© 2015 Citrix Systems, Inc. All rights reserved.
App Orchestration 2.6
Deploying App Orchestration 2.6 in a Complex Active Directory Environment
Last Updated: July 25, 2014
Contents
Overview (page 3)
Resources (page 3)
Tenants (page 4)
Offerings (page 4)
App Orchestration and domains (page 5)
Scenarios (page 6)
Single domain (page 6)
Two domains (other resource domain) (page 7)
Two domains (other user domain) (page 7)
Three domains (page 8)
Requirements (page 9)
Domain requirements (page 9)
SSL requirements (page 9)
Task 1: Preconfigure environmental settings (page 9)
Task 2: Import a domain into App Orchestration (page 13)
Task 3: Configure the Virtual Delivery Agent (page 14)
Overview
App Orchestration enables you to rapidly deploy multiple XenDesktop environments without having to manually
configure Delivery Controllers, Session Machines, Virtual Delivery Agents (VDAs), and connections. You can
even create App Orchestration environments that will deploy XenDesktop in complex Microsoft Active Directory
environments with multiple domains or forests. Some of the steps to do this in App Orchestration are
automated, but there are additional settings that you must configure manually. This document provides a
step-by-step guide to setting up and configuring App Orchestration 2.6 in a complex multi-domain or
multi-forest environment.
Important: This document applies only to App Orchestration 2.6, XenApp 7.6 and XenDesktop 7.6, and XenApp 6.5.
Other versions of App Orchestration and XenDesktop are not covered.
Deploying a comprehensive environment with the desktops and applications necessary to meet the needs of
your organization can be complicated. App Orchestration simplifies the processes of installing and deploying
server and client operating systems, configuring network settings, and adding other domains.
App Orchestration can use resources from various environments, which makes it easier to integrate elements
such as users, servers, and desktop applications. This enables you to manage multiple environments through
a single interface without compromising security, keeping logical separation between the environments.
Note: App Orchestration 2.6 now offers a Zero Trust Agent. The Zero Trust Agent allows the App Orchestration
configuration server to orchestrate resources in a domain to which it cannot directly connect or where configuring
Active Directory trusts between the App Orchestration domain and the target orchestrated domain is not allowed. For
more information, see the document Deploying the Zero Trust Agent in App Orchestration 2.6.
Resources
App Orchestration coordinates the provisioning and configuration of resources by leveraging the underlying
Citrix technology and combining the advanced functionality of products such as XenDesktop, XenApp,
StoreFront, and XenServer. App Orchestration manages these technologies as resources.
Figure 1: Resources that App Orchestration manages
Tenants
In App Orchestration, tenants subscribe to your offerings and, in turn, make them available so that their users
can consume the resources to which they have access. A tenant is identified by one or more Active Directory
groups. Tenants are associated to resources and users from the domains specified in the App Orchestration
configuration.
A tenant is defined by two configurations: the resource domain and the user domain. You can set up the tenant
association to the resource domain so that the tenant is configured to use or receive access to resources in
either the global shared resource domain or a different domain. The tenant association to the user domain
determines whether the tenant can host users from the global shared resource domain, a separate resource
domain, or a separate user domain.
The OU, network, domain, and a tenant’s users must all exist in Active Directory before you add the tenant.
Offerings
In App Orchestration, offerings are used to provide desktops and applications for tenants’ users. You can
design offerings to be shared between tenants in a shared resource domain. You can also configure private
offerings for individual tenants, providing a level of security in the offering.
When you create an offering, you can share it among users. The offering is mapped to the resources based on
the isolation mode and can be shared or private. In the case of shared offerings, the users of all the tenants
assigned to the offering have access to all resources providing the desktops and applications for that offering.
If the offering is private, then the resources used for that offering are dedicated to that tenant’s users only,
thereby isolating access to those resources and maintaining a level of security. The following isolation modes
are available in App Orchestration.
Shared delivery group:
o Multiple tenants access the offering on the same Session Machines
o Multiple tenants access the offering using the same Delivery Controllers
o Sufficient capacity to accommodate the number of tenants is required
Private delivery group:
o Each tenant accesses the offering using dedicated Session Machines
o Multiple tenants access the offering using the same Delivery Controllers
Private delivery site:
o Each tenant accesses the offering using dedicated Session Machines and Delivery Controllers
Offerings created in multi-domain or multi-forest environments function in the same way as in single-domain
environments, although certain configurations are required. Because of the complexity of maintaining multiple
domains or forests, the appropriate configuration of DNS, security, and App Orchestration-specific settings is
essential.
App Orchestration and domains
In App Orchestration, there are four types of domains that can be used in various configurations. Each option
can be tailored to the needs of the users and the environment, whether the configuration calls for a single
domain with multiple resources or multiple domains with resources contained in other locations.
Domain type: Global shared resource domain (default)
o Contains the App Orchestration configuration server
o Resources can be shared across domains
o Default App Orchestration configuration
o Commonly used for single-domain configurations
o Simplest configuration
Domain type: Resource domain
o Deployed when using resources from another domain
o Commonly used in environments where resources are geographically and logically separated
o Medium complexity configuration
Domain type: User domain
o Deployed when users are located in other domains
o Commonly used in environments with sub-domains or multiple domains
o Medium complexity configuration
Domain type: Resource + user domain
o Deployed when providing resources in environments with multiple domains where users and resources are in
different locations
o Commonly used in environments where both users and resources are geographically and logically separated
o Also often used when managing multiple domains and environments from a single location
Scenarios
Single domain
This commonly used configuration maintains the users and resources in the same domain, thereby eliminating
the need for trusts or Secure Sockets Layer (SSL) configurations. Such deployments are often used by
companies with a single domain infrastructure where users and resources are located in a single geographic
and logical region.
Figure 2: Users and resources in a single domain
Two domains (other resource domain)
In a two domain scenario, App Orchestration manages users and resources in separate domains, one of which
is the global shared resource domain. One option is for the App Orchestration configuration server to import
dedicated resources, such as Delivery Controllers, virtual desktops, and StoreFront servers, for each tenant
from specific domains. Meanwhile, all user accounts reside in the global shared resource domain. This
configuration is useful when users need access to multiple distinct groups of resources, such as geographically
dispersed datacenters.
Figure 3: Users in a shared domain, resources in other domain
Two domains (other user domain)
An alternative two domain scenario sees resources shared between multiple tenants through the global shared
resource domain while the App Orchestration configuration server imports users from other domains. This
configuration enables the administrator to provide shared offerings to multiple tenants, such as different
divisions within a single company or the customers of a service provider.
Figure 4: Resources in shared domain, users in other domain
Three domains
In the three domain scenario, the App Orchestration configuration server can import both resources and users
from other domains. This configuration gives maximum flexibility to provide both shared and private offerings in
situations where both users and resources are subdivided into multiple distinct groups. An example of where
this deployment mode might be appropriate is centralization of resource and user management for a company
with multiple geographically dispersed datacenters and offices.
Figure 5: Users and resources in other domains
Requirements
Domain requirements
In a multi-forest Active Directory environment where one-way or two-way trusts are in place, you can use DNS
forwarders for name lookup and registration between the forests. When the appropriate DNS forwarders are in
place between the forests, reverse DNS zones are not necessary.
If the VDA and Delivery Controller are in separate forests, regardless of any differences in the Active Directory
and NetBIOS names, you must create the
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\SupportMultipleForest registry key on the VDA.
You might need reverse DNS configuration if your DNS namespace is different from that of Active Directory.
If external trusts are in place, you must also create the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\ListOfSIDs on the VDA and set the value to
the security identifier (SID) of the Delivery Controllers. Additionally, modify the brokeragentconfig.exe.config
file on the VDA to allow Microsoft NT LAN Manager (NTLM) authentication.
App Orchestration supports all the trust types supported by XenDesktop. For a complete and up-to-date list of
supported trust types and other requirements for multi-forest XenDesktop deployments, see
http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-plan-multiple-forest.html.
SSL requirements
The SSL protocol is used to secure traffic between the App Orchestration configuration server and other
servers in your deployment. In single-domain environments, a server certificate signed by your domain
certificate authority must be installed on the configuration server to enable communication with the agents on
the various machines in an App Orchestration deployment. In multi-domain environments, an SSL certificate
from the trusted domain must be present in the trusting domain to enable App Orchestration configuration
across domains.
Task 1: Preconfigure environmental settings
1. After setting up the App Orchestration configuration environment, configure either two-way transitive or
external transitive trust between the primary and secondary forests.
2. Ensure that DNS resolution is in place between the primary and secondary forests.
3. In the secondary forest, add an OU that resembles the OU structure in the primary forest.
4. Delegate security in the secondary forest so that the App Orchestration administrator account can create
machine accounts in that forest:
a. On the Windows Start screen or Apps screen, locate and click the Administrative Tools tile and then
click Active Directory Users and Computers.
b. Right-click the OU to which you want to delegate access and select Delegate Control. The Welcome
page of the Delegation of Control wizard appears. Click Next.
c. On the Users or Groups page, click Add, click Locations, and then select the domain containing the
administrator account. Enter the user name for the administrator account, click OK, and then click Next.
d. On the Tasks to Delegate page, select Create a custom task to delegate and click Next.
e. On the Active Directory Object Type page, click Only the following objects in the folder. Select the
Computer objects and Create selected objects in this folder check boxes and then click Next.
5. On the Permissions page, select the following settings:
o Under Show these permissions, select General and Property-specific
o Under Permissions, select Read and Write
Click Next and then click Finish.
6. Add the orchestration service account or group to the local administrators group on the local VDA machine
that you plan to add to the machine catalog:
a. On the Windows Apps screen, locate and click the Control Panel tile and click System and Security >
Administrative Tools > Computer Management.
b. In the left pane of the console, click Local Users and Groups > Groups. In the results pane, right-click
the Administrators group and select Properties.
c. In the Administrators Properties dialog box, click Add, click Locations, and then select the domain
containing the service account or group. Enter the account user name or group name.
Click OK and then click OK again.
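The following PowerShell script is an added example, not part of the Citrix document: it performs read-only preflight checks for each step of Task 1 (trust, DNS, mirrored OU, delegated rights, local Administrators membership). It assumes the RSAT ActiveDirectory module is installed; the forest names, OU path and service account are placeholders, and the step 6 check only makes sense when run on the VDA itself.

```powershell
# Added example, not part of the Citrix document: read-only preflight checks for Task 1.
# Assumes the RSAT ActiveDirectory module; the forest names, OU path and account below
# are placeholders. Run the step 6 check on the VDA itself.
param(
    [string]$PrimaryForest   = 'primary.example',                  # forest with the configuration server
    [string]$SecondaryForest = 'secondary.example',                # forest being imported
    [string]$SecondaryOU     = 'OU=AppOrchestration,DC=secondary,DC=example',
    [string]$OrchAccount     = 'PRIMARY\svc-apporch'               # orchestration service account
)
Import-Module ActiveDirectory
$computerClassGuid = 'bf967a86-0de6-11d0-a285-00aa003049e2'   # schema GUID of the computer object class

# Step 1: a two-way or external trust towards the secondary forest must exist.
$trust = Get-ADTrust -Filter "Target -eq '$SecondaryForest'"
if ($trust) {
    "Trust to {0}: direction={1} type={2} forestTransitive={3}" -f `
        $trust.Target, $trust.Direction, $trust.TrustType, $trust.ForestTransitive
} else {
    Write-Warning "No trust to $SecondaryForest is defined in this domain"
}

# Step 2: DNS resolution must work for both forests (forwarders, not reverse zones, are needed).
foreach ($name in $PrimaryForest, $SecondaryForest) {
    try   { "DNS $name -> " + ((Resolve-DnsName -Name $name -Type A -ErrorAction Stop).IPAddress -join ', ') }
    catch { Write-Warning "DNS lookup failed for $name" }
}

# Step 3: the mirrored OU must already exist in the secondary forest.
try {
    $ou = Get-ADObject -Identity $SecondaryOU -Server $SecondaryForest -Properties nTSecurityDescriptor -ErrorAction Stop
    "OU present: $($ou.DistinguishedName)"

    # Steps 4-5: the delegation shows up as ACEs on the OU granting the account CreateChild
    # for computer objects (plus the Read/Write property rights selected in the wizard).
    $aces = $ou.nTSecurityDescriptor.Access | Where-Object { $_.IdentityReference -like "*$($OrchAccount.Split('\')[-1])" }
    if (-not $aces) { Write-Warning "No ACEs for $OrchAccount on $SecondaryOU" }
    $canCreate = $aces | Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and $_.ObjectType -eq $computerClassGuid }
    if ($canCreate) { "$OrchAccount may create computer objects in $SecondaryOU" }
    else            { Write-Warning "$OrchAccount lacks 'Create Computer objects' on $SecondaryOU" }
} catch {
    Write-Warning "OU $SecondaryOU not found in $SecondaryForest : $($_.Exception.Message)"
}

# Step 6: the orchestration account or group must be a local administrator on the VDA.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    if (Get-LocalGroupMember -Group Administrators | Where-Object Name -eq $OrchAccount) { "$OrchAccount is in local Administrators" }
    else { Write-Warning "$OrchAccount is not in the local Administrators group" }
}
```

Each warning points at the Task 1 step that still needs attention; a clean run means the domain can be imported in Task 2.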
Task 2: Import a domain into App Orchestration
1. Log on to the App Orchestration web console and, on the Home page, click Define > Domains and then
click Add Domain. Enter the required information, and then click Save.
2. Add Session Machines from the secondary forest:
a. Click Design > Session Machine Catalog.
b. Select the catalog you want to use and click Add Machines. Enter the required information, making
sure to specify the FQDN for your Session Machines. Click Next and then click Save.
Task 3: Configure the Virtual Delivery Agent
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating
system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use
Registry Editor at your own risk. Be sure to back up the registry before you edit it.
1. On the VDA, launch the Registry Editor and perform the following actions:
a. Create a registry key with the REG_DWORD value type at
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\SupportMultipleForest. Set the
value of the new key to 1.
b. Restart the Citrix Desktop Service.
If using external trusts, on the VDA, create another registry key with the REG_SZ value type at
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\VirtualDesktopAgent\ListOfSIDs. Set the value of the new
key to the SID of the Delivery Controllers.
Note: You can obtain your domain SID using the Citrix XDPing tool, which can be downloaded from
http://support.citrix.com/article/CTX123278.
2. If external trusts are in place, on the VDA, use a text editor to open the brokeragentconfig.exe.config file,
which is typically located in the C:\Program Files\Citrix\Virtual Desktop Agent\ directory. Back up the file
and then locate the following setting:
allowNtlm="false"
3. Change the value of the allowNtlm setting to true, then save and close the file.
4. Restart the Citrix Desktop Service to apply your changes to both the registry and the
brokeragentconfig.exe.config file.
Note: These registry settings and the file modification can also be deployed through Group Policy.
5. Create some subscriptions and test the connectivity of your App Orchestration environment.
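The following PowerShell script is an added example, not part of the Citrix document: it applies the Task 3 registry values and, for external trusts, the allowNtlm change, restarts the Citrix Desktop Service, and reads the effective settings back. It assumes it is run elevated on the VDA; the SID and the config-file path are placeholders to be replaced with the Delivery Controllers' SID (the domain SID the Note above obtains with XDPing) and your own VDA installation path.

```powershell
# Added example, not part of the Citrix document: applies and reads back the Task 3 VDA
# settings. Run elevated on the VDA. The SID and the config-file path are placeholders;
# use the Delivery Controllers' SID (the domain SID the Note above obtains with XDPing)
# and the path of your own VDA installation.
param(
    [switch]$ExternalTrust,          # ListOfSIDs and allowNtlm are needed only with external trusts
    [string]$ControllerSid = 'S-1-5-21-REPLACE-WITH-CONTROLLER-DOMAIN-SID',
    [string]$ConfigFile    = 'C:\Program Files\Citrix\Virtual Desktop Agent\brokeragentconfig.exe.config'
)
$key = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Step 1a: SupportMultipleForest (REG_DWORD) = 1
New-ItemProperty -Path $key -Name SupportMultipleForest -PropertyType DWord -Value 1 -Force | Out-Null

if ($ExternalTrust) {
    # Step 1 (external trusts): ListOfSIDs (REG_SZ) = SID of the Delivery Controllers
    New-ItemProperty -Path $key -Name ListOfSIDs -PropertyType String -Value $ControllerSid -Force | Out-Null

    # Steps 2-3: back up brokeragentconfig.exe.config, then change allowNtlm="false" to "true"
    Copy-Item -Path $ConfigFile -Destination "$ConfigFile.bak" -Force
    $text = Get-Content -Path $ConfigFile -Raw
    if ($text -notmatch 'allowNtlm="(true|false)"') { throw "allowNtlm setting not found in $ConfigFile" }
    Set-Content -Path $ConfigFile -Value ($text -replace 'allowNtlm="false"', 'allowNtlm="true"')
}

# Step 4: restart the Citrix Desktop Service so it reads the new registry and file settings
Restart-Service -DisplayName 'Citrix Desktop Service'

# Read back the effective settings so the change can be confirmed (or compared on a GPO-managed VDA)
$reg  = Get-ItemProperty -Path $key
$ntlm = if (Test-Path $ConfigFile) {
    [regex]::Match((Get-Content -Path $ConfigFile -Raw), 'allowNtlm="(\w+)"').Groups[1].Value
} else { 'file not found' }
[pscustomobject]@{
    SupportMultipleForest = $reg.SupportMultipleForest
    ListOfSIDs            = $reg.ListOfSIDs
    allowNtlm             = $ntlm
    DesktopService        = (Get-Service -DisplayName 'Citrix Desktop Service').Status
}
```

Run without -ExternalTrust for forest trusts, so that ListOfSIDs stays unset and allowNtlm stays false as the document describes.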