I recently visited a customer who wanted a Windows Virtual Desktop PoC. Although it is customary for me to implement a Windows Virtual Desktop PoC within the current production environment and take it into production right after a successful PoC, this customer wanted the PoC to be in a completely separate environment. The customer even wanted to implement this Windows Virtual Desktop PoC in a whole new Azure tenant.
At the time of writing this blog, Windows Virtual Desktop requires an (on-premises) Active Directory or Azure AD Domain Services. So in this case, the fastest way to deploy a Windows Virtual Desktop PoC environment is with Azure AD DS. In this blog I will show you step-by-step how to deploy this.
In this blog
This blog will cover the following topics:
- The environment
- Implementing Azure AD Domain Services (Azure AD DS)
- Update DNS server settings for your virtual network
- Change passwords of existing user accounts
- Create a Virtual Machine for Azure AD DS Management Tools
- Next steps
Before you start, make sure you have the following in place:
- Microsoft 365 (E3/E5/A3/A5/F1/Business), Windows 10 Enterprise (E3/E5), Education (A3/A5), VDA per user (For Windows Client OS) or RDS CAL licenses with active SA (For Server OS)
- Azure Subscription
- Configured Azure Virtual Network with subnet to use for Azure AD DS and WVD Session Hosts
- An externally resolvable domain name (optional)
The environment in which I will install Azure AD DS consists of a new Microsoft Azure tenant with the required licenses and an Azure subscription in place. I have registered a new public domain name and have added the domain to the “Custom domain names” in Azure AD. A custom domain name is optional for Azure AD DS; you can also set up Azure AD DS with a domain name that is not publicly resolvable. An Azure Virtual Network with a subnet is configured within this new tenant. You can also deploy this setup in your existing Azure tenant, for example in an isolated new virtual network, so that it has no impact on the production environment.
Implementing Azure AD Domain Services
For the next steps, log in to the Microsoft Azure Portal with a Global Administrator account.
In the Azure portal click the + Create a resource button and search for Azure AD Domain Services. Click Create.
Select your Azure Subscription and the Resource group (or create a new one, as I will do in this case). Select your DNS domain name; keep in mind that this cannot be changed afterwards. In my case I will use my externally resolvable domain name, but you can also use a .local domain name, for example.
Select your Location and Forest type; in this case, select User.
Click Next – Networking
Select your Virtual network and Subnet and click Next – Administration
Leave everything default and click Next – Synchronization
Azure AD Domain Services is a one-way synchronization from Azure AD to the Azure AD DS managed domain, meaning that Azure AD is leading. You can choose to sync the entire Azure AD, or synchronize based on selected groups. For the Windows Virtual Desktop implementation you need at least one Administrator account within the Azure AD DS managed domain to join the Hostpool session hosts. Therefore, make this account a member of the AAD DC Administrators group. Every user account that is a member of the AAD DC Administrators group will have Domain Admin rights within the Azure AD DS managed domain, so keep the membership of this group as small as possible.
Click Review + create
The Azure AD DS deployment will now be started.
After the deployment is completed you can go to the Azure AD Domain Services blade within the Microsoft Azure Portal. However, right after the deployment, the Managed Domain is still being provisioned. This can take up to 30 to 40 minutes.
Update DNS server settings for your virtual network
Once the Azure AD Domain Services Managed Domain is running you need to configure the new DNS servers in your Azure virtual network.
Open the Azure AD Domain Services blade within the Microsoft Azure portal, on the right you find the Required configuration steps. Click Configure to Update DNS server settings for your virtual network.
The DNS servers will be configured automatically for the virtual network. After the new DNS servers are configured within the virtual network, you need to restart every server within this virtual network so they can start using the new DNS servers.
Change passwords of existing user accounts
Assuming you are using cloud-only user accounts (without Azure AD Sync from a local domain, as in the case described in this blog), you need to reset the password of the existing users that need to authenticate via Azure AD DS, as in this case for Windows Virtual Desktop. The password hashes that Azure AD DS needs for Kerberos and NTLM authentication are only generated when a user changes their password after the managed domain has been created.
Create a VM for Azure AD DS Management Tools
To manage Azure AD Domain Services we need to install the management tools on a Virtual Machine.
Within the Microsoft Azure Portal, go to Virtual Machines and click the + Add button.
Fill in the following information:
- Subscription: Select your Azure subscription
- Resource group: Select a resource group, or create a new one
- Virtual machine name: Any name you like
- Region: Select your Region
- Availability options: Configure if required
- Image: For the management tools you can select either Windows (client) or Windows Server
Select or fill in the following information:
- Size: Select the size of the VM you want
- Username: Fill in a user name for the local administrator account
- Password: Fill in a password of your choice
- Inbound port rules: Configure any inbound ports you want to open
Click Next : Disks
Select the OS disk type you want to use for this virtual machine and click Next : Networking
Select your Virtual network and Subnet and configure any Public inbound ports if desired. Click Review + create
After the deployment is completed, go to the virtual machine and connect to it.
Log in with the local administrator account, open the Computer properties and join this VM to the managed domain. Restart the VM and log in with a user that is a member of the AAD DC Administrators group.
In the Server Manager, click Manage and click Add Roles and Features.
Select Role-based or feature-based installation and click Next
Select Group Policy Management and scroll down
Under Remote Server Administration Tools > Role Administration Tools select AD DS and AD LDS Tools.
After the installation is completed, you can now start tools like Active Directory Users and Computers and Group Policy Management to manage your Azure AD Domain Services managed domain.
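The same management VM steps (DNS check, domain join, installing the management tools and verifying them) done from PowerShell, as an added example that is not part of the original post. The managed domain name, the administrator account name and the choice of a Windows Server image are assumptions; replace the placeholders with your own values.

```powershell
# Added example, not from the original post: run this script on the management
# VM in an elevated PowerShell session, once before and once after the reboot.
$ManagedDomain = 'aadds.example.com'       # placeholder: your Azure AD DS domain name
$DomainAdmin   = "wvdadmin@$ManagedDomain" # placeholder: member of AAD DC Administrators

# Check that the VM already uses the DNS servers of the managed domain: every
# Azure AD DS domain controller registers this SRV record. If the lookup fails,
# the VM has not picked up the new DNS settings yet and needs a restart first.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
"Domain controllers found via DNS: $($srv.NameTarget -join ', ')"

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    # First run: join the managed domain with the AAD DC Administrators account
    # used in the steps above, then reboot.
    $cred = Get-Credential -UserName $DomainAdmin -Message 'AAD DC Administrators account'
    Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart -Force
    return
}

# Second run (after logging on with the AAD DC Administrators account): install
# the same tools as in the Server Manager steps above. A Windows client image
# uses RSAT capabilities instead of server features.
$isClient = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1
if ($isClient) {
    Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    Add-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
} else {
    Install-WindowsFeature -Name GPMC, RSAT-AD-Tools -IncludeAllSubFeature
}

# Verify the tools work against the managed domain and review who holds admin
# rights in it, so the AAD DC Administrators group can be kept minimal.
Import-Module ActiveDirectory
Get-ADDomain -Identity $ManagedDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
Get-ADGroupMember -Identity 'AAD DC Administrators' | Select-Object Name, SamAccountName
```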
Now that Azure AD Domain Services is up and running and you are able to manage it, it’s time to deploy Windows Virtual Desktop itself. See this blog for the step-by-step instructions: https://www.robinhobo.com/how-to-deploy-windows-virtual-desktop-preview-and-publish-a-full-desktop-and-the-microsoft-office-365-proplus-applications/