VDA Registration: Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

VDA Registration: Multiple Forests with 2 way or 1 way trusts (external trusts or forest trusts)

book

Article ID: CTX277562

calendar_today

Updated On:

Description

VDA(s) that reside in different Active Directory/forests with trusts already properly configured will still fail to obtain a list of DDCs to register with, failing to identify and traverse the adjacent forest where the DDCs reside.

Resolution

The following diagram illustrates XenDesktop deployment in a Multi-Forest Deployment. This is where the DDC is in a different Active Directory forest and the end users and desktops can be either in the same forest or in a separate Active Directory forest.
Note: For Forest trusts, both Forests must be in Win2003 Forest Functional Level.

User-added image

The preceding illustration shows two separate Active Directory forest with a two-way forest trust. DDC and Users are in the same forest (parent.local) but the VDAs are located in different forest (parent2.local).

For successful VDA registration with the DDC, the following must be configured correctly: 

DNS, for name and reverse lookups. Depending on the approach taken, the use of DNS Forwarders and Conditional Forwarders, Forward /Reverse lookup zones and Stub zones are all acceptable for name lookup/resolution. As an example, in the preceding illustration, on the DNS server for Parent.local, a Secondary Forward Lookup Zone and a Reverse Lookup zone for Parent2.local has been added and similarly the opposite has been done on the Parent2.local. This means that the DDC should now be able to resolve the VDA by name and IP and the VDA resolves the DDC by name and IP address.
See Managing a Forward Lookup Zone for information on managing Lookup Zones.

On the Desktop Delivery Controller, enable the following registry value on the DDC. This enables support for VDAs, which are located in separate forests: HKEY_LOCAL_MACHINE\Software\Citrix\DesktopServer\SupportMultipleForest (REG_DWORD)

User-added image

To enable VDAs located in separate forests; this value must be present and set to  1.

After changing the SupportMultipleForest value, you must restart the Citrix Broker Service for the changes to have an effect.

On the Virtual Desktop Agent, enable the following registry value on the VDA to enable support for DDCs located in a separate forest.

  • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

  • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\SupportMultipleForest (REG_DWORD)

To enable support for DDCs located in a separate forest; this value must be present and set to 1.

Note: The next step is only required if External Trusts are only being used.

  1. If the Active Directory FQDN does not match the DNS FQDN or if the domain where the DDC resides has a different NetBIOS name to that of the Active Directory FQDN, you must add the following registry key on the Virtual Desktop Agent machine.
    • For a 32-bit VDA: HKEY_LOCAL_MACHINE\Software\Citrix\VirtualDesktopAgent\ListOfSIDs
    • For a 64-bit VDA: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\VirtualDesktopAgent\ListOfSIDs

    • User-added image

The ListOfSIDs registry key contains the DOMAIN SID of the DDC. By using this key, DNS lookups are using the true DNS name of the DDC.

To obtain the correct domain SID of the DDC, the domain SID can be found in the results of the PowerShell cmdlet Get-BrokerController from an elevated PowerShell prompt on the delivery controller. 
Note: You must restart the Citrix Desktop Service for the changes to have an effect.

Problem Cause

Because DDCs reside in a different active directory environment with regards to the VDA > the active directory metadata (SID) that identifies the DDC properly needs to be specified within the registry of the VDA servers/desktops.
Powered by Wolken Software