To join an AWS WorkSpace to an existing "on-prem" Active Directory domain and log in to it with existing domain credentials, you must create a WorkSpaces directory that uses an AD Connector.
Amazon WorkSpaces uses a directory to store and manage information for your WorkSpaces and users.
AD Connector Prerequisites
Before jumping into creating the AD Connector, work through the required prerequisites. Don't gloss over the AD service account! I say that because I did. As the prerequisites page states, create a group or an account and use the Delegation of Control wizard to delegate only the domain privileges the connector needs: read users and groups, create computer objects, and join computers to the domain. I created a user account (a member of Domain Users only) and delegated those specific privileges to it rather than handing the connector a privileged account.
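As an added example (not part of the original post), here is the same delegation done in PowerShell instead of through the Delegation of Control wizard, so that the result is repeatable and can be reviewed in code. The OU `OU=WorkSpaces`, the account name `svc-adconnector` and the domain are assumptions; the GUIDs are the well-known AD schema and extended-right identifiers. It grants only what creating a computer object and joining it to the domain needs, scoped to that OU; reading users and groups needs no extra grant in a default domain because Authenticated Users can already read them.

```powershell
# Added example: least-privilege AD Connector service account with delegated rights.
# Assumed names: OU=WorkSpaces under the domain root, account svc-adconnector.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$ou         = "OU=WorkSpaces,$($domain.DistinguishedName)"   # assumed target OU for WorkSpace computers
$samAccount = 'svc-adconnector'                               # assumed service account name

# 1. Create the account as an ordinary Domain Users member; no privileged group membership.
$password = Read-Host -AsSecureString "Password for $samAccount"
New-ADUser -Name $samAccount -SamAccountName $samAccount `
    -UserPrincipalName "$samAccount@$($domain.DNSRoot)" `
    -AccountPassword $password -Enabled $true `
    -Description 'AWS AD Connector service account (delegated rights only)'
$sid = (Get-ADUser $samAccount).SID

# 2. Well-known schema / extended-right GUIDs used in the ACEs below.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # Computer object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$validatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$validatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to SPN
$acctRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set

$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$rules = @(
    # "Create computer objects" in this OU only (not inherited further down).
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::CreateChild, $Allow, $computerClass, $Inherit::None),
    # "Join computers to the domain": the rights a join needs on computer objects below the OU.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::ExtendedRight, $Allow, $resetPassword, $Inherit::Descendents, $computerClass),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::Self, $Allow, $validatedDns, $Inherit::Descendents, $computerClass),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::Self, $Allow, $validatedSpn, $Inherit::Descendents, $computerClass),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights::WriteProperty, $Allow, $acctRestrict, $Inherit::Descendents, $computerClass)
)

# 3. Apply the ACEs to the OU and show the result for review.
$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$samAccount" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run it as a user who can modify the OU's ACL, then compare the printed ACEs against the three rights the prerequisites page lists; anything beyond them (Domain Admins membership, Full Control on the OU) is more than the connector needs.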
Setting up an AD Connector for an Existing AD Domain
1. Log in to the AWS Management Console and, under the Desktop & App Streaming heading, click WorkSpaces.
2. If this is the first time WorkSpaces has been launched, click Get Started Now.
3. On the Get Started with Amazon WorkSpaces page, click Advanced Setup | Launch.
4. On the Choose directory type page, click Create AD Connector.
5. On the Directory Details page, specify the following information for your organization and your existing AD domain:
   - Organization Name: a unique name for your directory, at least four characters long and consisting of alphanumeric characters and hyphens only.
   - Connected directory DNS: the FQDN of your existing AD domain.
   - Connected directory NetBIOS name: the short name of your existing AD domain.
   - Connector account username: the domain username of the account that was delegated the read users and groups, create computer objects, and join computers to the domain rights.
   - Connector account password | Confirm password: the password for that domain account.
   - DNS address: the IP address of at least one DNS server in the AD domain.
   - Description (optional): a description of the directory.
   - Size (Small or Large): a small connector supports up to 500 users and a large connector up to 5,000. Keep in mind that AD Connectors CAN cost you money. Simple AD and AD Connector are free to use with WorkSpaces, WorkMail, or WorkDocs, BUT if no WorkSpaces are used with your Simple AD or AD Connector for 30 consecutive days, you may be charged for the directory under the AWS Directory Service pricing terms ($.05/hr for a small connector, $.15/hr for a large one). So if you create an AD Connector for WorkSpaces and later delete all of your WorkSpaces, be sure to delete the AD Connector too.
6. With the directory details filled out, scroll down (if you have a small-ish monitor) to the VPC Details. An AD Connector requires a VPC and two subnets, each in a different Availability Zone, and the DNS servers you specified in step 5 must be reachable from those subnets. When the VPC and subnets have been selected, click Next Step.
7. On the Review page, verify that the directory information is correct and click Create AD Connector. It takes several minutes for the AD Connector to be ready; as it is built, its Status changes from Requested to Creating to Active.
Registering a Directory with AWS WorkSpaces
To allow WorkSpaces to use the AD Connector, you must register it. I initially thought this would happen automatically, but I had to register my new AD Connector manually.
8. On the WorkSpaces | Directories page, select the AD Connector you wish to use for WorkSpaces and click Actions | Register
9. On the Register directory window, you’ll be able to enable/disable Amazon WorkDocs if it is available in your region. Select whether or not to enable Amazon WorkDocs and then click Register.
10. Within a few moments, the AD Connector’s Registered status should read Yes as shown below. You will now be able to join AWS WorkSpace VMs to your domain and login to them with AD domain credentials!
What do you mean an ‘Unsupported Subnet’!?!?
The last screenshot above, of a successful directory registration, was actually my second attempt to register the directory. The first attempt failed with an error message that said only 'Unsupported Subnet'. What does that mean, and why not give some clue as to which subnet is unsupported?
What I can tell you is that when I built the first AD Connector, I chose private subnets in us-east-1c and us-east-1d under VPC Details. I then created two new private subnets in us-east-1a and us-east-1b, chose those when creating the second AD Connector, and was then able to register the directory successfully. At that point I opened a case with AWS Support to find out what was going on, and I found the answer (shown below) pretty interesting:
I understand that when you were trying to register your AD Connector with Amazon WorkSpaces, you received an error that the WorkSpace is being launched in unsupported subnets. The reason for this error is that Amazon WorkSpaces is not supported in all Availability Zones in the us-east-1 region; at the moment, only 3 Availability Zones are supported in this region (us-east-1).
By checking the Availability Zones associated to your AWS account, here’s the list of the support and unsupported AZs.
Supported Availability zones/Subnets :
Unsupported Availability zones/Subnets :
Kindly note that the mappings for unsupported/supported AZ’s I have listed are specific to this AWS account only.
I replied back asking if there was some way for me to know or find out what AZs are supported for WorkSpaces for my specific account and received the following:
Unfortunately, we do not have public documentation with the list of unsupported AZs for WorkSpaces. An Availability Zone is represented by a region code followed by a letter identifier; for example, us-east-1a. To ensure that resources are distributed across the Availability Zones for a region, AWS independently maps Availability Zones to identifiers for each account. For example, your Availability Zone us-east-1a might not be the same location as us-east-1a for another account.
Due to this reason, we are not able to publish which AZs are supported for WorkSpaces and which are not.
Please note that the service team is already aware of this problem and they are actively working to provide a mechanism to allow the customers to query which AZs are supported.
So, if you want to create an AD Connector today, you had better hope your subnets are in AZs that are supported for your account. If you want to use WorkSpaces with an AD Connector, open a case with AWS Support and ask which AZs are supported for your account; that avoids the aggravation of guessing and hoping for the best. Once you have the list, check which AZs your subnets reside in and create new subnets if necessary.
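As an added example (not part of the original post), this is the build from the "Setting up an AD Connector" and "Registering a Directory" steps done with the AWS Tools for PowerShell rather than the console. Before it calls the API it records each subnet's AZ name and AZ ID, which is the inventory recommended above for the 'Unsupported Subnet' problem, and it checks the two-subnets, two-AZs requirement up front. The subnet IDs, DNS IPs, domain names and account name are placeholders, and the Register-WKSWorkspaceDirectory parameter names are assumed from the RegisterWorkspaceDirectory API; confirm them with Get-Help before relying on them.

```powershell
# Added example: AD Connector build and registration via AWS Tools for PowerShell.
# All IDs, IPs and names below are placeholders to be replaced with your own.
Import-Module AWS.Tools.EC2, AWS.Tools.DirectoryService, AWS.Tools.WorkSpaces

$region     = 'us-east-1'
$subnetIds  = @('subnet-0aaa1111bbbb2222c', 'subnet-0ddd3333eeee4444f')   # assumed: two private subnets
$dnsIps     = @('10.0.0.10', '10.0.0.11')                                  # assumed: on-prem AD DNS servers
$domainFqdn = 'corp.example.com'                                           # Connected directory DNS
$netbios    = 'CORP'                                                       # Connected directory NetBIOS name
$svcUser    = 'svc-adconnector'                                            # delegated connector account

# 1. Inventory the subnets. AZ names (us-east-1a) are mapped per account, so keep the
#    AZ IDs as well; they name the same physical zone in every account and are what
#    to quote in a support case about unsupported zones.
$subnets = Get-EC2Subnet -Region $region -SubnetId $subnetIds
$subnets | Format-Table SubnetId, VpcId, CidrBlock, AvailabilityZone, AvailabilityZoneId -AutoSize
if (($subnets.VpcId | Sort-Object -Unique).Count -ne 1) {
    throw 'Both subnets must belong to the same VPC.'
}
if (($subnets.AvailabilityZone | Sort-Object -Unique).Count -lt 2) {
    throw 'AD Connector requires two subnets in two different Availability Zones.'
}

# 2. Create the connector. The password is read interactively so it never lives in the script.
$password    = Read-Host "Password for $netbios\$svcUser"
$directoryId = Connect-DSDirectory -Region $region `
    -Name $domainFqdn -ShortName $netbios -Password $password `
    -Size Small -Description 'WorkSpaces AD Connector' `
    -ConnectSettings_VpcId $subnets[0].VpcId `
    -ConnectSettings_SubnetId $subnetIds `
    -ConnectSettings_CustomerDnsIp $dnsIps `
    -ConnectSettings_CustomerUserName $svcUser

# 3. Wait for Requested -> Creating -> Active, and fail fast on anything else.
do {
    Start-Sleep -Seconds 30
    $dir = Get-DSDirectory -Region $region -DirectoryId $directoryId
    Write-Host "$directoryId stage: $($dir.Stage)"
} while ($dir.Stage -in 'Requested', 'Creating')
if ($dir.Stage -ne 'Active') {
    throw "Directory $directoryId ended in stage $($dir.Stage): $($dir.StageReason)"
}

# 4. Register the directory with WorkSpaces; this does not happen automatically.
#    Parameter names assumed from the RegisterWorkspaceDirectory API; check Get-Help.
Register-WKSWorkspaceDirectory -Region $region -DirectoryId $directoryId `
    -EnableWorkDoc $false -EnableSelfService $false
(Get-WKSWorkspaceDirectory -Region $region -DirectoryId $directoryId).State   # REGISTERED when done
```

If registration fails with the unsupported-subnet error, the table printed in step 1 already contains the AZ IDs to put in the support case, and swapping `$subnetIds` for subnets in the zones support confirms is the only change needed to rerun the script. Remember to delete the connector (`Remove-DSDirectory`) when no WorkSpaces use it, for the pricing reason given earlier.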
If you want to join AWS WorkSpace VMs to an existing AD domain and log in with existing AD credentials through an AD Connector, I leave you with these final thoughts:
- Don’t gloss over the prerequisites!
- Document the AZs in which your AWS subnets exist today and open a case with AWS Support to have them provide you the list of AZs supported/unsupported for your AWS account.
- Make sure the DNS servers you specify on the Directory Details page are reachable from the AWS subnets you select under the VPC Details heading.
- Remember that an AD Connector CAN cost you money….if an AD Connector is not in use, delete it to avoid being charged for it.
If you keep these things in mind, the setup of your AD Connector for AWS WorkSpaces will be a breeze.