How-To
Setting Up and Working with Amazon WorkSpaces, Part 1
Tom Fenton begins a series of how-to articles about the Desktop-as-a-Service solution, Amazon WorkSpaces, which usually requires Active Directory (AD) services delivered to WorkSpaces desktops. Here, he outlines various methods to deliver AD services to WorkSpaces desktops.
WorkSpaces is Amazon's Desktop-as-a-Service (DaaS) solution which, in most cases, requires an organization to have Active Directory (AD) services for their desktops, unless they only have a few desktops.
Fortunately, Amazon provides various methods to deliver AD to WorkSpace desktops. In this article, my first in a series on WorkSpaces, I will outline these methods, and then in the next article I will show you how I implemented one of them.
In creating these articles, I relied heavily on Amazon's WorkSpaces documentation, and in particular their Amazon WorkSpaces Proof-of-Concept document.
The basic Amazon architectural diagram below shows how users can access WorkSpaces via the internet through a public AWS, as well as one way that AD services can be supplied to WorkSpaces.
Although the diagram above shows an AD server residing in AWS, there are different ways that Amazon allows you to use AD services with your WorkSpaces; for instance, running a full or simple AD server inside of AWS, or extending an existing external AD server to WorkSpaces.
For organizations that want AWS to host an actual Microsoft Windows Server Active Directory, Amazon offers AWS Directory Service for Microsoft Active Directory (also known as AWS Managed Microsoft AD). This offering gives an organization the whole range of AD services for their WorkSpaces, but with Amazon handling the monitoring, daily snapshots, and recovery aspects. AWS Managed Microsoft AD is available in two editions: Standard and Enterprise. The Standard Edition supports up to 30,000 directory objects (i.e., users, groups, and computers), and is designed for organizations with fewer than 5,000 users. On the other hand, the Enterprise Edition is the most expensive AD option for WorkSpaces, and is designed to handle up to 500,000 directory objects, or about 80,000 users.
For organizations that only need basic AD services, such as user accounts and group memberships, Amazon offers Simple AD, which is powered by Samba 4, and, like AWS Managed Microsoft AD, runs in AWS with Amazon handling the monitoring, daily snapshots, and recovery as part of this offering. Simple AD has two sizes available: a small size which supports 500 users, and a large size which supports up to 5,000 users.
AD Connector is a directory gateway, rather than an AD server, which allows you to redirect directory requests to your on-premise Microsoft Active Directory and then to your WorkSpaces. AD Connector also allows your existing AD users to log on to their WorkSpaces. In my regions (US West), this offering cost the same as a small Simple AD and less than AWS Managed Microsoft AD.
As I only needed to host a small deployment for demonstration purposes, AWS Managed Microsoft AD was overkill, so that left Simple AD and AD Connector; I went with Simple AD because I didn't need to extend my existing on-premise AD.
In my next article in this series, I will show you how I set up a WorkSpace using Simple AD. Update: Part 2 is now available here.
About the Author
Tom Fenton has a wealth of hands-on IT experience gained over the past 30 years in a variety of technologies, with the past 20 years focusing on virtualization and storage. He previously worked as a Technical Marketing Manager for ControlUp. He also previously worked at VMware in Staff and Senior level positions. He has also worked as a Senior Validation Engineer with The Taneja Group, where he headed the Validation Service Lab and was instrumental in starting up its vSphere Virtual Volumes practice. He's on X @vDoppler.