Symptoms

A workspace of the enterprise Active Directory (AD) account type cannot be created: the workspace stays in the Registering or Not Configured state.

Causes

Registration of the workspace of the enterprise AD account type (the AD workspace for short) with the enterprise AD system may fail for one of the following reasons:
  • The parameter settings are invalid when you create the AD workspace.
  • The network between the AD system of the enterprise and the AD workspace is disconnected.
  • The Domain Name System (DNS) server specified on the AD domain server is invalid.
  • The required ports are not enabled in the security group of the virtual private cloud (VPC) to which the AD domain server and DNS server belong.
  • The configurations of the DNS conditional forwarder are invalid.

Solutions

  1. Check whether the parameters are correctly configured when you create the AD workspace to connect to the AD system of the enterprise.
    1. Log on to the Elastic Desktop Service (EDS) console.
    2. On the Overview page, find the required workspace and click the workspace ID.
    3. On the workspace details page, check whether the parameter configurations are valid. Take note of the following configurations:
      • The domain name is in correct format. Example: example.com.
      • The DNS address is a private IP address. Example: 192.168.XX.XX.

      If the parameter configurations are invalid, create the workspace again to complete the configurations.

  2. Check whether the private network of the enterprise AD system is connected to the secure office network of the AD workspace by using Cloud Enterprise Network (CEN).
    Note If the AD domain server and DNS server are deployed in a data center, you must connect the on-premises network to Alibaba Cloud by using Smart Access Gateway (SAG), Express Connect, or VPN Gateway.
    1. Log on to the AD domain server.
    2. Run the following command in Command Prompt to check the network connection, replacing the placeholder with the actual address:
      ping <IP address of the AD connector>
      You can obtain the IP address of the AD connector from the Secure office network page in the EDS console. If the ping fails, add the VPC to which the AD domain server and DNS server belong, and the VPC that corresponds to the secure office network of the AD workspace, to the CEN instance. Perform the following operations to add the VPCs to the CEN instance:
      • For the VPC to which the AD domain server and DNS server belong:

        On the Instances page of the CEN console, click the ID of the required CEN instance. Then, click Attach Network to complete the relevant configurations in the displayed panel.

      • For the VPC that corresponds to the secure office network of the AD workspace:

        On the Secure office network page of the EDS console, click Join the cloud enterprise network. In the dialog box that appears, complete the configurations.

  3. Check whether the DNS server configurations for the AD domain server are valid.
    In this example, Windows Server 2016 is used to demonstrate how to verify the DNS settings. If your server runs another operating system, available DNS settings vary.
    1. Log on to the AD domain server of the enterprise.
    2. Open Network and Sharing Center.
    3. Click the network that is being used. In the dialog box that appears, click Properties.
    4. Double-click Internet Protocol Version 4 (TCP/IPv4) to open the Properties dialog box.
    5. Check whether a DNS server is specified and whether the IP address is correct.
      If AD and DNS are deployed on the same server, make sure that the DNS address of this server is set to 127.0.0.1. If AD and DNS are deployed on different servers, make sure that the DNS address of the AD domain server is set to the IP address of the DNS server.
  4. Check whether the required network ports are enabled in the security group of the VPC to which the AD domain server and DNS server belong.
    1. Log on to the VPC console.
    2. On the VPCs page, find the VPC that you want to manage, and click the ID of the VPC.
    3. On the Resources tab, click the number under Security Group.
    4. On the Security Groups page, find the required security group and click the security group ID.
    5. Check and configure the inbound rules of the security group.
      The inbound rules must contain the following entries:
      Protocol type: Custom UDP
        Port range: 53, 88, 123, 137, 138, 389, 445, and 464
        Authorization object:
        • The IP address of the AD connector, which is the connection address. Example: 172.16.XX.XX/32.
        • The IPv4 CIDR block of the workspace of the enterprise AD account type. Example: 192.168.XX.XX/24.
      Protocol type: Custom TCP
        Port range: 53, and 88 to 65535
        Authorization object:
        • The IP address of the AD connector, which is the connection address. Example: 172.16.XX.XX/32.
        • The IPv4 CIDR block of the workspace of the enterprise AD account type. Example: 192.168.XX.XX/24.
  5. Check whether the DNS conditional forwarder is configured correctly.
    1. Log on to the DNS server.
    2. Run the following command in Command Prompt to check whether the configurations of the DNS conditional forwarder are correct:
      nslookup ecd.acs

      If the IP address of the AD connector is returned, the configuration of the conditional forwarder is correct. If an error message is returned, reconfigure the conditional forwarder.

  6. On the Overview page of the EDS console, refresh the workspace information and check whether the status changes to Registered.

    When you create the AD workspace to connect to the AD system of the enterprise, EDS automatically retries the connection. If the AD workspace remains in the Registering or Not Configured state after troubleshooting, the number of retries may exceed the upper limit. In this case, delete the created AD workspace, recreate an AD workspace, and complete the configurations. For more information, see Create a workspace of the enterprise AD account type.

    Note If the issue persists, submit a ticket.
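The checks in steps 2 to 5 can be run from one place. The following PowerShell script is an added example, not part of the original article or of EDS itself. It assumes it is run in an elevated session on the enterprise AD domain server (Windows Server 2016) with AD and DNS on the same server, so the DnsServer module is available locally and the expected DNS address is 127.0.0.1. The AD connector address used below is a constructed placeholder; replace it with the connection address shown on the Secure office network page.

```powershell
# Added example, not from the original article. Run on the AD domain server
# (AD and DNS on the same server) to verify steps 2 to 5 of the troubleshooting
# procedure. Prints one PASS/FAIL row per check with the observed value.
param(
    [string]$AdConnectorIp = '172.16.0.10',  # constructed placeholder: take the real value from the EDS console
    [string]$ExpectedDns   = '127.0.0.1'     # expected DNS client address when AD and DNS share this server
)

$results = @()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{
        Check  = $Check
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    }
}

# Step 2: network path to the AD connector (same test as "ping <AD connector IP>").
$reachable = Test-Connection -ComputerName $AdConnectorIp -Count 2 -Quiet -ErrorAction SilentlyContinue
Add-Result 'Step 2: AD connector reachable (ICMP)' $reachable "ping $AdConnectorIp"

# Step 3: the IPv4 DNS client address of the active adapter(s) must be the expected DNS server.
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object -ExpandProperty ServerAddresses
Add-Result 'Step 3: DNS client points at expected server' ($dnsServers -contains $ExpectedDns) `
    ('configured: ' + ($dnsServers -join ', '))

# Step 4, local side only: the services behind the ports listed in the security group
# table are listening on this server. This does not read the VPC security group; it
# confirms the server would answer once the inbound rules admit the traffic.
$udpRequired  = 53, 88, 123, 137, 138, 389, 445, 464          # UDP ports from the table
$tcpRequired  = 53, 88, 389, 445, 464                         # fixed AD/DNS TCP ports inside 53 and 88-65535
$tcpListening = Get-NetTCPConnection -State Listen | Select-Object -ExpandProperty LocalPort -Unique
$udpListening = Get-NetUDPEndpoint | Select-Object -ExpandProperty LocalPort -Unique
$udpMissing   = @($udpRequired | Where-Object { $udpListening -notcontains $_ })
$tcpMissing   = @($tcpRequired | Where-Object { $tcpListening -notcontains $_ })
Add-Result 'Step 4: required UDP ports listening locally' ($udpMissing.Count -eq 0) ('missing: ' + ($udpMissing -join ', '))
Add-Result 'Step 4: required TCP ports listening locally' ($tcpMissing.Count -eq 0) ('missing: ' + ($tcpMissing -join ', '))

# Step 5: a conditional forwarder zone for ecd.acs exists, and ecd.acs resolves to the
# AD connector address (equivalent to "nslookup ecd.acs").
$fwdZone = Get-DnsServerZone -Name 'ecd.acs' -ErrorAction SilentlyContinue
$fwdOk   = [bool]($fwdZone -and $fwdZone.ZoneType -eq 'Forwarder')
Add-Result 'Step 5: ecd.acs conditional forwarder zone present' $fwdOk ('master servers: ' + ($fwdZone.MasterServers -join ', '))

$resolved = Resolve-DnsName -Name 'ecd.acs' -Type A -Server $ExpectedDns -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
Add-Result 'Step 5: ecd.acs resolves to AD connector' ($resolved -contains $AdConnectorIp) ('answers: ' + ($resolved -join ', '))

$results | Format-Table -AutoSize
```

A FAIL in the step 2 row points at the CEN attachment in step 2; a FAIL in step 3 at the adapter's DNS address; a FAIL in step 5 at the conditional forwarder. The step 4 rows only tell you the server is listening, so the security group rules in the table still have to be checked in the VPC console.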