Domain Authorization

Domain Authorization

Domain Authorization should not be handled by Windows, but by the AADS Terminal Server. We have our own modules for this. By having our own modules for Authorization, AADS Terminal Server is able to do Application Control for Domain Users.

Identify your domain

In the example below, the domain is called ipc.w2k3domain.intern. The server running the domain is called w2k3test:

Test the connectivity to your Domain

Before you proceed with configuring your AADS Terminal Server, be sure that both the Domain name and the Domain Server name are reachable from the AADS Terminal Server. You can open a DOS-box and use the ping command:

IPC$

Windows servers do have a so called IPC$ share. The AADS Terminal Server uses the IPC$ on the Domain Server for requests about users. So, be sure that the IPC$ of the Domain server can be accessed by the AADS Terminal Server.

Samba and Netlogon

In case you use Samba as a Domain Server, be sure to read the appropriate “howto's” and (online) manuals about Samba. For instance, you will have to define a “netlogon” share in order to mimic a Microsoft Domain Server.

Enter the Domain Settings

The tab page Domain / Workgroup is the place where you enter the relevant Domain information:

Click on verify, and the entered information will be verified. The progress-logging will be shown.

Click on Apply when done. After clicking on Apply, the Reboot button will be enabled.

Reboot required

It is recommended to reboot the AADS Terminal Server after applying the Domain settings.

Domain Server

The field “Domain Server” is optional. Preferable you should not use it.

In case you do not use the field “Domain Server”, the AADS Terminal Server will automatically determine which PDC and / or BDC is available (Primary Domain Controller and Backup Domain Controller)

If you enter a netbios name of a PDC or of a BDC, the AADS Terminal Server will only use this one PDC/BDC for its domain functions. The AADS Terminal Server will not fallback to another PDC or BDC in case the assigned PDC / BDC is not available.

When the Domain, the network and the AADS Terminal Server are correctly configured, the AADS Terminal Server is always able to determine the Primary Domain Controller (PDC) and the Backup Domain Controller(s) (BDCs).
However, if the network is not configured correctly, the AADS Terminal Server might have a problem:

The AADS Terminal Server is using a DNS-server, which does know the name of the PDC, but which does not know the name of the BDC. This is a DNS problem which does impact the AADS Terminal Server. The AADS Terminal Server is not able to use the BDC because the assigned DNS server can not tell the AADS Terminal Server what the netbios name is of the BDC.
The AADS Terminal Server is using 1 or more default gateways, which do know how to route network traffic to the PDC but not to the BDC(s). This is a network problem which does impact the AADS Terminal Server. The AADS Terminal Server can not use the BDC(s) because the assigned default gateway is not able to route the network traffic to the BDC(s).

In this case you can consider to enter a netbios name in the Domain Server field, in order to compensate for the mis-configuration of the network.

Trouble shooting Domain Server

When the AADS Terminal Server reboots, it joins the domain. If this does not work correctly, examine the following:

Can you ping the netbios name of the PDC from the AADS Terminal Server?
Can you ping the netbios name of the BDC(s) from the AADS Terminal Server?
Which DNS server(s) are assigned to the AADS Terminal Server?
Do these DNS server(s) know the PDC and / or BDCs?
Which default gateway(s) are assigned to the AADS Terminal Server?
Do these DNS server(s) know the PDC and / or BDCs?

A fix for troubles related to Domain Joining

Write down the Netbiosname of the AADServer:
Make the AADServer a Local Server using AADS Maintenance and Control:

The name of the Workgroup is irrelevant.

Apply and Reboot the AADServer.
Go to the Domain Controller, and open Active Directory, Computers.
Search for the Netbios Name of the AADServer in the list Computer:
Delete the AADServer from Active Directory
Go to back to the AADServer.
Join the AADServer again to the Domain, using AADS Maintenance and Control.

Because the AADServer was deleted from Active Directory, when now joining the AADServer again to the Domain, fresh, new settings will be applied in the Active Directory Administration, and all should be OK.

Example configuration Domain Joining

PDC

netbios name TESTW2k3
IP address 192.168.200.210
The PDC does also act as DNS-server

BDC

netbios name TESTW2k3b
IP address 192.168.200.211
The BDC does also act as DNS-server

Network card of AADS Terminal Server:

The AADS Terminal Server uses both the PDC and BDC for its DNS-settings and for its default gateway.
The AADS Terminal Server has nothing entered in the field Domain Server, because it is always able to determine which PDC and / or BDC is available.

Group Domain Users ==> Local group Remote Desktop Users

The Domain Group "Domain Users" will be added to the local group Remote Desktop Users by the AADS Terminal Server Setup program:

Application Control only for Domain Groups, not for Domain Users

When it comes to Domain Authorization, AADS Application Control is limited to Domain Groups. It would be possible to include Domain Users, but this might result in performance problems. Large Domains can contain several thousand Domain users. Showing them all and manage them all on an AADS Terminal Server might result in performance problems.
Therefore AADS Application Control can applied only to Domain Groups:

Organize and define Domain Groups that, for example, mimics your business processes within the company.
Make the right set of Domain User(s) member of the appropriate Domain Group(s).
Each Domain Users will get its appropriate desktop, under control by AADS Application Control. Which applications are available for the Domain User, is directed by its membership of 1 or more Domain Groups.