I'm currently trying to set up a Horizon Cloud environment with Azure resources. I basically followed the instructions from these sources:
So what I did is: I set up all the network requirements on Azure, set up my local DNS server in the VNet settings, and created a service principal on Azure; the IPsec tunnel from Azure to my on-premises environment is up and running, and the pod deployment from Horizon Cloud to Azure was also successful. The next step would be to connect my local Active Directory, and here I'm stuck at the moment.
The error message says "Unable to register Active Directory" as shown in the following picture:
For troubleshooting purposes I created a small Windows 10 VM on Azure and configured it with the network settings from, e.g., the MGMT subnet which I created earlier for my Horizon on Azure deployment. From that VM I can access different resources in my local environment via the IPsec tunnel without any problems. So there shouldn't be a network issue.
Has anyone had the same issue, or any idea what to check or where the problem could be? I'd really appreciate any help!
Thank you in advance.
Here's a little update on this:
So that's a workaround for now and definitely not the final solution. I'm still trying to figure out what the problem with the AD join via the IPsec tunnel is and why it's not working as expected.
The different Active Directory deployment options are listed here:
The VMware-recommended one is Option 6. So I'll try to set this up as well, but even if that works, I'll want to get Option 1 running as well.
I still appreciate any help from your side.
Also having the exact same issue.
Have validated the settings against another Horizon Cloud deployment I'd done previously and, other than domain names and underlying IPs, they're 100% identical (both within Azure and HC).
Thanks for your comment; maybe you can answer a question for me.
In my case I'm also doubting whether my network architecture is correct. When I first deployed the pod I used Azure AD DS and created some users for testing. So a VNet was created for AD DS and another one with the management, service and DMZ subnets. Peering both VNets, I can authenticate with AD DS. Now I want to register an additional on-prem domain to use real users. I've created the gateway subnet in the same VNet where the management, service and DMZ subnets are, but I'm not sure if this is correct and whether I should create the whole VPN stuff in a separate VNet and then a new peering to my management, service and DMZ VNet, like I see in the examples in the documentation.
Do you know if it is mandatory to create a different VNet for site-to-site connections (VPNs)? I can't find a word for or against it.
Thank you and regards.
I may be misunderstanding your question, but I see absolutely no reason to put the GatewaySubnet in its own VNet. It should work absolutely fine if you do that and have VNet peering configured correctly, but you may also find it works out more costly for traffic (egress traffic over VNet peering has a cost in the same region; ingress/egress would have a cost if the peered VNets are in a different region).
I wonder if you finally found the reason for that...
After my holiday season I created yesterday a Win10 Pro VM in the same subnet as the pod's management VM (the one whose name ends with "node-1"). I configured this Win10 VM manually to use the on-prem DNS servers, and I could join this VM to the on-prem domain via the VPN.
The next step was to set up these DNS servers in my Azure VNet, substituting the DNS servers created during the initial pod deployment made by my customer, and restart the pod's management VM.
But the registration of my local domain in Horizon Cloud keeps failing.
These DNS servers created during the deployment were not on-prem servers but hosted in Azure. The idea was to do some testing initially using resources in Azure (the test users also reside in an Azure AD managed through Azure AD DS) and after that register the local domain to test with users in the on-prem production environment, define on-prem users as Horizon admins and finally get rid of Azure users, DNS, and so on. I wonder if it is even possible to do what we are trying to do or if we should configure everything from scratch again...
Thank you and regards.
Is there a final solution for this? I am facing the same issue in my first pod deployment. The test Windows server in the same subnet as the pod manager is able to join the domain and LDAP is also successful, but I am unable to register the Active Directory in the pod setup.
>> Now I want to register an additional on-prem domain to use real users. I've created the gateway subnet in the same VNet where the management, service and DMZ subnets are, but I'm not sure if this is correct and whether I should create the whole VPN stuff in a separate VNet and then a new peering to my management, service and DMZ VNet, like I see in the examples in the documentation.
The above may not be the right approach (technically it will work provided there is the right transit peering). Instead, you can plan to have a Virtual WAN with spoke VNets attached to it. This way the traffic over the VPN will be optimised, and it can also scale up with additional VNets connecting to the hub VNet, without having to set up VPNs each and every time.
The DNS picked during the Azure Smartnode deployment will be used to resolve the AD domain configuration (even if you have provided the right DNS at the time of configuring the domain).
So it is better to redeploy the pod with the right DNS pointed to the on-prem AD in the Azure VNet. Otherwise, contact VMware support to reset the domain configuration for your account and rebuild it.
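The checks the posters above did by hand (a Windows VM in the pod's management subnet resolving the domain and joining it over the tunnel, then pointing the VNet's DNS at the on-prem servers and restarting the pod manager) can be scripted as one pre-flight pass, run from such a test VM. This is an added example, not code from the thread or from VMware; the domain name, DNS addresses, resource group, VNet and pod-manager VM names are placeholders for your own environment, and the Azure part assumes the Az PowerShell module is installed and `Connect-AzAccount` has already been run. Per the last reply, a DNS change made after pod deployment may still leave the pod needing a redeploy or a support-side reset; the script only verifies and corrects what can be checked from the outside.

```powershell
# Added example (not from the thread, not VMware code): pre-flight checks before
# registering an on-prem AD with a Horizon Cloud pod on Azure. Run from a test VM in
# the pod's management subnet. Every value marked ASSUMPTION is a placeholder.

$Domain        = 'corp.example.com'              # ASSUMPTION: on-prem AD DNS domain
$OnPremDns     = @('10.10.0.10', '10.10.0.11')   # ASSUMPTION: on-prem DNS server IPs
$ResourceGroup = 'rg-horizon'                    # ASSUMPTION: RG holding the pod VNet
$VNetName      = 'vnet-horizon'                  # ASSUMPTION: VNet with mgmt/tenant/DMZ subnets
$PodManagerVm  = 'hcs-pod-node-1'                # ASSUMPTION: pod manager VM (name ends in "node-1")

# Ports a domain join / LDAP bind must reach on every DC through the IPsec tunnel.
$AdPorts = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC'; 389 = 'LDAP'; 445 = 'SMB'; 636 = 'LDAPS' }

Write-Host "== DNS servers this VM is actually using (should be the on-prem ones) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

Write-Host "== DC locator SRV record, asked of each on-prem DNS server =="
$dcs = @()
foreach ($dns in $OnPremDns) {
    # A DNS server that cannot answer this query will also break the pod's AD registration.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $dns -ErrorAction SilentlyContinue
    if (-not $srv) { Write-Warning "$dns did not return the DC SRV record for $Domain"; continue }
    $srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object {
        Write-Host ("{0} -> {1}:{2}" -f $dns, $_.NameTarget, $_.Port)
        $dcs += $_.NameTarget
    }
}
$dcs = $dcs | Sort-Object -Unique
if (-not $dcs) { throw "No domain controllers discovered for $Domain; fix DNS before going further." }

Write-Host "== TCP reachability of every DC over the tunnel =="
foreach ($dc in $dcs) {
    foreach ($port in ($AdPorts.Keys | Sort-Object)) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0,-40} {1,5} {2,-9} {3}" -f $dc, $port, $AdPorts[$port], $(if ($ok) { 'open' } else { 'BLOCKED' }))
    }
}

Write-Host "== DNS configured on the Azure VNet (what the pod manager inherits via DHCP) =="
$vnet    = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
$vnetDns = @($vnet.DhcpOptions.DnsServers)
Write-Host ("VNet DNS: {0}" -f $(if ($vnetDns) { $vnetDns -join ', ' } else { '<Azure default>' }))
$missing = $OnPremDns | Where-Object { $vnetDns -notcontains $_ }
if ($missing) {
    Write-Warning ("VNet lacks on-prem DNS server(s): {0}. Setting them and restarting the pod manager." -f ($missing -join ', '))
    if ($null -eq $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers = $OnPremDns
    $vnet | Set-AzVirtualNetwork | Out-Null
    # The pod manager only sees the new VNet DNS after its DHCP lease is renewed, i.e. a restart.
    Restart-AzVM -Name $PodManagerVm -ResourceGroupName $ResourceGroup | Out-Null
}
```

Run it once before attempting the registration and once more after any VNet DNS change. If the SRV lookups and every port show open from the management subnet but the registration still fails, the remaining difference is the DNS the pod recorded at deployment time, which is the case the last reply addresses.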