Cloud desktops are deployed inside workspaces. Inside a workspace, you can configure cloud desktop settings such as secure office networks, user account systems, and Internet access. User account systems are classified into convenience accounts and enterprise Active Directory (AD) accounts. Enterprise AD accounts must be obtained by connecting to AD systems of enterprises. This topic describes how to connect to the AD system of an enterprise and create a workspace of the enterprise AD account type.

Prerequisites

  • An enterprise AD system is created.
    Note
    • If AD and Domain Name System (DNS) are deployed on the same server, make sure that the DNS address of this server points to 127.0.0.1.
    • If AD and DNS are deployed on different servers, make sure that the DNS address of the AD domain server points to the IP address of the DNS server.
  • A Cloud Enterprise Network (CEN) instance is created, and the network of the enterprise AD system is attached to the CEN instance. For more information, see Create a CEN instance and Attach networks.
    Notice When you connect to the AD system of the enterprise, make sure that the private network of the enterprise AD system is connected to the secure office network of the workspace over CEN. If the AD domain server and DNS server are deployed in a data center, you must first connect the on-premises network to Alibaba Cloud by using Smart Access Gateway (SAG), Express Connect, or VPN Gateway.

Background information

A workspace in which cloud desktops are deployed is a collection of environment configurations. For more information, see Workspace overview.

If you want to create a workspace of the enterprise AD account type, you must connect to the enterprise AD system. You must create the workspace in the EDS console, and configure the DNS server of the enterprise AD domain to enable zone transfer and create a conditional forwarder. Perform the following operations:
  1. Step 1: Create a workspace
  2. Step 2: Configure DNS to enable zone transfer
  3. Step 3: Configure the conditional forwarder of the DNS server
Note When you connect to enterprise AD systems, you are charged for AD connectors. For more information about the billing of AD connectors, see Billing of AD connectors.

Step 1: Create a workspace

  1. Log on to the EDS console.
  2. In the left-side navigation pane, click Overview.
  3. On the Overview page, click Create workspace.
  4. In the Configure Secure Office Network step, select a region, enter a workspace name, and then specify an IPv4 CIDR block. Click Next: Configure Account System.
    The following table describes the parameters.
    Parameter Description
    Select region The region in which you want to create a workspace. For more information about the available regions and limits, see Regions.
    Workspace name The name of the workspace. We recommend that you use an identifiable name to facilitate future management. The naming conventions are described in the parameter field.
    IPv4 CIDR block The IPv4 CIDR block that the system uses to create a virtual private cloud (VPC). We recommend that you specify the IPv4 CIDR block as 10.0.0.0/12, 172.16.0.0/12, 192.168.0.0/16, or a subnet of these CIDR blocks. If you specify the IPv4 CIDR block as 10.0.0.0/12 or 172.16.0.0/12, the mask is 12 to 24 bits in length. If you specify the IPv4 CIDR block as 192.168.0.0/16, the mask is 16 to 24 bits in length.
    Note When you create a cloud desktop in the workspace, the system assigns IP addresses from the specified CIDR block to the cloud desktop. To avoid IP address conflicts between your workspace and other network instances that belong to the same CEN instance as the workspace, we recommend that you specify a CIDR block that is not used by other network instances on the CEN. Make sure that the number of available IP addresses in the CIDR block can meet the requirements for the number of cloud desktops you want to create. The greater the value of the mask length, the fewer the number of IP addresses that can be contained in the workspace, and the fewer cloud desktops that can be created in the workspace.
    Connection Method The connection method for the cloud desktop. Valid values:
    • Internet: allows clients to connect to cloud desktops only over the Internet.
    • VPC: allows clients to connect to cloud desktops only over VPCs.
    • Internet and VPC: allow connections over both the Internet and VPCs. You can select a connection method when you use a client to connect to a cloud desktop.
    Note The VPC connection method is provided based on Alibaba Cloud PrivateLink, which is free of charge. If you set Connection Method to VPC or Internet and VPC, PrivateLink is automatically activated.
    Cloud Enterprise Network Specifies whether to join the workspace to a CEN instance. When you connect to the AD system of the enterprise, you must attach the workspace network to a CEN instance to establish a connection between the secure office network and the network of the enterprise AD system. Select Join and select a CEN instance.
    Local Administrator Specifies whether to grant the local administrator permissions to a regular user. If you select Local Administrator, the regular user to which the cloud desktop created in the workspace is assigned has different permissions based on the operating system of the cloud desktop.
    • For Windows cloud desktops, regular users are granted local administrator permissions. However, the actual permissions that are granted are subject to the settings of the enterprise AD system.
    • For Linux cloud desktops, the regular user has the permissions to run all commands. When the regular user uses sudo to run commands, the password of the AD user is required.
  5. In the Configure Account System step, set Account Type to Enterprise AD account number and configure the parameters.
    The following table describes the related parameters.
    Parameter Description
    DNS Address The DNS address (private IP address) of the enterprise AD system.
    Note If the AD domain controller and DNS are deployed on the same server, you can enter the IP address of the server. Make sure that the IP address is accessible in the secure office network specified in the previous step.
    Domain Name The domain name of the enterprise AD system. Example: example.com.
    Connect to AD System as Subdomain Administrator If the enterprise AD system includes parent domains and subdomains, and you want to use a subdomain to connect to and manage AD directories, you can select this parameter. After you select this parameter, you must enter a subdomain name and a subdomain DNS address:
    • Subdomain Name: the domain name of the enterprise AD subdomain.
    • Subdomain DNS: the DNS address of the enterprise AD subdomain, which can be the same as the DNS address of the parent domain.
    Administrator Username, Administrator Password, and Confirm password The username and password of the domain administrator. If you select Connect to AD System as Subdomain Administrator, you must enter the username and password of the subdomain administrator.
    Notice The administrator username is the name of an AD administrator. For example, you can enter Administrator, which is the value of the sAMAccountName parameter. Do not use the value of userPrincipalName.
  6. Enable and configure Internet access based on your business requirements.
    • If you do not need to enable Internet access, click Create a workspace immediately without public network services.
    • If you need to enable Internet access, click Next: Access Public Network Settings. On the Configure Access to the Internet page, complete the configurations.
      1. Select Open public network access for desktop.
      2. Specify the maximum bandwidth value.
      3. Click Create workspace now.
    Note You can also enable and configure Internet access after the workspace is created. For more information, see Manage Internet access.
  7. Click Go to Secure Office Network to obtain the IP address of the AD connector.
    On the Secure office network page, find the created workspace. The IP address of the AD connector is displayed in the IP address column, as shown in the following figure.
    [Figure: AD connector]
  8. Configure the security group rules of the VPC to which the AD domain server and DNS server belong, and enable the required network ports.
    1. Log on to the VPC console.
    2. On the VPCs page, find the required VPC and click the ID of the VPC.
    3. On the Resources tab, click the number under Security Group.
    4. On the Security Groups page, find the required security group and click the ID of the security group.
    5. Configure security group rules.
      Configure the inbound rules for the security group based on the rules in the following table.
      Protocol type: Customized UDP
      Port or port range: 53, 88, 123, 137, 138, 389, 445, and 464
      Authorized object:
      • The IP address of the AD connector, that is, the connection address. Example: 172.16.XX.XX/32.
      • The IPv4 CIDR block of the workspace of the enterprise AD account type. Example: 192.168.XX.XX/24.

      Protocol type: Custom TCP
      Port or port range:
      • 53
      • Port 88 to port 65535
      Authorized object:
      • The IP address of the AD connector, that is, the connection address. Example: 172.16.XX.XX/32.
      • The IPv4 CIDR block of the workspace of the enterprise AD account type. Example: 192.168.XX.XX/24.
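The following script is an added example, not part of the original page or of the EDS product: it applies the inbound rules from the table above with the Alibaba Cloud CLI (`aliyun`), which is assumed to be installed and configured with credentials. The region, security group ID, connector IP and workspace CIDR are constructed placeholders; only the connector /32 and the workspace CIDR are authorized, nothing wider.

```powershell
# Added example (not from the page): apply the inbound security group rules
# from the table above with the Alibaba Cloud CLI. Assumes `aliyun` is installed
# and configured. All values below are constructed placeholders.
$RegionId        = "cn-hangzhou"                # placeholder: your region
$SecurityGroupId = "sg-xxxxxxxxxxxxxxxxxxxx"    # placeholder: security group of the AD/DNS VPC
$Sources = @(
    "172.16.0.10/32",    # constructed sample: AD connector IP from Step 1, item 7
    "192.168.10.0/24"    # constructed sample: IPv4 CIDR block of the AD-type workspace
)
# Rule set from the page: per-port UDP, then TCP 53 and TCP 88 to 65535.
$Rules = @(
    foreach ($p in 53, 88, 123, 137, 138, 389, 445, 464) {
        @{ Protocol = "udp"; PortRange = "$p/$p" }
    }
    @{ Protocol = "tcp"; PortRange = "53/53" }
    @{ Protocol = "tcp"; PortRange = "88/65535" }
)
foreach ($src in $Sources) {
    foreach ($r in $Rules) {
        Write-Host "Allow $($r.Protocol) $($r.PortRange) from $src"
        aliyun ecs AuthorizeSecurityGroup `
            --RegionId $RegionId `
            --SecurityGroupId $SecurityGroupId `
            --IpProtocol $($r.Protocol) `
            --PortRange $($r.PortRange) `
            --SourceCidrIp $src `
            --Policy accept `
            --Description "EDS AD connector"
        # Stop on the first failure so a partial rule set is not left unnoticed.
        if ($LASTEXITCODE -ne 0) {
            throw "AuthorizeSecurityGroup failed: $($r.Protocol) $($r.PortRange) from $src"
        }
    }
}
```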

Step 2: Configure DNS to enable zone transfer

You must enable zone transfer for the DNS addresses of the domains of your enterprise AD system.
  • If your enterprise AD system includes one or more domains (parent domain and subdomains) that correspond to a single DNS address, you must enable zone transfer for this DNS address.
  • If your enterprise AD system includes multiple domains (parent domain and subdomains) that correspond to different DNS addresses, you must enable zone transfer for the DNS address of each domain.
  1. Log on to the DNS server corresponding to the enterprise AD domain.
  2. Open the DNS manager.
    1. Open the server manager and select DNS in the left-side navigation pane.
    2. In the right-side server list, right-click the server and select DNS Manager.
    Note In this example, Windows Server 2016 is used to demonstrate how to open the DNS manager. This process may vary if your server runs a different operating system.
  3. In the DNS Manager dialog box, click Forward Lookup Zones.
  4. Repeat the following steps to configure the properties for the msdcs zone and the domain zone under Forward Lookup Zones.
    1. Right-click a zone and select Properties.
    2. On the Zone Transfers tab of the Properties dialog box, select Allow zone transfers and then select To any server.
      Note If you do not want to set Allow zone transfers to To any server for security reasons, set Allow zone transfers to Only to the following servers and add the IP address of the AD connector to the allowed server list. Zone transfers are then permitted only to the AD connector.
    3. Click OK.
    [Figure: Configure the enterprise AD system]
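The same zone transfer setting can be applied from PowerShell on the DNS server. This is an added example, not from the page: it uses the DnsServer module to allow transfers of the domain zone and its _msdcs zone only to the AD connector (the restricted option from the note above) and then reads the setting back. The domain name and connector IP are constructed sample values.

```powershell
# Added example (not from the page): enable zone transfers for the domain zone
# and the _msdcs zone, restricted to the AD connector, then verify.
# Run in an elevated PowerShell session on the DNS server (DnsServer module).
$Domain      = "example.com"   # constructed sample: enterprise AD domain name
$ConnectorIp = "172.16.0.10"   # constructed sample: AD connector IP from Step 1, item 7

$Zones = @($Domain, "_msdcs.$Domain")
foreach ($zone in $Zones) {
    $z = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
    if (-not $z) { throw "Zone '$zone' not found on this DNS server" }
    # TransferToSecureServers = "Only to the following servers" in DNS Manager.
    # Use -SecureSecondaries TransferAnyServer instead if you want "To any server".
    Set-DnsServerPrimaryZone -Name $zone `
        -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $ConnectorIp
}

# Verify: each zone should show TransferToSecureServers with the connector listed.
foreach ($zone in $Zones) {
    Get-DnsServerZone -Name $zone |
        Select-Object ZoneName, SecureSecondaries,
            @{ n = 'SecondaryServers'; e = { $_.SecondaryServers -join ',' } }
}
```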

Step 3: Configure the conditional forwarder of the DNS server

You must configure the conditional forwarder for the DNS addresses of the domains of your enterprise AD system.
  • If your enterprise AD system includes one or more domains (parent domain and subdomain) that correspond to a single DNS address, you must configure the conditional forwarder for this DNS address.
  • If your enterprise AD system includes multiple domains (parent domain and subdomain) that correspond to different DNS addresses, you must configure the conditional forwarder for the DNS address of each domain.
  1. Log on to the DNS server corresponding to the enterprise AD domain.
  2. Open the DNS manager.
    1. Open the server manager and select DNS in the left-side navigation pane.
    2. In the right-side server list, right-click the server and select DNS Manager.
    Note In this example, Windows Server 2016 is used to demonstrate how to open the DNS manager. This process may vary if your server runs a different operating system.
  3. In the DNS Manager dialog box, right-click Conditional Forwarders and select New Conditional Forwarder.
  4. Enter the domain name and IP address.
    Enter ecd.acs as the domain name and enter the IP address of the AD connector that is obtained in Step 1.
    [Figure: Configure DNS]
  5. Click OK.
  6. Run the following command in Command Prompt to check the network connection:
    nslookup ecd.acs

    If the IP address of the AD connector (the connection address) is returned, the conditional forwarder is configured. If an error message is returned, check whether the conditional forwarder is correctly configured.
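Added example, not from the page: the conditional forwarder from Step 3 created with the DnsServer module, followed by the same check as the nslookup step, done with Resolve-DnsName against the local server. The connector IP is a constructed sample value; re-running the script re-points an existing ecd.acs forwarder instead of failing.

```powershell
# Added example (not from the page): create or update the ecd.acs conditional
# forwarder that points at the AD connector, then verify resolution.
# Run in an elevated PowerShell session on the DNS server (DnsServer module).
$ConnectorIp = "172.16.0.10"   # constructed sample: AD connector IP from Step 1, item 7
$Zone        = "ecd.acs"       # forwarder domain name from Step 3

$existing = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
if ($existing) {
    # Re-point an existing forwarder rather than failing on a duplicate zone.
    Set-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $ConnectorIp
} else {
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $ConnectorIp
}

# Clear local caches so the check below is not answered from stale records.
Clear-DnsServerCache -Force
Clear-DnsClientCache

# Equivalent of `nslookup ecd.acs`: the A answer should contain the connector IP.
$answer = Resolve-DnsName -Name $Zone -Type A -Server 127.0.0.1 -ErrorAction Stop
$ips = $answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
if ($ips -contains $ConnectorIp) {
    "Conditional forwarder OK: $Zone -> $($ips -join ', ')"
} else {
    throw "Unexpected answer for $Zone ($($ips -join ', ')); check the forwarder"
}
```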

Execution results

After the preceding configurations are complete, you can use one of the following methods to check whether the workspace is created:
  • On the Overview page of the Elastic Desktop Service (EDS) console, find the created workspace, click the workspace ID to go to the workspace details page, and then check whether the workspace is in the Registered state.
  • On the Secure office network page of the EDS console, find the network of the created workspace and check whether the network is in the Registered state.

FAQ

After the configuration is complete, you can click View Registration Logs in the upper-right corner of the workspace details page to view error information. If you are prompted to clear the DNS cache, you can restart the AD domain server, or log on to the DNS server and run the following commands in PowerShell to clear the DNS cache:
  • Clear cached resource records of the DNS server
    Clear-DnsServerCache -Force
  • Clear cached contents of the DNS client
    Clear-DnsClientCache
Note If the created workspace is stuck in the Registering state, the registration fails. Check whether the workspace, the AD domain server, and the DNS server are correctly configured. For more information, see What do I do if I fail to register my AD workspace?