How to implement and manage Azure AD Domain Services (Azure AD DS) for a fast Windows Virtual Desktop (WVD) PoC deployment

I recently visited a customer who wanted a Windows Virtual Desktop PoC. And although it is customary for me to implement a Windows Virtual Desktop PoC within the current production environment and take it in production after a successful PoC right away, this customer wanted the PoC to be in a completely separate environment. The customer even wanted to implement this Windows Virtual Desktop PoC in a whole new Azure tenant.

At the moment of writing this blog, Windows Virtual Desktop requires an (on-premises) Active Directory or Azure AD Domain Services. So in this case, the fastest way to deploy a Windows Virtual Desktop PoC environment is with Azure AD DS. In this blog I will show you step-by-step how to deploy this.

In this blog

This blog will cover the following topics:

  • Prerequisites
  • The environment
  • Implementing Azure AD Domain Services (Azure AD DS)
  • Update DNS server settings for your virtual network
  • Change passwords of existing user accounts
  • Create a Virtual Machine for Azure AD DS Management Tools
  • Next steps

Prerequisites

Before you start, make sure you have the following in place:

  • Microsoft 365 (E3/E5/A3/A5/F1/Business), Windows 10 Enterprise (E3/E5), Education (A3/A5), VDA per user (For Windows Client OS) or RDS CAL licenses with active SA (For Server OS)
  • Azure Subscription
  • Configured Azure Virtual Network with subnet to use for Azure AD DS and WVD Session Hosts
  • An externally resolvable domain name (optional)

The environment

The environment in which I will install Azure AD DS consists of a new Microsoft Azure tenant with the required licenses and an Azure subscription in place. I have registered a new public domain name and added it to the “Custom domain names” in Azure AD. A custom domain name is optional for Azure AD DS; you can also set up Azure AD DS with a domain name that is not publicly resolvable. An Azure virtual network with a subnet is configured within this new tenant. You can also build this configuration in your existing Azure tenant, for example in an isolated new virtual network so that it has no impact on the production environment.


Implementing Azure AD Domain Services

For the next steps login with a Global Administrator account to the Microsoft Azure Portal.

In the Azure portal click the + Create a resource button and search for Azure AD Domain Services. Click Create.

Select your Azure Subscription and the Resource group (or create a new one, as I will do in this case). Select your DNS domain name; keep in mind that this cannot be changed afterwards. In my case I will use my externally resolvable domain name, but you can also use a .local domain name, for example.

Select your Location and Forest type; in this case, select User.

Click Next – Networking

Select your Virtual network and Subnet and click Next – Administration

Leave everything default and click Next – Synchronization

Azure AD Domain Services is a one-way synchronization from Azure AD to the Azure AD DS managed domain, meaning that Azure AD is leading. You can choose to sync the entire Azure AD or to synchronize only selected groups. For the Windows Virtual Desktop implementation you need at least one administrator account within the Azure AD DS managed domain to join the host pool session hosts. Therefore, make this account a member of the AAD DC Administrators group. Every user account that is a member of the AAD DC Administrators group has Domain Admin rights within the Azure AD DS managed domain, so keep its membership limited to the accounts that actually need it.

Click Review + create

Click Create

Click OK

The Azure AD DS deployment will now be started.

After the deployment is completed you can go to the Azure AD Domain Services blade within the Microsoft Azure Portal. However, right after the deployment, the managed domain is still being provisioned. This can take up to 30 to 40 minutes.
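The same managed domain can be created from PowerShell instead of the portal wizard. The script below is an added example, not code from the original post or from Microsoft; it uses the Az (Az.ADDomainServices, Az.Network, Az.Resources) and AzureAD modules. The resource group, virtual network, subnet, region, domain name and administrator UPN are assumed values to replace with your own.

```powershell
# Added example: create the Azure AD DS managed domain the wizard above builds.
# Assumed values (replace with your own):
$resourceGroup = 'rg-aadds-poc'
$location      = 'westeurope'
$vnetName      = 'vnet-wvd-poc'
$subnetName    = 'snet-aadds'
$domainName    = 'aadds.contoso.com'      # cannot be changed after creation
$adminUpn      = 'wvdadmin@contoso.com'   # account that will join the session hosts

Connect-AzAccount
Connect-AzureAD

# Azure AD DS is delivered by the Microsoft.AAD resource provider; registering is idempotent.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.AAD' | Out-Null

# Members of 'AAD DC Administrators' get Domain Admin rights in the managed domain,
# so create the group only if it is missing and add just the one account needed.
$group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName 'AAD DC Administrators' `
        -Description 'Delegated administrators for the Azure AD DS managed domain' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
}
$admin = Get-AzureADUser -ObjectId $adminUpn
$alreadyMember = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $admin.ObjectId }
if (-not $alreadyMember) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $admin.ObjectId
}

# Networking: the managed domain lives in its own subnet; look up the subnet ID.
$vnet     = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnetId = ($vnet.Subnets | Where-Object { $_.Name -eq $subnetName }).Id
if (-not $subnetId) { throw "Subnet '$subnetName' not found in '$vnetName'" }

# Create the managed domain (replica set = location + subnet). Without a filtered
# sync setting the whole Azure AD tenant is synchronised, matching 'sync the entire
# Azure AD' above. The portal wizard also registers the 'Domain Controller Services'
# enterprise application for you; when scripting a brand-new tenant, create it first
# as described in Microsoft's Azure AD DS PowerShell tutorial.
$replicaSet = New-AzADDomainServiceReplicaSetObject -Location $location -SubnetId $subnetId
New-AzADDomainService -Name $domainName -ResourceGroupName $resourceGroup `
    -DomainName $domainName -ReplicaSet $replicaSet -Sku 'Standard' | Out-Null

# Provisioning continues in the background for 30 to 40 minutes; poll until it settles.
do {
    Start-Sleep -Seconds 120
    $state = (Get-AzADDomainService -Name $domainName -ResourceGroupName $resourceGroup).ProvisioningState
    Write-Host "Provisioning state: $state"
} while ($state -notin @('Succeeded', 'Failed'))
```

Running the group step before the domain step matters: the first account synchronised into AAD DC Administrators is the one you will use to join the session hosts, and any later additions to the group are picked up by the one-way sync without touching the managed domain itself.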

Update DNS server settings for your virtual network

Once the Azure AD Domain Services Managed Domain is running you need to configure the new DNS servers in your Azure virtual network.

Open the Azure AD Domain Services blade within the Microsoft Azure portal; on the right you will find the Required configuration steps. Click Configure to update the DNS server settings for your virtual network.

The DNS servers will be configured automatically for the virtual network. After the new DNS servers are configured within the virtual network, you need to restart every server within this virtual network so that they start using the new DNS servers.
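What the Configure button does is write the two managed domain controller addresses into the virtual network's DNS settings. The script below is an added example (not from the original post) that performs the same change with the Az modules and then restarts every VM attached to that network, found through its network interfaces rather than by assuming a single resource group. The resource group, virtual network and domain names are assumed values.

```powershell
# Added example: set the managed domain's DCs as the VNet DNS servers, then restart
# the VMs in that VNet. Assumed values (replace with your own):
$resourceGroup = 'rg-aadds-poc'
$vnetName      = 'vnet-wvd-poc'
$domainName    = 'aadds.contoso.com'

# The managed domain publishes its domain controller IPs on the replica set.
$managedDomain = Get-AzADDomainService -Name $domainName -ResourceGroupName $resourceGroup
$dnsServers    = @($managedDomain.ReplicaSet.DomainControllerIPAddress)
if ($dnsServers.Count -lt 2) {
    throw "Managed domain is not fully provisioned yet (found $($dnsServers.Count) DC addresses)"
}

# Show the current setting first so a custom resolver is never replaced silently,
# then point the VNet at the two managed domain controllers.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
Write-Host "Current DNS servers: $($vnet.DhcpOptions.DnsServers -join ', ')"
$vnet.DhcpOptions.DnsServers = $dnsServers
$vnet | Set-AzVirtualNetwork | Out-Null
Write-Host "New DNS servers:     $($dnsServers -join ', ')"

# VNet DNS servers reach the guests through DHCP, so each VM must be restarted.
# Select NICs whose IP configuration sits in one of this VNet's subnets.
$nics = Get-AzNetworkInterface | Where-Object {
    $_.VirtualMachine -and
    ($_.IpConfigurations | Where-Object { $_.Subnet.Id -like "$($vnet.Id)/subnets/*" })
}
foreach ($nic in $nics) {
    # VM resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
    $idParts         = $nic.VirtualMachine.Id -split '/'
    $vmResourceGroup = $idParts[4]
    $vmName          = $idParts[-1]
    Write-Host "Restarting $vmName in $vmResourceGroup"
    Restart-AzVM -ResourceGroupName $vmResourceGroup -Name $vmName | Out-Null
}
```

After the restart, `nslookup` (or `Resolve-DnsName`) for the managed domain name from any VM in the network should return the two domain controller addresses; if it still returns nothing, the VM has not picked up the new DHCP options yet.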

Change passwords of existing user accounts

Assuming you are using cloud-only user accounts (without Azure AD Sync from a local domain, as in the case described in this blog), you need to reset the password of the existing users that need to authenticate via Azure AD DS, as in this case for Windows Virtual Desktop. Azure AD only generates the NTLM and Kerberos password hashes that Azure AD DS uses when a password is changed after the managed domain has been enabled, so accounts created before that point cannot sign in to the managed domain until their password has been reset.
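Users can do this themselves through self-service password reset, but for a PoC with a handful of accounts it is quicker to reset them in bulk. The script below is an added example, not from the original post; it uses the AzureAD module to set a temporary password (drawn from a cryptographic random source) on every cloud-only member of an assumed "WVD Users" group and forces a change at next sign-in, which generates the hashes a second time with the user's own password.

```powershell
# Added example: bulk password reset for the cloud-only users who will sign in via
# Azure AD DS. Assumed: an Azure AD group named 'WVD Users' holds the PoC users.
$wvdGroupName = 'WVD Users'

Connect-AzureAD
$group = Get-AzureADGroup -Filter "DisplayName eq '$wvdGroupName'"
if (-not $group) { throw "Group '$wvdGroupName' not found" }

function New-TemporaryPassword {
    # 64-symbol alphabet (ambiguous l, o, I, O and 0, 1 left out), so 'byte % 64'
    # is unbiased; bytes come from the platform CSPRNG rather than Get-Random.
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*?@+'
    $bytes    = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Only cloud-only users can be reset here; DirSyncEnabled users must change their
# password on-premises and have it flow through Azure AD Connect instead.
$users = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectType -eq 'User' -and -not $_.DirSyncEnabled }

$results = foreach ($user in $users) {
    $temp = New-TemporaryPassword
    Set-AzureADUserPassword -ObjectId $user.ObjectId `
        -Password (ConvertTo-SecureString $temp -AsPlainText -Force) `
        -ForceChangePasswordNextLogin $true
    [pscustomobject]@{ User = $user.UserPrincipalName; TemporaryPassword = $temp }
}

# Hand the temporary passwords to the users out of band and do not keep this output;
# each user is forced to choose a new password at first sign-in.
$results | Format-Table -AutoSize
```

Until a user's password has been changed after the managed domain was enabled, that user will fail to sign in to a domain-joined session host even though the account is visible in Active Directory Users and Computers.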

Create a VM for Azure AD DS Management Tools

To manage Azure AD Domain Services we need to install the management tools on a virtual machine.

Within the Microsoft Azure Portal, go to Virtual Machines and click the + Add button.

Fill in the following information:

Subscription : Select your Azure subscription
Resource group : Select a resource group, or create a new one
Virtual machine name : Any name you like
Region : Select your Region
Availability options : Configure if required
Image : For the management tools you can select either Windows (client) or Windows Server

Scroll down

Select or fill in the following information:

Size : Select the size of the VM you want
Username : Fill in a user name for the local administrator account
Password : Fill in a password of your choice
Inbound port rules : Configure any inbound ports you want to open

Click Next : Disks

Select the OS disk type you want to use for this virtual machine and click Next : Networking

Select your Virtual network and Subnet and configure any Public inbound ports if desired; for a management VM it is safer to leave RDP closed to the internet and connect from within the virtual network or through a bastion host. Click Review + create

Click Create

After the deployment is completed, go to the virtual machine and connect to it.

Log in with the local administrator account, open the Computer properties and join this VM to the managed domain. Restart the VM and log in with a user that is a member of the Azure AD AAD DC Administrators group.

In the Server Manager, click Manage and click Add Roles and Features.

Click Next

Select Role-based or feature-based installation and click Next

Click Next

Click Next

Select Group Policy Management and scroll down

Under Remote Server Administration Tools > Role Administration Tools select AD DS and AD LDS Tools.

Click Next

Click Install

After the installation is completed, you can now start tools like Active Directory Users and Computers and Group Policy Management to manage your Azure AD Domain Services managed domain.
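The domain join and the Add Roles and Features steps above can also be scripted inside the management VM. The script below is an added example (not from the original post): phase 1 runs as the local administrator and joins the managed domain, and after the reboot phase 2 runs as an AAD DC Administrators member and installs the same tools for either image choice from the VM wizard, Windows client (RSAT as Features on Demand) or Windows Server (the RSAT-AD-Tools and GPMC features). It also generalises slightly by checking DNS before the join and verifying the tools against the managed domain afterwards. The domain name is an assumed value.

```powershell
# Added example: join the management VM to the managed domain and install the
# management tools. Assumed value (replace with your own):
$domainName = 'aadds.contoso.com'

function Join-ManagedDomain {
    param([Parameter(Mandatory)][string]$DomainName)
    # A join against the public DNS servers fails; confirm this VM already resolves
    # the domain controllers through the VNet DNS servers configured earlier.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    Write-Host "Domain controllers found: $($srv.NameTarget -join ', ')"
    $cred = Get-Credential -Message "Member of AAD DC Administrators ($DomainName)"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
}

function Install-AaddsManagementTools {
    param([Parameter(Mandatory)][string]$DomainName)
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        # Windows 10/11: RSAT is delivered as Features on Demand (1809 and later).
        Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0' | Out-Null
        Add-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0' | Out-Null
    } else {
        # Windows Server: the same selections as the wizard above
        # (AD DS and AD LDS Tools, Group Policy Management).
        Install-WindowsFeature -Name RSAT-AD-Tools, GPMC | Out-Null
    }

    # Verify the tools can talk to the managed domain and that the delegated admin
    # group synchronised from Azure AD is present.
    Import-Module ActiveDirectory
    $domain = Get-ADDomain -Server $DomainName
    Write-Host "Connected to $($domain.DNSRoot); PDC emulator: $($domain.PDCEmulator)"
    Get-ADGroupMember -Identity 'AAD DC Administrators' -Server $DomainName |
        Select-Object Name, SamAccountName
}

# Phase 1, signed in as the local administrator (the VM reboots at the end):
# Join-ManagedDomain -DomainName $domainName
# Phase 2, after the reboot, signed in as an AAD DC Administrators member:
# Install-AaddsManagementTools -DomainName $domainName
```

If `Get-ADGroupMember` returns nothing for AAD DC Administrators, the group membership has not synchronised yet or the account was added to the group before the managed domain finished provisioning; wait for the next sync cycle before trying to join session hosts with it.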

Next steps

Now that Azure AD Domain Services is up and running and you are able to manage it, it’s time to deploy Windows Virtual Desktop itself. See this blog for the step-by-step instructions: https://www.robinhobo.com/how-to-deploy-windows-virtual-desktop-preview-and-publish-a-full-desktop-and-the-microsoft-office-365-proplus-applications/

8 comments

  • Hi Rob
    QQ: could I set up a Win 1016 VM as DC and use it to set up WVD?
    I want to set up a lab to play with WVD but a setup of Azure AD DS will eat all my MSDN $ 🙁 Any tip how to do it?

    • Sure you can, I know exactly what you mean 😉 You can install a VM with the server OS in Azure and install the DC role on it (there are several blogs about it on the internet). Make sure you don’t forget to also configure Azure AD Connect. Good luck.

  • Great article!

    Just been doing our PoC. There seems to be a subtle difference between WVD+AADDS and WVD+ADDS(on-prem)+ADConnect: with WVD+AADDS you have to manually log in to all of the Microsoft apps (OneDrive, Teams, Outlook, Edge) and can't use Windows Hello to connect to the WVD remote desktop.

    I have searched but can't find a workaround/solution to this.

  • Is it feasible to employ AADDS+GPO for dynamically (e.g. based on group membership, individual user share) mapping Azure based file server shares as drives on a pooled WVD much in the same way on-prem workstations use AD+GPO to map on-prem file server shares to an on-prem file server?

    • Sorry – the last part should read “map on-prem workstation drives to on-prem file server shares”

  • Hi Robin,

    So inside of the VM using AAD-DS, is there no Azure Same Sign-On, Connected Identities, connecting of work accounts, etc to get a seamless SSO experience? Is that just not possible today?

    I’m guessing the only way you get it is via ADFS or some other authentication mechanism? Seems like none of the seamless Azure stuff applies. I thought maybe you could leverage the Kerberos with Azure AD-DS for it.

About Robin Hobo

Robin Hobo

I work as a Senior Solution Architect with focus on the Modern Workspace. I am specialized in Azure Virtual Desktop (AVD), Windows 365 and Microsoft EM+S (including Microsoft Endpoint Manager - Microsoft Intune).

For my full bio, check the About Me page.
