Recently I encountered a challenge while I was working on Amazon FSx for Windows File server. I have observed that multiple AD Computer Objects are created for each FSx File share, and this creation gets troublesome when we have to correlate a computer object to its respective FSx file share. In order to mitigate this issue, I have come up with this know-how article.
Computer Objects created for Multi-AZ FSx
Whenever a Multi-AZ FSx is spun up, four computer objects are created as part of the deployment. Among those four objects created in the AD, three of them are for the AZ-2 file system, and another object for the AZ-1 file system.
Details of those four computer objects are:
- First object is for File System's DNS.
- 2nd object is for Windows Remote PowerShell Endpoint.
- 3rd object is for Primary private IPv4 IP of the ENI in the standby subnet.
- 4th object is for Failover cluster virtual network name account.
Challenges
Is there a way to correlate these computer objects to their respective FSx?
Currently there is no efficient way to identify the objects corresponding to each specific file system. But AWS is aware of this issue and it is considering updating the description of the AD objects to include the file system id as a feature release in the future.
Till then one could make use of this workaround: Use Get-ADComputer command in PowerShell to list Active Directory computer objects.
Get-ADComputer -Filter 'Name -like \"AMZN*\"' -Properties IPv4Address,Created,Modified,Description | sort Created | FT Name,Description,DNSHostName,IPv4Address,Created,Modified -A
The above command has an output of: computer objects name beginning with \”AMZNFSX\" along with date and time when this object was created, but making use of these fields one can easily correlate with the creation time of FSx in AWS console to identify computer object to its respective file system.
The below screenshot contains entries for 2 FSx clusters, and the creation time of computer objects, and the creation time of FSx needs to be matched to find the right computer objects.
Are FSx Computer Objects automatically deleted in AD when FSx is terminated?
When FSx is deleted, FSx’s computer objects are also deleted as part of \”DeleteFileSystem\” delete workflow, provided the service account in Microsoft AD has the relevant delegated permissions to delete computer objects in the domain. Detailed description here.
Best Practices on AD Structure
Based on our experience it is recommended to create a dedicated OU for FSx in your AD and specify to join that OU when an FSx file system is created. This avoids the confusion on the AD objects created by FSx. But this approach works fine only for Self-Managed AD though!
This is because AWS Managed AD automatically creates the FSx compute objects in a dedicated OU which is under the “AWS Reserved.” This OU stores all AWS management specific accounts. Moving the FSx computer objects away from this OU to another one can prevent FSx from working as it should.
Top comments (0)