Citrix Director can monitor a XenDesktop and XenApp environment that spans multiple forests, where the users, the XenDesktop Delivery Controller (XD DDC), the VDAs and Citrix Director itself can each be located in the same or in different forests.
When Citrix Director interacts with components located in different forests, trust relationships must be configured between some of those components, otherwise Director operations fail with trust errors. This blog describes the recommended trust relationships between the XenDesktop and XenApp components and the additional configuration needed to use Citrix Director in a multi-forest environment.
- User Forest refers to the forest where all the user accounts that use Desktops/Apps are located.
- XD DDC Forest refers to the forest where the delivery controller is located.
- VDA Forest refers to the forest where all the machine accounts of Virtual Desktop Agents are located.
- Director Forest refers to the forest where Director is located.
Configuring Trust Relationships
User and XD DDC Forests:
Create an outgoing and an incoming trust between the User Forest and the XD DDC Forest with domain-wide authentication.
Director and XD DDC Forests:
Create an outgoing forest trust from the Director Forest to the XD DDC Forest with domain-wide authentication, so that the XD DDC domain is trusted by the Director domain.
Director and VDA Forests:
Create an outgoing forest trust from the Director Forest to the VDA Forest with domain-wide authentication, so that the VDA domain is trusted by the Director domain.
This enables the Director admin to search for specific machines in the VDA Forest to troubleshoot issues.
User and Director Forests:
Create an outgoing forest trust from the Director Forest to the User Forest with domain-wide authentication, so that the User domain is trusted by the Director domain.
This enables the Director admin to search for users to troubleshoot individual user sessions.
On Active Directory:
An outgoing forest trust from the Director Forest to a User Forest can be created in the Active Directory Domains and Trusts console as shown in the sample below:
- An external trust with domain-wide authentication can also be used, but an external trust is non-transitive, so the trust does not flow to the other domains in the forest. A forest-wide trust is therefore recommended.
- Selective authentication is not preferred, because Windows does not automatically authenticate users from the trusted domain even after the trust relationship is established.
On Director Server:
The Director server must be configured with the user domain, as shown below:
- Open the Internet Information Services (IIS) Manager console.
- From the Default website, go to the Director website.
- Double-click Application Settings.
- Double-click Connector.ActiveDirectory.Domains and add the user domain to the existing value, separated by a comma.
- Open the Studio Console.
- Go to Delivery Groups and click Edit Delivery Group.
- Select Users and add the user groups from the user domain.
Note: avoid using domain local groups from the XD DDC domain.
For issues related to domain local groups, please refer to this blog post.
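The trust checks from the "Configuring Trust Relationships" section and the Connector.ActiveDirectory.Domains change from the IIS steps above can be scripted on the Director server. The following PowerShell is an added example, not code from the original post or from Citrix: it audits the trusts the Director forest should have (outbound or bidirectional, forest-transitive, not selective authentication) and appends a user domain to the Director site's application setting only if it is not already present. The IIS site path, domain names and the Test-/Add- function names are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes: run elevated on the Director
# server with the RSAT ActiveDirectory and WebAdministration modules installed; the
# Director site lives under "Default Web Site"; all domain names are placeholders.
Import-Module ActiveDirectory
Import-Module WebAdministration

$DirectorSitePath = 'IIS:\Sites\Default Web Site\Director'   # assumed default install path
$NewUserDomain    = 'users.example.com'                      # placeholder User Forest domain
# Placeholder targets: XD DDC forest, VDA forest and User forest, per the post's recommendations.
$ExpectedTargets  = @('xddc.example.com', 'vda.example.com', 'users.example.com')

# Audit the trusts the Director forest holds towards each expected target.
# Returns one object per target with Compliant = $true when the trust is
# outbound (or bidirectional), forest-transitive and uses domain-wide
# (i.e. not selective) authentication, which is what the post recommends.
function Test-DirectorTrusts {
    param([string[]]$Targets)

    $trusts = Get-ADTrust -Filter * -Properties Direction, ForestTransitive, SelectiveAuthentication
    foreach ($target in $Targets) {
        $trust = $trusts | Where-Object { $_.Target -eq $target }
        if (-not $trust) {
            [pscustomobject]@{ Target = $target; Compliant = $false; Reason = 'no trust found' }
            continue
        }
        $direction = "$($trust.Direction)"   # enum -> string for a plain comparison
        $reasons = @()
        if ($direction -notin @('Outbound', 'BiDirectional')) { $reasons += "direction is $direction" }
        if (-not $trust.ForestTransitive)                      { $reasons += 'not forest-transitive (external trust?)' }
        if ($trust.SelectiveAuthentication)                    { $reasons += 'selective authentication enabled' }
        [pscustomobject]@{
            Target    = $target
            Compliant = ($reasons.Count -eq 0)
            Reason    = ($reasons -join '; ')
        }
    }
}

# Append a domain to Connector.ActiveDirectory.Domains in the Director site's
# web.config (comma-separated list) unless it is already listed. Returns the
# resulting value so the caller can log or verify it.
function Add-DirectorUserDomain {
    param([string]$SitePath, [string]$Domain)

    $filter = 'appSettings/add[@key="Connector.ActiveDirectory.Domains"]'
    $raw = Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name 'value'
    # Depending on the IIS provider version this is a string or an attribute object.
    $current = if ($raw -is [string]) { $raw } else { $raw.Value }

    $domains = @()
    if ($current) {
        $domains = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    if ($domains -contains $Domain) {
        Write-Host "$Domain is already listed in Connector.ActiveDirectory.Domains"
        return $current
    }
    $updated = ($domains + $Domain) -join ','
    # Writing the property updates web.config, which recycles the Director application.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name 'value' -Value $updated
    Write-Host "Connector.ActiveDirectory.Domains is now: $updated"
    return $updated
}

# Usage: report any trust that does not match the recommendation, then add the domain.
Test-DirectorTrusts -Targets $ExpectedTargets | Format-Table -AutoSize
Add-DirectorUserDomain -SitePath $DirectorSitePath -Domain $NewUserDomain
```

Run the audit first: a target reported as "not forest-transitive" is the external-trust case the post warns about, and "selective authentication enabled" is the setting under which Windows will not authenticate the trusted users automatically. The Studio step (adding the user groups to the Delivery Group) is not scripted here and still has to be done in the Studio console.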