MyLab: The Domain Controller

Overview

For my domain, I am going to use Microsoft Windows Server 2022 and build two domain controllers (DC1 and DC2) in a new forest called aaronrombaut.com. The domain controllers will provide critical services such as Domain Name System (DNS), authentication, and time services to the other domain-joined computers and servers. VMware Horizon and VMware App Volumes (and other VMware products) still rely on domain-joined Windows Servers, so without domain controllers there would be no VMware Horizon Virtual Desktop Infrastructure (VDI) to build.

Install and Configure Two DNS Virtual Machines

Refer to this post on how to configure virtual machines: https://www.aaronrombaut.com/mylab-the-virtual-machine/. For this task, I am going to create DC-1 and DC-2.

A few tasks need to take place before turning these virtual machines into Active Directory Domain Controllers. This will ensure success the first time around. The very first task is to install the latest version of VMware Tools and restart the server when prompted.

When the guest restarts, set the host name, ensure the IPv4 and IPv6 addresses are static, and check that the time zone and time are correct. For the first domain controller, the Preferred DNS server is the only DNS field set. Once the second domain controller is online, the Alternate DNS server field will be populated with the loopback address.

Refer to MyLab: Domain Name System (DNS) for more details.

Organizational Units (OU)

Configure an Organizational Unit (OU) for the Domain

Open Active Directory Users and Computers (dsa.msc) and configure a top-level Organizational Unit. I do this to separate my domain objects (users and computers) from the built-in objects. Organizational Units are also necessary to correctly apply the Group Policy Objects (GPO) that we will configure later.

I will usually add a few additional Organizational Units (OU) now and populate them with a few users, service accounts, and groups. I use firstname.lastname for regular end users and firstname.lastname.adm for administrative users. Be sure to add email addresses, even if there is no e-mail server! This ensures that when a sync occurs from VMware Identity Manager or VMware Workspace ONE Access, the users will sync without an error.

Be sure to add the administrative users to administrative groups, otherwise you will just have another regular user.

Next, I add Domain Local security groups. Be sure to add the administrative users to these groups.

Then I add the service accounts. I use svc.service-name for service accounts.

Group Policy Objects (GPO)

Create a Central Store

ref: https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/create-central-store-domain-controller

By default, a domain controller will serve Group Policy from C:\Windows\PolicyDefinitions. Since I am going to have more than one Domain Controller in the domain, I want to take advantage of replication and create a central store.

According to Microsoft (and various other bloggers), to create a Central Store a PolicyDefinitions folder needs to be placed in \\FQDN\SYSVOL\FQDN\policies. Below is an attempt to create this folder.

Odd…I tried temporarily adding my admin account to the Enterprise Admins security group and still received the Access Denied window. There has to be another way; this should not be this difficult. It turns out that the folder actually needs to be created in the local SYSVOL path, C:\Windows\SYSVOL\sysvol\FQDN\Policies.

Now when I open the SYSVOL folder via the network, the PolicyDefinitions are there!

In PolicyDefinitions, there are folders for languages (in my case, there is only one folder for English in the US) and the rest of the files are the XML-based policy definitions. This is where we will place any new Group Policy Object template files. This location is replicated to all Domain Controllers and allows management of Group Policy Objects from any Domain Controller. It is recommended that the newest available version of the Windows Server and Windows 10 template files be added here.

Adding VMware Group Policy Objects to the Central Store

Below is an image of VMware Horizon Group Policy objects. I am going to copy the contents of the en-US folder and paste them in the Central Store, in the en-US folder. Then I will copy all of the ADMX files and paste them in the PolicyDefinitions folder.

Now, when I open Group Policy Manager and create a test group policy object, I can see that I am using policy objects from the central store and that my added VMware policy objects are available to configure.
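As an added example (not code from the original post), the following PowerShell script performs the Central Store steps above on a domain controller: it seeds the store from the local PolicyDefinitions folder using the local SYSVOL path rather than the UNC path, adds VMware ADMX/ADML templates, and then verifies the result through the replicated share. The VMware template source folder is a placeholder path, and the domain name is read from the logged-in user's environment.

```powershell
# Added example, not from the original post: build the Group Policy Central Store
# on this domain controller's SYSVOL and add VMware ADMX/ADML templates to it.
# Assumptions: run elevated on a domain controller; $VmwareTemplates is a placeholder
# pointing at an extracted VMware GPO bundle (ADMX files at its root, ADML files in
# language subfolders such as en-US).
$Domain          = $env:USERDNSDOMAIN              # e.g. aaronrombaut.com
$VmwareTemplates = 'C:\Temp\VMware-Horizon-GPO'     # placeholder path

# The local SYSVOL folder is writable; \\$Domain\SYSVOL\$Domain\Policies maps to it,
# which is why creating the store through the UNC path can fail with Access Denied.
$LocalStore = Join-Path "C:\Windows\SYSVOL\sysvol\$Domain\Policies" 'PolicyDefinitions'
$LocalDefs  = 'C:\Windows\PolicyDefinitions'

if (-not (Test-Path $LocalStore)) {
    # Seed the store with the Windows templates shipped with this server,
    # including the language subfolders (en-US, etc.).
    Copy-Item -Path $LocalDefs -Destination $LocalStore -Recurse
}

# VMware templates: .admx files go in the store root, .adml files go in the matching
# language folder. Only languages already present in the store are copied.
Get-ChildItem -Path $VmwareTemplates -Filter '*.admx' -File |
    Copy-Item -Destination $LocalStore -Force

Get-ChildItem -Path $VmwareTemplates -Directory | ForEach-Object {
    $langDest = Join-Path $LocalStore $_.Name
    if (Test-Path $langDest) {
        Get-ChildItem -Path $_.FullName -Filter '*.adml' -File |
            Copy-Item -Destination $langDest -Force
    }
}

# Verify through the replicated share; Group Policy Management reads templates from
# this UNC path once the store exists.
$SharePath = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$admxCount = (Get-ChildItem -Path $SharePath -Filter '*.admx' -File).Count
$admlCount = (Get-ChildItem -Path (Join-Path $SharePath 'en-US') -Filter '*.adml' -File).Count
Write-Host "Central Store at $SharePath : $admxCount ADMX, $admlCount en-US ADML"

# Every ADMX needs a matching ADML in the language folder, or the template fails to
# load in the Group Policy editor.
$missing = Get-ChildItem -Path $SharePath -Filter '*.admx' -File |
    Where-Object { -not (Test-Path (Join-Path $SharePath "en-US\$($_.BaseName).adml")) }
if ($missing) { Write-Warning "ADMX without en-US ADML: $($missing.Name -join ', ')" }
```

Run it on one domain controller only; SYSVOL replication carries the store to the others.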

Create Group Policy Objects

Refer to the MyLab: Group Policy Objects posts for configuring Group Policy Objects.
