Elastic Desktop Service:Create and manage an enterprise AD office network

Last Updated:Nov 01, 2024

Elastic Desktop Service (EDS) supports convenience accounts and enterprise Active Directory (AD) accounts. When you create office networks (formerly workspaces), you can specify the account types of the office networks. This topic describes how to create an office network of the enterprise AD account type (short for an enterprise AD office network).

Billing rules

Enterprise AD office networks connect to enterprise AD systems by using AD connectors. You are charged for using AD connectors on a pay-as-you-go basis based on the usage duration and the unit price of the AD connectors you use. For more information about the prices of AD connectors of different types, see the AD Connector Price section on the Pricing page in the EDS portal.

Delete your enterprise AD office network if it is no longer used to prevent extra charges. For more information, see the "Delete an office network" section of the Create and manage an enterprise AD office network topic.

Prerequisites

  • An enterprise AD system is deployed. If you deploy an AD domain controller and a Domain Name System (DNS) server on different servers, make sure that the DNS address of the AD domain controller is set to the IP address of the DNS server.

  • A Cloud Enterprise Network (CEN) instance is created, and the virtual private cloud (VPC) of the enterprise AD system and the enterprise AD office network are attached to the CEN instance. For more information about how to create a CEN instance, see the "Step 1: Create a CEN instance" section of the Use CEN and Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks topic.

    Note

    If the AD domain controller and DNS server are deployed in an on-premises data center, you must use Express Connect (circuits), Smart Access Gateway (SAG), or VPN Gateway to establish a connection between the on-premises and cloud networks. For more information, see Select a private network service.

  • Specific ports are opened. The VPC that the enterprise AD office network uses must be able to reach the following ports on the AD domain controller. Make sure that the ports are opened on the AD domain controller, the DNS server, and any security software. For every row in the table, the authorization object is the IPv4 CIDR block of the office network (example: 192.168.XX.XX/24).

    Protocol    | Port/Port range | Description
    ------------|-----------------|-----------------------------------------------------------------------------------------------------
    Custom UDP  | 53              | DNS
    Custom UDP  | 88              | Kerberos
    Custom UDP  | 123             | Windows Time
    Custom UDP  | 137             | NETBIOS
    Custom UDP  | 138             | NETBIOS
    Custom UDP  | 389             | LDAP
    Custom UDP  | 445             | CIFS
    Custom UDP  | 464             | Password change or reset based on Kerberos
    Custom TCP  | 53              | DNS
    Custom TCP  | 88              | Kerberos
    Custom TCP  | 135             | Replication
    Custom TCP  | 389             | LDAP
    Custom TCP  | 443             | HTTPS
    Custom TCP  | 445             | SMB/CIFS
    Custom TCP  | 636             | LDAP SSL
    Custom TCP  | 9389            | PowerShell
    Custom TCP  | 49152-65535     | RPC
    Custom TCP  | 3268-3269       | Lightweight Directory Access Protocol (LDAP) Global Catalog (GC) and LDAP GC Secure Sockets Layer (SSL)
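A way to verify the port prerequisites before creating the office network, as an added PowerShell example that is not part of the EDS documentation: it runs on a Windows host inside the office network VPC and probes the TCP ports from the table on each domain controller, then exercises DNS and Windows Time over UDP. The domain name and controller addresses are placeholders.

```powershell
# Added example, not part of the EDS documentation. Run on a Windows host inside the
# office network VPC to confirm that the TCP ports listed in the prerequisites table
# are reachable on each domain controller or DNS server.
# The domain name and addresses below are placeholders; replace them with your own.
$DomainName  = 'example.com'                 # placeholder AD domain name
$Controllers = @('10.0.0.10', '10.0.0.11')   # placeholder DC / DNS server addresses

# TCP ports from the table. The dynamic RPC range 49152-65535 is not probed port by
# port; port 135 (endpoint mapper) reachable plus a working LDAP answer is the usual sign.
$TcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'Replication (RPC endpoint mapper)'
    389  = 'LDAP'
    443  = 'HTTPS'
    445  = 'SMB/CIFS'
    636  = 'LDAP SSL'
    3268 = 'LDAP Global Catalog'
    3269 = 'LDAP Global Catalog SSL'
    9389 = 'PowerShell (AD Web Services)'
}

$results = foreach ($dc in $Controllers) {
    foreach ($port in $TcpPorts.Keys) {
        $open = Test-NetConnection -ComputerName $dc -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Controller = $dc; Port = $port; Service = $TcpPorts[$port]; TcpOpen = $open }
    }
}
$results | Format-Table -AutoSize

# Closed ports are what to report to whoever owns the DC, DNS server and security software rules.
$results | Where-Object { -not $_.TcpOpen } |
    ForEach-Object { Write-Warning "$($_.Controller):$($_.Port) ($($_.Service)) is not reachable" }

# UDP ports (53, 88, 123, 137, 138, 389, 445, 464) cannot be probed with Test-NetConnection.
# Exercise the two that domain join depends on most: DNS/UDP 53 through an SRV lookup
# for the domain's LDAP service on each server, and Windows Time/UDP 123 through w32tm.
foreach ($dc in $Controllers) {
    try {
        $target = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $dc -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1 -ExpandProperty NameTarget
        "DNS via ${dc}: LDAP SRV record -> $target"
    } catch {
        Write-Warning "DNS via ${dc} failed: $($_.Exception.Message)"
    }
    # w32tm prints a time offset when UDP 123 is open and an error line otherwise.
    w32tm /stripchart /computer:$dc /samples:1 /dataonly
}
```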

Create an office network

  1. Log on to the EDS Enterprise console.

  2. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  3. In the upper-left corner of the top navigation bar, select a region.

  4. On the Office Networks page, click Create Office Network.

  5. In the Create Office Network step, select Advanced Office Network, configure parameters as prompted, and then click Next: Configure Account System. The following table describes the parameters.

    Parameters

    Parameter

    Description

    Select Region

    The region where you want to create the office network. For more information about supported regions and limits, see Regions.

    Name

    The name of the office network. Follow the on-screen instructions to specify a name.

    IPv4 CIDR Block

    When you create cloud computers in an office network, the system automatically assigns IP addresses to the cloud computers from the CIDR block of the VPC that is used by the office network. The number of IP addresses varies based on the CIDR block. For more information, see Plan a CIDR block.

    By default, you can set the IPv4 CIDR block of the virtual private cloud (VPC) that the office network uses to one of the following CIDR blocks or their subnets:

    • 192.168.0.0/16

    • 10.0.0.0/12

    • 172.16.0.0/12

    If you want to use a custom IPv4 CIDR block, submit a ticket to contact Alibaba Cloud technical support.

    Connection Method

    When you create an office network, you must specify the method that end users use to connect to cloud computers from the Alibaba Cloud Workspace client. The following connection methods are provided:

    • Internet (default): End users can connect to the cloud computers only over the Internet. If you select this method, on-premises machines that are used to connect to the cloud computers must be able to access the Internet.

    • VPC: End users can connect to the cloud computers only over a VPC. If you select this method, you must attach the office network to a Cloud Enterprise Network (CEN) instance. In addition, you must use Express Connect (circuits), Smart Access Gateway (SAG), or VPN Gateway to establish a connection between the on-premises and cloud networks. For more information, see Attach and detach an office network to and from a CEN instance and Select a private network service.

    • VPC and Internet: End users can use both of the preceding connection methods.

    Note

    The method that you want to use to connect Alibaba Cloud Workspace terminals to cloud computers. A VPC connection depends on PrivateLink, which is free of charge. If you select VPC or VPC and Internet, the system automatically activates PrivateLink.

    Attach to CEN

    If you set the Connection Method parameter to VPC, you must set this parameter to Yes. To attach the VPC to CEN, you can select a CEN instance that belongs to the current Alibaba Cloud account or to another Alibaba Cloud account.

    Note

    If you connect an on-premises network to the cloud by using Smart Access Gateway, Express Connect, or VPN Gateway, you must attach the office network to the same CEN instance as that of the on-premises network.

    To ensure that cloud computers in the office network can be used as expected, click Check after you specify a CEN instance. The system checks whether any route CIDR block of the CEN instance overlaps with the IPv4 CIDR block of the office network. If the CIDR blocks conflict, click View Conflict Details and Recommended CIDR Blocks. Then, specify another IPv4 CIDR block or CEN instance.

  6. In the Configure Account System step, set Account Type to Enterprise AD Account, configure parameters, and then click OK.

    Parameters

    Parameter

    Description

    Domain Name

    The AD domain name of your enterprise. Example: example.com.

    If a message appears indicating that the specified domain name is invalid, you can submit a ticket to contact Alibaba Cloud technical support.

    Domain Controller Hostname

    The hostname that you configure in the AD domain controller.

    • If the AD domain controller and DNS server are separately deployed on servers, you must specify the domain controller hostname. This way, the system can identify the valid domain controller, and the office network can be created.

    • If the AD domain controller and the DNS server are deployed on the same server, configure this parameter based on your business requirements.

    DNS Address

    The IP address of the DNS server that corresponds to the enterprise AD system.

    If the AD domain controller and the DNS server are deployed on the same server, you can enter the IP address of the AD domain controller. Make sure that the IP address can be accessed from the IPv4 CIDR block specified in the previous step.

    Secondary Domain Controller Hostname/Secondary DNS Address

    Click Add Secondary Domain Controller Hostname/DNS Address to add a secondary domain controller hostname and DNS address.

    This parameter is used to ensure high availability. Even if one of the domain controllers is shut down, operations such as cloud computer creation, assignment, and logon are not affected.

    Local Administrator

    The local administrator of a cloud computer can download software and perform tasks that require the local administrator permissions.

    If you select the Specify AD User as Local Administrator check box, users authorized to use cloud computers in the office network have the local administrator permissions.

    You can also configure a local administrator in the AD domain controller. For more information, see the "Configure users as local administrators" section of the Create and configure an enterprise AD office network topic.

    AD Connector Type

    The following AD connector types are provided based on the number of cloud computers:

    • General: suitable for scenarios in which fewer than 1,000 cloud computers (< 1,000) are required.

    • Advanced: suitable for scenarios in which at least 1,000 cloud computers (≥ 1,000) are required.

After the office network is created, you can go to the Office Networks page to view its status.

  • If the Configure users message appears in the Status column, the office network is created.

  • If the office network stays in the Registering state, go to the details page of the office network and view the actual status in the Basic Information section. If Failed to create the office network appears in the Status parameter, check the following: whether the office network can reach the AD domain server over the network, whether the parameters that you configured are valid, and whether the DNS server that you configured for the AD domain controller is valid. If no exceptions are found, click Retry to create the office network again. For more information, see FAQ about AD office networks.

Configure users

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Office Networks page, find the office network that you want to manage and click its ID.

  4. In the Basic Information section of the details page of the office network, click Configure next to Status.

  5. In the Configure AD Domain panel, enter usernames and passwords of AD domain users.

    Note

    The AD domain users must have the permissions to join computers to the AD domain and to read user properties from the AD domain controller. This way, the system can add cloud computers in the office network to the AD domain and assign the cloud computers.

  6. Click Verify to verify and obtain information about an organizational unit (OU) to which the users belong.

  7. If the information is verified, select the OU.

  8. Confirm the preceding configurations and click Close.

    If the office network enters the Registered state, you can create cloud computers or cloud computer pools in the office network.

Configure users as local administrators

Only local administrators of cloud computers can download software and perform tasks that require the local administrator permissions on the cloud computers. You can choose one of the following methods to configure users as local administrators:

  • Method 1: Configure local administrators in the EDS console. When you create an enterprise AD office network, select the Specify AD User as Local Administrator check box. After you select the check box, all users who are authorized to use cloud computers in the office network are the local administrators of the cloud computers.

    Advantage: This method is suitable for granting the local administrator permissions by office network, and it is easy. Users to which cloud computers in the enterprise AD office network are assigned have the local administrator permissions on the cloud computers.

    Disadvantage: This method cannot provide users with fine-grained permission management.

  • Method 2: Configure local administrators in an AD domain controller. You grant the local administrator permissions to specific domain users in the AD domain controller.

    Advantage: This method is suitable for granting the local administrator permissions by user, and it provides fine-grained permission management.

    Disadvantage: You must configure the local administrator permissions for domain users in the AD domain controller. This method is complex.

For more information, see How do I configure the local administrator permissions in my AD domain controller?

Manage an office network

You can perform the following operations after you create office networks:

Delete an office network

You can delete only office networks in which all cloud computers have been released. The system stops billing an AD connector after the corresponding enterprise AD office network is deleted.

Warning

Before you delete an office network, make sure that you have backed up important resources and data of cloud computers in the office network. You cannot restore deleted office networks. Proceed with caution.

  1. In the left-side navigation pane, choose Networks & Storage > Office Networks.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Office Networks page, find the office network that you want to delete and click Delete in the Actions column.

  4. In the message that appears, read the message and click OK.

Configure a conditional forwarder and trust relationship

By default, new office networks use the Adaptive Streaming Protocol (ASP). For existing office networks that use the high-definition experience (HDX) protocol, you must configure conditional forwarders and trust relationships before you use the office networks.

Procedure to configure a conditional forwarder and trust relationship

  1. Configure a conditional forwarder.

    On the Configure Conditional Forwarder page, log on to the DNS server of the AD domain as prompted and configure a conditional forwarder.

    Note

    • If your enterprise AD consists of one domain or of multiple domains (such as a parent domain and child domains) that share the same DNS server, you must configure a conditional forwarder on that DNS server.

    • If your enterprise AD consists of multiple domains that use different DNS servers, you must configure a conditional forwarder on each DNS server.

    1. Launch DNS Manager.

      In this example, DNS Manager in Windows Server 2016 is used. If your server runs another OS, adjust the steps to match its actual configuration.

      1. Launch Server Manager. In the left-side navigation pane, select DNS.

      2. In the right-side server list, right-click the DNS server that you want to manage and select DNS Manager.

    2. In the DNS Manager dialog box, right-click Conditional Forwarders and select New Conditional Forwarder.

    3. Enter the domain and the IP address of the DNS server, select Store this conditional forwarder in Active Directory, and replicate it as follows, select All DNS servers in this domain from the replication list, and then click OK.

      The domain name is ecd.acs, and the IP address is the connection address.

      Note

      In the AD Configuration section of the details page of the office network, find the Connection Address parameter and obtain the IP address.


    4. In the Administrator: Command Prompt window of the AD domain server, run the following command to check network connectivity:

      nslookup ecd.acs

      • If the returned IP address is the connection address, the conditional forwarder is configured.

      • If an error message is returned, check whether the conditional forwarder is correctly configured and clear DNS cache. For more information about how to clear DNS cache, see FAQ about AD office networks.

  2. Log on to the AD domain controller and configure a trust relationship.

    If you do not configure a trust relationship for an enterprise AD office network, you can create only cloud computers that use the same protocol as the office network. If you have already configured a trust relationship, you can create ASP- or HDX-based cloud computers. In the following section, an HDX-based office network is used as an example.

    Note

    If you want to configure a trust relationship for an ASP-based office network, submit a ticket for Alibaba Cloud technical support.

    1. Launch Server Manager.

    2. In the upper-right navigation bar, choose Tools > Active Directory Domains and Trusts.

    3. In the dialog box that appears, right-click the domain and click Properties.

    4. In the Properties dialog box, click the Trusts tab and then click New Trust to configure a trust relationship.

    5. In the New Trust Wizard panel, configure parameters for the trust relationship.

      Configure the following parameters and retain the default values for other parameters.

      • Trust Name: Enter ecd.acs in the Name field.

      • Trust Type: Select External trust.

        Note

        If the External trust option is not available, run the following command in the Administrator: Command Prompt window to check network connectivity:

        nslookup ecd.acs

        • If the returned IP address (the IP address of the AD connector) is the connection address, the conditional forwarder is configured.

        • If an error message is returned, check whether the conditional forwarder is correctly configured and clear the DNS cache. For more information about how to clear the DNS cache, see FAQ about AD office networks.


      • Trust Password: Specify a password in the Trust password field and confirm the password. The password is required when you configure the AD domain in the EDS console in subsequent steps. Record the password.

    6. Confirm the trust relationship that you configured and click OK.


    7. On the Configure Trust Relationship page in the EDS console, enter the trust password that you specified when you configured the trust relationship, and then click Complete All Configurations.
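The conditional forwarder from step 1 and a check on the trust created in step 2, as an added PowerShell example that is not part of the EDS documentation: it runs in an elevated session on the DNS server of the AD domain and assumes the Windows DnsServer and ActiveDirectory modules are installed; the connection address is a placeholder to be replaced with the value from the office network's AD Configuration section.

```powershell
# Added example, not part of the EDS documentation. Run in an elevated PowerShell
# session on the DNS server of the AD domain after the New Trust Wizard has completed.
# The connection address is a placeholder; take the real value from the Connection
# Address parameter in the AD Configuration section of the office network's details page.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName          = 'ecd.acs'      # fixed name the procedure uses for the forwarder and the trust
$ConnectionAddress = '192.0.2.10'   # placeholder for the office network's Connection Address

# Step 1 equivalent: create the conditional forwarder, stored in Active Directory and
# replicated to all DNS servers in this domain (-ReplicationScope Domain). Re-running is harmless.
$zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    Add-DnsServerConditionalForwarderZone -Name $ZoneName -MasterServers $ConnectionAddress -ReplicationScope 'Domain'
} elseif ($zone.ZoneType -ne 'Forwarder') {
    throw "A zone named $ZoneName already exists but is not a conditional forwarder; remove it before continuing."
}

# Same check as 'nslookup ecd.acs' in the procedure: the answer must be the connection address.
# The server cache is cleared first so that a stale answer cannot mask a misconfigured forwarder.
Clear-DnsServerCache -Force
$answers = Resolve-DnsName -Name $ZoneName -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
if ($answers -contains $ConnectionAddress) {
    "Conditional forwarder OK: $ZoneName resolves to $ConnectionAddress"
} else {
    Write-Warning "Unexpected answer for ${ZoneName}: $($answers -join ', '). Check the forwarder's master server."
}

# Step 2 follow-up: confirm that the external trust created in the wizard exists, and show its direction and type.
$trust = Get-ADTrust -Filter "Name -eq '$ZoneName'"
if ($trust) {
    $trust | Select-Object Name, Direction, TrustType, IntraForest | Format-List
} else {
    Write-Warning "No trust named $ZoneName found; rerun the New Trust Wizard on the domain controller."
}
```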

What to do next

After you create the enterprise AD office network, perform the following operations based on your business requirements: