Questions tagged with Amazon FSx for Windows File Server


In testing deduplication enablement, it appears that by disabling deduplication, it leaves existing deduplication in state (forever). Would like to be able to completely disable and re-inflate data if performance issues encountered due to deduplication enablement. -- Re: existing ticket XXXXXXXXXX *Edit: Removed case ID — John M.

1 answer | -1 votes | 51 views | asked a year ago

I have an ECS service which is of Launch Type EC2 owned by an AWS account A. Our IT team has created an FSx storage owned by an AWS Account B - [see simple diagram here](https://i.stack.imgur.com/MyU1d.png)

When I try to launch tasks I get this error in the Stopped reason section of the task:

```
Stopped reason Fsx describing filesystem(s) from the service for [fs-0c52aba0aac20c744]: FileSystemNotFound: File system 'fs-0c52aba0aac20c744' does not exist.
```

I have attached those 2 policies to the EC2 (container host) instance:

- AmazonFSxReadOnlyAccess (AWS Managed)
- fsx_mount (Customer Managed)

fsx_mount:

```
{
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:us-west-2:111111111111:secret:dev/rushmore/ad-account-NKOkyh"
    },
    {
      "Action": [
        "fsx:*",
        "ds:DescribeDirectories"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:fsx:us-west-2:222222222222:file-system/fs-0c52aba0aac20c744"
    }
  ],
  "Version": "2012-10-17"
}
```

**Note** that the account id of 222222222222 represents AWS Account B. Also, **VPC Peering is in place between the EC2 instance VPC and the FileSystem VPC**.

Terraform aws_ecs_task_definition:

```
resource "aws_ecs_task_definition" "participants_task" {
  volume {
    name = "FSxStorage"
    fsx_windows_file_server_volume_configuration {
      file_system_id = "fs-0c52aba0aac20c744"
      root_directory = "\\data"
      authorization_config {
        credentials_parameter = aws_secretsmanager_secret_version.fsx_account_secret.arn
        domain                = var.domain
      }
    }
  }
  ...
}
```

I am not sure why ECS cannot find the FSx file system. Surely it must be because it is in another AWS account but I don't know what changes are required in order to fix this.

1 answer | 0 votes | 79 views | asked a year ago

Is it possible to recover an individual file or folder from an FSx file system?

3 answers | 0 votes | 684 views | asked a year ago

My container is configured to mount an FSx volume, which succeeds on first run. But... each time the task runs and the container exits, it leaves in place the SMB mapping on the EC2 instance:

```
PS C:\Windows\system32> gdr -PSProvider 'FileSystem'

Name  Used (GB)  Free (GB)  Provider    Root                  CurrentLocation
----  ---------  ---------  --------    ----                  ---------------
C         33.87      66.12  FileSystem  C:\                   Windows\system32
D          0.09      31.91  FileSystem  \\amznfsxka9h1c5....
E          0.09      31.91  FileSystem  \\amznfsxka9h1c5....
F          0.09      31.91  FileSystem  \\amznfsxka9h1c5....
G          0.09      31.91  FileSystem  \\amznfsxka9h1c5....
H          0.09      31.91  FileSystem  \\amznfsxka9h1c5....
.
.
.
Z          0.09      31.91  FileSystem  \\amznfsxka9h1c5....

PS C:\Windows\system32>
```

Eventually the instance runs out of drive letters, leading to this:

```
STOPPED (Could not find an available drive letter to mount fsxwindowsfileserver resource on the container instance)
```

Is there some cleanup I should be doing to ensure the container doesn't leave behind these drive letters?

0 answers | 0 votes | 90 views | asked a year ago

Hi there,

I managed to add FSx for NetApp ONTAP to our domain with FSxServiceAccount as described on the product page. However, I am running into issues when I am trying to attach it to my Windows instance. (It works fine on Linux.) I see the following issues:

- When I am running this command `New-SmbGlobalMapping -Persistent $true -RemotePath \\<IO of my smb>\share -Credential $creds -LocalPath G:` I get the following error: `New-SmbGlobalMapping : Access is denied.`
  - I am using domain admin credentials
- When I am running this command `net use Z: \\<dns address of the smb>\share` I got the following error: `System error 5 has occurred. Access is denied.`
  - Also with domain admin creds
- I can successfully attach via File Explorer > This PC > Computer > Map network drive, however I can not read/write to it. If I check the File permission mode in Properties I can see that only the owner (FSxServiceAccount?) is allowed to write, however Read should work, but I can not change the permissions as domain Admin.

I am using Directory Service Standard Edition. Did you guys experience issues with this? What am I doing wrong?

**Update:** I managed to attach the disk, but I can not write or read any file on the disk. It is in OU=Computers, and allowed Everyone Full Access, also allowed Everyone Read/Write the NFS filesystems attached to the AD, but still not working. I am suspecting this is something NetApp specific, but we will see.

**Update #2** Based on CloudWreck's comment I found the following: I am using mixed style.

I use the following code:

```
net use P: \\WINDOWS\vol1
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt
```

Get-Acl returns

```
Path Owner    Access
---- -----    ------
P:\  Everyone Everyone Allow -1
```

Also using this one:

```
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt
```

Also tried this:

```
takeown /F * /R
takeown : ERROR: File ownership cannot be applied on insecure file systems;
```

But I am still unable to write/read files or create folders.

