---
title: "AD Server Configuration"
slug: "ad-server-configuration"
updated: 2025-06-19T17:47:08Z
published: 2025-06-19T17:47:08Z
---

# AD Server Configuration

This article takes you through the configuration of an Active Directory Domain Controller on a server created by Workspot’s Terraform-based installation script.

> **Note**: You must configure your AD Domain Controller before configuring Workspot Gateways, Enterprise Connector, or Templates. This AD configuration also includes DNS setup, which is essential for enabling resource communication.

After the AD server is built via the Terraform script (or by other means), we sign in, download and run the PowerShell script that partly automates the configuration, and finish up manually.

## Domain Controller Configuration

Access to your Workspot deployment is limited until this configuration is complete. Our access is currently limited to the Utility Server created with the Terraform script, which has the deployment’s only public IP address.

### Prerequisites

- You have access to the AD Server via a jump server (the Utility Server).
- You have already set the necessary key-pairs and generated the Windows password for both the AD Server and the Utility Server. See [Steps to Log Into Windows Server VMs](https://docs.workspot.com/docs/creating-a-new-workspot-deployment-on-amazon-workspaces-core#steps-to-log-in-to-windows-server-vms).
- Also from [Steps to Log Into Windows Server VMs](https://docs.workspot.com/docs/creating-a-new-workspot-deployment-on-amazon-workspaces-core#steps-to-log-in-to-windows-server-vms), you have the Utility Server’s Windows password, its public IP address, and its RDP port (usually the default port, 3389).

### Sign into the Utility Server

1. Sign into the Utility Server with `mstsc` (Remote Desktop Connection), using its external IP address.

### Sign into the AD Server and run AD Script

1. Open `mstsc` (Remote Desktop Connection) and connect to the AD server.
  - The Terraform script assigns a default IP address of `10.0.255.230` to the AD server.
  - If you specified a non-default address in the Terraform script, use that.
2. Once logged on to the server, download the AD script below:

[Install & Configure AD.ps1](<https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/Install & Configure AD.ps1>) (2.31 KB)

3. Open PowerShell ISE (`powershell_ise.exe`) with Administrator privileges.
  - **Note:** The script runs reliably with PowerShell ISE but not with regular PowerShell.
  - **Note:** If the script fails to run in the next step, set the Execution Policy to “Unrestricted”:

![Setting the PowerShell Execution Policy](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-piahkxor.png)

4. Run the `Install & Configure AD.ps1` script. It will:

- Install Active Directory Roles and Features on the server.
- Prompt you for a Domain Name.
- Configure the AD Forest.

![Running the Install & Configure AD script](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-awpmlm8y.png)

5. A window will pop up and prompt you for your domain name.
  - For a Pilot deployment, we recommend a temporary domain name like `wspoc.cloud` instead of your production domain name.
  - Enter your selected Domain Name and click “OK.” The Domain Controller will be configured with this domain name.
6. The configuration then runs to completion and reboots the server automatically.

### Finish AD Configuration Manually

1. After the reboot, sign into the AD Server via `mstsc` (Remote Desktop Connection) as before, but with these AD credentials:
  - Username: `workspotadmin@[domainname]`
  - Password: `Workspot@1601`
  - This is a documented default password; change it after your first sign-in.
2. Launch “Active Directory Users & Computers” (ADUC) from the Start menu.
  - You will use this utility quite a bit, so you may want to create a shortcut.
  - The default AD view in ADUC is shown below:

![](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/image-1750283494687.png)

#### Create Organizational Units (OUs)

1. Add some Organizational Units (OUs) for this project. For simplicity, create these at the root level.
  - Right-click on the domain name (`wspoc.cloud`) and navigate to “New > Organizational Unit.”

![New > Organizational Unit in ADUC](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-xmqoe7yl.jpg)

2. Three OUs are needed for this project:
  - “Cloud PCs” for the virtual desktops.
  - “Workspot Servers” for the virtual servers.
  - “Workspot Users” is currently not used.

![](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-ssh3oxkh.jpg)

#### Create Workspot Service Account

Next, we create the Workspot service account and delegate to it the limited permissions it needs on the Cloud PCs and Workspot Servers OUs.

1. In ADUC, right-click on the Workspot Users OU, select “New > User,” and step through the wizard to create the user.

![New Object - User wizard in ADUC](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-yomgwuqt.jpg) ![Password page of the New Object - User wizard](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-dfonsrup.jpg)

#### Delegate Service Account Permissions

1. Repeat the following process for both the “Cloud PCs” and “Workspot Servers” OUs.
2. Right-click on the “Cloud PCs” OU and select “Delegate Control” to open the Delegation of Control wizard.
3. Click “Next” on the intro screen, then click “Add” to bring up the search box; locate and select the Workspot service account. Click “Next.”
4. On the “Tasks to Delegate” page, select only “Create a custom task to delegate.” Click “Next.”

![Tasks to Delegate page of the Delegation of Control Wizard](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-4peo2hdg.png)

5. On the “Active Directory Object Type” page, make the highlighted selections:
  - “Only the following objects in the folder.”
  - “Computer objects.”
  - “Create selected objects in this folder.”
  - “Delete selected objects in this folder.”
  - Click “Next.”

![Active Directory Object Type page of the Delegation of Control Wizard](https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/ad-server-configuration-image-sjxlqez7.jpg)

6. The Permissions page is shown next. Select the following six permissions:
  - Create All Child Objects.
  - Delete All Child Objects.
  - Reset password.
  - Read and write account restrictions.
  - Validated write to DNS host name.
  - Validated write to service principal name.
  - Click “Next.”

![Delegation of Control Wizard showing the six permissions selected.](<https://cdn.us.document360.io/ad9153e1-c8de-4f56-94f2-b717a1fc3a68/Images/Documentation/Picture1-2(1).png>)

7. Repeat steps 2 through 6 for the “Workspot Servers” OU. AD is now configured.
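The following PowerShell, added here as an illustration and not part of Workspot’s script, reproduces the ADUC steps above (the three OUs, the service account, and the Delegation of Control selections) with the ActiveDirectory module, which makes the delegation repeatable and lets you review the resulting ACEs afterwards. It assumes it is run on the Domain Controller after the reboot; the service account name `workspotsvc` is an assumption, since the page does not name the account.

```powershell
# Added example, not Workspot's script: scripts the ADUC steps from this page.
# Assumptions: run as a domain admin on the DC after the reboot; the account
# name 'workspotsvc' is hypothetical (the page does not name the account).
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$svcName  = 'workspotsvc'

# Root-level OUs, as in "Create Organizational Units"
foreach ($ou in 'Cloud PCs', 'Workspot Servers', 'Workspot Users') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}

# Service account in "Workspot Users"; the password is prompted, not stored in the script
$svc = New-ADUser -Name $svcName -SamAccountName $svcName -Path "OU=Workspot Users,$domainDn" `
    -AccountPassword (Read-Host "Password for $svcName" -AsSecureString) -Enabled $true -PassThru
$sid = [System.Security.Principal.SecurityIdentifier]$svc.SID

# Resolve the GUIDs behind the wizard's labels by name instead of hard-coding them
$rootDse  = Get-ADRootDSE
$computer = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
function Get-RightGuid([string]$Name) {
    [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$Name)" -Properties rightsGuid).rightsGuid
}

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace   = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$rules = @(
    # "Create/Delete selected objects in this folder", limited to computer objects
    New-Object $ace -ArgumentList $sid, 'CreateChild, DeleteChild', $allow, $computer, $all
    # The six permissions, applied only to computer objects under the OU
    New-Object $ace -ArgumentList $sid, 'CreateChild, DeleteChild', $allow, $desc, $computer
    New-Object $ace -ArgumentList $sid, 'ExtendedRight', $allow, (Get-RightGuid 'Reset Password'), $desc, $computer
    New-Object $ace -ArgumentList $sid, 'ReadProperty, WriteProperty', $allow, (Get-RightGuid 'Account Restrictions'), $desc, $computer
    New-Object $ace -ArgumentList $sid, 'Self', $allow, (Get-RightGuid 'Validated write to DNS host name'), $desc, $computer
    New-Object $ace -ArgumentList $sid, 'Self', $allow, (Get-RightGuid 'Validated write to service principal name'), $desc, $computer
)

# Same delegation on both OUs, as the page instructs
foreach ($ou in 'Cloud PCs', 'Workspot Servers') {
    $acl = Get-Acl -Path "AD:\OU=$ou,$domainDn"
    $rules | ForEach-Object { $acl.AddAccessRule($_) }
    Set-Acl -Path "AD:\OU=$ou,$domainDn" -AclObject $acl
}
```

To review what was granted, run `(Get-Acl "AD:\OU=Cloud PCs,$domainDn").Access | Where-Object IdentityReference -like "*$svcName"`; anything beyond these computer-scoped rights is a sign the delegation was applied too broadly.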

### Adding Domain User Accounts

This step is required if you will use domain-joined templates.

End-user accounts are created in the usual way. See Microsoft’s [Create a User Account.](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage-user-accounts-in-windows-server#create-a-user-account)
