Intro
The scenario described in this document assumes that the Flexxible|SUITE infrastructure servers are integrated into the customer's existing domain, so the infrastructure servers will be joined to that domain.
To simplify the implementation and satisfy the Active Directory requirements, all components are hosted in an organizational unit (OU) provided by the customer. That OU must be used exclusively for the solution.
The deployment needs several OUs, user accounts, groups, MSA accounts and computer accounts.
Integrate with an Existing Active Directory
When you choose to integrate your AD domain into the deployment, a series of changes are made on your domain controller so that the domain takes part in the automatic orchestration process.
During the domain integration process a trust relationship is created between the customer domain and the resource domain, so that both domains are visible from Flexxible|SUITE:
- Desktops, application servers and templates live in the customer domain.
- Citrix servers, the hypervisor and the rest of the infrastructure live in the resource domain.
Some requirements must also be met:
- Conditional forwarders are created in both domains so that names in each domain can be resolved from the other.
- GPOs are imported and linked according to the configuration entered in QCS. These policies can be found at http://flxpol.azurewebsites.net
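The conditional-forwarder requirement above, as an added PowerShell example (not Flexxible's own scripts). It creates the forwarder idempotently on a DNS server of one domain, then checks that the peer domain's DC locator record resolves and, once the trust exists, that the trust has the expected direction and SID filtering. The domain names and DNS server addresses are assumptions; run the mirror-image call on a DNS server of the other domain.

```powershell
# Added example, not part of the Flexxible|SUITE documentation.
# Requires the DnsServer and ActiveDirectory RSAT modules on a DC / DNS server.
Import-Module DnsServer
Import-Module ActiveDirectory

# Assumed values (hypothetical): the customer (user) domain and the resource domain.
$CustomerDomain = 'customer.local'
$ResourceDomain = 'resource.local'
$CustomerDnsIPs = @('10.10.0.10')   # DNS servers of the customer domain (hypothetical)
$ResourceDnsIPs = @('10.20.0.10')   # DNS servers of the resource domain (hypothetical)

function Add-ForwarderIfMissing {
    param([string]$ZoneName, [string[]]$MasterServers)
    # Idempotent: only create the forwarder when no zone of that name exists yet.
    if (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue) {
        Write-Host "Forwarder for $ZoneName already exists"
        return
    }
    # AD-integrated, forest-wide replication: every DNS server in the forest
    # learns the forwarder, not only the one this was run on.
    Add-DnsServerConditionalForwarderZone -Name $ZoneName `
        -MasterServers $MasterServers -ReplicationScope 'Forest'
}

# On a DNS server of the customer domain: forward the resource domain.
Add-ForwarderIfMissing -ZoneName $ResourceDomain -MasterServers $ResourceDnsIPs
# On a DNS server of the resource domain, run the mirror image instead:
# Add-ForwarderIfMissing -ZoneName $CustomerDomain -MasterServers $CustomerDnsIPs

# Check 1: the peer domain's LDAP SRV record must resolve before the trust is created.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ResourceDomain" -Type SRV

# Check 2: once the trust exists, confirm its direction and that SID filtering
# (quarantine) is on, so SIDs injected from the other domain are not honoured.
Get-ADTrust -Filter "Name -eq '$ResourceDomain'" |
    Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined
```

If the SRV lookup fails, fix the forwarder before attempting the trust; trust creation needs the other domain's DCs to be locatable from both sides.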
Users & Groups
The following tables list the users and groups that must be created. Flexxible|SUITE users and groups can be created in any OU, although we recommend creating them under OU=FlexxibleIT,DC=YourDomain.
Groups
Group Name | Comment | Domain | Scope
---|---|---|---
FlexxibleVDIServices | Contains the MSA/gMSA accounts that run the Flexxible\|SUITE services. | Infrastructure | Global
DDControllers | Contains the computer accounts of the Citrix Delivery Controllers. | Infrastructure | Domain Local
(not specified) | Contains users who start a desktop session via token-based authentication. Deprecated from 4.8. | All customer domains | Domain Local
Users with USB redirection policy | Contains users who can use USB devices connected to the physical machine in their virtual desktop. | All customer domains | Domain Local
Users with COM redirection policy | Contains users who can use COM devices connected to the physical machine in their virtual desktop. | All customer domains | Domain Local
Users with LPT1 redirection policy | Contains users who can use the LPT1 port of the physical machine in their virtual desktop. | All customer domains | Domain Local
Users with Local Units redirection policy | Contains users who can access the local drives of their physical machine in their virtual desktop. | All customer domains | Domain Local
Users with Audio redirection policy | Contains users whose audio is redirected from the VM to the physical machine. | All customer domains | Domain Local
Users with Printer redirection policy | Contains users who can use the printers configured on the physical machine in their virtual desktop. | All customer domains | Domain Local
Users with TWAIN redirection policy | Contains users who can use the TWAIN scanners connected to the physical machine in their virtual desktop. | All customer domains | Domain Local
Users with Network drives redirection policy | Contains users who can use the network drives of the physical machine in the VM. | All customer domains | Domain Local
Users
User Name | Comments | Domain
---|---|---
VDIHandler | The account Flexxible\|SUITE uses to operate on the infrastructure domain. | Infrastructure domain
VDIHandler | The account Flexxible\|SUITE uses to operate on the customer domain. | Customer domains
MSAWeb | Member of the FlexxibleVDIServices group. Identity of the Flexxible\|SUITE web console application pool. | Infrastructure
MSAWork | Member of the FlexxibleVDIServices group. Logon account for the Flexxible\|SUITE worker services. | Infrastructure
Organizational Units (OU)
The tenant structure requires the following OUs. In multitenant environments Flexxible|SUITE creates the same structure for secure desktops, secure desktop users and secure servers, using the tenant code as the base OU.
Within the infrastructure domain, the OU tree looks like this:
OU | Name and Proposed Route | Comment
---|---|---
FlexxibleIT | FlexxibleIT | Includes the OUs used by Flexxible\|SUITE
Infrastructure OU | VDI OS Infrastructure | Includes the VDI OS infrastructure machines
Users OU | VDI OS Users and groups | Includes the VDI OS user accounts and groups
Roles & Permissions
The roles and permissions to be granted are described in the following table:
OU | Group | Roles | Comment
---|---|---|---
OU infrastructure | VDI OS Services Group | Read; Create computer objects; Delete computer objects | In the infrastructure domain, with delegated permissions
VDI OS OU template | VDI OS Services Group | Read; Create computer/user objects; Delete computer/user objects | In the MT and client domains
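The delegation in the table above, as an added PowerShell example (not Flexxible's own code). It grants the services group Read on an OU plus Create/Delete child rights scoped to one object class at a time, which is the least-privilege form of this delegation: no GenericAll, and the group cannot create or delete anything other than computers (or users, for the template OU in the customer domains). The OU distinguished names and the group name are assumptions; the class GUIDs are read from the schema rather than hard-coded.

```powershell
# Added example, not part of the Flexxible|SUITE documentation.
Import-Module ActiveDirectory

function Get-SchemaClassGuid {
    param([string]$ClassName)
    # Resolve the schemaIDGUID of a class (e.g. 'computer', 'user') from the forest schema.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$ClassName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Grant-OuDelegation {
    param(
        [string]$OuDN,            # OU that receives the delegation
        [string]$GroupName,       # group being delegated to
        [string[]]$ObjectClasses  # 'computer' or 'computer','user'
    )
    $sid   = (Get-ADGroup -Identity $GroupName).SID
    $acl   = Get-Acl -Path "AD:\$OuDN"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # OU and descendants

    # Read on the OU and everything below it.
    $read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $read, $allow, $all))

    # CreateChild + DeleteChild restricted to the given object class(es) only.
    $cd = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    foreach ($class in $ObjectClasses) {
        $classGuid = Get-SchemaClassGuid -ClassName $class
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $cd, $allow, $classGuid, $all))
    }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Show-OuDelegation {
    param([string]$OuDN, [string]$GroupName)
    # Verification: list the ACEs naming the group so you can see nothing broader slipped in.
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

# Infrastructure domain (hypothetical DN): computer objects only.
$infraOU = 'OU=VDI OS Infrastructure,OU=FlexxibleIT,DC=corp,DC=example'
Grant-OuDelegation -OuDN $infraOU -GroupName 'FlexxibleVDIServices' -ObjectClasses 'computer'
Show-OuDelegation  -OuDN $infraOU -GroupName 'FlexxibleVDIServices'

# Customer / MT domain template OU (hypothetical DN): computer and user objects.
# $templateOU = 'OU=Templates,OU=A01,DC=customer,DC=example'
# Grant-OuDelegation -OuDN $templateOU -GroupName 'FlexxibleVDIServices' -ObjectClasses 'computer','user'
```

In the output of `Show-OuDelegation`, the Create/Delete ACEs should show a non-empty ObjectType (the class GUID) and InheritanceType `All`; an ACE with ObjectType `00000000-0000-0000-0000-000000000000` and CreateChild/DeleteChild would allow creating any object class and is wider than the table requires.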
Computer Group Policies
Several computer GPOs must be requested so that the VDI OS performs correctly in relation to some specific OUs (assuming these OUs have been created under the VDI OS OU).
FlexxibleIT OU
An OU must be requested to hold all the domain objects used by Flexxible|SUITE:
- Child OUs.
- Users (optional; the users should already exist in the client OUs).
- The group used by the VDI OS.
- Computer accounts.
- Service accounts.
The OU does not have to hang directly from the domain root, but it is recommended to enable the "Block inheritance" option on it so that GPOs linked above it are not applied accidentally, except for those intentionally marked as "Enforced".
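An added PowerShell example (not Flexxible's own code) that creates the OU tree from the OU table, blocks GPO inheritance on the base OU as recommended here, and creates the groups from the Users & Groups table with the scopes that table specifies. The domain DN is read from the domain the script runs in; the deprecated token-based authentication group is skipped because the page does not give it a name.

```powershell
# Added example, not part of the Flexxible|SUITE documentation.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        # ProtectedFromAccidentalDeletion defaults to $true; keep it.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN | Out-Null
    }
    return $dn
}

# OU tree from the table: FlexxibleIT / VDI OS Infrastructure / VDI OS Users and groups
$base    = New-OuIfMissing -Name 'FlexxibleIT'             -ParentDN $DomainDN
$infraOU = New-OuIfMissing -Name 'VDI OS Infrastructure'   -ParentDN $base
$usersOU = New-OuIfMissing -Name 'VDI OS Users and groups' -ParentDN $base

# Block inheritance on the base OU: GPOs linked above it no longer apply unless
# their link is marked Enforced, which is exactly the documented intent.
Set-GPInheritance -Target $base -IsBlocked Yes | Out-Null

# Groups from the table. Scope matters: Domain Local groups can contain principals
# from trusted (customer) domains, Global groups cannot, so the per-user redirection
# groups are Domain Local and the services group (infrastructure-only members) is Global.
$groups = @(
    @{ Name = 'FlexxibleVDIServices';                         Scope = 'Global';      Desc = 'MSA/gMSA accounts running Flexxible|SUITE services' },
    @{ Name = 'DDControllers';                                Scope = 'DomainLocal'; Desc = 'Citrix Delivery Controller computer accounts' },
    @{ Name = 'Users with USB redirection policy';            Scope = 'DomainLocal'; Desc = 'USB redirection' },
    @{ Name = 'Users with COM redirection policy';            Scope = 'DomainLocal'; Desc = 'COM redirection' },
    @{ Name = 'Users with LPT1 redirection policy';           Scope = 'DomainLocal'; Desc = 'LPT1 redirection' },
    @{ Name = 'Users with Local Units redirection policy';    Scope = 'DomainLocal'; Desc = 'Local drives redirection' },
    @{ Name = 'Users with Audio redirection policy';          Scope = 'DomainLocal'; Desc = 'Audio redirection' },
    @{ Name = 'Users with Printer redirection policy';        Scope = 'DomainLocal'; Desc = 'Printer redirection' },
    @{ Name = 'Users with TWAIN redirection policy';          Scope = 'DomainLocal'; Desc = 'TWAIN redirection' },
    @{ Name = 'Users with Network drives redirection policy'; Scope = 'DomainLocal'; Desc = 'Network drives redirection' }
)
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security `
            -Path $usersOU -Description $g.Desc
    }
}

# Checks: inheritance really blocked, and every group landed with the expected scope.
Get-GPInheritance -Target $base | Select-Object Path, GpoInheritanceBlocked
Get-ADGroup -SearchBase $usersOU -Filter * | Select-Object Name, GroupScope
```

Run it as a domain administrator of the domain that owns the OU; in the integration scenario with two domains the redirection groups are created in each customer domain and the two infrastructure groups in the infrastructure domain.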
Service Accounts
Request the Managed Service Accounts to be used as the identity of the VDI OS services on each infrastructure machine. The proposed account names, the machines where they are installed and the roles they play are listed in the following table:
Account Name | Server Name | Role
---|---|---
MSADB01$ | DB01 | SQL Server
MSAWeb$ | Web01 | Web server
MSAWorker$ | Worker01 | Execution of VDI OS services
MSA$$01$ | $$01 | Hypervisor controller - TBD
MSA$$02$ | $$02 | Hypervisor controller - TBD
The MSA account names should carry the "MSA" prefix followed by the name of the corresponding infrastructure server. For example, for the DB01 server the account name would be MSADB01$.
User for vSphere Operations
Note: this applies to VMware only.
Detailed for each hypervisor (if applicable).
VDI OS Services Group
This group holds the Managed Service Accounts of the VDI OS services, in the OU created for the VDI OS. It must therefore:
- Include the MSA accounts created for the infrastructure machines.
- Be a local administrator on each of the six Flexxible machines, since the services run commands on them that require that privilege (getting the uptime, analysing and starting services, restarting or shutting down the machine, etc.).
- Be a local administrator on templates that use Personal vDisk; otherwise VDI OS cannot run the inventory during the Ready for Deploy process.
The application parameter "AD Accounts/VDIOSServicesGroup" must be set to this group in the form "DOMAIN\GroupName".
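An added PowerShell example (not Flexxible's own code) covering both the Service Accounts table and the group requirements above: it creates group-managed service accounts following the MSA&lt;ServerName&gt;$ convention, lets only each server's own computer account retrieve its gMSA password, adds the accounts to FlexxibleVDIServices, then installs each gMSA on its server and makes the group a local administrator there. The OU path is an assumption; the hypervisor rows ($$01/$$02) are left out because their names are placeholders on the page.

```powershell
# Added example, not part of the Flexxible|SUITE documentation.
Import-Module ActiveDirectory

$Domain    = Get-ADDomain
$GroupName = 'FlexxibleVDIServices'
$MsaOU     = "OU=VDI OS Users and groups,OU=FlexxibleIT,$($Domain.DistinguishedName)"  # assumed

# gMSAs need a KDS root key in the forest. -EffectiveImmediately is for labs;
# in production create the key and wait for it to replicate (10 hours by default).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

# Server -> account mapping from the table (MSA prefix + server name).
$services = @(
    @{ Server = 'DB01';     Account = 'MSADB01';   Role = 'SQL Server' },
    @{ Server = 'Web01';    Account = 'MSAWeb';    Role = 'Web server' },
    @{ Server = 'Worker01'; Account = 'MSAWorker'; Role = 'Execution of VDI OS services' }
)

foreach ($s in $services) {
    $fqdn = "$($s.Server).$($Domain.DNSRoot)"
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$($s.Account)'")) {
        # Only this server's computer account may retrieve the password. A gMSA whose
        # password any domain host can fetch is usable from any host that is compromised.
        New-ADServiceAccount -Name $s.Account -DNSHostName $fqdn -Path $MsaOU `
            -PrincipalsAllowedToRetrieveManagedPassword "$($s.Server)$" `
            -Description $s.Role
    }
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADServiceAccount -Identity $s.Account)
}

# On each server: install the gMSA, prove the host can retrieve its password, and
# add the group to the local Administrators group (the services need that privilege).
# Requires the RSAT-AD-PowerShell feature on the target servers.
$groupPrincipal = "$($Domain.NetBIOSName)\$GroupName"
foreach ($s in $services) {
    Invoke-Command -ComputerName $s.Server -ArgumentList $s.Account, $groupPrincipal -ScriptBlock {
        param($Account, $GroupPrincipal)
        Import-Module ActiveDirectory
        Install-ADServiceAccount -Identity $Account
        if (-not (Test-ADServiceAccount -Identity $Account)) {
            throw "$env:COMPUTERNAME cannot retrieve the password for $Account"
        }
        # Add-LocalGroupMember fails if the member is already present, so check first.
        if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $GroupPrincipal -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group 'Administrators' -Member $GroupPrincipal
        }
    }
}

# Final check: the group contains exactly the service accounts.
Get-ADGroupMember -Identity $GroupName | Select-Object Name, objectClass
```

The value to enter in "AD Accounts/VDIOSServicesGroup" is the same `$groupPrincipal` string the script builds (for example `CORP\FlexxibleVDIServices`).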
DDControllers Group
Detailed for each Hypervisor (if applicable).
Redirection Groups
The user groups to be created are:
- Double factor (token-based) authentication, deprecated from 4.8
- USB redirection
- COM redirection
- LPT1 redirection
- Local Units redirection
- Audio redirection
- Printer redirection
- TWAIN redirection
- Network drives redirection
These groups must be entered in the VDI OS parameters, in the "User policies" group, and also in the VDI OS domain properties.
Integrate with Active Directory forest
In this case no trust relationship with the resource domain is needed during the domain integration process, and all the objects involved (groups, GPOs, OUs, etc.) are created in the client domain, so the client can customize the groups and the OUs. Apart from that, follow the same process described above for integration with an existing Active Directory.
Permissions
When a tenant is created and initialized, the following OU structure is generated.
For Flexxible|SUITE to work properly, the following accounts must have these permissions on the FlexxibleIT base OU (and descendants):
- FlexxibleVDIServices (group)
  - Full control
- SD - DDControllers (group)
  - Read, write and create child objects
- flxsqlclustr01$
  - Full control
- flxvmmlu01$
  - Full control
The following accounts must have read permissions on the tenant base OU (and descendants):
- A01 – Desktops
- A01 – Templates
- A01 – Application server
- A01 – Application server templates
- A01 – Users
- A01 – Servers
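A check for the base-OU permissions listed above, as an added PowerShell example (not Flexxible's own code). It reads the ACL of the FlexxibleIT base OU and reports, for each required principal, whether the unscoped Allow ACEs that apply to descendants add up to the required rights. The OU DN is an assumption, the group DDControllers is matched by name without the "SD - " prefix, and the two machine accounts are the ones the text names; replace them with your own.

```powershell
# Added example, not part of the Flexxible|SUITE documentation.
Import-Module ActiveDirectory

$BaseOU = "OU=FlexxibleIT,$((Get-ADDomain).DistinguishedName)"   # assumed location

# Required rights from the list above, expressed as ActiveDirectoryRights flags.
$Required = @(
    @{ Principal = 'FlexxibleVDIServices'; Rights = 'GenericAll' },
    @{ Principal = 'DDControllers';        Rights = 'GenericRead, GenericWrite, CreateChild' },
    @{ Principal = 'flxsqlclustr01$';      Rights = 'GenericAll' },
    @{ Principal = 'flxvmmlu01$';          Rights = 'GenericAll' }
)

function Test-OuRights {
    param([string]$OuDN, [string]$Principal, [string]$Rights)
    $wanted = [int][System.DirectoryServices.ActiveDirectoryRights]$Rights
    $aces = (Get-Acl -Path "AD:\$OuDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$Principal" -and
        $_.ObjectType -eq [guid]::Empty -and                 # unscoped ACEs only
        $_.InheritanceType -in 'All', 'Descendents'          # must reach descendants
    }
    # OR together every matching ACE, then require all wanted bits to be present.
    $have = 0
    foreach ($a in $aces) { $have = $have -bor [int]$a.ActiveDirectoryRights }
    return (($have -band $wanted) -eq $wanted)
}

function Get-OuRightsReport {
    param([string]$OuDN, [hashtable[]]$Requirements)
    foreach ($r in $Requirements) {
        [pscustomobject]@{
            Principal = $r.Principal
            Required  = $r.Rights
            Status    = if (Test-OuRights -OuDN $OuDN -Principal $r.Principal -Rights $r.Rights) { 'OK' } else { 'MISSING' }
        }
    }
}

Get-OuRightsReport -OuDN $BaseOU -Requirements $Required | Format-Table -AutoSize
```

A `MISSING` row does not always mean the rule is absent: rights granted through a Deny-free but object-scoped ACE, or inherited to the OU from a parent with inheritance blocked further down, are deliberately not counted, so inspect `(Get-Acl "AD:\$BaseOU").Access` for that principal before re-granting.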