Roadrunner SMB

Roadrunner SMB™ — Admin Guide

Last Updated: 2026-06-09

This guide covers day-to-day administration of a deployed Roadrunner SMB cluster. It covers only features available in the current release.

Accessing the Admin UI

Open the AdminUIUrl value from your CloudFormation® stack Outputs in a browser. AWS® Marketplace deployments expose the Admin UI over HTTPS on port 443 on the Network Load Balancer (TLS terminates at the NLB). Access is allowed from sources in AdminIngressCidr (default: internet). SMB file access uses NlbDnsName on TCP/445 from networks in SmbClientCidr — not the public internet by default.

https://<AdminUIUrl-hostname>

Port 8888 is an internal service port between the load balancer and RRSMB tasks; it is not the normal Marketplace customer access path. Always use AdminUIUrl (HTTPS/443).

The Admin UI requires authentication. Two account types are supported:

Account type When to use
AD administrator Regular administration — Domain Admins is enabled by default after FTS; production deployments should use a dedicated admin group instead
Appliance Owner Break-glass access (rrsmb-admin); use only if AD is unreachable

Identity and permissions

Roadrunner SMB uses three separate identities (AWS Deployer, Appliance Owner, AD Administrator). The deployer is install-time only; runtime uses stack-created IAM roles.

Three identity domains  separate trust, separate credentials Identity 1 builds it � Identity 3 runs it � Identity 2 rescues it when AD is down Install time Runtime (ongoing) 1 � AWS Deployer IAM user / role Marketplace subscribe CloudFormation launch RRSMB stack ECS � EFS � NLB � DynamoDB parent + nested CFN Stack-created runtime IAM  not your deployer TaskRole � TaskExecutionRole � InstanceRole Appliance uses these at runtime; deployer creds are not used day-to-day 3 � AD Admin Domain join FTS � once net ads join Day-to-day admin Admin UI � Settings SMB client auth (AD) Active Directory Computer object RRSMB-NODE<n> Users � groups � ACLs 2 � Appliance Owner rrsmb-admin (local) Break-glass Admin UI only � not SMB � not AWS AWS IAM Active Directory Appliance local
Identity Used for
AWS Deployer Marketplace subscribe + CloudFormation launch
Appliance Owner (rrsmb-admin) Break-glass Admin UI when AD is unavailable
AD Administrator Domain join (once) + day-to-day Admin UI

Identity 1 builds it. Identity 3 runs it day-to-day. Identity 2 rescues it when AD is down.

Full planning guide: Identity and permissions

Topic Document
Deployer IAM tiers + CloudTrail procedure Identity and permissions
CFN → IAM action matrix Deployer permission matrix
AD join without Domain Admin AD domain join delegation
Pre-deploy summary Quick Start — Identities

Admin UI login: Domain Admins is enabled by default after FTS; production deployments should disable it in Settings and use a dedicated admin AD group. See Settings below.

Dashboard

The Dashboard provides an at-a-glance view of cluster health:

  • Cluster status: overall health (Healthy / Degraded / Recovering)
  • Node count: number of active, healthy nodes
  • Storage status: EFS mount health across the cluster
  • Active shares: number of materialized shares
  • SMB service: whether SMB traffic is being served

Metrics shown on the Dashboard and Cluster page are cluster-wide aggregates collected across all active nodes. They reflect the state of the whole cluster, not a single node.

Shares

Creating a share

  1. Click SharesCreate Share
  2. Enter a share name (alphanumeric and hyphens; 1–64 characters)
  3. Configure permissions:
    • Preset: choose from common permission patterns (e.g. Domain Users: Read/Write)
    • Custom: add specific AD users and groups with Read or Read/Write access
  4. Click Create
  5. Wait for materialization to complete (15–60 seconds)

Billing note: Marketplace ManagedStorageGBHours meters the entire EFS filesystem attached to the share, not only data under the share path. Before attaching a large existing filesystem, read Known Limitations — billing.

When materialization completes, the share is immediately accessible from all cluster nodes via the NLB.

Share access

Shares are accessed via the NLB DNS name:

\\<NlbDnsName>\<sharename>

All access is authenticated via Active Directory®. Guest access is not supported.

Deleting a share

  1. Click Shares
  2. Find the share row and click the delete (trash) icon
  3. Choose whether to keep data on EFS filesystem (checked by default)
  4. Type the share name to confirm, then delete

By default, deletion removes the share from Roadrunner SMB but retains EFS file data and the share’s ACL DynamoDB® table. Uncheck Keep data on EFS filesystem to permanently delete files on EFS and remove the share’s ACL metadata from DynamoDB.

Share permissions

Permissions are enforced using NT ACLs stored in DynamoDB. Changes take effect immediately on all nodes.

Supported permission entries:

  • AD users and security groups
  • Read (list files, open files for reading)
  • Read/Write (full access including create, modify, delete)

Setup (Active Directory)

The Setup page shows the current Active Directory join status and allows re-joining if needed.

Viewing AD status

The page shows:

  • Join status (Joined / Not Joined)
  • Domain FQDN
  • Computer name in AD
  • Status checks: DNS, Test Join, Secure Channel, Kerberos

Re-joining the domain

If the cluster loses its domain trust (rare), you can re-join from the Setup page:

  1. Provide the domain FQDN, a join account username and password
  2. Optionally specify a DC IP if DNS is not yet resolving
  3. Click Join Domain

Re-joining requires a domain account with permission to join computers (or re-join the existing computer account).

Leave Domain is not supported. Changing domain membership (joining a different domain) is not a direct Admin UI action — use Reset Appliance on the Setup page, then complete First-Time Setup again. Reset re-runs product setup while retaining customer shares, EFS data, and ACLs in DynamoDB. Authorize First-Time Setup with the recovery secret from Secrets Manager (see Quick Start — bootstrap credentials).

Cluster

The Cluster page shows all nodes in the cluster and the Customer Cluster Node Target slider (1–4) on CloudFormation-managed deployments:

  • 1–4: desired node count; CloudFormation converges ASG and ECS asynchronously after you click Apply. At least one node must remain so the Admin UI stays reachable (scaling to zero is not available from the UI).

The node table lists runtime state (IP, health probes, cluster ID). Nodes are color-coded:

  • Green: healthy and serving SMB traffic
  • Yellow: temporarily ineligible (fencing); will recover automatically
  • Red/missing: node has been replaced or is starting

If a stack update is already in progress, Apply returns an error — wait for it to finish. If CloudFormation rolls back a resize, the UI refreshes the target after ~15 seconds and shows a rollback message.

Architecture detail: Admin Guide — Software Updates.

CloudWatch Logs

The Admin UI does not include a log viewer. All appliance logs are written to Amazon CloudWatch® Logs® in your AWS account.

Item Detail
Log group CloudFormation output CloudWatchLogGroup (typical pattern /rrsmb/<environment>)
Log streams One stream per ECS task (cluster node)
Multi-node Use CloudWatch Logs Insights or filter by stream to view a specific node

Support Report (Admin UI Support page) bundles the last 72 hours of CloudWatch logs for attachment to support requests.

Example CloudWatch Logs Insights query (replace log group name):

fields @timestamp, @message
| filter @message like /ERROR/ or @message like /auto-update/
| sort @timestamp desc
| limit 100

For operational triage, see Support & Troubleshooting — Where logs come from.

Support

The Support page generates a support report bundle. The report includes:

  • Version and build information
  • Cluster state and node roster
  • Configuration snapshot
  • Last 72 hours of CloudWatch logs
  • Diagnostic data for common triage scenarios

Click Generate Report, download the bundle, and attach it to your support request. Support reports are not uploaded automatically.

Settings

The Settings page allows configuration of:

  • Admin group (Active Directory group with Admin UI access)
  • Domain Admins access to Admin UI

Some configuration is only available via environment variables at deployment time (see Known Limitations).

