Elastic Desktop Service (Enterprise Edition) supports convenience accounts and enterprise Active Directory (AD) accounts. When you create office networks (formerly workspaces), you can specify the account types of the office networks. This topic describes how to create an office network of the enterprise AD account type (hereinafter referred to as an enterprise AD office network).
Billing
Enterprise AD office networks connect to enterprise AD systems by using an AD connector. You are charged for using AD connectors on a pay-as-you-go basis based on the usage duration and the unit price of the AD connector you use. For more information about prices of AD connectors of different types, see the AD Connector Price section on the Pricing page in the Elastic Desktop Service portal.
If you want to stop the billing of AD connectors, delete the corresponding enterprise AD office networks. For more information, see the "Delete an AD office network" section of the Create and configure an AD office network topic.
Prerequisites
An enterprise AD system is deployed. If the AD domain controller and the Domain Name System (DNS) server run on different servers, make sure that the DNS address configured on the AD domain controller points to the IP address of the DNS server.
A Cloud Enterprise Network (CEN) instance is created, and the virtual private cloud (VPC) of the enterprise AD system and the enterprise AD office network are attached to the CEN instance. For more information about how to create a CEN instance, see the "Step 1: Create a CEN instance" section of the Use CEN and Enterprise Edition transit routers to enable intra-region communication between on-premises and cloud networks topic.
Note: If the AD domain controller and DNS server are deployed in an on-premises data center, you must use Express Connect circuits, Smart Access Gateway (SAG), or VPN Gateway to connect the on-premises network to the cloud network. For more information, see Select a private network service.
Specific ports are opened. The VPC of the enterprise AD office network must be able to reach the following ports on the AD domain controller. Open them in the security group or firewall rules of the AD domain controller, of the DNS server, and in any host-based security software, with the IPv4 CIDR block of the office network as the authorization object (source). The following table describes the required ports.

| Protocol | Port or port range | Description | Authorization object |
|---|---|---|---|
| Custom UDP | 53 | DNS | The IPv4 CIDR block of the office network. Example: 192.168.XX.XX/24. |
| Custom UDP | 88 | Kerberos | Same as above |
| Custom UDP | 123 | Windows Time (NTP) | Same as above |
| Custom UDP | 137 | NetBIOS name service | Same as above |
| Custom UDP | 138 | NetBIOS datagram service | Same as above |
| Custom UDP | 389 | LDAP | Same as above |
| Custom UDP | 445 | CIFS | Same as above |
| Custom UDP | 464 | Kerberos password change or reset (kpasswd) | Same as above |
| Custom TCP | 53 | DNS | The IPv4 CIDR block of the office network. Example: 192.168.XX.XX/24. |
| Custom TCP | 88 | Kerberos | Same as above |
| Custom TCP | 135 | RPC endpoint mapper (replication and domain join) | Same as above |
| Custom TCP | 389 | LDAP | Same as above |
| Custom TCP | 443 | HTTPS | Same as above |
| Custom TCP | 445 | SMB/CIFS | Same as above |
| Custom TCP | 636 | LDAP over SSL (LDAPS) | Same as above |
| Custom TCP | 3268 to 3269 | LDAP Global Catalog (GC) and LDAP GC over SSL | Same as above |
| Custom TCP | 9389 | AD Web Services (Active Directory module for PowerShell) | Same as above |
| Custom TCP | 49152 to 65535 | RPC dynamic port range | Same as above |

Ports 49152 to 65535 are the dynamic RPC range: after a client contacts the endpoint mapper on TCP 135, services such as the Netlogon secure channel and SAM are reached on a port assigned from this range, so the whole range must be open unless you have pinned those services to fixed ports on the domain controller. Keep the authorization object at the office network CIDR block rather than 0.0.0.0/0; these are the ports that expose the domain controller's authentication and directory services.
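The following PowerShell script is an added example, not part of this topic or of Elastic Desktop Service: it probes the TCP ports from the table above and the DNS and time prerequisites from a Windows host (for example, an ECS instance) inside the VPC of the office network, before you create the office network. The domain controller address, DNS server address, and domain name are placeholders that you must replace.

```powershell
# Added prerequisite check (not part of the Elastic Desktop Service documentation).
# Run from a Windows host in the office network's VPC. The three values below are
# assumptions for an example environment.
$DomainController = '10.0.1.10'     # assumption: private IP of the AD domain controller
$DnsServer        = '10.0.1.10'     # assumption: DNS server that the office network will use
$DomainName       = 'corp.example'  # assumption: DNS name of the AD domain

# TCP ports from the table, excluding the dynamic RPC range (49152-65535), which
# cannot be probed port by port: the endpoint mapper on 135 assigns them at run time.
$TcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    443  = 'HTTPS'
    445  = 'SMB/CIFS'
    636  = 'LDAP over SSL'
    3268 = 'LDAP Global Catalog'
    3269 = 'LDAP Global Catalog over SSL'
    9389 = 'AD Web Services'
}

$blocked = @()
foreach ($port in $TcpPorts.Keys) {
    $result = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        $state = 'open'
    } else {
        $state = 'BLOCKED'
        $blocked += "TCP/$port"
    }
    '{0,-9} {1,-32} {2}' -f "TCP/$port", $TcpPorts[$port], $state
}

# UDP 53: the SRV lookup for the domain's DCs goes over UDP first. A correct answer
# also proves that the DNS server the office network will use serves the AD zone,
# which is the split DC/DNS prerequisite stated above.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
           -Server $DnsServer -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if ($srv) {
    "SRV record ok, domain controllers: $(($srv.NameTarget | Sort-Object -Unique) -join ', ')"
} else {
    'SRV lookup for the domain FAILED (check UDP/53 and the DNS zone)'
    $blocked += 'UDP/53 or DNS zone'
}

# UDP 123: query the DC's time service. Kerberos rejects tickets when the clock
# skew exceeds 5 minutes, so a cloud computer that cannot sync will fail to join.
w32tm /stripchart "/computer:$DomainController" /samples:1 /dataonly

# Kerberos (88), NetBIOS (137/138), CIFS (445) and kpasswd (464) over UDP cannot be
# probed with Test-NetConnection. If everything above passes and the domain join
# still fails, check those UDP rules in the security group and on the DC's firewall.
if ($blocked) {
    Write-Warning ('Blocked or failing: ' + ($blocked -join ', '))
} else {
    'All probed prerequisites passed.'
}
```

Run the script before you click Create Office Network; a BLOCKED line maps directly to a missing security group or firewall rule for that port, and a failed SRV lookup means the DNS server you are about to configure for the office network does not resolve the AD domain.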
Create an office network
Log on to the Elastic Desktop Service console.
In the left-side navigation pane, open the Office Network (Formerly Workspace) page. In the upper-left corner of the top navigation bar, select a region.
On the Office Network (Formerly Workspace) page, click Create Office Network.
In the Create Office Network panel, select Advanced Office Network, configure parameters as prompted, and then click Next: Configure Account System. The following table describes the parameters.
In the Account Type section, select Enterprise AD Account, configure parameters, and then click OK. The following table describes the parameters.
After the office network is created, go to the Office Network (Formerly Workspace) page to view its status.
If Configure users appears in the Status column, the office network has been created and is waiting for the AD user configuration described in the next section.
If the office network stays in the Registering state, go to its details page and check the actual status in the Basic Information section. If Failed to create the office network appears next to Status, check the following items: whether the office network and the AD domain controller can reach each other over the network, whether the parameters that you configured are valid, and whether the DNS server that you configured for the AD domain controller is valid. If you find no problems, click Retry to create the office network again. For more information, see FAQ about AD office networks.
Configure users
In the left-side navigation pane, open the Office Network (Formerly Workspace) page. In the upper-left corner of the top navigation bar, select a region.
On the Office Network (Formerly Workspace) page, click the ID of the office network that you created in the previous section to go to the details page.
In the Basic Information section of the details page, click Configure next to Status.
In the Configure AD Domain panel, enter the username and password of an AD domain user.
Note: The user must have permission to join computers to the AD domain (create computer objects in the target OU) and to read user properties from the AD domain controller, so that the system can join the cloud computers in the office network to the domain and assign them to users. Use a dedicated service account that is delegated only these rights on the OU that you select in the next step, not a member of Domain Admins: the service uses this account for every domain join, so its rights define the damage an attacker can do with it.
Click Verify to verify the credentials and obtain information about the organizational unit (OU) to which the user belongs.
If the verification passes, select the OU that you obtained in the previous step.
Confirm the preceding configurations and click Close.
If the office network enters the Registered state, you can create cloud computers or cloud computer pools in the office network.
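As an added example that is not part of this topic, the following PowerShell script prepares the AD side of the Configure users procedure: it creates a dedicated domain-join account and delegates to it, on the OU that you select in the Configure AD Domain panel, only the rights needed to create computer objects and finish the join. Run it on a domain controller or on a host with the RSAT ActiveDirectory module, as a user who may edit the OU's ACL. The account name, the OU distinguished names, and the domain are assumptions for an example domain.

```powershell
# Added example (not part of the Elastic Desktop Service documentation): a
# least-privilege domain-join account for the Configure users step.
Import-Module ActiveDirectory

$JoinAccountName = 'svc-eds-join'                           # assumption
$AccountsOu      = 'OU=ServiceAccounts,DC=corp,DC=example'  # assumption
$DesktopsOu      = 'OU=CloudDesktops,DC=corp,DC=example'    # assumption: the OU selected in the console

# 1. A plain user account; no Domain Admins membership. The service holds this
#    password, so the account's rights are limited to computer objects in one OU.
$password = Read-Host -Prompt "Password for $JoinAccountName" -AsSecureString
New-ADUser -Name $JoinAccountName -SamAccountName $JoinAccountName -Path $AccountsOu `
    -AccountPassword $password -Enabled $true `
    -KerberosEncryptionType AES128,AES256 `
    -Description 'Elastic Desktop Service domain-join account; delegated on CloudDesktops only'
$sid = (Get-ADUser $JoinAccountName).SID

# 2. Resolve the object-type GUIDs from this forest's schema and Extended-Rights
#    containers instead of hard-coding them.
$rootDse = Get-ADRootDSE
$computerSchema = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerClass = [guid]::new([byte[]]$computerSchema.schemaIDGUID)
function Get-RightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$right.rightsGuid
}
$resetPassword   = Get-RightGuid 'Reset Password'
$accountRestrict = Get-RightGuid 'Account Restrictions'
$validatedDns    = Get-RightGuid 'Validated write to DNS host name'
$validatedSpn    = Get-RightGuid 'Validated write to service principal name'

# 3. Build the ACEs and write them to the OU.
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rules = @(
    # On the OU: create and delete computer objects. This is the "join" right.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $computerClass, $All),
    # On descendant computer objects only: set the machine password and account
    # flags, and perform the validated writes for dNSHostName and SPNs.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $Allow, $resetPassword, $Desc, $computerClass),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow, $accountRestrict, $Desc, $computerClass),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $Allow, $validatedDns, $Desc, $computerClass),
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $Allow, $validatedSpn, $Desc, $computerClass)
)
$acl = Get-Acl -Path "AD:\$DesktopsOu"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$DesktopsOu" -AclObject $acl

# 4. Show what was granted; nothing outside this OU should list the account.
(Get-Acl -Path "AD:\$DesktopsOu").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinAccountName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Reading user properties, the other permission the note above asks for, is granted to Authenticated Users by default in a standard domain, so the script adds nothing for it. Enter this account in the Configure AD Domain panel and select the same OU; if the join later fails with an access-denied error, the Access listing at the end is the first thing to compare against the OU you chose in the console.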
Configure users as local administrators
Only local administrators of a cloud computer can install software and perform other tasks that require local administrator permissions on it. You can configure users as local administrators in one of two ways: Method 1, in the Elastic Desktop Service (Enterprise Edition) console, or Method 2, in the AD domain controller.

| Method | Advantage | Disadvantage |
|---|---|---|
| Method 1: Configure local administrators in the console | Suitable for granting local administrator permissions per office network. When you create an enterprise AD office network, select the Specify AD User as Local Administrator check box; every user who is assigned a cloud computer in that office network then becomes a local administrator of that cloud computer. | No fine-grained control over users: the permission cannot be limited to specific users. |
| Method 2: Configure local administrators in the AD domain controller | Suitable for granting local administrator permissions per user. You can grant the permission to specific users only, which gives fine-grained control. | You must configure the local administrator permissions for domain users in the AD domain controller, and the configuration is more complex. |

Prefer Method 2 wherever the user population allows it. A local administrator can disable or tamper with endpoint security agents and read credential material cached on the cloud computer, and Method 1 grants that level of access to every user assigned a cloud computer in the office network.
For more information, see How do I configure the local administrator permissions in my AD domain controller?
Manage an office network
You can perform the following operations after you create office networks:
Delete an office network
You can delete an office network only after all cloud computers in it have been released. The system stops billing an AD connector only when the corresponding enterprise AD office network is deleted.
Before you delete an office network, make sure that you have backed up the important resources and data of its cloud computers. Deleted cloud computers cannot be restored. Proceed with caution.
In the left-side navigation pane, open the Office Network (Formerly Workspace) page. In the upper-left corner of the top navigation bar, select a region.
On the Office Network (Formerly Workspace) page, find the desired office network and click Delete in the Actions column.
In the message that appears, read the message and click OK.
Configure a conditional forwarder and trust relationship
By default, new office networks use the Adaptive Streaming Protocol (ASP). For existing office networks that use the High-definition Experience (HDX) protocol, you must configure conditional forwarders and a trust relationship before you can use them.
What to do next
After you create the enterprise AD office network, perform the following operations based on your business requirements: