Horizon Cloud on Azure – Domain Bind [Part-3]

Once the pod is created, the next step is to bind the pod to the domain so that an administrator can start using the solution.

Prerequisites for Domain Bind:

Service account permissions:

Domain bind service accounts:
Two service accounts are needed for the domain bind:
1 –> Primary
2 –> Auxiliary (used when the primary domain bind account is locked out or its password has expired)
VMware Public documentation – Service Accounts That Horizon Cloud Requires for Its Operations (vmware.com)

Based on my experience, just creating a default domain account with a password that never expires is sufficient for a bind account.


Domain join service account:
VMware documentation clearly states that this account requires specific privileges, so even granting Full Control to that account won’t help; the exact rights below must be delegated.

Horizon pods in Microsoft Azure running manifest 2474.0 or later (e.g. 2474 and 2672):

Access                    Applies to
Read All Properties       This object only
Create Computer Objects   This object and all descendant objects
Delete Computer Objects   This object and all descendant objects
Write All Properties      Descendant Computer objects
Reset Password            Descendant Computer objects

Horizon pods in Microsoft Azure running a manifest prior to 2474.0 (e.g. 2298, 1976, 1763 and 1600):

Access                    Applies to
List Contents             This object and all descendant objects
Read All Properties       This object and all descendant objects
Create Computer Objects   This object and all descendant objects
Delete Computer Objects   This object and all descendant objects
Write All Properties      All descendant objects
Read Permissions          This object and all descendant objects
Reset Password            Descendant Computer objects

The series of screenshots below may help with granting these permissions to the two bind accounts.

Finally, check the effective permissions; they should look like the screenshot below.
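As an added example (not from the original post, and not VMware's own tooling), the following PowerShell script delegates the manifest 2474.0-or-later permission set from the table above to the domain join account on the OU that will hold the pod's computer objects, then lists the resulting ACEs so the effective permissions can be verified without clicking through the dialogs. The domain name, account name and OU are placeholder assumptions; the two GUIDs are the well-known schema GUID of the computer class and the Reset Password extended right.

```powershell
# Added example (not from the original post): delegate the manifest 2474.0+ domain join
# permission set to the Horizon domain join account on one OU, then list the result.
# Placeholder assumptions: domain EXAMPLE / example.local, account svc-hcs-join,
# target OU "OU=HorizonDesktops,DC=example,DC=local".
Import-Module ActiveDirectory

$JoinAccount = "EXAMPLE\svc-hcs-join"
$TargetOU    = "OU=HorizonDesktops,DC=example,DC=local"

# Well-known GUIDs (the same in every forest)
$ComputerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schema class: computer
$ResetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # extended right: Reset Password

$Identity = New-Object System.Security.Principal.NTAccount($JoinAccount)
$Allow    = [System.Security.AccessControl.AccessControlType]::Allow
$Rights   = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$Rules = @(
    # Read All Properties - This object only
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights::ReadProperty, $Allow, $Inherit::None)
    # Create Computer Objects - This object and all descendant objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights::CreateChild, $Allow, $ComputerClassGuid, $Inherit::All)
    # Delete Computer Objects - This object and all descendant objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights::DeleteChild, $Allow, $ComputerClassGuid, $Inherit::All)
    # Write All Properties - Descendant Computer objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights::WriteProperty, $Allow, $Inherit::Descendents, $ComputerClassGuid)
    # Reset Password - Descendant Computer objects
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights::ExtendedRight, $Allow, $ResetPasswordGuid, $Inherit::Descendents, $ComputerClassGuid)
)

# Apply the rules to the OU's security descriptor
$Acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($Rule in $Rules) { $Acl.AddAccessRule($Rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $Acl

# Verify: show only the ACEs held by the join account; compare them with the table row by row
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinAccount } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it as a user who is allowed to modify the OU's security descriptor. For a pod on a manifest older than 2474.0 the table differs only in adding List Contents (ListChildren) and Read Permissions (ReadControl) on this object and all descendants, and in widening Read All Properties to all descendants and Write All Properties to all descendant objects; adjust the inheritance flags and drop the inherited-object GUID on those rules accordingly. Scoping the delegation to one OU rather than the domain root keeps the account's reach limited to the pod's computer objects.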


  • Log in to the Horizon admin console
  • Select Active Directory from the left-hand pane, or from the Getting Started page
  • Click Register
  • Fill in the required details

Domain controller IPs are optional. If you don’t provide any, Horizon looks up the resolvable AD servers in DNS and tries to connect to them (we have no visibility into which server it connects to, because Horizon sorts the IPs using its own algorithm). If IPs are provided, Horizon connects only to those servers to bind the pod.

The screenshot below helps to find the NetBIOS and DNS domain names.

On a successful domain bind, the Active Directory workflow moves to another screen that asks for the DNS details and the domain join account details.
After the domain join account has been validated, the next screen asks for the super administrator group details; enter them and click Save.

At this point, Active Directory binding to the first pod is complete.

Subsequent pod deployments under the same customer account bind to AD automatically using the first domain bind details, so no admin intervention is required.

Common issues while domain binding:

  • Kerberos (port 88, both TCP and UDP) is not allowed from the pod manager VMs to the domain controllers
  • Global Catalog port 3268 is not allowed from the pod manager VMs to the GC AD servers
  • Incorrect NetBIOS name
  • Domain join account does not have the required privileges
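The following PowerShell pre-flight check is an added example (not from the original post) meant to be run from a Windows host that can reach the domain controllers, before clicking Register. It collects the NetBIOS and DNS domain names asked for on the Register screen, the lockout and password-expiry state of the primary and auxiliary bind accounts, the domain controllers and global catalogs that DNS would hand to Horizon when no DC IPs are supplied, and TCP reachability on the Kerberos (88) and Global Catalog (3268) ports listed above. The domain name and the account names are placeholder assumptions.

```powershell
# Added example (not from the original post): pre-flight checks before registering Active Directory
# in the Horizon admin console. Placeholder assumptions: domain example.local, bind accounts
# svc-hcs-bind (primary) and svc-hcs-bind2 (auxiliary).
Import-Module ActiveDirectory

$DnsDomain    = "example.local"
$BindAccounts = "svc-hcs-bind", "svc-hcs-bind2"

# 1. NetBIOS and DNS domain names, both required on the Register screen
$Domain = Get-ADDomain -Identity $DnsDomain
Write-Host "NetBIOS domain name : $($Domain.NetBIOSName)"
Write-Host "DNS domain name     : $($Domain.DNSRoot)"

# 2. Bind account state: the auxiliary account only helps if it is not locked or expired as well
foreach ($Name in $BindAccounts) {
    Get-ADUser -Identity $Name -Server $DnsDomain -Properties LockedOut, PasswordExpired, PasswordNeverExpires |
        Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired, PasswordNeverExpires
}

# 3. Domain controllers and global catalogs that DNS returns when no DC IPs are given
$DcHosts = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget | Sort-Object -Unique
$GcHosts = Resolve-DnsName -Name "_gc._tcp.$DnsDomain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget | Sort-Object -Unique

# 4. TCP reachability on the two ports named under common issues (UDP 88 is not covered by this test)
$Checks = @(
    foreach ($h in $DcHosts) { [pscustomobject]@{ Host = $h; Port = 88;   Role = 'DC - Kerberos' } }
    foreach ($h in $GcHosts) { [pscustomobject]@{ Host = $h; Port = 3268; Role = 'GC - Global Catalog' } }
)
$Checks | ForEach-Object {
    $t = Test-NetConnection -ComputerName $_.Host -Port $_.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host          = $_.Host
        Port          = $_.Port
        Role          = $_.Role
        RemoteAddress = $t.RemoteAddress
        TcpOpen       = $t.TcpTestSucceeded
    }
} | Format-Table -AutoSize
```

Test-NetConnection only exercises TCP, so a block on UDP 88 will not show up here, and the real source of the bind traffic is the pod manager VMs, so a clean result from an admin workstation does not by itself prove the NSG or firewall rules for the pod manager subnet. Use the script to rule out the DNS, NetBIOS-name and account-state causes first, then check the rules that apply to the pod manager subnet.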
