Migrating Horizon View Desktops to a new Active Directory Domain

I have seen that customers were asking about this question –  Is it possible to move Virtual Desktops from one domain to another ? This questions was raised in VMware communities and other discussion forums, by admins who deployed Linked Clone Virtual Desktops and want to change its domain membership because of various reasons. Yes, it is possible and there are easy methods to perform such migration. These steps may not be readily available in View Administration guides, hence I am going to explain the procedure in detail.

First of all, before planning for a migration, we need to understand the necessity of applying domain membership changes for Horizon View Desktops. Assume that, we have two domains named abc.com and xyz.com; View Connection server is a member of abc.com, and all View Desktops are part of abc.com. If users of xyz.com need to access the View Desktops, it is not necessary to change its domain membership. Instead, adding appropriate user entitlement for the desktop would suffice. However it is a must that, both these domains should have two way transitive trust (A trust that can extend beyond two domains to other trusted domains in the forest) and permissions across each others, so that users of xyz.com are available through abc.com. This way, we can entitle xyz.com users for View Desktops those have membership on abc.com domain.

Now, the above requirements doesn’t warrant us to move View Desktops from abc.com to xyz.com as it can be easily fulfilled with domain trusts and entitlements of accounts from new domain. Therefore, the domain migration needs to be performed only based on specific requirements. For example, view desktops’s domain policies should to be inherited from xyz.com instead of abc.com. In such case, changing the domain membership is the better option.

Prerequisites

  1. Two way transitive trust between abc.com and xyz.com
  2. Domain filtering is not applied on View Connection servers — While View Connection servers are member of abc.com, it should not be prevented to browse the objects from xyz.com through the trust relationship.
  3. Both domains are reachable and resolvable from View Composer and vCenter/vSphere Server networks.

Initial Configuration

edit-vcLogin to View Administrator console; on the left panel inventory, navigate to server settings and choose the vCenter Server tab. The vCenter server will be already configured from which View Desktops are defined. Right click on the vCenter Server, and click ‘Edit…’ to change the configuration, and scroll down to View Composer server settings, and click “Edit” again. Now an edit settings page will pop-up for View Composer.

edit-composerUnder the ‘Domains’ section, click on the “Verify Server Information” to list all configured domains. Here you can see the existing active directory domains, domain admin users and desktops pools associated with the domain. Click on “Add” to enter a new Active Directory domain account, to which the migration has to be performed.

add-domain

If View Composer Server or vCenter server cannot resolve xyz.com domain, this step may fail. So here we need to ensure that a two way trust relationship (transitive) between the domains are already configured and the new domain is reachable  from all the associated View and vCenter components.

Once the new active directory domain is successfully added, the list will look like as below. In this example you can see that View Desktop Pool named “desktop-01” is currently associated with abc.com domain.

com-domains

The above association is not related to the entitlement of ‘desktop-01’, instead, it represents the domain membership of its virtual desktops. Note that, for entitling a user from xyz.com domain, the above step is not necessary, and can be done without composer domain addition. The above configuration is required only for migration purpose which ensures the specified domain is listed for ‘Guest Customization’ settings of View Desktop Pool.

Migration Process

Migration can be done in two ways, either by performing recompose or rebalance. Again the migration can be done at Pool level or VM level. To perform the migration, first edit the desktop pool and click on the “Guest customization” tab of the edit wizard. Domain abc.com will be pre-selected here according to the original configuration of the pool. Drop down the domain and choose the newly added domain xyz.com, and click save.  Any new desktops, those are provisioned after this step onwards will establish domain membership with xyz.com. However based on the entitlement, users from abc.com can still access those newly provisioned desktops.

Once the pool configuration is updated with new domain, initiate a recompose or rebalance operation so that all the existing desktops will undergo customization stage and pick the new domain membership from the updated pool configuration. This can be successfully performed on both dedicated or floating assignments (pool level or VM level). After that maintenance operation (recompose/rebalance), you will notice that domain VM’s membership got changed, and desktop FQDN is suffixed with xyz.com

Permalink: Migrating Horizon View Desktops to a new Active Directory Domain

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s