**Update#3** I ran the following commands and changed the permission from the ONTAP side

```
vserver security file-directory show -vserver windows -path /vol1
vserver security file-directory ntfs create -ntfs-sd sd1 -owner DomainName\Administrator
vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type success -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type allow -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory policy create -policy-name policy1
vserver security file-directory policy task add -policy-name policy1 -path /vol1 -ntfs-sd sd1
vserver security file-directory apply -policy-name policy1
vserver security file-directory show -path /vol1 -expand-mask true
```

It changed the file permissions (mode), however I am still unable to read/write files.

These are the current settings:

```
File Path: /vol1
File Inode Number: 64
Security Style: mixed
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
    ...0 .... .... .... = Offline
    .... ..0. .... .... = Sparse
    .... .... 0... .... = Normal
    .... .... ..0. .... = Archive
    .... .... ...1 .... = Directory
    .... .... .... .0.. = System
    .... .... .... ..0. = Hidden
    .... .... .... ...0 = Read Only
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
```

```
ALLOW-Everyone-0x1f01ff-OI|CI
    0... .... .... .... .... .... .... .... = Generic Read
    .0.. .... .... .... .... .... .... .... = Generic Write
    ..0. .... .... .... .... .... .... .... = Generic Execute
    ...0 .... .... .... .... .... .... .... = Generic All
    .... ...0 .... .... .... .... .... .... = System Security
    .... .... ...1 .... .... .... .... .... = Synchronize
    .... .... .... 1... .... .... .... .... = Write Owner
    .... .... .... .1.. .... .... .... .... = Write DAC
    .... .... .... ..1. .... .... .... .... = Read Control
    .... .... .... ...1 .... .... .... .... = Delete
    .... .... .... .... .... ...1 .... .... = Write Attributes
    .... .... .... .... .... .... 1... .... = Read Attributes
    .... .... .... .... .... .... .1.. .... = Delete Child
    .... .... .... .... .... .... ..1. .... = Execute
    .... .... .... .... .... .... ...1 .... = Write EA
    .... .... .... .... .... .... .... 1... = Read EA
    .... .... .... .... .... .... .... .1.. = Append
    .... .... .... .... .... .... .... ..1. = Write
    .... .... .... .... .... .... .... ...1 = Read
```

1 answer | 0 votes | 738 views | asked a year ago

Hi there,

When I am trying to join my domain (using Directory service), I am receiving the following error:

```
Amazon FSx is unable to establish a connection with your Active Directory domain controller(s) because the service account credentials provided are invalid. To fix this problem, delete your storage virtual machine and create a new one using a valid service account as recommended in the Amazon FSx user guide.
```

I have read the user guide, and followed all the steps. Now, I am using the same security group as the domain controller and allowing all traffic inside the sg. I checked with Reachability analyzer, the ENI from fsx can communicate with the domain controller's domain controller. I also tried to use the domain admin, just to make sure - but for some reason it does not work.

Did any of you experience something similar?

1 answer | 0 votes | 549 views | asked a year ago

Hello, is it normal that FSx allocates a new IP every time data sync runs? I've been checking and most of these IPs are 'available'.

2 answers | 1 vote | 290 views | asked a year ago

Setting aside single-AZ vs multi-AZ, we offer [two different pricing tiers][1] for FSx, those being with and without data deduplication. Looking at storage costs, the pricing with deduplication enabled is half that of non-deduped FSx with the assumption of a typical 50% deduplication rate. We've also documented that deduplication is transparent to the end user and [doesn't significantly affect the file system's performance][2].

With that said, are there any potential reasons customers should not enable deduplication?

[1]: https://aws.amazon.com/fsx/windows/pricing/
[2]: https://docs.aws.amazon.com/fsx/latest/WindowsGuide/using-data-dedup.html

1 answer | 0 votes | 239 views | AWS | asked 2 years ago

A customer has deployed an Amazon FSx for Windows File Server joined to his self-managed Active Directory. He noticed that Amazon FSx is creating 4 different computer objects into its OU for 1 file system, 4 new computer objects for another file system, etc. which will result in a very difficult situation to manage those file systems at scale.

[Nothing in particular is mentioned within our documentation except to not move computer objects that Amazon FSx creates in the OU after your file system is created][1]

Is it the normal behavior of Amazon FSx for Windows File Server with self-managed AD? Do you have any clue which may help to better understand Amazon FSx behavior?

Thank you very much in advance for your feedback

[1]: https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-managed-AD-best-practices.html

1 answer | 0 votes | 276 views | AWS | ajean | asked 2 years ago

Hi, I am trying to increase an FSx for Windows Storage Capacity from 3TB to 4TB. I increased it yesterday from 2TB to 3TB and it worked fine. Today, when I try to do it, it gives me this message: Unable to perform the storage capacity update; there is a request already in progress. But the increase from yesterday finished, so why can't I increase it today? Thanks. Paul

5 answers | 0 votes | 308 views | nl135 | asked 2 years ago

I've created an FSx file system but I can't seem to access it via a cname. I can access it fine via the DNS name from Amazon. However, when I create the cname record if I browse to the root \[cname]\ it comes back with "This folder is empty." If I include a share name like \[cname]\IT it gives me a hard failure telling me, "windows cannot access \[fileshare]". The storage type is SSD and single-AZ 2. Any suggestions or additional information needed?

2 answers | 0 votes | 217 views | asked 2 years ago

A customer is interested in accessing FSx for Windows from remote clients and their office network without using VPN since they only have a few users and are not storing sensitive data.

* Is it possible to expose FSx over public internet? It seems that FSx only gets assigned a private IP.
* Are there any workarounds that can be done that will be cheaper than running VPN?

Thank You!

1 answer | 0 votes | 290 views | asked 2 years ago