{"_id":"5accd08df6f4810003fe7318","project":"55d535ca988e130d000b3f5c","version":{"_id":"55d535cb988e130d000b3f5f","__v":13,"project":"55d535ca988e130d000b3f5c","hasDoc":true,"hasReference":false,"createdAt":"2015-08-20T02:04:59.052Z","releaseDate":"2015-08-20T02:04:59.052Z","categories":["55d535cc988e130d000b3f60","55d6b238d2a8eb1900109eef","55d6b4f3250d7d0d004274cd","55d7967960fc730d00fc2852","55da9804e835f20d009fc5d0","55e75b1de06f4b190080dbfd","55e75b39e06f4b190080dbfe","55e75b7ae06f4b190080dbff","564f5a4e33082f0d001bb709","570fb64aa38d470e0060cbff","586d0dd89a854123001acd65","586d0e3b9a854123001acd66","5a613b28da07540012e8ca4a"],"is_deprecated":false,"is_hidden":false,"is_beta":false,"is_stable":true,"codename":"","version_clean":"1.0.0","version":"1.0"},"category":{"_id":"55e75b7ae06f4b190080dbff","__v":10,"project":"55d535ca988e130d000b3f5c","version":"55d535cb988e130d000b3f5f","pages":["5637e17197666c0d008656a5","569591a4fcb1032d0089e037","569622eafe18811700c9c19b","5696c9588560a60d00e2c1e0","569709ca0b09a41900b2442b","5697129ac8ded91700307b77","5697190a59a6692d003fad6a","5697192969393517000c8280","569f11908f6d4b0d00f13bb2","56a0030b5b981c2b00383df0"],"sync":{"url":"","isSync":false},"reference":false,"createdAt":"2015-09-02T20:26:34.258Z","from_sync":false,"order":4,"slug":"frame-platform","title":"Frame Platform"},"user":"57ebf6b80db1190e0094a3ba","githubsync":"","__v":0,"parentDoc":null,"updates":[],"next":{"pages":[],"description":""},"createdAt":"2018-04-10T14:56:13.757Z","link_external":false,"link_url":"","sync_unique":"","hidden":false,"api":{"results":{"codes":[]},"settings":"","auth":"required","params":[],"url":""},"isReference":false,"order":30,"body":"Frame supports integrating with your on-prem or cloud-based Microsoft Active Directory (AD) environment. This is accomplished by taking steps to enable a new Frame account to communicate with your Domain Services components, such as through a VPC Peering connection or through a VPN. You will then join these cloud Windows Server 2016 machines to your domain. \n\nFrame recommends that you utilize your own AWS account, where these Windows machines will be provisioned and orchestrated by the Frame Platform. This is called our \"BYO AWS\" feature. Before continuing with this setup guide, you will need to set up BYO AWS as described in [this article](https://docs.fra.me/docs/byo-aws-account). If you plan on scaling your environment and supporting it in a production manner, you will be required to use an AWS BYO account. \n\nIn order to ensure success as part of this process, you will be coordinating through Frame Support, so that a Support representative or Solution Architect can best guide you through the process. \n\n## Supported Deployment Models and Systems Overview\nThere are a few architectural models to use for connecting your AD environment to Frame.\n\n1. One or more of your Domain Controllers are located in an AWS VPC. The Region in which your Domain Controllers are located must support inter-region VPC Peering, which you can read about [here](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-basics.html). In this model, you can create a VPC Peering connection between your Domain Controllers and your Frame account. \n\n2. You have an on-prem environment and have the ability to set up an always-on VPN connection to Frame. \n\nIn both models above, you will need to configure your networking and firewall rules to enable all ports and protocols corresponding to Active Directory traffic. Such a list can be found online in Microsoft documentation [here](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts). Amazon provides documentation on setting up VPC Peering [here](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/create-vpc-peering-connection.html). Amazon's VPN Connection documentation is located [here](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html).  \n\nPlease read this guide thoroughly **before** beginning the process of connecting your AD environment with Frame. \n\n## Active Directory Prep Tasks\nYou will need to add several items to your Active Directory environment to integrate with Frame. Please take the following steps to set this up. \n\n### Create your OU and retrieve its detailed info\n\nCreate an OU titled \"Frame\". If this name is already taken, please check with our Support team for alternative names which are compatible. Next, create another OU within the Frame OU which has a title matching the name of the Frame account you created with our Support team. While this name does not need to match, it will be helpful in correlating information in the future. