Active Directory (Single or Multiple Domains)
Active Directory is Microsoft's directory service for Windows domain networks. It is queried and modified over LDAP (Lightweight Directory Access Protocol), which is the protocol WorkSpaces Manager uses for the operations configured in this section.
You may need to contact the Active Directory Team or person in charge in order to obtain some of the details to configure this section.
In this section, we configure the details of the directory service and of the service account WorkSpaces Manager uses to operate on it. Most of these values are entered during the first setup, which asks for the following information:
Directory ID: Populated automatically once the directory is created.
NetBIOS Name: The short (pre-Windows 2000) name of the domain, at most 15 characters. It must be exactly the NetBIOS name the domain reports for itself. Example: CLOUD.
Fully Qualified Domain Name (FQDN or DNS Name): The complete DNS name of the domain that the WorkSpaces join. Example: NUVENS.CLOUD.
Default OU: The Organizational Unit (OU) in which the WorkSpaces computer objects are created, given as an LDAP distinguished name (DN). Example: DC=nuvens,DC=cloud or OU=Sales,DC=nuvens,DC=cloud.
Service Account: The account WorkSpaces Manager uses to perform operations in Active Directory (joining WorkSpaces to the domain, deleting computer objects). It should hold only the permissions those operations need, delegated on the Default OU, and may need to follow corporate naming conventions. Example: ad.service.
Service Password: The password of the service account. Because this account can create and delete objects in the directory, treat the password as a privileged secret and update it here whenever it is rotated in Active Directory.
Cost Optimizer Bucket: The name of the S3 bucket where the Amazon Cost Optimizer for WorkSpaces management tool stores its data.
Dry Run Mode: When enabled, Cost Optimizer reports the cost-saving actions it would take without applying them.
Active Directory Integrated: Whether the directory is integrated with an on-premises or self-managed Active Directory. This setting affects how identity and computer lifecycle operations are handled.

Once saved, you can verify the configuration of the directories in the Resources/Directories section.
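The same values can be checked from a domain-joined administrative host before they are entered. The following PowerShell script is an added example and is not part of WorkSpaces Manager; it assumes the RSAT ActiveDirectory module is installed, and the values NUVENS, nuvens.cloud, OU=WorkSpaces,DC=nuvens,DC=cloud and ad.service are hypothetical placeholders:

```powershell
# Added example, not WorkSpaces Manager code: pre-flight checks for the values entered
# in the Active Directory section. Run from a domain-joined admin host with the RSAT
# ActiveDirectory module. All default values below are hypothetical placeholders.
param(
    [string]$NetBiosName    = 'NUVENS',
    [string]$Fqdn           = 'nuvens.cloud',
    [string]$DefaultOU      = 'OU=WorkSpaces,DC=nuvens,DC=cloud',
    [string]$ServiceAccount = 'ad.service'
)
Import-Module ActiveDirectory -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()

# 1. NetBIOS name and FQDN must be exactly what the domain reports for itself.
$domain = Get-ADDomain -Identity $Fqdn -ErrorAction Stop
if ($domain.NetBIOSName -ne $NetBiosName) {
    $findings.Add("NetBIOS name '$NetBiosName' does not match the domain's '$($domain.NetBIOSName)'")
}
if ($domain.DNSRoot -ne $Fqdn) {
    $findings.Add("FQDN '$Fqdn' does not match the domain's DNS root '$($domain.DNSRoot)'")
}

# 2. The Default OU must exist as a DN and be an OU or the domain root.
try {
    $target = Get-ADObject -Identity $DefaultOU -Server $Fqdn -ErrorAction Stop
    if ($target.ObjectClass -notin @('organizationalUnit', 'domainDNS')) {
        $findings.Add("Default OU '$DefaultOU' is a $($target.ObjectClass), not an OU")
    }
} catch {
    $findings.Add("Default OU '$DefaultOU' not found: $($_.Exception.Message)")
}

# 3. The service account must exist, be enabled and not locked out. It should not be a
#    direct member of a highly privileged group (MemberOf lists direct membership only).
$svc = Get-ADUser -Identity $ServiceAccount -Server $Fqdn -Properties Enabled, LockedOut, MemberOf -ErrorAction Stop
if (-not $svc.Enabled) { $findings.Add("Service account '$ServiceAccount' is disabled") }
if ($svc.LockedOut)    { $findings.Add("Service account '$ServiceAccount' is locked out") }
$privileged = $svc.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' }
if ($privileged) { $findings.Add("Service account '$ServiceAccount' is a direct member of: $($privileged -join '; ')") }

# 4. LDAPS (TCP 636) must be reachable on every domain controller with a certificate the
#    caller trusts and whose name matches the host. Otherwise WorkSpaces Manager would need
#    "Disable LDAPS", and a simple bind over plain LDAP sends the password in clear text.
function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$HostName)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, 636)
        # Default SslStream validation: trusted chain and matching name, like a real LDAPS client.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Ldaps = $true;  Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        [pscustomobject]@{ Host = $HostName; Ldaps = $false; Subject = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

$ldaps = Get-ADDomainController -Filter * -Server $Fqdn | ForEach-Object { Test-LdapsEndpoint -HostName $_.HostName }
$ldaps | Format-Table -AutoSize
foreach ($r in $ldaps) {
    if (-not $r.Ldaps) {
        $findings.Add("LDAPS unavailable on $($r.Host): $($r.Error)")
    } elseif ($r.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings.Add("LDAPS certificate on $($r.Host) expires $($r.NotAfter)")
    }
}

if ($findings.Count -eq 0) { Write-Host 'All checks passed.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

The LDAPS check deliberately performs a full TLS handshake rather than a port probe: a listener on 636 with a certificate the WorkSpaces Manager host does not trust, or whose subject does not match the domain controller name, fails in exactly the same way for WorkSpaces Manager, and the error text returned here points at the cause.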
Multi Domains (Active Directory)
On initial setup, and by default, only one domain can be added. Multiple domains are enabled with the Multiple Domains option in the Active Directory settings.
Once the Multiple Domains option for Active Directory has been enabled, additional configuration elements for the forest can be defined:
Forest Service Account: A service account used within the context of the Active Directory forest, the top-level structure that groups domains sharing a common schema, configuration and trust relationships.
Forest Service Password: The password of the Forest Service Account. Because that account typically has elevated privileges across several domains, protect this password accordingly and update it here whenever it is rotated.
Preferred Domain: The domain WorkSpaces Manager treats as the primary, most authoritative domain of the forest, typically the one used for managing resources, services and administrative tasks across the whole forest.
Disable Delete Computer Object: When enabled, WorkSpaces Manager does not delete the computer object from Active Directory when the associated WorkSpace is deleted. Orphaned computer accounts remain valid security principals, so enable this only if another process removes them.
Disable LDAPS: Makes WorkSpaces Manager use plain LDAP (port 389) instead of LDAP over TLS (LDAPS, port 636) for the target domain. Use it only when the domain controllers do not offer LDAPS; without TLS the connection is not encrypted, so a simple bind sends the service account password in clear text. If LDAPS connections fail, check first that the domain controller certificate chains to a CA trusted by the WorkSpaces Manager host before falling back to this option.
When "Multiple Domains" is enabled, WorkSpaces Manager displays all available WorkSpaces directories, allowing each directory to be configured independently. This provides greater flexibility in environments where multiple domains, forests, or directory configurations are in use.

The following settings can be configured per directory:

NetBIOS Name: Specifies the short domain name (e.g., CORP) used by legacy authentication protocols and certain domain join operations. This must match the NetBIOS name configured in Active Directory.
Fully Qualified Domain Name (FQDN): Defines the domain that WorkSpaces will join (e.g., corp.company.local). This ensures WorkSpaces are associated with the correct Active Directory domain.
Default Organizational Unit (OU): Specifies the target OU where computer objects will be created. This allows proper application of Group Policies and organizational structuring.
Service Account Credentials (Username and Password): Account used by WorkSpaces Manager to perform domain operations such as joining machines to the domain and deleting computer objects during termination or rebuild. This account needs the permissions for those operations (creating and deleting computer objects, and the rights required to join a machine) delegated on the configured OU; it does not need membership in Domain Admins.
Cost Optimizer S3 Bucket: Defines the S3 bucket used to store reports and data generated by the WorkSpaces Cost Optimizer integration.
Cost Optimizer Dry Run Mode: When enabled, Cost Optimizer evaluates recommended changes (e.g., switching between hourly and monthly billing) but does not apply them automatically. This is useful for validation before enabling automated cost adjustments.
Active Directory Integrated: Indicates whether the directory is integrated with on-premises or self-managed Active Directory. This setting affects how identity and computer lifecycle operations are handled.
Custom KMS Key: Specifies a customer-managed AWS KMS key for encrypting WorkSpaces volumes. This allows compliance with internal security or regulatory encryption requirements. See section Amazon Web Services to enable the usage of Custom KMS Keys.
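The delegation the service account needs on the Default OU can be granted explicitly instead of making the account a Domain Admin. The following PowerShell script is an added example, not WorkSpaces Manager code or a procedure from the project; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and uses the hypothetical placeholders OU=WorkSpaces,DC=nuvens,DC=cloud and ad.service. The GUIDs are the well-known schema and extended-right identifiers, identical in every forest:

```powershell
# Added example, not WorkSpaces Manager code: delegate to the service account only what it
# needs on the Default OU (create/delete computer objects in the OU, and the rights needed
# to join the machines it creates), rather than Domain Admins membership. Run from a
# domain-joined admin host with the RSAT ActiveDirectory module. The default values are
# hypothetical placeholders; run with -WhatIf first to see what would change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DefaultOU      = 'OU=WorkSpaces,DC=nuvens,DC=cloud',
    [string]$ServiceAccount = 'ad.service'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Well-known schema class, property-set and extended-right GUIDs (same in every AD forest).
$computerClass    = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$resetPassword    = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$accountRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set: Account Restrictions
$validatedDnsHost = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write: DNS host name
$validatedSpn     = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write: service principal name

$sid  = (Get-ADUser -Identity $ServiceAccount -ErrorAction Stop).SID
$path = "AD:\$DefaultOU"
$acl  = Get-Acl -Path $path -ErrorAction Stop

function New-AdRule {
    # Thin wrapper over the ActiveDirectoryAccessRule constructor overloads used below.
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($InheritedObjectType -eq [Guid]::Empty) {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Identity, $Rights, $allow, $ObjectType, $Inheritance)
    } else {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new($Identity, $Rights, $allow, $ObjectType, $Inheritance, $InheritedObjectType)
    }
}

$rules = @(
    # On the OU itself, and only there: create and delete computer objects.
    New-AdRule $sid 'CreateChild, DeleteChild' $computerClass 'None'
    # On computer objects below the OU: what a domain join writes to the account it just created.
    New-AdRule $sid 'ExtendedRight'  $resetPassword    'Descendents' $computerClass
    New-AdRule $sid 'WriteProperty'  $accountRestrict  'Descendents' $computerClass
    New-AdRule $sid 'Self'           $validatedDnsHost 'Descendents' $computerClass
    New-AdRule $sid 'Self'           $validatedSpn     'Descendents' $computerClass
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

if ($PSCmdlet.ShouldProcess($DefaultOU, "grant computer-join delegation to $ServiceAccount")) {
    Set-Acl -Path $path -AclObject $acl
}

# Verify: list the ACEs the service account now holds on the OU.
$account = $sid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The first rule is scoped to the OU only (inheritance None), so the account cannot create or delete computer objects in nested OUs; the remaining rules apply only to descendant objects of class computer, so the same account cannot reset passwords or write attributes of users or groups that happen to live under the OU.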