Active Directory is required for authentication and authorization. The Kerberos infrastructure in Active Directory is used to guarantee the authenticity and confidentiality of communications with the Delivery Controllers. For information about Kerberos, see the Microsoft documentation.
The System requirements article lists the supported functional levels for the forest and domain. To use Policy Modeling, the domain controller must be running on Windows Server 2003 to Windows Server 2012 R2; this does not affect the domain functional level.
Optionally, Virtual Delivery Agents (VDAs) can use information published in Active Directory to determine which Controllers they can register with (discovery). This method is supported primarily for backward compatibility, and is available only if the VDAs are in the same Active Directory forest as the Controllers. For information about this discovery method, see the Delivery Controllers article and CTX118976.
Tip: Do not change the computer name or the domain membership of a Controller after the Site is configured.
In an Active Directory environment with multiple forests, if one-way or two-way trusts are in place, you can use DNS forwarders for name lookup and registration. To allow the appropriate Active Directory users to create computer accounts, use the Delegation of Control wizard. Refer to Microsoft documentation for more information about this wizard.
No reverse DNS zones are necessary in the DNS infrastructure if appropriate DNS forwarders are in place between forests.
You might need reverse DNS configuration if your DNS namespace is different from that of Active Directory.
After adding the ListOfSIDs registry key and editing the brokeragent.exe.config file, restart the Citrix Desktop Service to apply the changes.
| Trust type | Transitivity | Direction | Supported in this release |
|---|---|---|---|
| Parent and child | Transitive | Two-way | Yes |
| External | Nontransitive | One-way or two-way | Yes |
| Forest | Transitive | One-way or two-way | Yes |
| Shortcut | Transitive | One-way or two-way | Yes |
| Realm | Transitive or nontransitive | One-way or two-way | No |
For more information about complex Active Directory environments, see CTX134971.