We've identified by looking at packet captures/firewall logs that during a user login the connection server is intermittently trying to communicate with domain controllers not in the server's AD site, which is not allowed by the firewall (we have 100+ domain controllers and the Connection Servers can only talk to the 6 in their site). We've verified that the connection server knows which AD site it's in and can communicate with the DCs in that site. The issue is when the connection server attempts to perform user logins using DCs not in the server's site. Our environment consists of 4 x Connection Servers in a POD running 7.4.0.
Hopefully someone can give you confirmation, but I think the connection servers do an auto discovery, and if you look in here, at one point you could use the ADAM database to limit what they look at:
https://kb.vmware.com/s/article/2147129?docid=2150448
I think you just need to set pae-AdDomainSite to the correct site.
Solution 2: Set pae-AdDomainSite to manually specify the correct site.
The article looks promising but I'll see what support comes back with.
Solution 1 doesn't apply since I'm on Horizon 7.4.0.
Solutions 2 and 3 reference an ADdomain object under "OU=NgvcAdDomain,OU=Properties,DC=vdi,DC=vmware,DC=int" which I don't have. In fact I don't have any entries in the ADAM database under that path.
Solution 4 doesn't seem to apply as I don't have a C:\ProgramData\VMware\VDM\krb\ folder let alone C:\ProgramData\VMware\VDM\krb\krb5.conf.
Would this help you?
Using the vdmadmin command to exclude or include a domain on a search list for View Administrator or Security Server (2006292)
We have three domains (e.g. domain1, domain2, domain3). I'm already doing an include so only 1 of our 3 AD domains (domain1) is used for Horizon logins.
The issue here is that within that single AD domain (domain1) we can only talk to 6 of the 100+ domain controllers, the ones within the same AD site that the connection servers are in. The Connection Servers are intermittently ignoring the AD site during periods of high logins (first thing in the morning and right after lunch) and trying to use all of the DCs.
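The original post found the problem in firewall logs, and this post narrows it to peak login periods. The following is an added example, not code from the thread or from VMware: a small Python script that reads firewall log lines and flags flows from a Connection Server to a DC-type port (Kerberos, LDAP, LDAPS, global catalog, SMB, RPC endpoint mapper) whose destination is not one of the in-site DCs, then buckets them by hour so the morning and after-lunch peaks stand out. The log format, the Connection Server and DC addresses, and the sample lines are all constructed assumptions; adapt the regular expression and the two address sets to your own firewall export.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample firewall log (not from the thread): one flow per line with
# timestamp, action, source, destination and destination port.
FIREWALL_LOG = """\
2018-06-12T08:01:13 ALLOW src=10.10.5.21 dst=10.20.1.11 dport=389
2018-06-12T08:01:14 ALLOW src=10.10.5.21 dst=10.20.1.12 dport=88
2018-06-12T08:02:07 DENY src=10.10.5.21 dst=10.50.3.40 dport=389
2018-06-12T08:02:09 DENY src=10.10.5.22 dst=10.77.9.15 dport=88
2018-06-12T08:03:44 DENY src=10.10.5.21 dst=10.50.3.40 dport=445
2018-06-12T10:15:02 ALLOW src=10.10.5.23 dst=10.20.1.13 dport=636
2018-06-12T13:05:30 DENY src=10.10.5.24 dst=10.61.2.8 dport=389
2018-06-12T13:05:31 DENY src=10.10.5.24 dst=10.61.2.8 dport=88
2018-06-12T13:06:00 ALLOW src=10.10.5.22 dst=10.30.0.5 dport=443
2018-06-12T13:07:12 DENY src=10.99.0.7 dst=10.61.2.8 dport=389
"""

# Assumed addresses: the four Connection Servers in the POD and the six DCs
# that belong to the Connection Servers' AD site.
CONNECTION_SERVERS: Set[str] = {"10.10.5.21", "10.10.5.22", "10.10.5.23", "10.10.5.24"}
IN_SITE_DCS: Set[str] = {
    "10.20.1.11", "10.20.1.12", "10.20.1.13",
    "10.20.1.14", "10.20.1.15", "10.20.1.16",
}
# Ports a DC serves during logon: Kerberos, LDAP, LDAPS, global catalog (plain
# and TLS), SMB and the RPC endpoint mapper.
AD_PORTS: Set[int] = {88, 389, 636, 3268, 3269, 445, 135}

# Matches the constructed line format above; change this for a real export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a record, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_out_of_site_attempts(
    log_text: str,
    connection_servers: Set[str],
    in_site_dcs: Set[str],
    ad_ports: Set[int],
) -> List[Dict[str, object]]:
    """Return flows from a Connection Server to an AD port on a host that is
    not one of the in-site DCs. The action is kept but not filtered on, so the
    check still works if a firewall rule happens to allow the traffic."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] not in connection_servers:
            continue  # not a Connection Server, outside this check's scope
        if rec["dport"] not in ad_ports:
            continue  # not DC/logon traffic (e.g. HTTPS to something else)
        if rec["dst"] in in_site_dcs:
            continue  # expected: a DC in the servers' own site
        events.append(rec)
    return events


def attempts_by_hour(events: List[Dict[str, object]]) -> Dict[int, int]:
    """Count out-of-site attempts per hour of day to expose login peaks."""
    return dict(Counter(e["ts"].hour for e in events))


def attempts_by_destination(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Count out-of-site attempts per destination DC."""
    return dict(Counter(e["dst"] for e in events))


if __name__ == "__main__":
    evs = find_out_of_site_attempts(FIREWALL_LOG, CONNECTION_SERVERS, IN_SITE_DCS, AD_PORTS)
    for e in evs:
        print(f"{e['ts']} {e['action']} {e['src']} -> {e['dst']}:{e['dport']} (out-of-site DC)")
    print("by hour:", attempts_by_hour(evs))
    print("by destination:", attempts_by_destination(evs))
```

On the constructed sample this reports five out-of-site flows, three in the 08:00 hour and two in the 13:00 hour, which is the pattern described here; the 443 flow and the flow from a non-Connection-Server source are ignored. The same hourly buckets tell you when to have the trace-level Connection Server logging enabled, and the per-destination counts give you the DC names to look for in those logs.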
When you query DNS for that domain name, do all the servers' IPs return? I'm wondering what happens if you edit the local hosts file on the connection servers for the domain name and put in only the domain controllers you want to access.
I'm working with support and they've asked us to enable trace/full connection server logging during the time the issue occurs. We typically see it first thing in the morning when lots of users are logging in but missed it this morning.