Single sign-on for the directory admin
To avoid a second login, first add the on-premises administrator account to the Delegated Admins group in the AWS directory. With that membership the admin can open an RDP session to the AWS jump box from an on-premises PC on which they are already logged in, and the existing domain credentials are used for the connection instead of a second login. This depends on the trust between the on-premises domain and the AWS directory, so check that the trust is healthy and that the RDP client is actually passing the logged-in credentials rather than falling back to a password prompt.
For this example, we consider the migration of files from an on-premises file server to Amazon FSx for Windows File Server. The approach used here is DFS (Distributed File System): a DFS namespace provides a logical path that abstracts the file server away from users and applications, and DFS Replication keeps the on-premises and FSx copies in sync during the migration.
DFS Namespaces
DFS Namespaces is a role service in Windows Server that enables you to group shared folders located on different servers into one or more logically structured namespaces. This makes it possible to give users a virtual view of shared folders, where a single path leads to files located on multiple servers.
Here’s a description of the elements that make up a DFS namespace:
- Namespace server – A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.
- Namespace root – The namespace root is the starting point of the namespace. For example \\domain\root.
- Folder – Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets. These act a bit like symlinks.
- Folder targets – A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content are stored. A folder can have multiple targets, and the referral lists targets in the client's own Active Directory site first (then by site-link cost), so the client is automatically directed to the nearest one.
Replication Group
Set up the on-premises file server share and the FSx share as the two folder targets of the namespace folder, and create a DFS Replication group with the two servers as members. This keeps the on-premises and AWS copies in sync. Make the on-premises server the primary member for the initial replication so that its content is authoritative. After the initial sync, replication is multi-master and conflicting edits are resolved last-writer-wins (the losing copy is moved to the ConflictAndDeleted folder), so avoid having users write to the same files on both targets during the migration. Applications and users need to be updated to use the namespace path (\\domain\root\folder) and not the file server name, otherwise they keep hitting the old server directly and bypass the namespace.
Once replication has completed, the data is synchronized and the DFS namespace referral directs each client to the folder target in its own Active Directory site; it is the namespace server using AD site information that does this, not Active Directory resolving the folder itself.
If a full migration to the cloud is taking place, first set the on-premises folder target's referral state to Offline so that clients are referred only to FSx, confirm that the replication backlog towards FSx is empty, then remove the on-premises member from the replication group and decommission the on-premises file server. Do not decommission it while it still holds changes that have not replicated.
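The procedure above, from creating the namespace to the cutover, as an added example that is not part of the original page. It runs from a domain-joined admin host with the DFS Management RSAT tools installed. Every name is an assumption: domain corp.example.com, namespace server NS01, on-premises file server FS01 sharing D:\Shared, and an FSx file system whose DNS name is amznfsxabcd1234.corp.example.com with the default share at D:\share. That the FSx file system can be added as a DFS Replication member, and the content path it uses, are also assumptions to check against the current FSx documentation.

```powershell
# Added example (not from the original page). Builds the DFS namespace, adds
# the FSx share as a second folder target, sets up DFS Replication with the
# on-premises server as primary, and prepares the cutover.
# All host, share and path names below are assumptions.
Import-Module DFSN, DFSR   # RSAT "DFS Management Tools"

$Domain       = 'corp.example.com'
$NsRoot       = "\\$Domain\Files"
$Folder       = "$NsRoot\Shared"
$OnPrem       = 'FS01'                      # on-premises file server
$Fsx          = 'amznfsxabcd1234'           # FSx computer name in AD (assumption)
$OnPremTarget = "\\$OnPrem.$Domain\Shared"
$FsxTarget    = "\\$Fsx.$Domain\share"      # FSx default share (assumption)
$Rg           = 'Shared-Migration'          # replication group name

# 1. Domain-based namespace root hosted on NS01 (member server or DC).
if (-not (Get-DfsnRoot -Path $NsRoot -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $NsRoot -Type DomainV2 -TargetPath "\\NS01.$Domain\Files" | Out-Null
}

# 2. Folder with the on-premises share as first target and FSx as second.
#    In-site referrals keep clients on the target in their own AD site.
New-DfsnFolder       -Path $Folder -TargetPath $OnPremTarget -EnableInsiteReferrals $true | Out-Null
New-DfsnFolderTarget -Path $Folder -TargetPath $FsxTarget | Out-Null

# 3. Replication group. FS01 is the primary (authoritative) member for the
#    initial sync; afterwards DFSR is multi-master, last writer wins.
New-DfsReplicationGroup -GroupName $Rg | Out-Null
New-DfsReplicatedFolder -GroupName $Rg -FolderName 'Shared' | Out-Null
Add-DfsrMember     -GroupName $Rg -ComputerName $OnPrem, $Fsx | Out-Null
Add-DfsrConnection -GroupName $Rg -SourceComputerName $OnPrem -DestinationComputerName $Fsx | Out-Null
Set-DfsrMembership -GroupName $Rg -FolderName 'Shared' -ComputerName $OnPrem `
    -ContentPath 'D:\Shared' -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName $Rg -FolderName 'Shared' -ComputerName $Fsx `
    -ContentPath 'D:\share' -Force | Out-Null          # FSx content path (assumption)
Update-DfsrConfigurationFromAD -ComputerName $OnPrem, $Fsx

# 4. Check before cutover: files still waiting to replicate to FSx.
function Get-MigrationBacklog {
    Get-DfsrBacklog -GroupName $Rg -FolderName 'Shared' `
        -SourceComputerName $OnPrem -DestinationComputerName $Fsx
}
$backlog = @(Get-MigrationBacklog)
Write-Host "Files not yet replicated to FSx: $($backlog.Count)"

# 5. Cutover: stop referring clients to the on-premises target. Confirm on a
#    client with `dfsutil /pktinfo` that $Folder now resolves to $FsxTarget.
if ($backlog.Count -eq 0) {
    Set-DfsnFolderTarget -Path $Folder -TargetPath $OnPremTarget -State Offline
}
# Only after verification and a final empty backlog:
#   Remove-DfsrMember       -GroupName $Rg -ComputerName $OnPrem -Force
#   Remove-DfsnFolderTarget -Path $Folder -TargetPath $OnPremTarget -Force
```

Setting the on-premises target Offline rather than deleting it keeps a quick rollback path: setting it back to Online restores referrals to the old server without touching replication. Remove the DFSR member and the target only once the backlog has been empty across a normal working period.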
Security Groups
If WorkSpaces are used, the FSx file system's security group needs an inbound rule that allows SMB (TCP 445) from the WorkspaceMembers security group so that the WorkSpaces can reach the share. Use the security group ID as the rule's source rather than a CIDR range, so the rule covers only the WorkSpaces. DFS Replication between the on-premises file server and FSx separately needs RPC (TCP 135 plus the dynamic RPC port range, or a fixed port set with dfsrdiag StaticRPC) to be allowed in both directions, including on the on-premises firewall.
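The security group rule described above, as an added example that is not part of the original page. It uses the AWS Tools for PowerShell EC2 module and a helper of my own, Grant-SgToSgIngress, that adds a single TCP port from one security group to another; the two group IDs are placeholders. It also reads the resulting rules back so that a rule accidentally opened to 0.0.0.0/0 is caught.

```powershell
# Added example (not from the original page). Grants the WorkSpaces security
# group SMB access to the FSx security group, using the group ID as source,
# then reviews the FSx group's inbound rules. Group IDs are placeholders.
Import-Module AWS.Tools.EC2

$FsxSg        = 'sg-0123456789abcdef0'   # security group on the FSx file system (placeholder)
$WorkSpacesSg = 'sg-0fedcba9876543210'   # WorkspaceMembers security group (placeholder)

function Grant-SgToSgIngress {
    # Hypothetical helper: allow one TCP port into $TargetGroupId from
    # members of $SourceGroupId (security-group-to-security-group rule).
    param(
        [Parameter(Mandatory)] [string] $TargetGroupId,
        [Parameter(Mandatory)] [string] $SourceGroupId,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $Description = ''
    )
    $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
    $pair.GroupId     = $SourceGroupId
    $pair.Description = $Description

    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = 'tcp'
    $perm.FromPort   = $Port
    $perm.ToPort     = $Port
    $perm.UserIdGroupPairs = [System.Collections.Generic.List[Amazon.EC2.Model.UserIdGroupPair]]::new()
    $perm.UserIdGroupPairs.Add($pair)

    Grant-EC2SecurityGroupIngress -GroupId $TargetGroupId -IpPermission $perm
}

# SMB (TCP 445) is the only port a WorkSpace needs to map the FSx share.
Grant-SgToSgIngress -TargetGroupId $FsxSg -SourceGroupId $WorkSpacesSg `
    -Port 445 -Description 'SMB from WorkSpaces'

# Check: list every inbound rule on the FSx group with its source, and warn
# if any rule is open to the whole internet.
$rules = (Get-EC2SecurityGroup -GroupId $FsxSg).IpPermissions
$rules | ForEach-Object {
    $sources = @($_.UserIdGroupPairs | ForEach-Object GroupId) +
               @($_.Ipv4Ranges      | ForEach-Object CidrIp)
    [pscustomobject]@{ FromPort = $_.FromPort; ToPort = $_.ToPort; Source = ($sources -join ',') }
} | Format-Table -AutoSize

$open = $rules | Where-Object { $_.Ipv4Ranges.CidrIp -contains '0.0.0.0/0' }
if ($open) {
    Write-Warning "Security group $FsxSg has inbound rules open to 0.0.0.0/0 on port(s): $($open.FromPort -join ',')"
}
```

The review step matters because the FSx security group is often reused from an earlier file server build; a leftover 0.0.0.0/0 rule on port 445 exposes SMB to anything that can route to the VPC, and it is easy to miss when only adding a new rule.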