In a complex Active Directory environment, your organization might have a scenario in which your pod-provisioned resources are joined to a domain in one forest while your user accounts are in a domain in another forest, with an external trust or forest trust that allows users in one domain to access resources in the other. This topic describes how Horizon Cloud supports traversing those external trusts or forest trusts between domains in different forests.
In the administrative console, you create what are called assignments to entitle users and groups to your pod-provisioned resources. When you use the console to create a VDI desktop assignment or a farm, you specify in which of the cloud-registered domains to locate the resulting desktop VMs or farm session-host VMs. You also use the console to configure the assignments to provide use of those resources to users and groups in your Active Directory domains. To accommodate use of complex domain environments for these assignments, Horizon Cloud provides support for:
- Entitling pod-provisioned resources that are joined to a domain in one forest to users and groups joined to a domain in a different forest.
- One-way trusts.
For Horizon Cloud support of your external and forest trusts, you must:
- Register with Horizon Cloud all domains from all forests that contain accounts that you wish to use with resources provisioned from the cloud-connected pods. The system cannot validate a forest's groups unless the group's domain is registered with Horizon Cloud. See First-Gen Tenants - Perform the First Required Active Directory Domain Registration for Your Horizon Cloud Control Plane Tenant and Register Additional Active Directory Domains as Cloud-Configured Active Directory Domains with Your Horizon Cloud Tenant Environment. As described in those topics, all of the cloud-connected pods must have line-of-sight to every cloud-registered Active Directory domain.
- Register forest root domains from both sides of a forest trust. This requirement must be met even if you have no users or desktops in the forest root domains. This requirement allows Horizon Cloud to connect to the forest roots and decode the relevant TDOs (Trusted Domain Objects).
- Enable global catalog for at least one of the registered domains in each forest. For optimal performance, all registered domains should have global catalog enabled.
- To enable entitling groups from different forests to the same assignment in Horizon Cloud, register at least one universal group from each forest.
- Follow a hierarchical structure for the forest domains' DNS name and root naming context. For example, if the parent domain is called example.edu, a child domain could be called vpc.example.edu but not vpc.com.
- Avoid having a domain in an externally trusted forest whose NetBIOS name clashes with that of a registered domain, because the system excludes such domains from its enumeration: the registered NetBIOS name takes precedence over a clashing NetBIOS name found while the system enumerates a trusted forest's domains.
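The following pre-flight check, added here as example code rather than anything from Horizon Cloud itself, walks a domain inventory against the requirements in the list above (registered forest roots on both sides, a global catalog per forest, hierarchical DNS names, and NetBIOS clashes with trusted-forest domains). The inventory format and its field names (forest, dns, netbios, is_root, gc, registered) are assumptions, and the sample data is constructed.

```python
"""Pre-flight checks for the forest-trust requirements listed above (example code)."""


def check_inventory(domains):
    """Return findings (strings) for a list of domain dicts; [] means all checks pass.
    Assumed dict fields: forest, dns, netbios, is_root, gc, registered."""
    findings = []
    registered = [d for d in domains if d["registered"]]
    roots = {d["forest"]: d for d in domains if d["is_root"]}

    for forest in sorted({d["forest"] for d in domains}):
        # Forest roots on both sides of the trust must be registered, even when they
        # hold no users or desktops, so the relevant TDOs can be read.
        root = roots.get(forest)
        if root is None or not root["registered"]:
            findings.append(f"forest {forest}: root domain is not registered")
        # At least one registered domain per forest needs global catalog enabled.
        if not any(d["gc"] for d in registered if d["forest"] == forest):
            findings.append(f"forest {forest}: no registered domain has global catalog enabled")

    # Child domain DNS names must sit under the forest root (vpc.example.edu, not vpc.com).
    for d in registered:
        root = roots.get(d["forest"])
        if root and not d["is_root"] and not d["dns"].lower().endswith("." + root["dns"].lower()):
            findings.append(f"{d['dns']}: DNS name is not a child of forest root {root['dns']}")

    # A trusted-forest domain whose NetBIOS name clashes with a registered domain's name
    # is excluded from enumeration; the registered name takes precedence.
    registered_nb = {d["netbios"].upper(): d["dns"] for d in registered}
    for d in domains:
        if not d["registered"] and d["netbios"].upper() in registered_nb:
            findings.append(f"{d['dns']}: NetBIOS name {d['netbios']} clashes with registered "
                            f"{registered_nb[d['netbios'].upper()]}; excluded from enumeration")
    return findings


# Constructed sample inventory: a resource forest (example.edu) and an account forest (users.test).
SAMPLE = [
    {"forest": "example.edu", "dns": "example.edu", "netbios": "EXAMPLE", "is_root": True, "gc": True, "registered": True},
    {"forest": "example.edu", "dns": "vpc.example.edu", "netbios": "VPC", "is_root": False, "gc": False, "registered": True},
    {"forest": "example.edu", "dns": "vpc.com", "netbios": "VPCCOM", "is_root": False, "gc": False, "registered": True},
    {"forest": "users.test", "dns": "users.test", "netbios": "USERS", "is_root": True, "gc": True, "registered": False},
    {"forest": "users.test", "dns": "staff.users.test", "netbios": "STAFF", "is_root": False, "gc": False, "registered": True},
    {"forest": "users.test", "dns": "lab.users.test", "netbios": "VPC", "is_root": False, "gc": False, "registered": False},
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE):
        print(finding)
```

Run against the sample, the check reports four findings: the unregistered users.test root, the missing global catalog in users.test, the non-hierarchical vpc.com name, and the lab.users.test NetBIOS clash.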