When you build a Horizon View environment, the virtual desktops that users connect to run Windows. The servers that provide the virtual desktop infrastructure services run on Windows. So, as you can imagine, Active Directory plays a huge role in Horizon View.
When you’re planning a Horizon View deployment, or rearchitecting an existing deployment, the design of your Active Directory environment is a critical element that needs to be considered. How you organize your virtual desktops, templates, and security groups impacts Group Policy, helpdesk delegation rights, and View Composer.
Some Active Directory objects need to be configured before any Horizon View components are installed. Some of these objects require special configuration either in Active Directory or inside vCenter. The Active Directory objects that need to be set up are:
- An organizational unit structure for Horizon View Desktops
- Basic Group Policy Objects for the different organizational units
- An organization unit for Microsoft RDS servers if application remoting is used
Optionally, you may want to set up an organizational unit for any security groups that might be used for entitling access to the Horizon View desktop pools. This can be useful for organizing those groups and/or delegating access to Help Desk or other staff who don’t need Account Operator or Domain Administrator rights.
Creating An Organizational Unit for Horizon View Desktops
The first think that we need to do to prepare Active Directory for a Horizon View deployment is to create an organizational unit structure for Horizon View desktops. This OU structure will hold all of the desktops created and used by Horizon View. A separate OU structure within your Active Directory environment is important because you will want to apply different group policies to your Horizon View desktops than you would your regular desktops. There are also specific permissions that you will need to delegate to the View Composer service account.
There are a lot of ways that you can set up an Active Directory OU structure for Horizon View. My preferred organizational method looks like this:
View Desktops is a top-level OU (ie – one that sites in the root of the domain). I like to set up this OU for two reasons. One is that is completely segregates my VDI desktops from my non-VDI desktops and servers. The other is that it gives me one place to apply group policy that should apply to all VDI desktops such as disabling non-essential services, turning off screen savers, or setting the inactivity timeout to lock the machine.
I create three child OUs under the View Desktops OU to separate persistent desktops, non-persistent desktops, and desktop templates. This allows me to apply different group policies to the different types of desktops. For instance, you may want to disable Windows Updates and use Persona Management on non-persistent desktops but allow Windows Updates on the desktop templates.
You don’t need to create all three OUs. If your environment consists entirely of Persistent desktops, you don’t need an OU for non-persistent desktops. The opposite is true as well.
Finally, I tend to create department or location OUs underneath the persistent or non-persistent OUs if I have locations that require special Group Policy settings in addition to the default settings. One example where I used this was in a previous job that HEAVILY used Microsoft Access databases at one site. Microsoft Access includes a security groups option that uses a centrally stored database file to manage access to databases. This can be configured with group policy, and since other locations used Access without the security groups configured, applying that policy to all desktops would have broken any Access databases that the other locations used.
These grandchild OUs are completely optional. If there is no need to set any custom policy for a location or a department, then they don’t need to be created. However, if a grandchild OU is needed, then an entire pool will need to be created as desktop pools are assigned to OUs. Adding additional pools can add management overhead to a VDI environment.
Creating an Organizational Unit for RDS Servers
Horizon View 6.0 added PCoIP support for multi-user desktops running on Windows Server with the Remote Desktop Session Host role. These new abilities also added support for remote application publishing.
RDS servers need to be handled differently than virtual desktops. They’re managed differently than your virtual desktops, and some features such as Persona Management are not available to RDS servers.
If application remoting or multi-user desktops are going to be deployed, an organizational unit for RDS servers should be created underneath your base servers organizational unit.
Horizon View Group Policy Objects
Horizon View contains a number of custom group policy objects that can be used for configuring features like Persona Management and optimizing the PCoIP protocol. The number of Group Policy objects has been increased in Horizon View 6, and the number of templates has increased as well.
Unfortunately, most of the Group Policy templates are distributed as ADM files. There are a number of drawbacks to ADM files in modern Active Directory environments. The main one is that you cannot store the Group Policy files in the Central Store.
If you plan on using the Group Policy templates, it’s a good idea to convert them into the ADMX format. I had previously written about converting the View Group Policy templates into the ADMX format and the reasons for converting here.
Horizon View Service Accounts
Horizon View requires a service account for accessing vCenter to provision new virtual machines. If View Composer is used, a second service account will be needed to create computer accounts in Active Directory for linked clones. I will cover setting up those account in a future section.
In the next section, I’ll cover SSL certificates for Horizon View servers.
One thought on “Horizon View 6.0 Part 4–Active Directory Configuration”
Pingback: Newsletter: August 10, 2014 | Notes from MWhite
Comments are closed.