
Apr 01 2013

How to: Horizon View and vCloud Director multi-tenant DaaS

Service providers and large customers with a requirement for multi-tenant Desktop-as-a-Service frequently ask me how it would be possible to integrate Horizon View and vCloud Director and get both technologies to work together. As of today, the official VMware answer is: this is not supported.

In this article I demonstrate how multi-tenant implementations with View and vCD are achievable with some automation. However, let’s first look at why this is not supported today.

Most attempts to integrate View with vCD focus on placing View Connection Servers inside a vCD tenant organization. This works well for VMs and vApps created by and through vCD. However, View only communicates with vCenter Server, not vCD. For this reason, unless a dedicated vCenter Server is placed in each vCD tenant organization together with nested ESX hosts, you will not be able to have a completely independent environment. In this article I don’t plan to discuss vCD architecture. However, placing additional vCenters and nested ESX hosts in a vCD tenant organization is neither a scalable solution nor one that performs well.

In addition to that, for a true multi-tenant environment you would need dedicated Active Directory domain controllers hosted within each tenant organization. This AD server may be an extension of the customer network through a VPN connection.

When Horizon View creates virtual desktops it will only communicate with and place them in vCenter, not in vCD. Therefore, the desktops will not be able to contact the correct AD server to join the domain and execute other customization-related tasks, nor will they be in a vCD organization. As a result, vCD neither sees the desktop nor manages resources for it.

The picture below shows a deployment with Horizon View running inside a vCD organization and how it communicates with vCenter only.

[Image: Screen Shot 2013-03-30 at 10.07.58 PM]

VMware does not support the steps outlined below. I recommend testing in a development environment. If you decide to test or implement this, you are doing it at your own risk.


Enter a new undocumented feature in Horizon View 5.2: “HoldCustomization”. This feature was a request I placed with the engineering team to help me achieve multiple objectives, one of them being out-of-band vCD integration for Horizon View. When using this feature, make sure the desktop pool is created with provisioning disabled, and only enable provisioning after the pae-HoldCustomization attribute is set to 1. If you need help modifying the ADAM database, please refer to my article How to Access Windows 2K8 Server via PCoIP with VMware View for instructions.


When a Horizon View desktop pool is enabled with HoldCustomization, the desktops will not be automatically powered on after creation; this applies to both full and linked clones. Because the desktops have not been powered on, it is possible to execute certain tasks before the customization process starts and before the domain join fails while trying to contact the correct Active Directory server.

As an example, one of the tasks that could be executed at this point in time is an Import-CIVApp task in vCD via the API (PowerShell, Java, .NET). I am not going to explain in detail how the function works in this blog post. Here is a code example:

```powershell
# Import the held (powered-off) View desktop into the tenant's org VDC in place (-NoCopy)
Import-CIVApp -VM (Get-VM -Name $vm.name) -NoCopy -OrgVdc $org -RunAsync -Confirm:$false | Wait-Task
```

Once the VM is imported into vCD it will be automatically configured with an identity, placed in the correct organization and registered with vCNS (vShield Edge). Next you need to automate the addition of the vCD VM to a pre-configured org network using the vCD API. Here is a sample of how to do that with PowerShell:

```powershell
Function Configure_VMNetwork {
    Param(
        [parameter(Mandatory=$true)]
        [string]$org,                      # vCD organization name
        [parameter(Mandatory=$true)]
        $vm,                               # PowerCLI VM object (or VM name) already imported into vCD
        [parameter(Mandatory=$true)]
        [string]$newNetworkName,           # pre-configured org network to attach the NIC to
        [parameter(Mandatory=$true)]
        [Int]$NetworkConnection,           # NIC index (0 for the first adapter)
        [parameter(Mandatory=$true)]
        [string]$IpAddressAllocationMode   # POOL or DHCP
    )
    # Wildcard on the name; the string form of a PowerCLI VM object is its name
    $vmext = (Get-CIVM -Org $org -Name "$vm*").ExtensionData
    $NetworkConfig = $vmext.Section | Where-Object { $_ -is [VMware.VimAutomation.Cloud.Views.NetworkConnectionSection] }

    # With more than one NIC, order by index so $NetworkConnection selects a stable adapter
    $connections = $NetworkConfig.NetworkConnection
    if (@($connections).Count -gt 1) {
        $connections = $connections | Sort-Object NetworkConnectionIndex
    }
    $nic = @($connections)[$NetworkConnection]

    $nic.network                = $newNetworkName
    $nic.IsConnected            = $true
    $nic.IpAddressAllocationMode = $IpAddressAllocationMode
    $nic.NeedsCustomization     = $true   # let vCD guest customization apply the new NIC settings

    $NetworkConfig.updateServerData()     # push the modified section back to vCD
}
```

At this point in time the VM is ready to be powered on via vCD (it must be via vCD, because vCD executes a few run-time configurations at power-on).
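The steps above (find the held desktops, import each one, attach it to the org network, power it on through vCD) tied together in one loop. This is an added example, not code from the original post; it assumes an existing Connect-VIServer and Connect-CIServer session, that the pool already has pae-HoldCustomization set to 1, that the Configure_VMNetwork function from the post is saved in Configure_VMNetwork.ps1, and placeholder tenant, VDC, network and VM-name values.

```powershell
# Added example: import held View desktops into a tenant org VDC and power them on via vCD.
# Assumes PowerCLI with the Cloud module and active vCenter + vCD sessions. Names are placeholders.
param(
    [string]$PoolNamePrefix = 'tenantA-desktop-',   # naming pattern of the View pool's VMs
    [string]$OrgName        = 'TenantA',            # vCD organization
    [string]$OrgVdcName     = 'TenantA-VDC',        # target org VDC
    [string]$OrgNetworkName = 'TenantA-Internal',   # pre-configured org network
    [string]$IpMode         = 'POOL'                # POOL or DHCP
)

. .\Configure_VMNetwork.ps1   # the function from the post (assumed saved to this file)

$orgVdc = Get-OrgVdc -Org $OrgName -Name $OrgVdcName

# Only VMs that View has created but not yet powered on are candidates:
# a powered-on desktop has already started customization and is too late to import.
$held = Get-VM -Name "$PoolNamePrefix*" | Where-Object { $_.PowerState -eq 'PoweredOff' }

foreach ($vm in $held) {
    # Skip desktops imported on a previous run so the script can be re-run safely.
    if (Get-CIVM -Org $OrgName -Name $vm.Name -ErrorAction SilentlyContinue) {
        Write-Host "$($vm.Name): already in vCD, skipping"
        continue
    }

    # Import in place (-NoCopy) so vCenter and View keep the same VM object.
    Import-CIVApp -VM $vm -NoCopy -OrgVdc $orgVdc -RunAsync -Confirm:$false | Wait-Task

    # Attach the first NIC to the tenant's org network.
    Configure_VMNetwork -org $OrgName -vm $vm -newNetworkName $OrgNetworkName `
        -NetworkConnection 0 -IpAddressAllocationMode $IpMode

    # Power on through vCD, never vCenter, so vCD applies its run-time configuration
    # before View's guest customization and domain join continue.
    Get-CIVM -Org $OrgName -Name $vm.Name | Start-CIVM -RunAsync | Wait-Task
    Write-Host "$($vm.Name): imported into $OrgVdcName and powered on"
}
```

Run it after enabling provisioning on the held pool; on every pass it only touches desktops that are still powered off and not yet known to vCD.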

[Image: Screen Shot 2013-03-30 at 10.08.09 PM]


When the VM is finally back online, now in vCD, the desktop customization continues normally: the desktop is joined to the domain and becomes available for connection via the View Connection Server.

At this point in time you have a fully contained View environment with Connection Servers, Security Servers, View Composer, Active Directory and the desktops running inside a vCD tenant organization, and all View-related tasks such as refresh, recompose and reset continue to work as usual.

[Image: Screen Shot 2013-03-30 at 10.08.20 PM]


It is important to observe one implication of this approach: the vCenter Server is shared amongst the View deployments in different organizations, so it is important to harden Horizon View against attacks originating from inside a tenant organization. To get that far, an attacker would first need to pass AD credential or RSA token authentication before being able to start trying anything. I am simply raising awareness of the shared vCenter.

Automating View, vCenter and vCD with pre-created vApp templates to build a multi-tenant infrastructure for desktop-as-a-service is possible. This guide doesn’t show you how to do it, but rather gives you an idea of how to accomplish it.

There is another method to achieve similar results, where desktops are created in vCD and then added to manual pools in View. I’ll cover that in a different article. However, the downside of that approach is that you lose the desktop lifecycle and pool management capabilities provided by View, such as refresh on logoff, recompose and refresh operations.


This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.
