VMware Horizon – Multi Domain/Forest Setup

Release date: June 20th 2019

Welcome to my VMware Horizon series. In this session I will simulate a multi-domain/forest setup with VMware Horizon. To do this, there must be a trust between the two domains. I have covered how to set up this trust here: Microsoft Windows – Setup Two-way Domain/Forest Trust. Furthermore, the firewall must allow the necessary ports between the Active Directory domain controllers and the Horizon components. Depending on the environment, these ports would be LDAP (389), LDAPS (636), Kerberos (88) TCP/UDP etc.

I have divided this exercise into the following tasks:

  • Create a domain-join account in frelabtest.net (hzadmin@frelabtest.net)
  • Create usergroup in frelabtest.net for user-accounts from ad.admin.frelab.net
  • Create OU-structure for Horizon Desktops in frelabtest.net
  • Add hzadmin@frelabtest.net as Instant Clone Admin in Horizon Administrator
  • Copy GPO-settings from old to new domain, adjust GPO settings and link to OU
  • Route new VLAN and IP subnet in UAG
  • Create new desktop-pool and test logging in. Verify user- and computer-account domain affinity.

Create a domain-join account in frelabtest.net (hzadmin@frelabtest.net)

I log in on the domain controller in frelabtest.net and create the domain-join user account in ADUC. I make sure to adjust the permissions for this account so that it can join computer accounts to the domain.


Create usergroup in frelabtest.net for user-accounts from ad.admin.frelab.net

I have tried to describe some basic user and group requirements below. My users in the ad.admin.frelab.net domain are members of the Global Security Group “View_Users”. This group is, in turn, a member of the Domain Local Group “Horizon Users” in the frelabtest.net domain. The “Horizon Users” group will later be set as a member of the groups “Users” and/or “Remote Desktop Users” inside the Horizon desktops that are deployed to frelabtest.net.


In frelabtest.net, I create a Domain Local security group, “Horizon Users”. I add the ViewUsers group from ad.admin.frelab.net. Later I will add the “Horizon Users” group to Restricted Groups via GPO settings.
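To check that the nesting across the trust grants desktop access only to what was intended, the following added example (not part of the original post) lists the members of “Horizon Users” and marks which ones come from the trusted domain. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to both domains; the variable names are illustrative.

```powershell
# Added example: audit the membership of the Domain Local group used for desktop access.
Import-Module ActiveDirectory

$ResourceDomain = 'frelabtest.net'        # domain that holds the desktops (from the post)
$TrustedDomain  = 'ad.admin.frelab.net'   # domain that holds the users (from the post)
$GroupName      = 'Horizon Users'         # Domain Local group (from the post)

$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $ResourceDomain -Properties member
if (-not $group) { throw "Group '$GroupName' not found in $ResourceDomain" }
if ($group.GroupScope -ne 'DomainLocal') {
    Write-Warning "'$GroupName' has scope $($group.GroupScope); this design expects DomainLocal."
}

# Every account and group created in the trusted domain shares this SID prefix.
$trustedSid = (Get-ADDomain -Server $TrustedDomain).DomainSID

$report = foreach ($dn in $group.member) {
    if ($dn -match '^CN=(S-\d+(-\d+)+),CN=ForeignSecurityPrincipals,') {
        # Members from across the trust are stored as foreign security principals named by SID.
        $sid  = [System.Security.Principal.SecurityIdentifier]$Matches[1]
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # leave the placeholder when the SID cannot be resolved over the trust

        # AccountDomainSid is $null for well-known SIDs such as Authenticated Users.
        $fromTrusted = ($null -ne $sid.AccountDomainSid) -and $sid.AccountDomainSid.Equals($trustedSid)
        [pscustomobject]@{ Member = $name; Sid = $sid.Value; Origin = 'Foreign'; FromTrustedDomain = $fromTrusted }
    }
    else {
        # Anything else is an object from the resource domain itself.
        $obj = Get-ADObject -Identity $dn -Server $ResourceDomain -Properties objectSid
        [pscustomobject]@{ Member = $obj.Name; Sid = "$($obj.objectSid)"; Origin = 'Local'; FromTrustedDomain = $false }
    }
}

$report | Sort-Object Origin, Member | Format-Table -AutoSize
```

In the setup described here the only expected row is the global group from ad.admin.frelab.net; an unresolved SID or a foreign principal outside that domain is worth reviewing before the group is pushed to the desktops through Restricted Groups.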


Create OU-structure for Horizon Desktops in frelabtest.net

In Active Directory in frelabtest.net, I create an OU for my Horizon Desktops. I will link my GPO to this OU later.

Add hzadmin@frelabtest.net as Instant Clone Admin in Horizon Administrator

Before I can add hzadmin@frelabtest.net as an Instant Clone Admin in Horizon Administrator, I have to make sure that Horizon can see the new domain. In my case, I had to restart the connection servers after I set up the trust. After this, the new domain was visible in Horizon Administrator.


Next, I add hzadmin@frelabtest.net as Instant Clone Admin.


Copy GPO-settings from old to new domain, adjust GPO settings and link to OU

As I already have GPOs in the ad.admin.frelab.net domain with more or less correct settings, I will copy these over to the new domain. I have already covered how to do this here: Microsoft Windows – Copy/Migrate GPO from one domain to another. The only adjustment I will make here is to change the Restricted Groups setting.


Route new VLAN and IP subnet in UAG

As the users will access the Horizon environment through the Unified Access Gateway, I will need to add a route to the new VLAN / IP subnet. I have previously posted how to add routes here: VMware Unified Access Gateway – Routing.


Create new desktop-pool and test logging in. Verify user- and computer-account domain affinity.

I create a standard instant clone pool using a template and snapshot with its vNIC in the correct Port Group/VLAN. The only difference is when it comes to Guest Customization. I make sure to choose my new Instant Clone Admin and the correct OU in frelabtest.net.


Finally, I will log in with my test user from ad.admin.frelab.net. I now verify user- and computer-account affinity.


As the test shows, users from ad.admin.frelab.net can now log into desktops in frelabtest.net and access resources in this domain. These desktops aren’t set up with App Volumes and User Environment Agent; I plan to cover this aspect at a later point in time.


Disclaimer: Every tip, trick and posting I have published here has been tried and tested in different IT solutions. It is not guaranteed to work everywhere, but is meant as a tip for other users out there. Remember, Google is your friend and don’t be afraid to steal with pride! Feel free to comment below as needed.
