Domain Controller Preparation
The Xi Frame platform supports integrating with your on-prem or cloud-based Microsoft Active Directory (AD) environment. This requires network connectivity (a peering connection or VPN) between a Frame account and your Domain Services components; you then join the cloud Windows Server 2016 machines that Frame provisions to your domain.
To use the Domain Join feature, you must use your own cloud account, in which these Windows machines are provisioned and orchestrated by the Frame Platform. This is called our “BYO” feature. Before continuing with this setup guide, complete the BYO setup described in the BYO AWS and BYO Azure articles.
Supported Deployment Models and Systems Overview
There are two architectural models for connecting your AD environment to Frame:
- One or more of your domain controllers (DCs) are located in an AWS VPC or Azure VNet. The region in which your DCs are located must support inter-region peering. In this model, you create a peering connection between the VPC or VNet that holds your domain controllers and your Frame account.
- Your DCs are on-prem and you can set up an always-on VPN connection to Frame.
In both models, you must configure your networking and firewall rules to allow every port and protocol that Active Directory traffic uses (DNS, Kerberos, LDAP/LDAPS, SMB, RPC and the RPC dynamic port range, among others); Microsoft's documentation lists the complete set. Read this guide in full before you begin connecting your AD environment to Frame.
The OU and service account used for Domain Join must meet the following requirements:
- The Organizational Unit (OU) name must not contain spaces (e.g., an OU named Frame Azure 1 will not work; remove the spaces).
- The service account must be delegated control of the OU using “Delegate Control” (see the steps below).
- The service account must be specified in UPN format (user@domain, not DOMAIN\user).
- Each Frame account should use its own OU.
- Each Frame account should ideally use its own service account.
- Service account passwords must not expire. If the password expires, the Frame account can no longer publish production instances until the password is updated.
- Group Policy inheritance should be blocked on the Frame OUs.
Domain Controller Preparation Steps
In order to join instances to your domain through the Xi Frame Platform, complete the steps outlined below.
- Log in to your domain controller and open “Active Directory Users and Computers.”
- Create a new OU for Frame: right-click your domain (or the existing OU under which you want the Frame OU to live), select “New” and then “Organizational Unit.” Note that the built-in “Computers” container is not an OU and cannot hold child OUs, so the Frame OU cannot be created inside it. We recommend that you give this OU a unique name that identifies the Frame account it is tied to. In this example, we have named the OU
- In our example, we created a new OU for Frame and, inside it, a sub-OU named after the Frame account we will be using. This is strongly recommended to avoid confusion when multiple Frame accounts are joined to the same domain.
Create Service Account
- Next, create a service account that Frame will use to manage computer objects in the OU. Create this user where your organization keeps its other service accounts; in our example, we add it directly to the “Users” container by right-clicking “Users,” selecting “New” and then “User.”
- Fill in the name fields so that the purpose of this service account is clear, and click “Next.”
- Set the desired password for the service account. If your organization's policy allows it, select “Password never expires.” Uncheck “User must change password at next logon,” then click “Next” and “Finish.”
If the service account password expires, the account stops working until the password is updated, and the new password must also be entered in the Frame Dashboard. An admin who attempts to publish from a Frame account with expired domain-join credentials will see the publish fail.
Next, we will delegate controls to our service account.
- Right-click on the newly-created OU and select “Delegate Control…” to open the Delegation of Control Wizard.
- Select your Frame service account.
- On the “Tasks to Delegate” page, select “Create a custom task to delegate” and click “Next.”
- On the “Active Directory Object Type” page, select “Only the following objects in this folder” and check “Computer objects.” Then check “Create selected objects in this folder” and “Delete selected objects in this folder.”
- On the “Permissions” page of the wizard, with the “General” checkbox checked, select both “Change password” and “Reset password.” Complete the wizard by clicking “Next” and then “Finish.”
This grants the service account only what Domain Join needs: creating and deleting computer objects in the Frame OU and resetting their passwords. The account does not need membership in Domain Admins or any other privileged group.
In some circumstances you may wish to create a separate Frame service account for each OU, for greater security, scalability, or convenience. This is also supported: create a service account for each OU and delegate the same permissions as above.
Ensure that no GPO applied to the Frame OU enables User Group Policy loopback processing, so that unnecessary and potentially conflicting GPOs are not applied to the Frame instances inadvertently. Because your organization may have specific security lockdowns and GPOs, work with our Support or Solution Architect teams to confirm that these GPOs do not adversely affect the Frame environment.
Obtain OU Details
Now we will obtain the necessary OU information needed to integrate with Frame. You will be entering this information into your Dashboard in later steps.
- In your “Active Directory Users and Computers” console, enable “Advanced Features” from the “View” menu. This exposes the “Attribute Editor” tab, which lets us retrieve the needed information easily.
- Next, right-click on the OU and select “Properties.”
- Under the “Attribute Editor” tab, double-click “distinguishedName.”
Copy this attribute’s value to your clipboard and have it ready, as we will need it in order to add your Frame account to your domain in the next guide.
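The same preparation (Frame OU and per-account sub-OU, service account with a non-expiring password, the delegation the wizard grants, blocked GPO inheritance, and the distinguishedName to paste into the Dashboard) can be scripted so that it is repeatable for every Frame account you join. The block below is an added example and is not part of the Frame documentation or product; it uses the RSAT ActiveDirectory and GroupPolicy modules and must be run on a domain controller or RSAT host as a user who can create OUs and users and edit OU ACLs. The OU names, the service account name and its location under CN=Users are assumptions; replace them with your own. The GUIDs are the fixed schema and extended-right identifiers that the Delegation of Control Wizard writes for “Computer objects,” “Reset password” and “Change password.”

```powershell
# Added example (not Frame's own code): scripted equivalent of the ADUC steps above.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl
Import-Module GroupPolicy

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName                 # e.g. DC=corp,DC=example,DC=com
$parentOU  = "OU=Frame,$domainDN"                      # assumed top-level OU for Frame
$accountOU = "OU=FrameAzure1,$parentOU"                # assumed per-account OU; no spaces
$svcSam    = 'svc-frame-azure1'                        # assumed service account name
$svcUPN    = "$svcSam@$($domain.DNSRoot)"              # UPN format, as Frame requires
$svcPath   = "CN=Users,$domainDN"                      # assumed; use your service-account OU

function Test-ADObjectExists([string]$dn) {
    try { [void](Get-ADObject -Identity $dn -ErrorAction Stop); $true } catch { $false }
}

# 1. OU for Frame, then a sub-OU named after the Frame account (idempotent).
foreach ($dn in @($parentOU, $accountOU)) {
    if (-not (Test-ADObjectExists $dn)) {
        $name, $path = $dn -split ',', 2               # "OU=FrameAzure1", "OU=Frame,DC=..."
        New-ADOrganizationalUnit -Name ($name -replace '^OU=') -Path $path
    }
}

# 2. Service account: password never expires, no change-at-next-logon.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcSam'")) {
    New-ADUser -Name $svcSam -SamAccountName $svcSam -UserPrincipalName $svcUPN `
        -Path $svcPath -AccountPassword (Read-Host -AsSecureString "Password for $svcSam") `
        -Enabled $true -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
        -Description "Frame domain-join service account for $accountOU"
}
$svc = Get-ADUser -Identity $svcSam

# 3. Delegation matching the wizard: computer objects only, create/delete in this
#    OU ("this object only"), plus Reset/Change password on the computer objects
#    that will be created beneath it.
$computerClass  = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"
$resetPassword  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$changePassword = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$accountOU"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $svc.SID, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
    $computerClass, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))
foreach ($right in @($resetPassword, $changePassword)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $svc.SID, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $right, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $computerClass))
}
Set-Acl -Path "AD:\$accountOU" -AclObject $acl

# 4. Block Group Policy inheritance on the per-account OU.
Set-GPInheritance -Target $accountOU -IsBlocked Yes | Out-Null

# 5. Verify what was granted and print the distinguishedName for the Frame Dashboard.
(Get-Acl -Path "AD:\$accountOU").Access |
    Where-Object { $_.IdentityReference -like "*\$svcSam" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
"PasswordNeverExpires   : $((Get-ADUser $svcSam -Properties PasswordNeverExpires).PasswordNeverExpires)"
"GPO inheritance blocked: $((Get-GPInheritance -Target $accountOU).GpoInheritanceBlocked)"
"OU distinguishedName   : $((Get-ADOrganizationalUnit -Identity $accountOU).DistinguishedName)"
```

The ACL read-back in step 5 is the check worth keeping: the service account should show exactly CreateChild/DeleteChild scoped to the computer class with no inheritance, and two ExtendedRight entries inherited only by descendant computer objects. Anything broader (GenericAll, rights on the whole domain, group membership in Domain Admins) is more than Domain Join needs and widens what a leaked Dashboard credential could do.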
Additional Networking, Firewall, and Routing Considerations
You will need to work with our support team or a Customer Solution Architect to plan the network routes between your domain controllers and the Frame account. Doing so helps to prevent IP address conflicts and ensures that there is sufficient network address space available in your VPC or VNet to contain and expand this environment.
As mentioned at the start of this guide, you will also need to ensure that all applicable Active Directory ports and protocols are open along this new network path. If you plan to connect multiple Frame accounts to your domain controllers, then you will need to plan this with our team and duplicate the steps in this guide for each new account. Setting up a Peering Connection or VPN Connection will be one of the first steps in the setup process for the Domain Join feature.
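Once the peering connection or VPN is in place, the quickest way to find a missed firewall rule is to probe each DC from the Frame side of the link before attempting a publish. The block below is an added example and is not part of the Frame documentation; run it from a Windows host in the Frame VPC/VNet (the DC names are assumptions). It tests the TCP ports that domain join, Kerberos, LDAP and Group Policy use. UDP 53, 88, 123 and 389, and the RPC dynamic range (TCP 49152-65535) cannot be checked with a TCP probe, so confirm those directly in your security group, NSG or VPN rules.

```powershell
# Added example (not Frame's own code): TCP reachability of AD ports from the Frame side.
$domainControllers = @('dc01.corp.example.com', 'dc02.corp.example.com')   # assumed names
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / Group Policy)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

$results = foreach ($dc in $domainControllers) {
    foreach ($port in $ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{ DC = $dc; Port = $port; Service = $ports[$port]; Reachable = $ok }
    }
}

$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Blocked: " + (($blocked | ForEach-Object { "$($_.DC):$($_.Port)" }) -join ', '))
    exit 1
}
"All listed TCP ports reachable on every domain controller."
```

Every DC that the Frame instances might be directed to by DNS must pass, not just one: a join that happens to pick a reachable DC will work in testing and fail later when the locator returns a different one.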
If you are planning on scaling this environment and using it in a production manner, there may be additional setup steps to discuss with our team.