on your EC2 instance, `creds.txt`. This file contains the user name, password, and domain for the user.

```
$ cat creds.txt
username=user1
password=Password123
domain=EXAMPLE.COM
```

**To launch and configure the Amazon Linux EC2 instance**

1. Launch an Amazon Linux EC2 instance using the [Amazon EC2 console](https://console.aws.amazon.com/ec2). For more information, see [Launch an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance) in the *Amazon EC2 User Guide*.

1. Connect to your Amazon Linux EC2 instance. For more information, see [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html) in the *Amazon EC2 User Guide*.

1. Run the following command to install the `cifs-utils` package. This package is used to mount network file systems like Amazon FSx on Linux.

   ```
   $ sudo yum install cifs-utils
   ```

1. Create the mount point **/mnt/fsx** where you plan to mount the Amazon FSx file system.

   ```
   $ sudo mkdir -p /mnt/fsx
   ```

1. Create the `creds.txt` credentials file in the `/home/ec2-user` directory, using the format shown previously.

1. Set the `creds.txt` file permissions so that only you (the owner) can read and write to the file by running the following command.

   ```
   $ chmod 700 creds.txt
   ```
<a name="mnt-ip-addr"></a>
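
As an added example that is not part of the FSx documentation, the following script creates the `creds.txt` file described above under a `umask` of 077, so it is never readable by other local users, even briefly, before a later `chmod` runs, and then checks the file before it is handed to `mount.cifs`. Paths and account values are constructed placeholders; `write_creds_file` and `check_creds_file` are names I chose. A note on the `chmod 700` step above: a plain text file needs no execute bit, so `600` gives the same protection, and the check accepts either.

```shell
#!/bin/sh
# Added example (not from the Amazon FSx documentation). Creates the creds.txt
# file for mount.cifs with a restrictive umask and checks it before use.

# write_creds_file PATH USERNAME PASSWORD DOMAIN
# The subshell's umask 077 makes the file mode 600 from the moment it exists,
# so there is no window in which another local user could read the password.
write_creds_file() {
    ( umask 077 && printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" )
}

# check_creds_file PATH
# Returns 0 if the file exists, belongs to the caller, has no group/other
# permission bits (mode 600 or 700 both pass), and carries the three keys
# mount.cifs reads; otherwise reports the problem on stderr and returns 1.
check_creds_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ -O "$f" ] || { echo "$f: not owned by the current user" >&2; return 1; }
    # Columns 5-10 of `ls -ld` are the group and other permission bits.
    others=$(ls -ld "$f" | cut -c5-10)
    [ "$others" = "------" ] || { echo "$f: readable by others (bits '$others')" >&2; return 1; }
    for key in username password domain; do
        grep -q "^$key=" "$f" || { echo "$f: missing $key=" >&2; return 1; }
    done
    return 0
}

# Demonstration in a throwaway directory with constructed placeholder values.
DEMO_DIR=$(mktemp -d)
write_creds_file "$DEMO_DIR/creds.txt" user1 Password123 EXAMPLE.COM
ls -l "$DEMO_DIR/creds.txt"
if check_creds_file "$DEMO_DIR/creds.txt"; then echo "creds.txt OK"; fi
chmod 644 "$DEMO_DIR/creds.txt"   # simulate a careless permission change
if check_creds_file "$DEMO_DIR/creds.txt"; then echo "unexpected pass"; else echo "creds.txt rejected as expected"; fi
rm -rf "$DEMO_DIR"
```

Keeping the password in a file rather than in a `password=` mount option also keeps it out of the process list and shell history on the instance; `check_creds_file` is the kind of guard to run from any script that wraps the `mount` command below.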

**To mount the file system**

1. You mount a file share not joined to your Active Directory by using its private IP address. You can get the file system's private IP address using the [Amazon FSx console](https://console.aws.amazon.com/fsx), on the **Network & security** tab, in the **Preferred File Server IP Address**.

1. Mount the file system using the following command:

   ```
   $ sudo mount -t cifs //file-system-IP-address/file_share /mnt/fsx --verbose -o vers=SMB_version,sec=ntlmsspi,cred=/home/ec2-user/creds.txt,rsize=CIFSMaxBufSize,wsize=CIFSMaxBufSize,cache=none
   ```

   Replace `CIFSMaxBufSize` with the largest value allowed by your kernel. Run the following command to get this value.

   ```
   $ modinfo cifs | grep CIFSMaxBufSize
   parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (uint)
   ```

   The output shows that the maximum buffer size is 130048.

1. Verify that the file system is mounted by running the following command, which returns only CIFS file systems.

   ```
   $ mount -l -t cifs
   //file-system-IP-address/file_share on /mnt/fsx type cifs (rw,relatime,vers=SMB_version,sec=ntlmsspi,cache=cache_mode,username=user1,domain=CORP.EXAMPLE.COM,uid=0,noforceuid,gid=0,noforcegid,addr=192.0.2.0,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
   ```

The mount command used in this procedure does the following at the given points:
+ `//file-system-IP-address/file_share` – Specifies the IP address and share of the file system you're mounting.
+ `-t cifs vers=SMB_version` – Specifies the type of file system as CIFS and the SMB protocol version. Amazon FSx for Windows File Server supports SMB versions 2.0 through 3.1.1.
+ `sec=ntlmsspi` – Specifies to use NT LAN Manager Security Support Provider Interface (NTLMSSPI) for authentication.
+ `cache=cache_mode` – Sets the cache mode. This option for CIFS cache can impact performance, and you should test which settings work best (and review Linux documentation) for your kernel and workload. Options `strict` and `none` are recommended, because `loose` can cause data inconsistency due to the looser protocol semantics.
+ `cred=/home/ec2-user/creds.txt` – Specifies where to get the user credentials.
+ `/mnt/fsx` – Specifies the mount point for the Amazon FSx file share on your EC2 instance.
+ `rsize=CIFSMaxBufSize,wsize=CIFSMaxBufSize` – Specifies the read and write buffer size as the maximum allowed by the CIFS protocol. Replace `CIFSMaxBufSize` with the largest value allowed by your kernel. Determine the `CIFSMaxBufSize` by running the following command.

  ```
  $ modinfo cifs | grep CIFSMaxBufSize
  parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (uint)
  ```

  

# Automatically mount file shares on an Amazon EC2 Linux instance
<a name="automount-fsxw-ec2-linux"></a>

You can automatically mount your FSx for Windows File Server file share to access your FSx for Windows File Server file system whenever the Amazon EC2 Linux instance to which it's mounted reboots. To do so, add an entry to the `/etc/fstab` file on the EC2 instance. The `/etc/fstab` file contains information about file systems. The command **mount -a**, which runs during instance startup, mounts the file systems listed in the `/etc/fstab` file. 

For an Amazon EC2 Linux instance that is *not* joined to your Active Directory, you can only mount an FSx for Windows File Server file share by using its private IP address. You can get the file system's private IP address using the [Amazon FSx console](https://console.aws.amazon.com/fsx), on the **Network & security** tab, in **Preferred File Server IP Address**.

The following procedure uses Microsoft NTLM authentication. You mount the file system as a user that is a member of the Microsoft Active Directory domain to which the FSx for Windows File Server file system is joined. The credentials for the user account are read from the `creds.txt` file, whose contents look like the following.

```
$ cat creds.txt
username=user1
password=Password123
domain=EXAMPLE.COM
```

## To automatically mount a file share on an Amazon Linux EC2 instance not joined to your Active Directory
<a name="automount-ec2-linux-ip"></a>

**To launch and configure the Amazon Linux EC2 instance**

1. Launch an Amazon Linux EC2 instance using the [Amazon EC2 console](https://console.aws.amazon.com/ec2). For more information, see [Launch an instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance) in the *Amazon EC2 User Guide*.

1. Connect to your instance. For more information, see [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html) in the *Amazon EC2 User Guide*.

1. Run the following command to install the `cifs-utils` package. This package is used to mount network file systems like Amazon FSx on Linux.

   ```
   $ sudo yum install cifs-utils
   ```

1. Create the `/mnt/fsx` directory. This is where you will mount the Amazon FSx file system.

   ```
   $ sudo mkdir /mnt/fsx
   ```

1. Create the `creds.txt` credentials file in the `/home/ec2-user` directory.

1. Set the file permissions so that only you (the owner) can read the file by running the following command.

   ```
   $ sudo chmod 700 creds.txt
   ```

**To automatically mount the file system**

1. You automatically mount a file share not joined to your Active Directory by using its private IP address. You can get the file system's private IP address using the [Amazon FSx console](https://console.aws.amazon.com/fsx), on the **Network & security** tab, in **Preferred File Server IP Address**.

1. To automatically mount the file share using its private IP address, add the following line to the `/etc/fstab` file.

   ```
   //file-system-IP-address/file_share /mnt/fsx cifs vers=SMB_version,sec=ntlmsspi,cred=/home/ec2-user/creds.txt,rsize=CIFSMaxBufSize,wsize=CIFSMaxBufSize,cache=none,_netdev 0 0
   ```

   Replace `CIFSMaxBufSize` with the largest value allowed by your kernel. Run the following command to get this value.

   ```
   $ modinfo cifs | grep CIFSMaxBufSize
   parm:           CIFSMaxBufSize:Network buffer size (not including header). Default: 16384 Range: 8192 to 130048 (uint)
   ```

   The output shows that the maximum buffer size is 130048.

1. Test the `fstab` entry by using the `mount` command with the 'fake' option in conjunction with the 'all' and 'verbose' options.

   ```
   $ sudo mount -fav
   /mnt/fsx                 : successfully mounted
   ```

1. To mount the file share, reboot the Amazon EC2 instance.

1. When the instance is available again, verify that the file system is mounted by running the following command.

   ```
   $ sudo mount -l -t cifs
   //file-system-IP-address/file_share on /mnt/fsx type cifs (rw,relatime,vers=SMB_version,sec=ntlmsspi,cache=cache_mode,username=user1,domain=CORP.EXAMPLE.COM,uid=0,noforceuid,gid=0,noforcegid,addr=192.0.2.0,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
   ```

   The line added to the `/etc/fstab` file in this procedure does the following at the given points:
   + `//file-system-IP-address/file_share` – Specifies the IP address and share of the Amazon FSx file system you're mounting.
   + `/mnt/fsx` – Specifies the mount point for the Amazon FSx file system on your EC2 instance.
   + `cifs vers=SMB_version` – Specifies the type of file system as CIFS and the SMB protocol version. Amazon FSx for Windows File Server supports SMB versions 2.0 through 3.1.1.
   + `sec=ntlmsspi` – Specifies using NT LAN Manager Security Support Provider Interface to facilitate NTLM challenge-response authentication.
   + `cache=cache_mode` – Sets the cache mode. This option for CIFS cache can impact performance, and you should test which settings work best (and review Linux documentation) for your kernel and workload. Options `strict` and `none` are recommended, because `loose` can cause data inconsistency due to the looser protocol semantics.
   + `cred=/home/ec2-user/creds.txt` – Specifies where to get the user credentials.
   + `_netdev` – Tells the operating system that the file system resides on a device that requires network access. Using this option prevents the instance from mounting the file system until the network service is enabled on the client.
   + `0` – Indicates that the file system should be backed up by `dump`, if it's a nonzero value. For Amazon FSx, this value should be `0`.
   + `0` – Specifies the order in which `fsck` checks file systems at boot. For Amazon FSx file systems, this value should be `0` to indicate that `fsck` shouldn't run at start up.
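
The following is an added example, not from the Amazon FSx documentation: a small builder for the `/etc/fstab` line above and a lint function to run on the entry before rebooting, alongside the `mount -fav` dry run from the procedure. It checks for six fields, the `cifs` type, a `cred=` file rather than an inline `password=` option (which would otherwise sit in `/etc/fstab`, a file that is usually world-readable), `_netdev`, an accepted `sec=` value, and `0 0` for the dump and fsck fields. All values are constructed placeholders; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the Amazon FSx documentation): build and lint the
# /etc/fstab entry described above. All values are constructed placeholders.

# fstab_cifs_entry IP SHARE MOUNTPOINT SMB_VERSION CREDS_FILE BUFSIZE
# Prints one fstab line in the form used in the procedure, with _netdev so the
# mount is deferred until networking is up.
fstab_cifs_entry() {
    printf '//%s/%s %s cifs vers=%s,sec=ntlmsspi,cred=%s,rsize=%s,wsize=%s,cache=none,_netdev 0 0\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$6"
}

# lint_fstab_cifs LINE
# Returns 0 if LINE has six fields, type cifs, a credentials file rather than an
# inline password, _netdev, an accepted sec= value and "0 0" for dump/fsck;
# otherwise prints the first problem to stderr and returns 1.
lint_fstab_cifs() {
    set -- $1   # split the line on whitespace into the six fstab fields
    [ $# -eq 6 ] || { echo "expected 6 fields, got $#" >&2; return 1; }
    [ "$3" = cifs ] || { echo "type is '$3', not cifs" >&2; return 1; }
    [ "$5" = 0 ] && [ "$6" = 0 ] || { echo "dump and pass fields must be 0 0" >&2; return 1; }
    opts=",$4,"
    case "$opts" in *,password=*) echo "inline password= in /etc/fstab" >&2; return 1 ;; esac
    case "$opts" in *,cred=*|*,credentials=*) ;; *) echo "no cred= credentials file" >&2; return 1 ;; esac
    case "$opts" in *,_netdev,*) ;; *) echo "missing _netdev" >&2; return 1 ;; esac
    case "$opts" in *,sec=ntlmsspi,*|*,sec=krb5,*) ;; *) echo "sec= is not ntlmsspi or krb5" >&2; return 1 ;; esac
    return 0
}

# Demonstration with constructed values.
ENTRY=$(fstab_cifs_entry 192.0.2.10 share /mnt/fsx 3.1.1 /home/ec2-user/creds.txt 130048)
echo "$ENTRY"
if lint_fstab_cifs "$ENTRY"; then echo "entry OK"; fi
BAD='//192.0.2.10/share /mnt/fsx cifs vers=3.1.1,sec=ntlmsspi,password=Password123 0 0'
if lint_fstab_cifs "$BAD"; then echo "unexpected pass"; else echo "bad entry rejected"; fi
```

Run the lint over each `cifs` line of the real file with `grep ' cifs ' /etc/fstab | while IFS= read -r l; do lint_fstab_cifs "$l"; done` before the `mount -fav` step; it catches the omissions that `mount -fav` accepts silently, such as a missing `_netdev`.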

# Creating, updating, removing file shares
<a name="managing-file-shares"></a>

This topic describes how you can manage file shares by performing the following tasks.
+ Create a new file share
+ Modify an existing file share
+ Remove an existing file share

You can use the Windows-native Shared Folders GUI and the Amazon FSx CLI for remote management on PowerShell to manage file shares on your FSx for Windows File Server file system. You might experience delays when using the Shared Folders GUI (**fsmgmt.msc**) when first opening the context menu for shares located on a different file system. To avoid these delays, use PowerShell to manage file shares that are located on multiple file systems.

Microsoft Windows enforces rules and limitations for naming files and directories. To ensure that you can successfully create and access your data, you should name your files and directories according to these Windows guidelines. For more information, see [Naming Conventions](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file#naming-conventions).

**Warning**  
Amazon FSx requires that the SYSTEM user has **Full control** NTFS ACL permissions on every folder on which you create an SMB file share. Do not change the NTFS ACL permissions for this user on your folders, as doing so can make your file shares inaccessible.

## Managing file shares with the Shared Folders GUI
<a name="shared-folders-tool"></a>

To manage file shares on your Amazon FSx file system, you can use the Shared Folders GUI. The Shared Folders GUI provides a central location for managing all shared folders on a Windows server. The following procedures describe how to manage your file shares.

**To connect shared folders to your FSx for Windows File Server file system**

1. Launch your Amazon EC2 instance and connect it to the Microsoft Active Directory that your Amazon FSx file system is joined to. To do this, choose one of the following procedures from the *AWS Directory Service Administration Guide*:
   + [Seamlessly join a Windows EC2 instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html)
   + [Manually join a Windows instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html)

1. Connect to your instance as a user that is a member of the file system administrators group. In AWS Managed Microsoft Active Directory, this group is called AWS Delegated FSx Administrators. In your self-managed Microsoft Active Directory, this group is called Domain Admins or the custom name for the administrators group that you provided during creation. For more information, see [Connect to your Windows instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon Elastic Compute Cloud User Guide for Windows Instances*.

1. Open the **Start** menu and run **fsmgmt.msc** using **Run As Administrator**. Doing this opens the Shared Folders GUI tool.

1. For **Action**, choose **Connect to another computer**.

1. For **Another computer**, enter the Domain Name System (DNS) name for your Amazon FSx file system, for example **amznfsxabcd0123.corp.example.com**. 

   To find your file system's DNS name on the Amazon FSx console, choose **File systems**, choose your file system, and then check the **Network & Security** section of the file system details page. You can also get the DNS name in the response of the [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation.

1. Choose **OK**. An entry for your Amazon FSx file system then appears in the list for the Shared Folders tool.

Now that Shared Folders is connected to your Amazon FSx file system, you can manage the Windows file shares on the file system (the default share is called `\share`) with the following actions:
+ **Create a new file share** – In the Shared Folders tool, choose **Shares** in the left pane to see the active shares for your Amazon FSx file system. Choose **New Share** and complete the Create a Shared Folder wizard.

  You have to create the local folder prior to creating the new file share. You can do so as follows: 
  + Using the Shared Folders tool: choose **Browse** when specifying the local folder path, and then choose **Make new folder** to create the local folder.
  + Using command line:

    ```
    New-Item -Type Directory -Path \\amznfsxabcd0123.corp.example.com\D$\share\MyNewShare
    ```
+ **Modify a file share** – In the Shared Folders tool, open the context (right-click) menu for the file share that you want to modify in the right pane, and choose **Properties**. Modify the properties and choose **OK**.
+ **Remove a file share** – In the Shared Folders tool, open the context (right-click) menu for the file share that you want to remove in the right pane, and then choose **Stop Sharing**.
**Note**  
For Single-AZ 2 and Multi-AZ file systems, removing file shares or modifying file shares (including updating permissions, user limits, and other properties) using the Shared Folders GUI tool is possible only if you connect to **fsmgmt.msc** using the DNS Name of the Amazon FSx file system. The Shared Folders GUI tool does not support these actions if you connect using the IP address or DNS alias name of the file system.
**Note**  
If you are using the **fsmgmt.msc** Shared Folders GUI tool to access shares located on multiple FSx for Windows File Server file systems, you may experience delays when first opening the file share context menu for a share that is located on a different file system. To avoid these delays, you can manage file shares using PowerShell as described below.

## Managing file shares with PowerShell
<a name="manage-file-shares-pwrshell"></a>

You can manage file shares using custom FSx for Windows File Server remote-management commands for PowerShell. These commands can help you to automate managing file share tasks such as:
+ Migrating file shares from existing file servers to Amazon FSx
+ Synchronizing file shares across AWS Regions for disaster recovery
+ Programmatically managing ongoing file shares workflows, such as team file-share provisioning

To learn how to use the Amazon FSx CLI for remote management on PowerShell, see [Using the Amazon FSx CLI for PowerShell](administering-file-systems.md#remote-pwrshell).

The following table lists the Amazon FSx CLI remote management PowerShell commands that you can use to manage file shares on FSx for Windows File Server file systems.


| Share Management Command | Description |
| --- | --- |
| **New-FSxSmbShare** | Creates a new file share. |
| **Remove-FSxSmbShare** | Removes a file share. |
| **Get-FSxSmbShare** | Retrieves existing file shares. |
| **Set-FSxSmbShare** | Sets properties for a share. |
| **Get-FSxSmbShareAccess** | Retrieves the access control list (ACL) of a share. |
| **Grant-FSxSmbShareAccess** | Adds an allow access control entry (ACE) for a trustee to the security descriptor of a share. |
| **Revoke-FSxSmbShareAccess** | Removes all of the allow ACEs for a trustee from the security descriptor of a share. |
| **Block-FSxSmbShareAccess** | Adds a deny ACE for a trustee to the security descriptor of a share. |
| **Unblock-FSxSmbShareAccess** | Removes all of the deny ACEs for a trustee from the security descriptor of a share. |

The online help for each command provides a reference of all command options. To access this help, run the command with the `-?` option, for example `New-FSxSmbShare -?`.

### Passing credentials to New-FSxSmbShare
<a name="pass-credentials-to-new-fsxsmbshare"></a>

You can pass credentials to New-FSxSmbShare so that you can run it in a loop to create hundreds or thousands of shares without having to re-enter credentials each time.

Prepare the credential object required to create the file shares on your FSx for Windows File Server file system using one of the following options.
+ To generate the credential object interactively, use the following command.

  ```
  $credential = Get-Credential
  ```
+ To generate the credential object from an AWS Secrets Manager secret, use the following commands. This requires the `Get-SECSecretValue` cmdlet from the AWS Tools for PowerShell, and a secret whose JSON value contains `UserName` and `Password` keys.

  ```
  # $AdminSecret holds the ID (or ARN) of the Secrets Manager secret; its JSON value must have UserName and Password keys.
  $credential = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString
  # Build the PSCredential object used when running New-FSxSmbShare remotely; the password stays in memory as a SecureString.
  $FSxAdminUserCredential = (New-Object PSCredential($credential.UserName,(ConvertTo-SecureString $credential.Password -AsPlainText -Force)))
  ```
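The following script is an added example, not code from the Amazon FSx documentation. It ties together the credential preparation above and the share-management commands in the table: it builds the credential once from a Secrets Manager secret, then loops over a constructed list of shares, creating each one through the remote-management session and tightening its share-level ACL so that only the intended domain groups have access. The endpoint hostname, secret ID, share paths and group names are placeholders; the `-AccountName`, `-AccessRight` and `-Force` parameters are assumed to mirror those of the Windows `SmbShare` module cmdlets that the FSx commands correspond to.

```powershell
# Added example (not from the Amazon FSx documentation): provision several shares in one pass
# with a single credential, then restrict share-level access to named groups.
# Placeholders (replace with your own values): endpoint name, secret ID, share paths, group names.

$PowerShellEndpoint = 'amznfsxzzzzzzzz.corp.example.com'   # your file system's Windows Remote PowerShell Endpoint
$AdminSecret        = 'fsx/admin-credential'                # Secrets Manager secret with {"UserName": ..., "Password": ...}

# Build the PSCredential once from the secret, so the loop below never prompts.
# The password is held only in memory as a SecureString and never written to disk.
$secret     = ConvertFrom-Json -InputObject (Get-SECSecretValue -SecretId $AdminSecret).SecretString
$credential = New-Object System.Management.Automation.PSCredential(
    $secret.UserName,
    (ConvertTo-SecureString $secret.Password -AsPlainText -Force))

# Constructed share definitions: one entry per share, with the groups that may change or only read it.
$shares = @(
    @{ Name = 'finance';     Path = 'D:\share\finance';     ReadWrite = 'CORP\finance-rw'; ReadOnly = 'CORP\finance-ro' },
    @{ Name = 'engineering'; Path = 'D:\share\engineering'; ReadWrite = 'CORP\eng-rw';     ReadOnly = 'CORP\eng-ro' }
)

foreach ($s in $shares) {
    # One remote call per share; $using: carries the hashtable into the remote session.
    Invoke-Command -ComputerName $PowerShellEndpoint -ConfigurationName FSxRemoteAdmin -Credential $credential -ScriptBlock {
        $s = $using:s

        # Skip shares that already exist so the script can be re-run safely.
        if (-not (Get-FSxSmbShare -Name $s.Name -ErrorAction SilentlyContinue)) {
            New-FSxSmbShare -Name $s.Name -Path $s.Path -Description "Team share: $($s.Name)" -ContinuouslyAvailable $True
        }

        # Share-level ACL (least privilege): grant only the intended groups, then remove the
        # broad Everyone entry that a new SMB share receives by default.
        # Parameter names assumed to match the Windows Grant-/Revoke-SmbShareAccess cmdlets.
        Grant-FSxSmbShareAccess  -Name $s.Name -AccountName $s.ReadWrite -AccessRight Change -Force
        Grant-FSxSmbShareAccess  -Name $s.Name -AccountName $s.ReadOnly  -AccessRight Read   -Force
        Revoke-FSxSmbShareAccess -Name $s.Name -AccountName 'Everyone' -Force

        # Return the resulting ACL so the caller can log and review it.
        Get-FSxSmbShareAccess -Name $s.Name
    }
}
```

Share-level permissions are evaluated together with the NTFS permissions on the underlying folder, and the more restrictive of the two applies, so tightening the share ACL as shown is defence in depth rather than a replacement for correct NTFS ACLs. Because the script checks for an existing share before calling `New-FSxSmbShare`, it can be re-run after a partial failure without creating duplicates.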

## To create a continuously available (CA) share
<a name="create-ca-share"></a>

You can create continuously available (CA) shares using the Amazon FSx CLI for Remote Management on PowerShell. CA shares created on an FSx for Windows File Server Multi-AZ file system are highly durable and highly available. An Amazon FSx Single-AZ file system is built on a single node cluster. As a result, CA shares created on a Single-AZ file system are highly durable, but are not highly available. Use the `New-FSxSmbShare` command with the `-ContinuouslyAvailable` option set to `$True` to specify that the share is a continuously available share. The following is an example command to create a CA share. 

```
New-FSxSmbShare -Name "New CA Share" -Path "D:\share\new-share" -Description "CA share" -ContinuouslyAvailable $True 
```

You can modify the `-ContinuouslyAvailable` option on an existing file share using the `Set-FSxSmbShare` command.

### Determine if an existing file share is continuously available
<a name="determine-if-ca-enabled"></a>

Use the following command to view the value of the Continuously Available property for an existing file share.

```
Invoke-Command -ComputerName powershell_endpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Get-FSxSmbShare -Name share_name }
```

If CA is enabled, the output will include the following line:

```
[...]
ContinuouslyAvailable : True
[...]
```

If CA is not enabled, the output will include the following line:

```
[...]
ContinuouslyAvailable : False
[...]
```

To enable Continuously Available on an existing file share, use the following command:

```
Invoke-Command -ComputerName powershell_endpoint -ConfigurationName FSxRemoteAdmin -ScriptBlock { Set-FSxSmbShare -Name share_name -ContinuouslyAvailable $True }
```
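The check-and-enable procedure above, generalized to every share on a file system, as an added example that is not part of the Amazon FSx documentation. The function reports the `ContinuouslyAvailable` property of each user share and, only when `-Enforce` is given, turns it on where it is off. The endpoint name is a placeholder, the credential is whichever object you prepared earlier, and the `-Force` switch on `Set-FSxSmbShare` is assumed to mirror the Windows `Set-SmbShare` cmdlet. Keep in mind the caveat from the text: on a Single-AZ file system a CA share is highly durable but not highly available.

```powershell
# Added example (not from the Amazon FSx documentation): audit the ContinuouslyAvailable
# property across all shares on a file system and optionally enable it.
function Get-FSxShareCAReport {
    param(
        [Parameter(Mandatory)] [string]       $PowerShellEndpoint,   # placeholder: your Windows Remote PowerShell Endpoint
        [Parameter(Mandatory)] [pscredential] $Credential,           # e.g. the object from Get-Credential
        [switch]                              $Enforce               # when set, enable CA on shares where it is off
    )

    Invoke-Command -ComputerName $PowerShellEndpoint -ConfigurationName FSxRemoteAdmin -Credential $Credential -ScriptBlock {
        $enforce = [bool] $using:Enforce

        # Get-FSxSmbShare without -Name returns every share. Skip the built-in administrative
        # shares (names ending in $), which are not user data shares.
        foreach ($share in (Get-FSxSmbShare | Where-Object { $_.Name -notlike '*$' })) {
            $wasCA = [bool] $share.ContinuouslyAvailable

            if (-not $wasCA -and $enforce) {
                # -Force assumed to match Windows Set-SmbShare; suppresses the confirmation prompt.
                Set-FSxSmbShare -Name $share.Name -ContinuouslyAvailable $True -Force
            }

            # One report row per share; returned as an object so callers can filter or export it.
            [pscustomobject]@{
                Share        = $share.Name
                Path         = $share.Path
                CAWasEnabled = $wasCA
                CAEnabledNow = ($wasCA -or $enforce)
            }
        }
    }
}

# Usage: first report only, review the rows, then enforce.
# Get-FSxShareCAReport -PowerShellEndpoint 'amznfsxzzzzzzzz.corp.example.com' -Credential (Get-Credential) | Format-Table -AutoSize
# Get-FSxShareCAReport -PowerShellEndpoint 'amznfsxzzzzzzzz.corp.example.com' -Credential (Get-Credential) -Enforce | Format-Table -AutoSize
```

Running the function without `-Enforce` first gives a change record (which shares were already CA and which were not) before anything is modified, which is the pattern to prefer on a production file system.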

# New-FSxSmbShare command fails with a one-way trust
<a name="new-smbshare-fails"></a>

Amazon FSx does not support executing the `New-FSxSmbShare` PowerShell command in cases where you have a one-way trust and the domain in which the user resides is not configured to trust the domain associated with the Amazon FSx file system.

You can resolve this situation using one of the following solutions:
+ Run the `New-FSxSmbShare` command as a user who is in the same domain as the FSx file system.
+ Use the fsmgmt.msc GUI to create shares on your file system. For more information, see [Managing file shares with the Shared Folders GUI](managing-file-shares.md#shared-folders-tool).