Skip to main content

XenDesktop and Active Directory Integration

You have to start testing the XenDesktop beta and go to the XenDesktop forums to have your questions answered.

This is a snippet copy/paste from the Citrix Blog:

If you have followed the discussions in the XenDesktop forums, or - even better - if you've tried the beta version of XenDesktop, you'll be aware that it integrates with Active Directory. Indeed, in particular the Desktop Delivery Controller (DDC - the component responsible for brokering end users to their virtual desktops) has a strong dependency on AD, and stores some data in AD that relates to security and determines how virtual desktops discover and communicate with desktop delivery controllers. Several questions have come up on this integration, and on what is actually stored in Active Directory. This post will show in more detail what's going on under the covers. Just a note of caution: the information in this post reflects the beta release of XenDesktop; however we're not expecting major changes in this area in the final release.

When you install a DDC server, an "AD set-up wizard" will start towards the end of the installation. When you install the first DDC in a farm, the wizard will ask you for the location of an OU, and will populate it with the data that XenDesktop needs to link up virtual desktops and DDCs, and to secure their communication paths. Whenever you install an additional DDC or remove one, the wizard will also start, and add or remove the DDC-specific information from that OU, although you won't typically see this, because it happens without the wizard GUI actually popping up. You can also run the wizard manually at any time, it's installed in the start menu on a DDC, and you can also run it from the command line (c:\program files\citrix\xendesktop server\adsetup.exe; use the 'rungui' option to start the GUI wizard).

When the wizard is running for the first time, it asks you to choose an OU for that farm, as shown in the previous screen shot. Every DDC farm needs a separate OU. The OU can be at an arbitrary level of a domain, and the OU does not need to contain the computer accounts for either the virtual desktops or the DDC servers (although it'd be best practice for the DDC servers to live in the farm's OU). If the user running the wizard has sufficient privileges, they can choose to create a new OU (tick the check box in the wizard). Alternatively, a domain administrator can pre-create an empty OU, and give the XenDesktop administrator running the wizard sufficient delegated privileges over that OU (you'll need 'create child' permissions). In that case, you should select that empty OU in the wizard by using the AD browser, as shown in the example above.

Now let's look at the data that shows up in the OU after the wizard has completed. The following screen shot shows that the OU contains one security group, one service connection point (SCP), and a container that contains another service connection point object:

The 'Controllers' security group is used by virtual desktops to ensure that only authorized DDCs that are members of the farm can broker and control connections (I'll explain how virtual desktops figure out where to find this security group in a moment). Whenever a DDC invokes one of the web services implemented by the virtual desktop, the VDA (Virtual Desktop Agent, the XenDesktop component that you install on a virtual desktop) will check that the caller is a member of this security group. When you add DDCs in the AD set-up wizard, as shown in the following screen shot, one of the things it does is to add the computer account for the DDC into this security group. Because the OS service that invokes web services on the VDA runs using the NetworkService predefined account on the DDC, the VDA will see incoming calls as using the DDC's computer account. You need to exercise caution in which computer accounts are made a member of this group, because all VDAs in your farm will trust these computers to control them.

Read the whole article here!

and for beta, Register Now to Download


Popular posts from this blog

Get Vyatta Virtual Appliance, now VMware certified!

We all know Vyatta, don't we?

Vyatta, the leader in Linux-based networking, today announced that its open-source networking software has received VMware Virtual Appliance Certification, thereby providing customers with a solution that has been optimized for a production-ready VMware environment. The company also announced it has joined the VMware Technology Alliance Partner (TAP) Program. As a member of TAP, Vyatta will offer its solutions via the TAP program website. With the Vyatta virtual appliance for VMware environments, organizations can now include Vyatta’s router, firewall and VPN functions as part of their virtualized infrastructure.

Vyatta combines enterprise-class routing and security capabilities into an integrated, reliable and commercially supported software solution, delivering twice the performance of proprietary network solutions at half the price. Running Vyatta software as virtual appliances gives customers many more options for scaling their data centers and cons…

3PAR adds native LDAP support to simplify administration

3PAR®, the leading global provider of utility storage, announced today native support for lightweight directory access protocol (LDAP). Support for LDAP enables centralized user authentication and authorization using a standard protocol for managing access to IT resources. With 3PAR’s support for LDAP, customers are able to now integrate 3PAR Utility Storage--a simple, cost-efficient, and massively scalable storage platform—with standard, open enterprise directory services. The result is simplified security administration with centralized access control and identity management.

“3PAR Utility Storage already provides us with a reliable, shared, and easy-to-use consolidated storage platform,” said Burzin Engineer, Vice President of Infrastructure Services at Shopzilla. "Now, with 3PAR support for LDAP, managing security commonly--across all our resources, including storage--is also simple and efficient.”

Press Release

DeepLearningTrucker Part 1