Navigating Data Migration and Microsoft Active Directory with Amazon FSx for NetApp ONTAP | AWS Storage Blog


In the current digital landscape, businesses encounter formidable challenges when modernizing their data centers as part of their digital transformation initiatives. Traditional on-premises solutions often grapple with escalating costs, intricate management, and growing data volumes. Organizations with complex file-sharing systems and user permissions face hurdles in maintaining user experience and security. Tight coupling between an enterprise's on-premises data center (IDC) and a complicated Microsoft Active Directory (AD) deployment complicates the migration further, calling for adaptable and efficient solutions.

Amazon FSx for NetApp ONTAP effectively addresses these issues by facilitating the seamless migration of NetApp environments to the cloud. It retains familiar functionalities while delivering cloud advantages such as enhanced scalability and availability. This solution is compatible with Windows environments and Server Message Block (SMB) protocols for efficient file access, as well as NFS for Linux and UNIX clients. Importantly, it supports the migration of IDC AD information, preserving intricate authentication and permission systems, which allows users to access new storage using existing methods, thereby minimizing disruption.

This post provides a detailed guide on utilizing AWS services to achieve a smooth migration from on-premises NetApp storage to FSx for ONTAP, as illustrated in Figure 1. We delve into maintaining user permission management, AD information, and data access consistency while optimizing storage efficiency, reducing Total Cost of Ownership (TCO), and obtaining cloud computing flexibility and scalability. This solution equips enterprises to significantly enhance their data management capabilities, respond adeptly to business fluctuations, and lay a robust foundation for future growth and exploration. It not only signifies a technological advancement but also marks a pivotal step in an enterprise’s digital transformation journey.

Figure 1: Architecture diagram for FSx for ONTAP migration from IDC to AWS cloud

Crafting a Streamlined Migration Strategy

The overarching architecture is depicted in Figure 2.

Figure 2: Architecture diagram for the hands-on experiment in this post

This experiment establishes two Amazon Virtual Private Clouds (Amazon VPCs), with one representing the on-premises data center (IDC) environment and the other symbolizing the AWS cloud environment. The two networks are interconnected through VPC Peering. Additionally, a one-way trust is set up to manage permissions between IDC and AWS AD, as the IDC has more stringent permission controls and resource access policies. IDC AD users can access resources in the Amazon cloud, while AWS AD users cannot access IDC resources. Building on this framework, NetApp’s SnapMirror protocol is employed to synchronize data from IDC NetApp to FSx for ONTAP and automatically sync IDC AD user and permission information to FSx for ONTAP.

Microsoft AD One-Way Trust: This configuration allows user authentication between tenants without mutual trust, providing centralized identity management solutions for multinational enterprises. This streamlines processes, enhances security, and reduces costs, all while adhering to regional independence and compliance.

NetApp SnapMirror: A data replication technology for NetApp systems, SnapMirror offers real-time synchronization, reduced downtime, and optimized bandwidth usage, making it ideal for efficient and reliable cloud migration. It can be utilized between on-premises systems, from on-premises to cloud, or between cloud systems.

Seamless Migration of User Permissions: To ensure a smooth migration, utilize a consistent Microsoft AD user account system for user permission management both before and after migration, eliminating the need to separately migrate AD information from IDC or recreate user accounts in the AWS cloud.

Uninterrupted User Access Experience: Users can continue to use the same URLs to access their data and applications before and after migration, negating the need for code modifications in applications utilizing IDC NetApp as the data source.

Hands-On Lab: Migration Solution Design

The following sections detail the migration solution design.

User Requirements

  • Access via Old URL: Both aws_user and idc_user should be able to access the new FSx for ONTAP share on the AWS cloud using the old URL IDC-FSX-0903.IDC09032.COM.
  • Short Domain Access: Both users should also have access through the short domain name IDC-FSX-0903.

Environment Parameters

  • IDC Domain Controller: idc-ad-demo-09-03-2
  • IDC DNS IP Address: 172.31.45.51
  • IDC AD Domain Name: idc09032.com
  • AWS Cloud Domain Controller: aws-ad-demo-09-03-2
  • AWS DNS IP Address: 10.0.11.171
  • AWS AD Domain Name: aws09032.com

Domain Controller Configuration

Refer to the official AWS documentation for configuring domain controllers, focusing on the following sections:

  • Create a Windows Server 2019 EC2 instance: Use Amazon Machine Image (AMI) ID ami-02bb8fbdb93603b5a for this experiment.
  • Promote your server to a domain controller: Follow these steps in both IDC and AWS cloud environments.
  • Configure DNS conditional forwarders: Ensure proper DNS forwarding between the domains for seamless access.

The DNS server of the domain controller in the IDC environment points to the IP address of the domain controller in the AWS environment, as illustrated in Figure 3.

Figure 3: Configuration of conditional forwarders in the IDC environment

The DNS server of the domain controller in the AWS environment points to the IP address of the domain controller in the IDC environment, as shown in Figure 4.

Figure 4: Configuration of conditional forwarders in the AWS environment
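The conditional-forwarder setup shown in Figures 3 and 4, scripted for either domain controller. This is an added example rather than code from the original post; it assumes the DnsServer module is available on each DC and uses the domain names and DNS IP addresses from the Environment Parameters list.

```powershell
# Added example (not from the original post): conditional forwarders on both
# domain controllers. Each side forwards only the peer domain to the peer DC,
# exactly as Figures 3 and 4 show. Run once on idc-ad-demo-09-03-2 and once on
# aws-ad-demo-09-03-2 with a domain admin account of the local forest.
Import-Module DnsServer

# Local domain -> zone to forward and the peer DNS server to forward it to.
$Forwarders = @{
    'idc09032.com' = @{ Zone = 'aws09032.com'; Master = '10.0.11.171' }  # IDC DC -> AWS DNS
    'aws09032.com' = @{ Zone = 'idc09032.com'; Master = '172.31.45.51' }  # AWS DC -> IDC DNS
}

$Local = $env:USERDNSDOMAIN.ToLower()
$Peer  = $Forwarders[$Local]
if (-not $Peer) { throw "Run this on a DC of idc09032.com or aws09032.com, not '$Local'" }

# Idempotent: create the forwarder zone only if it does not exist yet.
if (-not (Get-DnsServerZone -Name $Peer.Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Peer.Zone `
        -MasterServers $Peer.Master -ReplicationScope 'Forest'
    "Forwarder for $($Peer.Zone) -> $($Peer.Master) created on $Local"
} else {
    "Forwarder for $($Peer.Zone) already present on $Local"
}

# Check before touching trusts: the peer forest's DC locator SRV record must
# resolve through the local DNS server, otherwise the trust wizard fails.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Peer.Zone)" -Type SRV `
       -Server 127.0.0.1 -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
```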

One-Way Trust Configuration Steps

The following steps outline the configuration for incoming and outgoing trust.

Incoming Trust Configuration Steps

  1. Log in to the idc09032.com domain controller and open Server Manager. Navigate to Tools > Active Directory Domains and Trusts.
  2. In the left pane, right-click idc09032.com and select Properties. On the Trusts tab, click New Trust to initiate the wizard.
  3. Enter “aws09032.com” as the trust name. Choose Forest trust as the trust type and set it as One-way: incoming.
  4. Select This domain only for the sides of trust. Enter the trust password when prompted.
  5. Review the trust selections and creation details in the following screens, clicking Next to proceed.
  6. When prompted to confirm the incoming trust, select No, do not confirm the incoming trust.
  7. Complete the wizard by selecting Finish, then click OK on the final configuration page, as displayed in Figure 5.

Figure 5: Results of incoming trust configuration in the IDC environment

Outgoing Trust Configuration Steps

  1. Log in to the aws09032.com domain controller and open Server Manager. Navigate to Tools > Active Directory Domains and Trusts.
  2. In the left pane, right-click aws09032.com and choose Properties. On the Trusts tab, click New Trust to start the wizard.
  3. Enter “idc09032.com” as the trust name. Choose Forest trust as the trust type and set it as One-way: outgoing.
  4. Select This domain only for the sides of trust and specify Forest-wide.
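The incoming and outgoing halves of the one-way forest trust described in the two step lists above, created from PowerShell and then checked. This is an added example, not the post's own procedure; it assumes the ActiveDirectory module on each forest root DC, an Enterprise Admin session, and that the conditional forwarders already resolve the peer forest.

```powershell
# Added example (not from the original post): each forest creates only its own
# side of the trust with a shared password, which is what the wizard's
# "This domain only" plus "No, do not confirm" selections amount to.
# Run on the IDC forest root DC (incoming) and on the AWS forest root DC (outgoing).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Local = $env:USERDNSDOMAIN.ToLower()
# IDC is the account forest (One-way: incoming); AWS is the resource forest
# (One-way: outgoing). These map to the same trustDirection values the wizard sets.
$Side = @{
    'idc09032.com' = @{ Peer = 'aws09032.com'; Direction = 'Inbound'  }
    'aws09032.com' = @{ Peer = 'idc09032.com'; Direction = 'Outbound' }
}[$Local]
if (-not $Side) { throw "Run this on a DC of idc09032.com or aws09032.com, not '$Local'" }

# The same trust password is entered on both sides; prompt for it, never hard-code it.
$Secure = Read-Host -Prompt 'Trust password' -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Dir    = [System.DirectoryServices.ActiveDirectory.TrustDirection]($Side.Direction)

# Idempotent: skip creation if this half of the trust already exists.
if (-not (Get-ADTrust -Filter "Name -eq '$($Side.Peer)'" -ErrorAction SilentlyContinue)) {
    $Forest.CreateLocalSideOfTrustRelationship($Side.Peer, $Dir, $Plain)
}
$Plain = $null

# Check the result against the design: Inbound on IDC, Outbound on AWS,
# ForestTransitive = True. SelectiveAuthentication shows whether the
# "Forest-wide" choice from step 4 is in effect (it reads False then).
Get-ADTrust -Filter "Name -eq '$($Side.Peer)'" |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# Only the trusting (AWS, outgoing) side can validate the trust end to end;
# this throws if the IDC half has not been created yet.
if ($Side.Direction -eq 'Outbound') {
    $Forest.VerifyOutboundTrustRelationship($Side.Peer)
    "Outbound trust from $Local to $($Side.Peer) verified"
}
```

Because the AWS side only verifies once both halves exist, run the IDC (incoming) side first, as the post's ordering of the two step lists implies.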