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/bb83db7-DC2_OH_Zackadmin.png\",\n        \"DC2_OH_Zackadmin.png\",\n        257,\n        215,\n        \"#d9dab3\"\n      ]\n    }\n  ]\n}\n[/block]\nWe will now retrieve detailed info about this new OU, so we can pass this along to Frame Support later on. In your *Active Directory Users and Computers* console, make sure that *Advanced Features* is checked as shown below. This will enable us to easily retrieve the info we need. \n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/646de58-AD_Users_and_Computers_check_Advanced_Features.png\",\n        \"AD_Users_and_Computers_check_Advanced_Features.png\",\n        488,\n        427,\n        \"#f2f1ec\"\n      ]\n    }\n  ]\n}\n[/block]\nNow select Properties for your new OU. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/2cd1dc7-Select_Properties_for_your_new_OU.png\",\n        \"Select_Properties_for_your_new_OU.png\",\n        450,\n        434,\n        \"#eff0ea\"\n      ]\n    }\n  ]\n}\n[/block]\nNow double-click on the property titled *distinguishedName*. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/64b5516-double-click_on_distinguishedName.png\",\n        \"double-click_on_distinguishedName.png\",\n        398,\n        452,\n        \"#1e539a\"\n      ]\n    }\n  ]\n}\n[/block]\nCopy this attribute's *Value* to your clipboard and keep this info handy for later on, when we submit your Support Request to Frame. In our example below, our value is as follows: \n\n*OU=FEPTSERV-WEST,OU=Frame,DC=feptserv,DC=com*\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/2840f34-Copy_the_DN_for_Your_Support_Request.png\",\n        \"Copy_the_DN_for_Your_Support_Request.png\",\n        633,\n        568,\n        \"#f0f0ee\"\n      ]\n    }\n  ]\n}\n[/block]\n### Create a service account for Frame and delegate control\nNext, create a new user account in your domain titled \"Frame Service\" and save the credentials in a secure location. Work with our Support staff to securely transfer these credentials to us. This will be used by the Frame Platform during the Sandbox Publishing process in order to create machine objects and join the Windows instances to your Domain. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/56f8287-DC2_OH_Zackadmin.png\",\n        \"DC2_OH_Zackadmin.png\",\n        434,\n        374,\n        \"#eaeae9\"\n      ]\n    }\n  ]\n}\n[/block]\nNow use the Delegation of Control wizard to enable the Frame Service account with the required permissions to manage the OU and its computer objects. The permissions needed are shown in subsequent steps of this guide for convenience.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/9706197-delegate_control_1.png\",\n        \"delegate_control_1.png\",\n        376,\n        509,\n        \"#f0f0ed\"\n      ]\n    }\n  ]\n}\n[/block]\nSelect your Frame Service account. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/11c4d31-frame_service_account_selected_in_ad_doc_wizard.png\",\n        \"frame_service_account_selected_in_ad_doc_wizard.png\",\n        455,\n        249,\n        \"#e9eae8\"\n      ]\n    }\n  ]\n}\n[/block]\nOn the *Tasks to Delegate* screen, select *Create a custom task to delegate*. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/66769e6-DC2_OH_Zackadmin.png\",\n        \"DC2_OH_Zackadmin.png\",\n        496,\n        389,\n        \"#e9e9e7\"\n      ]\n    }\n  ]\n}\n[/block]\nOn the *Active Directory Object Type* screen, select *Only the following objects in this folder*, then *Computer objects* and *Create selected objects in this folder*, as shown below. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/72aaa40-AD_OT_screen_1.png\",\n        \"AD_OT_screen_1.png\",\n        495,\n        389,\n        \"#eaeae6\"\n      ]\n    }\n  ]\n}\n[/block]\nOn the *Permissions* screen, with the *General* toggle checked, select both *Change password* and *Reset password*. Complete the wizard by clicking *Next*, then *Finish*. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/9f9f18a-permissions_to_select_1.png\",\n        \"permissions_to_select_1.png\",\n        496,\n        387,\n        \"#eaeae8\"\n      ]\n    }\n  ]\n}\n[/block]\nIn some circumstances, you may wish to create separate Frame Service accounts for each OU for greater security, scalability, or convenience. This is also supported. To do so, create a Frame Service account for each OU and delegate the same permissions as above. \n\nIf you are planning on using Utility Servers in this account, you may wish to create a second OU for the Utility Servers, so that you can apply Group Policies specific to these servers. You may also wish to have a third OU to place the Sandbox in, because it is the master image and you may wish to test Group Policy changes on it without affecting your production machines.  \n\n### Group Policy considerations\nPlease also ensure that Loopback Processing is disabled on the Frame OU, so that unnecessary and potentially conflicting GPOs are not applied inadvertently. Since your organization may have specific security lockdowns and GPOs, you will need to work with our Customer Success or Solution Architect teams to ensure that these GPOs do not cause adverse effects to the Frame environment.\n\n## Additional networking, firewall, and routing considerations\nYou will need to work with our Customer Success team or a Customer Solution Architect to plan the network routes between your Domain Controllers and the Frame account. This ensures that there are no IP address conflicts and that there is sufficient network address space available in your AWS VPC's to contain and expand this environment. As mentioned at the start of this guide, you will also need to ensure that [all applicable Active Directory ports and protocols](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts) are open along this new network path. If you plan to connect multiple Frame accounts to your Domain Controllers, then you will need to plan this with our team and duplicate the steps in this guide for each new account. Setting up a VPC Peering Connection or VPN Connection will be one of the first steps in the setup process for this Domain Join feature. \n\nIf you are planning on scaling this environment and using it in a production manner, you may have additional setup steps and you should discuss this with our team. \n\n## Create a Frame Support Request\nNow create a new Support Request on the [Frame support site](support.fra.me ) titled *Active Directory Domain Join Integration Request* with the following information: \n- The IP address of your Domain Controller (DC)\n- The CIDR block (IP subnet and mask) where your Domain Controller resides and information about the network routes needed to reach this subnet. \n- Your AWS Account ID, which will be used by our team to send a VPC Peering Request to you\n- The AWS VPC ID and Region with your DC in it, if your DC resides in an AWS VPC\n- Information about your VPN configuration \n- Your preferred method of sharing the account name and password for the Frame Service account you created above, such as via encrypted messaging app, encrypted file download, etc. \n- The list of GPO's you wish to apply to this environment after setup, if applicable. You may alternatively attach an ADMX template file to your Support Request. \n\nOur Support team will get back to you shortly and quickly set up your new Frame account! \n\n## Join to the Domain and Complete Setup\nOnce a compatible Frame account has been created by Frame Support, you will be able to proceed to joining your Sandbox to the domain, if you wish. Joining the Sandbox allows you to test connectivity with your Domain Controller, validate that the new service account works as expected, and utilize the domain-joined Sandbox to test any client-server applications relying on Active Directory. \n\nBefore continuing, make sure your Frame account's Sandbox can communicate with the domain controller through your VPC Peer or VPN tunnel. This can be tested by starting up the Sandbox and using it to test network connectivity, such as through Ping or another tool. You will need to ensure that forward and reverse DNS lookups are working correctly, so that the Windows machines in the new Frame account, such as the Sandbox, can resolve your domain controller's FQDN and IP address. \n\nAfter confirming network connectivity with your domain, take note of the hostname of the Sandbox, so that you can later find it in your Active Directory forest and place it in an OU of your choosing. You may choose to not move the Sandbox to the same OU that you created previously, because you may wish to use it as a template without the same GPO's applied to it. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/72897de-new_hostname_noted_5122.png\",\n        \"new_hostname_noted_5122.png\",\n        1694,\n        876,\n        \"#404551\"\n      ]\n    }\n  ]\n}\n[/block]\nNow you can proceed with joining the Sandbox to your domain as you would normally by using an administrator account to do so. Restart the Sandbox when prompted. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/accdb8f-computer_name_and_domain_changes_234.png\",\n        \"computer_name_and_domain_changes_234.png\",\n        454,\n        329,\n        \"#dfdedf\"\n      ]\n    }\n  ]\n}\n[/block]\n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/524ef4f-restart_now_14.png\",\n        \"restart_now_14.png\",\n        350,\n        167,\n        \"#ebeaef\"\n      ]\n    }\n  ]\n}\n[/block]\nOnce the Sandbox restarts, you will be presented with the Windows Logon Screen. \n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/ce4e851-Try_logging_in_0237911.png\",\n        \"Try_logging_in_0237911.png\",\n        1702,\n        1562,\n        \"#181b25\"\n      ]\n    }\n  ]\n}\n[/block]\nYou should be presented with the Windows Desktop, where you can further test connectivity with other servers and services on your domain. Install your applications and ensure they function as expected. Once completed, shut down the Sandbox machine. \n\nNext, we will increase your Production Capacity. Navigate to the Settings portion of your Dashboard and select the Production tab. Increase the number of instances to the maximum number of concurrent users you wish to support. You should be knowledgeable of any AWS account limits or Frame limits and not exceed them. You should also note that this