
Test the updated DNS server settings

In the document Amazon WorkSpaces (pages 75-82)

After completing Step 1 (p. 65) and Step 2 (p. 67), use the following procedure to verify that your updated DNS server settings are working as expected.

In the following procedure, the current and new DNS server IP address values are referred to as follows:

• Current DNS IP addresses: OldIP1, OldIP2

• New DNS IP addresses: NewIP1, NewIP2

Note

If this is the second time you're performing this procedure, replace OldIP1 with OldIP2 and NewIP1 with NewIP2.

Test the updated DNS server settings for Windows WorkSpaces

1. Shut down the OldIP1 DNS server.

2. Log in to a Windows WorkSpace.

3. On the Windows Start menu, choose Windows System, then choose Command Prompt.


4. Run the following command, where AD_Name is the name of your Active Directory (for example, corp.example.com).

nslookup AD_Name

The nslookup command should return the following output. (If this is the second time you're performing this procedure, you should see NewIP2 in place of OldIP2.)

Server:    Full_AD_Name
Address:   NewIP1

Name:      AD_Name
Addresses: OldIP2
           NewIP1

5. If the output is not what you were expecting or if you receive any errors, repeat Step 1 (p. 65).

6. Wait for an hour and confirm that no user issues have been reported. Verify that NewIP1 is getting DNS queries and responding with answers.

7. After you've verified that the first DNS server is working properly, repeat Step 1 (p. 65) to update the second DNS server, this time replacing OldIP2 with NewIP2. Then repeat Step 2 and Step 3.

Test the updated DNS server settings for Linux WorkSpaces

1. Shut down the OldIP1 DNS server.

2. Log in to a Linux WorkSpace.

3. On your Linux WorkSpace, open a Terminal window (Applications > System Tools > MATE Terminal).

4. The DNS server IP addresses returned in the DHCP response are written to the local /etc/resolv.conf file on the WorkSpace. Run the following command to view the contents of the /etc/resolv.conf file.

cat /etc/resolv.conf

You should see the following output. (If this is the second time you're performing this procedure, you should see NewIP2 in place of OldIP2.)

; This file is generated by Amazon WorkSpaces
; Modifying it can make your WorkSpace inaccessible until reboot
options timeout:2 attempts:5
; generated by /usr/sbin/dhclient-script
search region.compute.internal
nameserver NewIP1
nameserver OldIP2
nameserver WorkSpaceIP

Note

If you make manual modifications to the /etc/resolv.conf file, those changes are lost when the WorkSpace is restarted.

5. If the output is not what you were expecting or if you receive any errors, repeat Step 1 (p. 65).

6. The actual DNS server IP addresses are stored in the /etc/dhcp/dhclient.conf file. To see the contents of this file, run the following command.

sudo cat /etc/dhcp/dhclient.conf


You should see the following output. (If this is the second time you're performing this procedure, you should see NewIP2 in place of OldIP2.)

# This file is generated by Amazon WorkSpaces
# Modifying it can make your WorkSpace inaccessible until rebuild
prepend domain-name-servers NewIP1, OldIP2; # skylight

7. Wait for an hour and confirm that no user issues have been reported. Verify that NewIP1 is getting DNS queries and responding with answers.

8. After you've verified that the first DNS server is working properly, repeat Step 1 (p. 65) to update the second DNS server, this time replacing OldIP2 with NewIP2. Then repeat Step 2 and Step 3.
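The two Linux checks above (nameserver order in /etc/resolv.conf and the prepend line in /etc/dhcp/dhclient.conf) and the "is NewIP1 answering" check in step 7 can be scripted so they are repeatable across many WorkSpaces. The following shell script is an added example, not code from the Amazon WorkSpaces guide: it reads both files, compares the address lists against what you expect after the swap, and offers a helper that asks one server directly for AD_Name. File paths and expected addresses are arguments, so it can be pointed at copies of the files; the addresses and file contents in the demonstration at the bottom are constructed sample values.

```shell
#!/bin/sh
# Added example; not part of the Amazon WorkSpaces guide. Checks the files the
# Linux procedure inspects against the nameserver list expected after OldIP1
# has been replaced by NewIP1. Paths and addresses are passed in as arguments.

# resolv_nameservers FILE
# Print the nameserver addresses in FILE, one per line, in file order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# dhclient_prepend_servers FILE
# Print the addresses on the "prepend domain-name-servers ...;" line of FILE,
# one per line, in order, ignoring the terminating ";" and any trailing comment.
dhclient_prepend_servers() {
    awk '$1 == "prepend" && $2 == "domain-name-servers" {
             sub(/;.*/, "")                 # drop ";" and everything after it
             for (i = 3; i <= NF; i++) {
                 gsub(/,/, "", $i)          # strip the list separators
                 if ($i != "") print $i
             }
         }' "$1"
}

# same_list "NEWLINE-SEPARATED-ACTUAL" EXPECTED...
# Succeed only if the actual list equals the expected list, item for item.
same_list() {
    actual=$(printf '%s\n' "$1" | tr '\n' ' ')
    shift
    [ "$actual" = "$* " ]
}

# check_resolv FILE EXPECTED...   (expected order after the swap: NewIP1 OldIP2 WorkSpaceIP)
check_resolv() {
    file=$1; shift
    same_list "$(resolv_nameservers "$file")" "$@"
}

# check_dhclient FILE EXPECTED...   (expected order after the swap: NewIP1 OldIP2)
check_dhclient() {
    file=$1; shift
    same_list "$(dhclient_prepend_servers "$file")" "$@"
}

# resolve_via NAME SERVER
# Ask SERVER directly for NAME with nslookup and print the answer addresses.
# Needs network reachability to SERVER, so it is not exercised in the demo below;
# an empty result means the server did not answer with an address for NAME.
resolve_via() {
    nslookup "$1" "$2" 2>/dev/null |
        awk 'found && $1 ~ /^Address/ { print $2 } /^Name:/ { found = 1 }'
}

# --- Demonstration on constructed sample files (private-range addresses) ---
NEW_IP1=10.0.0.10   # constructed stand-in for NewIP1
OLD_IP2=10.0.0.2    # constructed stand-in for OldIP2
WS_IP=10.0.1.25     # constructed stand-in for WorkSpaceIP

demo_dir=$(mktemp -d)
cat > "$demo_dir/resolv.conf" <<EOF
; This file is generated by Amazon WorkSpaces
; Modifying it can make your WorkSpace inaccessible until reboot
options timeout:2 attempts:5
; generated by /usr/sbin/dhclient-script
search region.compute.internal
nameserver $NEW_IP1
nameserver $OLD_IP2
nameserver $WS_IP
EOF
cat > "$demo_dir/dhclient.conf" <<EOF
# This file is generated by Amazon WorkSpaces
# Modifying it can make your WorkSpace inaccessible until rebuild
prepend domain-name-servers $NEW_IP1, $OLD_IP2; # skylight
EOF

if check_resolv "$demo_dir/resolv.conf" "$NEW_IP1" "$OLD_IP2" "$WS_IP"; then
    echo "resolv.conf: nameserver order is as expected"
else
    echo "resolv.conf: MISMATCH, found: $(resolv_nameservers "$demo_dir/resolv.conf" | tr '\n' ' ')"
fi
if check_dhclient "$demo_dir/dhclient.conf" "$NEW_IP1" "$OLD_IP2"; then
    echo "dhclient.conf: prepend list is as expected"
else
    echo "dhclient.conf: MISMATCH, found: $(dhclient_prepend_servers "$demo_dir/dhclient.conf" | tr '\n' ' ')"
fi
rm -rf "$demo_dir"
```

On a real WorkSpace the same functions are called against the live files, for example `check_resolv /etc/resolv.conf NewIP1 OldIP2 WorkSpaceIP` and `sudo sh -c '. ./check.sh; check_dhclient /etc/dhcp/dhclient.conf NewIP1 OldIP2'` (dhclient.conf needs root to read, as the `sudo cat` in step 6 shows), and `resolve_via corp.example.com NewIP1` gives the same evidence as step 7 that the new server is answering queries. The order comparison is strict on purpose: a WorkSpace still listing OldIP1 first is exactly the case the procedure is meant to catch before the second swap.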

Delete the directory for your WorkSpaces

You can delete the directory for your WorkSpaces if it is no longer in use by other WorkSpaces or other applications, such as Amazon WorkDocs, Amazon WorkMail, or Amazon Chime. Note that you must deregister a directory before you can delete it.

Note

Simple AD and AD Connector are made available to you free of charge to use with WorkSpaces.

If there are no WorkSpaces being used with your Simple AD or AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

If you delete your Simple AD or AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.

What happens when you delete a directory

When a Simple AD or AWS Directory Service for Microsoft Active Directory directory is deleted, all of the directory data and snapshots are deleted and cannot be recovered. After the directory is deleted, any Amazon EC2 instances that are joined to the directory remain intact. You cannot, however, use your directory credentials to log in to these instances. You need to log in to these instances with a user account that is local to the instance.

When an AD Connector directory is deleted, your on-premises directory remains intact. Any Amazon EC2 instances that are joined to the directory also remain intact and remain joined to your on-premises directory. You can still use your directory credentials to log in to these instances.

To delete a directory

1. Delete all WorkSpaces in the directory. For more information, see Delete a WorkSpace (p. 143).

2. Find and remove all of the applications and services that are registered to the directory. For more information, see Delete Your Directory in the AWS Directory Service Administration Guide.

3. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

4. In the navigation pane, choose Directories.

5. Select the directory and choose Actions, Deregister.

6. When prompted for confirmation, choose Deregister.

7. Select the directory again and choose Actions, Delete.

8. When prompted for confirmation, choose Delete.

Note

Removing application assignments can sometimes take more time than expected. If you receive the following error message, verify that you've removed all application assignments, and then wait 30 to 60 minutes before trying again to delete the directory:


An Error Has Occurred

Cannot delete the directory because it still has authorized applications.

Additional directory details can be viewed at the Directory Service console.

9. (Optional) After you delete all resources in the virtual private cloud (VPC) for your directory, you can delete the VPC and release the Elastic IP address used for the NAT gateway. For more information, see Deleting your VPC and Working with Elastic IP addresses in the Amazon VPC User Guide.

10. (Optional) To delete any custom bundles and images that you are finished with, see Delete a custom WorkSpaces bundle or image (p. 161).

Enable Amazon WorkDocs for AWS Managed Microsoft AD

If you're using AWS Managed Microsoft AD with Amazon WorkSpaces, you can enable Amazon WorkDocs for your directory through either the Amazon WorkDocs console or the AWS Directory Service console.

Note

Amazon WorkDocs is not available in all of the AWS Regions where Amazon WorkSpaces is available. For more information, see Amazon WorkDocs Pricing.

To enable WorkDocs through the Amazon WorkDocs console

1. Open the Amazon WorkDocs console at https://console.aws.amazon.com/zocalo/.

2. Choose Create a New WorkDocs Site.

3. Under Standard Setup, choose Launch.

4. Select the directory and create your site name.

5. Specify the user who will administer the WorkDocs site. You can use the admin or any user created in the directory.

For more information, see Getting Started with AWS Managed Microsoft AD in the Amazon WorkDocs Administration Guide.

To enable WorkDocs through the AWS Directory Service console

1. Open the AWS Directory Service console at https://console.aws.amazon.com/directoryservicev2/.

2. In the navigation pane, choose Directories.

3. On the Directories page, choose your directory.

4. On the Directory details page, choose the Application management tab.

5. In the Application access URL section, if an access URL has not been assigned to the directory, the Create button is displayed. Enter a directory alias and choose Create. For more information, see Creating an Access URL in the AWS Directory Service Administration Guide.

6. In the Application access URL section, choose Enable to enable single sign-on for Amazon WorkDocs. For more information, see Single Sign-On in the AWS Directory Service Administration Guide.

Set up Directory Administration

Set up Active Directory Administration Tools for WorkSpaces

You'll perform most administrative tasks for your WorkSpaces directory using directory management tools, such as the Active Directory Administration Tools. However, you'll use the WorkSpaces console to perform some directory-related tasks. For more information, see Manage directories for WorkSpaces (p. 59).

If you create a directory with AWS Managed Microsoft AD or Simple AD that includes five or more WorkSpaces, we recommend that you centralize administration on an Amazon EC2 instance. Although you can install the directory management tools on a WorkSpace, using an Amazon EC2 instance is a more robust solution.

To set up the Active Directory Administration Tools

1. Launch an Amazon EC2 Windows instance and join it to your WorkSpaces directory by using one of the following options:

• If you don't already have an existing Amazon EC2 Windows instance, you can join the instance to your directory domain when you launch the instance. For more information, see Seamlessly join a Windows EC2 instance in the AWS Directory Service Administration Guide.

• If you already have an existing Amazon EC2 Windows instance, you can join it to your directory manually. For more information, see Manually Add a Windows Instance in the AWS Directory Service Administration Guide.

2. Install the Active Directory Administration Tools on the Amazon EC2 Windows instance. For more information, see Installing the Active Directory Administration Tools in the AWS Directory Service Administration Guide.

Note

When you're installing the Active Directory Administration Tools, make sure to also select Group Policy Management to install the Group Policy Management Editor (gpmc.msc) tool.

When the feature installation is finished, the Active Directory tools are available on the Windows Start menu under Windows Administrative Tools.

3. Run the tools as a directory administrator as follows:

a. On the Windows Start menu, open Windows Administrative Tools.

b. Hold down the Shift key, right-click the shortcut for the tool you want to use, and choose Run as different user.

c. Type the username and password for the administrator. With Simple AD, the username is Administrator and with AWS Managed Microsoft AD, the administrator is Admin.

You can now perform directory administration tasks using the Active Directory tools that you are familiar with. For example, you can use the Active Directory Users and Computers Tool to add users, remove users, promote a user to directory administrator, or reset a user password. Note that you must be logged into your Windows instance as a user that has permissions to manage users in the directory.

To promote a user to a directory administrator

Note

This procedure applies only to directories created with Simple AD, not AWS Managed AD. For directories created with AWS Managed AD, see Manage Users and Groups in AWS Managed Microsoft AD in the AWS Directory Service Administration Guide.

1. Open the Active Directory Users and Computers tool.


2. Navigate to the Users folder under your domain and select the user to promote.

3. Choose Action, Properties.

4. In the username Properties dialog box, choose Member Of.

5. Add the user to the following groups and choose OK.

Administrators

Domain Admins

Enterprise Admins

Group Policy Creator Owners

Schema Admins

To add or remove users

You can create new users from the Amazon WorkSpaces console only during the process of launching a WorkSpace, and you cannot delete users through the Amazon WorkSpaces console. Most user management tasks, including managing user groups, must be performed through your directory.

Important

Before you can remove a user, you must delete the WorkSpace assigned to that user. For more information, see Delete a WorkSpace (p. 143).

The process you use for managing users and groups depends on which type of directory you're using.

• If you're using AWS Managed Microsoft AD, see Manage Users and Groups in AWS Managed Microsoft AD in the AWS Directory Service Administration Guide.

• If you're using Simple AD, see Manage Users and Groups in Simple AD in the AWS Directory Service Administration Guide.

• If you use Microsoft Active Directory through AD Connector or a trust relationship, you can manage users and groups by using Active Directory.

To reset a user password

When you reset the password for an existing user, do not set User must change password at next logon.

Otherwise, the users cannot connect to their WorkSpaces. Instead, assign a secure temporary password to each user and then ask the users to manually change their passwords from within the WorkSpace the next time they log on.

Note

If you're using AD Connector or if your users are in the AWS GovCloud (US-West) Region, your users won't be able to reset their own passwords. (The Forgot password? option on the WorkSpaces client application login screen won't be available.)

Launch a virtual desktop using WorkSpaces

With WorkSpaces, you can provision virtual, cloud-based Microsoft Windows or Amazon Linux desktops for your users, known as WorkSpaces.

Note

The Computer Name value shown for a WorkSpace in the Amazon WorkSpaces console varies, depending on which type of WorkSpace you've launched (Linux or Windows). The computer name for a WorkSpace can be in one of these formats:

Linux: A-1xxxxxxxxxxxx

Windows: IP-Cxxxxxx or WSAMZN-xxxxxxx or EC2AMAZ-xxxxxxx

For Windows WorkSpaces, the computer name format is determined by the bundle type, and in the case of WorkSpaces created from public bundles or from custom bundles based on public images, by when the public images were created.

Starting June 22, 2020, Windows WorkSpaces launched from public bundles have the WSAMZN-xxxxxxx format for their computer names instead of the IP-Cxxxxxx format.

For custom bundles based on a public image, if the public image was created before June 22, 2020, the computer names are in the EC2AMAZ-xxxxxxx format. If the public image was created on or after June 22, 2020, the computer names are in the WSAMZN-xxxxxxx format.

For Bring Your Own License (BYOL) bundles, either the DESKTOP-xxxxxxx or the EC2AMAZ-xxxxxxx format is used for the computer names by default.

If you've specified a custom format for the computer names in your custom or BYOL bundles, your custom format overrides these defaults. To specify a custom format, see Create a custom WorkSpaces image and bundle (p. 145).

Important

If you change the computer name for a WorkSpace through the Windows system settings, you will no longer be able to access the WorkSpace.

WorkSpaces uses a directory to store and manage information for your WorkSpaces and users. You can do any of the following:

• Create a Simple AD directory.

• Create an AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD.

• Connect to an existing Microsoft Active Directory by using Active Directory Connector.

• Create a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain.

Note

• Shared directories are not currently supported for use with Amazon WorkSpaces.

• If you configure your AWS Managed Microsoft AD directory for multi-Region replication, only the directory in the primary Region can be registered for use with Amazon WorkSpaces.

Attempts to register the directory in a replicated Region for use with Amazon WorkSpaces will fail. Multi-Region replication with AWS Managed Microsoft AD isn't supported for use with Amazon WorkSpaces within replicated Regions.

• Simple AD and AD Connector are made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD or AD Connector directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

To delete empty directories, see Delete the directory for your WorkSpaces (p. 69). If you delete your Simple AD or AD Connector directory, you can always create a new one when you want to start using WorkSpaces again.

The following tutorials show you how to launch a WorkSpace by using the supported directory service options.

Tutorials

• Launch a WorkSpace using AWS Managed Microsoft AD (p. 74)

• Launch a WorkSpace using Simple AD (p. 77)

• Launch a WorkSpace using AD Connector (p. 80)

• Launch a WorkSpace using a trusted domain (p. 83)

Launch a WorkSpace using AWS Managed Microsoft AD

WorkSpaces enables you to provision virtual, cloud-based Windows desktops for your users, known as WorkSpaces.

WorkSpaces uses directories to store and manage information for your WorkSpaces and users. For your directory, you can choose from Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. In addition, you can establish a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain.

In this tutorial, we launch a WorkSpace that uses AWS Managed Microsoft AD. For tutorials that use the other options, see Launch a virtual desktop using WorkSpaces (p. 73).

Tasks

• Before you begin (p. 74)
