AD Server Configuration


This article takes you through the configuration of an Active Directory Domain Controller on a server created by Workspot’s Terraform-based installation script.

Note: You must configure your AD Domain Controller before configuring Workspot Gateways, the Enterprise Connector, or Templates. This AD configuration also includes DNS setup, which is essential for enabling resource communication.

After the AD server is built via the Terraform script (or by other means), we sign in, download and run the PowerShell script that partly automates the configuration, and finish up manually.

Domain Controller Configuration 

Access to your Workspot deployment is limited until this configuration is complete. At this point the only reachable host is the Utility Server created with the Terraform script, which has the deployment’s only public IP address.

Prerequisites

  • You have access to the AD Server via a jump server (the Utility Server).

  • You have already set the necessary key-pairs and generated the Windows password for both the AD Server and the Utility Server. See Steps to Log Into Windows Server VMs.

  • Also from Steps to Log Into Windows Server VMs, you have the Utility Server’s Windows password, its public IP address, and its RDP port (usually the default port, 3389, is used).

Sign into the Utility Server

  1. Sign into the Utility Server with mstsc (Remote Desktop Connection), using its external IP address.

Sign into the AD Server and run AD Script

  1. Open mstsc (Remote Desktop Connection) and connect to the AD server.

    • The Terraform script assigns a default IP address of 10.0.255.230 to the AD server.

    • If you specified a non-default address in the Terraform script, use that.

  2. Once logged on to the server, download the AD script below:

Install & Configure AD.ps1 (2.31 KB)

  3. Open PowerShell ISE (powershell_ise.exe) with Administrator privileges.

    • Note: The script runs reliably in PowerShell ISE but not in the regular PowerShell console.

    • Note: If running the script fails in the next step, the Execution Policy is the usual cause. The script will run with the policy set to “Unrestricted”; prefer to relax it only for the current ISE process (Scope Process) rather than machine-wide, so the permissive setting does not remain on the Domain Controller afterwards.

  4. Run the Install & Configure AD.ps1 script. It will:

    • Install the Active Directory roles and features on the server.

    • Prompt you for a Domain Name.

    • Configure the AD Forest.

  5. A window will pop up and prompt you for your domain name.

    • For a Pilot deployment, we recommend a temporary domain name like wspoc.cloud instead of your production domain name.

    • Enter your selected Domain Name and click “OK.” The Domain Controller will be configured with this domain name.

  6. The configuration will run to completion after this and will reboot the server automatically.
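The sequence the script automates (role install, forest creation, DNS, reboot), written out below as an added PowerShell example. This is not Workspot’s “Install & Configure AD.ps1”; it assumes the pilot domain wspoc.cloud and a NetBIOS name of WSPOC, and it prompts for the DSRM password instead of storing it. It is useful for understanding what the script does to the server, and for checking the result after the reboot.

```powershell
# Added example (not Workspot's "Install & Configure AD.ps1"): the forest promotion
# that the script automates, as plain PowerShell run in an elevated session on the
# AD server. Assumptions: pilot domain wspoc.cloud and NetBIOS name WSPOC; the DSRM
# password is prompted for rather than hard-coded.

# Relax the execution policy for this process only; the machine-wide setting stays put.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

$DomainName  = 'wspoc.cloud'   # pilot name from this article; replace for production
$NetBiosName = 'WSPOC'         # assumed; derived from the DNS name

# Role install: AD DS plus the management tools (ADUC and the ADDSDeployment module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Directory Services Restore Mode password: prompt for it, never store it in a script.
$DsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

# Promote this server to the first Domain Controller of a new forest. -InstallDns
# gives the DC the DNS role that the Workspot resources depend on. -NoRebootOnCompletion
# is deliberately left off so the server reboots automatically when promotion finishes.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetBiosName `
    -InstallDns `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force

# Post-reboot checks, in a fresh elevated session on the DC:
#   Get-ADDomainController | Select-Object HostName, Domain, OperatingSystem
#   Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV   # DC locator record
```

The two commented checks at the end are the ones worth running before moving on: the first confirms the server is a DC of the domain you entered, and the second confirms the DNS role answers for the DC locator record, which is what domain joins and the later Workspot components rely on.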

Finish AD Configuration Manually

  1. After reboot, sign into the AD Server via mstsc (Remote Desktop Connection) as before, but with these AD credentials:

    • Username: workspotadmin@[domainname]

    • Password: Workspot@1601

    • Note: This default password is published in this article. Change it at first sign-in.

  2. Launch “Active Directory Users & Computers” (ADUC) from the Start menu.

    • You will use this utility quite a bit, so you may want to create a shortcut.

    • The default AD view in ADUC is shown below:

Create Organizational Units (OUs)  

  1. Add the Organizational Units (OUs) for this project. For simplicity, create these at the root level.

    • Right-click on the domain name (wspoc.cloud), and navigate to “New > Organizational Unit.”

    • Three OUs are needed for this project:

      • “Cloud PCs” for the virtual desktops.

      • “Workspot Servers” for the virtual servers.

      • “Workspot Users,” which is not otherwise used at present; the Workspot service account created in the next section is placed here.

Create Workspot Service Account  

Next, we create the Workspot service account and delegate to it only the permissions it needs on the Cloud PCs and Workspot Servers OUs.

  1. In ADUC, right-click on the Workspot Users OU, select “New > User,” and step through the wizard to create the user.  


Delegate Service Account Permissions

The same delegation is done on both the “Cloud PCs” and “Workspot Servers” OUs; the steps below show “Cloud PCs.”

  1. Right-click on the “Cloud PCs” OU and select “Delegate Control” to open the Delegation of Control wizard.

  2. Click “Next” on the Intro screen and then click “Add” to bring up the search box to locate and select the Workspot Service account. Click “Next.”

  3. On the “Tasks to Delegate” page, select only “Create a custom task to delegate.” Click “Next.”

  4. On the “Active Directory Object Type” page, make the following selections:

    • “Only the following objects in the folder.”

    • “Computer objects.”

    • “Create selected objects in this folder.”

    • “Delete selected objects in this folder.”

    • Click “Next.”

  5. The Permissions page is shown next. Select the following six permissions and nothing else. Do not add the service account to Domain Admins or any other privileged group; these six rights are all it needs to add and remove computer objects in the OU:

    • Create All Child Objects.

    • Delete All Child Objects.

    • Reset password.

    • Read and write account restrictions.

    • Validated write to DNS host name.

    • Validated write to service principal name.

    • Click “Next.”

  6. Click “Finish,” then repeat steps 1 through 5 on the “Workspot Servers” OU.

  7. AD is now configured.
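The OU creation, service account creation and delegation from the sections above, done with PowerShell instead of ADUC, as an added example that is not Workspot’s own code. It assumes the account is named svc-workspot (the article never names it) and scopes the rights to computer objects, which is what the wizard’s “Computer objects” selection intends; the GUIDs are the fixed schema and extended-rights identifiers that the Delegation of Control wizard writes behind the scenes. The final function lists the ACEs the account actually holds, which is the check to run after delegating in either tool.

```powershell
# Added example (not Workspot's own code): the OUs, service account and delegation
# from the sections above, done with PowerShell so the result is reviewable and
# repeatable. Assumptions: account name svc-workspot (the article never names it);
# rights scoped to computer objects, matching the wizard's "Computer objects" choice.
# Run in an elevated session on the Domain Controller.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName          # e.g. DC=wspoc,DC=cloud
$SvcName  = 'svc-workspot'                     # assumed account name

# --- 1. Root-level OUs ----------------------------------------------------------
foreach ($ou in 'Cloud PCs', 'Workspot Servers', 'Workspot Users') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $ou -Path $DomainDN }
}

# --- 2. Service account in "Workspot Users" ------------------------------------
$Pwd = Read-Host -Prompt "Password for $SvcName" -AsSecureString   # prompted, never stored
New-ADUser -Name $SvcName -SamAccountName $SvcName `
    -UserPrincipalName "$SvcName@$($Domain.DNSRoot)" `
    -Path "OU=Workspot Users,$DomainDN" `
    -AccountPassword $Pwd -Enabled $true `
    -AccountNotDelegated $true        # its credential must not be delegatable via Kerberos
$SvcSid = (Get-ADUser -Identity $SvcName).SID

# --- 3. Delegation: the ACEs the Delegation of Control wizard writes ------------
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # objectClass "computer"
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right "Reset Password"
$AcctRestrict  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set "Account Restrictions"
$ValidDnsHost  = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write to DNS host name
$ValidSpn      = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write to SPN

function New-AllowAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

function Grant-ComputerObjectRights {
    param([string]$OuDN, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$OuDN"
    # "Create/Delete selected objects in this folder": computer objects, this OU only
    # (use 'All' instead of 'None' if you want sub-OUs covered as well).
    $acl.AddAccessRule((New-AllowAce $Sid 'CreateChild, DeleteChild' $ComputerClass 'None'))
    # Rights on the computer objects beneath the OU (the wizard's "Computer objects" scope).
    $acl.AddAccessRule((New-AllowAce $Sid 'ExtendedRight'              $ResetPassword 'Descendents' $ComputerClass))
    $acl.AddAccessRule((New-AllowAce $Sid 'ReadProperty, WriteProperty' $AcctRestrict  'Descendents' $ComputerClass))
    $acl.AddAccessRule((New-AllowAce $Sid 'Self'                       $ValidDnsHost  'Descendents' $ComputerClass))
    $acl.AddAccessRule((New-AllowAce $Sid 'Self'                       $ValidSpn      'Descendents' $ComputerClass))
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

foreach ($ou in 'Cloud PCs', 'Workspot Servers') {
    Grant-ComputerObjectRights -OuDN "OU=$ou,$DomainDN" -Sid $SvcSid
}

# --- 4. Check: exactly these ACEs, and no privileged group membership -----------
function Get-DelegatedAces {
    param([string]$OuDN, [string]$SamAccountName)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference -like "*\$SamAccountName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedAces -OuDN "OU=Cloud PCs,$DomainDN" -SamAccountName $SvcName | Format-Table -AutoSize
Get-ADPrincipalGroupMembership -Identity $SvcName | Select-Object Name   # expect only "Domain Users"
```

Validated writes are granted as the Self right rather than WriteProperty on purpose: they let the account set a computer’s dNSHostName and servicePrincipalName only to values that match the computer’s own name, so a compromised service account cannot register arbitrary SPNs under machines it manages. The group-membership line at the end is the quick test that nobody “fixed” a join failure by dropping the account into Domain Admins.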

Adding Domain User Accounts

This step is required if you will use domain-joined templates.

End-user accounts are created in the usual way. See Microsoft’s Create a User Account.