Active Directory Configuration
Recommendations for setting up a new or existing Active Directory instance for use with the VMware Horizon DaaS environment.
This guide covers recommendations and requirements for integrating an Active Directory instance with the VMware Horizon DaaS platform. It applies to both a 'Super Tenant' and a 'Full Isolation' tenant, as the configuration is the same for both.
This guide assumes you've already had a discussion with our team to confirm how the DaaS appliances will be connecting back to Active Directory.
Required Users and Security Groups
The Horizon DaaS platform requires a few users and security groups to be configured to facilitate several functions when communicating with the Horizon DaaS portal.
While you can give access to the Horizon DaaS environment on a per user basis by adding users to the Desktop Assignments, we recommend the use of Groups to make it easier to give new users access to the environment.
However, administrative access to the DaaS Portal can only be given via user groups.
As a high-level overview, the environment requires the following groups and users to be configured:
User Account: 2 x LDAP Bind Accounts, used for authentication access to AD via LDAP
User Account: Domain Join Account, used for joining VDI to the Domain following deployment
User Account: Hosted Network Management Account, this is so that HN staff can access the portal and provide support
Security Group: DaaS Admins, this provides anyone added to the group with access to the Horizon Admin portal
Security Group: DaaS Users, default user group that gives its members access to VDI (this is optional)
None of the above accounts require Domain Access. However, if you want to join VDI to the domain with a non-domain-admin account, you will need to delegate some access to the 'Domain Join' user. Below is a link to our KB on the required permissions.
Configuring permissions for the Domain Join account
Recommended OU Structure
We recommend the OU structure below, as it provides a clean way to keep DaaS resources separate from the rest of the environment and allows for easy GPO and user management.
Below is a quick breakdown of what each OU is intended for:
Desktops: used to store the VDI once they are domain-joined
Groups: used to house DaaS-specific user groups
System Accounts: this is where the LDAP Bind, Domain Join and HN Management accounts would go
Users: this OU is optional, but it is used to store the user accounts for DaaS
This is not a strict guide but a recommendation.
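As an added example (not part of this KB, and not code from VMware or Hosted Network), the following PowerShell script creates the OU structure, security groups and service accounts described above with the ActiveDirectory module. It assumes a parent OU named "DaaS" and placeholder svc-daas-* account names, neither of which the guide specifies.

```powershell
# Added example, not from the Hosted Network KB: builds the recommended OU layout,
# the two security groups and the four service accounts with the ActiveDirectory
# PowerShell module (RSAT). ASSUMPTIONS: a top-level OU named "DaaS" (the page does
# not name one) and the svc-daas-* account names, which are placeholders to rename.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$rootOU   = "OU=DaaS,$domainDN"                                # assumed parent OU
$childOUs = "Desktops", "Groups", "System Accounts", "Users"   # OUs named in the KB

# Parent OU plus the four child OUs, skipping any that already exist.
if (-not [adsi]::Exists("LDAP://$rootOU")) {
    New-ADOrganizationalUnit -Name "DaaS" -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
foreach ($ou in $childOUs) {
    if (-not [adsi]::Exists("LDAP://OU=$ou,$rootOU")) {
        New-ADOrganizationalUnit -Name $ou -Path $rootOU -ProtectedFromAccidentalDeletion $true
    }
}

# Security groups live in the Groups OU; DaaS Admins is the only way to grant portal admin rights.
foreach ($g in "DaaS Admins", "DaaS Users") {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=Groups,$rootOU"
    }
}

# Service accounts live in the System Accounts OU. Passwords are prompted, never hard-coded.
$accounts = @(
    @{ Name = "svc-daas-ldap1"; Desc = "Horizon DaaS LDAP bind account 1" },
    @{ Name = "svc-daas-ldap2"; Desc = "Horizon DaaS LDAP bind account 2" },
    @{ Name = "svc-daas-join";  Desc = "Horizon DaaS domain join account" },
    @{ Name = "svc-daas-hn";    Desc = "Hosted Network management account" }
)
foreach ($a in $accounts) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($a.Name)'") { continue }
    $pw = Read-Host -Prompt "Password for $($a.Name)" -AsSecureString
    New-ADUser -Name $a.Name -SamAccountName $a.Name -Description $a.Desc `
        -Path "OU=System Accounts,$rootOU" -AccountPassword $pw -Enabled $true
}

# Check: none of these accounts should be domain admins (the KB says none need to be;
# the Domain Join account gets the delegated permissions from the linked KB instead).
foreach ($a in $accounts) {
    $da = Get-ADPrincipalGroupMembership -Identity $a.Name | Where-Object Name -eq "Domain Admins"
    if ($da) { Write-Warning "$($a.Name) is in Domain Admins; remove it and delegate instead." }
}
```

Run it once as an account that can create objects under the domain root; re-running is safe because every step skips objects that already exist.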