Managing domain computer accounts
The tasks documented here must be performed using the Provisioning Server, rather than in Active Directory, in order to take full advantage of product features.
Supporting Cross-Forest Scenarios
To support cross-forest scenarios:
- Ensure that DNS is properly set up. (Refer to Microsoft’s web site for information on how to prepare DNS for a Forest Trust.)
- Ensure the forest functional level of both forests is the same version of Windows Server.
- Create the forest trust. In order for Provisioning Services and the user from the Provisioning Services domain to create an account in a domain from another forest, create an Inbound Trust from the external forest to the forest Provisioning Services is in.
Parent-child domain scenario
A common cross-domain configuration involves having the Provisioning Server in a parent domain and users from one or more child domains who want to administer Provisioning Services and manage Active Directory accounts within their own domains.
To implement this configuration:
Create a Security Group in the child domain. (It can be a Universal, Global, or Local Domain Group). Make a user from the child domain a member of this group.
From the Provisioning Server Console, in the parent domain, make the child domain security group a Provisioning Services Administrator.
If the child domain user does not have Active Directory privileges, use the Delegation Wizard in the Active Directory Users & Computers Management Console to assign, create, and delete a user’s computer account rights for the specified OU.
Install the Provisioning Services Console in the child domain. No configuration is necessary. Log into the Provisioning Server as the child domain user.
This configuration is similar to the cross-domain scenario, except that the Provisioning Services Console, user, and Provisioning Services administrator group are in a domain that is in a separate forest. The steps are the same as for the parent-child scenario, except that a forest trust must first be established.
Microsoft recommends that administrators do not delegate rights to the default Computers container. The best practice is to create new accounts in the OUs.
Giving Access to Users from Another Domain Provisioning Services Administrator Privileges
Citrix recommends the following method:
- Add the user to a Universal Group in their own domain (not the Provisioning Services Domain).
- Add that Universal Group to a Local Domain Group in the PVS domain.
- Make that Local Domain Group the PVS Admin group.
Adding Target Devices to a Domain
To add target devices to a domain:
Note: The machine name used for the vDisk image must not be used again within your environment.
- Right-click on one or more target devices in the Console window (alternatively, right-click on the device collection itself to add all target devices in this collection to a domain). Select Active Directory, then select Create machine account. The Active Directory Management dialog appears.
- From the Domain scroll list, select the domain that the target device(s) belongs to, or in the Domain Controller text box, type the name of the domain controller that the target devices should be added to (if you leave the text box blank, the first Domain Controller found is used).
- From the Organization unit (OU) scroll list, select or type the organization unit to which the target device belongs (the syntax is ‘parent/child,’ lists are comma separated; if nested, the parent goes first).
- Click the Add devices button to add the selected target devices to the domain and domain controller. A status message displays to indicate if each target device was added successfully. Click Close to exit the dialog.
Removing Target Devices From a Domain
- Right-click on one or more target devices in the Console window (alternatively, right-click on the device collection itself to add all target devices in this collection to a domain). Select Active Directory Management, then select Delete machine account. The Active Directory Management dialog appears.
- In the Target Device table, highlight those target devices that should be removed from the domain, then click the Delete Devices button. Click Close to exit the dialog.
Reset Computer Accounts
Note: An Active Directory machine account can only be reset when the target device is inactive.
To reset computer accounts for target devices in an Active Directory domain:
- Right-click on one or more target devices in the Console window (alternatively, right-click on the device collection itself to add all target devices in this collection to a domain), then select Active Directory Management, then select Reset machine account. The Active Directory Management dialog appears.
- In the Target Device table, highlight those target devices that should be reset, then click the Reset devices button. Note: This target device should have been added to your domain while preparing the first target device.
- Click Close to exit the dialog.
- Disable Windows Active Directory automatic password re-negotiation. To do this, on your domain controller, enable the following group policy: Domain member: Disable machine account password changes. Note: To make this security policy change, you must be logged on with sufficient permissions to add and change computer accounts in Active Directory. You have the option of disabling machine account password changes at the domain level or local level. If you disable machine account password changes at the domain level, the change applies to all members of the domain. If you change it at the local level (by changing the local security policy on a target device connected to the vDisk in Private Image mode), the change applies only to the target devices using that vDisk.
- Boot each target device.