Cloud desktops in Elastic Desktop Service (EDS) are deployed inside workspaces. Inside a workspace, you can configure cloud desktop settings such as secure office networks, user account systems, and Internet access. User accounts are classified into convenience accounts and enterprise Active Directory (AD) accounts. You can connect to enterprise AD systems to obtain enterprise AD accounts. This topic describes how to connect to an enterprise AD system and create a workspace of the enterprise AD account type.

Prerequisites

  • An enterprise AD system is created.
    Note
    • If the enterprise AD system and Domain Name System (DNS) are deployed on the same server, make sure that the DNS address of this server is set to 127.0.0.1.
    • If the enterprise AD system and DNS are deployed on different servers, make sure that the DNS address of the AD domain server is set to the IP address of the DNS server.
  • A Cloud Enterprise Network (CEN) instance is created. The network of the enterprise AD system is attached to the CEN instance. For more information, see Create a CEN instance and Attach a network instance.
    Notice When you connect to the enterprise AD system, make sure that the private network of the enterprise AD system is connected to the secure office network that you specify when you create the workspace over CEN. If the AD domain server and DNS server are deployed in a data center, you must connect on-premises networks to off-premises networks by using Smart Access Gateway (SAG), Express Connect, or VPN Gateway.

Background information

A workspace in which cloud desktops are deployed is a collection of environment configurations. For more information, see Workspace overview.

To use an enterprise AD system, you create a workspace of the enterprise AD account type in the EDS console and then connect the workspace to the enterprise AD domain and DNS server. Perform the following steps:
  1. Step 1: Create a workspace
    1. Create a workspace of the enterprise AD account type in the EDS console.
    2. Configure a security group rule in the Elastic Compute Service (ECS) console.
  2. Step 2: Configure an AD domain
    1. Configure a conditional forwarder on the DNS server.
    2. Configure the trust relationship on the AD domain server.
    3. Enter the trust password and select an organizational unit (OU) in the EDS console.
Note When you connect to an enterprise AD system, you are charged for an AD connector. For more information, see Billing of AD connectors.

Step 1: Create a workspace

  1. Log on to the EDS console.
  2. In the left-side navigation pane, click Overview.
  3. On the Overview page, click Create workspace.
  4. In the Configure Secure Office Network step, configure the network parameters and click Next: Configure Account System.
    The following parameters are available.
    Select region
      The region where the workspace is created. For more information about the available regions and limits, see Regions.
    Workspace name
      The name of the workspace. We recommend that you use an identifiable name to facilitate future management. The naming conventions are provided on the configuration panel.
    IPv4 CIDR block
      The IPv4 CIDR block that the system uses to create a virtual private cloud (VPC). We recommend that you set the IPv4 CIDR block to 10.0.0.0/12, 172.16.0.0/12, 192.168.0.0/16, or a subnet of these CIDR blocks. If you set the IPv4 CIDR block to 10.0.0.0/12 or 172.16.0.0/12, the mask is 12 to 24 bits in length. If you set the IPv4 CIDR block to 192.168.0.0/16, the mask is 16 to 24 bits in length.
      Note When you create a cloud desktop in the workspace, the system assigns an IP address from the specified CIDR block to the cloud desktop. To prevent IP address conflicts between network instances that belong to the same CEN instance, we recommend that you specify a CIDR block based on your business requirements. Make sure that the number of available IP addresses in the CIDR block meets the number of cloud desktops that you want to create. The longer the mask, the fewer IP addresses the workspace contains, and the fewer cloud desktops you can create in the workspace.
    Connection Method
      The method that a client uses to connect to a cloud desktop. Valid values:
      • Internet: allows the client to connect to the cloud desktop only over the Internet.
      • VPC: allows the client to connect to the cloud desktop only over a VPC.
      • Internet and VPC: allows the client to connect to the cloud desktop over the Internet or a VPC. You can select a connection method based on your business requirements when you connect to a cloud desktop from a client.
      Note The VPC connection method depends on Alibaba Cloud PrivateLink. You can use PrivateLink for free. If you set Connection Method to VPC or Internet and VPC, PrivateLink is automatically activated.
    Cloud Enterprise Network
      Specifies whether to attach the workspace network to a CEN instance. This ensures network connectivity between the secure office network and the network of the enterprise AD system when EDS is connected to an enterprise AD system. Select Join, select a CEN instance, and then click Submit. Check that the CIDR block of the selected CEN instance does not overlap with the CIDR block of the workspace.
      Note You can select a CEN instance from this Alibaba Cloud account or another Alibaba Cloud account. If you select a CEN instance from another Alibaba Cloud account, you must enter a verification code for security purposes. After you click Get Verification Code, the system sends the code to the email address that is associated with the account.
    Local Administrator
      If you select Local Administrator, the permissions of the regular users to whom a cloud desktop in the workspace is assigned vary based on the OS of the cloud desktop:
      • For a Windows cloud desktop, regular users are granted local administrator permissions. However, the actual permissions are subject to the settings of the enterprise AD system.
      • For a Linux cloud desktop, regular users are granted permission to run all commands. When a regular user runs commands with sudo, the password of the AD user is required.
  5. In the Configure Account System step, set Account Type to Enterprise AD Account, configure the related parameters, and then click Create workspace now.
    The following parameters are available.
    DNS Address
      Enter the DNS address (private IP address) of the enterprise AD system.
      Note If the AD domain controller and the DNS server are deployed on the same server, you can enter the IP address of this server. Make sure that the IP address is reachable from the secure office network that you specified in the previous step.
    Domain Name
      Enter the domain name of the enterprise AD system. Example: example.com.
      Note If a message appears indicating that the domain name is invalid, submit a ticket.
    Connect to AD System as Subdomain Administrator
      If the enterprise AD system includes parent domains and subdomains, and you want to use a subdomain to connect to and manage AD directories, select this option. After you select it, you must enter a subdomain name and a subdomain DNS address:
      • Subdomain Name: the domain name of the enterprise AD subdomain.
      • Subdomain DNS: the DNS address of the enterprise AD subdomain. The DNS address can be the same as the DNS address of the parent domain.
  6. Click View Workspace Details. On the workspace details page, record the IP address of the AD connector.
    If the workspace is in the Not Configured state, you must configure the DNS conditional forwarder and the trust relationship as described in Step 2.
  7. Configure the security group rules for the VPC to which the AD domain server and DNS server belong, and enable the required network ports.
    1. Log on to the VPC console.
    2. On the VPCs page, find the required VPC and click the ID of the VPC.
    3. On the Resources tab, click the number in the lower part of Security Group.
    4. On the Security Groups page, find the security group for which you want to configure rules and click the ID of the security group.
    5. Configure security group rules.
      Configure inbound rules for the security group based on the following rules.
      Rule 1
        Protocol Type: Customized UDP
        Port Range: 53, 88, 123, 137, 138, 389, 445, and 464
        Authorized Object:
        • The IP address of the AD connector. The IP address is the connection address. Example: 172.16.XX.XX/32.
        • The IPv4 CIDR block of the AD workspace. Example: 192.168.XX.XX/24.
      Rule 2
        Protocol Type: Custom TCP
        Port Range:
        • 53
        • Ports 88 to 65535
        Authorized Object:
        • The IP address of the AD connector. The IP address is the connection address. Example: 172.16.XX.XX/32.
        • The IPv4 CIDR block of the AD workspace. Example: 192.168.XX.XX/24.
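      The same inbound rules applied with the Alibaba Cloud CLI instead of the console, as an added example that is not part of the EDS documentation. It assumes the aliyun CLI is installed with credentials configured; the region, security group ID, AD connector address and workspace CIDR are placeholders.

```powershell
# Added example (not from the EDS documentation): authorize the inbound rules
# from the table above with the aliyun CLI. Assumes the CLI is installed and has
# credentials configured. All values below are placeholders.
$RegionId        = "cn-hangzhou"           # placeholder: region of the VPC
$SecurityGroupId = "sg-xxxxxxxxxxxxxxxx"   # placeholder: security group of the AD/DNS servers
$AdConnectorIp   = "172.16.0.10/32"        # placeholder: AD connector address as a /32
$WorkspaceCidr   = "192.168.0.0/24"        # placeholder: IPv4 CIDR block of the workspace

# Port ranges exactly as in the table. The TCP range 88-65535 is wide, so the
# sources are kept to the connector /32 and the workspace CIDR only, never 0.0.0.0/0.
$Rules = @(
    @{ Proto = "udp"; Ports = @("53/53","88/88","123/123","137/137","138/138","389/389","445/445","464/464") },
    @{ Proto = "tcp"; Ports = @("53/53","88/65535") }
)

foreach ($rule in $Rules) {
    foreach ($port in $rule.Ports) {
        foreach ($source in @($AdConnectorIp, $WorkspaceCidr)) {
            # One inbound accept rule per protocol, port range and source.
            aliyun ecs AuthorizeSecurityGroup `
                --RegionId $RegionId `
                --SecurityGroupId $SecurityGroupId `
                --IpProtocol $rule.Proto `
                --PortRange $port `
                --SourceCidrIp $source `
                --Policy accept
            if ($LASTEXITCODE -ne 0) {
                throw "Failed to authorize $($rule.Proto) $port from $source"
            }
        }
    }
}
```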

Step 2: Configure an AD domain

  1. On the workspace details page of the EDS console, click Configure on the right side of Status.
  2. Following the instructions in the Configure AD Domain panel, log on to the DNS server of the AD domain and configure the conditional forwarder.
    Note
    • If your enterprise AD system has a single domain, or a parent domain and a subdomain that share the same DNS server, configure the conditional forwarder on that DNS server.
    • If your enterprise AD system has multiple domains (a parent domain and a subdomain) with different DNS servers, configure the conditional forwarder on each DNS server.
    1. Open DNS Manager.
      In this example, Windows Server 2016 is used to describe how to open DNS Manager. The process may vary if your server runs another OS.
      1. Open Server Manager. In the left-side navigation pane, select DNS.
      2. In the right-side server list, right-click the server and select DNS Manager.
    2. In the DNS Manager dialog box, right-click Conditional Forwarders and select New Conditional Forwarder.
    3. Enter the domain name and IP address, select Store this conditional forwarder in Active Directory, and replicate it as follows, and then select All DNS servers in this domain.
      Enter ecd.acs as the domain name and enter the IP address of the AD connector. You can obtain the IP address in the Configure AD Domain panel.
    4. Click OK.
    5. Run the following command in Command Prompt to check that the name resolves through the conditional forwarder:
      nslookup ecd.acs

      If the IP address of the AD connector is returned, the conditional forwarder is configured. If an error message is returned, check whether the conditional forwarder is correctly configured, and clear the DNS cache. For more information, see FAQ.
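      The same conditional forwarder created and verified with the DnsServer PowerShell module instead of DNS Manager, as an added example that is not part of the EDS documentation. It assumes you run it as an administrator on the Windows DNS server; the AD connector address is a placeholder for the value shown in the Configure AD Domain panel.

```powershell
# Added example (not from the EDS documentation): create the ecd.acs conditional
# forwarder with the DnsServer module and verify it the way nslookup does.
# Assumes an elevated session on the Windows DNS server; the IP is a placeholder.
$AdConnectorIp = "172.16.0.10"   # placeholder: AD connector IP from the Configure AD Domain panel

# -ReplicationScope Domain is the PowerShell equivalent of "Store this conditional
# forwarder in Active Directory ... All DNS servers in this domain".
if (-not (Get-DnsServerZone -Name "ecd.acs" -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name "ecd.acs" `
        -MasterServers $AdConnectorIp `
        -ReplicationScope "Domain"
}

# Drop stale answers first, then query the local server as nslookup ecd.acs would.
Clear-DnsServerCache -Force
Clear-DnsClientCache
$answer = Resolve-DnsName -Name "ecd.acs" -Type A -Server 127.0.0.1 -ErrorAction Stop
$addresses = ($answer | Where-Object { $_.Type -eq "A" }).IPAddress

if ($addresses -contains $AdConnectorIp) {
    "Conditional forwarder OK: ecd.acs -> $($addresses -join ', ')"
} else {
    throw "ecd.acs resolved to '$($addresses -join ', ')', expected $AdConnectorIp; recheck the forwarder"
}
```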

  3. In the Configure AD Domain panel of the EDS console, click Next.
  4. In the Configure AD Domain panel, follow the instructions to log on to the AD domain server and configure the trust relationship.
    1. Open Server Manager.
    2. In the upper-right corner, choose Tools > Active Directory Domains and Trusts.
    3. In the dialog box that appears, right-click the domain and select Properties.
    4. In the Properties dialog box, click the Trusts tab, and then click New Trust.
    5. Complete the trust configuration in the New Trust Wizard.
      Take note of the following parameters. For other parameters, retain the default values.
      • Name: Enter ecd.acs.
      • Trust Type: Select External trust.
      • Trust password: You can specify a custom password. The password is required when you configure the AD domain in the EDS console.
    6. Confirm the trust that you configured and click OK.
  5. In the Configure AD Domain panel of the EDS console, enter the trust password that you specified when you configured the trust relationship, and click Next.
  6. Select an OU.
    1. Select an OU from the AD domain.
    2. Enter the username and the password.
      The user that is configured must have permissions to join a computer to a domain. After you complete the configurations, the cloud desktop that you created in this workspace is added to the specified OU.
    3. Click Configuration completed.

Result

After you configure the preceding parameters, you can use one of the following methods to check whether the workspace of the enterprise AD account type is created:
  • On the Overview page of the EDS console, find the desired workspace, click the workspace ID to go to the workspace details page, and then check whether the workspace is in the Registered state.
  • On the Secure office network page of the EDS console, find the network of the workspace and check whether the network is in the Registered state.
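  Server-side checks that complement the console checks above, covering the trust from Step 2 and the OU and join account selected in the last step, as an added example that is not part of the EDS documentation. It assumes the ActiveDirectory module is available on the AD domain server; the OU distinguished name and account name are placeholders.

```powershell
# Added example (not from the EDS documentation): verify on the AD domain server
# that the ecd.acs trust and the target OU exist, and that the join account is
# not more privileged than joining computers requires. Placeholders below.
Import-Module ActiveDirectory
$OuDn        = "OU=CloudDesktops,DC=example,DC=com"   # placeholder: OU selected in the EDS console
$JoinAccount = "eds-join"                              # placeholder: username entered in the EDS console

# 1. The external trust created in the New Trust Wizard is named ecd.acs.
$trust = Get-ADTrust -Filter "Name -eq 'ecd.acs'" -ErrorAction Stop
if (-not $trust) { throw "No trust named ecd.acs found; repeat the New Trust Wizard step" }
"Trust ecd.acs: Direction=$($trust.Direction) TrustType=$($trust.TrustType)"

# 2. The OU that new cloud desktops are joined to must exist.
$ou = Get-ADOrganizationalUnit -Identity $OuDn -ErrorAction Stop
"OU found: $($ou.DistinguishedName)"

# 3. The account only needs the right to join computers to that OU. Flag it if it
#    sits in a built-in privileged group, which is more than the job requires.
$privileged = @("Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins")
$groups  = (Get-ADPrincipalGroupMembership -Identity $JoinAccount).Name
$overlap = $groups | Where-Object { $privileged -contains $_ }
if ($overlap) {
    Write-Warning "$JoinAccount is a member of $($overlap -join ', '); use a delegated join account instead"
} else {
    "$JoinAccount is not in a built-in privileged group"
}
```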

FAQ

After the configuration is complete, you can click View Registration Logs in the upper-right corner of the workspace details page to view error messages. If you are prompted to clear the DNS cache, you can restart the AD domain server. You can also log on to the DNS server and run the following commands in PowerShell to clear the DNS cache:
  • Clear resource records from the DNS server cache.
    Clear-DnsServerCache -Force
  • Clear contents of the DNS client cache.
    Clear-DnsClientCache
Note If the workspace is in the Registering state for a long time, the registration fails. Check whether the workspace of the enterprise AD account type, the AD domain server, and the DNS server are correctly configured. For more information, see What do I do if I fail to register the workspace of the enterprise AD account type?