Product Documentation

Advanced configuration

Sep 02, 2016

Director can support multi-forest environments spanning a forest configuration where users, Domain Delivery Controllers (DDC), VDAs, and Directors are located in different forests. This requires proper set up of trust relationships among the forests and configuration settings.

Recommended configuration for Director to work in a multi-forest environment

The recommended configuration requires creation of outgoing and incoming forest trust relationships among the forests with domain-wide authentication.

localized image

The trust relationship from the Director enables the administrator to troubleshoot issues in user sessions, VDAs and Domain Controllers located in different forests.

Advanced configuration required for Director to support multiple forests is controlled through settings defined in Internet Information Services (IIS) Manager.

Important: When you change a setting in IIS, the Director service automatically restarts and logs off users.

To configure advanced settings using IIS:

  1. Open the Internet Information Services (IIS) Manager console.
  2. Go to the Director website under the Default website.
  3. Double-click Application Settings.
  4. Double-click a setting to edit it.

Platinum licenses retain data for 90 days by default.  For more information on configurations see Data granularity and retention.

Director uses Active Directory to search for users and to look up additional user and machine information. By default, Director searches the domain or forest in which:

  • The administrator's account is a member.
  • The Director web server is a member (if different).

Director attempts to perform searches at the forest level using the Active Directory global catalog. If the administrator does not have permissions to search at the forest level, only the domain is searched.

Searching or looking up data from another Active Directory domain or forest requires that you explicitly set the domains or forests to be searched. Configure the following setting:

Connector.ActiveDirectory.Domains = (user),(server)

The value attributes user and server represent the domains of the Director user (the administrator) and Director server, respectively.

To enable searches from an additional domain or forest, add the name of the domain to the list, as shown in this example:

Connector.ActiveDirectory.Domains = (user), (server), <domain1>, <domain2>

For each domain in the list, Director attempts to perform searches at the forest level. If the administrator does not have permissions to search at the forest level, only the domain is searched.

Note

In an environment with multiple forests, Director does not show the session details of users from other forests who have been assigned to the XenDesktop Delivery Group using the domain local group.

Add Sites to Director

If Director is already installed, configure it to work with multiple Sites. To do this, use the IIS Manager Console on each Director server to update the list of server addresses in the application settings.

Add an address of a controller from each Site to the following setting:
Service.AutoDiscoveryAddresses = SiteAController,SiteBController

where SiteAController and SiteBController are the addresses of Delivery Controllers from two different Sites.

For XenApp 6.5 Sites, add an address of a controller from each XenApp farm to the following setting:
Service.AutoDiscoveryAddressesXA = FarmAController,FarmBController

where FarmAController and FarmBController are the addresses of XenApp controllers from two different farms.

For XenApp 6.5 Sites, another way to add a controller from a XenApp farm:
DirectorConfig.exe /xenapp FarmControllerName

Disable the visibility of running applications in the Activity Manager

By default, the Activity Manager in Director displays a list of all running applications for a user's session. This information can be viewed by all administrators that have access to the Activity Manager feature in Director. For Delegated Administrator roles, this includes Full administrator, Delivery Group administrator, and Help Desk Administrator.

To protect the privacy of users and the applications they are running, you can disable the Applications tab from listing running applications.

Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
  1. On the VDA, modify the registry key located at HKEY_LOCAL_MACHINE\Software\Citrix\Director\TaskManagerDataDisplayed. By default, the key is set to 1. Change the value to 0, which means the information will not be displayed in the Activity Manager.
  2. On the server with Director installed, modify the setting that controls the visibility of running applications. By default, the value is "true", which allows visibility of running applications in the Applications tab. Change the value to "false", which disables visibility. This option affects only the Activity Manager in Director, not the VDA.
    Modify the value of the following setting:
    UI.TaskManager.EnableApplications = false
    
Important: To disable the view of running applications, Citrix recommends making both changes to ensure the data is not displayed in Activity Manager.