Sprint 4 Documentation - drewwbikk/capstone GitHub Wiki

FSx for Windows File Server

Prerequisites

Setup managed service account and OU

You will need a service account for FSx to use when it joins the domain. In Active Directory Users and Computers, create a new user object named fsx in the Managed Service Accounts container (a normal user account with a strong password, not a group managed service account). Do not add it to Domain Admins or any other privileged group; the delegated rights below are all it needs. Now, create a new OU called fsx. Right-click the OU and choose Delegate Control.

Add the fsx user.

image

Choose Create a custom task to delegate. Select Only the following objects in the folder, tick Computer objects, and tick both Create selected objects in this folder and Delete selected objects in this folder.

image

For permissions, choose the following (these can all be found in the General permissions):

  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name

Then, finish the wizard.

Use the same wizard on the Computers folder. Add the fsx user.

Choose Create a custom task to delegate. Then, select Only the following objects in the folder, and select Computer objects. Also select Create selected objects in this folder.

Then, add the following permission (this can be found under Creation/deletion of specific child objects):

  • Create All Child Objects

image

Then, finish the wizard. AWS only requires these delegated rights on the OU you hand to FSx (the fsx OU above); delegating on the Computers container as well widens the account's reach, so only keep that step if computer objects for FSx will actually be created there.
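The same prerequisites as a script, added here as an example (it is not from the wiki): it creates the fsx account and OU, then grants on the fsx OU exactly the rights the wizard steps above grant, looking up the schema and extended-right GUIDs by their display names instead of hard-coding them. It assumes the ActiveDirectory module (RSAT) on a domain controller or admin workstation and a domain such as yourname.local; the account, OU and right names are the ones the wiki uses.

```powershell
# Added example (not from the wiki): fsx service account, fsx OU, and the
# delegated ACEs from the "Delegate Control" wizard, done in PowerShell.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$msaPath  = "CN=Managed Service Accounts,$domainDN"
$ouDN     = "OU=fsx,$domainDN"

# 1. Service account: plain user object, strong password, no group membership.
$password = Read-Host -Prompt 'Password for the fsx service account' -AsSecureString
New-ADUser -Name fsx -SamAccountName fsx -Path $msaPath `
           -AccountPassword $password -Enabled $true -PasswordNeverExpires $true

# 2. OU that FSx will create its computer object in.
New-ADOrganizationalUnit -Name fsx -Path $domainDN

# 3. Resolve the GUIDs the ACEs refer to: the computer class from the schema, and
#    the extended rights / property set / validated writes by their display names.
$rootDse       = Get-ADRootDSE
$computerClass = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

$fsxSid = (Get-ADUser -Identity fsx).SID
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$acl    = Get-Acl -Path "AD:\$ouDN"

# 4. Create/delete computer objects in the OU ("Create/Delete selected objects").
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $fsxSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# 5. The four wizard permissions, applied to computer objects under the OU only.
$aces = @(
    @{ Rights = 'ExtendedRight';               Guid = Get-RightGuid 'Reset Password' }
    @{ Rights = 'ReadProperty, WriteProperty'; Guid = Get-RightGuid 'Account Restrictions' }
    @{ Rights = 'Self';                        Guid = Get-RightGuid 'Validated write to DNS host name' }
    @{ Rights = 'Self';                        Guid = Get-RightGuid 'Validated write to service principal name' }
)
foreach ($a in $aces) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $fsxSid,
        [System.DirectoryServices.ActiveDirectoryRights]$a.Rights,
        $allow, [guid]$a.Guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 6. Check: only these entries should name the fsx account on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\fsx' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final Get-Acl listing is the check worth keeping around: if the fsx account ever shows up with GenericAll or an entry scoped to the whole domain rather than computer objects under this OU, the delegation has drifted from the minimum FSx needs.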

Create new subnet (optional)

Navigate to the AWS VPC console and create a new subnet; call it fsx-subnet. Use the CIDR block 192.168.1.0/24.

Select an availability zone that is compatible with FSx (us-east-1a and us-east-1b both work).

image

Next, update the VPN settings to include this subnet. From ad02, open the OpenVPN Access Server Admin UI on vpn02 (https://vpn02-yourname:943/admin) and add 192.168.1.0/24 as a private subnet accessible to VPN clients.

image

Save your settings and reload the server. Then restart the on-premises client machine.

On premises, open fw01's web UI and add a static route sending 192.168.1.0/24 through the VPN gateway.

image

Next, you'll need to create a subnet in AD Sites and Services for the new subnet. Associate it with the AWS site.

image

Finally, create a reverse lookup zone for the new subnet. Be sure this is replicated across both domain controllers before moving forward with creating the FSx server.

image
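The AD side of the optional subnet (the Sites and Services subnet and the reverse lookup zone), with the replication check the wiki asks for, as an added example rather than the wiki's own steps. It assumes AWS Tools for PowerShell with credentials configured for the VPC step, and the ActiveDirectory and DnsServer RSAT modules on a domain controller; the VPC ID, site name and DC host names are placeholders.

```powershell
# Added example (not from the wiki): fsx-subnet in the VPC, the matching AD
# Sites and Services subnet, the reverse lookup zone, and a replication check.
Import-Module AWS.Tools.EC2, ActiveDirectory, DnsServer

$cidr  = '192.168.1.0/24'
$vpcId = 'vpc-0123456789abcdef0'                          # placeholder
$az    = 'us-east-1a'                                     # FSx-compatible AZ per the wiki
$site  = 'AWS'                                            # AD site for the AWS side (placeholder)
$dcs   = 'ad01.yourname.local', 'ad02.yourname.local'     # placeholders

# 1. VPC subnet (what the wiki does in the VPC console).
$subnet = New-EC2Subnet -VpcId $vpcId -CidrBlock $cidr -AvailabilityZone $az
$tag = New-Object Amazon.EC2.Model.Tag
$tag.Key = 'Name'; $tag.Value = 'fsx-subnet'
New-EC2Tag -Resource $subnet.SubnetId -Tag $tag

# 2. AD Sites and Services: associate the subnet with the AWS site so the FSx
#    computer object and clients in it locate the DC in that site.
New-ADReplicationSubnet -Name $cidr -Site $site

# 3. Reverse lookup zone, AD-integrated so it replicates to every DC in the domain.
Add-DnsServerPrimaryZone -NetworkId $cidr -ReplicationScope Domain

# 4. Force a replication pass, then confirm both DCs hold the zone before
#    creating the FSx file system.
repadmin /syncall /AdeP | Out-Null
$zone = '1.168.192.in-addr.arpa'
foreach ($dc in $dcs) {
    $z = Get-DnsServerZone -Name $zone -ComputerName $dc -ErrorAction SilentlyContinue
    if ($z) {
        "$dc : $($z.ZoneName) ($($z.ZoneType), AD-integrated: $($z.IsDsIntegrated))"
    } else {
        Write-Warning "$dc does not have $zone yet; wait for replication before creating FSx"
    }
}
```

The loop in step 4 is the part to rerun if FSx creation fails on DNS: a zone present on one DC and missing on the other is exactly the state the wiki warns about.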

Validate AD Config

To confirm that you meet all of the requirements, follow AWS's guide on validating your Active Directory configuration for FSx. You should see a successful test result at the end.

Setup

Visit AWS's page for FSx and click Get Started. It will bring you to the console. Then, click Create file system.

You'll want to choose FSx for Windows File Server. For the purposes of this project, Single-AZ deployment was selected. However, for higher availability, Multi-AZ should be used.

image

If your subnet in AWS is in a compatible availability zone, select that VPC and subnet. Otherwise, create a new subnet inside your VPC in a compatible availability zone (us-east-1a and us-east-1b both work); see the subnet steps above.

Input all of your domain information, using the service account and OU created earlier.

image

Optionally, expand the Access section, and come up with a custom DNS name you want to associate with the file system.

image

Click Next and then Create file system. This will take several minutes.

Once creation completes, you should be able to reach the new file server at \\fsx-dns-name.yourname.local. Its security group must allow TCP 445 from the client networks, including the on-premises ranges that arrive over the VPN. The file system comes with a default share named share.

image
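A client-side check of the new file system, added as an example (not part of the wiki): it confirms the FSx DNS name resolves, that SMB is reachable, that the session used Kerberos rather than NTLM, and what the default share's ACL looks like before the share is pushed out by GPO. The DNS name is the wiki's placeholder; run it from a domain-joined client.

```powershell
# Added example (not from the wiki): verify the FSx file system from a client.
$fsx   = 'fsx-dns-name.yourname.local'   # placeholder, use your FSx DNS name
$share = "\\$fsx\share"

# 1. Name resolution through the domain DNS (the FSx A record must exist).
Resolve-DnsName -Name $fsx -Type A | Select-Object Name, IPAddress

# 2. TCP 445 reachability. A failure here points at the FSx security group or
#    the VPN/firewall routes for the subnet, not at Active Directory.
$tcp = Test-NetConnection -ComputerName $fsx -Port 445
if (-not $tcp.TcpTestSucceeded) { throw "SMB port 445 to $fsx is blocked" }

# 3. Touch the share, then check that a Kerberos service ticket for cifs/<fsx>
#    was issued. No ticket usually means the session fell back to NTLM, e.g.
#    because the share was opened by IP address instead of the DNS name.
Get-ChildItem -Path $share | Out-Null
$ticket = klist tickets | Select-String -Pattern "cifs/$fsx" -SimpleMatch
if (-not $ticket) { Write-Warning "No Kerberos ticket for cifs/$fsx; session may be NTLM" }
Get-SmbConnection -ServerName $fsx | Select-Object ServerName, ShareName, UserName, Dialect

# 4. Share ACL: review who has what before mapping it for everyone.
(Get-Acl -Path $share).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 5. Temporary mapped drive for testing; the GPO from Sprint 1 does this for real.
New-PSDrive -Name X -PSProvider FileSystem -Root $share -Persist -Scope Global
```

Step 3 is the one worth keeping in a runbook: the FSx computer object's SPNs only cover its DNS names, so any path that reaches it by IP or by an alias without a matching SPN silently drops to NTLM.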

You can add this share as a new mapped drive (I chose X) to the GPO for mounted file shares from Sprint 1. See instructions here.

image

AWS Backup

On-demand backup

Open the AWS Backup console, and on the side panel, select Protected resources. Then, Create on-demand backup.

Select FSx as the Resource type, and then select the file system created above. Use the following settings:

image

Then, Create on-demand backup. You should be redirected to the Jobs section of the AWS Backup console and have a banner message similar to the following:

image

The backup will take several minutes, depending on the size of the filesystem. In the meantime, let's try an on-demand backup for our ad02 EC2 instance.

Create another on-demand backup in the Protected Resources panel.

When the FSx backup completes, it will look similar to the following:

image

Then, select EC2 as the Resource type, and select the instance ID of your ad02. Use the following settings:

image

Then, Create on-demand backup. This backup will take several minutes as well.

When completed, the backup will look similar to the following:

image

Scheduled backups

In the AWS Backup console, select Backup plans from the side-panel. Then, Create Backup plan.

You can either start with a template or build a new plan. Because the template with the most frequent backups is only daily, we'll build a new plan so that we can see a backup or two much quicker.

Name the plan (I chose my-backup-plan).

Then, create a backup rule for hourly backups like the screenshot below:

image

Then, select Create plan. Now, you must assign any resources you want backed up using this plan. From the page you were redirected to, select Assign resources.

image

Pick a name (I chose my-resource-assignment). You can then either include all resource types (which backs up everything in your AWS account) or include specific resource types; select the latter so you can fine-tune what gets backed up.

Then, select EC2 and FSx for resource types.

You can then choose all resources for each of those types, or pick only specific resources. For this assignment, I'm selecting only the fsx fileserver and the EC2 vpn02 instance.

image

Then, click Assign resources. You should see your resource assignment now populated in the backup plan.

image

These backups will now start automatically every hour. Each completed backup appears as a recovery point in the Default backup vault (unless you created or assigned a different vault).
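The on-demand backup and the hourly plan from the two sections above, done with AWS Tools for PowerShell (the AWS.Tools.Backup module) instead of the console. This is an added example, not the wiki's own steps; the account ID, file system ID, instance ID and role ARN are placeholders, and the role name is the default service role the AWS Backup console creates.

```powershell
# Added example (not from the wiki): on-demand FSx backup, then an hourly backup
# plan scoped to exactly two resources, using AWS.Tools.Backup.
Import-Module AWS.Tools.Backup

$region  = 'us-east-1'
$account = '123456789012'                                                      # placeholder
$role    = "arn:aws:iam::${account}:role/service-role/AWSBackupDefaultServiceRole"
$fsxArn  = "arn:aws:fsx:${region}:${account}:file-system/fs-0123456789abcdef0"   # placeholder
$ec2Arn  = "arn:aws:ec2:${region}:${account}:instance/i-0123456789abcdef0"       # placeholder
$vault   = 'Default'

# 1. On-demand backup of the FSx file system; the recovery point expires after 35 days.
$job = Start-BAKBackupJob -BackupVaultName $vault -ResourceArn $fsxArn `
        -IamRoleArn $role -Lifecycle_DeleteAfterDay 35 -Region $region
do {
    Start-Sleep -Seconds 30
    $status = Get-BAKBackupJob -BackupJobId $job.BackupJobId -Region $region
    "FSx backup $($job.BackupJobId): $($status.State) $($status.PercentDone)%"
} while ("$($status.State)" -in 'CREATED', 'PENDING', 'RUNNING')

# 2. Hourly rule; the console templates go no faster than daily. Times are UTC.
$rule = New-Object Amazon.Backup.Model.BackupRuleInput
$rule.RuleName                = 'hourly'
$rule.TargetBackupVaultName   = $vault
$rule.ScheduleExpression      = 'cron(0 * ? * * *)'   # top of every hour
$rule.StartWindowMinutes      = 60
$rule.CompletionWindowMinutes = 180
$rule.Lifecycle               = New-Object Amazon.Backup.Model.Lifecycle
$rule.Lifecycle.DeleteAfterDays = 7                    # hourly points are short-lived
$plan = New-BAKBackupPlan -BackupPlan_BackupPlanName 'my-backup-plan' `
        -BackupPlan_Rule $rule -Region $region

# 3. Assign only the two resources, not "all resources" in the account.
New-BAKBackupSelection -BackupPlanId $plan.BackupPlanId `
    -BackupSelection_SelectionName 'my-resource-assignment' `
    -BackupSelection_IamRoleArn $role `
    -BackupSelection_Resource $fsxArn, $ec2Arn -Region $region

# 4. Recovery points land in the vault; list what is there.
Get-BAKRecoveryPointsByBackupVault -BackupVaultName $vault -Region $region |
    Select-Object ResourceType, Status, CreationDate, RecoveryPointArn
```

Listing explicit ARNs in the selection, as the wiki does in the console, keeps both the vault contents and the backup role's effective reach to the resources you actually intend; a selection of "all resources" quietly grows as the account does.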

Restore a backup

On the AWS Backup console, select Protected resources, and then select the resource ID that you want to restore. For this example, I am choosing the EC2 resource wks02.

Then, choose which backup (recovery point) you'd like to restore from and click Restore.

image

You will have to specify the restore parameters, which will be different for each resource type. For FSx, you'll have to specify the network settings and your AD configuration. For EC2, you'll need to specify network settings.

For Restore Role, choose the Default Role.

Then, click Restore backup.

Now, in the Jobs panel, a Restore jobs section appears. The restore job should look similar to the following:

image

It will take several minutes (and up to several hours) to restore a backup. Be mindful of what time you choose to start backup restorations.

When complete, the restore job will look like this:

image

A restore creates a new resource rather than overwriting the old one. A restored EC2 instance gets a new private IP address from the subnet (AWS does not hand back the address the previous instance had), so update any DNS records or static entries that pointed at the old instance. A restored FSx file system likewise comes up as a new file system with its own DNS name, and it joins the domain again using the service account and OU from the restore parameters, so the delegated rights above must still be in place. Other than that, you should be able to access your resource normally.

image