Director supports multi-forest environments in which users, Delivery Controllers (DCs), VDAs, and Director servers are located in different forests. This requires correctly configured trust relationships among the forests and the Director configuration settings described below.
Recommended configuration in a multi-forest environment
The recommended configuration is a two-way forest trust (outgoing and incoming) among the forests, with domain-wide authentication.
With that trust in place from the Director's forest, you can troubleshoot user sessions, VDAs, and Delivery Controllers located in other forests.
Advanced configuration required for Director to support multiple forests is controlled through settings defined in Internet Information Services (IIS) Manager.
Important: When you change a setting in IIS, the Director service automatically restarts and logs off users.
To configure advanced settings using IIS:
- Open the Internet Information Services (IIS) Manager console.
- Go to the Director website under the Default website.
- Double-click Application Settings.
- Double-click a setting to edit it.
- Click Add to add a new setting.
Director uses Active Directory to search for users and to look up additional user and machine information. By default, Director searches the domain or forest in which:
- The administrator’s account is a member.
- The Director web server is a member (if different).
Director attempts to perform searches at the forest level using the Active Directory global catalog. If you do not have permissions to search at the forest level, only the domain is searched.
Searching or looking up data from another Active Directory domain or forest requires that you explicitly set the domains or forests to be searched. Configure the following Application setting on the Director website in IIS Manager:
Connector.ActiveDirectory.Domains = (user),(server)
The (user) and (server) tokens represent the domains of the Director user (the administrator) and of the Director server, respectively.
To enable searches from an additional domain or forest, append the name of the domain to the list, as in this example:
Connector.ActiveDirectory.Domains = (user),(server),<domain1>,<domain2>
For each domain in the list, Director attempts to perform searches at the forest level. If you do not have permissions to search at the forest level, only the domain is searched.
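Before adding forests to Connector.ActiveDirectory.Domains, it is worth confirming from the Director server that each one can actually be searched at forest level. The following PowerShell is an added diagnostic, not part of the Citrix page or product: for each name you intend to append after (user),(server) it locates the forest, finds a global catalog, reports whether the local forest has a trust toward it, and binds to the global catalog so that a permissions problem shows up here rather than as a silently domain-scoped search in Director. The domain names are placeholders.

```powershell
# Added example (not Citrix's own script). Run on the Director server with an
# account that Director administrators will use. Domain names are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Test-DirectorForestSearch {
    param(
        # The names you intend to append after (user),(server) in the IIS setting
        [string[]] $Domains = @('customer.example', 'partner.example')
    )
    $ad = 'System.DirectoryServices.ActiveDirectory'
    # Forest the Director server belongs to, and the trusts configured from it
    $local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $trusts = $local.GetAllTrustRelationships()

    foreach ($d in $Domains) {
        $r = [ordered]@{ Domain = $d; Forest = $null; GlobalCatalog = $null; Trust = 'none'; Error = $null }
        try {
            # The setting accepts domains or forests; resolve the name as a domain
            # and take its forest, which also works when $d is a forest root.
            $ctx    = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new(
                          [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $d)
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
            $forest = $domain.Forest
            $r.Forest = $forest.Name

            # Director searches at forest level through the global catalog (LDAP 3268).
            $gc = $forest.FindGlobalCatalog()
            $r.GlobalCatalog = $gc.Name

            # Searching another forest needs a trust from ours toward it: the
            # recommended set-up is two-way, the CSP pattern is outgoing only.
            $t = $trusts | Where-Object { $_.TargetName -ieq $forest.Name } | Select-Object -First 1
            if ($t) { $r.Trust = "$($t.TrustDirection) ($($t.TrustType))" }

            # Bind to the GC's RootDSE so an access problem surfaces now instead of
            # Director quietly falling back to a domain-scoped search.
            $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$($gc.Name)/RootDSE")
            $null = $root.Properties['rootDomainNamingContext'].Value
        } catch {
            $r.Error = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

Test-DirectorForestSearch | Format-Table -AutoSize
```

A row with a GlobalCatalog but Trust = none is the case the page warns about: Director will still try the forest-level search, but without a trust it falls back to the domain or fails, so fix the trust before adding the name to the setting.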
Domain local group configuration
Most Citrix Service Providers (CSPs) have a similar set-up: the VDAs, Delivery Controller(s), and Director sit in what we can call the Infrastructure forest, while the user and user-group accounts belong to the Customer forest. A one-way outgoing trust exists from the Infrastructure forest to the Customer forest, that is, the Infrastructure forest trusts the Customer forest.
CSP administrators typically create a domain local group in the Infrastructure forest and add the users or user groups in the Customer forest to this domain local group.
Director can support a multi-forest set-up like this and monitor the sessions of users configured using domain local groups.
Add the following Application settings to the Director website in IIS Manager:
Connector.ActiveDirectory.DomainLocalGroupSearch = true
Connector.ActiveDirectory.DomainLocalGroupSearchDomains = <domain1>,<domain2>
<domain1>,<domain2> are the names of the forests (in the CSP set-up above, the Infrastructure forest) in which the domain local group exists.
Assign the domain local group to Delivery Groups in Citrix Studio.
Restart IIS and log on to Director again for the changes to take effect. Now, Director can monitor and show the sessions of these users.
Add Sites to Director
If Director is already installed, configure it to work with multiple Sites. To do this, use the IIS Manager Console on each Director server to update the list of server addresses in the application settings.
Add an address of a Controller from each Site to the following setting:
Service.AutoDiscoveryAddresses = SiteAController,SiteBController
where SiteAController and SiteBController are the addresses of Delivery Controllers from two different Sites.
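Every setting on this page (the multi-forest search list, the domain local group settings, and the Site addresses) is an IIS application setting on the Director website, so the IIS Manager steps above can be scripted. The following PowerShell is an added example, not Citrix's own tooling: it wraps the WebAdministration cmdlets in an add-or-update helper that mirrors the "double-click to edit / click Add" choice in the GUI, applies the settings from this page, reads them back, and restarts IIS. It assumes Director is installed as the Director application under Default Web Site; the forest, domain and Controller names are placeholders.

```powershell
# Added example (not Citrix's own script). Run on each Director server as an administrator.
Import-Module WebAdministration

# Assumption: default install location of the Director application in IIS.
$DirectorPath = 'IIS:\Sites\Default Web Site\Director'

function Get-DirectorAppSetting {
    param([Parameter(Mandatory)][string] $Key)
    $entry = Get-WebConfigurationProperty -PSPath $DirectorPath `
        -Filter "/appSettings/add[@key='$Key']" -Name 'value' -ErrorAction SilentlyContinue
    if ($null -eq $entry) { return $null }
    return [string]$entry.Value
}

function Set-DirectorAppSetting {
    param([Parameter(Mandatory)][string] $Key, [Parameter(Mandatory)][string] $Value)
    # Same decision as in IIS Manager: edit the setting if it exists, otherwise add it.
    if (Get-WebConfiguration -PSPath $DirectorPath -Filter "/appSettings/add[@key='$Key']") {
        Set-WebConfigurationProperty -PSPath $DirectorPath `
            -Filter "/appSettings/add[@key='$Key']" -Name 'value' -Value $Value
    } else {
        Add-WebConfigurationProperty -PSPath $DirectorPath -Filter '/appSettings' `
            -Name '.' -Value @{ key = $Key; value = $Value }
    }
}

# Multi-forest search: keep the (user),(server) tokens, then append the extra forests.
Set-DirectorAppSetting 'Connector.ActiveDirectory.Domains' '(user),(server),customer.example,partner.example'

# CSP domain local group pattern: the forest(s) holding the domain local group.
Set-DirectorAppSetting 'Connector.ActiveDirectory.DomainLocalGroupSearch'        'true'
Set-DirectorAppSetting 'Connector.ActiveDirectory.DomainLocalGroupSearchDomains' 'infra.example'

# Multiple Sites: one Delivery Controller address from each Site.
Set-DirectorAppSetting 'Service.AutoDiscoveryAddresses' 'ddc01.sitea.example,ddc01.siteb.example'

# Read back exactly what IIS will hand to Director before restarting.
foreach ($k in 'Connector.ActiveDirectory.Domains',
               'Connector.ActiveDirectory.DomainLocalGroupSearch',
               'Connector.ActiveDirectory.DomainLocalGroupSearchDomains',
               'Service.AutoDiscoveryAddresses') {
    '{0} = {1}' -f $k, (Get-DirectorAppSetting $k)
}

# Changing these settings restarts the Director service and logs off its users
# (see the Important note above); restart IIS explicitly so the change is not missed.
iisreset
```

Because the helper edits the Director web.config through the IIS configuration system, the same change is visible afterwards in IIS Manager under Application Settings, and the restart behaviour is the one the page describes.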
Disable the visibility of running applications in the Activity Manager
By default, the Activity Manager in Director displays a list of all running applications for a user’s session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full Administrator, Delivery Group Administrator, and Help Desk Administrator.
To protect the privacy of users and the applications they are running, you can prevent the Applications tab from listing running applications.
Warning: Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
- On the VDA, modify the registry value TaskManagerDataDisplayed under HKEY_LOCAL_MACHINE\Software\Citrix\Director. By default, the value is 1. Change it to 0, which means the information is not collected from the VDA and hence not displayed in the Activity Manager.
- On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is “true”, which allows visibility of running applications in the Applications tab. Change the value to “false”, which disables visibility. This option affects only the Activity Manager in Director, not the VDA. Modify the value of the following setting: UI.TaskManager.EnableApplications = false
Important: To disable the view of running applications, Citrix recommends making both changes to ensure that the data is not displayed in Activity Manager.
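Both changes above, applied and then audited together, as an added PowerShell example rather than Citrix's own tooling. The registry path and the IIS setting name are the ones on the page; the IIS application path and the VDA host names are assumptions. The VDA function is meant to run on each VDA, the Director functions on the Director server; the audit reads the VDAs over WinRM so that a VDA that still collects the data is reported even when the Director side is already hidden.

```powershell
# Added example (not Citrix's own script).
Import-Module WebAdministration

$DirectorPath = 'IIS:\Sites\Default Web Site\Director'   # assumption: default install location
$DirFilter    = "/appSettings/add[@key='UI.TaskManager.EnableApplications']"
$VdaKey       = 'HKLM:\SOFTWARE\Citrix\Director'
$VdaValue     = 'TaskManagerDataDisplayed'

# Run on each VDA: stop collecting the running-application list (1 = collect, 0 = do not).
function Disable-VdaTaskManagerData {
    # Back up the key before touching it, as the page's warning advises.
    $backup = Join-Path $env:TEMP ('CitrixDirector-{0:yyyyMMddHHmmss}.reg' -f (Get-Date))
    reg.exe export 'HKLM\SOFTWARE\Citrix\Director' $backup /y | Out-Null
    if (-not (Test-Path $VdaKey)) { throw "$VdaKey not found; Director support is not installed on this VDA." }
    Set-ItemProperty -Path $VdaKey -Name $VdaValue -Value 0 -Type DWord
    "Registry backup written to $backup"
}

# Run on the Director server: stop displaying whatever the VDAs still report.
function Disable-DirectorApplicationsTab {
    if (Get-WebConfiguration -PSPath $DirectorPath -Filter $DirFilter) {
        Set-WebConfigurationProperty -PSPath $DirectorPath -Filter $DirFilter -Name 'value' -Value 'false'
    } else {
        Add-WebConfigurationProperty -PSPath $DirectorPath -Filter '/appSettings' -Name '.' `
            -Value @{ key = 'UI.TaskManager.EnableApplications'; value = 'false' }
    }
}

# Run on the Director server: audit both halves of the change. VDA names are placeholders.
function Test-RunningAppsHidden {
    param([string[]] $VdaComputers = @('vda01.example', 'vda02.example'))
    $dir = (Get-WebConfigurationProperty -PSPath $DirectorPath -Filter $DirFilter -Name 'value' `
                -ErrorAction SilentlyContinue).Value
    $directorHides = ($dir -eq 'false')          # an absent setting means the default, true
    foreach ($vda in $VdaComputers) {
        $collects = Invoke-Command -ComputerName $vda -ScriptBlock {
            $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Citrix\Director' -Name 'TaskManagerDataDisplayed' `
                      -ErrorAction SilentlyContinue).TaskManagerDataDisplayed
            ($null -eq $v) -or ($v -ne 0)        # an absent value means the default, 1
        }
        [pscustomobject]@{
            Vda           = $vda
            VdaCollects   = $collects
            DirectorShows = -not $directorHides
            FullyHidden   = (-not $collects) -and $directorHides   # both changes applied
        }
    }
}
```

FullyHidden is true only when the VDA has stopped collecting and Director has stopped displaying, which is the combination the Important note asks for; either change alone leaves the data collected or displayed by one tier.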