In our production environment we have been running into an issue with correctly applying the appropriate permissions for our VDI connection broker server to create/delete child objects in a particular OU (any OU, really). Our VDI server has Server 2012 installed, and it has been set up to create pooled and managed virtual desktops. As mentioned above, the Active Directory functional level is 2008R2. Under Remote Desktop Services>Overview>Deployment Overview>Tasks>Edit Deployment Properties>Active Directory you can specify the distinguished name of the OU and apply it, and you will receive the following message:
The specified Active Directory Domain Services organizational unit is configured with the appropriate permissions to automatically create new virtual desktops.
** Note: I had previously given the broker computer Full Control of the OU **
The problem that pops up is when you move on to create a virtual desktop collection. I am able to do the following:
- Name Collection
- Choose Collection Type: in our case a Pooled virtual desktop collection that is set up to Automatically create and manage virtual desktops
- Specify the virtual desktop template
----------
My issue begins when I attempt to Provide unattended installation settings; more specifically, it occurs when I once again specify the name of the organizational unit.
Example:
CN=Computers,DC=test,DC=local (Note: it does not matter if it is a top-level OU or if it is nested. This same issue keeps occurring regardless of whether I assign permissions to the OU beforehand or set them through this wizard.)
Before I click next it also explains the following:
The appropriate permissions will be configured automatically on the specified organizational unit (OU); however, the Domain Computers OU in Active Directory is not automatically configured. If you do not have the required permissions on the domain controller, you could generate a script to configure these permissions. Generate script
** So at this point I click Next and receive the following message:
Active Directory configuration - The RD Connection Broker server does not have access to add the virtual desktops to the Active Directory domain. Configure access by using the Active Directory page of the Deployment Properties.
-----
Now I am confused. I already edited the Deployment Properties, and it still has an issue for some reason. I have also already tried running the PowerShell script on the domain controller, and despite it reporting that the appropriate permissions had been assigned, I nonetheless still receive this particular error message.
---------
Here are a few more things I have tried:
I stood up a lab environment that had 2012 AD present, and this issue did not occur. (A domain admin account was used to create the deployment and set up the collection.)
I stood up a second lab environment in which 2008R2 AD was present, and this issue occurs. (A domain admin account was used to create the deployment and set up the collection.)
----------
Does anyone have an idea on what could be going wrong here?
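As an added example (not part of the original question, and not the script the wizard's "Generate script" link produces), the following PowerShell does by hand what the wizard describes: it grants the RD Connection Broker's computer account the right to create and delete computer objects in the target OU, and then reads the ACL back so the grant can actually be verified instead of trusting the wizard's "configured with the appropriate permissions" message. The broker name RDCB01 and the OU OU=VDI,DC=test,DC=local are hypothetical. The page does not say which rights the generated script assigns on the computer objects themselves beyond create/delete, so the second ACE (full control scoped to descendant computer objects only, rather than Full Control of the OU) is an assumption; tighten it to whatever your own generated script shows.

```powershell
# Added example, not code from the original post or from the RDS wizard.
# Run on a domain controller (or a host with RSAT) as an account that can
# modify the OU's security descriptor. Names below are hypothetical.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" object class; scopes the ACEs to computer objects only
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-BrokerOuPermissions {
    param(
        [Parameter(Mandatory)] [string] $BrokerName,   # broker COMPUTER account, e.g. RDCB01
        [Parameter(Mandatory)] [string] $OuDn          # e.g. OU=VDI,DC=test,DC=local
    )
    $brokerSid = (Get-ADComputer -Identity $BrokerName).SID
    $adPath    = "AD:\$OuDn"
    $acl       = Get-Acl -Path $adPath

    # ACE 1: create and delete child objects of class "computer" directly in this OU
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $brokerSid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $computerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    # ACE 2 (assumption, see lead-in): full control over descendant computer objects only,
    # so the broker can manage the accounts it creates without Full Control of the OU itself
    $manageComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $brokerSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClassGuid)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($manageComputers)
    Set-Acl -Path $adPath -AclObject $acl
}

function Get-BrokerOuPermissions {
    # Reads the OU's ACL back and returns only the ACEs that name the broker account,
    # which is the check to run when the wizard claims the OU is configured but
    # collection creation still fails.
    param(
        [Parameter(Mandatory)] [string] $BrokerName,
        [Parameter(Mandatory)] [string] $OuDn
    )
    $brokerSid     = (Get-ADComputer -Identity $BrokerName).SID
    $brokerAccount = $brokerSid.Translate([System.Security.Principal.NTAccount]).Value  # DOMAIN\RDCB01$

    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $brokerAccount } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited
}

# Usage (hypothetical names):
Grant-BrokerOuPermissions -BrokerName 'RDCB01' -OuDn 'OU=VDI,DC=test,DC=local'
Get-BrokerOuPermissions   -BrokerName 'RDCB01' -OuDn 'OU=VDI,DC=test,DC=local' | Format-Table -AutoSize
```

In the output of Get-BrokerOuPermissions you want to see an Allow ACE for CreateChild, DeleteChild whose ObjectType is the computer class GUID (bf967a86-0de6-11d0-a285-00aa003049e2) and whose InheritanceType is None, plus whatever rights you granted on descendant computer objects; if the broker's entries are missing, were applied to a different principal (for example the broker's user session instead of its computer account), or show as inherited from a parent with a different scope, the wizard's success message is not telling you what the ACL actually contains.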