
© 2015 Citrix Systems, Inc. All rights reserved.

App Orchestration 2.6

Deploying App Orchestration 2.6 in a Complex Active Directory Environment

Last Updated: July 25, 2014


Contents

Overview
  Resources
  Tenants
  Offerings
  App Orchestration and domains
Scenarios
  Single domain
  Two domains (other resource domain)
  Two domains (other user domain)
  Three domains
Requirements
  Domain requirements
  SSL requirements
Task 1: Preconfigure environmental settings
Task 2: Import a domain into App Orchestration
Task 3: Configure the Virtual Delivery Agent


Overview

App Orchestration enables you to rapidly deploy multiple XenDesktop environments without having to manually configure Delivery Controllers, Session Machines, Virtual Delivery Agents (VDAs), and connections. You can even create App Orchestration environments that will deploy XenDesktop in complex Microsoft Active Directory environments with multiple domains or forests. Some of the steps to do this in App Orchestration are automated, but there are additional settings that you must configure manually. This document provides a step-by-step guide to setting up and configuring App Orchestration 2.6 in a complex multi-domain or multi-forest environment.

Important: This document applies only to App Orchestration 2.6, XenApp 7.6 and XenDesktop 7.6, and XenApp 6.5. Other versions of App Orchestration and XenDesktop are not covered.

Deploying a comprehensive environment with the desktops and applications necessary to meet the needs of your organization can be complicated. App Orchestration simplifies the processes of installing and deploying server and client operating systems, configuring network settings, and adding other domains.

App Orchestration can use resources from various environments, which makes it easier to integrate elements such as users, servers, and desktop applications. This enables you to manage multiple environments through a single interface without compromising security, keeping logical separation between the environments.

Note: App Orchestration 2.6 now offers a Zero Trust Agent. The Zero Trust Agent allows the App Orchestration configuration server to orchestrate resources in a domain to which it cannot directly connect or where configuring Active Directory trusts between the App Orchestration domain and the target orchestrated domain is not allowed. For more information, see the document Deploying the Zero Trust Agent in App Orchestration 2.6.

Resources

App Orchestration coordinates the provisioning and configuration of resources by leveraging the underlying Citrix technology and combining the advanced functionality of products such as XenDesktop, XenApp, StoreFront, and XenServer. App Orchestration manages these technologies as resources.

Figure 1: Resources that App Orchestration manages


Tenants

In App Orchestration, tenants subscribe to your offerings and, in turn, make them available so that their users can consume the resources to which they have access. A tenant is identified by one or more Active Directory groups. Tenants are associated to resources and users from the domains specified in the App Orchestration configuration.

A tenant is defined by two configurations: the resource domain and the user domain. You can set up the tenant association to the resource domain so that the tenant is configured to use or receive access to resources in either the global shared resource domain or a different domain. The tenant association to the user domain determines whether the tenant can host users from the global shared resource domain, a separate resource domain, or a separate user domain.

The OU, network, domain, and a tenant’s users must all exist in Active Directory before you add the tenant.

Offerings

In App Orchestration, offerings are used to provide desktops and applications for tenants’ users. You can design offerings to be shared between tenants in a shared resource domain. You can also configure private offerings for individual tenants, providing a level of security in the offering.

When you create an offering, you can share it among users. The offering is mapped to the resources based on the isolation mode and can be shared or private. In the case of shared offerings, the users of all the tenants assigned to the offering have access to all resources providing the desktops and applications for that offering. If the offering is private, then the resources used for that offering are dedicated to that tenant’s users only, thereby isolating access to those resources and maintaining a level of security. The following isolation modes are available in App Orchestration.

Shared delivery group:
o Multiple tenants access the offering on the same Session Machines
o Multiple tenants access the offering using the same Delivery Controllers
o Sufficient capacity to accommodate the number of tenants is required

Private delivery group:
o Each tenant accesses the offering using dedicated Session Machines
o Multiple tenants access the offering using the same Delivery Controllers

Private delivery site:
o Each tenant accesses the offering using dedicated Session Machines and Delivery Controllers

Offerings created in multi-domain or multi-forest environments function in the same way as in single-domain environments, although certain configurations are required. Because of the complexity of maintaining multiple domains or forests, the appropriate configuration of DNS, security, and App Orchestration-specific settings is essential.


App Orchestration and domains

In App Orchestration, there are four types of domains that can be used in various configurations. Each option can be tailored to the needs of the users and the environment, whether the configuration calls for a single domain with multiple resources or multiple domains with resources contained in other locations.

Domain type: Global shared resource domain (default)
Description:
o Contains the App Orchestration configuration server
o Resources can be shared across domains
o Default App Orchestration configuration
o Commonly used for single-domain configurations
o Simplest configuration

Domain type: Resource domain
Description:
o Deployed when using resources from another domain
o Commonly used in environments where resources are geographically and logically separated
o Medium complexity configuration

Domain type: User domain
Description:
o Deployed when users are located in other domains
o Commonly used in environments with sub-domains or multiple domains
o Medium complexity configuration

Domain type: Resource + user domain
Description:
o Deployed when providing resources in environments with multiple domains where users and resources are in different locations
o Commonly used in environments where both users and resources are geographically and logically separated
o Also often used when managing multiple domains and environments from a single location


Scenarios

Single domain

This commonly used configuration maintains the users and resources in the same domain, thereby eliminating the need for trusts or Secure Sockets Layer (SSL) configurations. Such deployments are often used by companies with a single domain infrastructure where users and resources are located in a single geographic and logical region.

Figure 2: Users and resources in a single domain


Two domains (other resource domain)

In a two domain scenario, App Orchestration manages users and resources in separate domains, one of which is the global shared resource domain. One option is for the App Orchestration configuration server to import dedicated resources, such as Delivery Controllers, virtual desktops, and StoreFront servers, for each tenant from specific domains. Meanwhile, all user accounts reside in the global shared resource domain. This configuration is useful when users need access to multiple distinct groups of resources, such as geographically dispersed datacenters.

Figure 3: Users in a shared domain, resources in other domain

Two domains (other user domain)

An alternative two domain scenario sees resources shared between multiple tenants through the global shared resource domain while the App Orchestration configuration server imports users from other domains. This configuration enables the administrator to provide shared offerings to multiple tenants, such as different divisions within a single company or the customers of a service provider.

Figure 4: Resources in shared domain, users in other domain


Three domains

In the three domain scenario, the App Orchestration configuration server can import both resources and users from other domains. This configuration gives maximum flexibility to provide both shared and private offerings in situations where both users and resources are subdivided into multiple distinct groups. An example of where this deployment mode might be appropriate is centralization of resource and user management for a company with multiple geographically dispersed datacenters and offices.

Figure 5: Users and resources in other domains


Requirements

Domain requirements

In a multi-forest Active Directory environment where one-way or two-way trusts are in place, you can use DNS forwarders for name lookup and registration between the forests. When the appropriate DNS forwarders are in place between the forests, reverse DNS zones are not necessary.

If the VDA and Delivery Controller are in separate forests, regardless of any differences in the Active Directory and NetBIOS names, you must create the HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\SupportMultipleForest registry key on the VDA.

You might need reverse DNS configuration if your DNS namespace is different from that of Active Directory.

If external trusts are in place, you must also create the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\ListOfSIDs on the VDA and set the value to the security identifier (SID) of the Delivery Controllers. Additionally, modify the brokeragentconfig.exe.config file on the VDA to allow Microsoft NT LAN Manager (NTLM) authentication.

App Orchestration supports all the trust types supported by XenDesktop. For a complete and up-to-date list of supported trust types and other requirements for multi-forest XenDesktop deployments, see http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-plan-multiple-forest.html.

SSL requirements

The SSL protocol is used to secure traffic between the App Orchestration configuration server and other servers in your deployment. In single-domain environments, a server certificate signed by your domain certificate authority must be installed on the configuration server to enable communication with the agents on the various machines in an App Orchestration deployment. In multi-domain environments, an SSL certificate from the trusted domain must be present in the trusting domain to enable App Orchestration configuration across domains.

Task 1: Preconfigure environmental settings

1. After setting up the App Orchestration configuration environment, configure either two-way transitive or external transitive trust between the primary and secondary forests.

2. Ensure that DNS resolution is in place between the primary and secondary forests.


3. In the secondary forest, add an OU that resembles the OU structure in the primary forest.

4. Delegate security in the secondary forest so that the App Orchestration administrator account can create machine accounts in that forest:

a. On the Windows Start screen or Apps screen, locate and click the Administrative Tools tile and then click Active Directory Users and Computers.

b. Right-click the OU to which you want to delegate access and select Delegate Control. The Welcome page of the Delegation of Control wizard appears. Click Next.

c. On the Users or Groups page, click Add, click Locations, and then select the domain containing the administrator account. Enter the user name for the administrator account, click OK, and then click Next.

d. On the Tasks to Delegate page, select Create a custom task to delegate and click Next.


e. On the Active Directory Object Type page, click Only the following objects in the folder. Select the Computer objects and Create selected objects in this folder check boxes and then click Next.

5. On the Permissions page, select the following settings:

Under Show these permissions, select General and Property-specific
Under Permissions, select Read and Write

Click Next and then click Finish.


6. Add the orchestration service account or group to the local administrators group on the local VDA machine that you plan to add to the machine catalog:

a. On the Windows Apps screen, locate and click the Control Panel tile and click System and Security > Administrative Tools > Computer Management.

b. In the left pane of the console, click Local Users and Groups > Groups. In the results pane, right-click the Administrators group and select Properties.

c. In the Administrators Properties dialog box, click Add, click Locations, and then select the domain containing the service account or group. Enter the account user name or group name. Click OK and then click OK again.
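The Task 1 steps above, scripted as an added PowerShell example; this is not Citrix's code. The forest names, OU, and accounts are constructed placeholders, the trust and DNS checks assume the ActiveDirectory and DnsClient modules on a domain-joined host in the secondary forest, and the delegation grants only what the wizard steps 4 and 5 grant (create Computer objects in the OU, plus Read and Write on the computer objects beneath it).

```powershell
# Added example (not Citrix's code). Run in an elevated PowerShell session on a
# management host in the secondary forest. All names below are placeholders.
Import-Module ActiveDirectory

$primaryForest   = 'users.example'                                  # placeholder
$secondaryForest = 'resources.example'                              # placeholder
$targetOu        = 'OU=AppOrchestration,DC=resources,DC=example'    # placeholder (step 3)
$aoAdmin         = 'USERS\ao-admin'                                 # placeholder (step 4)
$serviceAccount  = 'USERS\ao-service'                               # placeholder (step 6)

# Steps 1-2: confirm the trust and DNS resolution exist before delegating
# anything, so a half-configured secondary forest is never left behind.
$trusts = Get-ADTrust -Filter * -ErrorAction Stop
if (-not ($trusts | Where-Object { $_.Name -eq $primaryForest })) {
    throw "No trust from $secondaryForest to $primaryForest; configure it first (step 1)."
}
foreach ($name in $primaryForest, $secondaryForest) {
    if (-not (Resolve-DnsName -Name $name -ErrorAction SilentlyContinue)) {
        throw "DNS resolution for $name failed; check the DNS forwarders (step 2)."
    }
}

# Steps 4-5: least-privilege delegation on the OU. The GUID is the schemaIDGUID of
# the 'computer' class, so the rights apply to computer objects only.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$sid = (New-Object System.Security.Principal.NTAccount($aoAdmin)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$targetOu"

# "Create selected objects in this folder": CreateChild of class computer, this OU only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# "Read and Write" on the computer objects that will be created beneath the OU
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $readWrite, [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerClass)))
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Verification: list only the ACEs that now reference the orchestration admin.
(Get-Acl -Path "AD:\$targetOu").Access | Where-Object { $_.IdentityReference -eq $aoAdmin }

# Step 6: run this line on each VDA that will join the catalog (not on the
# management host). net.exe is present on every supported Windows version.
net localgroup Administrators $serviceAccount /add
```

The verification line should show exactly two ACEs for the account; any broader rights (for example GenericAll on the OU) mean the delegation was wider than the wizard steps describe.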


Task 2: Import a domain into App Orchestration

1. Log on to the App Orchestration web console and, on the Home page, click Define > Domains and then click Add Domain. Enter the required information, and then click Save.

2. Add Session Machines from the secondary forest:

a. Click Design > Session Machine Catalog.

b. Select the catalog you want to use and click Add Machines. Enter the required information, making sure to specify the FQDN for your Session Machines. Click Next and then click Save.


Task 3: Configure the Virtual Delivery Agent

Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

1. On the VDA, launch the Registry Editor and perform the following actions:

a. Create a registry key with the REG_DWORD value type at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\SupportMultipleForest. Set the value of the new key to 1.

b. Restart the Citrix Desktop Service.

If using external trusts, on the VDA, create another registry key with the REG_SZ value type at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\ListOfSIDs. Set the value of the new key to the SID of the Delivery Controllers.

Note: You can obtain your domain SID using the Citrix XDPing tool, which can be downloaded from http://support.citrix.com/article/CTX123278.


2. If external trusts are in place, on the VDA, use a text editor to open the brokeragentconfig.exe.config file, which is typically located in the C:\Program Files\Citrix\Virtual Desktop Agent\ directory. Back up the file and then locate the following setting:

allowNtlm="false"

3. Change the value of the allowNtlm setting to true, then save and close the file.

4. Restart the Citrix Desktop Service to apply your changes to both the registry and the brokeragentconfig.exe.config file.

Note: These registry settings and the file modification can also be deployed through Group Policy.

5. Create some subscriptions and test the connectivity of your App Orchestration environment.
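Task 3 as an added PowerShell example (not Citrix's code), run elevated on the VDA. The Delivery Controller SID is a placeholder to replace with the value obtained as the Note above describes, and the config file path is the typical location the step 2 text gives; the NTLM change is applied only when the external-trust switch is set, as the steps specify.

```powershell
# Added example (not Citrix's code). Run elevated on the VDA.
$vdaKey        = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
$externalTrust = $true                      # $false when the forests use a transitive trust
$controllerSid = 'S-1-5-21-PLACEHOLDER'     # placeholder: SID of the Delivery Controllers
$configFile    = 'C:\Program Files\Citrix\Virtual Desktop Agent\brokeragentconfig.exe.config'

# Step 1a: SupportMultipleForest = 1 (REG_DWORD). Create the key if it is absent.
if (-not (Test-Path -Path $vdaKey)) { New-Item -Path $vdaKey -Force | Out-Null }
New-ItemProperty -Path $vdaKey -Name 'SupportMultipleForest' -PropertyType DWord `
    -Value 1 -Force | Out-Null

if ($externalTrust) {
    # Step 1 (external trusts): ListOfSIDs = controller SID (REG_SZ)
    New-ItemProperty -Path $vdaKey -Name 'ListOfSIDs' -PropertyType String `
        -Value $controllerSid -Force | Out-Null

    # Steps 2-3: back up the file, then change allowNtlm="false" to "true".
    # Fail loudly if the setting is not where the step expects it, rather than
    # silently rewriting nothing.
    Copy-Item -Path $configFile -Destination "$configFile.bak" -Force
    $xml = Get-Content -Path $configFile -Raw
    if ($xml -notmatch 'allowNtlm="false"') {
        throw "allowNtlm=""false"" not found in $configFile; inspect the file before editing."
    }
    Set-Content -Path $configFile -Encoding UTF8 `
        -Value ($xml -replace 'allowNtlm="false"', 'allowNtlm="true"')
}

# Step 4: restart the Citrix Desktop Service so both the registry and file changes apply.
Get-Service -DisplayName 'Citrix Desktop Service' | Restart-Service -Force

# Verification: what the agent will actually read at startup.
Get-ItemProperty -Path $vdaKey | Select-Object SupportMultipleForest, ListOfSIDs
Select-String -Path $configFile -Pattern 'allowNtlm'
```

Keep allowNtlm at "false" on VDAs that are not behind an external trust; the steps call for the change only in that case, and the verification lines make it easy to audit which VDAs carry it.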