Prerequisites for Deploying Cloud Access Manager with an Existing Domain Controller
This section lists the prerequisites and the information you need when connecting a Cloud Access Manager deployment to an existing domain controller.
Domain Controller Server Specifications
Teradici Cloud Access Manager supports domain controllers running Windows Server 2016 or Windows Server 2012 R2 only.
Before deploying Cloud Access Manager with an existing domain controller, carry out the following steps. Create a service account with permission to join a workstation to the domain. This service account should have the minimum level of permissions needed to operate a Cloud Access Manager deployment. For more information on these service account permissions, see Assigning Permissions to Service Accounts.
The following additional steps need to be carried out:
- Ensure that there is a domain group called Remote Workstations and that the service account has permission to add members to this group.
- Enable the service account to run remote PowerShell commands on the domain controller. Add the service account to the Remote Management Users group, then run the following PowerShell commands on the domain controller to enable PowerShell remoting and to allow remoting connections from a remote workstation that is not on the same network as the domain controller:
Enable-PSRemoting -SkipNetworkProfileCheck -Force | Out-Null
Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any | Out-Null
Note that -RemoteAddress Any exposes the WinRM HTTP listener (TCP 5985) to every address on the Public firewall profile. If you know the address range that Cloud Access Manager connects from, pass that range to -RemoteAddress instead of Any.
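The following script, added here as an example and not part of the Teradici documentation, carries out the service account, group and remoting steps above in one pass on the domain controller. The account name svc-cam, the password prompt and the subnet 10.0.20.0/24 (the network Cloud Access Manager is assumed to connect from) are illustrative assumptions; it also grants the service account write access to the group's member attribute only, rather than broader rights over the group, and narrows the WinRM firewall rule to that subnet instead of Any.

```powershell
# Added example (not from the Teradici documentation). Run as a Domain Admin on the DC.
# Assumed names: service account 'svc-cam', group 'Remote Workstations',
# and 10.0.20.0/24 as the subnet Cloud Access Manager connects from.
Import-Module ActiveDirectory

$svcName   = 'svc-cam'                # assumption
$groupName = 'Remote Workstations'    # group name required by Cloud Access Manager
$camSubnet = '10.0.20.0/24'           # assumption: where CAM's WinRM connections originate

# 1. Service account used by Cloud Access Manager.
$password = Read-Host -AsSecureString -Prompt "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -AccountPassword $password `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Cloud Access Manager service account'

# 2. The domain group that remote workstations are added to.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# 3. Least privilege on the group: allow the service account to write the 'member'
#    attribute (add/remove members) and nothing else on the group object.
$groupDn    = (Get-ADGroup $groupName).DistinguishedName
$svcSid     = (Get-ADUser $svcName).SID
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
$acl = Get-Acl -Path "AD:\$groupDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$groupDn" -AclObject $acl

# 4. Remote PowerShell access without making the account a local administrator.
Add-ADGroupMember -Identity 'Remote Management Users' -Members $svcName

# 5. Enable remoting; scope the Public-profile WinRM rule to the CAM subnet
#    rather than 'Any' so TCP 5985 is not reachable from arbitrary addresses.
Enable-PSRemoting -SkipNetworkProfileCheck -Force | Out-Null
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $camSubnet | Out-Null

# 6. Verify the result: group memberships of the account and the firewall scope.
Get-ADPrincipalGroupMembership $svcName | Select-Object -ExpandProperty Name
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' | Get-NetFirewallAddressFilter
```

If Cloud Access Manager's source addresses are not fixed, keep -RemoteAddress Any as the documentation shows, but treat the resulting exposure of TCP 5985 as something to compensate for at the network edge.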
Enable LDAP over SSL (LDAPS) on the domain controller. There are two ways to enable LDAPS on the domain controller:
- Install an Enterprise Root CA: LDAPS is enabled automatically when you install an Enterprise Root CA on a domain controller. If you install the AD CS role on a domain controller and choose the Enterprise setup type, all domain controllers in the domain are automatically issued a certificate and configured to accept LDAPS connections.
- Add a Digital Certificate on the Domain Controller. Requirements for an LDAPS certificate:
- The digital certificate must be valid for the purpose of Server Authentication, which means it must contain the Server Authentication object identifier (OID) in its Enhanced Key Usage extension. The relevant OID is 1.3.6.1.5.5.7.3.1.
- The subject name or the first name in the Subject Alternative Name (SAN) must match the FQDN of the host machine, such as Subject:CN=server.domain.com.
- The host machine account needs access to the private key. This is the case when the certificate request was issued from that machine, or when the private key was exported from another machine and imported onto this one.
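The following script, added here as an example and not part of the Teradici documentation, checks the domain controller's machine certificate store against the three requirements above (Server Authentication EKU, subject or first SAN name matching the host FQDN, private key present) and then opens a TLS session to port 636 to report which certificate the LDAP service actually presents. It assumes it is run on the domain controller itself; the Test-LdapsCertificate function is the example's own.

```powershell
# Added example (not from the Teradici documentation). Run on the domain controller.
$dcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)
$sanOid        = '2.5.29.17'           # subjectAltName extension

function Test-LdapsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Requirement 1: Server Authentication must be among the EKU OIDs.
    $hasServerAuth = $Cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid

    # Requirement 2: subject CN or the first SAN DNS name equals the host FQDN.
    $subjectCn = (($Cert.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanDnsNames = @()
    if ($sanExt) {
        # Format($false) yields e.g. "DNS Name=dc01.corp.example, DNS Name=corp.example"
        $sanDnsNames = @(($sanExt.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    $nameOk = ($subjectCn -ieq $dcFqdn) -or
              ($sanDnsNames.Count -gt 0 -and $sanDnsNames[0] -ieq $dcFqdn)

    # Requirement 3: the private key must be present in the machine store.
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        ServerAuthEKU = $hasServerAuth
        NameMatchesDC = $nameOk
        HasPrivateKey = $Cert.HasPrivateKey
        NotAfter      = $Cert.NotAfter
        Usable        = $hasServerAuth -and $nameOk -and $Cert.HasPrivateKey -and
                        ($Cert.NotAfter -gt (Get-Date))
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-LdapsCertificate $_ }
$results | Format-Table -AutoSize

if (-not ($results | Where-Object Usable)) {
    Write-Warning "No certificate in LocalMachine\My meets the LDAPS requirements."
}

# Confirm what the LDAP service offers on 636. Validation is accepted unconditionally
# here only so the presented certificate can be inspected; real clients must validate.
$tcp      = New-Object System.Net.Sockets.TcpClient($dcFqdn, 636)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl      = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($dcFqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS on ${dcFqdn}:636 presents $($presented.Subject) (thumbprint $($presented.Thumbprint))"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

If the store contains a usable certificate but the TLS handshake fails, the LDAP service has not yet picked it up; it re-reads the store on restart, and a certificate installed after the service started is a common reason for this check to fail.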