Robin Hobo

How to implement and manage Azure AD Domain Services (Azure AD DS) for a fast Windows Virtual Desktop (WVD) PoC deployment

I recently visited a customer who wanted a Windows Virtual Desktop PoC. Although it is customary for me to implement a Windows Virtual Desktop PoC within the current production environment and take it into production right after a successful PoC, this customer wanted the PoC in a completely separate environment. The customer even wanted to implement this Windows Virtual Desktop PoC in a whole new Azure tenant.

At the moment of writing this blog, Windows Virtual Desktop requires an (on-premises) Active Directory or Azure AD Domain Services. So in this case, the fastest way to deploy a Windows Virtual Desktop PoC environment is with Azure AD DS. In this blog I will show you step-by-step how to deploy this.

In this blog

This blog will cover the following topics:


Before you start, make sure you have the following in place:

The environment

The environment in which I will install Azure AD DS consists of a new Microsoft Azure tenant with the required licenses and an Azure subscription in place. I have registered a new public domain name and added it under "Custom domain names" in Azure AD. A custom domain name is optional for Azure AD DS; you can also set up Azure AD DS with a domain name that is not publicly resolvable. An Azure virtual network with a subnet is configured within this new tenant. You can build the same setup in your existing Azure tenant, for example in a new, isolated virtual network so that it has no impact on the production environment.


Implementing Azure AD Domain Services

For the next steps, log in to the Microsoft Azure portal with a Global Administrator account (creating the managed domain also requires Contributor rights on the subscription).

In the Azure portal click the + Create a resource button and search for Azure AD Domain Services. Click Create.

Select your Azure Subscription and the Resource group (or create a new one, as I will do in this case). Select your DNS domain name, keeping in mind that it cannot be changed afterwards. In my case I will use my externally resolvable domain name, but you can also use a non-public name such as aadds.contoso.com. Microsoft advises against .local names because that suffix is used by multicast DNS, which can make name resolution unreliable from some clients.

Select your Location and Forest type; in this case select User. A user forest synchronizes the Azure AD users and groups into the managed domain, which is what Windows Virtual Desktop needs. The Resource forest option is meant for a trust with an on-premises AD and is not needed here.

Click Next – Networking

Select your Virtual network and Subnet and click Next – Administration

Leave everything default and click Next – Synchronization

Azure AD Domain Services is a one-way synchronization from Azure AD to the Azure AD DS managed domain, meaning that Azure AD is leading: objects are created and changed in Azure AD, and the managed domain only receives them. You can choose to sync the entire Azure AD, or synchronize based on selected groups. For the Windows Virtual Desktop implementation you need at least one account within the Azure AD DS managed domain that can join the Hostpool session hosts to the domain. Therefore, make this account a member of the AAD DC Administrators group (the group is created automatically when Azure AD DS is deployed). Every user account that is a member of the AAD DC Administrators group gets delegated administrative rights within the managed domain: joining computers, managing Group Policy and DNS, and administering custom OUs. Note that these are not Domain Admins or Enterprise Admins rights; in a managed domain nobody gets those, so keep this group small, as its members can change Group Policy for every session host.

Click Review + create

Click Create

Click OK

The Azure AD DS deployment will now be started.

After the deployment is completed you can go to the Azure AD Domain Services blade within the Microsoft Azure Portal. However, right after the deployment, the Managed Domain is still being provisioned. This can take up to 30 to 40 minutes.

Update DNS server settings for your virtual network

Once the Azure AD Domain Services Managed Domain is running you need to configure the new DNS servers in your Azure virtual network.

Open the Azure AD Domain Services blade within the Microsoft Azure portal, on the right you find the Required configuration steps. Click Configure to Update DNS server settings for your virtual network.

The DNS servers will be configured automatically for the virtual network. Because the DNS server list is handed out through the Azure DHCP lease, every VM that already exists in this virtual network needs to pick up the change before it can resolve the managed domain: either restart the VM, or renew its lease (ipconfig /renew on Windows) and check with Get-DnsClientServerAddress that the two Azure AD DS addresses are now in use.
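The following script is an added example, not part of the original post, that checks from inside the virtual network whether the DNS change described above has actually landed. It renews the DHCP lease, resolves the managed domain and its _ldap SRV records (the records that domain join and Kerberos depend on), and then probes the ports a session host needs to reach on the domain controllers. The domain name is an assumption; replace it with your own. Run it in an elevated PowerShell session on a VM in the same virtual network.

```powershell
# Added example (not from the original post): verify that a VM in the virtual
# network uses the Azure AD DS DNS servers and can locate the managed domain.
# $ManagedDomain is an assumption; replace it with your own managed domain name.
$ManagedDomain = "corp.example.com"

# 1. Pick up the new VNet DNS settings. A reboot works too, but renewing the
#    DHCP lease is enough for the NIC to receive the updated DNS server list.
ipconfig /renew | Out-Null
"DNS servers now in use:"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. The domain name itself must resolve to the managed domain controllers.
$dcAddresses = (Resolve-DnsName -Name $ManagedDomain -Type A -ErrorAction Stop).IPAddress
"Managed domain $ManagedDomain resolves to: $($dcAddresses -join ', ')"

# 3. Domain join and Kerberos rely on SRV records that only the managed domain's
#    DNS servers serve. If this lookup fails, this VM is still using the old DNS
#    servers (or the VNet DNS settings were never updated).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction Stop
"Domain controller SRV records:"
$srv | Where-Object { $_.Type -eq 'SRV' } | Format-Table NameTarget, Port, Priority -AutoSize

# 4. The network security group on the Azure AD DS subnet must allow the
#    domain-join and authentication ports from the session hosts' subnet.
#    A BLOCKED result here means an NSG or firewall rule, not a DNS problem.
$ports = [ordered]@{ Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445; LDAPS = 636 }
foreach ($dc in $dcAddresses) {
    foreach ($name in $ports.Keys) {
        $result = Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue
        $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        "{0,-15} {1,-9} {2,5}  {3}" -f $dc, $name, $ports[$name], $state
    }
}

# 5. Ask the Netlogon locator for a domain controller; this exercises the same
#    DNS and LDAP path that the domain join in the next steps will use.
nltest /dsgetdc:$ManagedDomain
```

If step 3 fails while step 2 succeeds, the VM is resolving the name through a public DNS server (the custom domain is publicly registered in this post) rather than through the managed domain's DNS servers; that is exactly the situation the lease renewal or restart is meant to fix.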

Change passwords of existing user accounts

Assuming you are using cloud-only user accounts (without Azure AD Connect synchronization from a local domain, as in the case described in this blog), you need to reset the password of every existing user that must authenticate via Azure AD DS, such as the Windows Virtual Desktop users and the AAD DC Administrators account. The reason is that the managed domain needs NTLM and Kerberos password hashes, and Azure AD only generates those when a password is changed after Azure AD DS has been enabled. Users created after the deployment are fine; any user that existed before it will fail to sign in to the managed domain until the password is changed, either by the user or by an administrator-initiated reset.
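The script below is an added example and not part of the original post. It does the two account-preparation steps from this post in one go: it makes the Windows Virtual Desktop administrator a member of the AAD DC Administrators group, and it forces a password reset so that the password hashes the managed domain needs get generated. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and must be run by a Global Administrator. The user principal name is an assumption; replace it with your own account.

```powershell
# Added example (not from the original post): prepare the Azure AD account that
# will administer the managed domain. Requires the Microsoft.Graph module and a
# signed-in Global Administrator. $AdminUpn is an assumption; replace it.
$AdminUpn = "wvdadmin@example.com"

# Directory.AccessAsUser.All is required to update passwordProfile through Graph;
# GroupMember.ReadWrite.All covers reading and changing the group membership.
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.ReadWrite.All", "Directory.AccessAsUser.All"

# The AAD DC Administrators group is created automatically when Azure AD DS is
# deployed. Members get delegated administration of the managed domain (domain
# join, Group Policy, DNS, custom OUs); they are not Domain Admins.
$group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
if (-not $group) { throw "AAD DC Administrators group not found; has Azure AD DS been deployed yet?" }
$user = Get-MgUser -UserId $AdminUpn

$isMember = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $user.Id }
if ($isMember) {
    "$AdminUpn is already a member of AAD DC Administrators"
} else {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    "Added $AdminUpn to AAD DC Administrators"
}

# Cloud-only accounts that existed before Azure AD DS was enabled have no NTLM or
# Kerberos password hashes in the managed domain until their password changes.
# Prompt for a temporary password instead of storing one in the script, and
# force the user to pick a new one at next sign-in.
$secure = Read-Host -Prompt "Temporary password for $AdminUpn" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $plain
    ForceChangePasswordNextSignIn = $true
}
Remove-Variable plain
"Password reset issued for $AdminUpn; the managed domain receives the new hashes once the password change has synchronized."

Disconnect-MgGraph | Out-Null
```

Run the same reset loop over the users who will sign in to Windows Virtual Desktop; the AAD DC Administrators membership is only needed for the account that joins the session hosts and manages the domain.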

Create a VM for Azure AD DS Management Tools

To manage Azure AD Domain Services we need to install the management Tools on a Virtual Machine.

Within the Microsoft Azure Portal, go to Virtual Machines and click the + Add button.

Fill in the following information:

Subscription : Select your Azure subscription
Resource group : Select a resource group, or create a new one
Virtual machine name : Any name you like
Region : Select your Region
Availability options : Configure if required
Image : For the management tools you can select either Windows (client) or Windows Server

Scroll down

Select or fill in the following information:

Size : Select the size of the VM you want
Username : Fill in a user name for the local administrator account
Password : Fill in a password of your choice
Inbound port rules : Configure any inbound ports you want to open

Click Next : Disks

Select the OS disk type you want to use for this virtual machine and click Next : Networking

Select your Virtual network and Subnet and configure any Public inbound ports if desired. For a management VM it is best not to expose RDP (TCP 3389) to the internet at all; connect through Azure Bastion, use just-in-time VM access, or at least restrict the source to your own public IP address. Click Review + create

Click Create

After the deployment is completed, go to the virtual machine and connect to it.

Log in with the local administrator account, open the Computer properties and join this VM to the managed domain. When prompted, enter the credentials of a managed-domain user in UPN form (user@yourdomain), for example the account you made a member of AAD DC Administrators. Restart the VM and log in with a user that is a member of the AAD DC Administrators group.

In Server Manager (on a Windows Server image; on a Windows client image, install the RSAT optional features instead), click Manage and click Add Roles and Features.

Click Next

Select Role-based or feature-based installation and click Next

Click Next

Click Next

Select Group Policy Management and scroll down

Under Remote Server Administration Tools > Role Administration Tools select AD DS and AD LDS Tools.

Click Next

Click Install

After the installation is completed, you now can start tools like Active Directory Users and Computers and Group Policy Management to manage your Azure AD Domain Services managed domain.
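The script below is an added example, not part of the original post. It performs the domain join and the RSAT installation from this section in PowerShell instead of the GUI, handles both Windows client and Windows Server images, and finishes with a check that the tools actually talk to the managed domain. The domain name is an assumption; replace it with your own.

```powershell
# Added example (not from the original post): join the management VM to the
# managed domain and install the RSAT components the wizard selects.
# $ManagedDomain is an assumption; replace it with your own managed domain name.
$ManagedDomain = "corp.example.com"

function Join-ManagedDomain {
    # Phase 1: run as the local administrator. The account used for the join
    # must be a managed-domain user (a member of AAD DC Administrators works);
    # use the UPN form user@domain rather than DOMAIN\user.
    param([string]$DomainName = $ManagedDomain)
    $cred = Get-Credential -Message "Managed domain account used to join the VM"
    # Fail fast if the VM still uses the old DNS servers: without this SRV record
    # Add-Computer reports that the domain could not be contacted.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop | Out-Null
    Add-Computer -DomainName $DomainName -Credential $cred -Force -Restart
}

function Install-ManagementTools {
    # Phase 2: run after the reboot, signed in as a member of AAD DC Administrators.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.ProductType -eq 1) {
        # Windows 10/11 client: RSAT is delivered as Features on Demand.
        Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
        Add-WindowsCapability -Online -Name 'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
    } else {
        # Windows Server: 'AD DS and AD LDS Tools' is RSAT-AD-Tools; GPMC is Group Policy Management.
        Install-WindowsFeature -Name RSAT-AD-Tools, GPMC
    }
}

function Test-ManagedDomain {
    # Phase 3: confirm the tools work and show what you are allowed to manage.
    # In a managed domain the synchronized users and groups (AAD DC Users OU) are
    # read-only; computer objects in AAD DC Computers and any custom OUs you
    # create are writable.
    param([string]$DomainName = $ManagedDomain)
    Import-Module ActiveDirectory
    $domain = Get-ADDomain -Server $DomainName
    "Joined domain: $($domain.DNSRoot) (NetBIOS name $($domain.NetBIOSName))"
    "Delegated administrators:"
    Get-ADGroupMember -Identity 'AAD DC Administrators' -Server $DomainName |
        Select-Object Name, SamAccountName | Format-Table -AutoSize
    "Organizational units:"
    Get-ADOrganizationalUnit -Filter * -Server $DomainName |
        Select-Object -ExpandProperty DistinguishedName
}

# Usage: dot-source this file, run Join-ManagedDomain, wait for the reboot, then
# sign in as the delegated administrator and run Install-ManagementTools followed
# by Test-ManagedDomain.
```

The SRV check in Join-ManagedDomain is the most useful line for a PoC: nearly every failed join against Azure AD DS comes down to the VM still resolving names through the Azure-provided DNS rather than the managed domain's DNS servers.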

Next steps

Now that Azure AD Domain Services is up and running and you are able to manage it, it's time to deploy Windows Virtual Desktop itself. See this blog for the step-by-step instructions:
