Using multi-Region AWS Managed Active Directory with Amazon WorkSpaces
AWS Directory Service for Microsoft Active Directory (MAD) is a fully managed Microsoft Active Directory (AD) that can be paired with Amazon WorkSpaces. Customers choose AWS Managed Microsoft AD because it has built-in high availability, monitoring, and backups. AWS Managed Microsoft AD Enterprise edition adds the ability to configure Multi-Region Replication.
This feature automatically configures inter-region networking connectivity, deploys domain controllers, and replicates all the Active Directory data across multiple regions, ensuring that Windows and Linux workloads residing in those regions can connect to and use AWS MAD with low latency and high performance. Replicated MAD regions cannot be directly registered with WorkSpaces; however, a replicated MAD directory can be registered with WorkSpaces by configuring an AD Connector (ADC) that points to your replicated Domain Controllers.
The best practice when deploying AD Connectors with MAD is to create an AD Connector for each business unit within your WorkSpaces environment. This allows you to align each business unit with a specific Organizational Unit within Active Directory. You can then assign AD Group Policy Objects at the Organizational Unit level that directly align with the business unit in question.
Architecture
Implementation
To register your replicated MAD region with WorkSpaces, you will need to create an AD Connector pointed at your MAD Domain Controller IPs. You can find your MAD Domain Controller IP addresses by going to the AWS Directory Service console navigation pane, selecting Directories and then choosing the correct directory ID. To create these AD Connectors, follow this guide. Once they are created, you can register them for WorkSpaces. Before you deploy WorkSpaces in your new region, ensure you have updated your VPC's DHCP options set.
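The steps above can be scripted so the replicated region is brought up the same way every time. The following is an added example and not code from the original post or from AWS: it discovers the healthy domain controllers in the replicated region with the Directory Service API, builds the AD Connector request, registers the connector with WorkSpaces, and attaches a DHCP options set that points the new VPC at the local domain controllers. The directory, VPC and subnet IDs, IP addresses, domain name and service-account name are placeholders, and the sample API response is constructed so the module can be exercised offline; `provision()` makes the live boto3 calls.

```python
"""Added example: automate registering a replicated AWS Managed Microsoft AD
region with Amazon WorkSpaces through an AD Connector.  All IDs, IPs and names
are placeholders; SAMPLE_DOMAIN_CONTROLLERS is a constructed response shaped
like ds:DescribeDomainControllers so the helpers below run offline."""
import ipaddress
import time

# Constructed sample: what ds.describe_domain_controllers() returns in the
# replicated Region.  One DC is still being created and must not be used.
SAMPLE_DOMAIN_CONTROLLERS = {
    "DomainControllers": [
        {"DomainControllerId": "dc-placeholder-a", "DnsIpAddr": "10.20.0.15",
         "AvailabilityZone": "eu-west-1a", "SubnetId": "subnet-placeholder-a", "Status": "Active"},
        {"DomainControllerId": "dc-placeholder-b", "DnsIpAddr": "10.20.1.21",
         "AvailabilityZone": "eu-west-1b", "SubnetId": "subnet-placeholder-b", "Status": "Active"},
        {"DomainControllerId": "dc-placeholder-c", "DnsIpAddr": "10.20.2.7",
         "AvailabilityZone": "eu-west-1c", "SubnetId": "subnet-placeholder-c", "Status": "Creating"},
    ]
}


def active_dc_ips(response):
    """Return the DNS IPs of domain controllers in the Active state only.
    Pointing the AD Connector at a DC that is still being created (or being
    deleted) gives intermittent join and logon failures for WorkSpaces."""
    ips = [dc["DnsIpAddr"] for dc in response["DomainControllers"]
           if dc.get("Status") == "Active"]
    for ip in ips:
        ipaddress.ip_address(ip)  # raise early on a malformed entry
    if len(ips) < 2:
        raise ValueError("need at least two Active domain controllers for a resilient AD Connector")
    return ips


def connect_directory_request(domain_name, netbios_name, vpc_id, subnet_ids, dns_ips,
                              service_account, size="Small"):
    """Build the keyword arguments for ds.connect_directory().  The service
    account password is deliberately not part of this structure: pass it
    separately at call time (e.g. fetched from AWS Secrets Manager) so it
    never lands in logs or source control."""
    return {
        "Name": domain_name,
        "ShortName": netbios_name,
        "Size": size,
        "ConnectSettings": {
            "VpcId": vpc_id,
            "SubnetIds": subnet_ids,
            "CustomerDnsIps": dns_ips,
            "CustomerUserName": service_account,
        },
    }


def dhcp_options_config(domain_name, dns_ips):
    """DhcpConfigurations for ec2.create_dhcp_options(): WorkSpaces launched in
    the new VPC resolve the domain through the replicated DCs, not the Amazon
    resolver, so domain join and GPO processing stay in-Region."""
    return [
        {"Key": "domain-name", "Values": [domain_name]},
        {"Key": "domain-name-servers", "Values": list(dns_ips)},
    ]


def provision(region, mad_directory_id, domain_name, netbios_name, vpc_id, subnet_ids,
              service_account, password):
    """Live workflow (hypothetical orchestration, not an AWS-provided tool):
    discover DCs, create the AD Connector, register it, set DHCP options."""
    import boto3  # imported here so the offline helpers above need no SDK

    ds = boto3.client("ds", region_name=region)
    ips = active_dc_ips(ds.describe_domain_controllers(DirectoryId=mad_directory_id))

    request = connect_directory_request(domain_name, netbios_name, vpc_id, subnet_ids,
                                        ips, service_account)
    adc_id = ds.connect_directory(Password=password, **request)["DirectoryId"]

    # The connector must reach the Active stage before WorkSpaces will accept it.
    while True:
        stage = ds.describe_directories(DirectoryIds=[adc_id])["DirectoryDescriptions"][0]["Stage"]
        if stage == "Active":
            break
        if stage in ("Failed", "Deleted"):
            raise RuntimeError(f"AD Connector {adc_id} entered stage {stage}")
        time.sleep(30)

    boto3.client("workspaces", region_name=region).register_workspace_directory(
        DirectoryId=adc_id, SubnetIds=subnet_ids, EnableWorkDocs=False)

    ec2 = boto3.client("ec2", region_name=region)
    dopt = ec2.create_dhcp_options(DhcpConfigurations=dhcp_options_config(domain_name, ips))
    ec2.associate_dhcp_options(DhcpOptionsId=dopt["DhcpOptions"]["DhcpOptionsId"], VpcId=vpc_id)
    return adc_id


if __name__ == "__main__":
    # Offline demonstration on the constructed sample only.
    ips = active_dc_ips(SAMPLE_DOMAIN_CONTROLLERS)
    print(connect_directory_request("corp.example.com", "CORP", "vpc-placeholder",
                                    ["subnet-placeholder-a", "subnet-placeholder-b"],
                                    ips, "adc-service-account"))
    print(dhcp_options_config("corp.example.com", ips))
```

The service account named in `CustomerUserName` only needs the permissions the AD Connector guide calls for, and running `provision()` once per business unit, with a different `netbios_name` and subnets, gives you the one-connector-per-Organizational-Unit layout described earlier.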