VMware View Composer, 2 Way Trusts are for the Weak

VMware KB: Adding a domain to the VMware View Composer service on the Connection Broker fails with the error: Bad Domain Name

This is not true. You can also fix this with a DNS conditional forwarder. The trade-off is that View cannot browse the AD of the domain that your vCenter is not a member of and does not trust, which is a small price to pay. When you need to specify the OU that your created machines will be placed in, you have to write out the OU's LDAP path by hand instead of letting View do it for you. Not a big deal.

Domain 1: vCenter, View Connection Server (Conditional Forward to Domain 2)
Domain 2: Desktops (Hosts file pointing to the View Connection Server)
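As an added example (not part of the original post), the two pieces of that layout can be put in place with PowerShell: a conditional forwarder on a Domain 1 DNS server so that only queries for Domain 2's zone are sent to Domain 2's DNS servers, and a hosts-file entry on each Domain 2 desktop for the two Domain 1 hosts it must reach. The domain names and IP addresses are assumed values; the DNS cmdlets are the standard DnsServer module ones on Windows Server 2012 or later.

```powershell
# Added example, not from the original post. All names and IPs are assumed values.
#
# Part 1: run on a Domain 1 DNS server. Forward only queries for domain2.com to
# Domain 2's DNS servers; every other zone keeps resolving exactly as before.
$Domain2Name = 'domain2.com'
$Domain2Dns  = @('192.168.2.10', '192.168.2.11')   # assumed Domain 2 DNS server IPs

if (-not (Get-DnsServerZone -Name $Domain2Name -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Domain2Name `
        -MasterServers $Domain2Dns `
        -ReplicationScope 'Forest'   # AD-integrated, so every Domain 1 DC gets the forwarder
}

# Part 2: run on each desktop VM in Domain 2. Pin the two Domain 1 hosts the
# desktop must reach, since Domain 2's DNS knows nothing about domain1.com.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Entries = @{
    'vCenter.domain1.com'              = '192.168.1.100'
    'ViewConnectionServer.domain1.com' = '192.168.1.200'
}
$existing = Get-Content -Path $HostsPath
foreach ($fqdn in $Entries.Keys) {
    $short = $fqdn.Split('.')[0]
    $line  = '{0} {1} {2}' -f $Entries[$fqdn], $fqdn, $short
    # Append only if no line already maps this name, so the script can be rerun safely.
    if (-not ($existing | Where-Object { $_ -match "\s$([regex]::Escape($fqdn))(\s|$)" })) {
        Add-Content -Path $HostsPath -Value $line
    }
}
```

Two caveats worth keeping in mind: the forwarder only works if the Domain 1 DNS servers can reach Domain 2's DNS servers on port 53, and hosts-file entries are static, so if vCenter or the Connection Server ever changes address the desktops stop finding them without any DNS error to point at the cause.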


6 thoughts on “VMware View Composer, 2 Way Trusts are for the Weak”

  1. Troy

    This is great news. Could you provide more detail on the setup? Are you running the DNS conditional forwards from domain1 pointing to domain 2?

    Reply
    1. gregcarriger Post author

      I would love to! 1st off, when you try and add a domain to use with Composer, your View Connection Server does a DNS lookup for the domain you are trying to add. So, if you want to add domain2.com, then View does an nslookup example.com and then tries to connect to the returned IP using the Kerberos and LDAP ports. I have a hunch that you could even get by with just adding entries to your hosts file, but I didn’t go down that road.

      So the main domain 1 needs a conditional forward, or some other way to talk to domain 2 and return something useful for “nslookup domain2.com”. Also the desktop VMs in domain 2 need a way to talk to vCenter and the View connection server. The way I chose to do that is just modify the desktop VMs’ hosts file with:

      192.168.1.100 vCenter.domain1.com vCenter
      192.168.1.200 ViewConnectionServer.domain1.com ViewConnectionServer

      Obviously this is an example, but I hope it helps.

      WARNING: As this is not recommended practice by VMware, they could very well not provide support if you implement this. Good luck 🙂

      Reply
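The comment above describes the sequence that reportedly produces "Bad Domain Name": resolve the bare domain name, then connect to the returned address on the Kerberos and LDAP ports. As an added example (not from the original post or from VMware), this script runs that same sequence from the View Connection Server as a preflight check, so you can tell a name-resolution failure from a blocked port before touching the Composer settings. The domain name is an assumed value, and the ports are the standard ones (TCP 88 for Kerberos, TCP 389 for LDAP); the exact lookups Composer performs are taken from the comment, not from VMware documentation.

```powershell
# Added example, not from the original post. Run on the View Connection Server
# before adding Domain 2 to Composer. The domain name is an assumption; the port
# numbers are the standard Kerberos and LDAP TCP ports.
param(
    [string]$Domain = 'domain2.com'   # assumed name of the domain you want to add
)

$ports = @{ Kerberos = 88; LDAP = 389 }

# Step 1: does the bare domain name resolve through this server's resolver?
# With no forwarder, stub zone or hosts entry this is the lookup that fails.
$records = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'A' }
if (-not $records) {
    Write-Warning "No A record for $Domain from this server's resolver; expect 'Bad Domain Name'."
    return
}

# Step 2: for every DC address returned, confirm the two ports are reachable.
# Test-NetConnection checks TCP only; Kerberos also uses UDP 88, which is not
# covered here.
$results = foreach ($rec in $records) {
    foreach ($name in $ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $rec.IPAddress -Port $ports[$name] `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        [pscustomobject]@{
            Address = $rec.IPAddress
            Service = $name
            Port    = $ports[$name]
            Open    = $ok
        }
    }
}
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Open }) {
    Write-Warning 'At least one DC port is unreachable; the Composer domain add will still fail.'
}
```

If step 1 succeeds only because of a hosts-file entry on the Connection Server, the check passes but, as the later comments point out, the desktops created in Domain 2 still need real DNS resolution, so a forwarder or stub zone remains the more robust fix.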
    2. gregcarriger Post author

      I just realized that I went with conditional forward because the people in domain 1 need to be able to resolve the created VMs in domain 2. A conditional forward or something similar like a stub zone is needed to accomplish this.

      Reply
  2. Troy

    Thanks, can't wait to give it a go and see if I can add the local domain into the Composer settings. It's funny that VMware doesn't provide alternatives to the 2-way trust solution. I can see many use cases for separate untrusted domains. I have read lots of articles on the web just saying to bolt a connection server into the alternative domain and point it back to the vCenter; I'm guessing they haven’t actually tested this.

    Thanks again

    Reply
    1. Lee

      Hi Guys,

      How would I go about setting my DNS up if the environment was as follows:

      Domain1: vCenter server / Composer server
      Domain2: Deployed VMs

      Domain1 does not need to resolve machines in Domain2 and vice versa. I have currently allowed the vCenter/Composer server to connect through to the AD server in Domain2 regarding network connections. I have set up a local hosts file on the vCenter/Composer server in Domain1 to resolve the domain name of Domain2 to the public IP of the AD server in Domain2. I am still getting Bad Domain 😦

      Any help would be appreciated.

      Regards
      Ldjones

      Reply
      1. gregcarriger Post author

        I took the conditional forward shortcut. The issue you will have when monkeying around with the hosts file is that desktops that are created in Domain 2 will be dynamic and still need good name resolution. I think that domain 1 does an nslookup on the FQN for domain 2. If you can make that succeed with the hosts file then you might be able to make the connection. However, created VMs will check DNS name resolution before they become available.

        Good luck.
