
Domain Join Setup

Before moving on to the Domain Join setup phase, please ensure you have:

  • reviewed and met the requirements outlined on the Domain Join landing page
  • completed the steps in the Domain Controller Preparation guide
  • adjusted the appropriate AWS account permissions using the AWS IAM Permissions guide (if applicable)
  • configured your DNS settings on Azure (if applicable)
info

You can join your Sandbox or Utility server to your domain by logging in to either machine and following the standard process for joining a Windows machine to a domain. If you domain-join your Sandbox and/or Utility servers, we recommend you configure these servers for RDP and add a local Windows administrator user. This allows you to access the Sandbox and/or Utility servers in the event you are unable to log in to the servers using your domain user credentials (e.g., loss of domain trust).

Validate Connections

First, verify that your Frame account Sandbox can communicate with the domain controller (DC). Log in to the Sandbox of the Frame account you would like to join to the domain. We will use the Frame AD Helper to validate the domain configuration parameter values you will specify in the Domain Settings page.

Frame AD Helper

Frame AD Helper is a standalone tool built for testing network configuration, name resolution (DNS), and directory credentials/permissions. Frame AD Helper can assist in ensuring that all prerequisites for DJI are met successfully. It is part of the Frame Agent installation and located in the Frame Tools directory C:\ProgramData\Nutanix\Frame\Tools\ as FrameADHelper.exe.

Network Connectivity Test
The Network Connectivity test verifies that DNS and AD services are reachable. Tests will automatically fail if network connectivity has not been established between the Frame account's VPC and AD/DNS resources. This test performs the following actions:
  • DNS Service Test
  • AD Service Test
  • Custom Ports Test (Optional) - verify that specific ports are reachable. To invoke the Custom Ports Test, place the customports.txt file in C:\ProgramData\Nutanix\Frame\Tools\ and modify the file prior to launching Frame AD Helper (v1.1 or newer). The file must contain a separate line for each port tested, in the following format: Port Number, "Port Description".


You will see in the output that these additional ports are now being tested.

Name Resolution (DNS) Test

The Name Resolution test confirms that the Active Directory Domain Name can be resolved using the DNS server of your choice. This test performs the following actions:

  • Resolves a record for the Domain Name
  • Resolves SRV record for the Domain Name
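
A manual cross-check of what the Network Connectivity and Name Resolution tests look at, useful for seeing which lookup or port is at fault when Frame AD Helper reports a failure. This is an added example, not Frame AD Helper's own code; the DNS server IP, the sample ports, the SRV record name and the helper name ConvertFrom-CustomPortsText are assumptions.

```powershell
# Added example, not Frame AD Helper code. Replace the placeholder values below.
$DomainName = 'azuredji.local'   # example domain from this page
$DnsServer  = '10.0.0.5'         # assumption: DNS runs on the example DC IP

# Constructed sample in the customports.txt format: Port Number, "Port Description"
$CustomPorts = @'
389, "LDAP"
636, "LDAP over TLS"
'@

# Parse customports.txt-style text into objects; warn on malformed lines.
function ConvertFrom-CustomPortsText {
    param([string]$Text)
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match '^\s*(\d{1,5})\s*,\s*"([^"]*)"\s*$' -and
            [int]$Matches[1] -ge 1 -and [int]$Matches[1] -le 65535) {
            [pscustomobject]@{ Port = [int]$Matches[1]; Description = $Matches[2] }
        } elseif ($line.Trim()) {
            Write-Warning "Ignoring malformed line: $line"
        }
    }
}

# Name resolution: A record for the domain, then the SRV record.
# Assumption: the SRV name is the standard AD domain controller locator record.
$a = Resolve-DnsName -Name $DomainName -Type A -Server $DnsServer -ErrorAction SilentlyContinue
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
        -Server $DnsServer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
"A record   : " + $(if ($a)   { 'resolved' } else { 'FAILED' })
"SRV record : " + $(if ($srv) { 'resolved' } else { 'FAILED' })

# Connectivity: try each listed port on every domain controller the SRV lookup returned.
foreach ($dc in $srv) {
    foreach ($p in (ConvertFrom-CustomPortsText $CustomPorts)) {
        $open = Test-NetConnection -ComputerName $dc.NameTarget -Port $p.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        '{0}:{1} ({2}) -> {3}' -f $dc.NameTarget, $p.Port, $p.Description,
            $(if ($open) { 'reachable' } else { 'unreachable' })
    }
}
```

A failed SRV lookup with a working A record usually points at the DNS server not hosting the AD zone, which is worth ruling out before looking at firewall rules.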


Directory Configuration Test

The Directory Configuration test verifies that the Active Directory service account and permissions are configured properly for DJI. This test performs the following actions:

  • Connects to Active Directory using the provided credentials
  • Creates a test computer object (GUID-Frame)
  • Deletes the test computer object


Once you have completed all of the tests above, you can begin configuring your domain with Frame.

Configure your Domain in Frame Console

  1. Click on Settings in the Dashboard and then the “Domain Settings” tab. Click on the “Enable Domain Settings” toggle to enable. You will need to populate the configuration parameters as described below.


    • Domain Name (FQDN): The fully qualified domain name of your domain, such as azuredji.local. This field is mandatory. For Frame Guest Agent 2.X (Server 9.X), if the Domain Controller FQDN (or IP) field is empty, the domain name (FQDN) value will be used in conjunction with your DNS and Active Directory (AD) Sites and Services to determine the domain controller(s) to use. If the Domain Controller FQDN (or IP) field has 1 or more FQDNs or IP addresses, then Frame Guest Agent 2.X will attempt to join the test and production pool VMs to one of the specified domain controllers.
    • Domain Controller FQDN (or IP) (Frame Guest Agent 2.X only): If you are using AD Sites and Services, you can leave this field blank. If you wish to use specific domain controllers, enter those domain controllers, comma separated, either as:
      • Domain Controller FQDN supportdc.azuredji.local
      • Domain Controller IP address 10.0.0.5
      • Domain name nutanix.local (in situations where multiple Domain Controllers are used).
    • Service Account Name (UPN): This is the service account we created in the Domain Controller Preparation guide. This must be in UPN format – frameservice@azuredji.local. Do not use the down-level logon name format DOMAIN\UserName.
    • Service Account Password: The password for the service account mentioned above.
    • Reenter Service Account Password: Re-type the password from above.
    • Target OU Distinguished Name: This is the distinguished name of the OU which we copied during the Domain Controller preparation – OU=Azure-DJI-Test,OU=Frame,DC=azuredji,DC=local
    • Machine Name Prefix: Specify (up to 6 characters) a string that will be prepended to the machine name generated by Frame for the domain-joined VMs.
    • Remove AD computer objects for terminated test/production instances: If enabled, AD computer objects will be deleted in your domain when test/production instances are terminated. For additional details, review the page on Stale AD Object Cleanup.
    • Frame SSO: Refer to the Frame SSO documentation for details.
    • Promote domain user to local admin (Persistent Desktop Frame accounts only): If enabled, the persistent desktop user will be added to the local Windows Administrators group of their assigned persistent desktop VM. This allows the user to install applications or adjust Windows settings. This configuration setting will only be visible after the persistent desktop Frame account has been joined to a Windows domain.
    note

    The domain-joined workload VMs must be able to reach at least 1 DNS server that can resolve public FQDNs (either provided by DHCP or the domain controller). Otherwise, the workload VMs will not be able to register themselves with the Frame control plane.

  2. Once you have correctly entered all of the required information, click “Save” in the upper right corner of the page. A notification will appear displaying the pending request to enable Domain Join.

  3. The pending request notification will disappear once the process is complete and your Domain Join tab will now display the option to change the service account password.

  4. Lastly, go back to your “Systems” page and publish your Sandbox. Once the publish is complete, you will be able to access your Domain Joined instances.

    note

    To ensure your production instances are joined to your domain correctly, it is recommended to adjust your first publish to a max of 1 (under your capacity settings) and verify changes before publishing to a larger pool.
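
The format rules given for the Domain Settings fields in step 1 can be checked offline before the values are saved in the console. The following is an added example, not part of Frame; Test-DomainSettingsInput is a hypothetical helper, and the check that the OU's DC= components spell out the domain FQDN is an assumption based on the example values on this page.

```powershell
# Added example, not Frame code. Test-DomainSettingsInput is a hypothetical helper.
function Test-DomainSettingsInput {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ServiceAccountUpn,
        [Parameter(Mandatory)][string]$TargetOuDn,
        [string]$MachineNamePrefix = '',
        [string]$DomainControllers = ''
    )
    $problems = @()
    # Service account must be a UPN (user@domain), not DOMAIN\UserName.
    if ($ServiceAccountUpn -match '\\') {
        $problems += 'Service account uses DOMAIN\UserName; enter it as a UPN.'
    } elseif ($ServiceAccountUpn -notmatch '^[^@\s]+@[^@\s]+$') {
        $problems += 'Service account is not in user@domain (UPN) form.'
    }
    # Target OU must be an OU distinguished name.
    if ($TargetOuDn -notmatch '^OU=[^,]+,') {
        $problems += 'Target OU must be a distinguished name starting with OU=.'
    }
    # Assumption: the DN's DC= components, joined with dots, equal the domain FQDN.
    $dcParts = [regex]::Matches($TargetOuDn, '(?i)(?:^|,)\s*DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
    if (($dcParts -join '.') -ne $DomainName) {
        $problems += "DC= components of the OU do not match domain '$DomainName'."
    }
    # Machine Name Prefix: up to 6 characters.
    if ($MachineNamePrefix.Length -gt 6) {
        $problems += 'Machine Name Prefix is longer than 6 characters.'
    }
    # Domain Controller field: blank, or comma-separated FQDNs / IPv4 addresses.
    if ($DomainControllers.Trim()) {
        foreach ($dc in ($DomainControllers -split ',')) {
            if ($dc.Trim() -notmatch '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$') {
                $problems += "Domain controller entry '$dc' is not an FQDN or IPv4 address."
            }
        }
    }
    $problems
}

# Values taken from this page's examples; the prefix 'FRM' is constructed.
Test-DomainSettingsInput -DomainName 'azuredji.local' `
    -ServiceAccountUpn 'frameservice@azuredji.local' `
    -TargetOuDn 'OU=Azure-DJI-Test,OU=Frame,DC=azuredji,DC=local' `
    -MachineNamePrefix 'FRM' -DomainControllers 'supportdc.azuredji.local, 10.0.0.5'
```

The function returns one message per problem and nothing when every value passes; it checks format only, so the Frame AD Helper Directory Configuration test is still needed to confirm the credentials and permissions.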

Troubleshooting

Frame recommends using the Frame AD Helper tool as described above for scenarios where troubleshooting is required.