How Do I Interconnect Workspace with Microsoft AD?

Latest reply: May 19, 2017 01:17:23

You can deploy Microsoft AD either in the intranet of the enterprise data center (DC) or in the VPC where Workspace resides. The following describes how to interconnect Workspace with Microsoft AD in each of these two deployment scenarios.

NOTE:

Ensure that the network where Workspace resides can communicate with the network where Microsoft AD resides before you start; every check below assumes basic IP reachability between the two.

Procedure

Scenario 1: Microsoft AD is deployed in the intranet of the customer's DC

Figure 1 Microsoft AD deployed in the intranet of the customer's DC

  1. Use Direct Connect or IPsec VPN to connect the customer's DC to the VPC. For details about the configuration, see the Direct Connect User Guide or the VPN User Guide.
  2. If a firewall is deployed between Microsoft AD and Workspace, open the ports listed in Table 1 on the firewall so that Workspace can reach Microsoft AD:
    Table 1 Port list

    Role  Port          Protocol  Description
    AD    135           TCP       RPC endpoint mapper. Clients ask it which dynamic port (49152-65535) an RPC service such as DFS, DFSR or AD replication is listening on.
    AD    137           UDP       NetBIOS name service. Used by the Net Logon service for NetBIOS name resolution.
    AD    138           UDP       NetBIOS datagram service. Used by services such as DFS and Net Logon.
    AD    139           TCP       NetBIOS session service (SMB over NetBIOS).
    AD    445           TCP       SMB directly over TCP. Used for the SYSVOL and NETLOGON shares (Group Policy, logon scripts).
    AD    49152-65535   TCP       RPC dynamic ports, assigned through the endpoint mapper on port 135.
    AD    49152-65535   UDP       RPC dynamic ports.
    AD    88            TCP       Kerberos Key Distribution Center (KDC).
    AD    88            UDP       Kerberos Key Distribution Center (KDC).
    AD    123           UDP       NTP time synchronization. Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default).
    AD    389           UDP       Connectionless LDAP. Used by the DC locator ("LDAP ping").
    AD    389           TCP       LDAP.
    AD    464           TCP       Kerberos password change (kpasswd).
    AD    464           UDP       Kerberos password change (kpasswd).
    AD    500           UDP       ISAKMP (IKE) for IPsec.
    AD    593           TCP       RPC over HTTP.
    AD    636           TCP       LDAP over SSL/TLS (LDAPS).
    AD    3268          TCP       LDAP global catalog.
    AD    3269          TCP       LDAP global catalog over SSL/TLS.
    AD    4500          UDP       IPsec NAT traversal (NAT-T).
    AD    5355          UDP       LLMNR (Link-Local Multicast Name Resolution).
    AD    9389          TCP       Active Directory Web Services (used by the Active Directory PowerShell module).
    DNS   53            TCP       DNS server.
    DNS   53            UDP       DNS server.

    Ports 389 and 3268 carry LDAP in clear text unless the client negotiates signing and sealing; where your policy allows, prefer 636 and 3269 for directory queries and enable LDAP signing on the domain controllers.

  3. After the configuration, verify the interconnection and ensure that the networks and ports are working correctly. For details, see Verification.
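The following PowerShell script is an added example; it is not part of the original post and not a Huawei tool. Run from a Windows host in the Workspace VPC, it tests every fixed TCP port in Table 1 against the AD server with a bounded timeout and then queries the AD server's DNS over UDP 53 for the domain controller locator SRV record, which is the lookup a domain join performs. The address 192.168.161.78, the domain abc.com and the 2-second timeout are assumed placeholders (taken from the command example later on this page); replace them with your own values.

```powershell
# Added example; not code from the original post or from Huawei.
# Checks the fixed TCP ports from Table 1 against the AD server, then asks
# the AD server's DNS (UDP 53) for the DC locator SRV record.
# $AdIp, $Domain and $TimeoutMs are assumed placeholders.
param(
    [string]$AdIp      = '192.168.161.78',   # assumed AD server address
    [string]$Domain    = 'abc.com',          # assumed AD domain name
    [int]   $TimeoutMs = 2000                # per-port connect timeout
)

# Fixed TCP ports from Table 1. The 49152-65535 RPC dynamic range is not
# scanned: a DC listens on only a handful of ports in it, handed out by the
# endpoint mapper (TCP 135), so the domain join is what exercises that range.
$TcpPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos KDC'
    135  = 'RPC endpoint mapper'
    139  = 'NetBIOS session service'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    593  = 'RPC over HTTP'
    636  = 'LDAPS'
    3268 = 'Global catalog'
    3269 = 'Global catalog over SSL/TLS'
    9389 = 'AD Web Services'
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # ConnectAsync + Wait gives a bounded timeout; a silently dropped
        # SYN (typical for a firewall) shows up as a timeout, not an error.
        $task = $client.ConnectAsync($Target, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        # Connection refused or reset surfaces here as an AggregateException.
        return $false
    } finally {
        $client.Close()
    }
}

$failed = @()
foreach ($entry in $TcpPorts.GetEnumerator()) {
    $ok = Test-TcpPort -Target $AdIp -Port $entry.Key -TimeoutMs $TimeoutMs
    $state = if ($ok) { 'SUCCEED' } else { 'FAILED ' }
    '{0} TCP {1,-5} {2}' -f $state, $entry.Key, $entry.Value
    if (-not $ok) { $failed += "TCP/$($entry.Key)" }
}

# UDP 53: query the AD server's DNS directly for the DC locator record.
# A DC that cannot be found this way will not accept a domain join.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $AdIp -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "no SRV answer for $srvName" }
    'SUCCEED UDP 53    DC locator -> {0}' -f (($srv | ForEach-Object { $_.NameTarget }) -join ', ')
} catch {
    'FAILED  UDP 53    DC locator lookup: {0}' -f $_.Exception.Message
    $failed += 'UDP/53'
}

if ($failed.Count) {
    Write-Warning ('Blocked or unreachable: {0}. Re-check the firewall rules or security group against Table 1.' -f ($failed -join ', '))
} else {
    'All checked ports are reachable; continue with the domain join under Verification.'
}
```

Save it as, for example, Check-AdPorts.ps1 and run `.\Check-AdPorts.ps1 -AdIp <AD IP address> -Domain <AD domain name>`. A FAILED TCP line means the rule for that Table 1 port is missing on the firewall or security group. A FAILED UDP 53 line while TCP 53 succeeds usually means UDP is being filtered, which will also break Kerberos (88/UDP) and the DC locator's LDAP ping (389/UDP) even though every TCP port looks fine.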

Scenario 2: Microsoft AD is deployed in one subnet of the VPC and Workspace in another subnet

Figure 2 Microsoft AD deployed in one subnet of the VPC and Workspace deployed in another subnet

In this scenario, Microsoft AD and Workspace are in different subnets of the same VPC, so you must add security group rules on the AD server instances that allow Workspace to reach the ports Microsoft AD uses.

  1. Create a security group, add an inbound rule, and configure the parameters as follows:
    • Protocol: ANY
    • Source: IP Address
    • IP Address: the CIDR of the subnet where Workspace resides
  2. Apply the security group to AD server instances so that Workspace can communicate correctly with Microsoft AD.
    NOTE:

    The ANY rule above is the quickest way to get the connection working, but it exposes every port on the AD servers to the Workspace subnet. To minimize the enabled ports and protocols, add one inbound rule per port and protocol listed in Table 1 instead of the single ANY rule, and keep that least-privilege rule set in production.

  3. After the configuration, verify the interconnection and ensure that the networks and ports are working correctly. For details, see Verification.

Verification

  1. Check the firewall or security group settings of the AD server and ensure that TCP and UDP ports 49152 to 65535 (the RPC dynamic range) are open in addition to the fixed ports in Table 1.
    NOTE:

    For details about the requirements on AD server ports, see Microsoft's Active Directory and Active Directory Domain Services Port Requirements.

  2. Use the ECS service to create a Windows instance in the VPC where the user desktops reside and join it to the existing domain.
    NOTE:

    For details about how to configure and operate ECS, see the Elastic Cloud Server User Guide.

  3. Log in to the Windows instance using an RDP client (such as mstsc) or VNC.

    The remaining steps are performed on this Windows instance.

  4. Download ADTest.zip and unzip the test application.
  5. In the folder where ADTest.exe resides, hold down Shift, right-click an empty area, and choose Open command window here.
  6. In the Command Prompt window, run the following command to check connectivity to the AD server:

    ADTest.exe -file ADTest.cfg -ip <AD IP address> -domain <AD domain name> -user <domain administrator account>

    Command example:

    ADTest.exe -file ADTest.cfg -ip 192.168.161.78 -domain abc.com -user vdsadmin

  7. Check that every test result shows SUCCEED. If any result shows FAILED, check the AD server configuration or the firewall and security group ports as indicated by that test, then rerun the command.
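As an added example (not the original post's ADTest.exe, whose individual checks are not published here), the following PowerShell script performs the same kind of end-to-end checks with built-in Windows components once the instance from step 2 has joined the domain: it locates a domain controller the way the domain join does, performs a Kerberos LDAP bind with signing and sealing as the domain administrator account, and tests the computer's own secure channel to that DC. The domain abc.com and the account vdsadmin are assumed placeholders taken from the command example above.

```powershell
# Added example; not the original post's ADTest.exe. Run on the Windows
# instance after it has joined the domain. $Domain and $User are assumed
# placeholders; the password is prompted for, never stored in the script.
param(
    [string]$Domain = 'abc.com',     # assumed AD domain name
    [string]$User   = 'vdsadmin'     # assumed domain administrator account
)
Add-Type -AssemblyName System.DirectoryServices

$cred    = Get-Credential -UserName "$Domain\$User" -Message "Password for $Domain\$User"
$plain   = $cred.GetNetworkCredential().Password
$results = @()

# 1. DC locator: the same lookup the domain join uses (DNS SRV on 53,
#    then the LDAP ping on UDP 389).
try {
    $ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
                      -ArgumentList 'Domain', $Domain, $cred.UserName, $plain
    $dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController()
    $results += 'SUCCEED Locate DC: {0} ({1})' -f $dc.Name, $dc.IPAddress
} catch {
    $results += 'FAILED  Locate DC: {0}' -f $_.Exception.Message
    $results
    Write-Warning 'Check DNS (53), LDAP (389 UDP/TCP) and Kerberos (88) against Table 1 first.'
    return
}

# 2. LDAP bind to the located DC by DNS name, so Kerberos (not NTLM) is used,
#    with signing and sealing requested. A DC that enforces LDAP signing
#    rejects unsigned simple binds, so this is the bind worth testing.
$baseDn = 'DC=' + ($Domain -replace '\.', ',DC=')
$auth   = [System.DirectoryServices.AuthenticationTypes]'Secure, Sealing'
try {
    $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
                        -ArgumentList "LDAP://$($dc.Name)/$baseDn", $cred.UserName, $plain, $auth
    $entry.RefreshCache()    # forces the bind; throws if authentication fails
    $results += 'SUCCEED LDAP bind: {0} as {1} (Kerberos, signed and sealed)' -f $dc.Name, $cred.UserName
} catch {
    $results += 'FAILED  LDAP bind: {0}' -f $_.Exception.Message
}

# 3. Secure channel of this domain-joined computer to the DC. This takes the
#    Net Logon RPC path (135 plus a dynamic port, and 445) rather than LDAP.
try {
    $ok = Test-ComputerSecureChannel -Server $dc.Name -ErrorAction Stop
    $results += '{0} Secure channel to {1}' -f $(if ($ok) { 'SUCCEED' } else { 'FAILED ' }), $dc.Name
} catch {
    $results += 'FAILED  Secure channel: {0}' -f $_.Exception.Message
}

$results
if ($results -match '^FAILED') {
    Write-Warning 'One or more checks failed; map the failing step to its ports in Table 1.'
}
```

Run it from an elevated PowerShell prompt on the joined instance. The LDAP bind targets the DC by its DNS name rather than by IP address on purpose: binding to an IP address gives Kerberos no service principal name to request a ticket for, so Windows silently falls back to NTLM and the test would prove nothing about Kerberos (88) or DNS (53). Test-ComputerSecureChannel uses the Net Logon RPC path, so a FAILED there together with a successful LDAP bind points at the 49152-65535 dynamic range or port 445 in Table 1.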
thanks!