AWS – Making AWS FSx for Windows Highly Available through Multi AZ Resilience – Part 2: Nameserver Launch and Initial Setup

For our highly available FSx implementation, we will first launch and set up (including domain join) the EC2 instances that will become our DFS servers. As the setup is similar for both instances, I will only run through the initial launch and domain join once, but indicate the different variables for each DFS server.

Instance Launch

If you already have servers (this can be on-premise or EC2 instances) that you would like to use for the DFS Name servers you can skip ahead to the DFS role installation.

Login to the AWS management console: https://console.aws.amazon.com/console/home?#

Ensure the region your VPC is in is selected in the top right, otherwise your VPC will not show.

From the EC2 services page, click “Launch Instance”

On the launch instance wizard, step 1 is to select your Amazon Machine Image (AMI). For our DFS Servers, we are going to use the “Microsoft Windows Server 2019 Base” AMI. To find this quickly, type “Windows” in the search bar to show only Windows AMIs. Find the image and click “Select”.

Step 2 on the wizard is to select your instance type. This determines the performance and resources available to the DFS servers. Higher-performing types come at a higher cost, so size this appropriately. This can be changed at a later date if you need to scale vertically (raise or lower performance). For our testing environment, I will be selecting a T3a.small. Select the instance type and click the “Next: Configure instance Details” button in the bottom right.

Step 3 on the wizard is where you configure your instance details. This is where we select which availability zone (AZ) the DFS server will be launched in, which is done by selecting the appropriate subnet for the AZ. I will be selecting the following for each of the servers when launching them, to ensure they are in different AZs:

  • DFS Server in AZ B: TE-FSazB – Subnet “TE-SN-B-1”, which is set up for eu-west-2b
  • DFS Server in AZ C: TE-FSazC – Subnet “TE-SN-C-1”, which is set up for eu-west-2c

Check that the other settings for the instance meet your requirements or company policies, such as hosting type (most likely shared will be the best option for you). Once you are happy with the settings, click the “Next: Add Storage” button in the bottom right.

Step 4 on the wizard, this is where you configure the storage for the host servers. As no corporate shared data will be kept on the servers, it may not be required to have any additional drives, or a large OS drive. This may be determined by your corporate policy or guidelines for setting up servers or instances. For this setup, the default 30GB drive for the OS is sufficient. It would be recommended to encrypt the OS drive by default, but again, follow any policies you have. Once configured, click “Next: Add Tags” button in the bottom right.

Step 5 on the wizard lets you set tags for all resources (such as volumes) on the EC2 instances. For this I generally add a “Name” tag with the name I will set the hostname to, for example:

  • DFS Server in AZ B: Tag:Name Value:TE-FSazB
  • DFS Server in AZ C: Tag:Name Value:TE-FSazC

Once the tags have been added, click “Next: Configure Security Groups” in the bottom right.

Step 6 of the wizard allows you to select security groups for your instances. You can either select existing ones, or create new security groups and add access to them at this point. Make sure these SGs allow access to the domain controllers, the other file servers and client machines. It may be company policy to restrict access to the least required (it's generally a good practice to follow). Once you have a security group selected, click “Next: Review and Launch” in the bottom right.

On step 7, the final wizard page, you can review all settings you have configured within the wizard. Once you are happy with the choices, click “launch” in the bottom right.

Upon clicking launch, you will be prompted to select an existing keypair or create a new keypair. This is the keypair that will be used to decrypt the administrator password to login to the newly created instance.

Instance Initial Configuration (Naming and Domain Join)

For each of our EC2 namespace instances we will need to log in and complete the initial configuration by changing the hostname and then adding the instance to the Active Directory domain. As you should have connectivity to the instances, RDP to each instance using its private IP address. If you are unsure how to get the administrator password for the newly spun up instance, follow these steps:

Select the instance you need the password for.

Click the “Actions” button and then select “Get windows password”

In the next menu, you will need to provide the keypair file you selected/created when you launched the instance and then click “decrypt password” to show the password.

Use RDP to connect to the IP addresses of the EC2 instances we have just created. In our example, these would be:

  • DFS Server in AZ B: TE-FSazB (172.16.5.20)
  • DFS Server in AZ C: TE-FSazC (172.16.10.30)

Once connected, use the “Server Manager” (can be found from the start menu if this does not launch automatically) to edit and manage the local server.

Firstly, click the hostname beside the label “computer name” in order to rename the server to something more appropriate and recognisable for your domain. The popup menu will allow you to change the hostname. Although this is the same menu used to change the domain, it is recommended to change the computer name and reboot before changing the workgroup to a domain and joining the domain.

After a reboot, navigate into the same menu you previously opened to change the hostname. This time, in the “Member Of” section, change the radio button from “Workgroup” to “Domain”, and then enter the FQDN of your domain. You will be prompted for a domain account that has permissions to add computers to the domain. Once added, you will need to reboot the server in order to complete the computer join.

If you have any issues joining the domain, some items you may want to check:

  • Your domain account is correct and has the correct permissions to add/join computers
  • You entered the correct FQDN of the domain
  • The FQDN is resolvable (i.e. when you ping the FQDN, you get a correct IP address of your domain controllers; if this doesn’t work, you may need to check that your DHCP Option Sets have set the correct DNS servers for your domain)
  • Check that your SGs allow the required ports and access, and check any firewalls if your domain controllers are on premise.
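
The DNS and port checks above can be run from the new instance before attempting the join. The following PowerShell is an added example, not part of the original post: the domain name `corp.example.com` is a placeholder, and the port list is the standard set of TCP ports a member server uses to reach a domain controller.

```powershell
# Added example: pre-flight checks for a domain join, run on the new instance.
# ASSUMPTION: 'corp.example.com' is a placeholder; pass your own domain FQDN.
param([string]$Domain = 'corp.example.com')

# Well-known TCP ports a member server must reach on a domain controller.
# AD also needs the dynamic RPC range (49152-65535) and UDP 53/88, which
# Test-NetConnection cannot probe; review those in the SG rules directly.
$Ports = @(
    @{ Port = 53;  Service = 'DNS' },
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC endpoint mapper' },
    @{ Port = 389; Service = 'LDAP' },
    @{ Port = 445; Service = 'SMB' },
    @{ Port = 464; Service = 'Kerberos password change' }
)

# 1. Show the DNS servers handed out by the VPC's DHCP option set.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses

# 2. Locate domain controllers through the SRV record the join itself uses.
try {
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object QueryType -eq 'SRV' |
        Select-Object -ExpandProperty NameTarget -Unique
} catch {
    Write-Warning "Cannot resolve DC records for $Domain. Check the DNS servers listed above."
    return
}

# 3. Probe each required port on every domain controller that was found.
$results = foreach ($dc in $dcs) {
    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $p.Port
            Service          = $p.Service
            Reachable        = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# 4. Summarise anything a security group or firewall is blocking.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Blocked: " + (($blocked | ForEach-Object { "$($_.DomainController):$($_.Port)" }) -join ', '))
}
```

A blocked port in the summary points at the security group or on-premise firewall rule to correct; open only that port to the domain controllers rather than widening the rule.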

Once named and joined to the domain, our instances are now ready to be configured to host the DFS namespaces for our FSx installation.

Continue to Part 3 where we will configure our AWS FSx for Windows filesystems.