• Walkthrough 6: Scaling out performance with shards (p. 168)
• Walkthrough 7: Copying a backup to another AWS Region (p. 170)
Walkthrough 1: Prerequisites for getting started
Before you can complete the getting started exercise, you must already have a Microsoft Windows–based Amazon EC2 instance joined to your AWS Directory Service directory. You must also be signed into the instance over Windows Remote Desktop Protocol as the Admin user for your directory. The following walkthrough shows you how to perform these necessary prerequisite actions.
Topics
• Step 1: Set up Active Directory (p. 154)
• Step 2: Launch a Windows instance in the Amazon EC2 console (p. 155)
• Step 3: Connect to your instance (p. 156)
• Step 4: Join your instance to your AWS Directory Service directory (p. 157)
Step 1: Set up Active Directory
With Amazon FSx, you can operate fully managed file storage for Windows-based workloads. Likewise, AWS Directory Service provides fully managed directories to use in your workload deployment. If you have an existing corporate AD domain running in AWS in a virtual private cloud (VPC) using EC2 instances, you can enable user-based authentication and access control. You do this by establishing a trust relationship between your AWS Managed Microsoft AD and your corporate domain. For Windows authentication in Amazon FSx, you only need a one-way directional forest trust, where the AWS managed forest trusts the corporate domain forest.
Your corporate domain takes the role of the trusted domain, and the AWS Directory Service managed domain takes the role of the trusting domain. Validated authentication requests travel between the domains in only one direction—allowing accounts in your corporate domain to authenticate against resources shared in the managed domain. In this case, Amazon FSx interacts only with the managed domain. The managed domain then passes on the authentication requests to your corporate domain.
Note
You can also use an external trust type with Amazon FSx for trusted domains.
Your Active Directory security group must enable inbound access from the Amazon FSx file system’s security group.
To create an AWS Directory Service for Microsoft AD directory
• If you don't already have one, use the AWS Directory Service to create your AWS Managed Microsoft AD directory. For more information, see Create Your AWS Managed Microsoft AD directory in the AWS Directory Service Administration Guide.
Important
Remember the password you assign to your Admin user; you need it later in this getting started exercise. If you forget the password, you need to repeat steps in this exercise with the new AWS Directory Service directory and Admin user.
• If you have an existing AD, create a trust relationship between your AWS Managed Microsoft AD and your existing AD. For more information, see When to Create a Trust Relationship in the AWS Directory Service Administration Guide.
Step 2: Launch a Windows instance in the Amazon EC2 console
You can launch a Windows instance using the AWS Management Console as described in the following procedure. This is intended to help you launch your first instance quickly, so it doesn't cover all possible options. For more information about the advanced options, see Launching an Instance.
To launch an instance
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. From the console dashboard, choose Launch Instance.
3. The Choose an Amazon Machine Image (AMI) page displays a list of basic configurations, called Amazon Machine Images (AMIs), that serve as templates for your instance. Select the AMI for Windows Server 2016 Base or Windows Server 2012 R2 Base. Notice that these AMIs are marked "Free tier eligible."
4. On the Choose an Instance Type page, you can select the hardware configuration of your instance. Select the t2.micro type, which is selected by default. Notice that this instance type is eligible for the free tier.
5. Choose Review and Launch to let the wizard complete the other configuration settings for you.
6. On the Review Instance Launch page, under Security Groups, a security group appears that the wizard created and selected for you. You can use this security group, or you can choose the security group that you created when getting set up using the following steps:
a. Choose Edit security groups.
b. On the Configure Security Group page, ensure that Select an existing security group is selected.
c. Select your security group from the list of existing security groups, and then choose Review and Launch.
7. On the Review Instance Launch page, choose Launch.
8. When prompted for a key pair, select Choose an existing key pair, then select the key pair that you created when getting set up.
Alternatively, you can create a new key pair. Select Create a new key pair, enter a name for the key pair, and then choose Download Key Pair. This is the only chance for you to save the private key file, so be sure to download it. Save the private key file in a safe place. You'll need to provide the name of your key pair when you launch an instance and the corresponding private key each time you connect to the instance.
Warning
Don't select the Proceed without a key pair option. If you launch your instance without a key pair, then you can't connect to it.
When you are ready, select the acknowledgement check box, and then choose Launch Instances.
9. A confirmation page lets you know that your instance is launching. Choose View Instances to close the confirmation page and return to the console.
10. On the Instances screen, you can view the status of the launch. It takes a short time for an instance to launch. When you launch an instance, its initial state is pending. After the instance starts, its state changes to running and it receives a public DNS name. (If the Public DNS (IPv4) column is hidden, choose Show/Hide Columns (the gear-shaped icon) in the top right corner of the page and then select Public DNS (IPv4).)
11. It can take a few minutes for the instance to be ready so that you can connect to it. Check that your instance has passed its status checks; you can view this information in the Status Checks column.
Important
Make a note of the ID of the security group that was created when you launched this instance. You'll need it when you create your Amazon FSx file system.
Now that your instance is launched, you can connect to your instance.
Step 3: Connect to your instance
To connect to a Windows instance, you must retrieve the initial administrator password and then specify this password when you connect to your instance using Remote Desktop.
The name of the administrator account depends on the language of the operating system. For example, for English it's Administrator, for French it's Administrateur, and for Portuguese it's Administrador. For more information, see Localized Names for Administrator Account in Windows in the Microsoft TechNet Wiki.
If you joined your instance to a domain, you can connect to your instance using domain credentials you defined in AWS Directory Service. On the Remote Desktop login screen, don't use the local computer name and the generated password. Instead, use the fully qualified user name for the administrator and the password for this account. An example is corp.example.com\Admin.
The license for the Windows Server operating system (OS) allows two simultaneous remote connections for administrative purposes. The license for Windows Server is included in the price of your Windows instance. If you need more than two simultaneous remote connections, you must purchase a Remote Desktop Services (RDS) license. If you attempt a third connection, an error occurs. For more information, see Configure the Number of Simultaneous Remote Connections Allowed for a Connection.
To connect to your Windows instance using an RDP client
1. In the Amazon EC2 console, select the instance, and then choose Connect.
2. In the Connect to Your Instance dialog box, choose Get Password (it takes a few minutes after the instance is launched before the password is available).
3. Choose Browse and navigate to the private key file you created when you launched the instance. Select the file and choose Open to copy the entire contents of the file into the Contents field.
4. Choose Decrypt Password. The console displays the default administrator password for the instance in the Connect to Your Instance dialog box, replacing the link to Get Password shown previously with the actual password.
5. Record the default administrator password, or copy it to the clipboard. You need this password to connect to the instance.
6. Choose Download Remote Desktop File. Your browser prompts you to either open or save the .rdp file. Either option is fine. When you have finished, you can choose Close to dismiss the Connect to Your Instance dialog box.
• If you opened the .rdp file, you see the Remote Desktop Connection dialog box.
• If you saved the .rdp file, navigate to your downloads directory, and open the .rdp file to display the dialog box.
7. You may get a warning that the publisher of the remote connection is unknown. You can continue to connect to your instance.
8. When prompted, log in to the instance, using the administrator account for the operating system and the password that you recorded or copied previously. If your Remote Desktop Connection already has an administrator account set up, you might have to choose the Use another account option and type the user name and password manually.
Note
Sometimes copying and pasting content can corrupt data. If you encounter a "Password Failed" error when you log in, try typing in the password manually.
9. Due to the nature of self-signed certificates, you may get a warning that the security certificate could not be authenticated. Use the following steps to verify the identity of the remote computer, or simply choose Yes or Continue to continue if you trust the certificate.
a. If you are using Remote Desktop Connection from a Windows PC, choose View certificate. If you are using Microsoft Remote Desktop on a Mac, choose Show Certificate.
b. Choose the Details tab, and scroll down to the Thumbprint entry on a Windows PC, or the SHA1 Fingerprints entry on a Mac. This is the unique identifier for the remote computer's security certificate.
c. In the Amazon EC2 console, select the instance, choose Actions, and then choose Get System Log.
d. In the system log output, look for an entry labeled RDPCERTIFICATE-THUMBPRINT. If this value matches the thumbprint or fingerprint of the certificate, you have verified the identity of the remote computer.
e. If you are using Remote Desktop Connection from a Windows PC, return to the Certificate dialog box and choose OK. If you are using Microsoft Remote Desktop on a Mac, return to the Verify Certificate dialog box and choose Continue.
f. [Windows] Choose Yes in the Remote Desktop Connection window to connect to your instance.
Now that you're connected to your instance, you can join the instance to your AWS Directory Service directory.
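The thumbprint comparison in step 9 can be scripted so that a mismatch is caught before you accept the connection. The following shell script is an added example, not part of the AWS guide: it extracts the RDPCERTIFICATE-THUMBPRINT value from system log text and compares it with the thumbprint the RDP client displays. The sample log content, the function names and the instance ID in the comment are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AWS guide: compare the thumbprint an RDP client
# shows with the RDPCERTIFICATE-THUMBPRINT line the instance wrote to its
# system log, the check described in step 9 of "Connect to your instance".

# Constructed sample of system log text. The label is the one the guide
# names; the timestamps, host name and thumbprint value are made up.
SAMPLE_SYSTEM_LOG='2020/05/01 10:02:11Z: Windows is Ready to use
2020/05/01 10:02:12Z: RDPCERTIFICATE-SUBJECTNAME: EC2AMAZ-EXAMPLE
2020/05/01 10:02:12Z: RDPCERTIFICATE-THUMBPRINT: 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
2020/05/01 10:02:13Z: Message: Windows is Ready to use'

# Reduce a thumbprint as a client displays it (spaces, colons, lower case)
# to bare upper-case hex so both sides are compared in one form.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ' :\r\n' | tr 'a-f' 'A-F'
}

# Read system log text on stdin and print the logged thumbprint, normalised.
# Prints nothing and returns 1 when the label is absent (log not yet written,
# or output truncated): treat that as "cannot verify", not as a match.
thumbprint_from_system_log() {
    found=$(sed -n 's/.*RDPCERTIFICATE-THUMBPRINT:[[:space:]]*\([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    [ -n "$found" ] || return 1
    normalize_thumbprint "$found"
}

# $1: thumbprint shown by the RDP client, $2: system log text.
# Exit 0 only on an exact match; 1 on mismatch; 2 when nothing was logged.
verify_rdp_thumbprint() {
    shown=$(normalize_thumbprint "$1")
    logged=$(printf '%s\n' "$2" | thumbprint_from_system_log) || return 2
    [ -n "$shown" ] && [ "$shown" = "$logged" ]
}

# Demo against the constructed log. For a live instance, fetch the log with
# the AWS CLI instead (assumes configured credentials; the instance ID below
# is a placeholder):
#   verify_rdp_thumbprint "$SHOWN" "$(aws ec2 get-console-output --instance-id i-0123456789abcdef0 --output text)"
if verify_rdp_thumbprint '0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d' "$SAMPLE_SYSTEM_LOG"; then
    echo "thumbprint matches the instance system log"
else
    echo "thumbprint does NOT match; do not continue the connection"
fi
```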
Step 4: Join your instance to your AWS Directory Service directory
The following procedure shows you how to manually join an existing Amazon EC2 Windows instance to your AWS Directory Service directory.
To join a Windows instance to your AWS Directory Service directory
1. Connect to the instance using any Remote Desktop Protocol client.
2. Open the TCP/IPv4 properties dialog box on the instance.
a. Open Network Connections.
Tip
You can open Network Connections directly by running the following from a command prompt on the instance.
%SystemRoot%\system32\control.exe ncpa.cpl
b. Open the context (right-click) menu for any enabled network connection and then choose Properties.
c. In the connection properties dialog box, open (double-click) Internet Protocol Version 4.
3. (Optional) Select Use the following DNS server addresses, change the Preferred DNS server and Alternate DNS server addresses to the IP addresses of the AWS Directory Service–provided DNS servers, and choose OK.
4. Open the System Properties dialog box for the instance, choose the Computer Name tab, and choose Change.
Tip
You can open the System Properties dialog box directly by running the following from a command prompt on the instance.
%SystemRoot%\system32\control.exe sysdm.cpl
5. In the Member of box, choose Domain, enter the fully qualified name of your AWS Directory Service directory, and choose OK.
6. When prompted for the name and password for the domain administrator, enter the user name and password of the Admin account.
Note
You can enter either the fully qualified name of your domain or the NetBIOS name, followed by a backslash (\), and then the user name, in this case, Admin. For example, corp.example.com\Admin or corp\Admin.
7. After you receive the message welcoming you to the domain, restart the instance to have the changes take effect.
8. Reconnect to your instance over RDP, and sign into the instance using the user name and password for your AWS Directory Service directory's Admin user.
Now that your instance has been joined to the domain, you're ready to create your Amazon FSx file system. You can then go on to finish the other tasks in the getting started exercise. For more information, see Getting started with Amazon FSx (p. 7).
Walkthrough 2: Create a file system from a backup
With Amazon FSx, you can create a file system from a backup. When you do so, you can change any of the following elements to better suit the use case you have for your newly created file system:
• Storage type
• Throughput capacity
• VPC
• Availability Zone
• Subnet
• VPC security groups
• Active Directory Configuration
• AWS KMS encryption key
• Daily automatic backup start time
• Weekly maintenance window
The following procedure guides you through the process of creating a new file system from a backup.
Before you can create this file system, you must have an existing backup. For more information, see Working with backups (p. 74).
To create a file system from an existing backup
1. Open the Amazon FSx console at https://console.aws.amazon.com/fsx/.
2. From the navigation list at right, choose Backups.
3. From the table on the dashboard, choose the backup that you want to use for creating a new file system.
Note
You can only restore your backup to a file system of the same storage capacity as the original. You can increase your restored file system's storage capacity after it becomes available. For more information, see Managing storage capacity (p. 120).
4. Choose Restore backup. This will begin the create file system wizard.
5. Choose the settings that you'd like to change for this new file system. The storage type is set to SSD by default, but you can change it to HDD under the following conditions:
• The file system deployment type is Multi-AZ or Single-AZ 2.
• The storage capacity is at least 2,000 GiB.
6. Choose Review summary to review your settings before creating the file system.
7. Choose Create file system.
You've now successfully created your new file system from an existing backup.
Walkthrough 3: Update an existing file system
There are three elements that you can update with the procedures in this walkthrough. All other updatable elements of your file system can be changed from the console. These procedures assume you have the AWS CLI installed and configured on your local computer. For more information, see Install and Configure in the AWS Command Line Interface User Guide.
• AutomaticBackupRetentionDays – the number of days that you want to retain automatic backups for your file system.
• DailyAutomaticBackupStartTime – the time of the day in Coordinated Universal Time (UTC) that you want the daily automatic backup window to start. The window is 30 minutes starting from this specified time. This window can't overlap with the weekly maintenance backup window.
• WeeklyMaintenanceStartTime – the time of the week that you want the maintenance window to start. Day 1 is Monday, 2 is Tuesday, and so on. The window is 30 minutes starting from this specified time. This window can't overlap with the daily automatic backup window.
The following procedures outline how to update your file system with the AWS CLI.
To update how long automatic backups are retained for your file system
1. Open a command prompt or terminal on your computer.
2. Run the following command, replacing the file system ID with the ID for your file system, and the number of days that you want to retain your automatic backups for.
aws fsx update-file-system --file-system-id fs-0123456789abcdef0 --windows-configuration AutomaticBackupRetentionDays=30
To update the daily backup window of your file system
1. Open a command prompt or terminal on your computer.
2. Run the following command, replacing the file system ID with the ID for your file system, and the time with when you want to begin the window.
aws fsx update-file-system --file-system-id fs-0123456789abcdef0 --windows-configuration DailyAutomaticBackupStartTime=01:00
To update the weekly maintenance window of your file system
1. Open a command prompt or terminal on your computer.
2. Run the following command, replacing the file system ID with the ID for your file system, and the day and time with when you want the window to begin.
aws fsx update-file-system --file-system-id fs-0123456789abcdef0 --windows-configuration WeeklyMaintenanceStartTime=1:01:30
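Because the daily backup window and the weekly maintenance window are each 30 minutes long and must not overlap, it is worth checking the values before running the commands above. The following shell script is an added example, not part of the AWS guide: it validates the HH:MM and d:HH:MM formats, tests the two windows for overlap (including windows that cross midnight), and prints a single update command that sets both values. The function names are the example's own; the file system ID is the placeholder used in this walkthrough.

```shell
#!/bin/sh
# Added example, not from the AWS guide: validate DailyAutomaticBackupStartTime
# (HH:MM) and WeeklyMaintenanceStartTime (d:HH:MM) and make sure the two
# 30-minute windows do not overlap before calling `aws fsx update-file-system`.

WINDOW_MINUTES=30
DAY_MINUTES=1440

# "HH:MM" -> minutes since midnight; returns 1 if the value is malformed.
hhmm_to_minutes() {
    case "$1" in
        [0-2][0-9]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}      # drop a leading zero so "08" is not read as octal
    [ "$h" -le 23 ] || return 1
    echo $((h * 60 + m))
}

# "d:HH:MM" (d = 1 for Monday .. 7 for Sunday) -> minutes since midnight.
# Only the time of day is returned: the daily backup window recurs every
# day, so the weekday does not change the overlap check.
weekly_to_minutes() {
    case "$1" in
        [1-7]:[0-2][0-9]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    hhmm_to_minutes "${1#*:}"
}

# True (exit 0) when the two windows share at least one minute. The modulo
# handles a window that crosses midnight, e.g. a backup window at 23:50.
windows_overlap() {
    diff=$(( ($1 - $2 + DAY_MINUTES) % DAY_MINUTES ))
    [ "$diff" -lt "$WINDOW_MINUTES" ] || [ "$diff" -gt $((DAY_MINUTES - WINDOW_MINUTES)) ]
}

# Validate both values for the given file system ID and print the single
# update command that sets them together; fail with a reason on stderr.
plan_window_update() {
    fs_id=$1; daily=$2; weekly=$3
    d=$(hhmm_to_minutes "$daily") || { echo "bad DailyAutomaticBackupStartTime: $daily" >&2; return 1; }
    w=$(weekly_to_minutes "$weekly") || { echo "bad WeeklyMaintenanceStartTime: $weekly" >&2; return 1; }
    if windows_overlap "$d" "$w"; then
        echo "windows overlap: daily $daily vs weekly $weekly" >&2
        return 1
    fi
    printf 'aws fsx update-file-system --file-system-id %s --windows-configuration DailyAutomaticBackupStartTime=%s,WeeklyMaintenanceStartTime=%s\n' \
        "$fs_id" "$daily" "$weekly"
}

# Demo with the values used in this walkthrough: 01:00 daily, Monday 01:30 weekly.
plan_window_update fs-0123456789abcdef0 01:00 1:01:30
```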
Walkthrough 4: Using Amazon FSx with Amazon AppStream 2.0
By supporting the Server Message Block (SMB) protocol, Amazon FSx for Windows File Server supports accessing your file system from Amazon EC2, VMware Cloud on AWS, Amazon WorkSpaces, and Amazon AppStream 2.0 instances. AppStream 2.0 is a fully managed application streaming service. You centrally manage your desktop applications on AppStream 2.0 and securely deliver them to a browser on any computer. For more information on AppStream 2.0, see the Amazon AppStream 2.0 Administration Guide.
Use this walkthrough as a guide through how to use Amazon FSx with AppStream 2.0 for two use cases: providing personal persistent storage to each user and providing a shared folder across users to access common files.
Providing personal persistent storage to each user
You can use Amazon FSx to provide every user in your organization a unique storage drive within AppStream 2.0 streaming sessions. A user will have permissions to access only their folder. The drive is automatically mounted at the start of a streaming session and files added or updated to the drive are automatically persisted between streaming sessions.
There are three procedures you'll need to perform to complete this task.
To create home folders for domain users using Amazon FSx
1. Create an Amazon FSx file system. For more information, see Getting started with Amazon FSx (p. 7).
2. After the file system is available, create a folder for every domain AppStream 2.0 user within your Amazon FSx file system. The example following uses the domain user name of the user as the name of the corresponding folder. Doing this means that you can build the UNC name of the file share to map easily using the Windows environment variable %username%.
3. Share each of these folders out as a shared folder. For more information, see File shares (p. 91).