

# Troubleshooting Amazon FSx
<a name="troubleshooting"></a>

Use the following sections to help troubleshoot problems you have with Amazon FSx. 

If you encounter a problem that isn't listed here while using Amazon FSx, try asking a question in the [Amazon FSx forum](https://forums.aws.amazon.com/forum.jspa?forumID=308).

**Topics**
+ [You can't access your file system](unable-to-access.md)
+ [Creating a new Amazon FSx file system fails](unable-to-create-fs.md)
+ [File system is in a misconfigured state](misconfigured-ad-config.md)
+ [You can't configure DFS-R on a Multi-AZ or Single-AZ 2 file system](dfs-r.md)
+ [Storage or throughput capacity updates fail](admin-actions-ts.md)

# You can't access your file system
<a name="unable-to-access"></a>

There are a number of potential causes for being unable to access your file system, each with its own resolution, as follows.

**Topics**
+ [The file system elastic network interface was modified or deleted](#eni-deleted)
+ [The Elastic IP address attached to the file system elastic network interface was deleted](#eni-epi-removed)
+ [The file system security group lacks the required inbound or outbound rules](#sg-lacks-inbound-rules)
+ [The compute instance's security group lacks the required outbound rules](#compute-instance-lacks-inbound-rules)
+ [Compute instance not joined to an Active Directory](#fs-not-joined-to-ad)
+ [The file share doesn't exist](#file-share-doesnt-exist)
+ [Active Directory user lacks required permissions](#ad-user-lacks-permission)
+ [Allow Full control NTFS ACL permissions removed](#removed-allow-full-control)
+ [Can't access a file system using an on-premises client](#non-private-ips-onprem)
+ [New file system is not registered in DNS](#fs-dns-not-registered)
+ [Can't access the file system using a DNS alias](#cant-connect-using-dns-alias)
+ [Can't access the file system using an IP address](#cant-connect-using-ip-address)

## The file system elastic network interface was modified or deleted
<a name="eni-deleted"></a>

You must not modify or delete the file system's elastic network interface. Modifying or deleting the network interface can cause a permanent loss of connection between your VPC and your file system. Create a new file system, and do not modify or delete the Amazon FSx elastic network interface. For more information, see [File system access control with Amazon VPC](limit-access-security-groups.md). 

## The Elastic IP address attached to the file system elastic network interface was deleted
<a name="eni-epi-removed"></a>

Amazon FSx doesn't support accessing file systems from the public internet. Amazon FSx automatically detaches any Elastic IP address, which is a public IP address reachable from the internet, that gets attached to a file system's elastic network interface. For more information, see [Accessing your data](supported-fsx-clients.md).

## The file system security group lacks the required inbound or outbound rules
<a name="sg-lacks-inbound-rules"></a>

Review the inbound and outbound rules specified in [Amazon VPC Security Groups](limit-access-security-groups.md#fsx-vpc-security-groups), and make sure that the security group associated with your file system has the corresponding rules. In particular, clients can't map a share at all unless the file system's security group allows inbound SMB (TCP 445) from the client's security group or CIDR range.

## The compute instance's security group lacks the required outbound rules
<a name="compute-instance-lacks-inbound-rules"></a>

Review the outbound rules specified in [Amazon VPC Security Groups](limit-access-security-groups.md#fsx-vpc-security-groups), and make sure that the security group associated with your compute instance has the corresponding outbound rules.

## Compute instance not joined to an Active Directory
<a name="fs-not-joined-to-ad"></a>

Your compute instances must be joined to one of two types of Active Directory:
+ The AWS Managed Microsoft AD directory to which your file system is joined.
+ A Microsoft Active Directory that has a one-way forest trust relationship established with the AWS Managed Microsoft AD directory.

Verify that your compute instances are joined to one of these two directories. For more information, see [Using Amazon FSx with AWS Directory Service for Microsoft Active Directory](fsx-aws-managed-ad.md).

## The file share doesn't exist
<a name="file-share-doesnt-exist"></a>

The Microsoft Windows file share that you're attempting to access doesn't exist.

If you're using an existing file share, make sure that the file system DNS name and the share name are correctly specified. To manage your file shares, see [Creating, updating, removing file shares](managing-file-shares.md).

## Active Directory user lacks required permissions
<a name="ad-user-lacks-permission"></a>

The Active Directory user that you're accessing the file share as lacks the necessary access permissions.

Make sure that the access permissions for the file share and Windows access control lists (ACLs) for the shared folder allow access to the Active Directory users that need to access it.

## Allow Full control NTFS ACL permissions removed
<a name="removed-allow-full-control"></a>

If you remove **Allow Full control** NTFS ACL permissions for the SYSTEM user on a folder that you shared, that share can become inaccessible and any file system backups taken from that point onwards may not be usable.

You will need to re-create the affected file share. For more information, see [Creating, updating, removing file shares](managing-file-shares.md). After you recreate the folder or share, you can map and use the Windows file shares from your compute instances.
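The following PowerShell script is an added example, not part of the Amazon FSx documentation. It reports, for each share you name, whether `NT AUTHORITY\SYSTEM` still holds an Allow Full control NTFS entry on the shared folder, so you can catch the condition before it shows up as an inaccessible share or an unusable backup. It assumes a domain-joined Windows client that can reach the file system over SMB; `$FileSystemDnsName` and `$ShareName` are placeholders you supply.

```powershell
# Added example (not from the Amazon FSx user guide): find shares on which NT AUTHORITY\SYSTEM
# no longer holds an Allow Full control NTFS entry. Run from a domain-joined Windows client
# that can reach the file system over SMB. $FileSystemDnsName and $ShareName are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$FileSystemDnsName,
    [Parameter(Mandatory = $true)][string[]]$ShareName
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($name in $ShareName) {
    $path = "\\$FileSystemDnsName\$name"
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
    } catch {
        Write-Warning "$path : cannot read ACL ($($_.Exception.Message))"
        continue
    }

    # Explicit or inherited Allow ACEs for SYSTEM that carry every bit of FullControl.
    # Generic-rights ACEs that Get-Acl reports as raw numbers are not counted.
    $ok = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.FileSystemRights.HasFlag($fullControl)
    }

    [pscustomobject]@{
        Share             = $path
        SystemFullControl = [bool]$ok     # $false means the share must be re-created
        Owner             = $acl.Owner
    }
}
```

A share that reports `SystemFullControl = False` is the case this section describes; re-create it rather than trying to add the ACE back, because backups taken since the ACE was removed may already be unusable.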

## Can't access a file system using an on-premises client
<a name="non-private-ips-onprem"></a>

You're using your Amazon FSx file system from on-premises using Direct Connect or VPN, and you're using a non-private IP address range for the on-premises client.

Amazon FSx only supports access from on-premises clients with non-private IP addresses on file systems created after December 17, 2020.

If you need to access your FSx for Windows File Server file system that was created before December 17, 2020 using a non-private IP address range, you can create a new file system by restoring a backup of the file system. For more information, see [Protecting your data with backups](using-backups.md).

## New file system is not registered in DNS
<a name="fs-dns-not-registered"></a>

For a file system joined to a self-managed Active Directory, Amazon FSx doesn't register the file system's DNS name at creation when your network uses a DNS service other than Microsoft DNS.

Amazon FSx does not register file systems in DNS if your network uses a third-party DNS service instead of Microsoft DNS. You must manually set up DNS A entries for your Amazon FSx file systems. For Single-AZ 1 file systems, you will need to add one DNS A entry; for Single-AZ 2 and Multi-AZ file systems, you will need to add two DNS A entries. Use the following procedure to obtain the file system IP address or addresses to use when manually adding the DNS A entries. 

1. In the [Amazon FSx console](https://console.aws.amazon.com/fsx/), choose the file system that you want to obtain the IP address of to display the file system details page.

1. In the **Network & security** tab do one of the following:
   + For a Single-AZ 1 file system:
     + In the **Subnet** panel, choose the elastic network interface shown under **Network interface** to open the **Network Interfaces** page in the Amazon EC2 console.
     + The IP address for the Single-AZ 1 file system to use is shown in the **Primary private IPv4 IP** column.
   + For a Single-AZ 2 or Multi-AZ file system:
     + In the **Preferred subnet** panel, choose the elastic network interface shown under **Network interface** to open the **Network Interfaces** page in the Amazon EC2 console.
     + The IP address for the preferred subnet to use is shown in the **Secondary private IPv4 IP** column.
     + In the Amazon FSx **Standby subnet** panel, choose the elastic network interface shown under **Network interface** to open the **Network Interfaces** page in the Amazon EC2 console.
     + The IP address for the standby subnet to use is shown in the **Secondary private IPv4 IP** column.
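The following PowerShell script is an added example, not part of the Amazon FSx documentation. It derives the same addresses as the console procedure above from the file system's deployment type and network interfaces using the AWS CLI, and then compares them with what the client's resolver currently returns for the file system's DNS name. It assumes AWS CLI v2 with credentials allowed to call `fsx:DescribeFileSystems` and `ec2:DescribeNetworkInterfaces`; `$FileSystemId` is a placeholder you supply.

```powershell
# Added example (not from the Amazon FSx user guide): derive the DNS A records that a
# third-party DNS service needs for an FSx for Windows File Server file system and
# compare them with what this client currently resolves.
# Assumes AWS CLI v2 with credentials allowed to call fsx:DescribeFileSystems and
# ec2:DescribeNetworkInterfaces. $FileSystemId is a placeholder you supply.
param(
    [Parameter(Mandatory = $true)][string]$FileSystemId
)

$fs = (aws fsx describe-file-systems --file-system-ids $FileSystemId --output json |
       ConvertFrom-Json).FileSystems[0]
if (-not $fs) { throw "File system $FileSystemId not found" }

$deploymentType = $fs.WindowsConfiguration.DeploymentType   # SINGLE_AZ_1, SINGLE_AZ_2 or MULTI_AZ_1
$dnsName        = $fs.DNSName

# One ENI for Single-AZ 1; preferred and standby ENIs for Single-AZ 2 and Multi-AZ
$enis = (aws ec2 describe-network-interfaces --network-interface-ids $fs.NetworkInterfaceIds --output json |
         ConvertFrom-Json).NetworkInterfaces

$records = foreach ($eni in $enis) {
    $ip = if ($deploymentType -eq 'SINGLE_AZ_1') {
        # Single-AZ 1: the file server answers on the ENI's primary private IPv4 address
        ($eni.PrivateIpAddresses | Where-Object { $_.Primary }).PrivateIpAddress
    } else {
        # Single-AZ 2 / Multi-AZ: the file server address is the ENI's secondary private IPv4 address
        ($eni.PrivateIpAddresses | Where-Object { -not $_.Primary }).PrivateIpAddress
    }
    [pscustomobject]@{
        Name             = $dnsName
        Type             = 'A'
        Address          = $ip
        NetworkInterface = $eni.NetworkInterfaceId
        Subnet           = $eni.SubnetId
    }
}

# Sanity check: one record for Single-AZ 1, two for Single-AZ 2 and Multi-AZ
$records  = @($records)
$expected = if ($deploymentType -eq 'SINGLE_AZ_1') { 1 } else { 2 }
if ($records.Count -ne $expected -or ($records.Address -contains $null)) {
    throw "Derived $($records.Count) address(es) for a $deploymentType file system, expected $expected; inspect the ENIs in the EC2 console"
}

"A records to create in your DNS service:"
$records | Format-Table -AutoSize

# What does this client's resolver return today? Missing addresses mean the records still
# need to be added (or the client's cache flushed with 'ipconfig /flushdns').
$resolved = @(Resolve-DnsName -Name $dnsName -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress)
$missing  = $records.Address | Where-Object { $resolved -notcontains $_ }
if ($missing) { Write-Warning "Not yet resolvable from this client: $($missing -join ', ')" }
else          { "$dnsName already resolves to all expected addresses" }
```

Run it from a client that uses the same DNS servers as your other domain members, so the final comparison reflects what real clients will see. The script only reads from AWS and DNS; creating the A records in your DNS service is still a manual step.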

## Can't access the file system using a DNS alias
<a name="cant-connect-using-dns-alias"></a>

If you're unable to access a file system using a DNS alias, use the following procedure to troubleshoot the issue.

1. Verify that the alias is associated with the file system using either of the following methods:

   1. **Using the Amazon FSx console** – Choose the file system that you're trying to access. On the **File system details** page, the **DNS aliases** are shown on the **Network & security** tab.

   1. **Using the CLI or API** – Use the [describe-file-system-aliases](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/fsx/describe-file-system-aliases.html) CLI command, or the [DescribeFileSystemAliases](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystemAliases.html) API operation to retrieve the aliases currently associated with the file system.

1. If the DNS alias is not listed, you must associate it with the file system. For more information, see [Managing DNS aliases on existing file systems](manage-aliases-existing-fs.md).

1. If the DNS alias is associated with the file system, verify that you've also configured the following required items:
   + Created service principal names (SPNs) corresponding to the DNS alias on your Amazon FSx file system's Active Directory computer object.

     For more information, see [Configure service principal names (SPNs) for Kerberos](step2-configure-spn-kerberos.md).
   + Created a DNS CNAME record for the DNS alias that resolves to the default DNS name of the Amazon FSx file system.

     For more information, see [Update or create a DNS CNAME record](step4-configure-dns-cname.md).

1. If you created valid SPNs and a DNS CNAME record, verify that the client's DNS has the DNS CNAME record that resolves to the correct file system.

   1. Run `nslookup` to confirm that the record exists and that it resolves to the file system's default DNS name.

   1. If the DNS CNAME resolves to another file system, wait for the client's DNS cache to refresh, and then check the CNAME record again. You can accelerate the process by flushing the client's DNS cache using the following command.

      ```
      ipconfig /flushdns
      ```

1. If the DNS CNAME record resolves to the Amazon FSx file system's default DNS, and the client is still unable to access the file system, see [You can't access your file system](#unable-to-access) for additional troubleshooting steps.
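The following PowerShell script is an added example, not part of the Amazon FSx documentation. It runs the checks in the procedure above in one pass: alias association and state via the AWS CLI, the CNAME as seen from the client, and the `HOST/` service principal names for the alias on the file system's Active Directory computer object (the SPNs that the linked "Configure service principal names" step creates; their exact form is assumed here). It assumes AWS CLI v2 with permission to call `fsx:DescribeFileSystems` and `fsx:DescribeFileSystemAliases`, and a domain-joined client with the ActiveDirectory RSAT module; `$FileSystemId` and `$Alias` are placeholders.

```powershell
# Added example (not from the Amazon FSx user guide): check the three things a DNS alias needs
# in order to work: association with the file system, a CNAME to the file system's default DNS
# name, and HOST/ SPNs for the alias on the file system's computer object.
# Assumes AWS CLI v2 and the ActiveDirectory module. $FileSystemId and $Alias are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$FileSystemId,
    [Parameter(Mandatory = $true)][string]$Alias        # fully qualified, e.g. financials.corp.example.com
)
Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[string]]::new()

$fs = (aws fsx describe-file-systems --file-system-ids $FileSystemId --output json |
       ConvertFrom-Json).FileSystems[0]
$fsDnsName = $fs.DNSName

# 1. Is the alias associated with the file system, and is it AVAILABLE?
$aliases = (aws fsx describe-file-system-aliases --file-system-id $FileSystemId --output json |
            ConvertFrom-Json).Aliases
$match = $aliases | Where-Object { $_.Name -ieq $Alias }
if (-not $match) {
    $findings.Add("Alias $Alias is not associated with $FileSystemId")
} elseif ($match.Lifecycle -ne 'AVAILABLE') {
    $findings.Add("Alias $Alias is in state $($match.Lifecycle), not AVAILABLE")
}

# 2. Does the CNAME, as this client resolves it, point at the file system's default DNS name?
$cname = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' }
if (-not $cname) {
    $findings.Add("No CNAME record for $Alias (if it was just created, run 'ipconfig /flushdns' and retry)")
} elseif ($cname.NameHost -ine $fsDnsName) {
    $findings.Add("CNAME for $Alias points to $($cname.NameHost), expected $fsDnsName")
}

# 3. Are HOST/<short name> and HOST/<fqdn> registered on the file system's computer object?
#    Without them Kerberos authentication to the alias name fails.
$shortName = $Alias.Split('.')[0]
$computer  = Get-ADComputer -Filter "DNSHostName -eq '$fsDnsName'" -Properties servicePrincipalName
if (-not $computer) {
    $findings.Add("No computer object with DNSHostName $fsDnsName found in this domain")
} else {
    $required = @("HOST/$shortName", "HOST/$Alias")
    $missing  = $required | Where-Object { $computer.servicePrincipalName -notcontains $_ }
    if ($missing) { $findings.Add("SPNs missing on $($computer.Name): $($missing -join ', ')") }
}

if ($findings.Count -eq 0) { "Alias $Alias passes all checks" } else { $findings | ForEach-Object { Write-Warning $_ } }
```

If all three checks pass and clients still can't connect, the problem is not alias-specific; continue with the other causes listed under [You can't access your file system](#unable-to-access).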

## Can't access the file system using an IP address
<a name="cant-connect-using-ip-address"></a>

If you're unable to access your file system using an IP address, try using the DNS name or associated DNS alias instead.

You can find the file system's DNS name and any associated DNS aliases on the [Amazon FSx console](https://console.aws.amazon.com/fsx) by choosing **Windows File Server**, **Network & security**. Or, you can find them in the response of the [CreateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystem.html) or [DescribeFileSystems](https://docs.aws.amazon.com/fsx/latest/APIReference/API_DescribeFileSystems.html) API operation. For more information about using DNS aliases, see [Managing DNS aliases](managing-dns-aliases.md).
+ For a Single-AZ file system joined to an AWS Managed Microsoft Active Directory, the DNS name looks like the following.

  ```
  fs-0123456789abcdef0.ad-domain.com
  ```
+ For all Multi-AZ file systems, and Single-AZ file systems joined to a self-managed Active Directory, the DNS name looks like the following.

  ```
  amznfsxaa11bb22.ad-domain.com
  ```

# Creating a new Amazon FSx file system fails
<a name="unable-to-create-fs"></a>

There are a number of potential causes when a file system creation request fails, as described in the following sections.

**Topics**
+ [Misconfigured VPC security group and network ACLs](#network-acls-sg-config)
+ [Duplicate file system administrators group names](#w2aac37c11c15)
+ [DNS servers or domain controllers unreachable](#w2aac37c11c17)
+ [Invalid service account credentials](#w2aac37c11c19)
+ [Amazon FSx can't access your Active Directory service account credentials in AWS Secrets Manager](#fsx-cant-access-ad-account-creds)
+ [Insufficient service account permissions](#w2aac37c11c23)
+ [Service account capacity exceeded](#w2aac37c11c25)
+ [Amazon FSx can't access the organizational unit (OU)](#w2aac37c11c27)
+ [Service account can't access the administrators group](#w2aac37c11c29)
+ [Amazon FSx lost connectivity in domain](#w2aac37c11c31)
+ [Service account does not have correct permissions](#w2aac37c11c33)
+ [Unicode characters used in creation parameters](#w2aac37c11c35)
+ [Switching storage type to HDD while restoring a backup fails](#create-fs-from-backup-fails)

## Misconfigured VPC security group and network ACLs
<a name="network-acls-sg-config"></a>

Make sure that the VPC security groups and network ACLs are configured using the recommended security group configuration. For more information, see [Creating security groups](limit-access-security-groups.md#vpc-sg-step6).

## Duplicate file system administrators group names
<a name="w2aac37c11c15"></a>

Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
File system creation failed. Amazon FSx is unable to apply your Microsoft Active Directory configuration with the 
specified file system administrators group. Please ensure that your Active Directory does not contain multiple domain 
groups with the name: domain_group.
```

Amazon FSx did not create the file system because there are multiple administrator groups in the domain with the same name.

If you don't specify a group name, Amazon FSx will attempt to use the default value "Domain Admins" as the administrator group. The request will fail if there is more than one group using the default "Domain Admins" name.

Use the following steps to resolve the issue.

1. Review the [prerequisites](self-managed-AD.md#self-manage-prereqs) for joining your file system to your self-managed Active Directory.

1. Use the [Amazon FSx Active Directory Validation Tool](validate-ad-config.md) to validate your self-managed Active Directory configuration prior to creating an FSx for Windows File Server file system that's joined to a self-managed Active Directory.

1. Create a new file system using the AWS Management Console or AWS CLI. For more information, see [Joining an Amazon FSx file system to a self-managed Microsoft Active Directory domain](creating-joined-ad-file-systems.md).

1. Provide a name for the file system administrator group that is unique in the domain for your self-managed Active Directory.

## DNS servers or domain controllers unreachable
<a name="w2aac37c11c17"></a>

Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
Amazon FSx can't reach the DNS servers provided or the domain controllers for your self-managed directory in Microsoft Active Directory. 
File system creation failed. Amazon FSx is unable to communicate with your Microsoft Active Directory domain controllers. 
This is because Amazon FSx can't reach the DNS servers provided or domain controllers for your domain. 
To fix this problem, delete your file system and create a new one with valid DNS servers and networking configuration that allows 
traffic from the file system to the domain controller.
```

Use the following steps to troubleshoot and resolve the issue.

1. Verify that you followed the prerequisites for having network connectivity and routing established between the subnet where you're creating an Amazon FSx file system, and your self-managed Active Directory. For more information, see [Prerequisites](self-managed-AD.md#self-manage-prereqs).

   Use the [Amazon FSx Active Directory Validation tool](validate-ad-config.md) to test and verify these network settings.
**Note**  
If you have multiple Active Directory sites defined, ensure that the subnets in the VPC associated with your Amazon FSx file system are defined in an Active Directory site and that no IP conflicts exist between the subnets in your VPC and the subnets in your other sites. You can view and change these settings using the Active Directory Sites and Services MMC snap-in.

1. Verify that you configured the VPC security groups that you associated with your Amazon FSx file system, along with any VPC network ACLs, to allow outbound network traffic on all ports.
**Note**  
If you want to implement least privilege, you can allow outbound traffic only to the specific ports required for communication with the Active Directory domain controllers. For more information, see the [Microsoft Active Directory documentation](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts).

1. Verify that the values for the Microsoft Windows file server and network administrative properties contain only plain ASCII characters (no accented letters or other non-Latin characters). For example, file system creation fails if you use `Domänen-Admins` as the name of the file system administrators group.

1.  Verify that your Active Directory domain's DNS servers and domain controllers are active and able to respond to requests for the domain provided.

1.  Ensure that the functional level of your Active Directory domain is Windows Server 2008 R2 or higher.

1.  Make sure that the firewall rules on your Active Directory domain's domain controllers allow traffic from your Amazon FSx file system. For more information, see the [Microsoft Active Directory documentation](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts). 
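The following PowerShell script is an added example, not part of the Amazon FSx documentation and not the Amazon FSx Active Directory Validation Tool. Run it from a Windows EC2 instance placed in the subnet and security group you intend to use for the file system: it asks each DNS server you will pass to Amazon FSx for the domain's domain controller SRV records, then probes every discovered domain controller on the TCP ports a domain member needs (taken from the Microsoft firewall article linked above). `$DomainName` and `$DnsServerIps` are placeholders.

```powershell
# Added example (not from the Amazon FSx user guide): from an EC2 instance in the planned
# FSx subnet/security group, check that the DNS servers answer for the domain and that every
# domain controller is reachable on the TCP ports a domain member needs.
# $DomainName and $DnsServerIps are placeholders you supply.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,       # e.g. corp.example.com
    [Parameter(Mandatory = $true)][string[]]$DnsServerIps    # the DNS server IPs you will give Amazon FSx
)

# TCP ports from the Microsoft article on firewalls for domains and trusts. UDP (53, 88, 123, 389)
# and the RPC dynamic range 49152-65535 can't be proved open with a TCP probe; confirm those in
# the security group and network ACL rules instead.
$dcPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269, 9389

$results = foreach ($dns in $DnsServerIps) {
    # Each DNS server must be reachable and must know where the domain's DCs are
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $dns -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        [pscustomobject]@{
            DnsServer = $dns; DomainController = '-'; Port = '-'; Ok = $false
            Note      = 'no DC SRV records: DNS server unreachable, or not authoritative for the domain'
        }
        continue
    }
    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        foreach ($port in $dcPorts) {
            $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ DnsServer = $dns; DomainController = $dc; Port = $port; Ok = $tcp.TcpTestSucceeded; Note = '' }
        }
    }
}

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -eq 0) { "All domain controllers reachable on all tested TCP ports via every DNS server" }
else                     { $failed | Format-Table -AutoSize }
```

A failure on a single port for a single domain controller is enough to make creation fail intermittently, because Amazon FSx may pick any domain controller the DNS servers return; fix the security group, network ACL, route, or domain controller firewall rule for every entry the script lists.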

## Invalid service account credentials
<a name="w2aac37c11c19"></a>

Creating a file system joined to a self-managed Active Directory fails with the following error message:

```
Amazon FSx is unable to establish a connection with your Microsoft Active Directory domain controllers 
because the service account credentials provided are invalid. To fix this problem, delete your file 
system and create a new one using a valid service account.
```

Use the following steps to troubleshoot and resolve the issue.

**Case 1: If you are using an AWS Secrets Manager secret to store your Active Directory credentials**

1. Review [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD.md#bp-store-ad-creds-using-secret-manager-windows).

1. Verify that the secret ARN is correct and follows the proper format: `arn:aws:secretsmanager:region:account-id:secret:secret-name-6chars`.

1. Verify that the secret contains both required fields with non-empty values:
   + `CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME` – Your AD service account username.
   + `CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD` – Your AD service account password.

1. Verify that the secret's resource-based policy grants the Amazon FSx service principal `fsx.amazonaws.com` permission to retrieve the secret value, and, if the secret is encrypted with a customer managed AWS KMS key, that the key policy also allows `fsx.amazonaws.com` to decrypt with that key.

**Case 2: If you are using plaintext credentials to join your Active Directory**

1. Verify that you're entering only the user name as input for the **Service account username**, such as `ServiceAcct`, in the self-managed Active Directory configuration. 
**Important**  
DO NOT include a domain prefix (`corp.com\ServiceAcct`) or domain suffix (`ServiceAcct@corp.com`) when entering the service account user name.  
DO NOT use the distinguished name (DN) when entering the service account user name (CN=ServiceAcct,OU=example,DC=corp,DC=com).

1. Verify that the service account that you provided exists in your Active Directory domain. 

1. Make sure that you delegated the required permissions to the service account that you provided. The service account must be able to create and delete computer objects in the OU in the domain to which you're joining the file system. The service account also needs, at a minimum, to have permissions to do the following:
   +  Reset passwords 
   +  Restrict accounts from reading and writing data 
   +  Validated ability to write to the DNS hostname 
   +  Validated ability to write to the service principal name 

    For more information about creating a service account with correct permissions, see [Amazon FSx service account](self-managed-AD.md#self-managed-AD-service-account). 

## Amazon FSx can't access your Active Directory service account credentials in AWS Secrets Manager
<a name="fsx-cant-access-ad-account-creds"></a>

The following sections describe common issues and how to resolve them.

**Joining a file system to your self-managed Active Directory fails with the following error message:**

 `You can't provide both username/password and a domain join service account secret to connect to your Active Directory. Provide only one set of credentials.` 

**To resolve this issue**

1. Choose whether you want to provide credentials stored in a Secrets Manager secret, or in plaintext.

1. When joining an Active Directory, only provide one of those parameters and not both.

**Joining a file system to your self-managed Active Directory fails with the following error message:**

 `The domain join service account secret ARN format you entered isn't valid. Use the format: arn:partition:secretsmanager:region:account-id:secret:secret-name-6chars` 

**To resolve this issue**

1. Review [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD.md#bp-store-ad-creds-using-secret-manager-windows).

1. Verify that the ARN format you are entering is correct. A correct format example is `arn:aws:secretsmanager:us-east-1:123456789012:secret:MyDatabaseSecret-Ab3d5f`.

**Joining a file system to your self-managed Active Directory fails with the following error message:**

 `Amazon FSx can't access the domain join service account secret [ARN]. Add a resource permission to the secret that grants the FSx service principal (fsx.amazonaws.com) permission to access it.` 

**To resolve this issue**

1. Review [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD.md#bp-store-ad-creds-using-secret-manager-windows).

1. Verify that the Secrets Manager secret you are providing has the correct policies that allow Amazon FSx to use the secret.

**Joining a file system to your self-managed Active Directory fails with the following error message:**

 `You don't have permission to access the domain join service account secret [ARN]. A resource permission needs to be added to the secret to grant you access.` 

**To resolve this issue**
+ The Secrets Manager secret owner or administrator needs to give your account access to use this secret. For more information, see [Identity-based policies](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_iam-policies.html).

**Joining a file system to your self-managed Active Directory fails with the following error message:**

 `The domain join service account secret format or content isn't valid. Make sure the secret includes both CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME and CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD fields with non-empty values.`

**To resolve this issue**

1. Review [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD.md#bp-store-ad-creds-using-secret-manager-windows).

1. Verify that the Secrets Manager secret you are providing has both of the required fields.
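The following PowerShell script is an added example, not part of the Amazon FSx documentation. It checks a Secrets Manager secret against the three things the errors in this section and in [Invalid service account credentials](#w2aac37c11c19) complain about: the ARN format, the two required fields, and a resource policy that allows the `fsx.amazonaws.com` service principal to read the secret. It assumes AWS CLI v2 with credentials allowed to call `secretsmanager:GetSecretValue` and `secretsmanager:GetResourcePolicy`; `$SecretArn` is a placeholder, and the policy statement at the end is an assumed minimal shape, not a policy taken from the guide.

```powershell
# Added example (not from the Amazon FSx user guide): validate a Secrets Manager secret holding
# self-managed AD credentials: ARN format, required fields, and the resource policy.
# Assumes AWS CLI v2 with GetSecretValue/GetResourcePolicy permission. $SecretArn is a placeholder.
param([Parameter(Mandatory = $true)][string]$SecretArn)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. ARN shape: arn:partition:secretsmanager:region:account-id:secret:secret-name-6chars
if ($SecretArn -notmatch '^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+-[A-Za-z0-9]{6}$') {
    $findings.Add("ARN '$SecretArn' doesn't match arn:partition:secretsmanager:region:account-id:secret:secret-name-6chars")
}

# 2. Secret contents: both keys present with non-empty values, user name as a bare account name
$secret = aws secretsmanager get-secret-value --secret-id $SecretArn --query SecretString --output text |
          ConvertFrom-Json
foreach ($key in 'CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME', 'CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD') {
    if ([string]::IsNullOrEmpty($secret.$key)) { $findings.Add("Secret lacks a non-empty $key field") }
}
if ($secret.CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME -match '[\\@=]') {
    $findings.Add("User name must be the bare account name (no domain prefix/suffix, no DN)")
}

# 3. Resource policy: an Allow for the fsx.amazonaws.com service principal on GetSecretValue.
#    The CLI prints 'None' for a secret that has no resource policy.
$policyJson = aws secretsmanager get-resource-policy --secret-id $SecretArn --query ResourcePolicy --output text
if ([string]::IsNullOrWhiteSpace($policyJson) -or $policyJson -eq 'None') {
    $findings.Add("Secret has no resource policy, so Amazon FSx can't retrieve it")
} else {
    $grant = @(($policyJson | ConvertFrom-Json).Statement) | Where-Object {
        $_.Effect -eq 'Allow' -and
        (@($_.Principal.Service) -contains 'fsx.amazonaws.com') -and
        (@($_.Action) | Where-Object { $_ -in 'secretsmanager:GetSecretValue', 'secretsmanager:*' })
    }
    if (-not $grant) { $findings.Add("Resource policy has no Allow for fsx.amazonaws.com on secretsmanager:GetSecretValue") }
}

if ($findings.Count -eq 0) { "Secret $SecretArn passes all checks" } else { $findings | ForEach-Object { Write-Warning $_ } }

# Assumed minimal resource policy of the shape the check above looks for. Save it to a file and
# apply it with:
#   aws secretsmanager put-resource-policy --secret-id $SecretArn --resource-policy file://fsx-secret-policy.json
$examplePolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "fsx.amazonaws.com" },
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "*"
  }]
}
'@
```

The script checks only the secret's own policy. If the secret is encrypted with a customer managed AWS KMS key, the key policy must also let `fsx.amazonaws.com` decrypt, and if the caller gets an access-denied error on `get-secret-value`, that is the fourth error in this section (your own identity lacks permission) rather than an Amazon FSx problem.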

## Insufficient service account permissions
<a name="w2aac37c11c23"></a>

 Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
Amazon FSx is unable to establish a connection with your
Microsoft Active Directory domain controllers. This is because the service account provided does not 
have permission to join the file system to the domain with the specified organizational unit. 
To fix this problem, delete your file system and create a new one using a service account with 
permission to join the file system to the domain with the specified organizational unit.
```

Use the following procedure to troubleshoot and resolve the issue.
+ Make sure that you delegated the required permissions to the service account that you provided. The service account must be able to create and delete computer objects in the OU in the domain to which you're joining the file system. The service account also needs, at a minimum, to have permissions to do the following: 
  +  Reset passwords 
  +  Restrict accounts from reading and writing data 
  +  Validated ability to write to the DNS hostname 
  +  Validated ability to write to the service principal name 

   For more information about creating a service account with correct permissions, see [Amazon FSx service account](self-managed-AD.md#self-managed-AD-service-account). 

## Service account capacity exceeded
<a name="w2aac37c11c25"></a>

 Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
Amazon FSx can't establish a connection with your Microsoft Active Directory
domain controllers. This is because the service account provided has reached the
maximum number of computers that it can join to the domain. To fix this problem,
delete your file system and create a new one, supplying a service account that
is able to join new computers to the domain.
```

To resolve the issue, check whether the service account you provided has reached the maximum number of computers it can join to the domain. If it has, create a new service account with the correct permissions, and use the new service account to create a new file system. For more information, see [Amazon FSx service account](self-managed-AD.md#self-managed-AD-service-account).

## Amazon FSx can't access the organizational unit (OU)
<a name="w2aac37c11c27"></a>

Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
Amazon FSx can't establish a connection with your Microsoft Active Directory domain controller(s). 
This is because the organizational unit you specified either doesn't exist or isn't accessible 
to the service account provided. To fix this problem, delete your file system and create a new one specifying an 
organizational unit to which the service account can join the file system.
```

 Use the following steps to troubleshoot and resolve the issue. 

1.  Verify that the OU you provided is in your Active Directory domain. 

1. Make sure that you have delegated the required permissions to the service account that you provided. The service account must be able to create and delete computer objects in the OU in the domain that you're joining the file system to. The service account also needs to have, at a minimum, permissions to do the following: 
   +  Reset passwords 
   +  Restrict accounts from reading and writing data 
   +  Validated ability to write to the DNS hostname 
   +  Validated ability to write to the service principal name 
   + Be delegated control to create and delete computer objects
   + Validated ability to read and write Account Restrictions

    For more information about creating a service account with the correct permissions, see [Amazon FSx service account](self-managed-AD.md#self-managed-AD-service-account). 

## Service account can't access the administrators group
<a name="w2aac37c11c29"></a>

Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
Amazon FSx is unable to apply your Microsoft Active Directory configuration. This is because the file system 
administrators group you provided either doesn't exist or isn't accessible to the service account you 
provided. To fix this problem, delete your file system and create a new one specifying a file 
system administrators group in the domain that is accessible to the service account 
provided.
```

Use the following steps to troubleshoot and resolve the issue.

1.  Ensure that you’re providing just the name of the group as a string for the administrators group parameter. 
**Important**  
 DO NOT include a domain prefix (`corp.com\FSxAdmins`) or domain suffix (`FSxAdmins@corp.com`) when providing the group name parameter.   
 DO NOT use the distinguished name (DN) for the group. An example of a distinguished name is CN=FSxAdmins,OU=example,DC=corp,DC=com. 

1. Ensure that the administrators group provided exists in the same Active Directory domain as the one that you want to join the file system to.

1.  If you did not provide an administrator group parameter, Amazon FSx attempts to use the `Builtin Domain Admins` group in your Active Directory domain. If the name of this group has been changed, or if you’re using a different group for domain administration, you need to provide that name for the group. 
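The following PowerShell script is an added example, not part of the Amazon FSx documentation and not the Amazon FSx Active Directory Validation Tool. It runs, against your self-managed Active Directory, the object-level checks behind the failures in this and the preceding sections ([Duplicate file system administrators group names](#w2aac37c11c15), [Invalid service account credentials](#w2aac37c11c19), [Amazon FSx can't access the organizational unit (OU)](#w2aac37c11c27) and this section): bare-name and ASCII-only parameter values, an existing service account, exactly one group with the administrators group name, an existing OU, and the delegated rights the service account holds on that OU. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module; the three parameters are placeholders, and the schema and rights GUIDs are the standard well-known values (confirm them against your schema if in doubt).

```powershell
# Added example (not from the Amazon FSx user guide): pre-flight checks on the self-managed
# Active Directory objects that file system creation depends on. Run from a domain-joined
# Windows host with the ActiveDirectory RSAT module. All three parameters are placeholders.
# Caveat: the ACL check only sees ACEs granted directly to the account, not through a group.
param(
    [Parameter(Mandatory = $true)][string]$ServiceAccountUserName,   # bare sAMAccountName, e.g. ServiceAcct
    [Parameter(Mandatory = $true)][string]$OrganizationalUnit,       # DN, e.g. OU=FSx,DC=corp,DC=example,DC=com
    [string]$FileSystemAdministratorsGroup = 'Domain Admins'         # default Amazon FSx uses if none is given
)
Import-Module ActiveDirectory
$findings = [System.Collections.Generic.List[string]]::new()

# Parameter values must be bare names (no domain prefix/suffix, no DN) and plain ASCII
foreach ($value in $ServiceAccountUserName, $FileSystemAdministratorsGroup) {
    if ($value -match '[\\@=]')       { $findings.Add("'$value' must be a bare name, not domain\name, name@domain or a DN") }
    if ($value -match '[^\x00-\x7F]') { $findings.Add("'$value' contains non-ASCII characters, which file system creation rejects") }
}

# Service account exists
$svc = Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccountUserName'"
if (-not $svc) { $findings.Add("Service account '$ServiceAccountUserName' not found") }

# Exactly one group with the administrators group name may exist in the domain
$groups = @(Get-ADGroup -Filter "Name -eq '$FileSystemAdministratorsGroup'")
if ($groups.Count -eq 0)     { $findings.Add("Group '$FileSystemAdministratorsGroup' not found") }
elseif ($groups.Count -gt 1) { $findings.Add("$($groups.Count) groups named '$FileSystemAdministratorsGroup' exist; choose a name that is unique in the domain") }

# OU exists, and the service account holds the delegated rights on it
$ou = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$OrganizationalUnit'"
if (-not $ou) {
    $findings.Add("OU '$OrganizationalUnit' not found")
} elseif ($svc) {
    # Well-known schema class and rights GUIDs (assumed standard; confirm with Get-ADObject against your schema)
    $required = @(
        @{ Name = 'Create and delete computer objects'; Guid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'; Rights = 'CreateChild, DeleteChild' }
        @{ Name = 'Reset password';                     Guid = [guid]'00299570-246d-11d0-a768-00aa006e0529'; Rights = 'ExtendedRight' }
        @{ Name = 'Validated write to DNS host name';  Guid = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'; Rights = 'Self' }
        @{ Name = 'Validated write to SPN';             Guid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'; Rights = 'Self' }
        @{ Name = 'Read/write Account Restrictions';    Guid = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'; Rights = 'ReadProperty, WriteProperty' }
    )
    $aces = (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$($svc.SamAccountName)" }
    foreach ($req in $required) {
        $mask = [System.DirectoryServices.ActiveDirectoryRights]$req.Rights
        # An ACE satisfies the requirement if it names this right/class, or applies to everything
        # (empty ObjectType, as with Full control), and carries at least one of the required rights
        $hit = $aces | Where-Object {
            ($_.ObjectType -eq $req.Guid -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.ActiveDirectoryRights -band $mask) -ne 0)
        }
        if (-not $hit) { $findings.Add("'$ServiceAccountUserName' lacks '$($req.Name)' on $OrganizationalUnit") }
    }
}

if ($findings.Count -eq 0) { "All checks passed" } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Because the ACL check matches only ACEs whose trustee is the service account itself, a right delegated to a group the account belongs to is reported as missing; in that case inspect the OU's ACL for that group. Running the checks as the service account itself is the most faithful test, since that is the identity Amazon FSx will use.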

## Amazon FSx lost connectivity in domain
<a name="w2aac37c11c31"></a>

Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
Amazon FSx is unable to apply your Microsoft Active Directory configuration. To fix this problem, delete your file system and create a new one 
meeting the pre-requisites described in the Amazon FSx user guide.
```

 When creating your file system, Amazon FSx was able to reach your Active Directory domain’s DNS servers and domain controllers, and join the file system successfully to your Active Directory domain. However, while completing file system creation, Amazon FSx lost connectivity to or membership in your domain. Use the following steps to troubleshoot and resolve the issue.

1.  Ensure that network connectivity continues to exist between your Amazon FSx file system and your Active Directory. And, ensure that network traffic continues to be allowed between them by using routing rules, VPC security group rules, VPC network ACLs, and domain controller firewall rules. 

1.  Ensure that the computer objects created by Amazon FSx for your file systems in your Active Directory domain are still active, and were not deleted or otherwise manipulated.

## Service account does not have correct permissions
<a name="w2aac37c11c33"></a>

Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
File system creation failed. Amazon FSx is unable to establish a connection with your Microsoft Active Directory domain controller(s). 
This is because the service account provided does not have permission to join the file system to the domain with the specified 
organizational unit (OU). To fix this problem, delete your file system and create a new one using a service account with permission 
to create computer objects and reset passwords within the specified organizational unit.
```

Make sure that you have delegated the required permissions to the service account that you provided. Use the following steps to troubleshoot and resolve the issue.

The service account needs to have, at a minimum, the following permissions: 
+ Be delegated control to create and delete computer objects in the OU that you’re joining the file system to
+ Have the following permissions in the OU that you’re joining the file system to:
  + Ability to reset passwords
  + Ability to restrict accounts from reading and writing data
  + Validated ability to write to the DNS hostname 
  + Validated ability to write to the service principal name 
  + Ability (can be delegated) to create and delete computer objects
  + Validated ability to read and write Account Restrictions
  + Ability to modify permissions

For more information about creating a service account with the correct permissions, see [Amazon FSx service account](self-managed-AD.md#self-managed-AD-service-account).

## Unicode characters used in creation parameters
<a name="w2aac37c11c35"></a>

 Creating a file system joined to your self-managed Active Directory fails with the following error message:

```
File system creation failed. Amazon FSx is unable to create a file system within the specified
Microsoft Active Directory. To fix this problem, please delete your file system and create a new one
meeting the pre-requisites described in the FSx for ONTAP User Guide.
```

Amazon FSx does not support Unicode characters in file system creation parameters. Verify that none of the creation parameters contain Unicode characters, such as accented letters. This includes parameters that you can leave blank, because a default value is then filled in automatically; ensure that the corresponding default values in your Active Directory also do not contain Unicode characters.

## Switching storage type to HDD while restoring a backup fails
<a name="create-fs-from-backup-fails"></a>

Creating a file system from a backup fails with the following error message:

`Switching storage type to HDD while creating a file system from backup backup_id is not supported because a storage scaling activity was still under way on the source file system to increase storage capacity from less than 2000 GiB when the backup backup_id was taken, and the minimum storage capacity for HDD storage is 2000 GiB.`

This issue occurs when restoring a backup and you have changed the storage type from SSD to HDD. The restore from backup fails because the backup that you are restoring was taken while a storage capacity increase was still in progress on the original file system. The file system's SSD storage capacity before the increase request was less than 2000 GiB, which is the minimum storage capacity required to create an HDD file system. 

Use the following procedure to resolve this issue.

1. Wait for the storage capacity increase request to complete and for the file system to have at least 2000 GiB of SSD storage capacity. For more information, see [Monitoring storage capacity increases](monitoring-storage-capacity-increase.md).

1. Take a user-initiated backup of the file system. For more information, see [Working with user-initiated backups](using-backups.md#user-initiated-backups).

1. Restore the user-initiated backup to a new file system using HDD storage. For more information, see [Restoring backups to new file system](using-backups.md#restoring-backups).

# File system is in a misconfigured state
<a name="misconfigured-ad-config"></a>

An FSx for Windows File Server file system can get into a **Misconfigured** state due to a change in your Active Directory environment. In this state, your file system is either currently unavailable or at risk of losing availability, and backups may not succeed.

The **Misconfigured** state includes an error message and recommended corrective action that you can access using the Amazon FSx console, API, or AWS CLI. After taking the corrective action, verify that your file system's state eventually changes to `Available` – note that this change can take several minutes to complete.

Your file system can get into a **Misconfigured** state for several reasons, such as the following:
+ The DNS Server IP addresses are no longer valid.
+ The service account credentials are no longer valid, or lack required permissions.
+ The Active Directory domain controller is not reachable due to network connectivity issues, such as invalid VPC Security Groups, VPC Network ACL or routing table configuration, or domain controller firewall settings.

**Important**  
Do not move computer objects that Amazon FSx creates in the OU after your file system is created. Doing so will cause your file system to become misconfigured.

For the full list of Active Directory requirements, see [Prerequisites](self-managed-AD.md#self-manage-prereqs). You can also validate that your Active Directory environment is properly configured to meet these requirements by using the [Amazon FSx Active Directory Validation tool](validate-ad-config.md#test-ad-network-config).

Resolving some of these issues requires directly updating one or more parameters in your file system’s [Active Directory configuration](https://docs.aws.amazon.com/fsx/latest/APIReference/API_SelfManagedActiveDirectoryConfigurationUpdates.html), such as changing DNS Server IP addresses, or changing the service account username or password. In these cases, your corrective action will necessarily involve using the Amazon FSx console, API, or AWS CLI to update the required configuration parameters.

Other issues, such as incorrect domain controller firewall settings or VPC Security Groups, may not require changing any Active Directory configuration parameters. In these cases, however, you still need to take further action before the file system can become `Available`. After ensuring that your Active Directory environment is configured properly, choose the **Attempt Recovery** button next to the **Misconfigured** status in the Amazon FSx console, or call the `StartMisconfiguredStateRecovery` operation using the Amazon FSx API or AWS CLI.

**Topics**
+ [Misconfigured file system: Amazon FSx can't reach either the DNS servers or domain controllers for your domain.](#w2aac37c13c21)
+ [Misconfigured file system: The service account credentials are invalid](#w2aac37c13c23)
+ [Misconfigured file system: The AWS Secrets Manager secret or KMS key is not configured correctly](#w2aac37c13c25)
+ [Misconfigured file system: The service account provided doesn't have permission to join the file system to the domain](#w2aac37c13c27)
+ [Misconfigured file system: The service account can't join any more computers to domain](#w2aac37c13c29)
+ [Misconfigured file system: The service account doesn't have access to the OU](#w2aac37c13c31)

## Misconfigured file system: Amazon FSx can't reach either the DNS servers or domain controllers for your domain.
<a name="w2aac37c13c21"></a>

A file system will go into a `Misconfigured` state when Amazon FSx can't communicate with your Microsoft Active Directory domain controller or controllers.

To resolve this situation, do the following:

1. Make sure that your networking configuration allows traffic from the file system to the domain controller.

1. Use the [Amazon FSx Active Directory Validation tool](validate-ad-config.md) to test and verify the network settings for your self-managed Active Directory. For more information, see [Using a self-managed Microsoft Active Directory](self-managed-AD.md). 

1. Review the file system's self-managed Active Directory configuration in the Amazon FSx console.

1. To update the file system's self-managed Active Directory configuration, you can use the Amazon FSx console.

   1. On the navigation pane, choose **File systems**, and choose the file system to update; the **File system details** page appears.

   1. On **File system details** page, choose **Update** on the **Networking and security** tab.

   You can also use the AWS CLI `update-file-system` command or the API operation [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html).

## Misconfigured file system: The service account credentials are invalid
<a name="w2aac37c13c23"></a>

Amazon FSx can't establish a connection with your Microsoft Active Directory domain controller or controllers. This is because the service account credentials provided are invalid. For more information, see [Using a self-managed Microsoft Active Directory](self-managed-AD.md). 

To resolve the misconfiguration, do the following:

1. Verify that you are using the correct service account, and you are using the correct credentials for that account.

1. Then update the file system's configuration with the correct service account or account credentials using the Amazon FSx console.

   1. On the navigation pane, choose **File systems**, and choose the misconfigured file system to update.

   1. On the **File system details** page, choose **Update** in the **Networking and security** tab.

   You can also use the AWS CLI `update-file-system` command or the API operation [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) in the Amazon FSx API Reference.

## Misconfigured file system: The AWS Secrets Manager secret or KMS key is not configured correctly
<a name="w2aac37c13c25"></a>

Amazon FSx can't establish a connection with your Microsoft Active Directory domain controller or controllers. This is because your AWS Secrets Manager secret or AWS KMS key is not configured correctly. For more information, see [Storing Active Directory credentials using AWS Secrets Manager](self-managed-AD.md#bp-store-ad-creds-using-secret-manager-windows).

To resolve the misconfiguration, do the following:

1. Verify that the secret ARN is correct and follows the proper format: `arn:aws:secretsmanager:region:account-id:secret:secret-name-6chars`.

1. Verify that the secret contains both required fields with non-empty values:
   + `CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME` – Your AD service account username.
   + `CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD` – Your AD service account password.

1. Verify that the secret and the KMS key have a resource-based policy that grants the Amazon FSx service principal `fsx.amazonaws.com` permission to retrieve the secret value.
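The following offline preflight check is an added example, not Amazon FSx code: it applies the secret ARN format, the two required secret fields, the `fsx.amazonaws.com` resource-policy grant, and the no-Unicode rule for creation parameters from the previous section to sample inputs. It assumes that "permission to retrieve the secret value" corresponds to the IAM action `secretsmanager:GetSecretValue`; the ARN, secret value and policy below are constructed samples.

```python
import json
import re

USERNAME_KEY = "CUSTOMER_MANAGED_ACTIVE_DIRECTORY_USERNAME"
PASSWORD_KEY = "CUSTOMER_MANAGED_ACTIVE_DIRECTORY_PASSWORD"
FSX_PRINCIPAL = "fsx.amazonaws.com"
# Assumption: the action FSx needs to read the secret value.
GET_SECRET = "secretsmanager:GetSecretValue"

# arn:aws:secretsmanager:region:account-id:secret:secret-name-6chars
SECRET_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)*:secretsmanager:[a-z0-9-]+:\d{12}:secret:"
    r"[A-Za-z0-9/_+=.@-]+-[A-Za-z0-9]{6}$"
)

# Constructed samples (hypothetical account id, secret name and policy).
SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:fsx/ad-creds-AbCdEf"
SAMPLE_SECRET = json.dumps({USERNAME_KEY: "svc-fsx", PASSWORD_KEY: "example-only"})
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": FSX_PRINCIPAL},
    "Action": GET_SECRET, "Resource": "*"}]})


def fsx_can_read(policy_json: str) -> bool:
    """True if an Allow statement explicitly grants GetSecretValue to the FSx
    service principal (a bare "*" principal is not counted as a proper grant)."""
    try:
        statements = json.loads(policy_json).get("Statement", [])
    except (json.JSONDecodeError, AttributeError):
        return False
    for stmt in statements if isinstance(statements, list) else [statements]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        actions = stmt.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if FSX_PRINCIPAL in services and any(
                a in (GET_SECRET, "secretsmanager:*", "*") for a in actions):
            return True
    return False


def check_secret(arn: str, secret_string: str, policy_json: str) -> list:
    """Return a list of findings; an empty list means the secret looks usable."""
    findings = []
    if not SECRET_ARN_RE.match(arn):
        findings.append("secret ARN does not match the expected format")
    try:
        fields = json.loads(secret_string)
    except json.JSONDecodeError:
        fields = None
    if not isinstance(fields, dict):
        return findings + ["secret value is not a JSON object"]
    for key in (USERNAME_KEY, PASSWORD_KEY):
        value = fields.get(key)
        if not isinstance(value, str) or not value:
            findings.append(f"{key} is missing or empty")
        elif not value.isascii():
            # Creation parameters must not contain Unicode (non-ASCII) characters.
            findings.append(f"{key} contains non-ASCII characters")
    if not fsx_can_read(policy_json):
        findings.append(f"resource policy does not allow {FSX_PRINCIPAL} to {GET_SECRET}")
    return findings
```

Run `check_secret` against the ARN, the secret string and the resource policy you retrieved from your account; any finding it returns points at one of the three verification steps above.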

## Misconfigured file system: The service account provided doesn't have permission to join the file system to the domain
<a name="w2aac37c13c27"></a>

Amazon FSx can't establish a connection to your Microsoft Active Directory domain controllers. This is because the service account provided doesn't have permission to join the file system to the domain with the specified OU. 

To resolve the misconfiguration, do the following:

1. Add the required permissions to the Amazon FSx service account, or create a new service account with the required permissions. For more information about doing this, see [Amazon FSx service account](self-managed-AD.md#self-managed-AD-service-account).

1. Then update the file system's self-managed Active Directory configuration with the new service account credentials. To update the configuration, you can use the Amazon FSx console. 

   1. On the navigation pane, choose **File systems**, and choose the file system to update; the **File system details** page appears.

   1. On **File system details** page, choose **Update** on the **Networking and security** tab. 

   You can also use the AWS CLI `update-file-system` command or the API operation [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) in the Amazon FSx API Reference.

## Misconfigured file system: The service account can't join any more computers to domain
<a name="w2aac37c13c29"></a>

Amazon FSx can't establish a connection to your Microsoft Active Directory domain controllers. In this case, this is because the service account provided has reached the maximum number of computers that it can join to the domain. 

To resolve the misconfiguration, do the following:

1. Identify another service account or create a new service account that can join new computers to the domain.

1. Then update the file system's self-managed Active Directory configuration with the new service account credentials using the Amazon FSx console.

   1. On the navigation pane, choose **File systems**, and choose the file system to update; the **File system details** page appears.

   1. On **File system details** page, choose **Update** on the **Networking and security** tab.

   You can also use the AWS CLI `update-file-system` command or the API operation [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) in the Amazon FSx API Reference.

## Misconfigured file system: The service account doesn't have access to the OU
<a name="w2aac37c13c31"></a>

Amazon FSx can't establish a connection to your Microsoft Active Directory domain controllers because the service account provided doesn't have access to the OU specified. 

To resolve the misconfiguration, do the following:

1. Identify another service account or create a new service account that has access to the OU.

1. Then update the file system's self-managed Active Directory configuration with the new service account credentials.

   1. On the navigation pane, choose **File systems**, and choose the file system to update; the **File system details** page appears.

   1. On **File system details** page, choose **Update** on the **Networking and security** tab.

   You can also use the AWS CLI `update-file-system` command or the API operation [UpdateFileSystem](https://docs.aws.amazon.com/fsx/latest/APIReference/API_UpdateFileSystem.html) in the Amazon FSx API Reference.

# You can't configure DFS-R on a Multi-AZ or Single-AZ 2 file system
<a name="dfs-r"></a>

Microsoft Distributed File System Replication (DFS-R) is not supported on Multi-AZ and Single-AZ 2 file systems.

Multi-AZ file systems are natively configured for redundancy across multiple Availability Zones. Use the Multi-AZ deployment type for high availability across multiple Availability Zones. For more information, see [Availability and durability: Single-AZ and Multi-AZ file systems](high-availability-multiAZ.md).

# Storage or throughput capacity updates fail
<a name="admin-actions-ts"></a>

There are a number of potential causes for file system storage and throughput capacity update requests to fail, each with their own resolution.

## Storage capacity increase fails because Amazon FSx can't access the file system's AWS KMS key
<a name="w2aac37c17b5"></a>

A storage capacity increase request failed because Amazon FSx was unable to access the KMS key used to encrypt the file system.

Amazon FSx must be able to access the KMS key used to encrypt the file system in order to run the administrative action. Use the following information to resolve the key access issue. 
+ If the KMS key has been deleted, the file system and any of its backups using the deleted KMS key are unrecoverable. For more information, see [Deleting AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the AWS Key Management Service Developer Guide.
+ If the KMS key is disabled, and it is a customer managed key, you will need to re-enable it, and then retry the storage capacity increase request. For more information, see [Enabling and disabling keys](https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html) in the AWS Key Management Service Developer Guide.
+ If the key is invalid because of its pending deletion, you must [cancel the key deletion](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-scheduling-key-deletion.html) while it is still in a `PendingDeletion` state. You can retry the request once the KMS key is `Enabled`.
+ If the key is invalid because an import of its key material is still pending, you must wait until the import has completed, and then retry the storage increase request.
+ If the key's grant limit has been exceeded, you must request an increase in the number of grants for the key. For more information, see [Resource quotas](https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html) in the AWS Key Management Service Developer Guide. When the quota increase is granted, retry the storage increase request.

## Storage or throughput capacity update fails because the self-managed Active Directory is misconfigured
<a name="w2aac37c17b7"></a>

The storage capacity or throughput capacity update request failed because your file system's self-managed Active Directory is in a misconfigured state.

To resolve the specific misconfigured state, see [File system is in a misconfigured state](misconfigured-ad-config.md).

## Storage capacity increase fails because of insufficient throughput capacity
<a name="w2aac37c17b9"></a>

The storage capacity increase request failed because the file system's throughput capacity is set to 8 MBps.

Increase the file system's throughput capacity to a minimum of 16 MBps, then retry the request. For more information, see [Managing throughput capacity](managing-throughput-capacity.md).

## Throughput capacity update to 8 MBps fails
<a name="w2aac37c17c11"></a>

A request to modify a file system's throughput capacity to 8 MBps failed.

This can occur when a storage capacity increase request is pending or in progress. Storage capacity increases require a minimum throughput of 16 MBps. Wait until the storage capacity increase request has completed, and then retry the throughput capacity modification request.