Deploy Amazon WorkSpaces using a One-Way Trust Resource Domain with AWS Directory Service
Learn how to set up separate identity and resource Active Directory domains
Amazon WorkSpaces can be integrated with a range of Active Directory Service configuration scenarios. This guide walks you through the process of deploying Amazon WorkSpaces in a one-way trust domain environment with an account and a resource domain configuration. An account/resource configuration consists of two Microsoft Active Directories with a configured Active Directory Trust.
An account domain is an Active Directory domain set up to manage user accounts. A resource domain is used to enhance security, or make the Active Directory structure more logical or manageable. There are Active Directory deployments in which all desktop, or desktop-as-a-service, computers are grouped into a dedicated resource domain. Resource domains are useful when you treat them as management domains.
A one-way trust is a unidirectional authentication path created between two domains (trust flows in one direction, and access flows in the other). With a one-way trust relationship, the Resource domain (trusting) makes its resources available to users in the Account domain (trusted). This means that in a one-way trust between a trusted domain and a trusting domain, users or computers in the trusted domain can access resources in the trusting domain. However, users in the trusting domain cannot access resources in the trusted domain.
Consider the following scenarios which benefit from using account and resource domains with configured trusts:
Isolating resources for external management: This scenario allows users to keep their existing Active Directory (AD) credentials. For example, a customer can have a partner organization manage its Amazon WorkSpaces with AD Group Policies without relinquishing control of, or granting access into, the corporate AD account domain.
As an additional example, customers can extend access to their partner-managed resources by giving contractors or external providers user accounts in the resource domain. This configuration allows collaboration while reducing the security impact of granting third parties access to the corporate account domain.
Isolating resources for collaborative or short-term projects: This scenario allows users to isolate resources in a separate Active Directory that can have a different level of security controls than the existing account domain.
Customers can create new Active Directory user accounts for collaborative projects. The associated AD computer objects can be isolated from the existing Group Policy Objects (GPOs) linked to the Organizational Units (OUs) and from the domain policies linked to the default account domain. This reduces the risk of entangling GPO policies during divestitures or other short-term projects.
The following sections describe how to configure account and resource domains with Amazon WorkSpaces, explain how the Active Directory Connectors are set up, and describe design considerations when choosing between one-way and two-way trusts.
What you will accomplish
In this tutorial, you will:
- Set up a one-way transitive Active Directory trust for Amazon WorkSpaces.
This deployment configures a trust relationship between two Active Directory domains. In the following example configuration, the account domain is hosted in the customer’s corporate data center. The Amazon WorkSpaces are managed within a separate Active Directory, with users authenticating using their corporate AD credentials.
You must have the following components configured to complete this tutorial:
- AWS Account
- Active Directory (Identity Domain)
- Active Directory (Resource Domain, holding the computer objects), such as AWS Directory Service
- Network connectivity between domains
- The following ports need to be open between domains: 49152-65535 (the Windows dynamic RPC port range)
- Active Directory Conditional Forwarder
- AWS Region for the Amazon WorkSpaces deployment (the same Region as the AWS Managed Microsoft AD). Note: The Amazon WorkSpaces service is available in select AWS Regions; verify Region availability before deployment.
1. On the Microsoft Windows domain controller, open DNS Manager (Windows Key > Windows Administrative Tools > DNS).
2. Right-click Conditional Forwarders and choose New Conditional Forwarder.
3. Enter the DNS domain name and the IP address of the DNS server in the Identity Domain.
4. Click OK.
5. Repeat steps 1 through 4 on the Identity Domain, setting the Conditional Forwarder IP address in step 3 to the DNS server of the Resource Domain.
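The conditional-forwarder steps above, together with the trust-direction description earlier in this guide, can also be carried out and verified from PowerShell. The following is an added example written for this page, not code from the AWS tutorial or from AWS Directory Service. It assumes a domain controller with the RSAT DnsServer and ActiveDirectory modules, and the domain names (corp.example.com, ws.example.com) and DNS server addresses are constructed placeholders. The trust-direction function assumes the usual Active Directory convention: on the trusting (resource) domain a one-way trust toward the account domain shows Direction = Outbound, and on the trusted (account) domain it shows Inbound.

```powershell
# Added example (not part of the original AWS page): create the conditional
# forwarder for the remote domain, confirm the prerequisites for a trust, and
# report the trust direction once the trust exists. All names and IPs below are
# constructed placeholders; replace them with your own environment's values.
Import-Module DnsServer
Import-Module ActiveDirectory

$IdentityDomain = 'corp.example.com'          # account/trusted domain (assumed name)
$IdentityDnsIps = @('10.0.1.10', '10.0.1.11') # its DNS servers (constructed)
$ResourceDomain = 'ws.example.com'            # resource/trusting domain (assumed name)
$ResourceDnsIps = @('10.0.2.10', '10.0.2.11') # its DNS servers (constructed)

function Set-TrustConditionalForwarder {
    param(
        [Parameter(Mandatory)] [string]   $RemoteDomain,
        [Parameter(Mandatory)] [string[]] $RemoteDnsServers
    )
    # Idempotent: create the forwarder zone only if it does not already exist,
    # so re-running the script never overwrites an operator's manual change.
    $existing = Get-DnsServerZone -Name $RemoteDomain -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-DnsServerConditionalForwarderZone -Name $RemoteDomain `
            -MasterServers $RemoteDnsServers -ReplicationScope 'Forest'
        Write-Host "Created conditional forwarder for $RemoteDomain -> $($RemoteDnsServers -join ', ')"
    } else {
        Write-Host "Conditional forwarder for $RemoteDomain already exists; leaving it unchanged"
    }
}

function Test-TrustPrerequisites {
    param(
        [Parameter(Mandatory)] [string]   $RemoteDomain,
        [Parameter(Mandatory)] [string[]] $RemoteDnsServers
    )
    $ok = $true
    # 1. The remote DNS servers must be reachable on TCP/53 (the fixed DNS port,
    #    separate from the dynamic RPC range listed in the prerequisites).
    foreach ($ip in $RemoteDnsServers) {
        $tnc = Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue
        if (-not $tnc.TcpTestSucceeded) { Write-Warning "No TCP/53 path to $ip"; $ok = $false }
    }
    # 2. Through the forwarder, this DC must be able to locate the remote domain's
    #    domain controllers via the _ldap._tcp.dc._msdcs SRV record. If this
    #    lookup fails, creating the trust will fail with a name-resolution error.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteDomain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { Write-Warning "Cannot resolve DC SRV records for $RemoteDomain"; $ok = $false }
    return $ok
}

function Get-TrustDirectionReport {
    param([Parameter(Mandatory)] [string] $RemoteDomain)
    # Assumed convention (see lead-in): on the trusting/resource domain the
    # one-way trust appears as Outbound; on the trusted/account domain as Inbound;
    # a two-way trust appears as BiDirectional on both sides.
    $trust = Get-ADTrust -Filter "Name -eq '$RemoteDomain'" -ErrorAction SilentlyContinue
    if (-not $trust) { return "No trust object for $RemoteDomain found on this DC" }
    return ("Trust to {0}: Direction={1}, ForestTransitive={2}, SelectiveAuthentication={3}" -f
        $trust.Name, $trust.Direction, $trust.ForestTransitive, $trust.SelectiveAuthentication)
}

# --- On the Resource Domain DC: forward the Identity Domain to its DNS servers ---
Set-TrustConditionalForwarder -RemoteDomain $IdentityDomain -RemoteDnsServers $IdentityDnsIps
if (Test-TrustPrerequisites -RemoteDomain $IdentityDomain -RemoteDnsServers $IdentityDnsIps) {
    Get-TrustDirectionReport -RemoteDomain $IdentityDomain
}

# --- On the Identity Domain DC (step 5 above): the same calls with the roles swapped ---
# Set-TrustConditionalForwarder -RemoteDomain $ResourceDomain -RemoteDnsServers $ResourceDnsIps
# Test-TrustPrerequisites        -RemoteDomain $ResourceDomain -RemoteDnsServers $ResourceDnsIps
```

When the resource domain is AWS Managed Microsoft AD, you do not administer its domain controllers directly; the resource-side conditional forwarder is created through the AWS Directory Service console or API when the trust is set up, and only the identity-domain half of this script runs on a controller you manage. The SRV lookup is the check worth keeping in either case: a trust whose DNS forwarding is broken fails at creation time, and a forwarder that later points at a decommissioned DNS server silently breaks WorkSpaces logons from the account domain.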
In this tutorial, you created separate identity and resource Active Directory domains joined by a one-way domain trust. You configured AWS Directory Service for Microsoft Active Directory to integrate into that environment so that user accounts from the account domain are available, while computer objects are deployed in, and managed from, the resource domain.