What type of Active Directory architecture does Symantec Workspace Streaming support connections to?
The following describes both the supported and not supported Active Directory connectivity.
- Implementation in a single-forest architecture
- Global Catalog: The GC is a server on the AD that collects details about users and groups from all domains in the same forest
- Two-way Transitive Trust: This provides a "pass-through" trust between multiple domain parents and child domains without explicitly creating a trust between all the domains. If you create a two-way transitive trust between domainA.com and domainB.com and domainC.com, any domains that have a trust with the parent in their respective domains will inherit the transitive trust
- Parent child domain tree in a single-forest: This consists of a single domain parent and one or more child-domains
- Global Catalog should be enabled on the parent domain and the Streaming product should be connected to the GC on port 3268
- The search base should be at the tree root (parent domain). This is accomplished by supplying a user account at that level for the connection
- Provisioning should be done using Universal Security Groups. This will allow you to provision to one group for users/groups across domains
How to confirm the GC has replicated objects from other domains
- Log on to any machine on the domain with a domain admin account
o If you have a large organization with many objects in the AD (Active Directory) you should probably run this directly on the DC (Domain Controller) that has the GC (Global Catalog). Otherwise you'll be taking up bandwidth for the duration of this process. Plus, running locally as opposed to over the pipe will provide quicker results
- From the command line: Dsquery * -gc –s ServerName –limit 5000 > c:\results.txt
o Replace 5000 with a higher number if more objects exist. There is no special significance to -limit 5000. It's just the number I chose for my example.
o –gc is used to query the global catalog.
o Make sure “ServerName” contains the host name of the GC
o Open c:\results.txt and see if all needed objects are listed. If your domain structure is correct than you should see objects from all domains. If you only see the objects in the parent domain, it's possible replication hasn't happened yet. Did you just enable the GC? If it has been enabled for more than 24 hours and objects are not showing up, you should review your domain configuration to verify everything is configured as needed.
Provisioning Best Practice
In this type of configuration, provisioning should be done in the following manner:
- Create one or more Universal Security Groups in the parent domain
- As needed, add Parent/Child domain users/groups to the Universal Security Group(s) you setup
- Provision packages to the Universal Security Group(s)
- Parent domain: parent.com
- Child domain: child.parent.com
- Streaming Backend installed on a server which is a member of parent.com
- Streaming Frontend installed on a server which is a member of parent.com
- On the parent.com domain create a Universal Security Group and add users and/or groups from both parent.com and child.parent.com
- Provision applications to this Universal Security Group
There is one exception. In the same example as above, if the domains are not setup as parent child but are in the same forest you can still provision to users/groups in other domains as long as the two-way transitive trust is in place and on the Streaming Management Console you null out the Search Base.
- Open the Management Console
- Click User Data Source under Configuration in the navigation panel on the left
- Select Edit current settings(recommended) and click Continue
- Delete the Search Base and leave the field blank
What is NOT supported?
Since Microsoft Active Directory is designed to collect information from a single forest and does not contain functionality for the Global Catalog to read and maintain object information for domains in a different forest, it is currently not possible for Symantec Workspace Streaming to connect to and enumerate users and groups from multiple forests. Each forest needs to have it's own SWS installation.