Max value creates additional storage volumes, which will increase costs. You may optionally change the Min and Buffer settings, which would keep instances always running and will greatly increase your costs. For more information about these Capacity settings, please refer to our documentation [here](https://docs.fra.me/docs/set-up-capacity-and-scaling). \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/58d751f-time_to_publish_0234113.png\",\n        \"time_to_publish_0234113.png\",\n        1000,\n        541,\n        \"#0e1927\"\n      ]\n    }\n  ]\n}\n[/block]\nNow we will Publish. Navigate back to the Apps portion of your Launchpad. Select the Sandbox tab, then click Publish. This may take some time. \n\n\nOnce Publishing has completed, you will be able to create new Team Members in your account and invite people in your organization to use Frame. They can then log into their apps and Desktops via the Windows login prompt as they are accustomed to. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/437ec59-Try_logging_in_0237911_another_time.png\",\n        \"Try_logging_in_0237911_another_time.png\",\n        1702,\n        1562,\n        \"#181b25\"\n      ]\n    }\n  ]\n}\n[/block]","excerpt":"","slug":"join-frame-to-your-domain","type":"basic","title":"Join Frame to your domain"}

Join Frame to your domain


Frame supports integrating with your on-prem or cloud-based Microsoft Active Directory (AD) environment. This is accomplished by taking steps to enable a new Frame account to communicate with your Domain Services components, such as through a VPC Peering connection or through a VPN. You will then join these cloud Windows Server 2016 machines to your domain. Frame recommends that you utilize your own AWS account, where these Windows machines will be provisioned and orchestrated by the Frame Platform. This is called our "BYO AWS" feature. Before continuing with this setup guide, you will need to set up BYO AWS as described in [this article](https://docs.fra.me/docs/byo-aws-account). If you plan on scaling your environment and supporting it in a production manner, you will be required to use an AWS BYO account. In order to ensure success as part of this process, you will be coordinating through Frame Support, so that a Support representative or Solution Architect can best guide you through the process. ## Supported Deployment Models and Systems Overview There are a few architectural models to use for connecting your AD environment to Frame. 1. One or more of your Domain Controllers are located in an AWS VPC. The Region in which your Domain Controllers are located must support inter-region VPC Peering, which you can read about [here](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-basics.html). In this model, you can create a VPC Peering connection between your Domain Controllers and your Frame account. 2. You have an on-prem environment and have the ability to set up an always-on VPN connection to Frame. In both models above, you will need to configure your networking and firewall rules to enable all ports and protocols corresponding to Active Directory traffic. Such a list can be found online in Microsoft documentation [here](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts). Amazon provides documentation on setting up VPC Peering [here](https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/create-vpc-peering-connection.html). Amazon's VPN Connection documentation is located [here](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html). Please read this guide thoroughly **before** beginning the process of connecting your AD environment with Frame. ## Active Directory Prep Tasks You will need to add several items to your Active Directory environment to integrate with Frame. Please take the following steps to set this up. ### Create your OU and retrieve its detailed info Create an OU titled "Frame". If this name is already taken, please check with our Support team for alternative names which are compatible. Next, create another OU within the Frame OU which has a title matching the name of the Frame account you created with our Support team. While this name does not need to match, it will be helpful in correlating information in the future. [block:image] { "images": [ { "image": [ "https://files.readme.io/bb83db7-DC2_OH_Zackadmin.png", "DC2_OH_Zackadmin.png", 257, 215, "#d9dab3" ] } ] } [/block] We will now retrieve detailed info about this new OU, so we can pass this along to Frame Support later on. In your *Active Directory Users and Computers* console, make sure that *Advanced Features* is checked as shown below. This will enable us to easily retrieve the info we need. [block:image] { "images": [ { "image": [ "https://files.readme.io/646de58-AD_Users_and_Computers_check_Advanced_Features.png", "AD_Users_and_Computers_check_Advanced_Features.png", 488, 427, "#f2f1ec" ] } ] } [/block] Now select Properties for your new OU. [block:image] { "images": [ { "image": [ "https://files.readme.io/2cd1dc7-Select_Properties_for_your_new_OU.png", "Select_Properties_for_your_new_OU.png", 450, 434, "#eff0ea" ] } ] } [/block] Now double-click on the property titled *distinguishedName*. [block:image] { "images": [ { "image": [ "https://files.readme.io/64b5516-double-click_on_distinguishedName.png", "double-click_on_distinguishedName.png", 398, 452, "#1e539a" ] } ] } [/block] Copy this attribute's *Value* to your clipboard and keep this info handy for later on, when we submit your Support Request to Frame. In our example below, our value is as follows: *OU=FEPTSERV-WEST,OU=Frame,DC=feptserv,DC=com* [block:image] { "images": [ { "image": [ "https://files.readme.io/2840f34-Copy_the_DN_for_Your_Support_Request.png", "Copy_the_DN_for_Your_Support_Request.png", 633, 568, "#f0f0ee" ] } ] } [/block] ### Create a service account for Frame and delegate control Next, create a new user account in your domain titled "Frame Service" and save the credentials in a secure location. Work with our Support staff to securely transfer these credentials to us. This will be used by the Frame Platform during the Sandbox Publishing process in order to create machine objects and join the Windows instances to your Domain. [block:image] { "images": [ { "image": [ "https://files.readme.io/56f8287-DC2_OH_Zackadmin.png", "DC2_OH_Zackadmin.png", 434, 374, "#eaeae9" ] } ] } [/block] Now use the Delegation of Control wizard to enable the Frame Service account with the required permissions to manage the OU and its computer objects. The permissions needed are shown in subsequent steps of this guide for convenience. [block:image] { "images": [ { "image": [ "https://files.readme.io/9706197-delegate_control_1.png", "delegate_control_1.png", 376, 509, "#f0f0ed" ] } ] } [/block] Select your Frame Service account. [block:image] { "images": [ { "image": [ "https://files.readme.io/11c4d31-frame_service_account_selected_in_ad_doc_wizard.png", "frame_service_account_selected_in_ad_doc_wizard.png", 455, 249, "#e9eae8" ] } ] } [/block] On the *Tasks to Delegate* screen, select *Create a custom task to delegate*. [block:image] { "images": [ { "image": [ "https://files.readme.io/66769e6-DC2_OH_Zackadmin.png", "DC2_OH_Zackadmin.png", 496, 389, "#e9e9e7" ] } ] } [/block] On the *Active Directory Object Type* screen, select *Only the following objects in this folder*, then *Computer objects* and *Create selected objects in this folder*, as shown below. [block:image] { "images": [ { "image": [ "https://files.readme.io/72aaa40-AD_OT_screen_1.png", "AD_OT_screen_1.png", 495, 389, "#eaeae6" ] } ] } [/block] On the *Permissions* screen, with the *General* toggle checked, select both *Change password* and *Reset password*. Complete the wizard by clicking *Next*, then *Finish*. [block:image] { "images": [ { "image": [ "https://files.readme.io/9f9f18a-permissions_to_select_1.png", "permissions_to_select_1.png", 496, 387, "#eaeae8" ] } ] } [/block] In some circumstances, you may wish to create separate Frame Service accounts for each OU for greater security, scalability, or convenience. This is also supported. To do so, create a Frame Service account for each OU and delegate the same permissions as above. If you are planning on using Utility Servers in this account, you may wish to create a second OU for the Utility Servers, so that you can apply Group Policies specific to these servers. You may also wish to have a third OU to place the Sandbox in, because it is the master image and you may wish to test Group Policy changes on it without affecting your production machines. ### Group Policy considerations Please also ensure that Loopback Processing is disabled on the Frame OU, so that unnecessary and potentially conflicting GPOs are not applied inadvertently. Since your organization may have specific security lockdowns and GPOs, you will need to work with our Customer Success or Solution Architect teams to ensure that these GPOs do not cause adverse effects to the Frame environment. ## Additional networking, firewall, and routing considerations You will need to work with our Customer Success team or a Customer Solution Architect to plan the network routes between your Domain Controllers and the Frame account. This ensures that there are no IP address conflicts and that there is sufficient network address space available in your AWS VPC's to contain and expand this environment. As mentioned at the start of this guide, you will also need to ensure that [all applicable Active Directory ports and protocols](https://support.microsoft.com/en-us/help/179442/how-to-configure-a-firewall-for-domains-and-trusts) are open along this new network path. If you plan to connect multiple Frame accounts to your Domain Controllers, then you will need to plan this with our team and duplicate the steps in this guide for each new account. Setting up a VPC Peering Connection or VPN Connection will be one of the first steps in the setup process for this Domain Join feature. If you are planning on scaling this environment and using it in a production manner, you may