Can't Create FSx Shares in Extended Premise AD

0

Our internal on-premise AD is extended to AWS. I just successfully created an FSx filesystem and created a DNS alias for the filesystem. The firewall is currently wide open between AWS and on-premise. I can see the DNS alias/share from inside and even make folders within the share. I have also been trying all my tests using the DNS name and NOT the DNS alias as well. No real luck either way.

Problem 1: I cannot connect to the FSx share from the AWS DC (either a routing or access issue, I think).

Problem 2: It seems like I need to have Domain Admins added to the default share, but I can't access there.

I am not to the point of running a DataSync yet. I just want to create a couple shares and test permissions and mapping and such.

Any help would be appreciated.

asked a month ago, 255 views
3 Answers
0

Thanks for that, Francisco_L. I checked all that and everything was wide open.

Due to expediency, I opened a support ticket. My problem was that when I created the FSX filesystem, I created the FSXService service account and an FSXAdmin AD group to manage it. I assumed that because I was logged in with domain admin credentials, I should be able to make shares.

I had to add my domain admin credentials to the FSXAdmin AD group also.

answered a month ago
0

Hello! To connect to an FSx share from the AWS DC, please ensure the following:

  1. The security group in use by FSx needs to allow TCP 445 traffic inbound from the AWS DC's IP address/subnet/VPC/security group.
  2. The AWS DC needs to allow outbound traffic to the FSx IP addresses on TCP 445 as well.
  3. Any network ACL, assuming that it has been customized instead of the default allow-all inbound/outbound rule, must allow the traffic as well. On the AWS DC, outbound TCP 445 and inbound ephemeral ports need to be allowed. On FSx, inbound TCP 445 and outbound ephemeral traffic.
  4. Any custom firewall/security software inside the AWS DC (if applicable) must allow the traffic as well.

For more information, please check this link https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-manage-prereqs.html#network-configs

AWS SUPPORT ENGINEER
answered a month ago
EXPERT reviewed 25 days ago
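As an added example that is not part of any answer in this thread, the following Python checks items 1 to 3 above offline against constructed, boto3-shaped security-group and network-ACL documents (the shape `describe-security-groups` and `describe-network-acls` return); the security-group id and the 1024-65535 ephemeral range are assumptions.

```python
# Added example, not from the re:Post thread: offline check of the answer's items
# over constructed boto3-shaped security-group (SG) and network-ACL documents.
SMB_PORT = 445
EPHEMERAL = range(1024, 65536)  # assumption: Windows dynamic port range for replies

def sg_allows(sg: dict, port: int, peers: set, egress: bool = False) -> bool:
    """Items 1/2: does the SG allow TCP `port` to/from one of `peers` (CIDRs or
    SG ids)? SGs are stateful, so only the initiating direction needs a rule."""
    for p in sg["IpPermissionsEgress" if egress else "IpPermissions"]:
        if p["IpProtocol"] not in ("tcp", "-1"):
            continue
        if p["IpProtocol"] == "tcp" and not p["FromPort"] <= port <= p["ToPort"]:
            continue
        refs = {r["CidrIp"] for r in p.get("IpRanges", [])}
        refs |= {g["GroupId"] for g in p.get("UserIdGroupPairs", [])}
        if refs & peers:
            return True
    return False

def nacl_action(acl: dict, port: int, egress: bool) -> str:
    """Item 3: entries are evaluated by ascending rule number and the first one
    covering the port wins; no match is the implicit '*' deny."""
    for e in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("6", "-1"):
            continue
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if pr["From"] <= port <= pr["To"]:
            return e["RuleAction"]
    return "deny"

def fsx_side_ok(fsx_sg: dict, fsx_acl: dict, dc_peers: set) -> dict:
    """FSx subnet: TCP 445 in from the DC and, because NACLs are stateless, the
    ephemeral reply ports out. Returns every check so the failing one is visible."""
    return {
        "sg_445_in": sg_allows(fsx_sg, SMB_PORT, dc_peers),
        "nacl_445_in": nacl_action(fsx_acl, SMB_PORT, False) == "allow",
        "nacl_ephemeral_out": all(nacl_action(fsx_acl, p, True) == "allow"
                                  for p in EPHEMERAL),
    }
# Constructed sample documents; the SG id is a placeholder, not a real resource.
DC_SG = "sg-0dc00000000000000"
FSX_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                             "UserIdGroupPairs": [{"GroupId": DC_SG}]}]}
def entry(n, egress, lo, hi, action):
    return {"RuleNumber": n, "Egress": egress, "Protocol": "6",
            "PortRange": {"From": lo, "To": hi}, "RuleAction": action}
GOOD_ACL = {"Entries": [entry(100, False, 445, 445, "allow"),
                        entry(100, True, 1024, 65535, "allow")]}
BAD_ACL = {"Entries": [entry(100, False, 445, 445, "allow")]}  # return ports forgotten
```

Running `fsx_side_ok(FSX_SG, BAD_ACL, {DC_SG})` shows the typical custom-NACL mistake: 445 inbound is allowed but the stateless return traffic is not, so the SMB connection still fails.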
0

Hello,

Thank you for your response.

I understand that you have created a support case for the issue now. Our Support engineers will be able to help by looking into the resources and settings and suggesting further steps.

One thing you can consider checking is the trust relationship between the on-prem domain and AWS Managed AD. I did not find any mention of a trust being in place.

anish
answered a month ago
