Creating a trust relationship

This guide will explain how you can allow users from your Active Directory to access your virtual desktops.

Last updated 20th November 2017

Objective

It is sometimes useful for multiple users in your Active Directory to be able to access your virtual desktops on your Cloud Desktop Infrastructure solution. This guide will show you how to do this.

Requirements

  • You need to have set up an interconnection via vRack.

In practice

Below are the settings we will use in this guide. You will need to replace them with your own settings:

  • OVH AD Domain: view1045.local
  • IP of OVH AD: 172.16.0.6
  • Customer AD Domain: customer.local
  • IP of customer AD: 10.209.0.25
  • IP intercom customer router: 192.168.169.251
  • Customer Network: 10.209.0.0/24

Step 1: Create a network

If you have not yet defined the network in which your Active Directory is located, you need to create it via the OVHcloud API.

To do this, go to the Customer Network section to create the network:

API Customer Network

Then press Execute.

A task will be executed. You can then make sure you have created your private network by listing the existing ones. You will then have to proceed via the following API method:

The command returns a list of identifiers (ID). In order to see the information describing each private network, use the API call below:

Step 2: Allow flows through your firewall

In order for the authorisation to work, it is necessary to allow data flows to pass through the ports used by the Active Directory.

We will, therefore, authorise the following ports towards the Directory:

  • UDP: 53, 88, 137:138, 389, 445, 3389, 49152:65535
  • TCP: 53, 88, 135, 389, 445, 636, 3268, 3269, 49152:65535

To see the IP of the Cloud Desktop Infrastructure Active Directory, issue the following call on the OVH API:

The IP address of the Cloud Desktop Infrastructure Active Directory looks like this: activeDirectoryIp : xxx.xxx.xxx.xxx.

Step 3: Route the data flows to the private administration network

We will configure the route that will allow us to direct the data flows towards the private administration network.

To see the private administration network, issue the following call on the OVH API:

The private network looks like this: adminPrivateNetwork: "xxx.xxx.xxx.xxx/xx". The next hop is also populated in this call: adminNetworkNextHop: "xxx.xxx.xxx.xxx".

If you need to create a route via NSX, you can do it this way:

NSX Route creation

In our case, the private administration network is as follows: 172.16.0.0/24 and the next hop is 192.168.169.1.

Step 4: Create the Trust and open the data flows

Once the flows are open, you will need to open them on the OVH side.

To do this, go to our API:

You will need the following information:

  • The IP of your Active Directory;
  • DNS 1 (optional);
  • DNS 2 (optional);
  • The domain of your Active Directory.

Step 5: Configure the Active Directory Client

To carry out this step, you need to perform the following actions:

Create a Conditional Forwarder

For this, you will need to know the IP and domain of the OVH Active Directory. Then make the following call to the OVH API:

The IP of the OVH Active Directory looks like this: activeDirectoryIp: "xxx.xxx.xxx.xxx". The domain name of the OVH Active Directory is: adminDomain: "viewxxxx.local".

Once the information is retrieved, you can create the Conditional Forwarder.

  • Either via the command line:
add-DnsServerConditionalForwarderZone -name view1045.local -MasterServers 172.16.0.6
  • Or via the interface:

  • Open the DNS console:

  • right-click Conditional Forwarder;
  • click New Conditional Forwarder;
  • enter the domain name of the OVH Active Directory;
  • add the IP address of the OVH Active Directory.

The Conditional Forwarder is then created.

Create the domain account

To carry out this step, you will need to generate a complex password, which you will enter when the Trust is created in the API. You will also need to name this user horizonUI.

To create a domain account, proceed as follows:

  • Via the command line:
New-ADServiceAccount -Name horizonUI -AccountPassword (ConvertTo-SecureString - AsPlainText "p@ssw0rd" -Force) -Enabled $true -Path "CN=Managed Service Accounts,DC=CUSTOMER,DC=LOCAL" -RestrictToSingleComputer

Note that "DC" designates the domain of your Active Directory.

Step 6: Configure the Trust on your Active Directory

Once the call to the API is complete, a task will run on your Cloud Desktop Infrastructure. Once it has completed, you will receive an email confirming that the Trust is configured at OVH.

You will still have to follow the instructions in the email to finalise the authorisation, or follow the procedure below:

  • log in to your Active Directory;
  • open Active Directory Domains and Trusts;
  • on your domain, in our example customer.local, right-click and go to the Trust tab;
  • select New Trust;
  • follow the instructions in the wizard.

Wizard 1

  • Enter the domain name of the OVH Active Directory.
  • Choose Forest Trust.
  • Choose One-way: incoming.

Wizard 2

  • Then select This domain only.
  • Enter the passphrase you defined when creating the domain in the API.

Wizard 3

  • Confirm the actions.

The Trust is now created.

Step 7: Create a Trust in the OVH API

To create the Trust on the OVH Active Directory, you will need the following information:

  • a complex password intended to be the passphrase of the Trust;
  • the complex password that you used when you created the service account.

Enter this information in the API:

A task will then execute, and you will receive an email once it has finished. The Active Directory trust is now created.

Go further

Chat with our user community on https://community.ovh.com/en/.


Did you find this guide useful?

Please feel free to give any suggestions in order to improve this documentation.

Whether your feedback is about images, content, or structure, please share it, so that we can improve it together.

Your support requests will not be processed via this form. To do this, please use the "Create a ticket" form.

Thank you. Your feedback has been received.

OVHcloud Community

Access your community space. Ask questions, search for information, post content, and interact with other OVHcloud Community members.

Discuss with the OVHcloud community

In accordance with the 2006/112/CE Directive, modified on 01/01/2015, prices incl. VAT may vary according to the customer's country of residence
(by default, the prices displayed are inclusive of the UK VAT in force).