VMware Horizon Community
mf_SVA
Contributor

Horizon Cloud on Azure - Unable to register Active Directory

Hello everybody,

I'm currently trying to set up a Horizon Cloud environment with Azure resources. I basically followed the instructions from these sources:

From Zero to Hero:  A Step by Step Guide How To Deploy Horizon Cloud Service on Azure - YouTube

Quick-Start Tutorial for VMware Horizon Cloud Service on Microsoft Azure | VMware

So what I did is: I set up all the network requirements on Azure, set up my local DNS server in the VNet settings, created a service principal on Azure, the IPsec tunnel from Azure to my on-premises environment is up and running, and the pod deployment from Horizon Cloud to Azure was also successful. The next step would be to connect my local Active Directory, and here I'm stuck at the moment.

The error message says "Unable to register Active Directory" as shown in the following picture:

[Image: error dialog "Unable to register Active Directory"]

For troubleshooting purposes I created a small Windows 10 VM on Azure and configured it with the network settings of, e.g., the MGMT subnet which I created earlier for my Horizon on Azure deployment. From that VM I can access different resources in my local environment via the IPsec tunnel without any problems. So there shouldn't be a network issue.

Has anyone had the same issue, or any idea what to check or where the problem could be? I'd really appreciate any help!

Thank you in advance.

Best Regards,

MF

10 Replies
mf_SVA
Contributor

Hey,

here's a little update on this:

  • Connection to the local domain controller from Horizon Cloud still doesn't work, but I can join an Azure test VM to my local domain without any problems
  • I deployed a Server 2016 VM on Azure and configured it to be an additional domain controller for my local AD. After I did this I could register my local AD on Horizon Cloud with my local domain bind / domain join accounts. From there I could finally set up the cloud pod and everything worked perfectly

So that's a workaround for now and definitely not the final solution. I'm still trying to figure out what the problem with the AD join via the IPsec tunnel is and why it's not working as expected.

The different Active Directory deployment options are listed here:

[Image: table of Active Directory deployment options]

The VMware-recommended one is option 6. So I'll try to set this up as well, but even if that works, I still want to get option 1 running as well.

I still appreciate any help from your side.

Thanks.

Regards,

MF

Aginaco
Contributor

Hi,

I'm experiencing a similar issue. Could you finally solve the problem of registering on-prem AD via the IPsec tunnel?

thank you and regards

alsmk2
Hot Shot

Also having the exact same issue.

Have validated the settings against another Horizon Cloud deployment I'd done previously and, other than domain names and underlying IPs, they're 100% identical (both within Azure and HC).

Aginaco
Contributor

Hi,

thanks for your comment; maybe you can answer a question for me.

In my case I'm also doubting whether my network architecture is correct. When I first deployed the pod I used Azure AD DS and created some users for testing. So a VNet was created for AD DS and another one with the management, service and DMZ subnets. Peering both VNets, I can authenticate with AD DS. Now I want to register an additional on-prem domain to use real users. I've created the gateway subnet in the same VNet where the management, service and DMZ subnets are, but I'm not sure if this is correct and whether I should create the whole VPN stuff in a separate VNet and then a new peering to my management, service and DMZ VNet, like I see in the examples in the documentation.

Do you know if it is mandatory to create a different VNet for site-to-site connections (VPNs)? I can't find a word in favor of or against it.

thank you and regards

alsmk2
Hot Shot

I may be misunderstanding your question, but I see absolutely no reason to put the GatewaySubnet in its own VNet. It should work absolutely fine if you do that and have VNet peering configured correctly, but you may also find it works out more costly for traffic (egress traffic over VNet peering has a cost in the same region; ingress/egress would have a cost if the peered VNets are in a different region).

Aginaco
Contributor

Ok,

thanks for your help!

regards

Aginaco
Contributor

Hi,

I wonder if you finally found the reason for that...

After my holiday season I created yesterday a Win10 Pro VM in the same subnet as the pod's management VM (the one whose name ends with "node-1"). I configured this Win10 VM manually to use the on-prem DNS servers and I could join this VM to the on-prem domain via the VPN.

The next step was to set up these DNS servers in my Azure VNet, substituting the DNS servers created during the initial pod deployment made by my customer, and restart the pod's management VM.

But the registration of my local domain in Horizon Cloud keeps failing.

These DNS servers created during the deployment were not on-prem servers but hosted in Azure. The idea was to do some testing using initially resources in Azure (also the test users reside in an Azure AD managed through Azure AD DS) and after that register the local domain to test with users in the on-prem production environment, define on-prem users as Horizon admins and finally get rid of Azure users, DNS, and so on. I wonder if it is even possible to do what we are trying to do or if we should configure everything from scratch again...

Any suggestion?

thank you and regards

sjsaravanan1
Contributor

Is there a final solution for this? I am facing the same issue in my first pod deployment. The test Windows server in the same subnet as the pod manager is able to join the domain and LDAP is also successful, but I am unable to register the Active Directory in the pod setup.

kgsivan
VMware Employee

>> Now I want to register an additional on-prem domain to use real users. I've created the gateway subnet in the same VNet where the management, service and DMZ subnets are, but I'm not sure if this is correct and whether I should create the whole VPN stuff in a separate VNet and then a new peering to my management, service and DMZ VNet, like I see in the examples in the documentation.

The above may not be the right approach (technically it will work provided there is the right transit peering). Instead, you can plan to have a Virtual WAN and spoke VNets attached to it. This way the traffic over VPN will be optimised, and it can also scale up with additional VNets connecting to the hub VNet, without having to set up VPNs each and every time.

kgsivan
VMware Employee

The DNS picked during the Azure Smartnode deployment will be used to resolve the AD domain configuration (even if you have provided the right DNS at the time of configuring the domain).

So, it is better to redeploy the pod with the right DNS pointed to the on-prem AD in the Azure VNet. Otherwise, contact VMware support to reset the domain configuration for your account and rebuild it.

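The thread's diagnosis comes down to two separate checks that the original poster did by hand with a test VM: whether the DNS servers actually in use from the pod's management subnet can locate the on-prem domain controllers, and whether those controllers are reachable through the IPsec tunnel on the ports a domain bind and join need. The script below, an added example that is not part of any post in this thread and not VMware's own tooling, runs both checks from a Windows test VM placed in the same subnet as the pod manager. The domain name `corp.example.com`, the port list and the Azure DNS address mentioned in the comments are assumptions for illustration; replace the domain with your on-prem AD DNS name.

```powershell
# Added example (not from the thread): check DNS-based DC location and DC port
# reachability from a Windows VM in the pod's management subnet.
# $Domain is a placeholder assumption; pass your on-prem AD DNS domain.
param(
    [string]$Domain = 'corp.example.com'
)

# Assumed set of TCP ports a domain bind/join needs on each DC:
# DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, global catalog.
$RequiredPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

# 1. Which DNS servers does this VM use? With no manual override these come from
#    the VNet DNS settings, which is also what the pod picked up at deployment time.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
Write-Host "DNS servers in use: $($dnsServers -join ', ')"

# 2. Ask each DNS server explicitly for the DC locator SRV record. If only an
#    Azure-hosted resolver (for example 168.63.129.16 or Azure AD DS) is listed and it
#    cannot answer for the on-prem domain, the pod cannot register the domain even
#    though the VPN itself is fine.
$dcHosts = @()
foreach ($srv in $dnsServers) {
    try {
        $records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
            -Server $srv -ErrorAction Stop
        $srvRecords = $records | Where-Object { $_.Type -eq 'SRV' }
        Write-Host "[$srv] SRV ok: $($srvRecords.NameTarget -join ', ')"
        $dcHosts += $srvRecords.NameTarget
    } catch {
        Write-Warning "[$srv] cannot resolve _ldap._tcp.dc._msdcs.$Domain : $($_.Exception.Message)"
    }
}
$dcHosts = $dcHosts | Select-Object -Unique

# 3. For every DC found, test TCP reachability through the tunnel. A failure here
#    with DNS working points at an NSG, a VPN route or the on-prem firewall, not DNS.
$results = foreach ($dc in $dcHosts) {
    foreach ($port in $RequiredPorts) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $port; Open = $tcp.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

if (-not $dcHosts) {
    Write-Warning "No DC located via DNS. Fix the VNet DNS servers; the pod keeps using the DNS present at deployment, so a redeploy or a support-side domain reset is needed."
} elseif ($results | Where-Object { -not $_.Open }) {
    Write-Warning "DNS works but some DC ports are blocked. Check NSG rules, VPN routes and the on-prem firewall."
} else {
    Write-Host "DNS and DC reachability look fine from this subnet."
}
```

Run it as `.\Check-AdReachability.ps1 -Domain <your.domain>` on the test VM before changing the VNet DNS, then again after. The point of querying each resolver individually with `-Server` is to separate "the VM's own NIC override works" from "the VNet DNS works": the earlier posts show a manually configured test VM joining the domain while the pod still fails, which is exactly the case where the resolver the VM was given and the resolver the pod kept from deployment differ.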