Pages

Sunday, April 6, 2014

Filtering out Active Directory domains for VMware Horizon View

I was recently asked by a client who’s environment consists of 3 forest trusts to other domains and would like to filter them out from their VMware Horizon View infrastructure. The following screenshot is basically what they see when they log into the VMware Horizon View Administrator console:

image

Clicking on one of the domains configured with a forest trust shows the following:

Trust Relationship: The trust relationship could not be determined.

Status: Domain status error detected. View

image

The reason for the error above is because the View Connection server has problems verifying the domain and in the case of the client I was at, it was because the DNS servers configured for the View Connection servers not having forward lookup zones to these domains. With that clarified, the client wanted the domains removed so in order to do so, we can accomplish this with the vdmadmin command:

Trust Relationships and Domain Filtering
http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.installation.doc/GUID-48644652-C5C9-4BDC-AE93-75DA2D176995.html

The available switches for this command can be found here:

Configuring Domain Filters Using the N Option
http://pubs.vmware.com/view-50/index.jsp#com.vmware.view.administration.doc/GUID-3E9924EC-1554-43E5-A812-84F9711909A5.html

The vdmadmin.exe executable can be found in the following directory of the View Connection server:

C:\Program Files\VMware\VMware View\Server\tools\bin

image

Begin by launching the command prompt and navigating to the directory:

image

Execute the following command to list all of the domains VMware Horizon View can see:

vdmadmin -N -domains -list -active

image

Use the following command to list the current include and exclude domains:

vdmadmin -N -domains –list

image

To exclude the domain named MSAD, execute the following:

vdmadmin -N -domains -exclude -domain MSAD -add

**Note that you can only use NetBIOS names for the domain and not the FQDN.

Once the exclusion has been added, you should be able to use the vdmadmin -N -domains -list command to display the list showing that the domain is excluded:

image

With the domain MSAD added to the exclude list for the cluster, restart the VMware View Connection Server service and you should now see the domain no longer listed:

image

Executing the following command should no longer show MSAD as a active domain:

vdmadmin -N -domains -list -active

image

If you want to remove the MSAD domain from the exclude list, you can execute the following:

vdmadmin -N -domains -exclude -remove -domain MSAD

image

Also note that as soon as a domain is filtered out, the logon page for VMware Horizon View Administrator will no longer display it in the Domain: drop down menu:

image

image

1 comment:

Wolfegang76 said...

I end up in this BlOG once in a long while when trying to tshoot something obscure - but this post is one that saved my mission! More specifically, the tip about using the NetBIOS names instead of the FQDN. None of the other articles mention this very important fact. Additionally, this fixed another issue for my site. (my main issue) After entering in PIN from my smartcard, the client would sit for about 2 minutes saying "Authenticating".... This not only removed several red/unreachable domains within View Administrator, but it stopped the lengthy Authentication timeout! Thank you for posting this! --Wolfegang76