I want to validate my self-managed Active Directory configuration for an Amazon FSx for Windows File Server.
Short description
To validate your AWS Managed Active Directory configuration of an Amazon FSx for Windows File Server, use the AWSSupport-ValidateFSxWindowsADConfig AWS Systems Manager automation runbook.
This runbook creates a temporary Amazon Elastic Compute Cloud (Amazon EC2) instance in the same subnet as the FSx for Windows File Server. Then, the runbook runs the FSx validation script. If Amazon FSx is a multi-AZ deployment, then the runbook launches another EC2 instance in the standby subnet. This second instance is used to test network ports from both subnets.
Resolution
Prerequisites:
- Make sure that your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see the Required IAM permissions section of AWSSupport-ValidateFSxWindowsADConfig.
- Create an AWS Secrets Manager secret that stores the Amazon FSx service account username and password, as described in the Prerequisites section of AWSSupport-ValidateFSxWindowsADConfig.
Existing Amazon FSx file servers
Complete the following steps:
- Open the Systems Manager console.
- In the navigation pane, under Shared Resources, choose Documents.
- Search for AWSSupport-ValidateFSxWindowsADConfig.
- Choose the document title to view details.
- Choose Execute Automation, and then choose Simple execution.
- For Input parameters, enter the following information:
  - (Optional) For AutomationAssumeRole, enter the ARN of the IAM role that allows Systems Manager Automation to perform the actions on your behalf.
  - For FSxID, enter the Amazon FSx for Windows File Server ID. This ID is required to validate an existing failed or misconfigured Amazon FSx for Windows file system.
  - For SecretArn, enter the ARN of your Secrets Manager secret that contains the Amazon FSx service account username and password. You must store the username and password as a key/value pair in the following format: {"username":"EXAMPLE-USER","password":"EXAMPLE-PASSWORD"}. The CloudFormation stack creates the validation instance with permission to perform GetSecretValue on this ARN.
  - For FSxSecurityGroupId, enter the security group ID of the Amazon FSx for Windows file system.
  - For BucketName, enter the Amazon S3 bucket to upload the validation results to. Make sure that the bucket is configured with server-side encryption (SSE). The bucket policy also must not grant read or write permissions to parties that don't need access to the logs. Make sure that the EC2 Windows instance has the necessary access to the Amazon S3 bucket.
- Choose Execute.
After the automation completes, review the results in the Outputs section. The complete script output is uploaded to the S3 bucket.
New Amazon FSx file servers
Complete the following steps:
- Open the Systems Manager console.
- In the navigation pane, under Shared Resources, choose Documents.
- Search for AWSSupport-ValidateFSxWindowsADConfig.
- Choose the document title to view details.
- Choose Execute Automation, and then choose Simple execution.
- For Input parameters, enter the following information:
  - (Optional) For AutomationAssumeRole, enter the ARN of the IAM role that allows Systems Manager Automation to perform the actions on your behalf.
  - For SecretArn, enter the ARN of your Secrets Manager secret that contains the Amazon FSx service account username and password. You must store the username and password as a key/value pair in the following format: {"username":"EXAMPLE-USER","password":"EXAMPLE-PASSWORD"}. The CloudFormation stack creates the validation instance with permission to perform GetSecretValue on this ARN.
  - For FSxID, enter the Amazon FSx for Windows File Server ID. This ID is required to validate an existing failed or misconfigured Amazon FSx for Windows file system.
  - For BucketName, enter the Amazon S3 bucket to upload the validation results to.
    Note: As of January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no effect on performance. You can configure your bucket with SSE, if required.
    The bucket policy also must not grant read or write permissions to parties that don't need access to the logs. Make sure that the EC2 Windows instance has the necessary access to the Amazon S3 bucket.
  - For FSxPreferredSubnetID, enter the preferred subnet for the Amazon FSx for Windows File Server.
  - For DomainName, enter the fully qualified domain name of your self-managed Microsoft Active Directory domain.
  - (Optional) For DnsIpAddresses, enter up to two DNS server or domain controller IP addresses in your self-managed Active Directory domain. If you enter two IP addresses, then separate the addresses with a comma.
  - For FSxAdminsGroup, enter the delegated file system administrators group of the Amazon FSx for Windows File Server. The default value for this option is Domain Admins.
  - For FSxOrganizationalUnit, enter the distinguished name (DN) of the organizational unit (OU) that you want to join your file system to. Do not enter the default "Computers" common name (CN).
- Choose Execute.
After the automation completes, review the results in the Outputs section. The complete script output is uploaded to the S3 bucket.
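As an added example, not part of this article or of the runbook itself: a small Python helper that checks the inputs both procedures above depend on (the secret's key/value format, the one-or-two-address DnsIpAddresses value, and the OU distinguished name) and assembles the runbook's input parameters in the shape that the SSM StartAutomationExecution API expects, every value as a list of strings. The function names and the "fs-" plus hex check on the file system ID are my own assumptions; the parameter names are the runbook's as listed above.

```python
import ipaddress
import json
import re


def validate_secret_string(secret_string):
    # The Secrets Manager SecretString must hold exactly the two keys the runbook reads.
    data = json.loads(secret_string)
    if not (isinstance(data, dict) and set(data) == {"username", "password"}
            and all(isinstance(v, str) and v for v in data.values())):
        raise ValueError('secret must look like {"username": "...", "password": "..."}')
    return data


def check_dns_ips(dns_ips):
    # DnsIpAddresses takes one or two addresses, comma-separated; ip_address() rejects malformed ones.
    addrs = [str(ipaddress.ip_address(a.strip())) for a in dns_ips.split(",") if a.strip()]
    if not 1 <= len(addrs) <= 2:
        raise ValueError("DnsIpAddresses takes one or two comma-separated IP addresses")
    return ",".join(addrs)


def check_ou(ou_dn):
    # FSxOrganizationalUnit must be an OU distinguished name, not the default Computers CN.
    if not ou_dn.split(",", 1)[0].strip().upper().startswith("OU="):
        raise ValueError("enter the DN of an organizational unit, not the default Computers CN")
    return ou_dn


def build_parameters(secret_arn, bucket_name, *, fsx_id=None, fsx_sg_id=None,
                     preferred_subnet_id=None, domain_name=None, dns_ips=None,
                     admins_group="Domain Admins", ou_dn=None, assume_role_arn=None):
    # SSM Automation expects every parameter value as a list of strings.
    params = {"SecretArn": [secret_arn], "BucketName": [bucket_name]}
    if assume_role_arn:
        params["AutomationAssumeRole"] = [assume_role_arn]
    if fsx_id:
        if not re.fullmatch(r"fs-[0-9a-f]{8,}", fsx_id):  # assumed ID shape: "fs-" plus hex digits
            raise ValueError(f"unexpected FSx file system ID: {fsx_id}")
        params["FSxID"] = [fsx_id]
    if fsx_sg_id:
        params["FSxSecurityGroupId"] = [fsx_sg_id]
    if preferred_subnet_id or domain_name or ou_dn:
        # A new file system is described by its intended AD configuration instead.
        if not (preferred_subnet_id and domain_name and ou_dn):
            raise ValueError("new file systems need FSxPreferredSubnetID, DomainName and FSxOrganizationalUnit")
        params["FSxPreferredSubnetID"] = [preferred_subnet_id]
        params["DomainName"] = [domain_name]
        params["FSxAdminsGroup"] = [admins_group]
        params["FSxOrganizationalUnit"] = [check_ou(ou_dn)]
        if dns_ips:
            params["DnsIpAddresses"] = [check_dns_ips(dns_ips)]
    return params
```

Pass the returned map as Parameters together with DocumentName "AWSSupport-ValidateFSxWindowsADConfig" to start-automation-execution; the helper never calls AWS itself, so it runs offline.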
Related information
Run an automated operation powered by Systems Manager Automation
Setting up Automation