Domain Join Setup¶
Before moving on to the Domain Join setup phase, please ensure you have reviewed and met the requirements on the Domain Join landing page, completed the steps in the Domain Controller Preparation guide, adjusted the appropriate AWS account permissions using the AWS IAM Permissions guide, and/or configured your DNS settings on Azure (if applicable).
Before we begin the setup process, we will want to verify that our Xi Frame account Sandbox can communicate with the domain controller (DC). Start by logging into the Sandbox of the Xi Frame account you would like to join to the domain.
- First, we need to make sure that communication between your Frame instances and your desired DNS is functioning. From the Sandbox, use either the
pingcommand or the
nslookupcommand (if ping / ICMP is disabled) of the DNS server’s IP address. It’s common that the domain controller is also the DNS server; if that’s the case, we’ll be directly pinging the DC. To do this, we will open up a Command Prompt on our Sandbox and type
ping [ip address]or
nslookup [ip address].
- You should see the name of the server we looked up via IP address. In our example, you can see it returned
supportdc.azuredji.local. Now that we have verified our DNS settings are correct and we are able to resolve the name of the Domain Controller, we can connect our Xi Frame account to our Domain Controller. After closing your Sandbox session, power the Sandbox off from the Dashboard.
You can join your Sandbox or Utility server to your domain by logging into either machine and following the standard process of joining a Windows machine to a domain.
- Navigate to the “Settings” page on the sidebar and click on the “Networking” tab. Before you can enable Domain Join for your instances, you must set a custom VPC CIDR or specify your own private VPC. Click the “Customize VPC Settings” check box, enter your VPC CIDR, and click “Save.”
- The “Domain Settings” tab will appear, click on it. Then, click on the “Enable Domain Settings” toggle. Multiple fields will populate under the “Domain Settings” section requiring information in the formats listed below. Be sure to click “Save” when you have entered all required information.
- Domain Name (FQDN): The DNS Domain Name we mentioned earlier in this guide –
- Domain controller IP or FQDN: The IP address of the Domain Controller –
10.0.0.5or FDQN –
- DNS servers (up to 3, comma separated): You can list up to 3 DNS Server IPs in a comma-separated format –
- Service account name (UPN): This is the service account we created in the Domain Controller Preparation guide. This must be in UPN format –
email@example.com. Do not use the down-level logon name format (
- Service account password: The password for the service account mentioned above.
- Repeat the service account password: Re-type the password from above.
- Target OU Distinguished Name: This is the distinguished name of the OU which we copied during the Domain Controller preparation –
- Require login with domain user account: If enabled, you will no longer login with the Frame local user credentials, but will be asked to login as a domain user instead.
- Once you have correctly entered all of the required information, click “Save” in the upper right corner of the page. A notification will appear displaying the pending request to enable Domain Join.
- The pending request notification will disappear once the process is complete and your Domain Join tab will now display the option to change the service account password.
- Lastly, go back to your “Systems” page and publish your Sandbox. Once the publish is complete, you will be able to access your Domain Joined instances.
To ensure your production instances are joined to your domain correctly, it is recommended to adjust your first publish to a max of 1 (under your capacity settings) and verify changes before publishing to a larger pool.
Troubleshooting with Nutanix Frame AD Helper¶
Nutanix Frame AD Helper is a standalone tool for testing network configuration, name resolution (DNS), and directory credentials/permissions. This tool was designed to be used during the account setup process for scenarios where troubleshooting is required. Frame AD Helper can assist in ensuring that all prerequisites for DJI are met successfully. Frame AD Helper Tool is installed as part of the Frame Guest Agent and located in
The Network Connectivity test verifies that DNS and AD services are reachable. Tests will automatically fail if network connectivity has not been established between the Frame account’s VPC and AD/DNS resources. This test performs the following actions:
- DNS Service Test
- AD Service Test
Name Resolution (DNS)¶
The Name Resolution test confirms that the Active Directory Domain Name can be resolved using the DNS server of your choice. This test performs the following actions:
- Resolves a record for the Domain Name
- Resolves SRV record for the Domain Name
The Directory Configuration test verifies that the Active Directory service account and permissions are configured properly for DJI. This test performs the following actions:
- Connects to Active Directory using the provided credentials
- Creates a test computer object (GUID-Frame)
- Deletes the test computer object