BillK201110141
Contributor

Multiple domains in view for tenanting cloud services

I'm setting up my View 5.0 environment.

I'm going to be a private cloud service for different clients, hosting their domains.

The View Connection Server needs to have multiple access to different Microsoft Active Directory domains.

I would like not to establish a trust or merge different AD domains.

Has anyone been able to support multiple domains with a View Connection Server?

Would I need a separate View Connection Server for each domain I'm hosting?

Accepted Solutions
markbenson
VMware Employee

WILLIAM KOSINETZ wrote:

Would I need a separate View Connection Server for each domain I'm hosting?

Yes. If you can't use AD domain trusts between domains you can have a Connection Server per domain and that way you'll keep them separate.

Mark.

BillK201110141
Contributor

Thank you, Mark, for your validation.

This poses another question.

I would then need remote View clients on external networks to:

Connect through a View Security Server in the DMZ, then to a Connection Server, then to a Microsoft Active Directory server.

So would this model be needed for each domain? (3 VMs per domain)

Then would a load balancing solution be needed for each domain, or can one that supports say 50 servers span across all the domains' View Security Servers?

What about vCenter being able to manage across all the domains?

markbenson
VMware Employee

Yes. Your understanding is correct. So minimum of one Connection Server per Domain. A Security Server attached to each Connection Server is optional. With the Connection Server running Server 2008 R2 it can also act as the PCoIP Gateway.

For HA, you may want two Connection Servers (standard instance and replica instance).

A single LB appliance can be used for all your Connection Servers. Each pair would have their own URL and the load balancer could balance load across the two Connection Servers for that URL. You would have a URL per domain.

Mark.

gunnarb
Expert

Mark,

I may be reading his question wrong, but if this is for solely external access (I'm assuming that is the case as he is a cloud provider), wouldn't he need 4 VMs per domain for load balancing? 2 Security Servers in the DMZ, 2 View Connection Servers for them to be paired to. Between the SS and the Internet is where your LB would sit (which is right in line with your video on this). I'm just not seeing how 3 VMs per domain would work in this scenario if all connections are coming from the Internet.

Not questioning you so much as trying to get a better understanding of where you are coming from.

Gunnar Berger

www.gunnarberger.com

markbenson
VMware Employee

Sorry Gunnar, I don't mean to confuse people. I didn't mention 3. The SS is optional with View, so it's 1 server, 2 servers or 4 servers depending on requirements (or more for further scale).

Minimum is 1 CS.

With optional SS it's 1 SS and 1 CS.

For HA it's 2 CS with a load balancer in front.

For HA with optional Security Servers it's 2 SS plus 2 CS with a load balancer in front of the 2 SS.

The load balancer can be shared across multiple View environments with a URL per View environment.

I know you know this - adding this detail for others.

Mark
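
The sizing and sharing rules from the reply above, written as a check that could be run against a planned shared load balancer layout. This is an added example, not part of the original thread or any VMware tooling; the record format, domain names, URLs and host names are constructed assumptions, and the SS-to-CS pairing check follows the 1+1 and 2+2 layouts named in the thread.

```python
# Added example: domain names, URLs and host names are constructed.
from collections import Counter

# Assumed record per AD domain: its View URL on the shared load balancer,
# its Connection Servers (cs), optional Security Servers (ss), HA wanted or not.
TENANTS = {
    "domain-a.example": {"url": "view-a.example.net", "ha": True,
                         "cs": ["a-cs1", "a-cs2"], "ss": ["a-ss1", "a-ss2"]},
    "domain-b.example": {"url": "view-b.example.net", "ha": False,
                         "cs": ["b-cs1"], "ss": []},
    # Deliberately broken: reuses B's URL, borrows A's Connection Server.
    "domain-c.example": {"url": "view-b.example.net", "ha": True,
                         "cs": ["a-cs2"], "ss": ["c-ss1", "c-ss2"]},
}

def validate(tenants):
    """Return a list of isolation and sizing problems for the layout."""
    problems = []
    urls = Counter(t["url"] for t in tenants.values())
    hosts = Counter(h for t in tenants.values() for h in set(t["cs"] + t["ss"]))
    for name, t in tenants.items():
        cs, ss = t["cs"], t["ss"]
        if urls[t["url"]] > 1:
            problems.append(f"{name}: URL {t['url']} is used by another domain")
        for h in sorted(set(cs + ss)):
            if hosts[h] > 1:
                problems.append(f"{name}: server {h} is listed for another domain")
        if not cs:
            problems.append(f"{name}: no Connection Server")
        if ss and len(ss) != len(cs):
            problems.append(f"{name}: {len(ss)} SS for {len(cs)} CS")
        if t["ha"] and len(cs) < 2:
            problems.append(f"{name}: HA wanted but only {len(cs)} CS")
    return problems

def lb_pool(tenant):
    """Servers the load balancer fronts: the SS when present, else the CS."""
    return tenant["ss"] or tenant["cs"]

if __name__ == "__main__":
    for problem in validate(TENANTS):
        print(problem)
```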

gunnarb
Expert

Cool, thanks for the clarification Mark. Future Googlers will praise you. :) Of course if they really wanted to praise you they'd go to Vimeo where you explain in detail the entire SS/VCS relationship.

http://vimeo.com/20365429

Gunnar Berger

www.gunnarberger.com

BillK201110141
Contributor

Thank You Gunnar & Mark for your help on this.

In my design I'm thinking 3 business models.

Some clients will have metro Ethernet to my cluster.

With this connection I would not need a SS, just CS & AD.

As far as HA I would not really need it. Planning to VM the CS & AD.

On premises distribution also would not need a SS, just CS & AD.

The same with HA and VM's.

Public Space VPN access would be physical machines for SS & CS. AD server would be VM.

I would use physical HA for both SS & CS. With LB across this environment.

This is a steep mountain to climb to get into the cloud.

Jimboose
Contributor

Mark Benson wrote:

WILLIAM KOSINETZ wrote:

Would I need a separate View Connection Server for each domain I'm hosting?

Yes. If you can't use AD domain trusts between domains you can have a Connection Server per domain and that way you'll keep them separate.

Mark.

Mark, are there any best practice guides to set this up?

markbenson
VMware Employee

Page 54 of the Architecture and Planning Guide talks about AD authentication and the need to join a Connection Server to an AD domain.

If you have domains without trusts then you can have different independent View environments for each domain and point users to their appropriate View environment for their domain.

Mark

Jimboose
Contributor

Ok..

Thanks for the fast answer.

/Jim

Jimboose
Contributor

There is not much information about connecting domains without trust.

Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated against Active Directory for the joined domain. Users are also authenticated against any additional user domains with which a trust agreement exists.

We have:

VLAN A and Domain A

VMware View Server

VLAN B and Domain B

Virtual Center

The only domain shown in View is domain B (the domain where vCenter is placed).

Do we need a connection server in domain A?

/Jim

markbenson
VMware Employee

If your View Connection Server is joined to domain A, your View clients will be able to log on with domain A user credentials. If Domain A has a two-way trust relationship with other domains, they will be able to log on to those domains too.

If you have another Domain (say Domain B) which doesn't have any trust relationships, the only way users can log on to View with Domain B credentials is if they connect to a Connection Server that is joined to Domain B.

View delegates password authentication to the Windows OS, so these rules are the same as for Windows. If you make an RDP connection to your View Connection Server joined to Domain A, you should also see Domain A in the domain drop down in the Windows login prompt.

Mark.

Jimboose
Contributor

We connect to the View Manager as a domain A user. We add the vCenter Server instance with a domain B account. In Composer's settings we add domain B, but we can't add domain A ("bad domain name"). As a result, when creating a new pool, the linked-clone desktops are added in domain B's OU, but we would like them to be added in domain A.

BillK201110141
Contributor

So when segmenting multiple domains the following need to be established?

vCenter Server

Connection Server

Security Server

This would be needed for each domain that does not have a two-way trust relationship?

I'll have to research if there is a 3rd-party app to overcome this trust.

Jimboose
Contributor

Ok.. Thanks for all help..

/Jim

pharrison333
Contributor

Hi Jim

I have the same scenario. I was wondering if you ever found a solution? I'd love to hear it.

thank you,

Paul
