
Citrix Cloud Active Directory Confusion


Darryl Sakach

Question

We have a Citrix Cloud configuration with two Resource Locations, each location having two Cloud Connectors installed. The challenge is that both locations have an Active Directory Domain named ThisDomain, however the Domains are separate and distinct, ThisDomain in ResourceLocationA has no connection to ThisDomain in ResourceLocationB. When these two Resource Locations are configured in Citrix Cloud they both get added to one ThisDomain in Identity and Access Management Domains although they are not the same actual Domain.

 

The issue this causes is that when adding a desktop hosted in ResourceLocationA to a Machine Catalog the Cloud Connector used to access AD may be in ResourceLocationB as this is a dynamic decision made by Citrix Cloud. The desktop does not exist in ResourceLocationB so we get a not found condition.

 

We have two Zones configured, one for all of the resources in each Resource Location (Cloud Connectors, Host Connection and Machine Catalog). We do not have a Primary Zone set in Citrix Cloud (although we did try that to resolve this issue).

 

How do we configure this environment so that the Active Directory structure used during an Add Machine operation is always and only the one in the Resource Location of the hosted desktop?

 

Some of the behavior we have seen is we try to add Desktop1 to MachineCatalogA configured in ZoneA. There is no Desktop1 in ZoneB. We drill down into the Host Connection in ZoneA and select Desktop1 for addition. We then attempt to configure the Computer AD Account. This becomes hit or miss as we try to select Desktop1. It sometimes returns not found because it looks in ZoneB. When we do get directed to a Cloud Connector in ZoneA, Desktop1 is found and we proceed. Then we try to proceed to the next step in adding the desktop and may get sent to a ZoneB Cloud Connector again and get a not found error again. If we get lucky and get a ZoneA Cloud Connector for both steps we can finalize the add, which simply submits the add as a background task in Citrix Cloud where we might once again be sent to a Cloud Connector in ZoneB and get a desktop not found. If we get really lucky and get ZoneA, where Desktop1 does exist, for all three of these checkpoints the machine is added. Yay! Everything from that point on seems to work fine. The desktop registers, status reflects as expected, access via Workspace App is all good, power management works. It is only the Add process that seems to be challenged.


5 answers to this question

4 hours ago, Darryl Sakach said:


Hi Darryl,

 

If you have multiple domains configured in Identity and Access Management with 2 Cloud Connectors for each Domain, this should work.

I have a setup with 3 AD Domains, 4 Resource Locations, 5 Hosting connections, 4 Zones and everything works fine.

I can provision Machine Catalog in each Zone/Resource location.

 

Did you check your settings, for AD, Resource Location, Hosting?

 

Thanks

Arnaud

 

 


I think the disconnect between our configurations is here: "The challenge is that both locations have an Active Directory Domain named ThisDomain, however the Domains are separate and distinct, ThisDomain in ResourceLocationA has no connection to ThisDomain in ResourceLocationB." If I create an object in ResourceLocationA, its AD record does not get replicated to ResourceLocationB as there is no connection between those two ResourceLocations. Since I have two Zones set up with all of the components relevant to each ResourceLocation, I would expect those Zone components to be used for all work within that Zone. However, it seems that when it comes to AD it will use a Domain Controller in any Zone.

1 minute ago, Darryl Sakach said:


Hi Darryl,

 

My AD domains are different as well, and there is no communication between them.

Each component that is a member of one zone should communicate with the others; if you have the AD DC, Cloud Connector and Master Image in ZoneA/DomainA, creation of a Machine Catalog in this Zone should work.

 

Arnaud


My challenge is that ThisDomain in ResourceLocationB is a restored copy of ThisDomain in ResourceLocationA, so they share the same DomainSID. ResourceLocationA and ResourceLocationB cannot talk to one another, but they are both configured up to the same Citrix Cloud instance. When they are configured up to Citrix Cloud it sees the domain in the two locations as being the same, I assume because the DomainSID is the same. However, my expectation again would be that if I am working with a resource in ZoneB then the Domain Controllers in ZoneB would be used. They are not. So my question is how I can configure this environment to only use Domain Controllers in the Zone being referenced at the time.

10 minutes ago, Darryl Sakach said:


So maybe this is your main issue here, 2 domains with the same DomainSID ...

 

Do you have ListOfSIDs configured on your Master image?

In fact, this registry key contains the DOMAIN SID of the DDC, and if you have the same Domain SID it will not work.

 

Please check this, and if it's the case please use ListOfDDCs instead and ensure the DDCs' names are not the same in both domains as well.

 

Thanks

Arnaud

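A diagnostic for the check Arnaud suggests, written for this thread rather than taken from it or from Citrix: run on the master image or a VDA, it reads the VDA's ListOfSIDs and ListOfDDCs values, compares ListOfSIDs with the SID of the domain the machine is joined to, and flags the situation where a duplicated DomainSID makes ListOfSIDs unable to tell the two resource locations apart. It assumes the standard VDA registry path HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent and that both values are space-separated REG_SZ strings.

```powershell
# Added diagnostic (not from the thread): inspect ListOfSIDs / ListOfDDCs on a VDA
# and flag the duplicated-DomainSID case discussed above.
# Assumption: standard VDA registry path; values are space-separated strings.
$VdaKey = 'HKLM:\SOFTWARE\Citrix\VirtualDesktopAgent'

function Get-LocalDomainSid {
    # SID of the domain this machine is joined to, via .NET (no RSAT module needed).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $bytes  = $domain.GetDirectoryEntry().Properties['objectSid'].Value
    New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
}

function Test-VdaControllerConfig {
    $props = Get-ItemProperty -Path $VdaKey -ErrorAction SilentlyContinue
    $sids = @(); $ddcs = @()
    if ($props -and $props.ListOfSIDs) { $sids = @($props.ListOfSIDs -split '\s+' | Where-Object { $_ }) }
    if ($props -and $props.ListOfDDCs) { $ddcs = @($props.ListOfDDCs -split '\s+' | Where-Object { $_ }) }

    $localSid = Get-LocalDomainSid
    $findings = @()

    if ($sids.Count -gt 0) {
        $findings += "ListOfSIDs = $($sids -join ', '); local domain SID = $($localSid.Value)"
        if ($sids -contains $localSid.Value) {
            # Same SID in both resource locations means this value cannot disambiguate them.
            $findings += "WARNING: ListOfSIDs equals the local domain SID. If the other resource location's domain is a restored copy with the same SID, this setting cannot tell them apart; use ListOfDDCs instead."
        }
    } else {
        $findings += "ListOfSIDs is not set (expected when domain SIDs are duplicated)."
    }

    if ($ddcs.Count -eq 0) {
        $findings += "WARNING: ListOfDDCs is empty; the VDA has no explicit controller list."
    } else {
        $dupes = $ddcs | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object Name
        if ($dupes) { $findings += "WARNING: duplicate entries in ListOfDDCs: $($dupes -join ', ')" }
        foreach ($ddc in $ddcs) {
            # Each entry should be a unique FQDN that resolves from this zone.
            if ($ddc -notmatch '\.') {
                $findings += "WARNING: '$ddc' is not an FQDN; use the full Cloud Connector name."
            } elseif (-not (Resolve-DnsName -Name $ddc -ErrorAction SilentlyContinue)) {
                $findings += "WARNING: '$ddc' does not resolve from this machine."
            }
        }
    }
    $findings
}

Test-VdaControllerConfig | ForEach-Object { Write-Output $_ }
```

Run it once on a VDA in each zone; the same Cloud Connector names resolving to controllers in the wrong resource location is the case Arnaud's last sentence warns about.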