Active Directory and Infrastructure Services Considerations
Group Policy Loopback Processing
You can use the Group Policy Loopback feature to apply Group Policy user settings based only on
which computer the user logs in to. This is ideal when users already reside in their respective OUs
and new OUs have been created for the Terminal Server/RDSH hosts from which applications and
desktops are published. In effect, the user settings are applied when users log in to those
computer objects, in this case the Terminal Servers/RDSH hosts.
This is configured from the Group Policy Management Console (GPMC). Navigate to Computer
Configuration\Administrative Templates\System\Group Policy and enable the loopback processing
policy setting, choosing either Merge or Replace mode.
More information on loopback processing can be found at https://support.microsoft.com/en-us/kb/231287
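The same setting can be applied and verified from PowerShell instead of clicking through GPMC. The following is an added example, not code from the Parallels guide; it uses the GroupPolicy module (RSAT) and writes the documented loopback policy value (UserPolicyMode: 1 = Merge, 2 = Replace) into a GPO. The GPO name and OU distinguished name are placeholders you would replace with your own.

```powershell
# Added example (not from the Parallels guide): configure Group Policy loopback
# processing on the GPO linked to the Terminal Server/RDSH OU.
Import-Module GroupPolicy

$gpoName = 'RDSH-Loopback'                                  # placeholder GPO name
$rdshOu  = 'OU=RDSH,OU=Servers,DC=corp,DC=example,DC=com'   # placeholder OU DN
$policyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
$modes = @{ Merge = 1; Replace = 2 }                        # documented UserPolicyMode values

# Create the GPO and link it to the RDSH OU if it does not exist yet.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target $rdshOu | Out-Null
}

# Merge: the user's own GPOs apply first, then the user settings of GPOs linked to
# the computer's OU override on conflict. Replace: only the computer-OU user settings apply.
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value $modes['Merge'] | Out-Null

# Verify that the value was written to the GPO.
$v = Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'UserPolicyMode'
"Loopback mode on '$gpoName' = $($v.Value) (1 = Merge, 2 = Replace)"

# On an RDSH host, after 'gpupdate /force', confirm which user-scope GPOs applied
# in a session: 'gpresult /r /scope:user' should list the loopback GPO.
```

The Get-GPRegistryValue check confirms only that the GPO carries the setting; whether it reaches a given RDSH host still depends on the link, security filtering and WMI filters, which is why the gpresult step on the host is the one that matters for troubleshooting.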
DNS
The Domain Name System (DNS) is a hierarchical distributed database that contains mappings of
DNS domain names to various types of data, such as IP addresses. DNS allows you to use friendly
names to easily locate computers and other resources on a TCP/IP network.
DNS is a key infrastructure component used by many Remote Application Server components. While
file-based name resolution, such as the hosts file, is sufficient in Proof of Concept (POC)
environments, Parallels recommends implementing Active Directory-integrated DNS in enterprise
deployments.
Parallels recommends the use of the DNS zone integrated with Active Directory so that
organizations can have the benefit of using secure dynamic updates, as well as the ability to use
Access Control List (ACL) editing features to control which machines can update the DNS system.
Dynamic update is a key DNS feature that allows domain computers to register their names and IP
addresses with the DNS server automatically when they come online or when their IP address
changes through DHCP. The DNS Server service allows dynamic update to be enabled or disabled on a
per-zone basis on each server configured to load either a standard primary or a directory-integrated
zone. By default, the DNS Client service dynamically updates host (A) resource records in DNS when
the service is configured for TCP/IP. This form of update eliminates the need to enter names and IP
addresses into the DNS database manually.
Unauthenticated dynamic updates are a security concern: any client that can reach the DNS server
could write to the database, creating the possibility of a malicious entry. Secure dynamic updates
address this by verifying that the computer requesting the update also has an entry in the Active
Directory database. This means that only computers that have joined the Active Directory domain
can dynamically update the DNS database.
More information on how DNS works can be found at
https://technet.microsoft.com/library/cc772774.aspx
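To put the recommendation above into practice and audit it, the following added example (not code from the Parallels guide) uses the DnsServer module on a Windows DNS server. It shows the weak setting (NonsecureAndSecure, which accepts updates from any host that can reach the server) next to the corrected one (Secure, which accepts only authenticated updates from domain members), converts a file-backed zone to an AD-integrated one where necessary, and lists every primary zone that still allows non-secure updates. The zone name is a placeholder.

```powershell
# Added example (not from the Parallels guide): enforce and audit secure dynamic
# updates on Active Directory-integrated DNS zones.
Import-Module DnsServer

$zoneName = 'corp.example.com'   # placeholder forward lookup zone

$zone = Get-DnsServerZone -Name $zoneName

# Secure-only dynamic update requires the zone to be AD-integrated; a standard
# primary (file-backed) zone can only offer None or NonsecureAndSecure.
if (-not $zone.IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Domain -Force
}

# Weak setting (shown for contrast, not applied):
#   Set-DnsServerPrimaryZone -Name $zoneName -DynamicUpdate NonsecureAndSecure
# Corrected setting: only Kerberos-authenticated domain computers may register records.
Set-DnsServerPrimaryZone -Name $zoneName -DynamicUpdate Secure

# Confirm the change on this zone.
Get-DnsServerZone -Name $zoneName | Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

# Audit: every forward primary zone on this server that still accepts unauthenticated updates.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
                   $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```

The audit query is worth running on each DNS server after a migration, because a zone converted to AD integration keeps whatever dynamic update mode it had before, and reverse lookup zones are left out of the list only so that the forward zones used by the Parallels components stand out; they can be checked the same way.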