
WUYING Workspace:Create and manage an enterprise AD office network

Last Updated:Apr 08, 2024

WUYING Workspace (Pro Edition) supports convenience accounts and enterprise Active Directory (AD) accounts. When you create office networks (formerly workspaces), you can specify the account types of the office networks. This topic describes how to create an office network of the enterprise AD account type (hereinafter referred to as an enterprise AD office network).

Billing

Enterprise AD office networks connect to enterprise AD systems by using an AD connector. You are charged for using AD connectors on a pay-as-you-go basis based on the usage duration and the unit price of the AD connector you use. For more information about prices of AD connectors of different types, see the AD Connector Price section on the Pricing page in the WUYING Workspace portal.

If you want to stop the billing of AD connectors, delete the corresponding enterprise AD office networks. For more information, see the "Delete an AD office network" section of the Create and configure an AD office network topic.

Prerequisites

  • An enterprise AD system is deployed. If you deploy the AD domain controller and the Domain Name System (DNS) server on different servers, make sure that the DNS address configured on the AD domain controller is set to the IP address of the DNS server.

  • A Cloud Enterprise Network (CEN) instance is created, and the virtual private cloud (VPC) of the enterprise AD system and the enterprise AD office network are attached to the CEN instance. For more information about how to create a CEN instance, see the "Step 1: Create a CEN instance" section of the Use CEN and Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks topic.

    Note

    If the AD domain controller and DNS server are deployed in an on-premises data center, you must use Express Connect (circuits), Smart Access Gateway (SAG), or VPN Gateway to establish a connection between the on-premises network and the cloud network. For more information, see Select a private network service.

  • Specific ports are opened. The VPC that the enterprise AD office network uses must be able to reach the following ports on the AD domain controller. Make sure that the ports are opened on the AD domain controller, on the DNS server, and in any security software in the path. For every port, the authorization object (the permitted source) is the IPv4 CIDR block of the office network. Example: 192.168.XX.XX/24.

    Custom User Datagram Protocol (UDP):

    • 53: DNS

    • 88: Kerberos

    • 123: Windows Time

    • 137: NETBIOS

    • 138: NETBIOS

    • 389: LDAP

    • 445: CIFS

    • 464: Password change or reset based on Kerberos

    Custom Transmission Control Protocol (TCP):

    • 53: DNS

    • 88: Kerberos

    • 135: Replication

    • 389: LDAP

    • 443: HTTPS

    • 445: SMB/CIFS

    • 636: LDAP SSL

    • 9389: PowerShell

    • 49152 to 65535: RPC

    • 3268 to 3269: Lightweight Directory Access Protocol (LDAP) Global Catalog (GC) and LDAP GC Secure Sockets Layer (SSL)
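The following script is an added example for checking the port list above; it is not part of the WUYING Workspace documentation or product. Run it from a host inside the VPC of the office network and pass the address of the AD domain controller as the first argument (the 192.0.2.10 default is a placeholder, not a real controller). Only the individually listed TCP ports are probed: a silent UDP port looks the same whether it is open or filtered, and the RPC dynamic range only has listeners on the few ports that the endpoint mapper hands out, so both are reported as "verify in your security group rules" instead.

```python
"""Reachability check for the domain controller ports an enterprise AD
office network needs. Added example, not documentation or product code."""
import socket
import sys
from typing import Dict, List, Tuple

# (protocol, first port, last port, service), transcribed from the prerequisites list.
REQUIRED_PORTS: List[Tuple[str, int, int, str]] = [
    ("udp", 53, 53, "DNS"),
    ("udp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "Windows Time"),
    ("udp", 137, 137, "NETBIOS"),
    ("udp", 138, 138, "NETBIOS"),
    ("udp", 389, 389, "LDAP"),
    ("udp", 445, 445, "CIFS"),
    ("udp", 464, 464, "Password change or reset based on Kerberos"),
    ("tcp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos"),
    ("tcp", 135, 135, "Replication"),
    ("tcp", 389, 389, "LDAP"),
    ("tcp", 443, 443, "HTTPS"),
    ("tcp", 445, 445, "SMB/CIFS"),
    ("tcp", 636, 636, "LDAP SSL"),
    ("tcp", 3268, 3269, "LDAP GC and LDAP GC SSL"),
    ("tcp", 9389, 9389, "PowerShell"),
    ("tcp", 49152, 65535, "RPC"),
]

# Ranges at least this wide are not probed port by port (the RPC dynamic range
# has listeners only on ports assigned at runtime, so a per-port probe would
# report false failures).
MAX_PROBED_RANGE = 16


def tcp_ports_to_probe() -> List[Tuple[int, str]]:
    """Expand the narrow TCP entries into individual (port, service) pairs."""
    ports: List[Tuple[int, str]] = []
    for proto, first, last, service in REQUIRED_PORTS:
        if proto == "tcp" and last - first < MAX_PROBED_RANGE:
            ports.extend((p, service) for p in range(first, last + 1))
    return ports


def skipped_entries() -> List[Tuple[str, int, int, str]]:
    """Entries a TCP connect() cannot judge: all UDP ports and the wide RPC range."""
    return [e for e in REQUIRED_PORTS
            if e[0] != "tcp" or e[2] - e[1] >= MAX_PROBED_RANGE]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake with host:port completes within the timeout.

    A refused connection means packets arrive but nothing listens; a timeout
    usually means a security group, firewall or missing route drops them.
    Both block the office network, so both are reported as unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_controller(host: str, timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every individually listed TCP port; returns {port: reachable}."""
    return {port: tcp_port_open(host, port, timeout) for port, _ in tcp_ports_to_probe()}


def unreachable_ports(results: Dict[int, bool]) -> List[int]:
    """Sorted list of the ports that failed the probe."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    results = check_domain_controller(dc)
    services = dict(tcp_ports_to_probe())
    for port, ok in sorted(results.items()):
        print(f"tcp/{port:<5} {services[port]:<28} {'reachable' if ok else 'UNREACHABLE'}")
    for proto, first, last, service in skipped_entries():
        print(f"{proto}/{first}-{last} {service}: not probed, verify in the security group rules")
    if unreachable_ports(results):
        sys.exit(1)
```

A non-zero exit code makes the script usable as a gate before you click Create Office Network; a timeout on every port usually points at the CEN attachment or the security group rather than at the domain controller itself.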

Create an office network

  1. Log on to the WUYING Workspace (Pro Edition) console.

  2. In the left-side navigation pane, choose Network & Storage > Office Network (Formerly Workspace).

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Network (Formerly Workspace) page, click Create Office Network.

  5. In the Create Office Network panel, select Advanced Office Network, configure parameters as prompted, and then click Next: Configure Account System. The following parameters are available.

    Region

    The region where you want to create the office network. For more information about the supported regions and limits, see the "Region" section of the Limits topic.

    Name

    The name of the office network. Follow the on-screen instructions to specify a name.

    IPv4 CIDR Block

    When you create cloud computers in an office network, the system automatically assigns IP addresses to the cloud computers from the CIDR block of the VPC that is used by the office network. The number of IP addresses varies based on the CIDR block. For more information, see Plan a CIDR block.

    By default, the CIDR block of the virtual private cloud (VPC) that the office network uses must be one of the following IPv4 CIDR blocks or a subnet of one of them:

    • 192.168.0.0/16

    • 10.0.0.0/12

    • 172.16.0.0/12

    If you want to use a custom IPv4 CIDR block, submit a ticket to contact Alibaba Cloud technical support.

    Connection Method

    When you create an office network, you must specify the method that end users use to connect to cloud computers from WUYING clients. The following connection methods are provided:

    • Internet (default): End users can connect to the cloud computers only over the Internet. If you select this method, on-premises machines that are used to connect to the cloud computers must be able to access the Internet.

    • VPC: End users can connect to the cloud computers only over a VPC. If you select this method, you must attach the office network to a Cloud Enterprise Network (CEN) instance. In addition, you must use Express Connect (circuits), Smart Access Gateway (SAG), or VPN Gateway to establish a connection between the on-premises and cloud networks. For more information, see Attach to or detach from a CEN instance and Select a private network service.

    • VPC and Internet: End users can use both of the preceding connection methods.

    Note

    A VPC connection depends on PrivateLink, which is free of charge. If you select VPC or VPC and Internet, the system automatically activates PrivateLink.

    Attach to CEN

    If you set the Connection Method parameter to VPC, you must set this parameter to Yes. To attach the VPC to Cloud Enterprise Network, you can select a CEN instance that belongs to the current Alibaba Cloud account or to another Alibaba Cloud account.

    Note

    If you connect an on-premises network to the cloud by using Smart Access Gateway, Express Connect, or VPN Gateway, you must attach the office network to the same CEN instance as that of the on-premises network.

    To ensure that cloud computers in the office network can be used as expected, click Check after you specify a CEN instance. The system checks whether any route CIDR block of the CEN instance overlaps the IPv4 CIDR block of the office network. If the IPv4 CIDR blocks conflict, click View Conflict Details and Recommended CIDR Blocks. Then, specify another IPv4 CIDR block or another CEN instance.

  6. In the Account Type section, select Enterprise AD Account, configure parameters, and then click OK. The following parameters are available.

    Domain Name

    The AD domain name of your enterprise. Example: example.com.

    If a message appears indicating that the specified domain name is invalid, submit a ticket to contact Alibaba Cloud technical support.

    Domain Controller Hostname

    The hostname that you configure in the AD domain controller.

    • If the AD domain controller and DNS server are separately deployed on different servers, you must specify the domain controller hostname. This way, the system can identify the available domain controller, and the office network can be created.

    • If the AD domain controller and the DNS server are deployed on the same server, configure this parameter based on your business requirements.

    DNS Address

    The IP address of the DNS server that corresponds to the enterprise AD system.

    If the AD domain controller and the DNS server are deployed on the same server, you can enter the IP address of the AD domain controller. Make sure that the IP address can be accessed from the IPv4 CIDR block that you specified in the previous step.

    Local Administrator

    The local administrator of a cloud computer can download software and perform tasks that require the administrator permissions.

    If you select the Specify AD User as Local Administrator check box, users that are authorized to use cloud computers in the office network have the local administrator permissions.

    You can also configure a local administrator in the AD domain controller. For more information, see the "Configure users as local administrators" section of the Create and configure an AD office network topic.

    AD Connector Type

    You can select an AD connector type based on the number of cloud computers. The following types are supported:

    • General: suitable for scenarios in which at most 500 cloud computers (<500) are required.

    • Advanced: suitable for scenarios in which at least 500 cloud computers (≥500) are required.
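The CIDR rules from the IPv4 CIDR Block parameter and the overlap check from the Attach to CEN parameter can be run offline while you plan the office network. The script below is an added example, not code from the WUYING Workspace documentation or console: it tests whether a proposed block falls inside one of the default allowed blocks, lists the CEN routes that overlap it, and proposes a free block of the same size. The CEN routes in SAMPLE_CEN_ROUTES are constructed sample data; take real ones from the route table of your CEN instance. The selection order used by recommend_block is this example's own choice and is not how the console computes its recommended blocks.

```python
"""CIDR planning checks for an office network. Added example, not
documentation or console code."""
import ipaddress
from typing import List, Optional

# Default allowed blocks, exactly as the documentation lists them.
ALLOWED_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("192.168.0.0/16", "10.0.0.0/12", "172.16.0.0/12")]

# Constructed sample of route CIDRs learned by a CEN instance.
SAMPLE_CEN_ROUTES = ["192.168.0.0/24", "192.168.1.0/24", "10.1.0.0/16", "172.16.8.0/22"]


def is_allowed_block(cidr: str) -> bool:
    """True if cidr is one of the default blocks or a subnet of one.
    strict=True rejects values with host bits set, such as 192.168.1.5/24."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(allowed) for allowed in ALLOWED_BLOCKS)


def conflicting_routes(office_cidr: str, cen_routes: List[str]) -> List[str]:
    """CEN routes whose CIDR overlaps the proposed office network CIDR."""
    office = ipaddress.ip_network(office_cidr, strict=True)
    return [r for r in cen_routes if ipaddress.ip_network(r).overlaps(office)]


def recommend_block(prefixlen: int, cen_routes: List[str]) -> Optional[str]:
    """First subnet of the requested prefix length, inside the allowed blocks,
    that overlaps no CEN route; None if the request is larger than every
    allowed block or all candidates are taken."""
    routes = [ipaddress.ip_network(r) for r in cen_routes]
    for allowed in ALLOWED_BLOCKS:
        if prefixlen < allowed.prefixlen:
            continue  # requested block would be larger than the allowed block
        if prefixlen == allowed.prefixlen:
            candidates = [allowed]
        else:
            candidates = allowed.subnets(new_prefix=prefixlen)
        for cand in candidates:
            if not any(cand.overlaps(r) for r in routes):
                return str(cand)
    return None


def address_count(cidr: str) -> int:
    """Total addresses in the block; an upper bound for the number of cloud
    computers, since the exact usable count depends on the VPC (see Plan a
    CIDR block)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


if __name__ == "__main__":
    proposed = "192.168.0.0/23"
    print(proposed, "allowed:", is_allowed_block(proposed),
          "addresses:", address_count(proposed))
    clashes = conflicting_routes(proposed, SAMPLE_CEN_ROUTES)
    if clashes:
        print("conflicts with CEN routes:", clashes)
        print("recommended instead:", recommend_block(23, SAMPLE_CEN_ROUTES))
```

With the sample routes, 192.168.0.0/23 is rejected because it covers two existing /24 routes, and 192.168.2.0/23 is the first free block of the same size; this mirrors the conflict details the console shows when the Check step fails.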

After the office network is created, go to the Office Network (Formerly Workspace) page to view its status.

  • If the Configure users message appears in the Status column, the office network is created.

  • If the office network remains in the Registering state, go to the details page of the office network and view the actual status in the Basic Information section. If Failed to create the office network appears to the right of the Status parameter, check the following items: whether the office network and the AD domain server can reach each other over the network, whether the parameters that you configured are valid, and whether the DNS server that you configured for the AD domain controller is valid. If no exceptions are found, click Retry to create the office network again. For more information, see FAQ about AD office networks.

Configure users

  1. In the left-side navigation pane, choose Network & Storage > Office Network (Formerly Workspace).

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Office Network (Formerly Workspace) page, click the ID of the office network that you created in the previous section to go to the details page.

  4. In the Basic Information section of the details page, click Configure next to Status.

  5. In the Configure AD Domain panel, enter usernames and passwords of AD domain users.

    Note

    The users must have the permissions to join computers to the AD domain and to read user properties from the AD domain controller. This way, the system can add cloud computers in the office network to the AD domain and assign the cloud computers to the users.

  6. Click Verify to verify and obtain information about the organizational unit (OU) to which the users belong.

  7. If the verification passes, select the OU whose information you obtained in the previous step.

  8. Confirm the preceding configurations and click Close.

    If the office network enters the Registered state, you can create cloud computers or cloud computer pools in the office network.

Configure users as local administrators

Only local administrators of cloud computers can download software and perform tasks that require local administrator permissions on cloud computers. You can choose one of the following methods to configure users as local administrators: Method 1: Configure local administrators in the WUYING Workspace (Pro Edition) console, and Method 2: Configure local administrators in an AD domain controller.

Method 1: Configure local administrators in the WUYING Workspace (Pro Edition) console

  • How it works: When you create an enterprise AD office network, you can enable the local administrator feature by selecting the Specify AD User as Local Administrator check box. After you select the check box, all users who are authorized to use the cloud computers in the office network are local administrators of the cloud computers that reside in the office network.

  • Advantage: This method is suitable for granting local administrator permissions by office network. Users that are assigned cloud computers in an enterprise AD office network have the local administrator permissions on the cloud computers.

  • Disadvantage: This method cannot provide fine-grained permission control on users.

Method 2: Configure local administrators in an AD domain controller

  • Advantage: This method is suitable for granting local administrator permissions by user. You can grant the local administrator permissions to specific users. This method provides fine-grained permission control on users.

  • Disadvantage: You must configure local administrator permissions for domain users in the AD domain controller, and the configurations are complex.

  For more information, see How do I configure the local administrator permissions in my AD domain controller?

Manage an office network

You can perform the following operations after you create office networks:

Delete an office network

You can delete only office networks in which cloud computers are released. The system stops the billing on an AD connector only when the corresponding enterprise AD office network is deleted.

Warning

Before you delete an office network, make sure that you backed up important resources and data of cloud computers. You cannot restore deleted cloud computers. Proceed with caution.

  1. In the left-side navigation pane, choose Network & Storage > Office Network (Formerly Workspace).

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Office Network (Formerly Workspace) page, find the desired office network and click Delete in the Actions column.

  4. In the message that appears, read the message and click OK.

Configure a conditional forwarder and trust relationship

By default, new office networks use the Adaptive Streaming Protocol (ASP). For existing office networks that use the High-definition Experience (HDX) protocol, you must configure conditional forwarders and trust relationships before you use the office networks.

How to configure a conditional forwarder and a trust relationship

  1. Configure a conditional forwarder.

    On the Configure Conditional Forwarder page, log on to the DNS server of the AD domain as prompted and configure a conditional forwarder.

    Note

    • If your enterprise AD is added to a domain or to multiple domains (such as a parent domain and child domains) that share the same DNS server, you must configure a conditional forwarder on that DNS server.

    • If your enterprise AD is added to multiple domains that correspond to different DNS servers, you must configure a conditional forwarder on each DNS server.

    1. Launch DNS Manager.

      In this example, DNS Manager in Windows Server 2016 is used. If you use another OS, the steps may differ from those described here.

      1. Launch Server Manager. In the left-side navigation pane, select DNS.

      2. In the right-side server list, right-click the DNS server that you want to manage and select DNS Manager.

    2. In the DNS Manager dialog box, right-click Conditional Forwarders and select New Conditional Forwarder.

    3. Enter the domain name and the IP address of the DNS server, select the Store this conditional forwarder in Active Directory, and replicate it as follows check box, select All DNS servers in this domain, and then click OK.

      The domain name is ecd.acs, and the IP address is the connection address.

      Note

      In the AD Configuration section of the details page of the office network, find the Connection Address parameter and obtain the IP address.


    4. In the Administrator: Command Prompt window of the AD domain server, run the following command to check the network connectivity:

      nslookup ecd.acs

      • If the returned IP address is the connection address, the conditional forwarder is configured.

      • If an error message is returned, check whether the conditional forwarder is correctly configured and clear the DNS cache. For more information about how to clear the DNS cache, see FAQ about AD office networks.

  2. Log on to the AD domain controller and configure a trust relationship.

    If you do not configure a trust relationship for an enterprise AD office network, you can create only cloud computers that use the protocol configured for the office network. If you have configured a trust relationship, you can create both ASP-based and HDX-based cloud computers. In the following section, an HDX-based office network is used as an example.

    Note

    If you want to configure a trust relationship for an ASP-based office network, submit a ticket to Alibaba Cloud technical support.

    1. Launch Server Manager.

    2. In the upper-right navigation bar, choose Tools > Active Directory Rights Management Service.

    3. In the dialog box that appears, right-click the domain and click Properties.

    4. In the Properties dialog box, click the Trusts tab and then click New Trust.

    5. In the New Trust Wizard panel, configure parameters for the trust relationship.

      Configure the following parameters and retain the default values for other parameters.

      • Trust Name: Enter ecd.acs in the Name field.

      • Trust Type: Select External trust.

        Note

        If the External trust option is not available, run the following command in the Administrator: Command Prompt window to check network connectivity:

        nslookup ecd.acs

        • If the returned IP address (the IP address of the AD connector) is the connection address, the conditional forwarder is configured.

        • If an error message is returned, check whether the conditional forwarder is correctly configured and clear the DNS cache. For more information about how to clear the DNS cache, see FAQ about AD office networks.

      • Trust Password: Specify a password in the Trust password field and confirm the password. The password is required when you configure the AD domain in the WUYING Workspace console in subsequent steps. Make sure that you remember the password.

    6. Confirm the trust relationship that you configured in the preceding steps and click OK.


    7. In the WUYING Workspace (Pro Edition) console, go to the Configure Trust Relationship page, enter the trust password that you set when you configured the trust relationship, and then click Complete All Configurations.

What to do next

After you create the enterprise AD office network, perform the following operations based on your business requirements: