Due to expediency, I opened a support ticket. My problem was that when I created the FSX filesystem, I created the FSXService service account and an FSXAdmin AD group to manage it. I assumed that because I was logged in with domain admin credentials, I should be able to make shares.
I had to add my domain admin credentials to the FSXAdmin AD group also.
Hello! To connect to a FSx share from the AWS DC, please ensure the following:
- The security group in use by FSx needs to allow TCP 445 traffic inbound from the AWS DC's IP address/subnet/VPC/security group.
- The AWS DC needs to allow outbound traffic to the FSx IP addresses on TCP 445 as well.
- Any network ACL, assuming that it has been customized instead of the default allow-all inbound/outbound rule, must allow the traffic as well. On the AWS DC, outbound TCP 445 and inbound ephemeral ports need to be allowed. On FSx, inbound TCP 445 and outbound ephemeral traffic.
- Any custom firewall/security software inside the AWS DC (if applicable) must allow the traffic as well.
For more information, please check this link https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-manage-prereqs.html#network-configs
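As an added, constructed example (not code from the answer above or from AWS's own tooling): an offline check that evaluates security-group and network-ACL entries, in the shape the EC2 DescribeSecurityGroups and DescribeNetworkAcls APIs return them, for the TCP 445 and ephemeral-port paths listed in the answer. All CIDRs and rule numbers are made-up sample values; real data would come from those API calls.

```python
import ipaddress

# Constructed sample: inbound rules of the FSx file system's security group
# (EC2 IpPermissions shape). 10.0.1.0/24 stands in for the AWS DC's subnet.
FSX_SG_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

# Constructed sample: a customized NACL on the FSx subnet (DescribeNetworkAcls
# Entries shape). Entries are evaluated lowest RuleNumber first, first match
# wins, and rule 32767 is the catch-all deny. "6" is TCP, "-1" is all traffic.
FSX_NACL = [
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "6",
     "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 445, "To": 445}},
    {"RuleNumber": 110, "Egress": True, "RuleAction": "allow", "Protocol": "6",
     "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "RuleAction": "deny", "Protocol": "-1",
     "CidrBlock": "0.0.0.0/0"},
]

def _covers(rule_cidr, peer_cidr):
    """True if the whole peer range falls inside the rule's CIDR."""
    return ipaddress.ip_network(peer_cidr).subnet_of(ipaddress.ip_network(rule_cidr))

def sg_allows(perms, port, peer_cidr):
    """Security groups are allow-only: True if any rule permits TCP `port` for the peer."""
    for p in perms:
        if p["IpProtocol"] not in ("tcp", "-1"):
            continue
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
        if lo <= port <= hi and any(_covers(r["CidrIp"], peer_cidr) for r in p["IpRanges"]):
            return True
    return False

def nacl_allows(entries, egress, port, peer_cidr):
    """NACLs are ordered allow/deny lists: the first matching entry decides."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("6", "-1"):
            continue
        pr = e.get("PortRange", {"From": 0, "To": 65535})  # no range means all ports
        if pr["From"] <= port <= pr["To"] and _covers(e["CidrBlock"], peer_cidr):
            return e["RuleAction"] == "allow"
    return False  # nothing matched: implicit deny

def fsx_smb_path_ok(dc_cidr, perms=FSX_SG_INBOUND, nacl=FSX_NACL):
    """The three FSx-side conditions from the answer: SG 445 in, NACL 445 in, NACL ephemeral out."""
    return (sg_allows(perms, 445, dc_cidr) and nacl_allows(nacl, False, 445, dc_cidr)
            and all(nacl_allows(nacl, True, p, dc_cidr) for p in (1024, 49152, 65535)))
```

The same functions can be pointed at the DC-side security group and NACL to check the mirror-image rules (outbound 445, inbound ephemeral).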
Hello,
Thank you for your response.
I understand that you have now created a support case for the issue. Our Support engineers will be able to help by looking into the resources and settings and suggesting further steps.
One thing you can consider checking is the trust relationship between the on-prem domain and AWS Managed AD. I did not find any mention of the trust in place.
Thanks for that Francisco_L, I checked all that and everything was wide open. I appreciate your prompt response. All info is good info.
We will be ready to continue assisting you in the support case. One important note regarding trusts: the client needs to be able to reach the trusted domain as well. Just having both directories communicate with each other is not enough. This is explained in our article "Everything you need to know about trusts" here https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/