You can optionally register additional Active Directory domains with your node to assign management roles or provide assignments to users in those domains.

Prerequisites

Ensure that the Active Directory infrastructure is synchronized to an accurate time source to prevent the domain join from failing. Such a failure requires you to contact VMware Support for assistance.

For the required primary and auxiliary domain-bind accounts, verify you have the information for two Active Directory user accounts that adhere to the requirements described in the prerequisites checklist document, including:

  • The account passwords cannot expire, change, or be locked out.

Caution:

Ensure that your domain-bind accounts cannot expire, change, or be locked out. You must use this type of account configuration because the system uses the primary domain-bind account as a service account to query Active Directory. If the primary domain-bind account becomes inaccessible for some reason, the system then uses the auxiliary domain-bind account.

For the required domain-join account, verify you have the information for the Active Directory user account that has domain-join permissions because the system uses this account to perform Sysprep operations on desktops and join the desktops to the domain. The domain-join account also must be in an Active Directory group that you add to the Super Administrators role in the Administration Console.
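
The prerequisites above can be checked before you open the Register dialog box. The following PowerShell script is an added example, not part of the original VMware documentation. It assumes the RSAT ActiveDirectory module is installed, and every account and group name in it is a placeholder. Treating a lockout threshold of 0 as "cannot be locked out" is this example's interpretation of the requirement.

```powershell
# Added example: pre-flight check of the accounts named in the prerequisites.
# Every account and group name below is a placeholder (assumption).
Import-Module ActiveDirectory

$BindAccounts = 'svc-bind-primary', 'svc-bind-aux'   # placeholder names
$JoinAccount  = 'svc-domain-join'                    # placeholder name
$AdminGroup   = 'HorizonCloud-Admins'                # placeholder name

$props = 'Enabled', 'LockedOut', 'PasswordNeverExpires',
         'CannotChangePassword', 'AccountExpirationDate'

$report = foreach ($name in $BindAccounts) {
    $u = Get-ADUser -Identity $name -Properties $props

    # Fine-grained password policy if one applies, otherwise the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $u
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    [pscustomobject]@{
        Account              = $u.SamAccountName
        Enabled              = $u.Enabled
        LockedOutNow         = $u.LockedOut
        PasswordNeverExpires = $u.PasswordNeverExpires
        CannotChangePassword = $u.CannotChangePassword    # informational only
        AccountExpires       = $u.AccountExpirationDate   # empty = never
        LockoutThreshold     = $policy.LockoutThreshold   # 0 = lockout disabled
    }
}
$report | Format-Table -AutoSize

# Flag any bind account that can expire or be locked out.
$report | Where-Object {
    -not $_.Enabled -or $_.LockedOutNow -or -not $_.PasswordNeverExpires -or
    $_.AccountExpires -or $_.LockoutThreshold -ne 0
} | ForEach-Object {
    Write-Warning "$($_.Account) does not meet the domain-bind requirements"
}

# The domain-join account must belong (directly or through nesting) to the
# group that will be added to the Super Administrators role.
$join    = Get-ADUser -Identity $JoinAccount
$members = Get-ADGroupMember -Identity $AdminGroup -Recursive
if ($members.DistinguishedName -notcontains $join.DistinguishedName) {
    Write-Warning "$JoinAccount is not a member of $AdminGroup"
}

# Time source and offset of the machine this script runs on.
w32tm /query /status
```

A run that prints no warnings means the placeholder accounts match the checks in this script. It does not replace the prerequisites checklist document.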

Procedure

  1. In the Administration Console, select Settings > Active Directory.
  2. Click Register.
  3. In the Register Active Directory dialog box, provide the requested registration information.
    Important:

    Use Active Directory accounts that adhere to the guidelines for the primary and auxiliary domain-bind accounts as described in the prerequisites.

    Option: Description

      • NETBIOS Name: Active Directory domain name

      • DNS Domain Name: Fully qualified Active Directory domain name

      • Protocol: Automatically displays LDAP.

      • Bind Username: User account in the domain to use as the primary LDAP bind account

      • Bind Password: The password associated with the name in the Bind Username text box.

      • Auxiliary Account #1: In the Bind Username and Bind Password fields, type a user account in the domain to use as the auxiliary LDAP bind account and its associated password.

  4. Click Domain Bind.

    The Domain Join dialog box appears.

  5. In the Domain Join dialog box, provide the domain-join information.
    Note:

    Use an Active Directory account that adheres to the guidelines for the domain-join account described in the prerequisites.

    Option: Description

      • Join Username: User account in the Active Directory that has permissions to join systems to that Active Directory domain.

      • Join Password: The password associated with the name in the Join Username text box.

      • Primary DNS Server IP: IP address of the primary DNS Server

      • Secondary DNS Server IP: (Optional) IP address of a secondary DNS Server

      • Default OU: Active Directory organizational unit that will contain the desktop image resources, such as OU=NestedOrgName,OU=RootOrgName,DC=DomainComponent. The system default is CN=Computers.

  6. Click Save.

    At this point, if the domain join process succeeds, the Add Administrator dialog box appears and you can continue to the next step.

  7. In the Add Administrator dialog box, use the Active Directory search function to add a group from this Active Directory whose members you want to perform management actions on your environment using the Administration Console.
    Important:

    Add the Active Directory group which includes the domain-join account, as described in the prerequisites.

  8. Click Save.

Results

The following items are now in place:

  • The Horizon Cloud node is joined to the Active Directory domain.

  • After logging in to Horizon Cloud using your My VMware credentials, in the Active Directory login window, users with the super administrator role can select the domain that corresponds to their Active Directory account.

  • Users in the group to which you granted the super administrator role can access the Administration Console and perform management activities.

  • User accounts in the joined Active Directory domain can be selected for assignments using the Administration Console, such as desktop assignments.

What to do next

From this point, you typically perform the following tasks: