Configuring vDisks for Active Directory management
Integrating Provisioning Services and Active Directory allows administrators to:
- Select the Active Directory Organizational Unit (OU) in which Provisioning Services should create a target device computer account.
- Take advantage of Active Directory management features, such as delegation of control and group policies.
- Configure the Provisioning Server to automatically manage the computer account passwords of target devices.
Before integrating Active Directory within the farm, verify that the following prerequisites are met:
- The Master Target Device was added to the domain before building the vDisk
- The Disable Machine Account Password Changes option was selected when the image optimization wizard was run during imaging
After all prerequisites have been verified, new target devices can be added and assigned to the vDisk. A machine account must then be created for each target device.
Managing domain passwords
When target devices access their own vDisk in Private Image mode, there are no special requirements for managing domain passwords. However, when a target device accesses a vDisk in Standard Image mode, the Provisioning Server assigns the target device its name. If the target device is a domain member, the name and password assigned by Provisioning Server must match the information in the corresponding computer account within the domain. Otherwise, the target device is not able to log on successfully. For this reason, the Provisioning Server must manage the domain passwords for target devices that share a vDisk.
To enable domain password management you must disable the Active Directory-(or NT 4.0 Domain) controlled automatic re-negotiation of machine passwords. This is done by enabling the Disable machine account password changes security policy at either the domain or target-device level. Provisioning Server provides equivalent functionality through its own Automatic Password Renegotiate feature.
While target devices booting from vDisks no longer require Active Directory password renegotiation, configuring a policy to disable password changes at the domain level applies to any domain members booting from local hard drives. This may not be desirable. A better option is to disable machine account password changes at the local level. To do this, select the Optimize option when building a vDisk image. The setting will then be applied to any target devices that boot from the shared vDisk image.
The Provisioning Server does not in any way change or extend the Active Directory schema. Provisioning Server’s function is to create or modify computer accounts in Active Directory, and reset passwords.
When domain password management is enabled, it:
- Sets a unique password for a target device.
- Stores that password in the respective domain computer account.
- Gives the information necessary to reset the password at the target device before it logs on to the domain.
Password management process
With password management enabled, the domain password validation process includes:
- Creating a machine account in the database for a target device, then assign a password to the account.
- Providing an account name to a target device using the Streaming Service.
- Having the domain controller validate the password provided by the target device.
Enabling domain management
Each target device that logs on to a domain requires a computer account on the domain controller. This computer account has a password that is maintained by the Windows desktop OS and is transparent to the user. The password for the account is stored both on the domain controller and on the target device. If the passwords stored on the target device and on the domain controller do not match, the user can not log on to the domain from the target device.
Domain management is activated by completing the following tasks:
- Enabling Machine Account Password Management
- Enabling Automatic Password Management
Enabling machine account password management
To enable machine account password management, complete the following:
- Right-click on a vDisk in the Console, then select theFile Propertiesmenu option.
- On the Options tab, select Active Directory machine account password management.
- Click OK, then close the properties dialogs, then restart the Streaming Service.
Enabling automatic password management
If your target devices both belong to an Active Directory domain and are sharing a vDisk, the following additional steps must be completed:
To enable automatic password support, complete the following:
- Right-click on a Provisioning Server in the Console, then select thePropertiesmenu option.
- Select theEnable automatic password supportoption on the Options tab.
- Set the number of days between password changes.
- ClickOKto close the Server Properties dialog.
- Restart the Streaming Service.
Managing domain computer accounts
The tasks documented here must be performed using the Provisioning Server, rather than in Active Directory, in order to take full advantage of product features.
Supporting cross-forest scenarios
To support cross-forest scenarios:
- Ensure that DNS is properly set up. (Refer to the Microsoft website for information on how to prepare DNS for a Forest Trust.)
- Ensure the forest functional level of both forests is the same version of Windows Server.
- Create the forest trust. In order for Provisioning Services and the user from the Provisioning Services domain to create an account in a domain from another forest, create an Inbound Trust from the external forest to the forest Provisioning Services is in.
Parent-child domain scenario
A common cross-domain configuration involves having the Provisioning Server in a parent domain and users from one or more child domains who want to administer Provisioning Services and manage Active Directory accounts within their own domains.
To implement this configuration:
Create a Security Group in the child domain. (It can be a Universal, Global, or Local Domain Group.) Make a user from the child domain a member of this group.
From the Provisioning Server Console, in the parent domain, make the child domain security group a Provisioning Services Administrator.
If the child domain user does not have Active Directory privileges, use theDelegation Wizardin the Active Directory Users & Computers Management Console to assign, create, and delete a user’s computer account rights for the specified OU.
Install the Provisioning Services Console in the child domain. No configuration is necessary. Log into the Provisioning Server as the child domain user.
This configuration is similar to the cross-domain scenario, except that the Provisioning Services Console, user, and Provisioning Services administrator group are in a domain that is in a separate forest. The steps are the same as for the parent-child scenario, except that a forest trust must first be established.
Microsoft recommends that administratorsdo notdelegate rights to the default Computers container. The best practice is to create new accounts in the OUs.
Giving access to users from another domain Provisioning Services administrator privileges
Citrix recommends the following method:
- Add the user to a Universal Group in their own domain (not the Provisioning Services Domain).
- Add that Universal Group to a Local Domain Group in the PVS domain.
- Make that Local Domain Group the PVS Admin group.
Adding target devices to a domain
The machine name used for the vDisk image must not be used again within your environment.
- Right-click on one or more target devices in the Console window (alternatively, right-click on the device collection itself to add all target devices in this collection to a domain). SelectActive Directory, then selectCreate machine account. The Active Directory Management dialog appears.
- From the Domain scroll list, select the domain that the target device(s) belongs to, or in the Domain Controller text box, type the name of the domain controller that the target devices should be added to (if you leave the text box blank, the first Domain Controller found is used).
- From the Organization unit (OU) scroll list, select or type the organization unit to which the target device belongs (the syntax is ‘parent/child,’ lists are comma separated; if nested, the parent goes first).
- Click theAdd devicesbutton to add the selected target devices to the domain and domain controller. A status message displays to indicate if each target device was added successfully. ClickCloseto exit the dialog.
Removing target devices from a domain
- Right-click on one or more target devices in the Console window (alternatively, right-click on the device collection itself to add all target devices in this collection to a domain). SelectActive Directory Management, then selectDelete machine account. The Active Directory Management dialog appears.
- In the Target Device table, highlight those target devices that should be removed from the domain, then click the Delete Devices button. ClickCloseto exit the dialog.
Reset computer accounts
An Active Directory machine account can only be reset when the target device is inactive.
To reset computer accounts for target devices in an Active Directory domain:
Right-click on one or more target devices in the Console window (alternatively, right-click on the device collection itself to add all target devices in this collection to a domain), then selectActive Directory Management, then selectReset machine account. The Active Directory Management dialog appears.
In the Target Device table, highlight those target devices that should be reset, then click theReset devicesbutton.
This target device should have been added to your domain while preparing the first target device.
Click Close to exit the dialog.
Disable Windows Active Directory automatic password re-negotiation. To do this, on your domain controller, enable the following group policy:Domain member: Disable machine account password changes.
To make this security policy change, you must be logged on with sufficient permissions to add and change computer accounts in Active Directory. You have the option of disabling machine account password changes at the domain level or local level. If you disable machine account password changes at the domain level, the change applies to all members of the domain. If you change it at the local level (by changing the local security policy on a target device connected to the vDisk in Private Image mode), the change applies only to the target devices using that vDisk.
Boot each target device.