If your environment is cloud-only (it has only Azure AD and no on-premises Active Directory synced via Azure AD Connect), or you do not want to connect your on-premises domain to Azure via a VPN, Azure AD DS is a service that provides the Active Directory component required by Azure Virtual Desktop.
- IMPORTANT: When using Azure AD DS with a cloud-only environment, all of your AVD users must reset their passwords before they can use AVD. This is because the users' password hashes must be regenerated in a format compatible with AD DS (traditional AD). See the MS Doc for details.
- The lowest tier of Azure AD DS is "Standard". This tier's retail cost is a fixed rate of ~$110/mo (as of January 2021; prices may vary). Generally this tier covers most environments, which are under 25,000 AD objects and 3,000 authentications/hour. More pricing details can be found here.
- You are not given Domain Admin rights over the managed domain. However, you are given all of the necessary management rights: joining machines to the domain, editing GPOs and OUs, etc.
- Azure AD DS is a one-way sync. Changes made directly in the managed domain are not synced back to your Azure AD. Changes such as adding users, GPOs, OUs, etc. are persistent; however, if the Azure AD DS instance is deleted, they will be lost. As such, it is recommended to avoid domain-scope alterations and to use registry keys or local group policy settings directly on the desktop images or session hosts when possible. Keep a record of any changes you do make to the managed domain.
- If domain-level changes must be made, such as adding GPOs or OUs, a "management VM" with the RSAT tools installed must be created to edit the domain. See here for details: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm
- Azure AD DS can NOT be moved to another resource group or subscription. It must be deleted and recreated. Keep this in mind if you are using a temporary RG or subscription for POC purposes.
- The Domain name can NOT be changed. If you are building a POC and wish to use a temporary domain name, you will need to delete and recreate the domain.
Azure AD DS Design Principles
Azure AD DS is a way to provide domain services such as LDAP, Kerberos / NTLM, domain join, and group policy to the other Azure resources that require them. It takes your "cloud-only" Azure AD and presents it as if it were a "traditional" or "on-prem" Active Directory to VMs and apps in Azure. It can be thought of as "Active Directory-as-a-service". Since AVD requires a "traditional" AD as part of its design, using Azure AD DS is the optimal solution for those with cloud-only environments.
Below is a diagram of an example setup for Azure AD DS.
- The subnet that Azure AD DS uses for its endpoints must be separate from your other subnets. It can ONLY contain Azure AD DS endpoints. Do NOT attempt to add VMs to this subnet. It is recommended not to link this subnet to your Nerdio environment in the Settings section.
- You must set the DNS settings on your virtual network to point to the Azure AD DS endpoints so that your VMs can resolve the domain.
- Azure AD DS is a resource object. It can be placed in a resource group and likewise deleted. It is recommended to set a resource "lock" to prevent accidental deletion of this resource.
Create an Azure AD DS Domain
It is recommended to follow the Microsoft Guide for creation of the environment: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
Tip: Keep in mind that you will want a separate subnet for your session hosts. For better organization, before creating your Azure AD DS instance, you can create the VNet with two subnets like so (substitute the IP ranges and names as desired):
And at the "networking" settings tab, specify the VNet and subnet you had previously created:
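The following Az PowerShell script is an added example, not part of this article or of Nerdio Manager, that scripts the design principles above (dedicated Azure AD DS subnet, VNet DNS pointed at the managed domain's endpoints, and a delete lock) together with the two-subnet VNet from the tip. It assumes an authenticated Az session; the resource group, VNet, subnet names, address ranges and domain name are placeholders, and reading the domain-controller IPs via the Az.ADDomainServices module is an assumption (the IPs can also be copied from the portal).

```powershell
# Added example (not from the article). Assumes Connect-AzAccount has already run.
# All names, address ranges and the domain name below are placeholders.
$rg       = 'rg-avd-poc'          # placeholder resource group
$location = 'eastus'
$vnetName = 'vnet-avd'
$domain   = 'aadds.example.com'   # placeholder managed domain name; cannot be renamed later

# 1. VNet with two subnets: one dedicated to the Azure AD DS endpoints
#    (nothing else may be placed in it) and one for the AVD session hosts.
$aaddsSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-aadds'     -AddressPrefix '10.10.0.0/24'
$hostsSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-avd-hosts' -AddressPrefix '10.10.1.0/24'
New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $aaddsSubnet, $hostsSubnet | Out-Null

# --- Deploy Azure AD DS into 'snet-aadds' at this point, following the Microsoft tutorial. ---

# 2. After the managed domain is provisioned, read its domain-controller IPs and set them
#    as the VNet's DNS servers so the session hosts can resolve the domain.
#    Assumption: Az.ADDomainServices module; the ReplicaSet objects expose DomainControllerIPAddress.
$aadds = Get-AzADDomainService -Name $domain -ResourceGroupName $rg
$dcIps = @($aadds.ReplicaSet | ForEach-Object { $_.DomainControllerIPAddress })
if ($dcIps.Count -eq 0) { throw "No domain-controller IPs found yet; is the managed domain fully provisioned?" }

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not $vnet.DhcpOptions) {
    # DhcpOptions is absent when no custom DNS has ever been set on the VNet.
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcIps
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Lock the managed domain against accidental deletion: deleting it destroys every
#    GPO/OU/user change made directly in the domain, since the sync is one-way.
New-AzResourceLock -LockName 'lock-aadds-nodelete' -LockLevel CanNotDelete `
    -ResourceName $domain -ResourceType 'Microsoft.AAD/domainServices' `
    -ResourceGroupName $rg -Force | Out-Null
```

Existing VMs in the VNet only pick up the new DNS servers after a restart or an IP renew, so run step 2 before building session hosts where possible.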
Settings Specific to Nerdio Manager
Once Azure AD DS is up and running, the main consideration, as far as Nerdio Manager is concerned, is to ensure that the option under Settings -> Azure Environment -> "Display non-AD Synced Users:" is set to Enabled.
This allows you to assign cloud-only users within Nerdio. Without this setting, those users will not show up in the NMW web portal for assignments or roles.
Keywords: Azure ADDS ADDS AzADDS cloud-only cloud only active directory domain services sync deploy how to guide tutorial setup