Elastic Desktop Service:Create and configure an AD workspace

Last Updated:May 16, 2023

A workspace is a collection of environment configurations in Elastic Desktop Service (EDS). A workspace of the enterprise Active Directory (AD) account type connects to an enterprise AD account system. Before you create such a workspace, obtain an account in the enterprise AD system to which you want to connect. This topic describes how to create and configure a workspace of the enterprise AD account type.

Prerequisites

  • An enterprise AD system is available.

    Note
    • If you deploy an AD domain controller and a Domain Name System (DNS) server on the same server, make sure that the DNS address of the server is set to 127.0.0.1.

    • If you deploy an AD domain controller and a DNS server on different servers, make sure that the DNS address of the AD domain controller is set to the IP address of the DNS server.

  • A Cloud Enterprise Network (CEN) instance is available. If no CEN instance is available, create a CEN instance and attach the instance to the virtual private cloud (VPC) in which the enterprise AD system resides. For more information about specific operations, see Create a CEN instance or Step 3: Connect the VPCs to the transit router.

    Important

    When you create a workspace, you must configure a secure office network for the workspace. When you connect Elastic Desktop Service (EDS) to the enterprise AD system, make sure that the VPC of the enterprise AD system is connected to the secure office network over CEN. If you deploy the AD domain controller and the DNS server in a data center, you must connect the data center network to Alibaba Cloud by using Smart Access Gateway (SAG), Express Connect, or VPN Gateway.

  • The security group rules for the VPC to which the AD domain controller and DNS server belong are configured to allow traffic to pass over the required network ports.

    1. Log on to the VPC console.

    2. On the VPCs page, find the VPC that you want to manage and click the ID of the VPC.

    3. On the Resources tab, click the number in the lower part of Security Group.

    4. On the Security Groups page, find the security group for which you want to configure rules and click the ID of the security group.

    5. Configure inbound rules for the security group based on the information that is provided in the following table. For more information about specific operations, see Add a security group rule.

      Authorized object for every rule: the IPv4 CIDR block of the AD workspace. Example: 192.168.XX.XX/24.

      Protocol   | Port or port range | Description
      -----------|--------------------|-----------------------------
      Custom UDP | 53                 | DNS
      Custom UDP | 88                 | Kerberos
      Custom UDP | 123                | Windows Time
      Custom UDP | 137                | NETBIOS
      Custom UDP | 138                | NETBIOS
      Custom UDP | 389                | LDAP
      Custom UDP | 445                | CIFS
      Custom UDP | 464                | Kerberos change/set password
      Custom TCP | 53                 | DNS
      Custom TCP | 88                 | Kerberos
      Custom TCP | 135                | Replication
      Custom TCP | 389                | LDAP
      Custom TCP | 443                | HTTPS
      Custom TCP | 445                | SMB/CIFS
      Custom TCP | 636                | LDAP SSL
      Custom TCP | 9389               | PowerShell
      Custom TCP | 49152 to 65535     | RPC
      Custom TCP | 3268 to 3269       | LDAP GC & LDAP GC SSL
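Added example, not from the Alibaba Cloud documentation: a PowerShell check, run from a Windows host inside the workspace CIDR after the rules are in place, that probes the domain controller on the TCP ports from the table and exercises UDP 53 with an SRV lookup. The domain controller hostname and the domain name are placeholders, and the dynamic RPC range (49152 to 65535) is not probed.

```powershell
# Added example (not from the Alibaba Cloud documentation). Run on a Windows host in the
# AD workspace CIDR to confirm the security group rules above let traffic reach the DC.
param(
    [string]$DomainController = "dc01.example.com",  # assumption: your DC hostname or IP
    [string]$Domain = "example.com"                  # assumption: your AD domain name
)

# TCP ports from the table; 49152-65535 is a dynamic RPC range and is not probed here
$tcpPorts = [ordered]@{
    53   = "DNS"
    88   = "Kerberos"
    135  = "Replication (RPC endpoint mapper)"
    389  = "LDAP"
    443  = "HTTPS"
    445  = "SMB/CIFS"
    636  = "LDAP SSL"
    3268 = "LDAP GC"
    3269 = "LDAP GC SSL"
    9389 = "PowerShell (AD Web Services)"
}

$results = foreach ($port in $tcpPorts.Keys) {
    # Test-NetConnection probes TCP only; the timeout warning is suppressed to keep output clean
    $t = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $tcpPorts[$port]
        Open    = $t.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# UDP 53 cannot be probed with Test-NetConnection; querying the DC locator SRV record
# exercises it and confirms the DC is registered in DNS
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                           -Server $DomainController -ErrorAction Stop
    $targets = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget -join ', '
    "UDP 53: SRV lookup succeeded, domain controller(s): $targets"
} catch {
    "UDP 53: SRV lookup failed: $($_.Exception.Message)"
}

# A closed port here usually means a missing inbound rule, not a problem on the DC
$closed = $results | Where-Object { -not $_.Open }
if ($closed) { "Blocked TCP ports: " + ($closed.Port -join ', ') } else { "All probed TCP ports are reachable" }
```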

Background information

  • Elastic Desktop Service (EDS) allows you to create an AD workspace based on the Adaptive Streaming Protocol (ASP) or High Definition Experience (HDX) protocol. The AD workspace becomes available only after you complete the AD domain configuration. The operations that are performed to create an ASP-based AD workspace are slightly different from the operations that are performed to create an HDX-based AD workspace. You must proceed based on your business requirements. If you cannot select a protocol type when you configure the account system of a workspace, the ASP protocol is used. We recommend that you create an ASP-based AD workspace. For information about the benefits of the ASP protocol, see ASP.

  • Desktop administrator permissions

    Users who are granted the desktop administrator permissions can download software and perform tasks that require the desktop administrator permissions. You can grant the desktop administrator permissions to users when you create an AD workspace or configure an AD domain controller.

    Note

    The two methods slightly differ in terms of configuration manner and permission management. You can select a method based on your business requirements.

    Method 1: Grant the desktop administrator permissions when you create an AD workspace

      Advantage: When you create an AD workspace, you need to only select the check box under Local Administrator. The system grants the desktop administrator permissions to all users who use cloud desktops in the workspace.

      Disadvantage: The local administrator permissions are granted based on workspaces. All users who are assigned cloud desktops in the workspace are granted the desktop administrator permissions. The configurations cannot be modified.

    Method 2: Grant the desktop administrator permissions when you configure an AD domain controller

      Advantage: The local administrator permissions vary based on the workspaces. You can perform fine-grained control when you grant the desktop administrator permissions to specific users.

      Disadvantage: You must configure the desktop administrator permissions in an AD domain controller. This is more complex.

    For more information about specific operations, see How do I grant the desktop administrator permissions to a user in an AD domain controller?

Procedure

  1. Configure a secure office network.

    1. Log on to the Elastic Desktop Service (EDS) console.

    2. In the left-side navigation pane, choose Desktops and Groups > Workspace.

    3. On the Workspace page, click Create Workspace.

    4. In the Configure Security Office Network step, configure parameters for the secure office network based on your business requirements. The following table describes the parameters.

      Parameter

      Description

      Region

      The region where you want to deploy the workspace. For information about the supported regions of Elastic Desktop Service (EDS), see Region.

      Name

      The name of the workspace. Follow the on-screen instructions to specify a workspace name.

      IPv4 CIDR Block

      The IPv4 CIDR block of the workspace. To prevent CIDR block overlaps, specify a valid CIDR block based on your business requirements. For more information, see Plan a CIDR block.

      Connection Method

      The type of network over which clients connect to cloud desktops in the workspace. Valid values:

      • Internet: Cloud desktops can be connected only over the Internet.

      • VPC: Cloud desktops can be connected only over a VPC.

      • Internet and VPC: Cloud desktops can be connected over the Internet or a VPC. Select a connection method based on your business requirements.

      Note

      If you set the Connection Method parameter to VPC or Internet and VPC, PrivateLink is required. PrivateLink is free of charge and is automatically activated in this case.

      Attach to CEN

      If you want to connect Elastic Desktop Service (EDS) to an AD system of your enterprise, you must attach the workspace VPC to a CEN instance. This enables network connectivity between the secure office network of the workspace and the network of the enterprise AD system.

      To attach a workspace VPC to a CEN instance, perform the following steps:

      1. Click Yes.

      2. Use one of the following methods to select a CEN instance to which you want to attach the workspace VPC:

        • In the Same Account section, click the CEN Instance ID drop-down list and select a CEN instance that is created by using the current Alibaba Cloud account.

        • In the Different Account section, perform the following steps:

          1. In the Peer Account UID field, enter the ID of the Alibaba Cloud account to which the CEN instance that you want to use belongs.

            Note

            To obtain the ID of an Alibaba Cloud account, move the pointer over the profile picture in the upper-right corner of the Alibaba Cloud Management Console. If the account is displayed as Main Account in the user information panel, the account ID is the Alibaba Cloud account ID that you must obtain.

          2. In the Peer CEN Instance ID field, enter the ID of the CEN instance that you want to use.

            Note

            To obtain the ID of a CEN instance, perform the following operations: Log on to the CEN console. On the Instances page of the CEN console, find the CEN instance that you want to use and copy the ID of the CEN instance.

          3. Click Get Verification Code and then enter the verification code in the Verification Code field.

            Note

            You can get the verification code by using the associated email address. If you do not receive a verification code, choose Notification Center > Message Settings > Common Settings to check whether the Notifications Regarding the Creation and Activation of Product Instances option is selected. You must also check whether the main contact is correct.

      3. Click Check.

        Note

        To ensure that the cloud desktops of the workspace can provide services as expected, check whether the route of the selected CEN instance conflicts with the IPv4 CIDR block of the workspace. If the message "Check passed. Go to the next step." appears, the route of the selected CEN instance does not conflict with the IPv4 CIDR block of the workspace.

    5. Click Next: Configure Account System.

  2. Configure the account system of the workspace.

    1. In the Configure Account System step, select Enterprise AD Account and configure parameters for the account system.

      The following table describes the parameters.

      Parameter

      Description

      Protocol Type

      Specify the type of protocol based on which you want to create the workspace. EDS supports the ASP protocol and the HDX protocol.

      Domain Name

      Enter the domain name of the enterprise AD system. Example: example.com.

      Note

      If a message indicating that the domain name is invalid appears, submit a ticket.

      (Optional) Domain Controller Hostname

      If your AD domain controller and DNS server are deployed on different servers, we recommend that you specify the domain controller hostname. This way, the system can identify the reachable domain controller, which speeds up workspace creation.

      DNS Address

      Enter the DNS address (private IP address) of the enterprise AD system.

      Note

      If your AD domain controller and DNS server are deployed on the same server, enter the IP address of the server. Make sure that the IP address can be accessed from the secure office network that you configured in the previous step.

      (Optional) Local Administrator

      Specifies whether to grant the desktop administrator permissions to end users to whom cloud desktops in the workspace are assigned. If you select this option, the end users of cloud desktops in the workspace are granted the desktop administrator permissions. The end users can install software and perform tasks that require the desktop administrator permissions.

      You can reconfigure the Local Administrator parameter. In the AD Settings section of the workspace details page, you can enable or disable the Local Administrator parameter based on your business requirements.

      Note

      The desktop administrator permissions vary based on the OS of the cloud desktop.

      • For a Windows cloud desktop, the actual desktop administrator permissions that are granted to end users are subject to the settings of the enterprise AD system.

      • For a Linux cloud desktop, end users are granted the desktop administrator permissions to run all commands. If the end users run sudo commands, the passwords of enterprise AD users are required.

      If you want to perform fine-grained permission control on cloud desktops in the workspace, we recommend that you configure the desktop administrator permissions in the AD domain controller. For more information about specific operations, see How do I grant the desktop administrator permissions to a user in an AD domain controller?

      AD Connector Type

      Select an AD connector type based on the number of desktops that you want to create in the workspace. You are charged for AD connectors based on the pay-as-you-go billing method. The billing of AD connectors varies based on the type of the AD connector. For more information, see Billable items.

      • General: suitable for workspaces in which you create no more than 500 cloud desktops.

      • Advanced: suitable for workspaces in which you create more than 500 cloud desktops.

    2. Click Create Now.

      You can configure an AD domain only after the workspace enters the Registered state.

      Note

      If the workspace fails to be created, follow the on-screen instructions to retry or Submit a ticket.

  3. Configure an AD domain.

    1. On the Overview page of the EDS console, click the ID of the workspace that is created in the previous step to go to the workspace details page. In the Basic Information section, click Configure to the right of the workspace status.

    2. In the Configure AD Domain panel, enter the username and password of an AD user.

    3. Click Verify.

    4. Optional: After the AD user is verified, select an OU that belongs to the AD domain.

      Important

      The OU that you specify can be changed later.

      Method: In the EDS console, go to the Configure AD Domain panel of the workspace, click the Move icon to the right of Specified OU, and then replace the original OU with a new OU.

    5. In the message that appears, click OK.

Configure a conditional forwarder and a trust relationship

Important
  • If you use the ASP protocol to create a workspace of the enterprise AD account type and you want to configure a trust relationship for the workspace, submit a ticket to contact Alibaba Cloud technical support.

  • If you use the HDX protocol to create a workspace of the enterprise AD account type and you want to configure a conditional forwarder and a trust relationship for the workspace, perform the operations that are described in this topic.

  1. Configure a conditional forwarder.

    On the Configure Conditional Forwarder page, log on to the DNS server of the AD domain and configure a conditional forwarder.

    Important
    • If your enterprise AD system includes a single domain or multiple domains (such as a parent domain and child domains) that share the same DNS server, you must configure a conditional forwarder for the DNS server.

    • If your enterprise AD system includes multiple domains that correspond to different DNS servers, you must configure a conditional forwarder for each DNS server.

    1. Launch DNS Manager.

      In this example, Windows Server 2016 is used to show how to launch DNS Manager. The process varies based on the OS of your server.

      1. Launch Server Manager. In the left-side navigation pane, select DNS.

      2. In the right-side server list, right-click the DNS server that you want to manage and select DNS Manager.

    2. In the DNS Manager dialog box, right-click Conditional Forwarders and select New Conditional Forwarder.

    3. Enter a domain name and an IP address, select Store this conditional forwarder in Active Directory, and replicate it as follows, and then select All DNS servers in this domain.

      The domain name is ecd.acs, and the IP address is the connection address.

      Note

      You can obtain the connection address in the AD Settings panel of the workspace in the EDS console.

      Figure - Conditional forwarding
    4. Click Confirm.

    5. Run the following command in Command Prompt to check the network connectivity:

      nslookup ecd.acs
      • If the returned IP address is the connection address, the conditional forwarder is configured.

      • If an error message is returned, check whether the conditional forwarder is correctly configured and clear the DNS cache. For information about how to clear the DNS cache, see FAQ about the creation of an AD workspace.

  2. In the EDS console, click Next on the Configure Conditional Forwarder page.

  3. Configure a trust relationship.

    Note

    If you do not configure a trust relationship in the AD workspace, you can create only cloud desktops that use the ASP protocol. If you configure a trust relationship in the AD workspace, you can create cloud desktops that use the ASP and HDX protocols.

    On the Configure Trust Relationship page, log on to the AD domain controller and follow the on-screen instructions to configure a trust relationship.

    1. Launch Server Manager.

    2. In the upper-right corner of Server Manager, choose Tools > Active Directory Domains and Trusts.

    3. In the dialog box that appears, right-click the domain and click Properties.

    4. In the Properties dialog box, click the Trusts tab and then click New Trust.

    5. In the New Trust Wizard panel, configure parameters for the trust relationship.

      Configure the following parameters and retain the default values for other parameters.

      • Name: Enter ecd.acs.

        Figure - Trust relationship

      • Trust Type: Select External trust.

        Note

        If you cannot select External trust, run the following command in Command Prompt:

        nslookup ecd.acs
        • If the returned IP address is the connection address of the AD connector, the conditional forwarder is configured.

        • If an error message is returned, check whether the conditional forwarder is correctly configured and clear the DNS cache. For information about how to clear the DNS cache, see FAQ about the creation of an AD workspace.

        Figure - External trust
      • Trust password: Create a password. The password is required when you configure the AD domain in the EDS console. We recommend that you record the password for subsequent operations.

        Figure - Trust password

    6. Confirm the trust relationship that you configured and click OK.

      Figure - Trust relationship
    7. In the EDS console, go to the Configure Trust Relationship page, enter the trust password that you created when you configured the trust relationship, and then click Complete All Configurations.
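Added example, not from the Alibaba Cloud documentation, covering the conditional forwarder steps and the trust check above: a PowerShell script for the AD domain's DNS server that creates the ecd.acs conditional forwarder with the same replication setting as the DNS Manager steps, repeats the nslookup check with the cache cleared, and then confirms that the trust to ecd.acs exists. It assumes the DnsServer and ActiveDirectory PowerShell modules are installed on the server where it runs (the domain controller when DNS is co-located), and $ConnectionAddress stands for the connection address shown in the AD Settings panel of the workspace in the EDS console.

```powershell
# Added example (not from the Alibaba Cloud documentation). Run on the AD domain's DNS server.
param(
    [Parameter(Mandatory)][string]$ConnectionAddress   # assumption: AD connector connection address
)
Import-Module DnsServer
Import-Module ActiveDirectory

$zone = "ecd.acs"

# Same settings as the DNS Manager steps: stored in AD and replicated to all DNS servers in this domain
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $ConnectionAddress -ReplicationScope "Domain"
    "Conditional forwarder $zone -> $ConnectionAddress created"
} else {
    "Conditional forwarder $zone already exists; leaving it unchanged"
}

# Equivalent of 'nslookup ecd.acs': the answer must be the connection address.
# A stale cached answer is the usual cause of a mismatch, so both caches are cleared first.
Clear-DnsServerCache -Force
Clear-DnsClientCache
try {
    $answer = (Resolve-DnsName -Name $zone -Type A -Server 127.0.0.1 -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }).IPAddress
    if ($answer -contains $ConnectionAddress) {
        "OK: $zone resolves to $ConnectionAddress"
    } else {
        "Mismatch: $zone resolved to $($answer -join ', '), expected $ConnectionAddress"
    }
} catch {
    "Lookup failed: $($_.Exception.Message). Check the forwarder's master server address."
}

# After the New Trust Wizard: confirm the trust named ecd.acs is present and is not forest-transitive
$trust = Get-ADTrust -Filter "Name -eq '$zone'" -ErrorAction SilentlyContinue
if ($trust) {
    $trust | Select-Object Name, Direction, TrustType, ForestTransitive | Format-List
} else {
    "No trust named $zone found on this domain controller"
}
```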

View an AD workspace

After you configure an AD workspace, you can use one of the following methods to view the AD workspace:

  • On the Workspace page of the EDS console, find the workspace, click the workspace ID to go to the workspace details page, and then check whether the workspace is in the Registered state.

  • In the EDS console, go to the Secure Office Network page, find the network of the workspace that you created, and then check whether the network is in the Registered state.

What to do next

If you no longer need an AD workspace, you can release the cloud desktops in the workspace and then delete the workspace. After you delete the workspace, you are no longer charged for the AD connector that is configured for the workspace.

Warning

After you delete a workspace, you cannot restore the resources and data of the workspace. Proceed with caution.

To delete an AD workspace, perform the following steps:

  1. On the Workspace page, click the ID of the AD workspace that you want to delete.

  2. In the lower part of the workspace details page, click Delete.

  3. In the message that appears, read the note and click Confirm.