HAQM FSx for Windows File Server and AWS Managed Microsoft AD Multi-Administrator Deployment

In this blog post, I will demonstrate how to configure your HAQM FSx for Windows File Server and AWS Managed Microsoft Active Directory (AD) to give separate teams administrative control over each individual HAQM FSx for Windows File Server.

I was working with a customer that deployed HAQM FSx for Windows File Server with AWS Managed Microsoft AD and realized there was only a single Active Directory group to manage all HAQM FSx for Windows File Server deployments integrated with that AWS Managed Microsoft AD. The customer wanted to give separate teams administrative control over each individual HAQM FSx for Windows File Server. After some thought on the issue, I decided to try deploying HAQM FSx for Windows File Server using the self-managed Microsoft Active Directory deployment type. It worked. The rest of this post describes this relatively straightforward solution.

Prerequisites

You will need the following deployed if you want to follow along with this post:

  • An active AWS Managed Microsoft AD directory. See the AWS Managed Microsoft AD workshop module if you need to deploy AWS Managed Microsoft AD. Note: I am using the domain name corp.example.com for all examples in this post. Make sure you substitute your own domain name in the appropriate places for all examples in this post.
  • An HAQM EC2 Windows Server instance (referred to as the “MGMT EC2 Instance” in this post) joined to your AWS Managed Microsoft AD directory with the Active Directory Administration Tools installed. To join and configure an instance for your AWS Managed Microsoft AD, see the AWS Managed Microsoft AD workshop.

If you want to fully deploy this entire solution in a testing capacity, I have created an AWS CloudFormation template that will set all of this up in a new HAQM Virtual Private Cloud (HAQM VPC). You can get the template from URL.

You will create the architecture presented in Figure 1 if you follow the steps in this post or deploy the CloudFormation template.

Figure 1: Overview of Resources in this Solution

Solution overview

To implement this solution, you need to choose the Self-managed Microsoft Active Directory Windows authentication option when deploying the HAQM FSx for Windows File Server filesystem. When choosing this option, you will need to specify additional details that AWS Managed Microsoft Active Directory Windows authentication option does not require. To simplify this for you, I will provide a PowerShell script that will do it for you.

Prior to the HAQM FSx for Windows File Server deployment in this post, a few objects need to be set up in the AWS Managed Microsoft AD domain: an OU, a service account, and an administrative group for each file system.

While you can reuse the same service accounts, OUs, or administrative groups across file systems, I recommend that you split these items up. By doing so, you tighten the security boundary around each file system and reduce the potential blast radius of a misconfiguration.

Step-by-step instructions

Create AD Objects for the HAQM FSx for Windows File Server Deployments

In this set of instructions, you are going to create all of the AD objects required to perform an HAQM FSx for Windows File Server deployment with the Self-managed Microsoft Active Directory Windows authentication option. You are going to use a PowerShell script to generate all of the prerequisites prior to deploying HAQM FSx for Windows File Server. Specifically, you will be creating:

  • OUs for HAQM FSx for Windows File Server named FSx-A and FSx-B.
  • Service Accounts for HAQM FSx for Windows File Server named FSxServiceAccount-A and FSxServiceAccount-B with proper least-privilege permissions.
  • Administrative Groups for HAQM FSx for Windows File Server named FSxAdmins-A and FSxAdmins-B.
  1. Using Remote Desktop, log into the MGMT EC2 Instance, which was created as a prerequisite. You can use any account that is a member of the AWS Delegated Administrators group including the Admin account that was provisioned with your directory.
  2. In the Remote Desktop session, right-click the Start button and select Windows PowerShell (Admin) to open an elevated PowerShell window. Run the following command to download the script that creates the HAQM FSx for Windows File Server prerequisites. Leave the PowerShell window open after the command completes.
     Invoke-WebRequest -Uri 'http://d2908q01vomqb2.cloudfront.net/artifacts/WorkloadsBlog/msft-on-aws/P59717159/Set-FSxAdObjects.ps1' -OutFile 'C:\Set-FSxAdObjects.ps1'
  3. In the same elevated PowerShell window, run the following code to create the HAQM FSx for Windows File Server prerequisites. Note: A prompt will appear twice asking you to enter a password. The entered passwords are for the HAQM FSx for Windows File Server service accounts. You will need to input them when you deploy the HAQM FSx for Windows File Servers in the next section.
# One entry per HAQM FSx for Windows File Server deployment; each gets its own OU,
# service account, and delegated administrators group.
$FSxDeployments = @(
    @{
        AdminGroupName = 'FSxAdmins-A'
        OUName         = 'FSx-A'
        SvcAccountName = 'FSxServiceAccount-A'
        # Prompts for the service account password and keeps only the SecureString.
        SvcAccountPw   = Get-Credential -Message 'Please provide a password for the FSx Service Account FSxServiceAccount-A' -User 'FSxServiceAccount-A' -ErrorAction Stop | Select-Object -ExpandProperty 'Password'
    },
    @{
        AdminGroupName = 'FSxAdmins-B'
        OUName         = 'FSx-B'
        SvcAccountName = 'FSxServiceAccount-B'
        SvcAccountPw   = Get-Credential -Message 'Please provide a password for the FSx Service Account FSxServiceAccount-B' -User 'FSxServiceAccount-B' -ErrorAction Stop | Select-Object -ExpandProperty 'Password'
    }
)

# Create the OU, service account, and administrators group for each deployment.
Foreach ($FSxDeployment in $FSxDeployments) {
    C:\Set-FSxAdObjects.ps1 -FSxAdminGroupName $FSxDeployment.AdminGroupName -FSxOUName $FSxDeployment.OUName -FSxSvcAccountName $FSxDeployment.SvcAccountName -FSxSvcAccountPw $FSxDeployment.SvcAccountPw
}
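The downloaded Set-FSxAdObjects.ps1 is not reproduced in this post. As an added example (my own code, not the script from the post), here is a stand-in that does what the prerequisites list above describes: it creates a dedicated OU, a service account, and an administrators group, and delegates to the service account only the rights that the FSx documentation lists for a self-managed Active Directory service account, scoped to computer objects in that OU. It assumes the domain is corp.example.com with the default AWS Managed Microsoft AD layout (OU=CORP,DC=corp,DC=example,DC=com) and that the ActiveDirectory module and dsacls.exe from the RSAT AD DS tools are installed on the MGMT EC2 Instance; the parameter names match the call in the loop above, and the privileged-group list in the final check is my assumption.

```powershell
# Added example (not the blog's Set-FSxAdObjects.ps1): create one isolated set of AD objects
# for an FSx for Windows File Server deployment and delegate to the service account only the
# rights FSx needs on that OU's computer objects.
# Assumptions: domain corp.example.com with the default AWS Managed Microsoft AD layout
# (OU=CORP,DC=corp,DC=example,DC=com); ActiveDirectory module and dsacls.exe available.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$FSxOUName,           # e.g. FSx-A
    [Parameter(Mandatory)][string]$FSxSvcAccountName,   # e.g. FSxServiceAccount-A
    [Parameter(Mandatory)][string]$FSxAdminGroupName,   # e.g. FSxAdmins-A
    [Parameter(Mandatory)][SecureString]$FSxSvcAccountPw,
    [string]$ParentOUDn = 'OU=CORP,DC=corp,DC=example,DC=com'   # assumed default layout
)

$ErrorActionPreference = 'Stop'
$Domain       = Get-ADDomain
$OuDn         = "OU=$FSxOUName,$ParentOUDn"
$SvcPrincipal = "$($Domain.NetBIOSName)\$FSxSvcAccountName"

# 1. A dedicated OU: every delegated right below is scoped to this subtree and nothing else.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OuDn'")) {
    New-ADOrganizationalUnit -Name $FSxOUName -Path $ParentOUDn -ProtectedFromAccidentalDeletion $true
}

# 2. The service account: a plain user with no privileged group membership. FSx uses it only
#    to join and maintain its own computer object, so it lives inside the FSx OU.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$FSxSvcAccountName'")) {
    New-ADUser -Name $FSxSvcAccountName -SamAccountName $FSxSvcAccountName `
        -UserPrincipalName "$FSxSvcAccountName@$($Domain.DNSRoot)" -Path $OuDn `
        -AccountPassword $FSxSvcAccountPw -PasswordNeverExpires $true -Enabled $true
}

# 3. The delegated administrators group: its members manage only the file systems that
#    name this group as their "Delegated file system administrators group".
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$FSxAdminGroupName'")) {
    New-ADGroup -Name $FSxAdminGroupName -SamAccountName $FSxAdminGroupName `
        -GroupScope Global -GroupCategory Security -Path $OuDn
}

# 4. Least-privilege delegation on the OU, limited to computer objects. These are the rights
#    the FSx documentation lists for a self-managed AD service account. A domain-wide admin
#    account would also work, but then one leaked credential would affect every file system.
#    dsacls rights: CA = control access (extended right), RPWP = read/write property,
#    WS = validated write, CCDC = create/delete child objects; /I:S inherits to child objects.
$DelegationRules = @(
    @('/I:S', '/G', "${SvcPrincipal}:CA;Reset Password;computer"),
    @('/I:S', '/G', "${SvcPrincipal}:RPWP;Account Restrictions;computer"),
    @('/I:S', '/G', "${SvcPrincipal}:WS;Validated write to DNS host name;computer"),
    @('/I:S', '/G', "${SvcPrincipal}:WS;Validated write to service principal name;computer"),
    @('/G', "${SvcPrincipal}:CCDC;computer")
)
foreach ($Rule in $DelegationRules) {
    & dsacls.exe $OuDn $Rule | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $OuDn with arguments: $($Rule -join ' ')" }
}

# 5. Sanity check: the service account must not have ended up in a privileged group.
#    (Group list is an assumption; extend it to match your directory.)
$Privileged  = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'AWS Delegated Administrators')
$Memberships = Get-ADPrincipalGroupMembership -Identity $FSxSvcAccountName | Select-Object -ExpandProperty Name
$Overlap     = @($Memberships | Where-Object { $Privileged -contains $_ })
if ($Overlap.Count -gt 0) {
    throw "$FSxSvcAccountName is a member of privileged group(s): $($Overlap -join ', ')"
}

Write-Output "Created OU $OuDn, service account $FSxSvcAccountName, and group $FSxAdminGroupName"
```

Run it once per deployment with the same four parameters the loop above passes. The point of steps 1 and 4 together is that the service account for FSx-A can create and maintain computer objects only under OU=FSx-A, so a mistake in, or compromise of, that account cannot touch the computer objects of the FSx-B deployment.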

Deploy HAQM FSx for Windows File Servers

Next, you will be deploying two HAQM FSx for Windows File Servers using the Self-managed Microsoft Active Directory Windows authentication option. Prior to the deployment, you will need to get some information from the AWS Managed Microsoft AD.

Get AWS Managed Microsoft AD DNS IP Addresses

  1. In the AWS Directory Service console navigation pane, choose Directories.
  2. Choose Directory ID of the AWS Managed Microsoft AD.
  3. Take note of the DNS address values in the Networking details section of the Networking & security tab of your directory, shown in Figure 2:

Figure 2: AWS Managed Microsoft AD DNS IPs

Deploy the first HAQM FSx for Windows File Server

You can find the detailed HAQM FSx for Windows File Server deployment steps in the documentation. Follow those steps until you reach the Windows authentication options step.

The Windows authentication options step (at the time of this writing, step 12) in the deployment procedure covers these settings. Input the following items (shown in Figure 3):

  1. For Choose an Active Directory to provide user authentication and access control for your file system, choose Self-managed Microsoft Active Directory.
  2. For Active Directory domain name, enter the domain name you are using for this example. In my example, it is corp.example.com.
  3. For DNS server IP addresses, enter the DNS IP addresses of your AWS Managed Microsoft AD that you obtained in the previous section.
  4. For Service account username, enter FSxServiceAccount-A
  5. For Service account password and Confirm password, enter the password you set for FSxServiceAccount-A when you created the service accounts.
  6. For Organizational Unit (OU) within which you want to join your file system – optional, enter the distinguished name of the first OU you created, FSx-A. In my example, this value is OU=FSx-A,OU=CORP,DC=corp,DC=example,DC=com. If your AWS Managed Microsoft AD directory has a different DNS name, this value will differ.
  7. For Delegated file system administrators group – optional, enter FSxAdmins-A.

Figure 3: HAQM FSx for Windows File Server Windows Authentication Options

Repeat steps 1-7 for the second HAQM FSx for Windows File Server deployment. Ensure that you change the service account username, Organizational Unit, and delegated file system administrators’ group name so that the -A suffix becomes -B:

  1. For Service account username, enter FSxServiceAccount-B.
  2. For Service account password and Confirm password, enter the password you set for FSxServiceAccount-B when you created the service accounts.
  3. For Organizational Unit (OU) within which you want to join your file system – optional, enter the distinguished name of the second OU you created, FSx-B. In my example, this value is OU=FSx-B,OU=CORP,DC=corp,DC=example,DC=com. If your AWS Managed Microsoft AD directory has a different DNS name, this value will differ.
  4. For Delegated file system administrators group – optional, enter FSxAdmins-B.
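The "Get AWS Managed Microsoft AD DNS IP Addresses" section and the two console deployments above can also be done from PowerShell. The following is an added example (my own code, not part of the post or of the FSx service): it reads the directory's DNS IPs from the Directory Service API, creates both file systems with the Self-managed Microsoft Active Directory option using the same seven inputs the console steps ask for, and then checks that the two file systems really do use different OUs, service accounts, and administrators groups. It assumes the AWS.Tools.DirectoryService and AWS.Tools.FSx modules from AWS Tools for PowerShell are installed, that the caller has AWS credentials, and that the New-FSXFileSystem parameter names are the flattened ones those modules use; the directory, subnet, and security group IDs are constructed placeholders.

```powershell
# Added example (not from the blog post): console steps for two FSx for Windows File
# Servers with the self-managed AD option, done through AWS Tools for PowerShell.
# Assumptions: AWS.Tools.DirectoryService and AWS.Tools.FSx installed, AWS credentials
# configured; the three IDs below are placeholders and must be replaced.
#Requires -Modules AWS.Tools.DirectoryService, AWS.Tools.FSx
$ErrorActionPreference = 'Stop'

$DirectoryId     = 'd-0123456789'               # placeholder: your AWS Managed Microsoft AD ID
$SubnetId        = 'subnet-0123456789abcdef0'   # placeholder: a subnet that can reach the directory
$SecurityGroupId = 'sg-0123456789abcdef0'       # placeholder: must allow SMB (445) and AD traffic
$DomainName      = 'corp.example.com'
$BaseDn          = 'OU=CORP,DC=corp,DC=example,DC=com'

# "Get AWS Managed Microsoft AD DNS IP Addresses" through the API instead of the console.
$Directory = Get-DSDirectory -DirectoryId $DirectoryId
if ($Directory.Name -ne $DomainName) {
    throw "Directory $DirectoryId is named $($Directory.Name); this script expects $DomainName"
}
$DnsIps = @($Directory.DnsIpAddrs)

function New-FSxWindowsFileSystemForTeam {
    # Creates one file system bound to the AD objects whose names end in -$Suffix (A or B).
    param([Parameter(Mandatory)][ValidatePattern('^[A-Z]$')][string]$Suffix)

    $SvcAccount = "FSxServiceAccount-$Suffix"
    $Cred = Get-Credential -Message "Password for $SvcAccount (set when you created it)" -UserName $SvcAccount

    $Params = @{
        FileSystemType                          = 'WINDOWS'
        StorageType                             = 'SSD'
        StorageCapacity                         = 32            # GiB, the SSD minimum
        SubnetId                                = $SubnetId
        SecurityGroupId                         = $SecurityGroupId
        WindowsConfiguration_DeploymentType     = 'SINGLE_AZ_2'
        WindowsConfiguration_ThroughputCapacity = 32            # MBps
        # The seven "Windows authentication options" console inputs, as API fields:
        SelfManagedActiveDirectoryConfiguration_DomainName = $DomainName
        SelfManagedActiveDirectoryConfiguration_DnsIp      = $DnsIps
        SelfManagedActiveDirectoryConfiguration_UserName   = $SvcAccount
        # The API takes the password in clear text (as the console does); it is only
        # unwrapped from the SecureString at the moment of the call.
        SelfManagedActiveDirectoryConfiguration_Password   = $Cred.GetNetworkCredential().Password
        SelfManagedActiveDirectoryConfiguration_OrganizationalUnitDistinguishedName = "OU=FSx-$Suffix,$BaseDn"
        SelfManagedActiveDirectoryConfiguration_FileSystemAdministratorsGroup       = "FSxAdmins-$Suffix"
        Tag = [Amazon.FSx.Model.Tag]@{ Key = 'Name'; Value = "fsx-windows-$Suffix" }
    }
    return New-FSXFileSystem @Params
}

function Test-FSxAdminSeparation {
    # Fails unless every file system uses a different OU, service account, and admin group,
    # which is the property this post is about.
    param([Parameter(Mandatory)][string[]]$FileSystemId)

    $Configs = foreach ($Id in $FileSystemId) {
        (Get-FSXFileSystem -FileSystemId $Id).WindowsConfiguration.SelfManagedActiveDirectoryConfiguration
    }
    foreach ($Field in 'OrganizationalUnitDistinguishedName', 'UserName', 'FileSystemAdministratorsGroup') {
        $Distinct = @($Configs.$Field | Sort-Object -Unique)
        if ($Distinct.Count -ne $Configs.Count) {
            throw "File systems share the same $Field ($($Distinct -join ', ')); administration is not separated"
        }
    }
    return $true
}

$FileSystems = 'A', 'B' | ForEach-Object { New-FSxWindowsFileSystemForTeam -Suffix $_ }
$FileSystems | ForEach-Object { Write-Output "Created $($_.FileSystemId) (state: $($_.Lifecycle))" }
Test-FSxAdminSeparation -FileSystemId $FileSystems.FileSystemId
```

The separation check is worth keeping as a standing control: if someone later reuses FSxAdmins-A for a new file system, the check fails and flags that two teams' file systems are now administered by the same group, which is exactly the situation this post is meant to avoid.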

Summary

Now that you have integrated your HAQM FSx for Windows File Server deployments with AWS Managed Microsoft AD using the Self-managed Microsoft Active Directory Windows authentication option, you can delegate administrative access to each file system individually as needed.

In summary, we answered the question, “What can a customer do if they want to have different sets of users or groups manage individual HAQM FSx for Windows File Server deployments?” by explaining how you can choose a different HAQM FSx for Windows File Server Windows authentication option for AWS Managed Microsoft AD directories.


Jeremy Girven

Jeremy is a solutions architect specializing in Microsoft workloads on AWS. He has over 16 years’ experience with Microsoft Active Directory and over 25 years of industry experience. One of his fun projects is using SSM to automate the Active Directory build processes in AWS. To see more, check out the Active Directory AWS Partner Solution (http://aws.haqm.com/solutions/partners/active-directory-ds/).