Cloud desktops in Elastic Desktop Service (EDS) are deployed in workspaces. In a workspace, you can configure cloud desktop settings such as secure office networks, user account systems, and Internet access. User accounts are classified into convenience accounts and enterprise Active Directory (AD) accounts. To create enterprise AD accounts, you must connect to enterprise AD systems. This topic describes how to connect to an enterprise AD system and create a workspace of the enterprise AD account type.

Prerequisites

  • An enterprise AD system is created.
    Note
    • If you deploy an AD domain controller and a Domain Name System (DNS) server on the same server, make sure that the DNS address of this server is set to 127.0.0.1.
    • If you deploy an AD domain controller and a DNS server on different servers, make sure that the DNS address of the AD domain controller is set to the IP address of the DNS server.
  • A Cloud Enterprise Network (CEN) instance is created. The network of the enterprise AD system is attached to the CEN instance. For more information, see Create a CEN instance and Attach a network instance.
    Notice When you create a workspace, you must specify a secure office network. When you connect to the enterprise AD system, make sure that the private network of the enterprise AD system is connected to the secure office network over CEN. If you deploy an AD domain controller and DNS server in a data center, you must connect on-premises networks to off-premises networks by using Smart Access Gateway (SAG), Express Connect, or VPN Gateway.

Background information

A workspace in which cloud desktops are deployed is a collection of environment configurations. For more information, see Workspace overview.

After you create a workspace of the enterprise AD account type, you must connect to the enterprise AD system. In addition, you must configure the enterprise AD domain and the DNS server. Perform the following steps:
  1. Step 1: Create a workspace
    1. In the EDS console, create a workspace of the enterprise AD account type.
    2. In the Elastic Compute Service (ECS) console, configure rules for a security group.
  2. Step 2: Configure an AD domain
    1. Configure a conditional forwarder on the DNS server.
    2. Configure a trust relationship on the AD domain controller.
    3. In the EDS console, enter the trust password and select an organizational unit (OU).
Note When you connect to an enterprise AD system by using an AD connector, you are charged for the AD connector. For more information, see Billing of AD connectors.

Step 1: Create a workspace

  1. Log on to the EDS console.
  2. In the left-side navigation pane, click Overview.
  3. On the Overview page, click Create workspace.
  4. In the Configure Secure Office Network step, configure the network parameters and click Next: Configure Account System.
    The following table describes the parameters.
    Parameter Description
    Select region The region where the workspace resides. For more information about the available regions and their limits, see the corresponding topic.
    Workspace name The name of the workspace. We recommend that you specify a name that is easy to identify. Follow the on-screen instructions to specify the name.
    IPv4 CIDR block The IPv4 CIDR block that the system uses to create a virtual private cloud (VPC) for the workspace. We recommend that you set the IPv4 CIDR block to 10.0.0.0/12, 172.16.0.0/12, 192.168.0.0/16, or a subnet of these CIDR blocks. If you set the IPv4 CIDR block to 10.0.0.0/12 or 172.16.0.0/12, the mask is 12 to 24 bits in length. If you set the IPv4 CIDR block to 192.168.0.0/16, the mask is 16 to 24 bits in length.
    Note When you create a cloud desktop in the workspace, the system assigns the cloud desktop an IP address from the specified CIDR block. To prevent the specified CIDR block from overlapping with the CIDR blocks of other network instances that belong to the same CEN instance, specify a CIDR block based on your business requirements. Make sure that the number of available IP addresses in the CIDR block meets the number of cloud desktops that you want to create. The longer the mask, the fewer IP addresses the workspace contains, and the fewer cloud desktops you can create in the workspace.
    Connection Method The method that is used to connect to a cloud desktop from a client. Valid values:
    • Internet: allows the client to connect to the cloud desktop only over the Internet.
    • VPC: allows the client to connect to the cloud desktop only over a VPC.
    • Internet and VPC: allows the client to connect to the cloud desktop over the Internet or a VPC. You can select a connection method based on your business requirements.
    Note VPC connections are established by using Alibaba Cloud PrivateLink. You can use PrivateLink for free. If you set Connection Method to VPC or Internet and VPC, PrivateLink is automatically activated.
    Cloud Enterprise Network When a workspace is connected to an enterprise AD system, you must attach the workspace network to a CEN instance. This ensures network connectivity between the secure office network and the network of the enterprise AD system. Select Join, select a CEN instance, and then click Submit. Make sure that the CIDR block of the selected CEN instance does not overlap with the CIDR block of the workspace.
    Note You can select a CEN instance from your Alibaba Cloud account or other Alibaba Cloud accounts. If you select a CEN instance from a different Alibaba Cloud account, you must enter a verification code for security purposes. After you click Get Verification Code, the system sends the code to the email address that is associated with the account.
  5. In the Configure Account System step, set Account Type to Enterprise AD Account, configure the related parameters, and then click Create Now.
    The following table describes the related parameters.
    Parameter Description
    DNS Address Enter the DNS address (private IP address) of the enterprise AD system.
    Note If the AD domain controller and the DNS server are deployed on the same server, you can enter the IP address of the server. Make sure that the IP address can be accessed from the secure office network that you specified in the previous operation.
    Domain Name Enter the domain name of the enterprise AD system. Example: example.com.
    Note If a message that indicates the domain name is invalid appears, submit a ticket.
    Domain-Controller Hostname If the AD domain controller and the DNS server are deployed on different servers, we recommend that you specify the hostname of the domain controller. This helps the system identify the domain controller to connect to and improves the success rate of workspace creation.
    Local Administrator If you select Local Administrator, the permissions granted to the regular users to whom a cloud desktop in the workspace is assigned vary based on the OS of the cloud desktop.
    • For a Windows cloud desktop, regular users are granted local administrator permissions. However, the effective permissions are subject to the settings of the enterprise AD system.
    • For a Linux cloud desktop, regular users are granted permissions to run all commands. When regular users run commands with sudo, they must enter the passwords of their AD users.
    AD Connector Type Select an AD connector type based on the number of desktops that you want to create. You are charged for AD connectors on a pay-as-you-go basis. The billing of AD connectors varies based on the AD connector type. For more information, see Billing of AD connectors.
    • General: applies to the workspace in which no more than 500 cloud desktops are deployed.
    • Advanced: applies to the workspace in which more than 500 cloud desktops are deployed.
  6. Click View Workspace Details. On the workspace details page, the connection address appears, which is the IP address of the AD connector.
    If the status of the workspace changes from Registering to Created, you must configure settings such as the DNS conditional forwarder and trust relationship as described in Step 2.
    Note If the status changes to Failed, retry your operations as prompted or submit a ticket. For example, if a message indicates a DNS setting or domain name error, ping the IP address of the AD connector from the AD domain controller. If the ping fails, check the CEN settings and the security software settings of the enterprise office network.
    Figure-Workspace of the enterprise AD account type
  7. Configure the security group rules for the VPC to which the AD domain controller and DNS server belong, and enable the required network ports.
    1. Log on to the VPC console.
    2. On the VPCs page, find the VPC that you want to manage and click the ID of the VPC.
    3. On the Resources tab, click the number in the lower part of Security Group.
    4. On the Security Groups page, find the security group for which you want to configure rules and click the ID of the security group.
    5. Configure rules for the security group.
      Configure inbound rules for the security group based on the following table.
      Protocol type    Port range                                   Authorization object
      Custom UDP       53, 88, 123, 137, 138, 389, 445, and 464     The IPv4 CIDR block of the AD workspace. Example: 192.168.XX.XX/24.
      Custom TCP       53, and 88 to 65535                          The IPv4 CIDR block of the AD workspace. Example: 192.168.XX.XX/24.

Step 2: Configure an AD domain

  1. On the workspace details page of the EDS console, click Configure on the right side of Status.
  2. On the Configure Domain Account page of the Configure AD Domain panel, configure a domain user and an OU.
    1. Enter the username and password of an AD domain user, and click Verify.
      The AD domain user that you specify must have permissions to join computers to the domain and read permissions on the properties of domain users. This way, the system can join the cloud desktops in the workspace to the domain and assign the cloud desktops to AD users.
    2. After the AD user is verified, select an OU that belongs to the AD domain.
    3. Click Next.
  3. In the Configure AD Domain panel on the Configure Conditional Forwarder page, follow the on-screen instructions to log on to the DNS server that corresponds to the AD domain and configure a conditional forwarder.
    Note
    • If your enterprise AD system includes one or multiple domains (such as a parent domain and a subdomain) that share the same DNS server, you must configure a conditional forwarder for the DNS server.
    • If your enterprise AD system includes multiple domains (such as a parent domain and a subdomain) that have different DNS servers, you must configure a conditional forwarder for each DNS server.
    1. Launch DNS Manager.
      The following section describes how to launch DNS Manager. In this example, Windows Server 2016 is used. The process may vary if your server runs a different OS.
      1. Launch Server Manager. In the left-side navigation pane, select DNS.
      2. In the right-side server list, right-click the server and select DNS Manager.
    2. In the DNS Manager dialog box, right-click Conditional Forwarders and select New Conditional Forwarder.
    3. Enter the domain name and the IP address, select Store this conditional forwarder in Active Directory, and replicate it as follows, and then select All DNS servers in this domain.
      Enter ecd.acs as the domain name and enter the IP address of the AD connector. You can obtain the IP address on the Configure Conditional Forwarder page of the Configure AD Domain panel that you opened in the first operation of Step 2.
      Figure-Conditional forwarding
    4. Click OK.
    5. Run the following command in Command Prompt to check the network connectivity:
      nslookup ecd.acs

      If the IP address of the AD connector is returned, the conditional forwarder is configured. If an error message is returned, check whether you specified a valid conditional forwarder, and clear the DNS cache. For more information, see Troubleshooting.

  4. In the Configure AD Domain panel on the Configure Conditional Forwarder page of the EDS console, click Next.
  5. In the Configure AD Domain panel on the Configure Trust Relationship page, follow the on-screen instructions to log on to the AD domain controller that corresponds to the AD domain, and configure the trust relationship.
    1. Launch Server Manager.
    2. In the upper-right corner, choose Tools > Active Directory Domains and Trusts.
    3. In the dialog box that appears, right-click the domain and click Properties.
    4. In the Properties dialog box, click the Trusts tab, and click New Trust.
    5. On the New Trust Wizard panel, configure the trust.
      Configure the following parameters as described. For other parameters, retain the default values.
      • Name: Enter ecd.acs.
        Figure-Trust relationship
      • Trust Type: Select External trust.
        Note If the External trust option is unavailable, run the nslookup ecd.acs command to check whether the conditional forwarder is configured.
        Figure-External trust
      • Trust password: Specify a password. The password is required when you configure the AD domain in the EDS console. Figure-Trust password
    6. Confirm the trust relationship that you configured and click OK.
      Figure-Trust relationship
  6. In the Configure AD Domain panel on the Configure Trust Relationship page in the EDS console, enter the trust password that you specified when you configured the trust relationship, and click Complete All Configurations.
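The DNS-server side of Step 2 (the ecd.acs conditional forwarder, the nslookup check, and a check that the trust exists after the New Trust Wizard) can also be done from PowerShell. The following script is an added example and is not part of this topic or of EDS itself; the value of $AdConnectorIp is a placeholder that you replace with the connection address shown on the workspace details page, and the Get-ADTrust step assumes the ActiveDirectory module is installed on the server.

```powershell
# Added example (not from the original topic): automates the DNS-server side of
# Step 2 with the built-in DnsServer and ActiveDirectory PowerShell modules.
# Run in an elevated PowerShell session on the DNS server of the AD domain.
$AdConnectorIp = '10.0.0.100'   # placeholder: the AD connector IP from the EDS console
$ZoneName      = 'ecd.acs'      # zone name the topic instructs you to forward

# Create the conditional forwarder for ecd.acs, stored in Active Directory and
# replicated to all DNS servers in this domain. -ReplicationScope Domain is the
# PowerShell equivalent of the "All DNS servers in this domain" option in DNS Manager.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ZoneName `
        -MasterServers $AdConnectorIp -ReplicationScope Domain
}

# Clear cached records so the check below does not return a stale answer
# (the Troubleshooting section recommends this when registration fails).
Clear-DnsServerCache -Force
Clear-DnsClientCache

# Same check as "nslookup ecd.acs": the A record must resolve to the AD connector IP.
$answer = Resolve-DnsName -Name $ZoneName -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue |
          Where-Object { $_.QueryType -eq 'A' } |
          Select-Object -ExpandProperty IPAddress
if ($answer -contains $AdConnectorIp) {
    Write-Output "Conditional forwarder OK: $ZoneName -> $answer"
} else {
    Write-Warning "Unexpected answer for $ZoneName : '$answer'. Check the forwarder and the CEN connectivity."
}

# Reachability check from the domain controller to the AD connector (ICMP), the same
# test the topic suggests when the workspace ends up in the Failed state.
if (-not (Test-NetConnection -ComputerName $AdConnectorIp -InformationLevel Quiet)) {
    Write-Warning "AD connector $AdConnectorIp is unreachable; check the CEN and security group rules."
}

# After the New Trust Wizard has been completed, confirm that the trust to ecd.acs exists
# (requires the ActiveDirectory module, installed with the AD DS role or RSAT).
Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq '$ZoneName'" |
    Select-Object Name, Direction, TrustType, ForestTransitive
```

If Get-ADTrust returns nothing, the trust was not created on the domain controller and the trust password entered in the EDS console cannot match anything; rerun the New Trust Wizard before clicking Complete All Configurations.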

Results

After you configure the preceding parameters, you can use one of the following methods to check whether the workspace of the enterprise AD account type is created and configured:
  • On the Overview page of the EDS console, find the AD workspace that you created, click the workspace ID to go to the workspace details page, and then check whether the workspace is in the Registered status.
  • On the Secure Office Network page of the EDS console, find the network of the workspace and check whether the network is in the Registered state.

Troubleshooting

When you configure a workspace of the enterprise AD account type, you can click View Registration Logs in the upper-right corner of the workspace details page to view error messages. If you are prompted to clear the DNS cache, you can restart the AD domain controller. You can also log on to the DNS server and run the following commands in PowerShell to clear the DNS cache:
  • If you want to clear resource records from the DNS server cache, run the following command:
    Clear-DnsServerCache -Force
  • If you want to clear the contents of the DNS client cache, run the following command:
    Clear-DnsClientCache
Note If the workspace remains in the Registering state for a long time, the workspace fails to be registered. You must check whether the configurations of the workspace of the enterprise AD account type, the AD domain controller, and the DNS server are correct. For more information, see What do I do if I fail to register the workspace of the enterprise AD account type?