Setting up AWS WorkSpaces and Instance-based Windows File Share in a Microsoft Managed AD-backed Directory

John Byrd
Jun 24, 2024


This solution includes the creation of a Microsoft Managed AD to support a WorkSpaces deployment. Additionally, it includes the creation of a utility EC2 joined to the domain as a basic file server.

This is a quick write-up of the process, which I ran through a couple of times until it succeeded repeatably. Hope this helps.

Prerequisites

Authenticate to the account that will host the deployment and look up its Availability Zone mappings. These are shown on the EC2 dashboard after you sign in to the management console.

Compare your account’s mappings against the supported AZ list in the WorkSpaces Administration Guide. When building the VPC, choose carefully which AZs receive the private subnets, because WorkSpaces will be built in them later in this guide.

(Screenshot: Zone Name and Zone ID mapping for the demo account)

⚠ The following applies to the account used to build this document. The Zone name to Zone ID mapping will likely be different in your account.

For the sake of this example, we will be using us-east-1. The account being used has AZ mappings as follows:

At the latest update to this document, the supported AZs (per the Administrator Guide link above) include az2, az4, and az6 as seen below.

This indicates we should plan to build the private subnets in us-east-1c (az2), us-east-1d (az4), and/or us-east-1a (az6) for this account due to the Zone name to Zone ID mapping above.
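The mapping step above can be scripted so the check is repeatable per account. The following is an added example and not code from the original post; it assumes the AWS Tools for PowerShell EC2 module (AWS.Tools.EC2) is installed and credentials for the account are configured. The supported-zone suffixes are the ones the post quotes for us-east-1 at its time of writing and are passed in as a parameter so they can be replaced with the current list from the Administration Guide.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.EC2 and configured
# credentials for the account being evaluated.
function Get-WorkSpacesCapableZone {
    param(
        [string]$Region = 'us-east-1',
        # Zone ID suffixes the post quotes from the Administration Guide for
        # us-east-1 at its time of writing; re-check the guide before relying on them.
        [string[]]$SupportedSuffix = @('az2', 'az4', 'az6')
    )
    # Local Zones and Wavelength Zones also end in "azN", so keep only real AZs
    # before comparing suffixes.
    Get-EC2AvailabilityZone -Region $Region |
        Where-Object { "$($_.ZoneType)" -eq 'availability-zone' } |
        ForEach-Object {
            $suffix = ($_.ZoneId -split '-')[-1]      # e.g. "use1-az2" -> "az2"
            [pscustomobject]@{
                ZoneName  = $_.ZoneName
                ZoneId    = $_.ZoneId
                Supported = ($SupportedSuffix -contains $suffix)
            }
        }
}

$zones = Get-WorkSpacesCapableZone
$zones | Format-Table -AutoSize

# Zone names to use for the private subnets in this account
$zones | Where-Object Supported | Select-Object -ExpandProperty ZoneName
```

Run it once per account and region before building the VPC; the names it prints are the ones to pick under “Customize AZs” in the next section.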

Create VPC

IaC may be provided at a later date. For ease, we will use the management console.

Create a new VPC. Be sure to customize the VPC creation with additional resources by choosing “VPC and more.”

Feel free to customize the tag auto-generation.

Under Number of Availability Zones, click Customize AZs and choose the availability zones identified for your account as described in the Prerequisites section above. In this example, we will use 1c (az2) and 1d (az4). This will be unique to your account.

Add a NAT Gateway in at least 1 AZ.

Remove the S3 Gateway endpoint.

Leave all other settings default and create the VPC.

The VPC Preview pane should look similar to the following, with the appropriate AZs for your account:

⚠ Before leaving the VPC service, navigate to Subnets on the left menu. Note down the subnet IDs of the private subnets just created. They will be needed in the upcoming steps to register the directory with the WorkSpaces service.

Create Directory

From the Directory Services console, click Set up directory.

Choose AWS Managed Microsoft AD and Next.

Select Standard Edition and complete the information based on your preferences.

On the subsequent page, choose the VPC and Subnets built in previous steps. If you do not see the subnets as expected, refer back to the Prerequisites section above for troubleshooting. Click Next.

On the following page, confirm details and Create directory.

When returned to the Directories list, you will see a notice of the expected wait time before you can continue.

Register the Directory with WorkSpaces

Confirm the directory status is Active in the Directory Services Directories list before proceeding.

Navigate to the WorkSpaces service and select Directories from the menu on the left. You should see the same list as from the Directory Services screen with different column headers. Your newly created directory should show the value False under the Registered column.

Select your directory, click on Actions, and choose Register.

From the last step in the VPC creation, you should have the subnet ID for the private subnets. If not, find those and return here. Provide the private subnets and click Register.
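The directory creation and WorkSpaces registration steps above, scripted end to end. This is an added example and not code from the original post. It assumes the AWS Tools for PowerShell DirectoryService and WorkSpaces modules (AWS.Tools.DirectoryService, AWS.Tools.WorkSpaces); the cmdlet parameter names follow the AWS Tools naming conventions as I know them and should be confirmed against the cmdlet help. The domain name, NetBIOS name, VPC ID and subnet IDs are placeholders, not values from the post, and the Admin password is prompted for rather than written into the script.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.DirectoryService and
# AWS.Tools.WorkSpaces. IDs below are placeholders; use the values noted from the
# VPC section.
$VpcId          = 'vpc-PLACEHOLDER'
$PrivateSubnets = @('subnet-PLACEHOLDER-1c', 'subnet-PLACEHOLDER-1d')   # the two private subnets

# Prompt for the directory Admin password instead of embedding it in the script.
$secure = Read-Host -Prompt 'Directory Admin password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Standard Edition AWS Managed Microsoft AD in the private subnets.
# Domain and NetBIOS names are example values.
$directoryId = New-DSMicrosoftAD -Name 'corp.example.com' -ShortName 'CORP' `
    -Edition Standard -Password $plain `
    -VpcSettings_VpcId $VpcId -VpcSettings_SubnetId $PrivateSubnets
Remove-Variable plain

# Creation takes a while; poll until the directory reports Active.
do {
    Start-Sleep -Seconds 60
    $dir = Get-DSDirectory -DirectoryId $directoryId
    Write-Host "$directoryId stage: $($dir.Stage)"
} until ("$($dir.Stage)" -eq 'Active')

# Register the directory with WorkSpaces using the same private subnets.
# WorkDocs is left disabled; the post does not use it.
Register-WKSWorkspaceDirectory -DirectoryId $directoryId -SubnetId $PrivateSubnets -EnableWorkDoc $false
```

The poll loop replaces the console’s wait notice; registration fails if it is attempted while the directory is still in the Creating stage.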

Launch a Workspace

From the WorkSpaces service, select WorkSpaces from the left menu. Click Create WorkSpaces.

Select your directory and click Next.

Click Create additional user and create a user that will be used for additional setup. This should be considered an administrator account separate from the Admin service account created with the directory.

Click Next.

Select the newly created user and click Next.

Select the bundle of your choice. Note Standard with Windows 10 is free tier eligible.

Download the WorkSpaces client.

Wait for the welcome email. It will contain a link to set your password, the registration code needed for the client, and your user name.

Complete the password reset and log into the WorkSpaces client.

Create an EC2 instance to serve as File Share/Admin Server

Create an instance profile. Go to the IAM service and select Roles from the left menu. Create an instance profile by selecting the EC2 service as the trusted entity.

Add the managed policies AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore. Select a name for the role and click Create.
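The same instance profile built from the command line, carrying only the two managed policies named above. This is an added example, not code from the original post; it assumes the AWS Tools for PowerShell IAM module (AWS.Tools.IdentityManagement), and the role name is chosen for this example.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.IdentityManagement.
$RoleName = 'FileServerInstanceRole'   # example name

# Trust policy: only the EC2 service may assume this role.
$trustPolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
'@

$null = New-IAMRole -RoleName $RoleName -AssumeRolePolicyDocument $trustPolicy `
    -Description 'Domain-joined file server: SSM and Directory Service access only'

# Exactly the two managed policies the post calls for; nothing broader.
foreach ($policy in 'AmazonSSMDirectoryServiceAccess', 'AmazonSSMManagedInstanceCore') {
    Register-IAMRolePolicy -RoleName $RoleName -PolicyArn "arn:aws:iam::aws:policy/$policy"
}

# The instance profile is the object EC2 actually attaches.
$null = New-IAMInstanceProfile -InstanceProfileName $RoleName
Add-IAMRoleToInstanceProfile -InstanceProfileName $RoleName -RoleName $RoleName

# Review what ended up attached before launching anything with it.
Get-IAMAttachedRolePolicyList -RoleName $RoleName | Select-Object PolicyName, PolicyArn
```

The final listing is the check worth keeping: the role should show those two policies and no inline policies.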

Launch an EC2 instance.

Choose latest Windows Server Base AMI.

While the t2.micro is still free tier eligible, it is not advised for this use case. Select a medium-sized instance in the family of your choosing.

Create or select existing key pair.

Update VPC settings.

Choose the new VPC and a private Subnet.

Customize the security group name and the RDP rule. Select the Custom source type and choose the security group whose description includes the new directory ID and whose name ends in workspacesMembers. This will allow the new WorkSpace to RDP into the EC2 instance for configuration.

Select storage needs.

Expand Advanced Details. Choose the newly created domain under Domain join directory.

Add the new instance profile created in the IAM service.

Launch the instance.

Take note of the Private IP Address on the EC2 summary after it has completed launching.

Configure EC2

Return to the WorkSpace configured in Launch a WorkSpace previously in this guide.

Launch the Remote Desktop Connection app. Supply the private IP address of the EC2 instance. Authenticate as domain\Admin, where domain is the NetBIOS name you chose earlier. Use the password set during the Directory Service setup.

⚠ If you need to reset the Admin password, this can be done by going to the directory in the Directory Services dashboard and selecting Actions > Reset user password.

Enable User Management

Enable the Remote Server Administration Tools Feature on the EC2 instance.

Once installed, you should be able to go to Start and search for Users and Computers for user management.

Create at least one AD security group to use for permissions to the shared drive in the next step. Add users as members accordingly.

Enable File Shares

Navigate to the EC2 service. Go to Volumes on the left menu and create disks to meet your needs for file sharing segmentation. Here we will create an additional disk and add it to the instance.

Click Create Volume. Choose the appropriate storage for your use case. Be sure to create the volume in the same availability zone as your instance; a volume can only be attached to an instance in its own AZ.

Once the volume is created, select it in the EC2 > Volumes dashboard. Click on Actions and choose Attach volume. Select the instance, choose the device name, and attach it to the selected instance.
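The volume creation and attach steps, scripted so the AZ is read from the instance rather than typed by hand. This is an added example, not code from the original post; it assumes AWS.Tools.EC2, the instance ID is a placeholder, and the size, volume type and device name are choices made for this example. Encryption at rest is enabled here as an addition the post does not mention.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.EC2.
$InstanceId = 'i-PLACEHOLDER'   # the file server instance

# Read the instance's AZ so the volume is guaranteed to land in the same one.
$instance = (Get-EC2Instance -InstanceId $InstanceId).Instances[0]
$az = $instance.Placement.AvailabilityZone

# Encrypted gp3 volume; size and type are example values.
$volume = New-EC2Volume -AvailabilityZone $az -Size 50 -VolumeType gp3 -Encrypted $true

# Wait until the volume is available before attaching.
do {
    Start-Sleep -Seconds 5
    $volume = Get-EC2Volume -VolumeId $volume.VolumeId
} until ("$($volume.State)" -eq 'available')

# xvdf is a typical first data-disk device name for Windows instances.
Add-EC2Volume -VolumeId $volume.VolumeId -InstanceId $InstanceId -Device xvdf

# Confirm placement and encryption before moving to the server-side steps.
Get-EC2Volume -VolumeId $volume.VolumeId | Select-Object VolumeId, AvailabilityZone, Encrypted, State
```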

Log into the server. Navigate to Disk Management. The newly attached disk should show here as Offline. Right click on the disk number and click Online. Reassign drive letters and rename before proceeding.

⚠ Before sharing any drives or folders, be sure to change the name of the server if you wish. This will have an impact on the shares’ paths.

⚠ To allow mapping of network drives while keeping the instance security group at least privilege, you will need to update the security group to allow inbound TCP 445, 137–139 and 49152–65535, as well as UDP 137–139.
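The two security group changes in this guide, the RDP rule added during the EC2 launch and the file sharing ports just listed, both scoped to the WorkSpaces members security group as their source rather than to a CIDR. This is an added example, not code from the original post; it assumes AWS.Tools.EC2, and the directory ID and file server security group ID are placeholders. The members group is located by its name ending in workspacesMembers, as the post describes.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.EC2.
$DirectoryId  = 'd-PLACEHOLDER'    # the AWS Managed Microsoft AD directory
$FileServerSg = 'sg-PLACEHOLDER'   # security group on the file server instance

# Find the members security group the directory registration created.
$membersSg = Get-EC2SecurityGroup -Filter @{ Name = 'group-name'; Values = '*workspacesMembers' } |
    Where-Object { $_.GroupName -like "*$DirectoryId*" }
if (@($membersSg).Count -ne 1) { throw "Expected one workspacesMembers group for $DirectoryId, found $(@($membersSg).Count)" }

# Build an ingress rule whose source is another security group, not a CIDR.
function New-GroupScopedRule {
    param([string]$Protocol, [int]$From, [int]$To, [string]$SourceGroupId)
    $pair = New-Object Amazon.EC2.Model.UserIdGroupPair
    $pair.GroupId = $SourceGroupId
    $rule = New-Object Amazon.EC2.Model.IpPermission
    $rule.IpProtocol = $Protocol
    $rule.FromPort   = $From
    $rule.ToPort     = $To
    $rule.UserIdGroupPairs = [System.Collections.Generic.List[Amazon.EC2.Model.UserIdGroupPair]]::new()
    $rule.UserIdGroupPairs.Add($pair)
    return $rule
}

$src = $membersSg.GroupId
$rules = @(
    (New-GroupScopedRule -Protocol tcp -From 3389  -To 3389  -SourceGroupId $src)   # RDP from the WorkSpace
    (New-GroupScopedRule -Protocol tcp -From 445   -To 445   -SourceGroupId $src)   # SMB
    (New-GroupScopedRule -Protocol tcp -From 137   -To 139   -SourceGroupId $src)   # NetBIOS session/name
    (New-GroupScopedRule -Protocol udp -From 137   -To 139   -SourceGroupId $src)   # NetBIOS name/datagram
    (New-GroupScopedRule -Protocol tcp -From 49152 -To 65535 -SourceGroupId $src)   # RPC dynamic ports
)
Grant-EC2SecurityGroupIngress -GroupId $FileServerSg -IpPermission $rules

# Check: nothing on the file server group should be open to the whole internet.
$open = (Get-EC2SecurityGroup -GroupId $FileServerSg).IpPermissions |
    Where-Object { $_.Ipv4Ranges.CidrIp -contains '0.0.0.0/0' }
if ($open) { $open | Select-Object IpProtocol, FromPort, ToPort | Format-Table; Write-Warning 'Rules open to 0.0.0.0/0 found' }
else       { 'No rules open to 0.0.0.0/0' }
```

Sourcing the rules from the members group means only WorkSpaces registered to this directory can reach RDP or SMB on the server, which is what the least privilege note above is after.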

From here, you should be able to share out the new volume (or specific folders therein) using the preferred approach to building Windows File Shares with the AD Users and Groups management you see fit.
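The server-side steps from Enable User Management and Enable File Shares (RSAT install, AD security group, bringing the disk online, and sharing a folder with group-based NTFS and share permissions), as one added example. This is not code from the original post. It is meant to run in an elevated PowerShell session on the domain-joined EC2 instance as the directory Admin; the group name, drive letter, share name and NetBIOS name are example values, and the OU path assumes the delegated OU layout AWS Managed Microsoft AD creates (an OU named after the NetBIOS name with a Users sub-OU), which should be confirmed in Users and Computers.

```powershell
# Added example, not from the original post. Run elevated on the domain-joined
# instance. Names below are example values.
$GroupName   = 'FS-Projects-RW'
$DriveLetter = 'F'
$ShareName   = 'Projects'
$NetBios     = 'CORP'   # your directory's NetBIOS name

# Rename the server first if you intend to; UNC paths embed the host name:
#   Rename-Computer -NewName 'FS01' -DomainCredential "$NetBios\Admin" -Restart

# 1. RSAT: Users and Computers plus the AD PowerShell module.
Install-WindowsFeature -Name RSAT-ADDS-Tools, RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

# 2. Security group for share permissions. The Admin account is delegated
#    rights in the "<NetBIOS>" OU, not at the domain root (assumed layout).
$domainDn = (Get-ADDomain).DistinguishedName
$ouPath   = "OU=Users,OU=$NetBios,$domainDn"
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $ouPath
}
# Add members as needed: Add-ADGroupMember -Identity $GroupName -Members 'jdoe'

# 3. Bring the attached EBS volume online and format it.
$disk = Get-Disk | Where-Object { $_.OperationalStatus -eq 'Offline' } | Select-Object -First 1
if (-not $disk) { throw 'No offline disk found; was the volume attached?' }
Set-Disk -Number $disk.Number -IsOffline $false
Set-Disk -Number $disk.Number -IsReadOnly $false
$disk = Get-Disk -Number $disk.Number
if ($disk.PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'FileShare' -Confirm:$false | Out-Null
}

# 4. Folder with an explicit NTFS ACL: the AD group gets Modify, admins and
#    SYSTEM keep Full Control, and inherited defaults (e.g. Users read) are dropped.
$path = "${DriveLetter}:\$ShareName"
New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in @("$NetBios\$GroupName", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')) {
    $rights = if ($id -eq "$NetBios\$GroupName") { 'Modify' } else { 'FullControl' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# 5. Share it; share permissions mirror the NTFS ones (NTFS is the effective limit).
New-SmbShare -Name $ShareName -Path $path `
    -ChangeAccess "$NetBios\$GroupName" -FullAccess 'BUILTIN\Administrators' | Out-Null
Get-SmbShareAccess -Name $ShareName
```

Users in the group then map \\<server>\Projects from their WorkSpace; anyone not in the group is denied at both the share and the NTFS layer, so membership in the AD group is the single place access is granted or revoked.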
