How Do I Interconnect Workspace with Microsoft AD?

You can deploy Microsoft AD either in the intranet of the enterprise DC or in the VPC where Workspace resides. The following describes how to interconnect Workspace with Microsoft AD in these two deployment scenarios. After interconnecting Workspace with Microsoft AD, configure DNS forwarding on the DNS server so that Workspace can access the Internet.

NOTE:

Ensure that the network where Workspace resides is communicating correctly with that where Microsoft AD resides.

Procedure

Scenario 1: Microsoft AD is deployed in the intranet of the customer's DC.

Figure 1 Microsoft AD deployed in the intranet of the customer's DC

  1. Use DirectConnect or IPsec VPN to connect the customer's DC to the VPC. For details about the configuration, see the Direct Connect User Guide or Virtual Private Network User Guide.
  2. If a firewall is deployed between Microsoft AD and Workspace, enable the following ports on the firewall for Workspace to connect to Microsoft AD, as shown in Table 1:

    Table 1 Port list

    | Role | Port          | Protocol | Description |
    |------|---------------|----------|-------------|
    | AD   | 135           | TCP      | Remote Procedure Call (RPC) protocol. Used by the Lightweight Directory Access Protocol (LDAP), Distributed File System (DFS), and Distributed File System Replication (DFSR). |
    | AD   | 137           | UDP      | NetBIOS name resolution. Used by the network login service. |
    | AD   | 138           | UDP      | NetBIOS datagram service. Used by services such as DFS and the network login service. |
    | AD   | 139           | TCP      | NetBIOS-SSN service. Used for network basic input and output. |
    | AD   | 445           | TCP      | NetBIOS-SSN service. Used for network basic input and output. |
    | AD   | 49,152-65,535 | TCP      | RPC dynamic ports |
    | AD   | 49,152-65,535 | UDP      | RPC dynamic ports |
    | AD   | 88            | TCP      | Kerberos key distribution center service |
    | AD   | 88            | UDP      | Kerberos key distribution center service |
    | AD   | 123           | UDP      | NTP service |
    | AD   | 389           | UDP      | LDAP server |
    | AD   | 389           | TCP      | LDAP server |
    | AD   | 464           | TCP      | Kerberos authentication protocol (password change) |
    | AD   | 464           | UDP      | Kerberos authentication protocol (password change) |
    | AD   | 500           | UDP      | ISAKMP |
    | AD   | 593           | TCP      | RPC over HTTP |
    | AD   | 636           | TCP      | LDAP over SSL |
    | AD   | 3268          | TCP      | LDAP global catalog server |
    | AD   | 3269          | TCP      | LDAP global catalog server (SSL) |
    | AD   | 4500          | UDP      | IPsec NAT-T |
    | AD   | 5355          | UDP      | LLMNR |
    | AD   | 9389          | TCP      | Active Directory Web Services |
    | DNS  | 53            | TCP      | DNS server |
    | DNS  | 53            | UDP      | DNS server |

  3. After the configuration, verify the interconnection and ensure that the networks and ports are working correctly. For details, see Verification.
  4. Log in to your DNS server, enable reverse lookup in DNS Manager, and add the first subnet segment that you selected in the subnet list when applying for Workspace to the IP address range used for reverse lookup.

Scenario 2: Microsoft AD is deployed in a subnet and the VPC where Workspace resides is deployed in another subnet.

Figure 2 Microsoft AD deployed in a subnet and the VPC where Workspace resides deployed in another subnet

In this scenario, you must add security group rules for Microsoft AD to enable some ports of Microsoft AD for Workspace so that Workspace can connect to Microsoft AD.

  1. Create a security group, add an inbound rule, and configure the parameters as follows:

    • Protocol: ANY
    • Source IP Address: IP Address
    • IP Address: Enter the subnet where Workspace resides.

  2. Apply the security group to AD server instances so that Workspace can communicate correctly with Microsoft AD.

    NOTE:

    If you want to minimize the number of enabled ports and protocols, you can add multiple inbound rules to the security group. For details about the ports that need to be enabled, see Table 1.

  3. After the configuration, verify the interconnection and ensure that the networks and ports are working correctly. For details, see Verification.
  4. Log in to your DNS server, enable reverse lookup in DNS Manager, and add the first subnet segment that you selected in the subnet list when applying for Workspace to the IP address range used for reverse lookup.

Verification

  1. Check the firewall or security group settings of the AD server and ensure that ports 49,152 to 65,535 have been enabled.

    NOTE:

    For details about the requirements on AD server ports, see Active Directory and Active Directory Domain Services Port Requirements.

  2. Create a Windows OS instance in the VPC where the user desktop resides using the ECS service and add the instance to the existing domain.

    NOTE:

    For details about how to configure and operate ECS, see the Elastic Cloud Server User Guide.

  3. Log in to the Windows instance using the RDP client tool (such as mstsc) or VNC.

    The remaining steps are performed on this Windows instance.

  4. Download ADTest.zip and unzip the test application.
  5. In the blank area of the directory where ADTest.exe resides, hold down Shift, right-click, and choose Open command window here.
  6. In Command Prompt, enter the following command to check the AD server connectivity:

    ADTest.exe -file ADTest.cfg -ip <AD IP address> -domain <AD domain name> -user <domain administrator account>

    Command example:

    ADTest.exe -file ADTest.cfg -ip 192.168.161.78 -domain abc.com -user vdsadmin

  7. Check whether SUCCEED is displayed in all test results. If FAILED is displayed, check the AD server configuration or firewall ports following the instructions.
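The note in Scenario 2 suggests replacing the Protocol ANY rule with per-port inbound rules, and Verification step 1 asks you to confirm that the 49,152-65,535 range is open. The following added example (not part of this guide or of ADTest) derives the least-privilege inbound rule set from Table 1, checks an arbitrary rule set for ports the table requires but the rules leave closed, and offers a plain TCP reachability probe for the TCP rows; the Workspace subnet and the (protocol, low, high, source) rule layout are assumptions.

```python
import socket
from collections import defaultdict

# Table 1 of this page as (protocol, low_port, high_port): what the AD and DNS
# servers must accept from the Workspace subnet. One entry per table row.
AD_PORT_REQUIREMENTS = [
    ("TCP", 135, 135), ("UDP", 137, 137), ("UDP", 138, 138), ("TCP", 139, 139),
    ("TCP", 445, 445), ("TCP", 49152, 65535), ("UDP", 49152, 65535),
    ("TCP", 88, 88), ("UDP", 88, 88), ("UDP", 123, 123), ("UDP", 389, 389),
    ("TCP", 389, 389), ("TCP", 464, 464), ("UDP", 464, 464), ("UDP", 500, 500),
    ("TCP", 593, 593), ("TCP", 636, 636), ("TCP", 3268, 3268), ("TCP", 3269, 3269),
    ("UDP", 4500, 4500), ("UDP", 5355, 5355), ("TCP", 9389, 9389),
    ("TCP", 53, 53), ("UDP", 53, 53),
]

def minimal_rules(requirements, source_cidr):
    """Collapse the table into the fewest inbound rules: one per protocol and
    contiguous port range. Each rule is (protocol, low, high, source_cidr)."""
    by_proto = defaultdict(list)
    for proto, lo, hi in requirements:
        by_proto[proto].append((lo, hi))
    rules = []
    for proto in sorted(by_proto):
        merged = []
        for lo, hi in sorted(by_proto[proto]):
            if merged and lo <= merged[-1][1] + 1:  # adjacent or overlapping range
                merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
            else:
                merged.append((lo, hi))
        rules.extend((proto, lo, hi, source_cidr) for lo, hi in merged)
    return rules

def uncovered(requirements, rules):
    """Required (protocol, port) pairs that no rule allows: Verification step 1
    applied to a whole rule set. An empty list means the table is fully covered."""
    def allowed(proto, port):
        return any(p in (proto, "ANY") and rlo <= port <= rhi for p, rlo, rhi, _ in rules)
    return [(proto, port) for proto, lo, hi in requirements
            for port in range(lo, hi + 1) if not allowed(proto, port)]

def tcp_reachable(host, port, timeout=2.0):
    """Live probe for one TCP row of Table 1, run from the Workspace side (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out or unresolvable
        return False
```

Feeding `minimal_rules(AD_PORT_REQUIREMENTS, "<Workspace subnet>")` into the security group gives 22 rules instead of one Protocol ANY rule; running `uncovered` against your current rule set lists exactly which table rows a firewall change would leave blocked.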

Configure DNS forwarding

NOTE:

The following uses Windows Server 2012 as an example.

  1. Log in to the DNS server as the administrator.
  2. On the task bar, click the Server Manager icon.

    The Server Manager window is displayed.

  3. In the navigation pane on the left, click DNS.
  4. In the SERVERS area, right-click the server name and choose DNS Manager.

    The DNS Manager window is displayed.

  5. Expand DNS, right-click the computer name, and choose Properties from the shortcut menu.
  6. On the Advanced tab page, deselect Disable recursion (also disable forwarders), and click Apply.
  7. On the Forwarders tab page, click Edit, enter the IP address of the default DNS server of the public cloud, and click OK.

    NOTE:

    You can view the IP address of the default DNS server of the public cloud on the page for creating the VPC.