AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約

How do I set up an Active Directory to manage and configure WorkSpaces?

所要時間5分
0

I want to use an Active Directory such as Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services) to manage and configure my Amazon WorkSpaces.

Resolution

Before you set up WorkSpaces, you must set up a supported Active Directory to store and manage WorkSpaces and user sources.

AD Connector

Use AD Connector to use your existing on-premises Microsoft Active Directory. For information on prerequisites and how to connect your existing directory to AD Connector, see Getting started with AD Connector.

If you encounter connectivity issues when you create AD Connector, then run the AWSSupport-TroubleshootADConnectorConnectivity automation documentation.

To manually verify network connectivity, use the DirectoryServicePortTest.exe tool. Then, confirm the DNS query from Windows testing instances to the on-premises domain controllers. Complete the following steps:

  1. Launch two testing Amazon Elastic Compute Cloud (Amazon EC2) Windows instances in each subnet located in the same subnet as the AD Connector.

  2. Configure the DNS IP address to point to the on-premises DNS server. Then, manually join the EC2 instances to your on-premises domain.

  3. Download the DirectoryServicePortTest test application to both EC2 instances.

  4. To test the connection to on-premises controllers with specific DNS IP addresses and ports, run the following commands on both EC2 instances:

    DirectoryServicePortTest.exe -d example.com -ip DNS_IP_ADDRESS_1 -tcp "53,88,389" -udp "53,88,389"
    DirectoryServicePortTest.exe -d example.com -ip DNS_IP_ADDRESS_2 -tcp "53,88,389" -udp "53,88,389"

    Note: Replace example.com with your domain, and DNS_IP_ADDRESS_1 and DNS_IP_ADDRESS_2 with your domain's IP addresses.

  5. Open the command prompt on the Windows instances. To clear your DNS cache, run the following command:

    ipconfig /flushdns
  6. To open the nslookup command console, run the following command:

    nslookup
  7. To confirm that the testing instances can resolve the DNS records for the on-premises domain, run the following commands in the nslookup command console:
    To display all DNS record types, run the following command:

    set type=all

    To specify the DNS IP address of your domain IP address, run the following command:

    server DNS_IP_ADDRESS_1

    Note: Replace DNS_IP_ADDRESS_1 with your domain IP address.
    To resolve your domain name, run the following command:

     example.com

    Note: Replace example.com with your domain.
    To get your LDAP record information, run the following command:

    _ldap._tcp.example.com

    Note: Replace example.com with your domain.
    To get your Kerberos record information, run the following command:

    _kerberos._tcp.example.com

    Note: Replace example.com with your domain.
    If you have more DNS IP address, then run the preceding commands for each DNS IP address.

Microsoft Entra Domain Services

To use Microsoft Entra Domain Services as an Active Directory, you must run AD Connector. To set up this Active Directory, complete the following steps:

  1. Add Microsoft Entra Domain Services.
  2. Create a service account in Microsoft Entra Domain Services.
  3. Create an AD Connector.
  4. Register your AD Connector with the WorkSpaces service.
  5. Deploy WorkSpaces.

For more information and prerequisites, see Add your WorkSpaces to Azure AD using Azure Active Directory Domain Services.

AWS Managed Microsoft AD

Use AWS Directory Service for Microsoft Active Directory to create a Microsoft Active Directory hosted on AWS. For information on prerequisites and how to create a new AWS Managed Microsoft AD, see Getting started with AWS Managed Microsoft AD.

Note:

  • If you create a trust relationship with an on-premises domain, then you must use a unique name for Directory DNS name and Directory NetBIOS name. It can't be the same name as your on-premises domain.
  • AWS Managed Microsoft AD is a standalone forest and domain. You can't synchronize on-premises domain users to the AWS Managed Microsoft AD. This is true even if you use the same DNS name and NetBIOS name as your on-premises domain. You must create new Active Directory users for WorkSpaces on the AWS Managed Microsoft AD.

Simple AD

Use Simple AD to create a standalone directory that's compatible with Microsoft Active Directory and hosted on AWS. For information on prerequisites and how to create a new Simple AD, see Getting started with Simple AD.

If you use unsupported VPC endpoints in the VPC where you create the Simple AD, then you encounter the following error: "An internal service error has been encountered during directory creation. Please retry the operation." Simple AD doesn't support the following VPC endpoints:

  • Amazon Route 53 VPC endpoints that include DNS conditional overrides for *.amazonaws.com that resolve to non-public AWS IP addresses
  • Amazon CloudWatch VPC endpoint: monitoring.region-name.amazonaws.com
  • AWS Systems Manager VPC endpoint: ssm.region-name.amazonaws.com
  • AWS Security Token Service (AWS STS) VPC endpoint: sts.region-name.amazonaws.com

If you create an unsupported VPC endpoint after you create the Simple AD, then you can't recover or restore the directory. To restore or launch new directories, remove these endpoints. Or, use an Active Directory that allows these endpoints, such as AWS Managed Microsoft AD.

AWS公式
AWS公式更新しました 4ヶ月前
コメントはありません

関連するコンテンツ