
Domain Join Setup

Before moving on to the Domain Join setup phase, please ensure you have:

  • reviewed and met the requirements outlined on the Domain Join landing page
  • completed the steps in the Domain Controller Preparation guide
  • adjusted the appropriate AWS account permissions using the AWS IAM Permissions guide (if applicable)
  • configured your DNS settings on Azure (if applicable)
info

You can join your Sandbox or Utility server to your domain by logging into either machine and following the standard process of joining a Windows machine to a domain. If you domain-join your Sandbox and/or Utility servers, we recommend you configure these servers for RDP and add a local Windows administrator user. This allows you to access the Sandbox and/or Utility servers in the event you are unable to log in to the servers using your domain user credentials (e.g., loss of domain trust).

Validate Connections

First, verify that the Frame account Sandbox can communicate with the domain controller (DC). Log in to the Sandbox of the Frame account you would like to join to the domain. We will use the Frame AD Helper to validate the domain configuration parameter values you will specify in the Domain Settings page.

Frame AD Helper

Frame AD Helper is a standalone tool built for testing network configuration, name resolution (DNS), and directory credentials/permissions. Frame AD Helper can assist in ensuring that all prerequisites for DJI are met successfully. It is part of the Frame Agent installation and located in C:\ProgramData\Frame\Tools\ as FrameADHelper.exe. The Frame AD Helper Tool can be found in C:\ProgramData\Nutanix\Frame\Tools\.

Network Connectivity Test

The Network Connectivity test verifies that DNS and AD services are reachable. Tests will automatically fail if network connectivity has not been established between the Frame account's VPC and AD/DNS resources. This test performs the following actions:

  • DNS Service Test
  • AD Service Test

Name Resolution (DNS) Test

The Name Resolution test confirms that the Active Directory Domain Name can be resolved using the DNS server of your choice. This test performs the following actions:

  • Resolves the A record for the Domain Name
  • Resolves SRV record for the Domain Name
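
The Network Connectivity and Name Resolution checks can also be run by hand from the Sandbox. The PowerShell below is an added example, not Frame AD Helper's own code; the port list and the `_ldap._tcp.dc._msdcs` SRV name are assumptions based on standard Active Directory behaviour, and the domain and IP are the sample values used in this guide.

```powershell
# Added example: manual equivalents of the connectivity and DNS tests.
# Sample values from this guide; replace with your own.
$DomainName       = 'azuredji.local'
$DomainController = '10.0.0.5'
$DnsServer        = '10.0.0.5'   # assumption: the DC also serves DNS

# Assumption: standard AD service ports, not a list published for Frame AD Helper.
$AdPorts = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445 }

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Test, $Target, $Passed, $Detail) {
    $results.Add([pscustomobject]@{ Test = $Test; Target = $Target; Passed = $Passed; Detail = $Detail })
}

# 1. Network connectivity: can the Sandbox open TCP sessions to DNS and AD services?
foreach ($svc in $AdPorts.GetEnumerator()) {
    $target = if ($svc.Key -eq 'DNS') { $DnsServer } else { $DomainController }
    $t = Test-NetConnection -ComputerName $target -Port $svc.Value -WarningAction SilentlyContinue
    Add-Result "TCP $($svc.Key)" "$($target):$($svc.Value)" $t.TcpTestSucceeded "remote=$($t.RemoteAddress)"
}

# 2. Name resolution against the chosen DNS server: A record, then the DC-locator SRV record.
$queries = @(
    @{ Name = $DomainName;                        Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$DomainName"; Type = 'SRV' }
)
foreach ($q in $queries) {
    try {
        # SRV answers can carry extra A records, so keep only the requested type.
        $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $DnsServer -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq $q.Type }
        $answer = if ($q.Type -eq 'SRV') { $r.NameTarget } else { $r.IPAddress }
        Add-Result "DNS $($q.Type)" $q.Name ([bool]$r) ($answer -join ', ')
    } catch {
        Add-Result "DNS $($q.Type)" $q.Name $false $_.Exception.Message
    }
}

$results | Format-Table -AutoSize
```

A row with `Passed` set to `False` points at the layer to fix first: a failed TCP row is a routing or firewall problem between the Frame account's network and the DC, while a failed DNS row with working TCP 53 is a zone or record problem.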


Directory Configuration Test

The Directory Configuration test verifies that the Active Directory service account and permissions are configured properly for DJI. This test performs the following actions:

  • Connects to Active Directory using the provided credentials
  • Creates a test computer object (GUID-Frame)
  • Deletes the test computer object


Once you have completed all of the tests above, you can begin configuring your domain with Frame.

Configure your Domain in Frame Console

  1. Click on Settings in the Dashboard and then the “Domain Settings” tab. Click on the “Enable Domain Settings” toggle to enable. You will need to populate the configuration parameters as described below.

    • Domain Name (FQDN): The DNS Domain Name we mentioned earlier in this guide – azuredji.local
    • Domain Controller FQDN (or IP): In this field you can enter up to three domain controllers, comma separated, each as one of:
      • the FQDN of the Domain Controller – supportdc.azuredji.local
      • the domain name – nutanix.local (in situations where multiple Domain Controllers are used)
      • the IP address of the Domain Controller – 10.0.0.5
    • Service Account Name (UPN): This is the service account we created in the Domain Controller Preparation guide. This must be in UPN format – frameservice@azuredji.local. Do not use the down-level logon name format (DOMAIN\UserName).
    • Service Account Password: The password for the service account mentioned above.
    • Reenter Service Account Password: Re-type the password from above.
    • Target OU Distinguished Name: This is the distinguished name of the OU which we copied during the Domain Controller preparation – OU=Azure-DJI-Test,OU=Frame,DC=azuredji,DC=local
    • Machine Name Prefix: Specify (up to 6 characters) a string that will be prepended to the machine name generated by Frame for the domain-joined VMs.
    • Require Login with Domain User Account: If enabled, you will no longer log in with the Frame local user credentials, but will be asked to log in as a domain user instead.
    • Remove AD computer objects for terminated test/production instances: If enabled, AD computer objects will be deleted in your domain when test/production instances are terminated. For additional details, review the page on Stale AD Object Cleanup.
    • Require Login with Domain User Account: If enabled, the user will be required to log in with their Windows domain user account in the Windows login screen.
    • Frame SSO: Refer to the Frame SSO documentation for details.
    • Promote domain user to local admin (Persistent Desktop Frame accounts only): If enabled, the persistent desktop user will be added to the local Windows Administrators group of their assigned persistent desktop VM. This allows the user to install applications or adjust Windows settings. This configuration setting will only be visible after the persistent desktop Frame account has been joined to a Windows domain.
    note

    The domain-joined workload VMs must be able to reach at least 1 DNS server that can resolve public FQDNs (either provided by DHCP or the domain controller). Otherwise, the workload VMs will not be able to register themselves with the Frame control plane.

  2. Once you have correctly entered all of the required information, click “Save” in the upper right corner of the page. A notification will appear displaying the pending request to enable Domain Join.

  3. The pending request notification will disappear once the process is complete and your Domain Join tab will now display the option to change the service account password.

  4. Lastly, go back to your “Systems” page and publish your Sandbox. Once the publish is complete, you will be able to access your Domain Joined instances.

    note

    To ensure your production instances are joined to your domain correctly, it is recommended to adjust your first publish to a max of 1 (under your capacity settings) and verify changes before publishing to a larger pool.
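
The format rules for the Domain Settings fields in step 1 can be checked before the values are saved. The PowerShell below is an added example, not part of Frame; `Test-FrameDomainSettings` is a hypothetical helper name, the NetBIOS name `AZUREDJI` in the sample call is constructed, and the check that the OU's DC components spell the domain FQDN assumes the target OU lives in the domain being joined.

```powershell
function Test-FrameDomainSettings {   # hypothetical helper, not a Frame cmdlet
    param(
        [string]$DomainName, [string]$DomainControllers, [string]$ServiceAccount,
        [string]$TargetOU, [string]$MachinePrefix
    )
    $problems = @()

    # Up to three domain controllers, comma separated.
    $dcs = @($DomainControllers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($dcs.Count -lt 1 -or $dcs.Count -gt 3) {
        $problems += "Domain Controller field needs 1 to 3 comma-separated entries, found $($dcs.Count)."
    }

    # UPN is required; the down-level DOMAIN\UserName form is rejected.
    if ($ServiceAccount -match '\\') {
        $problems += 'Service account uses down-level format (DOMAIN\UserName); use UPN.'
    } elseif ($ServiceAccount -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $problems += 'Service account is not in UPN format (user@domain).'
    }

    # Split the DN on unescaped commas; assumption: DC= parts should spell the domain FQDN.
    $rdns = @($TargetOU -split '(?<!\\),' | ForEach-Object { $_.Trim() })
    if ($rdns[0] -notmatch '^OU=') {
        $problems += 'Target OU must be a distinguished name beginning with OU=.'
    }
    $dnDomain = ($rdns | Where-Object { $_ -match '^DC=' } | ForEach-Object { $_.Substring(3) }) -join '.'
    if ($dnDomain -ne $DomainName) {
        $problems += "DC components of the OU ('$dnDomain') do not match domain '$DomainName'."
    }

    # Machine name prefix: up to 6 characters.
    if ($MachinePrefix.Length -gt 6) {
        $problems += "Machine name prefix is $($MachinePrefix.Length) characters; the limit is 6."
    }
    $problems
}

# Sample values from this guide, except the service account, which is deliberately
# given in the down-level form so that the function reports one problem.
Test-FrameDomainSettings -DomainName 'azuredji.local' `
    -DomainControllers 'supportdc.azuredji.local,10.0.0.5' `
    -ServiceAccount 'AZUREDJI\frameservice' `
    -TargetOU 'OU=Azure-DJI-Test,OU=Frame,DC=azuredji,DC=local' `
    -MachinePrefix 'FRAME'
```

The function deliberately takes no password parameter, so the service account secret never lands in shell history or a transcript.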

Troubleshooting

Frame recommends using the Frame AD Helper tool as described above for scenarios where troubleshooting is required.