I recently had to upgrade a Horizon infrastructure with around 180 pools and different masters. As you can imagine, it could be exhausting to first check which master is in use and what the current snapshot is, so after searching a little on the Net, I was able to find what I needed.
Well, this procedure is in the documentation, but I put it here so I can access it more quickly.
You need to do this when you have to use SmartCard or Certificate through UAG, for example.
- Start the ADSI Edit utility on your Connection Server host.
- In the console tree, select Connect to.
- In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int.
- In the Computer pane, select or type localhost:389 or the fully qualified domain name (FQDN) of the Connection Server host followed by port 389. For example: localhost:389 or mycomputer.example.com:389
- Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and double-click CN=Common in the right pane.
- In the Properties dialog box, edit the pae-NameValuePair attribute to add the following values:
In this example, number-of-days is the number of days that can elapse before a remote Connection Server stops accepting SAML assertions. After this period of time, the process of exchanging SAML metadata must be repeated.
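A read-only way to see what pae-NameValuePair currently holds, and to keep a copy of it, before and after the ADSI Edit change. This is an added example, not part of the original post or the VMware documentation; it assumes it is run on the Connection Server host by an account allowed to read that LDAP instance, and that each value is stored as a name=value string.

```powershell
# Added example: read-only look at CN=Common, using the DN and port from the steps above.
$server = 'localhost:389'
$dn     = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'

function Get-PaeNameValuePair {
    param(
        [string]$Server,
        [string]$DistinguishedName
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$DistinguishedName")
    try {
        # The bind is lazy: a wrong DN or an unreachable port throws on this access.
        $values = @($entry.Properties['pae-NameValuePair'])
    }
    finally {
        $entry.Dispose()
    }
    foreach ($v in $values) {
        # Assumption: values look like "name=value"; split on the first '=' only.
        $name, $value = ([string]$v) -split '=', 2
        [pscustomobject]@{ Name = $name; Value = $value }
    }
}

$pairs = @(Get-PaeNameValuePair -Server $server -DistinguishedName $dn)

# Keep a timestamped copy so the attribute can be compared or restored by hand later.
$backup = Join-Path $env:TEMP ("pae-NameValuePair-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$pairs | Export-Csv -Path $backup -NoTypeInformation

$pairs | Sort-Object Name | Format-Table -AutoSize
"Saved $($pairs.Count) value(s) to $backup"
```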
One year ago I posted a feature request for one of my customers who requires deploying Instant Clone VMs on many Active Directory domains without a trust relationship with each other or with the domain used by the Horizon Connection Server, so imagine my surprise when I received the "Announcing General Availability of Horizon Enterprise 2103" announcement and saw this feature is now available 🙂
- Horizon Server
  - Added support for “Global Access Group”
  - Added support for open source database — “PostgreSQL”
  - Added support for untrusted domain
  - Pegged unabated growth of event database
  - Ability to pre-assign computer names to instant clone desktops
- Horizon Agents & Clients
  - Teams offload Mac client
  - USB redirection for HTML Access & Chrome client
  - Pen redirection iOS & Android
  - HEVC 444 Intel GPU Linux client
  - Bandwidth control for integrated printing
  - Serial port improvements, auto mapping, ID passing
  - Agent hot patch via MSP
  - Expose HCA, H.264/H.265 enablement and networking client settings to registry and GPO template
  - Drop 32-bit support Windows agent, Linux agent and client
- App Volumes
  - Support for Windows 10 Enterprise multi-session on Horizon Cloud on Azure
  - App Volumes Command-Line Capture Program for working with App Volumes and MSIX formatted VMDK and VHD packages
  - Global option to allow the same packages to work across both VDI/RDSH regardless of the packaging OS used
- Dynamic Environment Manager
  - Replication of the Script folder in SyncTool
  - Simplification of computer environment configuration
  - Support for late arrival of system environment variables in agent configuration for computer environment settings
  - Improvements in default printer logic to roam default printer settings for redirected printers
I recently had a customer request to install VMware Horizon on a Windows 2019 Core server. Most customers prefer to have the “Desktop Experience”, but for security reasons some others prefer to limit it to a shell-only interface.
Before installing VMware Horizon, ensure that all updates are applied to Windows 2019 Core (I had some strange behavior before doing that, like being unable to get the Flex Admin console or getting “Login failed” on the new HTML 5 consoles).
The first main concern is getting a signed certificate ready so Horizon will use it instead of its self-signed certificate.
After copying the certificate to a local folder:
1) From the Administrator command prompt, type “powershell” to run PowerShell commands
OK, by default Composer must be in the same domain as, or at least have a trust relationship with, the domains where Linked Clones will be deployed…
But with Composer you can also deploy on other domains. The caveat, however, is that you can’t browse the OU in the Horizon Admin console, so you need to copy/paste or write the full path for the correct OU.
That said, if you look at the firewall ports required by Composer, apart from 18433 between the Horizon Connection Servers (brokers) and Composer plus 1433 to reach the MS SQL Server, nothing is really explained, and doubt can exist about which ports are required (and also who creates the account in the domain). So here is the answer 🙂:
First, I confirm that the Composer server is responsible for reaching the AD domains and creating the computer accounts. So the required ports are:
| Source | Destination | Ports | Service |
|---|---|---|---|
| Composer | AD Controllers | 88/TCP | Kerberos |
| Composer | AD Controllers | 135/TCP | RPC |
| Composer | AD Controllers | 389/TCP | LDAP |
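To confirm the firewall rules from the Composer side, the check below finds the domain controllers of the target domain through DNS and tests each port listed in the table. This is an added example, not part of the original post; the domain name `target.example.com` is a hypothetical placeholder, and only the ports shown on this page are tested.

```powershell
# Added example: run on the Composer server.
$domain = 'target.example.com'   # hypothetical: DNS name of the domain receiving the clones
$ports  = @(
    @{ Port = 88;  Service = 'Kerberos' },
    @{ Port = 135; Service = 'RPC' },
    @{ Port = 389; Service = 'LDAP' }
)

# Domain controllers register under this SRV record; failing here means the
# Composer server cannot even resolve the target domain.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

$results = foreach ($dc in $dcs) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $p.Port
            Service          = $p.Service
            Reachable        = $t.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# List every DC/port pair that still needs a firewall rule.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} DC/port pair(s) unreachable from {1}" -f $blocked.Count, $env:COMPUTERNAME)
}
```

A successful connection to 135/TCP only shows that the RPC endpoint mapper is reachable.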
OK, I know that View Composer is deprecated, but sometimes we don’t have any other choice but to use it, e.g. when you need to deploy VMs in a more cost-effective way than Full Clone on a domain with no trust relationship with the one the brokers are joined to.
So I have a customer who has 3 domains with a trust relationship:
- dom-adm for all admin accounts
- dom-res for all computer accounts (Composer and brokers are in this domain)
- dom-usr for all user accounts
We created a service account in dom-adm for Composer and added it to the “Administrator” local group on the Composer server.
When I tried to add the Composer server in the Horizon admin console, it failed with the “Internal View Composer error. Contact your administrator.” message and absolutely nothing in the logs, both Composer and Horizon (sic).
I first suspected an issue with the certificate, but even after installing a signed certificate the issue was the same.
Finally I created a service account for Composer in the dom-res domain and used it to add Composer on my vCenter… and it worked!!