

# Using Amazon FSx with AWS Directory Service for Microsoft Active Directory
<a name="fsx-aws-managed-ad"></a>

AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) provides fully managed, highly available directories in the cloud that run actual Microsoft Active Directory. You can use these directories in your workload deployment. 

If your organization is using AWS Managed Microsoft AD to manage identities and devices, we recommend that you integrate your Amazon FSx file system with AWS Managed Microsoft AD. By doing this, you get a turnkey solution using Amazon FSx with AWS Managed Microsoft AD. AWS handles the deployment, operation, high availability, reliability, security, and seamless integration of the two services, enabling you to focus on operating your own workload effectively.

To use Amazon FSx with your AWS Managed Microsoft AD setup, you can use the Amazon FSx console. When you create a new FSx for Windows File Server file system in the console, choose **AWS Managed Active Directory** under the **Windows Authentication** section. You also choose the specific directory that you want to use. For more information, see [Step 5. Create your file system](getting-started.md#getting-started-step1). 

Your organization might manage identities and devices on a self-managed Active Directory domain (on-premises or in the cloud). If so, you can join your Amazon FSx file system directly to your existing, self-managed Active Directory domain. For more information, see [Using a self-managed Microsoft Active Directory](self-managed-AD.md). 

Additionally, you can also set up your system to benefit from a resource forest isolation model. In this model, you isolate your resources, including your Amazon FSx file systems, into a separate Active Directory forest from the one where your users are. 

**Important**  
For Single-AZ 2 and all Multi-AZ file systems, the Active Directory fully qualified domain name (FQDN) cannot exceed 47 characters.

## Networking prerequisites
<a name="rfim-networking-requirements"></a>

Before you create an FSx for Windows File Server file system joined to your AWS Managed Microsoft AD domain, make sure that you have created and set up the following network configurations:
+ For **VPC security groups**, the default security group for your default Amazon VPC is already added to your file system in the console. Ensure that the security group and the VPC network ACLs for the subnets where you're creating your FSx file system allow traffic on the ports and in the directions shown in the following diagram.  
![\[FSx for Windows File Server port configuration requirements for VPC security groups and network ACLs for the subnets where the file system is being created.\]](http://docs.aws.amazon.com/fsx/latest/WindowsGuide/images/Windows-port-requirements.png)

  The following table identifies the role of each port.

  | Protocol | Ports | Role |
  | --- | --- | --- |
  | TCP/UDP | 53 | Domain Name System (DNS) |
  | TCP/UDP | 88 | Kerberos authentication |
  | UDP | 123 | Network Time Protocol (NTP) |
  | TCP | 135 | Distributed Computing Environment / End Point Mapper (DCE / EPMAP) |
  | TCP/UDP | 389 | Lightweight Directory Access Protocol (LDAP) |
  | TCP | 445 | Directory Services SMB file sharing |
  | TCP/UDP | 464 | Kerberos Change/Set password |
  | TCP | 636 | Lightweight Directory Access Protocol over TLS/SSL (LDAPS) |
  | TCP | 3268 | Microsoft Global Catalog |
  | TCP | 3269 | Microsoft Global Catalog over SSL |
  | TCP | 9389 | Microsoft AD DS Web Services, PowerShell |
  | TCP | 49152-65535 | Ephemeral ports for RPC |
**Important**  
Allowing outbound traffic on TCP port 9389 is required for Single-AZ 2 and all Multi-AZ file system deployments.
**Note**  
If you're using VPC network ACLs, you must also allow outbound traffic on dynamic ports (49152-65535) from your FSx file system.
+ If you are connecting your Amazon FSx file system to an AWS Managed Microsoft Active Directory in a different VPC or account, then ensure connectivity between that VPC and the Amazon VPC where you want to create the file system. For more information, see [Using Amazon FSx with AWS Managed Microsoft AD in a different VPC or account](shared-mad.md).
**Important**  
While Amazon VPC security groups require ports to be opened only in the direction that network traffic is initiated, VPC network ACLs require ports to be open in both directions.

Use the [Amazon FSx Network Validation tool](validate-ad-domain-controllers.md#test-ad-controller-connectivity) to validate connectivity to your Active Directory domain controllers.
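The port requirements above can be checked mechanically before a file system is created. The following PowerShell function is an added example, not code from the FSx documentation or the AmazonFSxADValidation module: it takes security-group egress rules in the `IpProtocol`/`FromPort`/`ToPort` shape that `Get-EC2SecurityGroup` returns in `IpPermissionsEgress`, subtracts every rule from each required port range, and lists whatever remains uncovered, including a partial gap in the 49152-65535 dynamic range. The `$FsxToAdPorts` list restates the port table in this section; the `$SampleEgress` rules are constructed for the example rather than read from an account.

```powershell
# Added example; not code from the FSx documentation or the AmazonFSxADValidation module.
# Given security-group egress rules in the IpProtocol/FromPort/ToPort shape that
# (Get-EC2SecurityGroup).IpPermissionsEgress returns, report every required
# file-system -> domain-controller port (or part of a port range) that no rule covers.

# Required outbound ports, restating the port table in this section.
$FsxToAdPorts = @(
    @{ Protocol = 'tcp'; From = 53;    To = 53;    Role = 'DNS' }
    @{ Protocol = 'udp'; From = 53;    To = 53;    Role = 'DNS' }
    @{ Protocol = 'tcp'; From = 88;    To = 88;    Role = 'Kerberos authentication' }
    @{ Protocol = 'udp'; From = 88;    To = 88;    Role = 'Kerberos authentication' }
    @{ Protocol = 'udp'; From = 123;   To = 123;   Role = 'NTP' }
    @{ Protocol = 'tcp'; From = 135;   To = 135;   Role = 'DCE / EPMAP' }
    @{ Protocol = 'tcp'; From = 389;   To = 389;   Role = 'LDAP' }
    @{ Protocol = 'udp'; From = 389;   To = 389;   Role = 'LDAP' }
    @{ Protocol = 'tcp'; From = 445;   To = 445;   Role = 'SMB' }
    @{ Protocol = 'tcp'; From = 464;   To = 464;   Role = 'Kerberos change/set password' }
    @{ Protocol = 'udp'; From = 464;   To = 464;   Role = 'Kerberos change/set password' }
    @{ Protocol = 'tcp'; From = 636;   To = 636;   Role = 'LDAPS' }
    @{ Protocol = 'tcp'; From = 3268;  To = 3269;  Role = 'Global Catalog (plain and SSL)' }
    @{ Protocol = 'tcp'; From = 9389;  To = 9389;  Role = 'AD DS Web Services (required for Single-AZ 2 and Multi-AZ)' }
    @{ Protocol = 'tcp'; From = 49152; To = 65535; Role = 'Dynamic RPC ports' }
)

function Test-FsxAdEgressCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $EgressRules,   # objects with IpProtocol, FromPort, ToPort
        [object[]] $Required = $FsxToAdPorts
    )
    $missing = @(foreach ($req in $Required) {
        # Start with the whole required range uncovered and carve out every
        # overlapping rule; whatever survives is the gap that must be fixed.
        $uncovered = [System.Collections.Generic.List[int[]]]::new()
        $uncovered.Add([int[]]@($req.From, $req.To))
        foreach ($rule in $EgressRules) {
            # IpProtocol '-1' means all traffic; a missing or -1 port means all ports of that protocol.
            if ($rule.IpProtocol -ne '-1' -and $rule.IpProtocol -ne $req.Protocol) { continue }
            $allPorts = ($rule.IpProtocol -eq '-1') -or ($null -eq $rule.FromPort) -or ([int]$rule.FromPort -lt 0)
            $rFrom = if ($allPorts) { 0 }     else { [int]$rule.FromPort }
            $rTo   = if ($allPorts) { 65535 } else { [int]$rule.ToPort }
            $next = [System.Collections.Generic.List[int[]]]::new()
            foreach ($seg in $uncovered) {
                if ($rTo -lt $seg[0] -or $rFrom -gt $seg[1]) { $next.Add($seg); continue }   # no overlap
                if ($rFrom -gt $seg[0]) { $next.Add([int[]]@($seg[0], $rFrom - 1)) }         # gap left of the rule
                if ($rTo   -lt $seg[1]) { $next.Add([int[]]@($rTo + 1, $seg[1])) }           # gap right of the rule
            }
            $uncovered = $next
            if ($uncovered.Count -eq 0) { break }
        }
        foreach ($seg in $uncovered) {
            [pscustomobject]@{ Protocol = $req.Protocol; Ports = "$($seg[0])-$($seg[1])"; Role = $req.Role }
        }
    })
    [pscustomobject]@{ Success = ($missing.Count -eq 0); Missing = $missing }
}

# Constructed sample (not read from a real account): the well-known AD ports are
# open, but TCP 9389 is missing and only part of the dynamic RPC range is allowed.
$SampleEgress = @(
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 53;    ToPort = 53 }
    [pscustomobject]@{ IpProtocol = 'udp'; FromPort = 53;    ToPort = 53 }
    [pscustomobject]@{ IpProtocol = 'udp'; FromPort = 88;    ToPort = 88 }
    [pscustomobject]@{ IpProtocol = 'udp'; FromPort = 123;   ToPort = 123 }
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 88;    ToPort = 464 }
    [pscustomobject]@{ IpProtocol = 'udp'; FromPort = 389;   ToPort = 464 }
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 636;   ToPort = 636 }
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 3268;  ToPort = 3269 }
    [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 49152; ToPort = 57000 }
)

$report = Test-FsxAdEgressCoverage -EgressRules $SampleEgress
"Success: $($report.Success)"
$report.Missing | Format-Table -AutoSize
```

Because the function only reads rule objects, the sample can be replaced with `(Get-EC2SecurityGroup).IpPermissionsEgress` for the group attached to the file system, obtained with the AWS Tools for PowerShell. The same subtraction applies to network ACL entries, with the caveat from the note above: an ACL must also allow the inbound direction, including the dynamic return ports, because ACLs are stateless.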

## Using a resource forest isolation model
<a name="using-a-rfim"></a>

You join your file system to an AWS Managed Microsoft AD directory. You then establish a one-way forest trust between the AWS Managed Microsoft AD domain that you create and your existing self-managed Active Directory domain. For Windows authentication in Amazon FSx, you only need a one-way forest trust in which the AWS managed forest trusts the corporate forest.

Your corporate domain takes the role of the trusted domain, and the AWS Managed Microsoft AD domain takes the role of the trusting domain. Validated authentication requests travel between the domains in only one direction, allowing accounts in your corporate domain to authenticate to resources shared in the managed domain; accounts in the managed domain cannot be granted access to resources in your corporate domain. Amazon FSx itself interacts only with the AWS managed domain. In a Kerberos authentication scenario, a corporate client obtains its ticket-granting ticket from a domain controller in the corporate domain, which issues a referral ticket for the trusting AWS managed forest; the client then requests a service ticket for the file server from an AWS Managed Microsoft AD domain controller and presents that ticket to your FSx for Windows File Server file system. For more information about trusts, see the post [Everything you wanted to know about trusts with AWS Managed Microsoft AD](https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/) in the AWS Security Blog.

## Test your Active Directory configuration
<a name="test-ad-config"></a>

Before creating your Amazon FSx file system, we recommend that you validate the connectivity to your Active Directory domain controllers using the Amazon FSx Network Validation tool. For more information, see [Validating connectivity to your Active Directory domain controllers](validate-ad-domain-controllers.md).

The following related resources can help you as you use AWS Directory Service for Microsoft Active Directory with FSx for Windows File Server:
+ [What is Directory Service](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/what_is.html) in the *AWS Directory Service Administration Guide*
+ [Create your AWS Managed Active Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_create_directory.html) in the *AWS Directory Service Administration Guide*
+ [When to Create a Trust Relationship](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_setup_trust.html) in the *AWS Directory Service Administration Guide*

# Using Amazon FSx with AWS Managed Microsoft AD in a different VPC or account
<a name="shared-mad"></a>

You can join your FSx for Windows File Server file system to an AWS Managed Microsoft AD directory that's in a different VPC within the same account by using VPC peering. You can also join your file system to an AWS Managed Microsoft AD directory that's in a different AWS account by using directory sharing.

**Note**  
You can only select an AWS Managed Microsoft AD within the same AWS Region as your file system. If you want to use a cross-Region VPC peering setup, you should use a self-managed Microsoft Active Directory. For more information, see [Using a self-managed Microsoft Active Directory](self-managed-AD.md).

The workflow for joining your file system to an AWS Managed Microsoft AD that's in a different VPC involves the following steps:

1. Set up your networking environment.

1. Share your directory.

1. Join your file system to the shared directory.

For more information, see [Share your directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html) in the *Directory Service Administration Guide*.

To set up your networking environment, you can use AWS Transit Gateway or a VPC peering connection between the two VPCs. In addition, make sure that the route tables, security groups, and network ACLs allow the required traffic between the two VPCs.

A *transit gateway* is a network transit hub that you can use to interconnect your VPCs and on-premises networks. For more information about using VPC transit gateways, see [Getting Started with Transit Gateways](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-getting-started.html) in the *Amazon VPC Transit Gateways Guide*. 

A *VPC peering connection* is a networking connection between two VPCs. This connection enables you to route traffic between them using private Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. You can use VPC peering to connect VPCs within the same AWS Region or between AWS Regions. For more information on VPC peering, see [What is VPC Peering?](https://docs.aws.amazon.com/vpc/latest/peering/Welcome.html) in the *Amazon VPC Peering Guide*. 

There is another prerequisite when you join your file system to an AWS Managed Microsoft AD directory in a different account than that of your file system: you also need to share the directory with the account that owns the file system. To do this, use the directory sharing feature of AWS Managed Microsoft AD. To learn more, see [Share your directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_directory_sharing.html) in the *AWS Directory Service Administration Guide*.

# Validating connectivity to your Active Directory domain controllers
<a name="validate-ad-domain-controllers"></a>

Before you create an FSx for Windows File Server file system joined to your Active Directory, use the Amazon FSx Active Directory Validation tool (the `AmazonFSxADValidation` PowerShell module) to validate connectivity to your Active Directory domain. You can use this test whether you are using FSx for Windows File Server with AWS Managed Microsoft AD or with a self-managed Active Directory configuration. The Domain Controller Network Connectivity test (`Test-FSxADControllerConnection`) does not run the full suite of network connectivity checks against every domain controller in the domain. Instead, use it to run network connectivity validation against a specific set of domain controllers. <a name="test-ad-controller-connectivity"></a>

**To validate connectivity to your Active Directory domain controllers**

1. Launch an Amazon EC2 Windows instance in the same subnet and with the same Amazon VPC security groups that you will use for your FSx for Windows File Server file system. For Multi-AZ deployment types, use the subnet for the preferred active file server. 

1. Join your EC2 Windows instance to your Active Directory. For more information, see [Manually Join a Windows Instance](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_windows_instance.html) in the *AWS Directory Service Administration Guide*.

1. Connect to your EC2 instance. For more information, see [Connecting to Your Windows Instance](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/connecting_to_windows_instance.html) in the *Amazon EC2 User Guide*.

1. Open a Windows PowerShell window (using **Run as Administrator**) on the EC2 instance. 

   To test whether the required Active Directory module for Windows PowerShell is installed, use the following test command.

   

   ```
   PS C:\> Import-Module ActiveDirectory
   ```

   

   If the command above returns an error, install the module using the following command.

   

   ```
   PS C:\> Install-WindowsFeature RSAT-AD-PowerShell
   ```

1. Download the network validation tool using the following command. 

   

   ```
   PS C:\> Invoke-WebRequest "https://docs.aws.amazon.com/fsx/latest/WindowsGuide/samples/AmazonFSxADValidation.zip" -OutFile "AmazonFSxADValidation.zip"
   ```

1. Expand the zip file by using the following command.

   ```
   PS C:\> Expand-Archive -Path "AmazonFSxADValidation.zip"
   ```

1. Add the AmazonFSxADValidation module to the current session.

   ```
   PS C:\> Import-Module .\AmazonFSxADValidation
   ```

1. Set the value for the Active Directory domain controller IP address and run the connectivity test using the following commands:

   ```
   $ADControllerIp = '10.0.75.243'
   $Result = Test-FSxADControllerConnection -ADControllerIp $ADControllerIp
   ```

1. The following example demonstrates retrieving the test output, with results of a successful connectivity test.

   ```
   PS C:\AmazonFSxADValidation> $Result
   
   Name                           Value
   ----                           -----
   TcpDetails                     {@{Port=88; Result=Listening; Description=Kerberos authentication}, @{Port=135; Resul...
   Server                         10.0.75.243
   UdpDetails                     {@{Port=88; Result=Timed Out; Description=Kerberos authentication}, @{Port=123; Resul...
   Success                        True
   
   
   PS C:\AmazonFSxADValidation> $Result.TcpDetails
   
   Port Result    Description
   ---- ------    -----------
     88 Listening Kerberos authentication
    135 Listening DCE / EPMAP (End Point Mapper)
    389 Listening Lightweight Directory Access Protocol (LDAP)
    445 Listening Directory Services SMB file sharing
    464 Listening Kerberos Change/Set password
    636 Listening Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
   3268 Listening Microsoft Global Catalog
   3269 Listening Microsoft Global Catalog over SSL
   9389 Listening Microsoft AD DS Web Services, PowerShell
   ```

   The following example shows running the test and getting a failed result. 

   ```
   PS C:\AmazonFSxADValidation> $Result = Test-FSxADControllerConnection -ADControllerIp $ADControllerIp
   WARNING: TCP 9389 failed to connect. Required for Microsoft AD DS Web Services, PowerShell. 
   Verify security group and firewall settings on both client and directory controller.
   WARNING: 1 ports failed to connect to 10.0.75.243. Check pre-requisites in
   https://docs.aws.amazon.com/fsx/latest/WindowsGuide/self-managed-AD.html#self-manage-prereqs
   
   PS C:\AmazonFSxADValidation> $Result
   
   Name                           Value
   ----                           -----
   TcpDetails                     {@{Port=88; Result=Listening; Description=Kerberos authentication}, @{Port=135; Resul...
   Server                         10.0.75.243
   UdpDetails                     {@{Port=88; Result=Timed Out; Description=Kerberos authentication}, @{Port=123; Resul...
   Success                        False
   FailedTcpPorts                 {9389}
   
   
   PS C:\AmazonFSxADValidation> $Result.FailedTcpPorts
   9389
   ```

   For the meaning of any Windows socket error code that the tool reports, see [Windows Sockets Error Codes](https://msdn.microsoft.com/en-us/library/ms740668.aspx).

**Note**  
As an alternative to the above procedure, you can use the `AWSSupport-ValidateFSxWindowsADConfig` runbook to validate your self-managed Active Directory configuration. For more information, see [AWSSupport-ValidateFSxWindowsADConfig](https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/awssupport-validate-fsxwindows-adconfig.html) in the *AWS Systems Manager Automation runbook reference*.
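The procedure above runs the tool against one domain controller at a time. As an added example (not the AmazonFSxADValidation module's own code), the following PowerShell script performs the same kind of TCP reachability check using only .NET sockets, so it can be scripted across every domain controller and run before the tool has been downloaded: it probes each required TCP port with a timeout, distinguishes a filtered port (timed out) from one that actively refuses the connection, and returns an object with the same `Success`, `FailedTcpPorts` and `TcpDetails` fields shown in the output above. The `$RequiredTcpPorts` list restates the port table; the `$DomainControllers` addresses are assumed placeholders (10.0.75.243 is the address used in the procedure above, 10.0.76.17 is made up for the example). Run it from an EC2 instance in the same subnet and security groups as the planned file system, as step 1 of the procedure requires, because the security-group rules are evaluated against that instance's network interface.

```powershell
# Added example; not the AmazonFSxADValidation module's own code. Probes every
# TCP port an FSx for Windows File Server file system needs on a domain
# controller and returns an object shaped like the tool's output. Only TCP is
# probed: a plain UDP send cannot tell a filtered port from a silent one without
# a Kerberos- or NTP-aware client, which is why the tool's successful run above
# still shows UDP 88 as "Timed Out".

$RequiredTcpPorts = [ordered]@{
    53   = 'Domain Name System (DNS)'
    88   = 'Kerberos authentication'
    135  = 'DCE / EPMAP (End Point Mapper)'
    389  = 'Lightweight Directory Access Protocol (LDAP)'
    445  = 'Directory Services SMB file sharing'
    464  = 'Kerberos Change/Set password'
    636  = 'Lightweight Directory Access Protocol over TLS/SSL (LDAPS)'
    3268 = 'Microsoft Global Catalog'
    3269 = 'Microsoft Global Catalog over SSL'
    9389 = 'Microsoft AD DS Web Services, PowerShell'
}

function Test-TcpPort {
    param([string] $Server, [int] $Port, [int] $TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($Server, $Port)
        # No answer within the timeout means the SYN was dropped: a security
        # group, network ACL, or host firewall is filtering the port.
        if (-not $task.Wait($TimeoutMs)) { return 'Timed Out' }
        return 'Listening'
    } catch {
        # Task.Wait wraps the SocketException in an AggregateException; unwrap it.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'Refused'    # reachable host, but nothing listening on the port
        }
        return "Error: $($inner.Message)"
    } finally {
        $client.Dispose()
    }
}

function Test-DcTcpPorts {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [System.Collections.IDictionary] $Ports = $RequiredTcpPorts,
        [int] $TimeoutMs = 3000
    )
    $details = foreach ($port in $Ports.Keys) {
        [pscustomobject]@{
            Port        = [int]$port
            Result      = Test-TcpPort -Server $Server -Port $port -TimeoutMs $TimeoutMs
            Description = $Ports[$port]
        }
    }
    $failedDetails = @($details | Where-Object Result -ne 'Listening')
    foreach ($f in $failedDetails) {
        # Same wording as the tool's warning so the two outputs read alike.
        Write-Warning "TCP $($f.Port) $($f.Result) on $Server. Required for $($f.Description)."
    }
    [pscustomobject]@{
        Server         = $Server
        Success        = ($failedDetails.Count -eq 0)
        FailedTcpPorts = @($failedDetails | ForEach-Object Port)
        TcpDetails     = $details
    }
}

# Check every domain controller the file system may be referred to, not just
# one. These addresses are placeholders for the example; on a domain-joined
# instance they can be replaced with (Get-ADDomainController -Filter *).IPv4Address
$DomainControllers = @('10.0.75.243', '10.0.76.17')
$results = foreach ($dc in $DomainControllers) { Test-DcTcpPorts -Server $dc }
$results |
    Select-Object Server, Success, @{ n = 'FailedTcpPorts'; e = { $_.FailedTcpPorts -join ',' } } |
    Format-Table -AutoSize
```

A `Timed Out` result points at a security group, network ACL, or host firewall dropping the packets; a `Refused` result means the host was reached but the service is not listening there, which on a domain controller usually means the address is not a domain controller at all or the role (for example AD DS Web Services on 9389) is not running. Any domain controller that reports `Success` as `False` must be fixed or excluded before the file system is created, because Amazon FSx may be referred to any of them.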