I'm setting up my View 5.0 environment.
I'm going to be a private cloud service for different clients hosting their domains.
The View Connection Server needs to have multiple access to different Microsoft Active Directory domains.
I would like not to establish a trust or merge different AD domains.
Has anyone been able to support multiple domains with a View Connection Server?
Would I need a separate View Connection Server for each domain I'm hosting?
WILLIAM KOSINETZ wrote:
Would I need a separate View Connection Server for each domain I'm hosting?
Yes. If you can't use AD domain trusts between domains you can have a Connection Server per domain and that way you'll keep them separate.
Mark.
Thank You Mark for your validation.
This poses another question.
I would then need remote View clients on external networks to:
Connect through a View Security Server in the DMZ, then to a Connection Server, then to a Microsoft Active Directory server.
So would this model be needed for each domain? (3 VMs per domain)
Then would a load balancing solution be needed for each domain or can one that supports say 50 servers span across all the domains View security servers?
What about vCenter being able to manage across all the domains?
Yes. Your understanding is correct. So minimum of one Connection Server per Domain. A Security Server attached to each Connection Server is optional. With the Connection Server running Server 2008 R2 it can also act as the PCoIP Gateway.
For HA, you may want two Connection Servers (standard instance and replica instance).
A single LB appliance can be used for all your Connection Servers. Each pair would have their own URL and the load balancer could balance load across the two Connection Servers for that URL. You would have a URL per domain.
Mark.
Mark,
I may be reading his question wrong, but if this is solely for external access (I'm assuming that is the case as he is a cloud provider), wouldn't he need 4 VMs per domain for load balancing? 2 Security Servers in the DMZ, 2 View Connection Servers for them to be paired to. Between the SS and the Internet is where your LB would sit (which is right in line with your video on this). I'm just not seeing how 3 VMs per domain would work in this scenario if all connections are coming from the Internet.
Not questioning you so much as trying to get a better understanding of where you are coming from.
Gunnar Berger
Sorry Gunnar, I don't mean to confuse people. I didn't mention 3. The SS is optional with View, so it's 1 server, 2 servers or 4 servers depending on requirements (or more for further scale).
Minimum is 1 CS.
With optional SS it's 1 SS and 1 CS.
For HA it's 2 CS with a load balancer in front.
For HA with optional Security Servers it's 2 SS plus 2 CS with a load balancer in front of the 2 SS.
The load balancer can be shared across multiple View environments with a URL per View environment.
I know you know this - adding this detail for others.
Mark
Cool, thanks for the clarification Mark. Future Googlers will praise you. Of course if they really wanted to praise you they'd go to Vimeo where you explain in detail the entire SS/VCS relationship.
Gunnar Berger
Thank You Gunnar & Mark for your help on this.
In my design I'm thinking 3 business models.
Some clients will have metro Ethernet to my cluster.
With this connection I would not need a SS, just CS & AD.
As far as HA I would not really need it. Planning to VM the CS & AD.
On premises distribution also would not need a SS, just CS & AD.
The same with HA and VMs.
Public Space VPN access would be physical machines for SS & CS. AD server would be VM.
I would use physical HA for both SS & CS. With LB across this environment.
This is a steep mountain to climb to get into the cloud.
Mark Benson wrote:
WILLIAM KOSINETZ wrote:
Would I need a separate View Connection Server for each domain I'm hosting?
Yes. If you can't use AD domain trusts between domains you can have a Connection Server per domain and that way you'll keep them separate.
Mark.
Mark, are there any best practice guides to set this up?
Page 54 of the Architecture and Planning Guide talks about AD authentication and the need to join a Connection Server to an AD domain.
If you have domains without trusts then you can have different independent View environments for each domain and point users to their appropriate View environment for their domain.
Mark
Ok..
Thanks for the fast answer.
/Jim
There is not much information about connecting domains without trust.
“
Each View Connection Server instance is joined to an Active Directory domain, and users are authenticated
against Active Directory for the joined domain. Users are also authenticated against any additional user
domains with which a trust agreement exists.
“
We have:
VLAN A and Domain A
VMware View Server
VLAN B and Domain B
Virtual Center
The only domain shown in View is domain B (the domain where vCenter is placed).
Do we need a connection server in domain A?
/Jim
If your View Connection Server is joined to domain A, your View clients will be able to log on with domain A user credentials. If Domain A has a two-way trust relationship with other domains, they will be able to log on to those domains too.
If you have another Domain (say Domain B) which doesn't have any trust relationships, the only way users can log on to View with Domain B credentials is if they connect to a Connection Server that is joined to Domain B.
View delegates password authentication to the Windows OS, so these rules are the same as for Windows. If you make an RDP connection to your View Connection Server joined to Domain A, you should also see Domain A in the domain drop down in the Windows login prompt.
Mark.
We connect to the View Manager as a domain A user. We add the vCenter Server instance with a domain B account. In Composer's settings we add domain B, but we can't add domain A ("bad domain name"). As a result, when creating a new pool, the linked-clone desktops are added in domain B's OU, but we would like them to be added in domain A.
So when segmenting multiple domains the following need to be established?
vCenter Server.
Connection Server.
Security Server.
This would be needed for each domain that does not have a two way trust relationship?
I'll have to research if there is a third-party app to overcome this trust.
Ok. Thanks for all the help.
/Jim
Hi Jim
I have the same scenario. I was wondering if you ever found a solution? I'd love to hear it.
thank you,
Paul