Flexxible|SUITE - Integration with Active Directory

Integrating with an Existing Active Directory Domain

Flexxible|Suite only supports Active Directories within Organizational Units built-in English. If English is not the AD language, the group "Authenticated users" won´t exist. This can lead to very poor performance.


Integrate with Active Directory Forest

In this case, during the domain integration process, a trust relationship is not needed between the resources and the customer domains. Also, all the objects or items involved such as Groups, GPOs, OUs, etc are included in the client domain. Therefore, the client is able to customize the Groups and the OUs. Apart from that, we should follow the same process we did for the integration with an Active Directory, which has already been illustrated in this article.

Remark

When you choose to integrate your Windows domain into the deployment, a series of changes are made to your domain controller to integrate it into the automatic orchestration process.

During the domain integration process for full and mixed deployments, a trust relationship will be created between the resource domain, so you'll have an environment that works in two domains:

  • Desktops, application servers, and templates will be in the customer domain.
  • Citrix servers, hypervisors, and the rest of the infrastructure will be in the resource domain.

Note: in full integration deployments all users, machines, GPOs, and even the infrastructure servers will be in the customer domain.

In addition, a number of requirements must be met, such as:

  • Conditional forwarders are created in both domains so that they can be resolved between them (only for full and mixed deployment).
  • FlexxibleIT Organizational Unit (OU) is created with full account control permissions for the FlexxibleVDIServices account. This group contains the MSA accounts used by the orchestration layer.
  • The structure of OUs, groups, and users created from this OU (Desktops, AppServers, etc.) is the following:

 

  • Security groups: to manage the activation of functionalities on users and resources, new groups will be created within the base organizational unit. The list of groups to be created is as follows:
    • Template Designers: users with permission to edit templates
    • Users: all users in the virtualization environment
    • Managers: administrators of the environment
    • Remote support team: users who can provide remote assistance to other users
    • Users with USB redirection: enable USB redirection
    • Users with COM redirection: activation of COM redirection
    • Users with LPT1 redirection: activation of LPT1 redirection
    • Users with Local Units redirection: enable redirection of local units
    • Users with Audio redirection: enable audio redirection
    • Users with Printer redirection: enable printer redirection
    • Users with TWAIN redirection: enable TWAIN redirection
    • Users with Network drive redirection: enable network drive redirection


AD Integration for Flexxible|Appliances

There are two types of integration with client domains for deployments performed on Flexxible|SUITE:

  1. Mixed deployment: The Resource domain, which is integrated with an existing client domain gets auto-generated. A two-way Trust relationship between both domains is created.
  2. Full integration: No Resource domain generated, as the entire solution is installed under an existing domain. There is no trust relationship created for this deployment.

The possibility to integrate multiple domains will be enabled depending on the type of deployment:

  1. Enterprise Deployment, it allows integration with only ONE client domain.
  2. MT Deployment(multitenant), it allows integration with multiple domains in two formats:
    1. Dedicated Domain, a domain will be imported from Active Directory to be totally dedicated to a single tenant. It can be a client in the DaaS environments, a site in a multisite client, a department in a large company, etc.
    2. Multitenant Domain, a domain will be imported enabling the multitenant functionality, which allows the orchestration of different clients (or sites, departments, etc) in the same domain isolating each tenant into a unique 'domain OU' and orchestrating all the processes related to the mentioned tenant under this specific "Base OU".

In Multitenant environments, each tenant has a tenant code which is made of three characters. Such code, which is the tenant code in a multitenant domain, also represents the name of the tenant's Base OU.

In both cases, the requirements are shown below:


Users and Groups

The following users and groups should be created for the specified domains:

The Users and Groups specific for Flexxible|SUITE can be created in any OU, although for the sake of the infrastructure management, the prefered OU would be *\VDI OS\Users.

Account Proposed name Observations
VDI OS Administrators Group VDI OS Administrators Optional if there is more than one administrator.
VDI OS Administrator VDIOSAdmin Account to manage VDI OS


Organization Name Remark Domain Scope
VDI OS Services Group VDI OS Services Includes the MSA accounts of the VDI OS Services. Infrastructure Global
Controllers Group DDControllers Includes the AD accounts of the XenDesktop's Desktop Delivery Controllers which are part of the Domain infrastructure Infrastructure Local Domain
Double factor authentication Group
(Deprecated 4.4)
VDI OS Double factor Authentication Includes the users who can start a session in their desktop via Token-Based Authentication All the client domains Local Domain
USB redirection Group VDI OS USB redirection Includes the users who can use USB devices in their Virtual Desktops. All the client domains Local Domain
COM redirection Group VDI OS COM redirection Includes the users who can use their local machine COM port in their Virtual Desktops All the client domains Local Domain
LPT1 redirection Group VDI OS LPT1 redirection Includes the users who can use their local machine LPT1 port in their Virtual Desktops All the client domains Local Domain
Local units redirection Group VDI OS Local units redirection Includes the users who can use their local machine physical disks in their Virtual Desktops All the client domains Local Domain
Audio redirection Group VDI OS Audio redirection Includes the users who can redirect sound audio from their Virtual Desktop to their local machine All the client domains Local Domain
Printer redirection Group VDI OS Printer redirection Includes the users who can use the printers connected to their local machine, in their virtual desktop All the client domains Local Domain
TWAIN redirection Group VDI OS TWAIN redirection Includes the users who can use the TWAIN scanners connected to their local machine, in their virtual desktop All the client domains Local Domain
Network drives redirection Group VDI OS Network drives redirection Includes the users who can use their local machine network units, in their virtual desktop All the client domains Local Domain