have additional setup steps and you should discuss this with our team. ## Create a Frame Support Request Now create a new Support Request on the [Frame support site](support.fra.me ) titled *Active Directory Domain Join Integration Request* with the following information: - The IP address of your Domain Controller (DC) - The CIDR block (IP subnet and mask) where your Domain Controller resides and information about the network routes needed to reach this subnet. - Your AWS Account ID, which will be used by our team to send a VPC Peering Request to you - The AWS VPC ID and Region with your DC in it, if your DC resides in an AWS VPC - Information about your VPN configuration - Your preferred method of sharing the account name and password for the Frame Service account you created above, such as via encrypted messaging app, encrypted file download, etc. - The list of GPO's you wish to apply to this environment after setup, if applicable. You may alternatively attach an ADMX template file to your Support Request. Our Support team will get back to you shortly and quickly set up your new Frame account! ## Join to the Domain and Complete Setup Once a compatible Frame account has been created by Frame Support, you will be able to proceed to joining your Sandbox to the domain, if you wish. Joining the Sandbox allows you to test connectivity with your Domain Controller, validate that the new service account works as expected, and utilize the domain-joined Sandbox to test any client-server applications relying on Active Directory. Before continuing, make sure your Frame account's Sandbox can communicate with the domain controller through your VPC Peer or VPN tunnel. This can be tested by starting up the Sandbox and using it to test network connectivity, such as through Ping or another tool. You will need to ensure that forward and reverse DNS lookups are working correctly, so that the Windows machines in the new Frame account, such as the Sandbox, can resolve your domain controller's FQDN and IP address. After confirming network connectivity with your domain, take note of the hostname of the Sandbox, so that you can later find it in your Active Directory forest and place it in an OU of your choosing. You may choose to not move the Sandbox to the same OU that you created previously, because you may wish to use it as a template without the same GPO's applied to it. [block:image] { "images": [ { "image": [ "https://files.readme.io/72897de-new_hostname_noted_5122.png", "new_hostname_noted_5122.png", 1694, 876, "#404551" ] } ] } [/block] Now you can proceed with joining the Sandbox to your domain as you would normally by using an administrator account to do so. Restart the Sandbox when prompted. [block:image] { "images": [ { "image": [ "https://files.readme.io/accdb8f-computer_name_and_domain_changes_234.png", "computer_name_and_domain_changes_234.png", 454, 329, "#dfdedf" ] } ] } [/block] [block:image] { "images": [ { "image": [ "https://files.readme.io/524ef4f-restart_now_14.png", "restart_now_14.png", 350, 167, "#ebeaef" ] } ] } [/block] Once the Sandbox restarts, you will be presented with the Windows Logon Screen. [block:image] { "images": [ { "image": [ "https://files.readme.io/ce4e851-Try_logging_in_0237911.png", "Try_logging_in_0237911.png", 1702, 1562, "#181b25" ] } ] } [/block] You should be presented with the Windows Desktop, where you can further test connectivity with other servers and services on your domain. Install your applications and ensure they function as expected. Once completed, shut down the Sandbox machine. Next, we will increase your Production Capacity. Navigate to the Settings portion of your Dashboard and select the Production tab. Increase the number of instances to the maximum number of concurrent users you wish to support. You should be knowledgeable of any AWS account limits or Frame limits and not exceed them. You should also note that this Max value creates additional storage volumes, which will increase costs. You may optionally change the Min and Buffer settings, which would keep instances always running and will greatly increase your costs. For more information about these Capacity settings, please refer to our documentation [here](https://docs.fra.me/docs/set-up-capacity-and-scaling). [block:image] { "images": [ { "image": [ "https://files.readme.io/58d751f-time_to_publish_0234113.png", "time_to_publish_0234113.png", 1000, 541, "#0e1927" ] } ] } [/block] Now we will Publish. Navigate back to the Apps portion of your Launchpad. Select the Sandbox tab, then click Publish. This may take some time. Once Publishing has completed, you will be able to create new Team Members in your account and invite people in your organization to use Frame. They can then log into their apps and Desktops via the Windows login prompt as they are accustomed to. [block:image] { "images": [ { "image": [ "https://files.readme.io/437ec59-Try_logging_in_0237911_another_time.png", "Try_logging_in_0237911_another_time.png", 1702, 1562, "#181b25" ] } ] } [/block]