Maintenance and node drain

There is no Maintenance Mode toggle in the Admin UI. The status strip at the top of each page shows SMB state (Serving, Stopped, Fenced, or Blocked when license enforcement applies) as read-only telemetry. The Cluster page shows per-node probe status (including drain) but does not expose controls to enable or disable SMB on a node.

Software updates and CloudFormation stack changes replace ECS tasks in a rolling fashion. During replacement, the fence-agent fences TCP/445 on the node being replaced and the NLB SMB target group health check (GET /ready on port 8888) stops routing new SMB clients to that target. Existing SMB sessions disconnect; clients reconnect via the stable NLB DNS name. The Admin UI remains reachable on other healthy nodes (or on the same node via /ready/admin when the node is fenced but the admin plane is up).

Manual per-node drain for ad-hoc maintenance (for example, taking one node out of rotation while others keep serving) is not available through the Admin UI in the current release.

Software Updates

Roadrunner SMB discovers newer releases through the product release manifest and Marketplace release ECR repository (stable channel). The in-appliance auto-updater polls about every 90 seconds (configurable). When a newer approved immutable release tag is found (tag and digest must match the seller-published approved manifest on the stable channel), the appliance schedules a CloudFormation stack update that changes only BackendImageUri. ECS then performs a rolling task replacement.

RRSMB does not use mutable :latest or :dev-latest tags for Marketplace production release deployment.

Default schedule after detection

When automatic updates are enabled, a newly detected release is scheduled for the next local midnight after detection — the start of the next calendar day in the deployed AWS Region’s timezone (for example, discovery on Tuesday afternoon → apply at Wednesday 00:00 Region-local). This quiet-window default applies only to auto-detected updates.

Stack parameter UpdateScheduleOverride=immediate (or env RRSMB_UPDATE_SCHEDULE_OVERRIDE=immediate) applies auto-detected updates immediately instead of at midnight.

Admin UI — Software Update page

Open Admin → Software Update (/update) for:

Control What it does
Check now Force an immediate release discovery check
Apply latest approved version Update now — apply the detected release immediately (manual trigger; not waiting for midnight)
Defer Postpone a scheduled update by 24 hours (available when an update is pending)
Automatic updates toggle Enable or disable auto-detection and midnight scheduling

Update progress and diagnostics appear in CloudWatch Logs (output CloudWatchLogGroup; log lines tagged [auto-update]).

Deferring an update

When an update is scheduled (pending), click Defer on the Software Update page. Each click postpones the scheduled apply time by one day from the current scheduled time (or from now if the scheduled time has passed).

Disabling auto-update

Auto-update is enabled by default. Toggle Automatic updates off on the Software Update page, or set AutoUpdateEnabled=false at deploy time. Disabling stops auto-detection scheduling; you can still Apply latest approved version manually. Disabling is not recommended for production — security and stability fixes are delivered as updates.

CloudWatch log queries

Find all auto-update events (CloudWatch Logs Insights):

fields @timestamp, @message
| filter @message like "auto-update"
| sort @timestamp desc
| limit 100

Version Information

The current software version and build are visible in the bottom-left sidebar. When an update is available the sidebar also shows the target version and a link to the Software Updates card. See Software Updates above for full details.

References

Home · Documentation · Quick Start · Release Notes · Support

© 2026 Roadrunner SMB, LLC

Roadrunner SMB is an independent software project and is not affiliated with, endorsed by, or sponsored by Amazon Web Services, Inc.
Amazon Web Services, AWS, and Amazon EFS are trademarks of Amazon.com, Inc. or its affiliates.
Microsoft, Windows, and Active Directory are trademarks of the Microsoft Corporation in the United States and/or other countries.
Citrix and SoftNAS are registered trademarks of their respective owners.
Roadrunner SMB and Elastic SMB are trademarks of Roadrunner SMB, LLC. All rights reserved.