User Name Remark Domain
VDI OS Administrator VDI OSAdmin This user is the administrator of the Flexxible|SUITE infrastructure Infrastructure
Multitenant Domain AD Read Only User VDIHandlerDaaS Multi-client Active Directory Read-Only User MT Domain
Client Domain AD Read Only User VDIHandler AD Read-Only User for each client All the client domains
Multitenant Domain AD Write Access User VDIHandlerDaaS This user has permissions to edit the Multi-client Active Directory MT Domain
Client Domain AD write Access User VDIManager AD Write Access User for each client All the client domains
Managed Service Account Web1 MSAWeb01$ VDI OS Services Group Member. For the Flexxible|SUITE Services that are executed in their infrastructure web servers. VDI OS console application pool identity. Infrastructure
Managed Service Account Web1 MSAWeb02$ VDI OS Services Group Member. For the Flexxible|SUITE Services that are executed in their infrastructure web servers. VDI OS console application pool identity. Infrastructure
Managed Service Account Worker1 MSAWorker01$ VDI OS Services Group Member. For the Flexxible|SUITE Services that are executed in their infrastructure worker servers. Infrastructure
Managed Service Account Worker2 MSAWorker02$ VDI OS Services Group Member. For the Flexxible|SUITE Services that are executed in their infrastructure worker servers. Infrastructure
Managed Service Account XD1 MSAXD01$ VDI OS Services Group Member. For the Flexxible|SUITE Services that are executed in their infrastructure XenDesktop servers.

Infrastructure
Managed Service Account XD2 MSAXD02$ VDI OS Services Group Member. For the Flexxible|SUITE Services that are executed in their infrastructure XenDesktop servers.

Infrastructure


OUs

A series of OUs are required in the client/MT domain and in the infrastructure domain as well. In the client domain, only one OU is required. In a Multitenant environment, a Base OU should be created for each tenant. For both cases, the results will be the following (See below):

Regarding the OUs created in the infrastructure domain:

OU Name and Proposed Route Comment
VDI OS Base OU VDI OS Includes the OUs that are used by VDI OS Manager
Infrastructure OU VDI OS - Infrastructure Includes the Flexxible|SUITE Infrastructure machines
Users OU VDI OS - User and groups Includes the Flexxible|SUITE Users and Groups


Permissions

The below table includes a brief description of the privileges to be granted:

OU Object Group Permissions Remark
Infrastructure OU VDI OS Services OU Read
Create computer objects
Delete computer objects
 In the infrastructure domain with delegated privileges
VDI OS Base OU VDI OS Services Group Read
Create computer/user objects
Delete computer/user objects
In MT and Client domain


Group Directives

Several group directives should be imported to assure the right performance of Flexxible|SUITE and its relationship to some OUs (Once they have been created inside the VDI OS OU).


VDI OS OU

An OU is needed to host all the domain objects used by Flexxible|SUITE:

  • OUs (children)
  • Users (optional, as they would already exist in the client OUs)
  • Groups used by Flexxible|SUITE
  • Equipment Account
  • Service Account

The OU may not be a child of the Root Domain. However, it is recommended to enable the "Block inheritance" option so that the defined GPOs are not applied accidentally at any level above the OU, except in cases, the "enforce" option has been checked intentionally.


Service Accounts

It is required to create the Managed Service Accounts needed to identify the VDI OS services.

Account Server Role
MSADB01$ DB01 SQL Server
MSADB02$ DB02 SQL Server
MSAVSP01$ Hypervisor01 Hypervisor cluster or management machine
MSAVSP02$ Hypervisor02 Hypervisor cluster or management machine
MSAWeb01$ Web01 Web Server
MSAWeb02$ Web02 Web Server
MSAWorker01$ Worker01 VDI OS Orchestrator
MSAWorker02$ Worker02 VDI OS Orchestrator
MSAWorker03$ Worker03 VDI OS Orchestrator
MSAWorker04$ Worker04 VDI OS Orchestrator
MSAXD01$ XD01 XenDesktop Controller
MSAXD02$ XD02 XenDesktop Controller

It is recommended that the “MSA” prefix is included in the accounts names, and also the name of their corresponding infrastructure server. For example, for the server DB01, the name of the MSA account should be MSADB01$.


“VDI OS Services” Group

In the OU created for Flexxible|SUITE, the group is formed by the Managed Service Account of the Flexxible|SUITE services. This group should:

  • Have the MSA accounts created for our infrastructure machine included as members of the group
  • Have Local Administrator privilege on the six Flexxible IT machines as the mentioned services send commands over the machines, which require privileges (to get the system uptime, analyze and start services, restart or shut down the machine, etc).
  • Have Local Administrator access to the templates which use Personal vDisk. If this is not the case, Flexxible|SUITE won´t be able to process the template inventory during the Ready for Deploy process.

The “AD Accounts / VDIOSServicesGroup” parameter should be notified within the Domain\Name\Group associated with this group. 


DDControllers Group

This group should be formed by the AD accounts of the Desktop Delivery Controllers for all the XenDesktop sites, as it is used to grant access to XenDesktop to create objects in the "Desktops" OU.

Once the group is created, its name will be included in the “AD Accounts / DDControllersGroup” application parameter

This group must have the following permissions on the OUs where the machines are created:



Redirection Groups

The Groups of Users to be created are:

  • Double factor authentication (Deprecated 4.4)
  • USB redirection
  • COM redirection
  • LPT1 redirection
  • Local Units redirection
  • Audio redirection
  • Printer redirection
  • TWAIN redirection
  • Network drives redirection

These groups should be included in the VDI OS parameters, in the “Users policies” Group and in the VDI OS Domain properties.


Please, refer to the Active Directory Integration for FLEXXIBLE|Appliances for more information.