After your first successful pairing of your first pod with Horizon Cloud, you log in to Horizon Cloud at cloud.horizon.vmware.com to register an Active Directory domain with your Horizon Cloud environment. When the registration workflow is completed, that Active Directory domain is the first cloud-configured Active Directory domain in your Horizon Cloud customer account. The overall registration workflow is a multi-step process.

You should perform this Active Directory domain registration process immediately or shortly after cloud pairing your first pod with Horizon Cloud. A pod is cloud paired with Horizon Cloud either when pod deployment was initiated from Horizon Cloud, in the case of pods in Microsoft Azure, or initiated using the Horizon Cloud Connector, in the case of Horizon pods. The overall steps of this registration workflow are:

  1. Provide the Active Directory domain's name-related information, protocol-related information, and credentials of a domain-bind service account that Horizon Cloud can use to query that Active Directory domain. For information about what Horizon Cloud requires for that domain-bind account, see Domain Bind Account - Required Characteristics.
  2. Provide the IP address of the DNS server that you want Horizon Cloud to use to resolve machine names, the organizational unit (OU) in which you want the pod's desktop-related virtual machines (VMs) placed, and the credentials of a domain-join service account that Horizon Cloud can use to join those desktop-related VMs to the domain. Such VMs include imported VMs, farm RDSH instances, VDI desktop instances, and so on. For information about what Horizon Cloud requires for that domain-join account, see Domain Join Account - Required Characteristics.
  3. Assign the Horizon Cloud Super Administrator role to an Active Directory domain group.
Important: Review all of the following points to understand the registration workflow.
  • You must finish the entire Active Directory registration process for the first domain you are registering before you can move to other pages in the console. Main services are locked until you finish these tasks.
  • Also, due to a known issue, when connecting Horizon pods using Horizon Cloud Connector, unexpected results can occur if you do not complete this Active Directory domain registration process for the first pod before attempting to run the connector's cloud-pairing workflow for subsequent pods. Even though the cloud-pairing workflow allows you to run it for multiple pods prior to completing the first Active Directory domain registration with Horizon Cloud, if you have not yet completed the first domain registration before running that cloud-pairing process on the next pod, this domain registration process might fail. In that case, you will have to:
    1. Use the Unplug action in the Horizon Cloud Connector configuration portal to remove the connection between each of the cloud-connected pods until you are down to a single cloud-connected pod.
    2. Remove the failed registration by following the steps in Remove the Failed Active Directory Domain Registration from Horizon Cloud.
    3. Complete the first Active Directory domain registration process, related to that pod.
    4. Re-run the Horizon Cloud Connector workflow on the other pods.
  • Although in this release the domain-join account that you specify in these steps is used solely with pods in Microsoft Azure, it is still prudent to complete the domain-join account step even when your environment has only cloud-connected Horizon pods, because completing it activates the subsequent prompt to assign the Super Administrator role. Assigning that role to an Active Directory domain group is a required step for all cloud-connected pod types.
  • Distribution groups are not supported, even if they are nested under a Security group. When creating Active Directory groups, always select Security for Group type.
Important: In the Bind Username and Join Username text boxes related to the domain-bind and domain-join accounts, provide the account name itself (the user logon name without the domain name), such as ouraccountname.

Prerequisites

Ensure that the Active Directory infrastructure is synchronized to an accurate time source to prevent the domain-join account step from failing. Such a failure might require you to contact VMware Support for assistance. If the domain-bind step succeeds, but the domain-join step fails, you can try resetting the domain and then investigate whether you need to adjust the time source. To reset the domain, see the steps in Remove the Active Directory Domain Registration.

Verify that your first pod is successfully deployed. The Capacity section of the Getting Started wizard indicates whether the first pod is successfully deployed by displaying a green checkmark icon.

Important: If your first deployed pod is a Horizon pod, verify that it is running Horizon 7.7 or later.

For the required primary and auxiliary domain-bind accounts, verify you have the information for two Active Directory user accounts that adhere to the requirements described in Service Accounts That Horizon Cloud Requires for Its Operations.

Caution: To prevent accidental lockouts that would prevent you from logging in to the cloud-based console to manage your Horizon Cloud environment, you must ensure that your domain-bind accounts cannot expire, change, or be locked out. You must use this type of account configuration because the system uses the primary domain-bind account as a service account to query your Active Directory domain to verify credentials to log in to the console. If the primary domain-bind account becomes inaccessible for some reason, the system then uses the auxiliary domain-bind account. If both the primary and auxiliary domain-bind accounts expire or become inaccessible, then you will not be able to log in to the console and update the configuration to use an accessible domain-bind account.

The primary and auxiliary domain-bind accounts are always assigned the Super Administrator role, which grants all of the permissions needed to perform management actions in the console. Ensure that your specified domain-bind accounts are not accessible to users that you do not want to have Super Administrator permissions.

For the domain-join account, verify the account meets the requirements described in Service Accounts That Horizon Cloud Requires for Its Operations.
Caution:
  • If you only have one Active Directory group with the Super Administrator role assigned, do not remove that group from the Active Directory server. Doing so can cause issues with future logins.
  • When your pod fleet has any Horizon Cloud pods in Microsoft Azure that are running manifests older than 1600.0, the domain-join account must be granted the Super Administrator role. Because the roles are granted at a group level, if you have such pods and if the domain-join account you provide in the Active Directory domain registration's domain-join account step is not already in one of the Active Directory groups to which you can assign the Super Administrator role, create an Active Directory group for that account and add that group to the Super Administrator role. In that way, you can ensure the Super Administrator role can be assigned to that domain-join account when your pod fleet has pods of those older manifests.
Important: For a pod in Microsoft Azure of manifests older than 1600.0, this domain-join account must be in one of the Active Directory groups to which you grant the Super Administrator role. If the domain-join account is not in a group granted the Super Administrator role, system operations that involve joining the pod's virtual machines to the domain will fail, such as when importing base images or creating RDSH farms and virtual desktops.

Verify you have the Active Directory domain's NetBIOS name and DNS domain name. You will provide these values in the console's Register Active Directory window in the first step of this workflow. For an example of how to locate these values, see Locating the Information Required for the Horizon Cloud Register Active Directory Workflow's NETBIOS Name and DNS Domain Name Fields.

For future thinking, keep in mind that if you plan to later use the same Horizon Cloud customer account to connect other Horizon pods or deploy pods into Microsoft Azure for one unified environment, those pods will need to have line-of-sight to this same Active Directory domain at the time you connect or deploy those pods.
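As an added pre-flight check that is not part of the VMware documentation, the following PowerShell script (run from a domain-joined Windows host with the ActiveDirectory RSAT module) verifies the prerequisites listed above: it prints the NetBIOS and DNS domain names, checks that the domain-bind and domain-join accounts cannot expire or be locked out, confirms that the intended Super Administrator group is a Security group, checks the PDC emulator's time source, and tests LDAP port 389 on each domain controller. The account and group names are placeholders, and the account-expiry comparison uses AccountExpirationDate only.

```powershell
# Added example, not from the VMware documentation. Run on a domain-joined Windows
# host with the ActiveDirectory RSAT module. Names below are placeholders.
Import-Module ActiveDirectory

$BindAccounts    = @('hcs-bind-primary', 'hcs-bind-aux')   # placeholder sAMAccountNames
$JoinAccounts    = @('hcs-join-primary', 'hcs-join-aux')   # placeholder sAMAccountNames
$SuperAdminGroup = 'Horizon-Cloud-SuperAdmins'             # placeholder group name
$problems = @()

# 1. Values needed for the NETBIOS Name and DNS Domain Name fields.
$domain = Get-ADDomain
Write-Host ("NETBIOS Name   : {0}" -f $domain.NetBIOSName)
Write-Host ("DNS Domain Name: {0}" -f $domain.DNSRoot)

# 2. Domain-bind accounts: the console login depends on them, so they must be
#    enabled, not locked out, and unable to expire or be forced to change.
foreach ($name in $BindAccounts) {
    $u = Get-ADUser -Identity $name -Properties LockedOut, PasswordNeverExpires, CannotChangePassword, AccountExpirationDate
    if (-not $u.Enabled)              { $problems += "$name is disabled" }
    if ($u.LockedOut)                 { $problems += "$name is locked out" }
    if (-not $u.PasswordNeverExpires) { $problems += "$name password can expire" }
    if (-not $u.CannotChangePassword) { $problems += "$name password is allowed to change" }
    if ($u.AccountExpirationDate)     { $problems += "$name account expires on $($u.AccountExpirationDate)" }
}

# 3. Domain-join accounts: enabled and not locked out; the auxiliary account must not
#    expire at the same time as the primary (both never expiring is fine).
$expiry = @{}
foreach ($name in $JoinAccounts) {
    $u = Get-ADUser -Identity $name -Properties LockedOut, AccountExpirationDate
    if (-not $u.Enabled) { $problems += "$name is disabled" }
    if ($u.LockedOut)    { $problems += "$name is locked out" }
    $expiry[$name] = $u.AccountExpirationDate
}
$e0 = $expiry[$JoinAccounts[0]]; $e1 = $expiry[$JoinAccounts[1]]
if ($e0 -and $e1 -and ($e0 -eq $e1)) {
    $problems += "primary and auxiliary domain-join accounts expire at the same time ($e0)"
}

# 4. Only Security groups can hold the Super Administrator role.
$g = Get-ADGroup -Identity $SuperAdminGroup
if ($g.GroupCategory -ne 'Security') {
    $problems += "$SuperAdminGroup is a $($g.GroupCategory) group; Distribution groups are not supported"
}

# 5. Domain join fails if AD is not synchronised to an accurate time source; check the PDC emulator.
$status = w32tm /query /status /computer:$($domain.PDCEmulator) 2>&1
$source = ($status | Select-String '^Source:' | Select-Object -First 1).Line
Write-Host "PDC time source: $source"
if (-not $source -or $source -match 'Local CMOS Clock|Free-running') {
    $problems += "PDC emulator $($domain.PDCEmulator) is not synchronised to an external time source"
}

# 6. LDAP (TCP 389, the default port shown in the Register Active Directory window) on every DC.
foreach ($dc in Get-ADDomainController -Filter *) {
    if (-not (Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet)) {
        $problems += "LDAP port 389 is not reachable on $($dc.HostName)"
    }
}

if ($problems.Count -eq 0) { Write-Host 'All prerequisite checks passed.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Warnings printed by the script correspond to prerequisites that would cause the domain-bind step, the domain-join step, or later console logins to fail.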

Procedure

  1. Using a browser, log in to the cloud-based console at cloud.horizon.vmware.com using your preferred method.
    • In the My VMware Credentials section of the login page, enter your My VMware account's credentials. The account credentials are the primary email address, such as user@example.com, and the password that are set in the account's profile. This choice sends the authentication request to the Horizon Cloud control plane.
    • In the VMware Cloud Services section of the login page, click VMWARE CLOUD LOGIN. Clicking that button redirects the authentication request to VMware Cloud Services, to authenticate you according to your organization's configuration there. Your organization might have asked you to access their Horizon Cloud tenant using VMware Cloud Services.
    The following screenshot illustrates logging in by entering My VMware account's credentials.
    Horizon Cloud on Microsoft Azure: Screenshot of the My VMware account login screen for the initial login

    If you have not previously accepted the Horizon Cloud terms of service using those My VMware credentials, a terms of service notification box appears after you click the Login button. Accept the terms of service to continue.
    When your login is successfully authenticated, the console opens and displays the Getting Started wizard.

    If the Getting Started wizard is not displayed when you first log in, open it by clicking Settings > Getting Started.

  2. In the Getting Started wizard, expand the General Setup section if it is not already expanded.
  3. Under Active Directory, click Configure.
  4. In the Register Active Directory dialog box, provide the requested registration information.
    Important: Use Active Directory accounts that adhere to the guidelines for the primary and auxiliary domain-bind accounts as described in the prerequisites.
    NETBIOS Name:
    • When the first cloud-connected pod in your customer account is a Horizon pod, at this step, the system displays a selection menu that is populated with the names of all of the Active Directory domains that the Horizon pod can see. Select the Active Directory domain that you want to register first.
    • When the first cloud-connected pod in your customer account is a pod in Microsoft Azure, at this step, the system displays a text box. Type in the NetBIOS name for the Active Directory domain that the pod can see. Typically this name does not contain a period. For an example of how to locate the value to use from your Active Directory domain environment, see Locating the Information Required for the Horizon Cloud Register Active Directory Workflow's NETBIOS Name and DNS Domain Name Fields.
    Note: Keep in mind that if you plan to use this same Horizon Cloud customer account to connect additional Horizon pods or deploy pods into Microsoft Azure for one unified environment, those subsequent pods will need to have line-of-sight to this same Active Directory domain at the time when you connect or deploy those pods.
    DNS Domain Name:
    • When the first cloud-connected pod in your customer account is a Horizon pod, the system automatically displays the fully qualified DNS domain name for the Active Directory domain selected for NETBIOS Name.
    • When the first cloud-connected pod in your customer account is a pod in Microsoft Azure, the system displays a text box. Type in the fully qualified DNS domain name of the Active Directory domain you specified for NETBIOS Name. For an example of how to locate the value to use from your Active Directory domain environment, see Locating the Information Required for the Horizon Cloud Register Active Directory Workflow's NETBIOS Name and DNS Domain Name Fields.
    Protocol: Automatically displays LDAP, the supported protocol.
    Bind Username: User account in the domain to use as the primary LDAP bind account.
    Note: Only provide the user name itself. Do not include the domain name here.
    Bind Password: The password associated with the name in the Bind Username text box.
    Auxiliary Account #1: In the Bind Username and Bind Password fields, type a user account in the domain to use as the auxiliary LDAP bind account and its associated password.
    Note: Only provide the user name itself. Do not include the domain name here.
    You can optionally provide values for the following advanced properties.
    Port: The default is 389, the standard LDAP port. You do not need to modify this text box unless you are using a non-standard port.
    Domain Controller IP (Optional): If you want Active Directory traffic to use a specific domain controller, type the preferred domain controller IP addresses, separated by commas. If this text box is left blank, the system uses any domain controller available for this Active Directory domain.
    Context: LDAP naming context. This text box is autopopulated based on the information provided in the DNS Domain Name text box.
    The following screenshot illustrates the Register Active Directory window when your first cloud-connected pod is in Microsoft Azure. The fields have values for an example Active Directory domain with NetBIOS name of ENAUTO and DNS domain name of ENAUTO.com.
    Screenshot of the Register Active Directory window filled out with sample values.

  5. Click Domain Bind.
    When the domain-bind step succeeds, the Domain Join dialog box appears and you can continue to the next step.
    Important: If the domain-bind step fails, but you proceed to add the domain-join account and the system goes ahead to the Super Administrators role step, the registration process is not fully complete, even if the system proceeded to the next step. If this situation occurs, follow the steps in Remove the Active Directory Domain Registration and then start again with step 4.
  6. In the Domain Join dialog box, provide the required information.
    Note:
    • You must complete the required fields in this step when doing this Active Directory domain registration process regardless of pod type. Even though in this release the domain-join account is primarily used for system operations involving VMs located in pods in Microsoft Azure, completing this step ensures the next required step of granting the Super Administrator role gets completed.
    • Use an Active Directory account that adheres to the guidelines for the domain-join account described in the prerequisites.
    Primary DNS Server IP: The IP address of the primary DNS server that you want Horizon Cloud to use to resolve machine names.

    For a pod in Microsoft Azure, this DNS server must be able to resolve machine names inside of your Microsoft Azure cloud as well as resolve external names.

    Secondary DNS Server IP (Optional): IP address of a secondary DNS server.
    Default OU: Active Directory organizational unit (OU) in which you want the pod's desktop-related virtual machines placed, such as imported VMs, farm RDSH VMs, and VDI desktop instances. An OU path has the form OU=NestedOrgName,OU=RootOrgName,DC=DomainComponent. The system default is CN=Computers. You can change the default to match your needs, for example CN=myexample.
    Note: For a description of nested organization names, see Considerations For Using Nested Active Directory Domain Organizational Units. Each individual OU in the path must be 64 characters or less, not counting the OU= portion of the entry, because Microsoft limits an individual OU name to 64 characters. An OU path whose total length exceeds 64 characters is valid as long as no individual OU within it exceeds 64 characters.
    Join Username: User account in the Active Directory domain that has permissions to join computers to that Active Directory domain.
    Note: Only provide the user name itself. Do not include the domain name here.
    Join Password: The password associated with the name in the Join Username text box.
  7. (Optional) Specify an auxiliary domain-join account.
    If the primary domain-join account you specified becomes inaccessible, the system uses the auxiliary domain-join account for those operations in pods in Microsoft Azure that require joining the domain, such as importing image VMs, creating farm RDSH instances, creating VDI desktop instances, and so on.
    Note:
    • Use an Active Directory account that adheres to the same guidelines for the primary domain-join account described in the prerequisites. Ensure that this auxiliary domain-join account has a different expiration time from the primary domain-join account, unless both accounts have Never Expires set. If both the primary and auxiliary domain-join accounts expire at the same time, the system's operations for sealing images and provisioning farm RDSH VMs and VDI desktop VMs will fail.
    • You can add only one auxiliary domain-join account for each Active Directory you register with Horizon Cloud.
    • If you do not add an auxiliary domain-join account at this time, you can add one later using the console.
    • You can update or remove this account later.
    • The agent-related software on a desktop-related virtual machine — such as a sealed image, farm RDSH instance, or VDI desktop instance — must be version 18.1 or later for the system to use the auxiliary domain-join account with that virtual machine.
    Auxiliary Join Username: User account in the Active Directory domain that has permissions to join systems to that Active Directory domain.
    Important: Only provide the account name in this field (the user logon name without the domain name), such as ouraccountname. Entering slashes or at-signs will display an error.
    Auxiliary Join Password: The password associated with the name in the Auxiliary Join Username text box.
  8. Click Save.
    When the domain-join step succeeds, the Add Super Administrator dialog box appears and you can continue to the next step.
    Important: If the domain-join step fails, the registration process is not fully complete. If this situation occurs, follow the steps in Remove the Active Directory Domain Registration and then start again with step 4.
  9. In the Add Super Administrator dialog box, use the Active Directory search function to select the Active Directory administrator group you want performing management actions on your environment using this console.
    This assignment ensures that at least one of your Active Directory domain's user accounts is granted the permissions to log in to this console now that the Active Directory domain is configured for this customer account.
    Caution: After assigning this Active Directory group to the Super Administrator role, never remove the specified administrator group from your Active Directory system or change its GUID as it appears in your Active Directory system unless you have added another administrator group to this Super Administrator role, as described in Assign Roles to Active Directory Groups that Control Which Areas of the Horizon Universal Console are Activated for Individuals in Those Groups After They Authenticate to Your Horizon Cloud Tenant Environment. This Super Administrator role governs which of your AD user accounts can log in to your Horizon Cloud tenant account and perform administrative operations in the console. If you remove the group from your Active Directory system or change its GUID in your Active Directory system, that change will not be communicated to the Horizon Cloud control plane, and Horizon Cloud's knowledge of that AD group having the Super Administrator role will be broken. If that group is the only group assigned to this Super Administrator role, none of your AD accounts that used to have Super Administrator access will be able to log in to your Horizon Cloud tenant account with the access to perform administrative operations. At that point, only the credentials of the domain-bind account and auxiliary domain-bind account can be used to log in and add groups to the Super Administrator role.
  10. Click Save.
    When you click Save, the system returns you to the login screen. Now that the Active Directory domain is registered, the system requires you to log back in, to enforce use of an Active Directory account along with the My VMware credentials. For example, this time you log in with your My VMware account and then with the Active Directory account credentials of a user that is in the Active Directory group to which you just assigned the Super Administrator role.
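The Default OU, Bind Username and Join Username fields in steps 4, 6 and 7 above each have a format rule the console enforces (per-OU 64-character limit; bare logon name with no domain prefix or suffix). The following PowerShell functions, an added example that is not part of the VMware documentation, check candidate values against those rules before you type them in; the sample values are constructed.

```powershell
# Added example, not from the VMware documentation: validates Default OU paths and
# service-account names against the rules described for the Domain Join dialog.
function Test-HorizonOuPath {
    param([Parameter(Mandatory)][string]$OuPath)
    $errors = @()
    # Split the DN into RDNs on commas that are not escaped with a backslash; trim surrounding spaces.
    $rdns = ($OuPath -split '(?<!\\),') | ForEach-Object { $_.Trim() }
    foreach ($rdn in $rdns) {
        if ($rdn -match '^(?<type>OU|CN|DC)=(?<value>.+)$') {
            # Microsoft limits each OU name to 64 characters; the OU= prefix does not count.
            if ($Matches.type -eq 'OU' -and $Matches.value.Length -gt 64) {
                $errors += "OU '$($Matches.value)' is $($Matches.value.Length) characters; maximum is 64"
            }
        } else {
            $errors += "'$rdn' is not of the form OU=..., CN=..., or DC=..."
        }
    }
    return [pscustomobject]@{ Path = $OuPath; Valid = ($errors.Count -eq 0); Errors = $errors }
}

function Test-HorizonServiceAccountName {
    param([Parameter(Mandatory)][string]$Name)
    # The console wants the bare logon name: no DOMAIN\ prefix, no @domain suffix, no slashes.
    return ($Name.Length -gt 0) -and ($Name -notmatch '[\\@/]')
}

# Constructed sample values: the documented default, a valid nested path (total length
# over 64 but no single OU over 64), an OU of 65 characters, and a malformed RDN.
$samples = @(
    'CN=Computers',
    'OU=Horizon Desktops,OU=Workstations,OU=Corporate Devices,DC=enauto,DC=com',
    ('OU=' + ('x' * 65) + ',DC=enauto,DC=com'),
    'Horizon Desktops,DC=enauto,DC=com'
)
foreach ($s in $samples) {
    $r = Test-HorizonOuPath -OuPath $s
    Write-Host ("{0,-5} {1}" -f $(if ($r.Valid) { 'OK' } else { 'FAIL' }), $r.Path)
    $r.Errors | ForEach-Object { Write-Host "      $_" }
}
foreach ($n in 'ouraccountname', 'ENAUTO\ouraccountname', 'ouraccountname@enauto.com') {
    Write-Host ("{0,-5} {1}" -f $(if (Test-HorizonServiceAccountName $n) { 'OK' } else { 'FAIL' }), $n)
}
```

Only the first two OU samples and the first account name pass; the others reproduce the conditions the console rejects.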

Results

The following items are now in place:
  • The Active Directory domain is configured in the cloud plane as the first cloud-configured Active Directory domain associated with this Horizon Cloud customer account.
  • For a pod in Microsoft Azure, Horizon Cloud has the necessary domain-join account needed for those system operations involving joining desktop-related virtual machines to that domain.
  • Management activities in the console are now accessible.
  • The login flow as you log in to the console is changed, now that the Horizon Cloud tenant has its first registered Active Directory domain. For an overview of the login flow, see About Authentication to a Horizon Cloud Tenant Environment.
  • Users in the group to which you granted the Super Administrator role will be able to access the console and perform management activities when they log in using the associated My VMware account. To enable those administrators to use their own My VMware account credentials to authenticate with Horizon Cloud, complete the steps described in Give Administrative Roles to Individuals in Your Organization for Logging In To and Performing Actions in Your Horizon Cloud Tenant Environment Using the Horizon Universal Console.
  • User accounts from the registered Active Directory domain can be selected for assignments involving resources from pods in Microsoft Azure.
  • The console's help desk features can be used with user accounts from that registered Active Directory domain.

What to do next

From this point, you typically perform the following tasks: