Create a directory for WorkSpaces Personal - Amazon WorkSpaces

With WorkSpaces Personal, you can provision virtual, cloud-based Microsoft Windows, Amazon Linux 2, Ubuntu Linux, or Red Hat Enterprise Linux desktops for your users.

Personal WorkSpaces use WorkSpaces Personal directories to store and manage information for your WorkSpaces and users. The following are options for creating a WorkSpaces Personal directory:

  • Create a Simple AD directory.

  • Create an AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD.

  • Connect to an existing Microsoft Active Directory by using Active Directory Connector.

  • Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain.

Identify the computer name

The Computer Name value shown for a WorkSpace in the Amazon WorkSpaces console varies, depending on which type of WorkSpace you've launched (Amazon Linux, Red Hat Enterprise Linux, Ubuntu, or Windows). The computer name for a WorkSpace can be in one of these formats:

  • Amazon Linux: A-xxxxxxxxxxxxx

  • Red Hat Enterprise Linux: R-xxxxxxxxxxxxx

  • Ubuntu: U-xxxxxxxxxxxxx

  • Windows: IP-Cxxxxxx or WSAMZN-xxxxxxx or EC2AMAZ-xxxxxxx

For Windows WorkSpaces, the computer name format is determined by the bundle type, and in the case of WorkSpaces created from public bundles or from custom bundles based on public images, by when the public images were created.

Starting June 22, 2020, Windows WorkSpaces launched from public bundles have the WSAMZN-xxxxxxx format for their computer names instead of the IP-Cxxxxxx format.

For custom bundles based on a public image, if the public image was created before June 22, 2020, the computer names are in the EC2AMAZ-xxxxxxx format. If the public image was created on or after June 22, 2020, the computer names are in the WSAMZN-xxxxxxx format.

For Bring Your Own License (BYOL) bundles, either the DESKTOP-xxxxxxx or the EC2AMAZ-xxxxxxx format is used for the computer names by default.

If you've specified a custom format for the computer names in your custom or BYOL bundles, your custom format overrides these defaults. To specify a custom format, see Create a custom WorkSpaces image and bundle for WorkSpaces Personal.

Important

If you change the computer name for a WorkSpace through the Windows system settings, you will no longer be able to access the WorkSpace.

Note
  • Shared directories are not currently supported for use with Amazon WorkSpaces.

  • If you configure your AWS Managed Microsoft AD directory for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

  • Simple AD and AD Connector are made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD or AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.
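The 30-day rule above is easy to miss in an account with many directories. The following is an added example (not AWS's own code) that lists REGISTERED Simple AD and AD Connector directories with zero WorkSpaces, the condition that starts the clock toward auto-deregistration and Directory Service billing. It assumes a boto3 `workspaces` client is passed in; `FakeWorkSpaces` is a constructed offline stand-in with the same two calls and sample data.

```python
"""Added example, not AWS's own code: list REGISTERED Simple AD and AD Connector
directories that currently have no WorkSpaces, the condition that starts the
30-day clock toward auto-deregistration and Directory Service billing described
in the note. Assumes a boto3 'workspaces' client; FakeWorkSpaces is a constructed
offline stand-in with the same two calls and sample data."""

def _paginate(call, key):
    """Yield items across the NextToken pages of a WorkSpaces list call."""
    token = None
    while True:
        page = call(NextToken=token) if token else call()
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return

def idle_directories(ws):
    """Directory IDs with zero WorkSpaces among the types the note covers."""
    counts = {}
    for w in _paginate(ws.describe_workspaces, "Workspaces"):
        counts[w["DirectoryId"]] = counts.get(w["DirectoryId"], 0) + 1
    return sorted(
        d["DirectoryId"]
        for d in _paginate(ws.describe_workspace_directories, "Directories")
        if d.get("DirectoryType") in ("SIMPLE_AD", "AD_CONNECTOR")
        and d.get("State") == "REGISTERED"
        and counts.get(d["DirectoryId"], 0) == 0
    )

class FakeWorkSpaces:
    """Constructed sample: two pages of WorkSpaces, all in the first directory."""
    def describe_workspaces(self, NextToken=None):
        if NextToken is None:
            return {"Workspaces": [{"DirectoryId": "d-0000000001"}], "NextToken": "page2"}
        return {"Workspaces": [{"DirectoryId": "d-0000000001"}]}
    def describe_workspace_directories(self, NextToken=None):
        return {"Directories": [
            {"DirectoryId": "d-0000000001", "DirectoryType": "SIMPLE_AD", "State": "REGISTERED"},
            {"DirectoryId": "d-0000000002", "DirectoryType": "AD_CONNECTOR", "State": "REGISTERED"},
            {"DirectoryId": "d-0000000003", "DirectoryType": "SIMPLE_AD", "State": "DEREGISTERING"},
        ]}

if __name__ == "__main__":
    # Swap FakeWorkSpaces() for boto3.client("workspaces") to audit a real account.
    print(idle_directories(FakeWorkSpaces()))  # ['d-0000000002']
```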

The following tutorials show you how to create a WorkSpaces Personal directory.

Before you begin creating a directory

Create an AWS Managed Microsoft AD directory

In this tutorial, we create an AWS Managed Microsoft AD directory. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

First, create an AWS Managed Microsoft AD directory. AWS Directory Service creates two directory servers, one in each of the private subnets of your VPC. Note that there are no users in the directory initially. You will add a user in the next step when you launch the WorkSpace.

Note
  • Shared directories are not currently supported for use with Amazon WorkSpaces.

  • If your AWS Managed Microsoft AD directory has been configured for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

To create an AWS Managed Microsoft AD directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose Set up Directory, Create Microsoft AD.

  4. Configure the directory as follows:

    1. For Organization name, enter a unique organization name for your directory (for example, my-demo-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.

    2. For Directory DNS, enter the fully qualified name for the directory (for example, workspaces.demo.com).

      Important

      If you need to update your DNS server after launching your WorkSpaces, follow the procedure in Update DNS servers for WorkSpaces Personal to ensure that your WorkSpaces get properly updated.

    3. For NetBIOS name, enter a short name for the directory (for example, workspaces).

    4. For Admin password and Confirm password, enter a password for the directory administrator account. For more information about the password requirements, see Create Your AWS Managed Microsoft AD Directory in the AWS Directory Service Administration Guide.

    5. (Optional) For Description, enter a description for the directory.

    6. For VPC, select the VPC that you created.

    7. For Subnets, select the two private subnets (with the CIDR blocks 10.0.1.0/24 and 10.0.2.0/24).

    8. Choose Next Step.

  5. Choose Create Microsoft AD.

  6. Choose Done. The initial status of the directory is Creating. When directory creation is complete, the status is Active.

After you've created a WorkSpaces Personal directory, you can create a personal WorkSpace. For more information, see Create a WorkSpace in WorkSpaces Personal.
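The same procedure as SDK calls, as an added example that is not AWS's own code: it validates the organization name with the rule from step 4.1, calls CreateMicrosoftAD with the fields the console asks for, waits for the Active status from step 6, and then registers the directory with WorkSpaces (a separate call the console makes for you). It assumes boto3 `ds` and `workspaces` clients are passed in and that the organization name is carried as the directory Description (an assumption; the API has no separate field); `FakeDS` is a constructed stand-in for an offline dry run.

```python
"""Added example, not AWS's own code: the console steps above as SDK calls.
Assumes boto3 'ds' and 'workspaces' clients are passed in, that the organization
name is carried as the directory Description (an assumption; the API has no
separate field), and a constructed fake 'ds' client for an offline dry run."""
import re
import time

# Naming rule from step 4.1: at least four characters, alphanumerics and hyphens
# only, and neither starting nor ending with a hyphen.
ORG_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{2,}[A-Za-z0-9]")

def valid_org_name(name):
    return ORG_NAME_RE.fullmatch(name) is not None

def create_managed_ad(ds, org_name, dns_name, netbios, password, vpc_id, subnet_ids):
    """Steps 4.1 to 4.7: pass the password from a secret store or environment
    variable, never as a literal in the script."""
    if not valid_org_name(org_name):
        raise ValueError(f"organization name {org_name!r} violates the naming rule")
    if len(subnet_ids) != 2:
        raise ValueError("AWS Managed Microsoft AD needs the two private subnets")
    resp = ds.create_microsoft_ad(
        Name=dns_name, ShortName=netbios, Password=password, Description=org_name,
        Edition="Standard", VpcSettings={"VpcId": vpc_id, "SubnetIds": list(subnet_ids)})
    return resp["DirectoryId"]

def wait_until_active(ds, directory_id, sleep=time.sleep, interval=30, max_polls=120):
    """Step 6: poll DescribeDirectories until Stage is Active; stop on failure."""
    for _ in range(max_polls):
        stage = ds.describe_directories(DirectoryIds=[directory_id])["DirectoryDescriptions"][0]["Stage"]
        if stage == "Active":
            return stage
        if stage in ("Failed", "Inoperable", "Deleted"):
            raise RuntimeError(f"{directory_id} entered stage {stage}")
        sleep(interval)
    raise TimeoutError(f"{directory_id} did not become Active")

def register_with_workspaces(ws, directory_id, subnet_ids):
    """Make the Active directory usable by WorkSpaces (not done by CreateMicrosoftAD)."""
    return ws.register_workspace_directory(DirectoryId=directory_id, SubnetIds=list(subnet_ids),
                                           EnableWorkDocs=False, EnableSelfService=False)

class FakeDS:
    """Constructed stand-in for boto3.client('ds'): Requested, Creating, then Active."""
    def __init__(self):
        self._stages = iter(["Requested", "Creating", "Active"])
    def create_microsoft_ad(self, **kw):
        return {"DirectoryId": "d-EXAMPLE0001"}
    def describe_directories(self, DirectoryIds):
        return {"DirectoryDescriptions": [{"Stage": next(self._stages)}]}
```

For Simple AD and AD Connector the same flow applies with `create_directory` and `connect_directory` in place of `create_microsoft_ad`.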

Create a Simple AD directory

In this tutorial, we launch a WorkSpace that uses Simple AD. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

Note
  • Simple AD is not available in every Region. Verify the supported Regions and select a Region for your Simple AD directory. For more information about the supported Regions for Simple AD, see Region Availability for AWS Directory Service.

  • Simple AD is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

When you create a Simple AD directory, AWS Directory Service creates two directory servers, one in each of the private subnets of your VPC. There are no users in the directory initially. Add a user after you create the WorkSpace. For more information, see Create a WorkSpace in WorkSpaces Personal.

To create a Simple AD directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose Set up Directory, Simple AD, and Next.

  4. Configure the directory as follows:

    1. For Organization name, enter a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.

    2. For Directory DNS name, enter the fully qualified name for the directory (for example, example.com).

      Important

      If you need to update your DNS server after launching your WorkSpaces, follow the procedure in Update DNS servers for WorkSpaces Personal to ensure that your WorkSpaces get properly updated.

    3. For NetBIOS name, enter a short name for the directory (for example, example).

    4. For Admin password and Confirm password, enter a password for the directory administrator account. For more information about the password requirements, see How to Create a Microsoft AD Directory in the AWS Directory Service Administration Guide.

    5. (Optional) For Description, enter a description for the directory.

    6. For Directory size, choose Small.

    7. For VPC, select the VPC that you created.

    8. For Subnets, select the two private subnets (with the CIDR blocks 10.0.1.0/24 and 10.0.2.0/24).

    9. Choose Next.

  5. Choose Create directory.

  6. The initial status of the directory is Requested and then Creating. When directory creation is complete (this might take a few minutes), the status is Active.

What happens during directory creation

WorkSpaces completes the following tasks on your behalf:

  • Creates an IAM role to allow the WorkSpaces service to create elastic network interfaces and list your WorkSpaces directories. This role has the name workspaces_DefaultRole.

  • Sets up a Simple AD directory in the VPC that is used to store user and WorkSpace information. The directory has an administrator account with the user name Administrator and the specified password.

  • Creates two security groups, one for directory controllers and another for WorkSpaces in the directory.

After you've created a WorkSpaces Personal directory, you can create a personal WorkSpace. For more information, see Create a WorkSpace in WorkSpaces Personal.

Create an AD Connector

In this tutorial, we create an AD Connector. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

Note

AD Connector is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

To delete empty directories, see Delete a directory for WorkSpaces Personal. If you delete your AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.

To create an AD Connector
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Choose Set up Directory, Create AD Connector.

  4. For Organization name, enter a unique organization name for your directory (for example, my-example-directory). This name must be at least four characters in length, consist of only alphanumeric characters and hyphens (-), and must not begin or end with a hyphen.

  5. For Connected directory DNS, enter the fully qualified name of your on-premises directory (for example, example.com).

  6. For Connected directory NetBIOS name, enter the short name of your on-premises directory (for example, example).

  7. For Connector account username, enter the user name of a user in your on-premises directory. The user must have permissions to read users and groups, create computer objects, and join computers to the domain.

  8. For Connector account password and Confirm password, enter the password for the on-premises user.

  9. For DNS address, enter the IP address of at least one DNS server in your on-premises directory.

    Important

    If you need to update your DNS server IP address after launching your WorkSpaces, follow the procedure in Update DNS servers for WorkSpaces Personal to ensure that your WorkSpaces get properly updated.

  10. (Optional) For Description, enter a description for the directory.

  11. Keep Size as Small.

  12. For VPC, select your VPC.

  13. For Subnets, select your subnets. The DNS servers that you specified must be accessible from each subnet.

  14. Choose Next Step.

  15. Choose Create AD Connector. It takes several minutes for your directory to be connected. The initial status of the directory is Requested and then Creating. When directory creation is complete, the status is Active.

Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain

In this tutorial, we create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain. For tutorials that use the other options, see Create a directory for WorkSpaces Personal.

Note

Launching WorkSpaces with AWS accounts in a separate trusted domain works with AWS Managed Microsoft AD when it is configured with a trust relationship to your on-premises directory. However, WorkSpaces using Simple AD or AD Connector cannot launch WorkSpaces for users from a trusted domain.

To set up the trust relationship
  1. Set up AWS Managed Microsoft AD in your virtual private cloud (VPC). For more information, see Create Your AWS Managed Microsoft AD directory in the AWS Directory Service Administration Guide.

    Note
    • Shared directories are not currently supported for use with Amazon WorkSpaces.

    • If your AWS Managed Microsoft AD directory has been configured for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces. Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

  2. Create a trust relationship between your AWS Managed Microsoft AD and your on-premises domain. Ensure that the trust is configured as a two-way trust. For more information, see Tutorial: Create a Trust Relationship Between Your AWS Managed Microsoft AD and Your On-Premises Domain in the AWS Directory Service Administration Guide.

A one-way or two-way trust can be used to manage and authenticate WorkSpaces and to provision WorkSpaces for on-premises users and groups. For more information, see Deploy Amazon WorkSpaces using a One-Way Trust Resource Domain with AWS Directory Service.

Note
  • Red Hat Enterprise Linux and Ubuntu WorkSpaces use System Security Services Daemon (SSSD) for Active Directory integration, and SSSD does not support forest trust. Configure external trust instead. Two-way trust is recommended for Amazon Linux, Ubuntu, and Red Hat Enterprise Linux WorkSpaces.

  • You cannot use a web browser (Web Access) to connect to Linux WorkSpaces.

To delete empty directories, see Delete a directory for WorkSpaces Personal. If you delete your Simple AD or AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.