Director can support multi-forest environments spanning a forest configuration where users, Domain Delivery Controllers (DDC), VDAs, and Directors are located in different forests. This requires proper setup of trust relationships among the forests and configuration settings.
Recommended configuration for Director to work in a multi-forest environment
The recommended configuration requires creation of outgoing and incoming forest trust relationships among the forests with domain-wide authentication.
The trust relationship from the Director enables you to troubleshoot issues in user sessions, VDAs and Domain Controllers located in different forests.
Advanced configuration required for Director to support multiple forests is controlled through settings defined in Internet Information Services (IIS) Manager.
Important: When you change a setting in IIS, the Director service automatically restarts and logs off users.
To configure advanced settings using IIS:
- Open the Internet Information Services (IIS) Manager console.
- Go to the Director website under the Default website.
- Double-click Application Settings.
- Double-click a setting to edit it.
Director uses Active Directory to search for users and to look up additional user and machine information. By default, Director searches the domain or forest in which:
- The administrator’s account is a member.
- The Director web server is a member (if different).
Director attempts to perform searches at the forest level using the Active Directory global catalog. If you do not have permissions to search at the forest level, only the domain is searched.
Searching or looking up data from another Active Directory domain or forest requires that you explicitly set the domains or forests to be searched. Configure the following setting:
Connector.ActiveDirectory.Domains = (user),(server)
The value attributes user and server represent the domains of the Director user (the administrator) and Director server, respectively.
To enable searches from an additional domain or forest, add the name of the domain to the list, as shown in this example:
Connector.ActiveDirectory.Domains = (user),(server),<domain1>,<domain2>
For each domain in the list, Director attempts to perform searches at the forest level. If you do not have permissions to search at the forest level, only the domain is searched.
Note: In an environment with multiple forests, Director does not show the session details of users from other forests who have been assigned to the XenDesktop Delivery Group using the domain local group.
Add Sites to Director
If Director is already installed, configure it to work with multiple Sites. To do this, use the IIS Manager Console on each Director server to update the list of server addresses in the application settings.
Add an address of a Controller from each Site to the following setting:
Service.AutoDiscoveryAddresses = SiteAController,SiteBController
where SiteAController and SiteBController are the addresses of Delivery Controllers from two different Sites.
For XenApp 6.5 Sites, add an address of a Controller from each XenApp farm to the following setting:
Service.AutoDiscoveryAddressesXA = FarmAController,FarmBController
where FarmAController and FarmBController are the addresses of XenApp Controllers from two different farms.
For XenApp 6.5 Sites, another way to add a Controller from a XenApp farm is to run:
DirectorConfig.exe /xenapp FarmControllerName
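The following is an added example, not Citrix tooling. It appends entries to the comma-separated application settings described above (Connector.ActiveDirectory.Domains and Service.AutoDiscoveryAddresses) and writes only when the value actually changes, because every write restarts the Director service and logs off users. The function name, the IIS path `Default Web Site\Director` and the sample domain and host names are assumptions.

```powershell
# Added example: idempotent edit of a comma-separated Director application setting.
# Assumption: the Director application is "Default Web Site/Director" in IIS.
Import-Module WebAdministration

function Add-DirectorListEntry {
    param(
        [Parameter(Mandatory)] [string]   $Key,    # e.g. Connector.ActiveDirectory.Domains
        [Parameter(Mandatory)] [string[]] $Entry,  # domains or Controller addresses to add
        [string] $PSPath = 'IIS:\Sites\Default Web Site\Director'
    )
    $filter  = "/appSettings/add[@key='$Key']"
    $current = (Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name value).Value
    if ($null -eq $current) {
        throw "Application setting '$Key' not found at $PSPath"
    }

    # Split the existing list and keep its order, so "(user),(server)" stays first.
    $items   = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # -notcontains compares case-insensitively, which suits DNS names.
    $missing = @($Entry | Where-Object { $items -notcontains $_ })

    if ($missing.Count -eq 0) {
        Write-Output "$Key unchanged: $current"
        return
    }

    # Write only when something is added: the write restarts Director.
    $new = ($items + $missing) -join ','
    Set-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name value -Value $new
    Write-Output "$Key updated: $new"
}

# Constructed sample values; replace with your own domain and Controller names.
Add-DirectorListEntry -Key 'Connector.ActiveDirectory.Domains' -Entry 'forest2.example.com'
Add-DirectorListEntry -Key 'Service.AutoDiscoveryAddresses' -Entry 'ddc01.siteb.example.com'
```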
Disable the visibility of running applications in the Activity Manager
By default, the Activity Manager in Director displays a list of all running applications for a user’s session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full Administrator, Delivery Group Administrator, and Help Desk Administrator.
To protect the privacy of users and the applications they are running, you can prevent the Applications tab from listing running applications.
Warning: Editing the registry incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
On the VDA, modify the registry key located at HKEY_LOCAL_MACHINE\Software\Citrix\Director\TaskManagerDataDisplayed. By default, the key is set to 1. Change the value to 0, which means the information is not collected from the VDA and hence is not displayed in the Activity Manager.
On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is “true”, which allows visibility of running applications in the Applications tab. Change the value to “false”, which disables visibility. This option affects only the Activity Manager in Director, not the VDA.
Modify the value of the following setting:
UI.TaskManager.EnableApplications = false
Important: To disable the view of running applications, Citrix recommends making both changes to ensure that the data is not displayed in Activity Manager.
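The following is an added example, not Citrix tooling. It checks that both changes are in place: the Director application setting, and the registry value on each VDA. Run it on the Director server. The function name, the IIS path `Default Web Site\Director`, the availability of PowerShell remoting to the VDAs and the sample host names are assumptions.

```powershell
# Added example: report whether both Activity Manager privacy settings are applied.
# Assumptions: Director is the IIS application "Default Web Site/Director" and
# PowerShell remoting is enabled on the VDAs.
Import-Module WebAdministration

function Get-ActivityManagerPrivacyState {
    param(
        [string[]] $VdaComputerName = @(),
        [string]   $PSPath = 'IIS:\Sites\Default Web Site\Director'
    )

    # Director side: UI.TaskManager.EnableApplications must be "false".
    $filter = "/appSettings/add[@key='UI.TaskManager.EnableApplications']"
    $ui = (Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name value).Value
    [pscustomobject]@{
        Target    = $env:COMPUTERNAME
        Setting   = 'UI.TaskManager.EnableApplications'
        Value     = $ui
        Compliant = ($ui -eq 'false')
    }

    # VDA side: TaskManagerDataDisplayed must be 0. A missing value counts as
    # non-compliant because the documented default is 1.
    foreach ($vda in $VdaComputerName) {
        $val = $null
        $err = $null
        try {
            $val = Invoke-Command -ComputerName $vda -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty -Path 'HKLM:\Software\Citrix\Director' -Name TaskManagerDataDisplayed -ErrorAction SilentlyContinue).TaskManagerDataDisplayed
            }
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Target    = $vda
            Setting   = 'TaskManagerDataDisplayed'
            Value     = if ($err) { "unreachable: $err" } elseif ($null -eq $val) { '(not set)' } else { $val }
            Compliant = ($null -ne $val -and [int]$val -eq 0)
        }
    }
}

# Constructed host names; replace with your own VDAs.
Get-ActivityManagerPrivacyState -VdaComputerName 'vda01', 'vda02' | Format-Table -AutoSize
```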