You can optionally register additional Active Directory domains with your Horizon Cloud customer account. Registering the Active Directory domain adds that domain to the set of cloud-configured domains associated with that Horizon Cloud customer account. When the domain is in the set of cloud-configured domains, then you can enable user accounts and groups from that domain to use features that the system provides, such as help desk administrators using the help desk features or end users using the desktop-related features.

Important: In the Bind Username and Join Username text boxes for the domain-bind and domain-join accounts, provide the account name itself, such as ouraccountname, that is, the user logon name without the domain name.
Note: Distribution groups are not supported, even if they are nested under a Security group. When creating Active Directory groups, always select Security for Group type.

Prerequisites

Ensure that the Active Directory infrastructure is synchronized to an accurate time source to prevent the domain-join account step from failing. Such a failure might require you to contact VMware Support for assistance. If the domain-bind step succeeds, but the domain-join step fails, you can try resetting the domain and then investigate whether you need to adjust the time source. To reset the domain, see the steps in Remove the Active Directory Domain Registration.

For the required primary and auxiliary domain-bind accounts, verify you have the information for two Active Directory user accounts that adhere to the requirements described in Service Accounts That Horizon Cloud Requires for Its Operations.

Caution: To prevent accidental lockouts that would prevent you from logging in to the cloud-based console to manage your Horizon Cloud environment, you must ensure that your domain-bind accounts cannot expire, change, or be locked out. You must use this type of account configuration because the system uses the primary domain-bind account as a service account to query your Active Directory domain to verify credentials to log in to the console. If the primary domain-bind account becomes inaccessible for some reason, the system then uses the auxiliary domain-bind account. If both the primary and auxiliary domain-bind accounts expire or become inaccessible, then you will not be able to log in to the console and update the configuration to use an accessible domain-bind account.

The primary and auxiliary domain-bind accounts are always assigned the Super Administrator role, which grants all the permissions to perform management actions in the console. Ensure that your specified domain-bind accounts are not accessible to users that you do not want to have Super Administrator permissions.

For the domain-join account, verify the account meets the requirements described in Service Accounts That Horizon Cloud Requires for Its Operations.
Caution:
  • If you only have one Active Directory group with the Super Administrator role assigned, do not remove that group from the Active Directory server. Doing so can cause issues with future logins.
  • When your pod fleet has any Horizon Cloud pods in Microsoft Azure that are running manifests older than 1600.0, the domain-join account must be granted the Super Administrator role. Because the roles are granted at a group level, if you have such pods and if the domain-join account you provide in the Active Directory domain registration's domain-join account step is not already in one of the Active Directory groups to which you can assign the Super Administrator role, create an Active Directory group for that account and add that group to the Super Administrator role. In that way, you can ensure the Super Administrator role can be assigned to that domain-join account when your pod fleet has pods of those older manifests.

Verify you have the Active Directory domain's NetBIOS name and DNS domain name. You will provide these values in the console's Register Active Directory window in the first step of this workflow. For an example of how to locate these values, see Locating the Information Required for the Horizon Cloud Register Active Directory Workflow's NETBIOS Name and DNS Domain Name Fields.

Caution: When you register an additional Active Directory domain, ensure that all of your cloud-connected pods have line-of-sight to that domain. All of the pods in the same customer account record need to be able to reach the same set of cloud-configured Active Directory domains that are registered with that account. All of the pods need to be able to reach the same Active Directory servers, and the DNS configuration needs to resolve all of those cloud-configured Active Directory domains.

Procedure

  1. In the console, select Settings > Active Directory.
  2. Click Register.
  3. In the Register Active Directory dialog box, provide the requested registration information.
    Important: Use Active Directory accounts that adhere to the guidelines for the primary and auxiliary domain-bind accounts as described in the prerequisites.
    Option Description
    NETBIOS Name
    • When you have cloud-connected Horizon pods, at this step, the system displays a selection menu that is populated with the names of all of the Active Directory domains that the Horizon pod can see. Select the Active Directory domain that you want to register first.
    • When your only cloud-connected pods are in Microsoft Azure, at this step, the system displays a text box. Type in the NetBIOS name for the Active Directory domain that you want to register. Typically this name does not contain a period. For an example of how to locate the value to use from your Active Directory domain environment, see Locating the Information Required for the Horizon Cloud Register Active Directory Workflow's NETBIOS Name and DNS Domain Name Fields.
    DNS Domain Name
    Protocol: Automatically displays LDAP, the supported protocol.
    Bind Username: User account in the domain to use as the primary LDAP bind account.
    Note: Only provide the user name itself. Do not include the domain name here.
    Bind Password: The password associated with the name in the Bind Username text box.
    Auxiliary Account #1: In the Bind Username and Bind Password fields, type a user account in the domain to use as the auxiliary LDAP bind account and its associated password.
    Note: Only provide the user name itself. Do not include the domain name here.
  4. Click Domain Bind.
    When the domain-bind step succeeds, the Domain Join dialog box appears and you can continue to the next step.
  5. In the Domain Join dialog box, provide the required information.
    Note: Use an Active Directory account that adheres to the guidelines for the domain-join account described in the prerequisites.
    Option Description
    Primary DNS Server IP: The IP address of the primary DNS server that you want Horizon Cloud to use to resolve machine names.

    For a pod in Microsoft Azure, this DNS server must be able to resolve machine names inside of your Microsoft Azure cloud as well as resolve external names.

    Secondary DNS Server IP: (Optional) IP address of a secondary DNS server.
    Default OU: Active Directory organizational unit (OU) that you want the pod's desktop-related virtual machines to use, such as imported VMs, farm RDSH VMs, and VDI desktop instances. An Active Directory OU path has the form OU=NestedOrgName,OU=RootOrgName,DC=DomainComponent. The system default is CN=Computers. You can change the default to match your needs, for example CN=myexample.
    Note: For a description of nested organization names, see Considerations For Using Nested Active Directory Domain Organizational Units. Each individual OU that you enter must be 64 characters or less, not counting the OU= portion of your entry, because Microsoft limits an individual OU name to 64 characters. An OU path that is longer than 64 characters is valid as long as no individual OU in that path is longer than 64 characters.
    Join Username: User account in the Active Directory domain that has permissions to join computers to that domain.
    Note: Only provide the user name itself. Do not include the domain name here.
    Join Password: The password associated with the name in the Join Username text box.
  6. (Optional) Specify an auxiliary domain-join account.
    If the primary domain-join account you specified becomes inaccessible, the system uses the auxiliary domain-join account for those operations in pods in Microsoft Azure that require joining the domain, such as importing image VMs, creating farm RDSH instances, creating VDI desktop instances, and so on.
    Note:
    • Use an Active Directory account that adheres to the same guidelines for the primary domain-join account described in the prerequisites. Ensure that this auxiliary domain-join account has a different expiration time from the primary domain-join account, unless both accounts have Never Expires set. If both the primary and auxiliary domain-join accounts expire at the same time, the system's operations for sealing images and provisioning farm RDSH VMs and VDI desktop VMs will fail.
    • You can add only one auxiliary domain-join account for each Active Directory you register with Horizon Cloud.
    • If you do not add an auxiliary domain-join account at this time, you can add one later using the console.
    • You can update or remove this account later.
    • The agent-related software on a desktop-related virtual machine — such as a sealed image, farm RDSH instance, or VDI desktop instance — must be version 18.1 or later for the system to use the auxiliary domain-join account with that virtual machine.
    Option Description
    Auxiliary Join Username: User account in the Active Directory domain that has permissions to join systems to that domain.
    Important: Only provide the account name in this field, such as ouraccountname, that is, the user logon name without the domain name. Entering slashes or at-signs displays an error.
    Auxiliary Join Password: The password associated with the name in the Auxiliary Join Username text box.
  7. Click Save.
    At this point, if the domain-join step succeeds, the Add Administrator dialog box appears and you can continue to the next step.
  8. In the Add Super Administrator dialog box, use the Active Directory search function to select the Active Directory administrator group that you want to perform management actions on your environment using the console.
    This assignment ensures that at least one of your Active Directory domain's user accounts is granted the permissions to log in using the standard login workflow now that the Active Directory domain is configured for this customer account.
    Important: If your pod fleet has any Horizon Cloud pods in Microsoft Azure that are running manifests older than 1600.0, you must add the Active Directory group which includes the domain-join account to the Super Administrator role, as described in the prerequisites. When your pod fleet has pods running at those old manifests, if the domain-join account is not in any of the Active Directory groups that have the Super Administrator role, using the import VM workflow with those pods can fail.
  9. Click Save.
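As an added pre-flight check (not part of the VMware procedure or product), the following Python validates a Default OU value against the per-OU 64-character rule from step 5 and the bind and join usernames against the no-domain, no-slash, no-at-sign rule from steps 3, 5 and 6, before you type them into the console. All sample values are constructed.

```python
import re

# Microsoft's limit on an individual OU name; the "OU=" prefix is not counted.
OU_MAX_LEN = 64

# Split an LDAP distinguished name on commas that are not backslash-escaped,
# so a value such as "OU=Sales\, East" stays one component.
_DN_SPLIT = re.compile(r'(?<!\\),')

def validate_ou_path(dn):
    """Return a list of problems with a Default OU value; an empty list means it is valid."""
    problems = []
    components = [c.strip() for c in _DN_SPLIT.split(dn) if c.strip()]
    if not components:
        return ["OU path is empty"]
    for component in components:
        attr, sep, value = component.partition("=")
        attr = attr.strip().upper()
        if not sep or not value:
            problems.append(f"malformed component {component!r}")
        elif attr not in ("OU", "CN", "DC"):
            problems.append(f"unexpected attribute {attr} in {component!r}")
        elif attr == "OU" and len(value) > OU_MAX_LEN:
            # The whole path may exceed 64 characters; only each individual OU is capped.
            problems.append(f"OU {value!r} is {len(value)} characters, limit is {OU_MAX_LEN}")
    return problems

def validate_account_name(name):
    """Bind/join usernames must be the bare logon name, with no domain prefix or UPN suffix."""
    problems = []
    if not name.strip():
        problems.append("account name is empty")
    if "\\" in name or "/" in name:
        problems.append("contains a slash; enter the logon name without the domain")
    if "@" in name:
        problems.append("contains an at-sign; enter the logon name without the UPN suffix")
    return problems

def preflight(default_ou, account_names):
    """Check every value that the Domain Bind and Domain Join dialog boxes would reject."""
    report = {"Default OU": validate_ou_path(default_ou)}
    for label, name in account_names.items():
        report[label] = validate_account_name(name)
    return report

if __name__ == "__main__":
    # Constructed sample values, not from a real environment.
    names = {"Bind Username": "ouraccountname", "Join Username": "CORP\\svc-join"}
    for field, issues in preflight("OU=NestedOrgName,OU=RootOrgName,DC=example", names).items():
        print(field, "OK" if not issues else "; ".join(issues))
```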

Results

The following items are now in place:
  • The Active Directory domain is one of the cloud-configured Active Directory domains associated with this Horizon Cloud customer account.
  • For a pod in Microsoft Azure, Horizon Cloud has the necessary domain-join account needed for those system operations involving joining desktop-related virtual machines to that domain.
  • After logging in to Horizon Cloud with their My VMware credentials, users in that Active Directory domain who have an assigned Horizon Cloud role can select the domain that corresponds to their Active Directory account in the Active Directory login window.
  • Users in the group to which you granted the Super Administrator role will be able to access the console and perform management activities when they use the associated My VMware account for the first login screen. To enable those administrators to use their own My VMware account credentials for the first login step, complete the steps described in Give Administrative Roles to Individuals in Your Organization for Logging In To and Performing Actions in Your Horizon Cloud Tenant Environment Using the Horizon Universal Console.
  • User accounts from the registered Active Directory domain can be selected for assignments involving resources from pods in Microsoft Azure.
  • The console's help desk features can be used with user accounts from that registered Active Directory domain.

What to do next

From this point, you typically perform the following tasks: