How to setup a new domain for a specific tenant in Platinum deployments

How to import domains in a Multitenant Implementation

Prerequisites

  • The client domain server version should be Windows Server 2008 R2 or higher
  • Access to the client DNS servers to set up DNS secondary zones or conditional forwarders
  • Base Organizational Unit: a new organizational unit in the client domain over which the group containing the MSA accounts used by the orchestration has full control. This OU should also contain an admin user with delegated access to the active OU. New OUs, users, groups and machine accounts will be created inside it.
  • A user account with Read Only access to configure the synchronization in the domain.
  • Permissions to create group policies (gpo) in the Home OU, or 20 empty gpo should be available in the Home OU where these defined policies will be imported.
  • Optional, a user account with enough permissions to add machine accounts to the domain.
  • Verify and add the same NTP server for all the domains involved
  • A share folder, DFS or a storage for the binary files, customization, scripts and branding
  • A group in the infrastructure domain that allows client domain users to log in to the infrastructure domain (it is normally called "users with authentication rights"); the Delivery Controller machines, domain controllers, web and file servers (including DFS) should have "allow to authenticate" enabled for this group (on the machine's Active Directory account).
  • Cross domain dns resolution. Choose one of the following:
    • DNS Conditional Forwarders: for domains where we don't see any activity going on, or that are very large or restrictive.
    • DNS secondary zone: for an integrated and orchestrated domain
  • GPOs have to be imported into the client domain and enabled accordingly.
  • The VDAs should include the name of the infrastructure domain secondary DNS as a suffix in their naming convention. Support for registration across multiple AD forests (supportmultipleforests) should be enabled in case it is disabled.
  • The DCs should include the names of the secondary DNS as a suffix to their names, in each of the associated domains.

Trust relationship

The Trust relationship between the infrastructure domain and the client domain should be created. The type of trust relationship should be: Forest Trust, two-ways, and selective authentication.

DNS Configuration

The DNS domain resolution between the infrastructure domain and the client domain can be configured in two ways:

  1. Secondary zones
  2. Conditional forwarders

Both are supported; decide which one to configure depending on the complexity and size of the client domain and on the permission level you have been assigned.
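The following PowerShell, added here as an illustration and not taken from the original documentation or from the Flexxible product, configures either option on a DNS server of the infrastructure domain and then checks that the client domain's domain controller SRV records resolve. The domain name, the client DNS server addresses and the zone file name are placeholders.

```powershell
# Added example (not from the original documentation). Run on a DNS server of the
# infrastructure domain. Domain names and addresses below are placeholders.
param(
    [string]$ClientDomain   = "client.example.com",          # placeholder client domain
    [string[]]$ClientDnsIPs = @("10.0.0.10", "10.0.0.11"),   # placeholder client DNS servers
    [ValidateSet("Forwarder", "Secondary")]
    [string]$Mode           = "Forwarder"
)

Import-Module DnsServer

if ($Mode -eq "Forwarder") {
    # Option 2: conditional forwarder. No zone data is copied; queries for the client
    # domain are forwarded to the client DNS servers. Needs no zone-transfer rights on
    # the client side, which is why it suits large or restrictive domains.
    Add-DnsServerConditionalForwarderZone -Name $ClientDomain `
        -MasterServers $ClientDnsIPs `
        -ReplicationScope "Forest"   # AD-integrated: every DC/DNS server in the forest gets it
}
else {
    # Option 1: secondary zone. Keeps a local read-only copy of the client zone, so the
    # client DNS administrators must allow zone transfers to this server.
    Add-DnsServerSecondaryZone -Name $ClientDomain `
        -ZoneFile "$ClientDomain.dns" `
        -MasterServers $ClientDnsIPs
}

# Verification: the client domain controllers must be resolvable from here before
# the forest trust is created. An empty result means the forwarder/zone is not working.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ClientDomain" -Type SRV -Server localhost
```

The same configuration is needed in the opposite direction on the client DNS servers for the infrastructure domain, since the trust is two-way.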

Required Groups

To meet the requirements, the following groups should either exist or be created in the home OU:

Group                                               | Name                                | Notes                                                                                          | Scope
----------------------------------------------------|-------------------------------------|------------------------------------------------------------------------------------------------|-------------
Double Factor Authentication Group (Deprecated 4.4) | VDI OS Double Factor Authentication | Includes users who can start a session in a virtual desktop via token-based authentication    | Local Domain
USB Redirection Group                               | VDI OS USB Redirection              | Includes users who can use the USB devices connected to their local machine in their virtual desktops | Local Domain
COM Redirection Group                               | VDI OS COM Redirection              | Includes users who can use their local machine's COM ports in their virtual desktops          | Local Domain
LPT1 Redirection Group                              | VDI OS LPT1 Redirection             | Includes users who can use their local machine's LPT1 ports in their virtual desktops         | Local Domain
Local Units Redirection Group                       | VDI OS Local Units Redirection      | Includes users who can use their local machine's physical disks in their virtual desktops     | Local Domain
Audio Redirection Group                             | VDI OS Audio Redirection            | Includes users who can redirect audio from their virtual desktops to their local machine      | Local Domain
Printer Redirection Group                           | VDI OS Printer Redirection          | Includes users who can use the printers connected to their local machine in their virtual desktops | Local Domain
TWAIN Redirection Group                             | VDI OS TWAIN Redirection            | Includes users who can use the TWAIN scanners connected to their local machine in their virtual desktops | Local Domain
Network Drives Redirection Group                    | VDI OS Network Drives Redirection   | Includes users who can use their local machine's network drives in their virtual desktops     | Local Domain

Two things you should know about Groups:

  • The name of the groups can be modified
  • You can use existing groups in the client domain
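As an added example (not part of the original documentation or of the product), the following PowerShell creates the redirection groups from the table above as domain local security groups in the Home OU, skipping any that already exist so that pre-existing client groups are reused rather than duplicated. The OU distinguished name is a placeholder, and the deprecated Double Factor Authentication group is left out.

```powershell
# Added example (not from the original documentation). Creates the redirection groups
# from the table as Domain Local security groups in the client's Home OU.
Import-Module ActiveDirectory

# Placeholder: replace with the distinguished name of the client's Home OU.
$HomeOU = "OU=Home,OU=VDI,DC=client,DC=example,DC=com"

# Default names from the table. They may be renamed, or replaced by existing groups,
# as long as the same names are later entered in the "User policies groups" tab.
$Groups = @(
    @{ Name = "VDI OS USB Redirection";            Description = "Users who can use local USB devices in their virtual desktops" },
    @{ Name = "VDI OS COM Redirection";            Description = "Users who can use local COM ports in their virtual desktops" },
    @{ Name = "VDI OS LPT1 Redirection";           Description = "Users who can use local LPT1 ports in their virtual desktops" },
    @{ Name = "VDI OS Local Units Redirection";    Description = "Users who can use local physical disks in their virtual desktops" },
    @{ Name = "VDI OS Audio Redirection";          Description = "Users who can redirect audio to their local machine" },
    @{ Name = "VDI OS Printer Redirection";        Description = "Users who can use local printers in their virtual desktops" },
    @{ Name = "VDI OS TWAIN Redirection";          Description = "Users who can use local TWAIN scanners in their virtual desktops" },
    @{ Name = "VDI OS Network Drives Redirection"; Description = "Users who can use local network drives in their virtual desktops" }
)

foreach ($g in $Groups) {
    # Reuse an existing group with the same name instead of failing on a duplicate.
    $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -SearchBase $HomeOU -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.GroupScope -ne "DomainLocal") {
            Write-Warning "$($g.Name) exists with scope $($existing.GroupScope); the table expects Local Domain scope"
        } else {
            Write-Host "Exists, reusing: $($g.Name)"
        }
        continue
    }

    New-ADGroup -Name $g.Name `
        -GroupScope DomainLocal `
        -GroupCategory Security `
        -Path $HomeOU `
        -Description $g.Description
    Write-Host "Created: $($g.Name)"
}

# Review the result: every group should be a Security group with DomainLocal scope.
Get-ADGroup -Filter 'Name -like "VDI OS *"' -SearchBase $HomeOU |
    Select-Object Name, GroupScope, GroupCategory
```

The account running this needs create-child rights on the Home OU, which the delegated OU admin from the prerequisites has; a read-only sync user does not.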

Configure the new domain in VDI OS Manager

To import the new client domain to VDI OS Manager you should go to the Domains section and click on "New".

Then enter the information about the new domain:

We should provide the following data:

  1. The name of the new domain
  2. The NETBIOS name will be added automatically
  3. the AD GUID will be added automatically
  4. The Base OU
  5. The user for the daily synchronization of the domain; this user can have read-only access
  6. The password of the synchronization user
  7. This checkbox must remain unchecked as this domain will be fully dedicated to a single tenant
  8. It is recommended to activate the daily automatic synchronization.
  9. Specify the time the domain synchronization has to start
  10. If a user other than the synchronization user is required to create the machine accounts, that user must be specified.
  11. The password for the user to create the machine accounts

At the bottom of the VDI OS Manager domain form, you will see several tabs:

In the User policies groups tab, you should include the groups that are needed for the orchestration:


In the Permissions tab, you should specify the permissions that the configured sync user has on this domain:

These options change the behaviour of the integration according to the permissions the synchronization user has in the client domain. They control the following:

  1. Check AD account existence: indicates that the sync user can perform LDAP queries against the domain to find out whether an account exists.
  2. Create & edit group policies: indicates that the sync user has permissions to create and edit group policies in the domain. When this permission is checked, some features become available, such as defining AD groups for local administrators and their members in the Tenant detail view.
  3. Create and delete computer accounts: indicates whether Flexxible|SUITE can create or delete computer accounts in the domain, or must use pre-created computer accounts to deploy VMs from VDTs or ASFs.
  4. Create internal groups: whether Flexxible|SUITE can create or modify domain groups and their membership.
  5. Create or update user information: whether Flexxible|SUITE can create or modify domain user accounts.
  6. Create OUs in Base OU: whether Flexxible|SUITE can create new organizational units in a tenant OU (or in the domain's base OU for non-multitenant editions).
  7. Force AD Replication: whether Flexxible|SUITE can force a replication between domain controllers.


Once the new domain is saved, the Password policy tab becomes visible. It shows the domain password policy, which is read from the AD domain by the periodic, automatic "Synchronize infrastructure" process.

Generally, you will not be able to edit these settings manually beyond the "Validate password policy" check box. You can only edit the password policy settings manually if the policy has never been synchronized from the AD domain (this can happen for many reasons, for example the sync user not having enough permissions). The settings you edit are not applied to the AD domain; they are only kept in the Flexxible|SUITE database for account password validation purposes.

Validate password policy

Checking this option enables password validation in Flexxible|SUITE for this domain: when you create a new tenant user or change an existing user's password, the password is checked against the domain password policy before the changes to the user are saved.

Stronger password complexity required

Indicates that passwords must meet additional complexity requirements, such as containing alphabetic, uppercase, lowercase, numeric or symbol characters, as described in the "Password policy description" text.

Minimum length

The minimum number of characters a password must have.

Valid values range from 0 to 14. A value of zero means that passwords are optional and do not have to meet any requirement, but this is an insecure and unlikely value for a real-world AD domain.

History count

The number of previous passwords that cannot be reused. That is, if you change a password and reuse one of your recent passwords, the new password will be rejected as invalid.

Valid values range from 0 to 24. A value of zero would mean that you can always keep using the same password when you are required to change it, but again this is a very unlikely and insecure value for a real-world AD domain.

Minimum age

How old a password must be (specified in days.hours:minutes:seconds) before it can be changed again. Valid values range from 0 to 999 days.

Maximum age

How old a password can be (specified in days.hours:minutes:seconds) before it must be changed. Valid values range from 0 to 998 days.

If an existing user has a specific password policy different from the domain password policy, the "Update user" job created when the tenant is saved after modifying the user's password will fail, and an error log line will be written specifying the password requirements for that particular user.

Note: password history is not checked, so if you use an old password not allowed by the policy, the "Update user" job might fail.
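To see in advance whether an "Update user" job would fail for a given account, the following PowerShell, added here as an illustration and not Flexxible|SUITE code, reads the effective password policy for the account (a fine-grained policy applied to the user takes precedence over the domain default, which is the case described above) and checks a candidate password against the minimum length, complexity and minimum age settings. The account name and password are placeholders; the complexity check follows the Windows rule of at least three character categories and no occurrence of the account name.

```powershell
# Added example (not Flexxible|SUITE code). Reads the effective password policy of an
# account and checks a candidate password against it before an "Update user" job runs.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # A fine-grained password policy (PSO) applied to the user overrides the domain
    # default. This is what makes the "Update user" job fail for some users only.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction SilentlyContinue
    if ($pso) { return $pso }
    return Get-ADDefaultDomainPasswordPolicy
}

function Test-PasswordAgainstPolicy {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)]$Policy
    )
    $problems = @()

    # Minimum length (0-14 in the domain policy, as described in the documentation).
    if ($Password.Length -lt $Policy.MinPasswordLength) {
        $problems += "shorter than the minimum length of $($Policy.MinPasswordLength)"
    }

    if ($Policy.ComplexityEnabled) {
        # Windows complexity: at least three of the character categories below and the
        # password must not contain the account name. The Unicode-alphabetic category
        # that Windows also accepts is not counted here, so this check is slightly stricter.
        $categories = 0
        if ($Password -cmatch '[A-Z]')       { $categories++ }
        if ($Password -cmatch '[a-z]')       { $categories++ }
        if ($Password -match  '[0-9]')       { $categories++ }
        if ($Password -match  '[^A-Za-z0-9]'){ $categories++ }
        if ($categories -lt 3) { $problems += "uses fewer than 3 character categories" }
        if ($Password.ToLower().Contains($SamAccountName.ToLower())) {
            $problems += "contains the account name"
        }
    }

    # Minimum age: a password changed less than MinPasswordAge ago cannot be changed yet.
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet
    if ($user.PasswordLastSet -and $Policy.MinPasswordAge.TotalSeconds -gt 0) {
        $age = (Get-Date) - $user.PasswordLastSet
        if ($age -lt $Policy.MinPasswordAge) {
            $problems += "changed $([int]$age.TotalHours)h ago; minimum age is $($Policy.MinPasswordAge)"
        }
    }

    # Password history is enforced only by the domain controller at change time and
    # cannot be checked here, so a reused password still fails when the job runs.
    return [pscustomobject]@{
        Account  = $SamAccountName
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage with placeholder values (account "jdoe", candidate password is a placeholder):
$policy = Get-EffectivePasswordPolicy -SamAccountName "jdoe"
$policy | Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, MinPasswordAge, MaxPasswordAge
Test-PasswordAgainstPolicy -SamAccountName "jdoe" -Password "Placeholder-Pass-2024!" -Policy $policy
```

Reading the resultant policy requires the sync user to be able to read the PSO objects; if it cannot, the function silently falls back to the domain default, which is exactly the situation in which the job's error log line is the only indication of the user-specific requirements.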
