Forum Discussion

SamirAbdou1999's avatar
SamirAbdou1999
Brass Contributor
Oct 09, 2020

Azure AD Connect & WVD

Hey all 

 

Im setting up WVD (Windows Virtual Desktop) for a client. 

From what ive read on docs i either need Azure AD Connect (with my on premise enviorment) or Azure AD Domain Services.

 

Im going with the first one Azure AD Connect.

I have synced over users in a demo enviroment and it worked out fine.

But when it comes to adding a host pool to WVD it asks me to write "AD Domain join UPN" 

 

I'm a bit confused rather they ask me for my global admin account in Office365,

or AD Administrator Account onpremise? Or maybe even if they should be synced (merged) as one account?

 

 

 

Help is appreciated, Thanks!

 

  • SamirAbdou1999's avatar
    SamirAbdou1999
    Oct 10, 2020

    I managed to fix this myself.

     

    I want to share the issue and what solution worked for me, and also give a big thanks to all the people that had engagement in this thread.

     

    my on prem AD had the same domain name as my Azure AD tenant.

    Also, my on prem AD join user had the same UPN as one of my Office365 users (which is a part of Azure AD Tenant)

     

    So I suppose wvd deployment was trying to authenticate with the wrong catalog, and since I don't have Azure ADDS deployed it failed.

     

    Hope someone troubleshooting this same issue will find this thread. 

  • -Akos-'s avatar
    -Akos-
    Brass Contributor

    Hi SamirAbdou1999 

     

    You join your newly built VMs to a Windows Active Directory. That is the ad domain join credential, just like you would add a new machine to your on-premises domain. But! Your Windows Active Directory servers need to be able to reach the virtual network that the WVD VMs live in. So:

     

    - Either you have set up AADDS, and those instances give you two IPs (which you have to add as DNS servers in your VNet)

     

    - Or you have your on-premises domain controllers connected to Azure via VPN or express route. Preferably also you have set up two domain controllers in Azure and sync them with your on-premises domain controllers. Next to this, there needs to be an AD connect, so that your accounts are also in Azure AD. Then you add the IPs of your on-premises (or Azure replicated) IP addresses to your DNS in the VNet.

     

    Once you've set up those prerequisites, you can add the hostpool VMs to your domain, using your on-premises credentials.

     

    An end user will first log on with the Azure AD credentials, then log on a second time using their on-premises credentials.

    • SamirAbdou1999's avatar
      SamirAbdou1999
      Brass Contributor

      -Akos- 

       

      I'm super thankful for your response, and maybe I forgot to add the fact that I already have established an IP SEC tunnel and even have an VM in Azure running that is already connected to my on-premise domain (Which I joined manually )

      - So with that said, I have the right DNS settings in my sub-network.

       

      Still getting an error when creating the host pool.

       

      But for clarification 

      I'm going to use my local AD Administrator account, but doesn't this account need to be synced to Azure AD then?

       

      I watched Travis Robert's youtube video 

      https://www.youtube.com/watch?v=rnLdQSWUi4w&t=817s

      And he said that the account needs to be sourced from Azure AD and not from Windows AD.

       

       

       

      • -Akos-'s avatar
        -Akos-
        Brass Contributor

        SamirAbdou1999 Be careful about the info you get from youtube videos, the fall edition of WVD is not the same as the spring update of WVD, but that screenshot in the first post you showed is where you come to the part where you tell to add the machines to the domain, and I'm 100% sure you should be using an on-premises account (in the form of a upn, so something like wvdadmin@youronpremisesdomain.internal). Should that account be joined? I'm not sure, but the demo I got this morning from a colleague had that account synced (she showed me a setup with AADDS, so that naturally is joined), but it just needs to be the account to join to the domain.

         

        However, your second screenshot I saw something with "vmcreation-LinkedTemplate" in the name.. Are you using ARM templates? I've heard of issues before regarding domain joining and those nested ARM templates that are provided by Microsoft.

         

        A quick search gave me something from Azure Academy https://www.youtube.com/watch?v=DrkQFSVD9Ik from which I know who is heavily into WVD at the moment. There may be some info in there too.

         

  • SamirAbdou1999 

    The Domain Join account does not need to by synced with AD Connect.  The domain administrator account is a protected account and not replicated by default.  I’ve used domain admin accounts many times to join session hosts.

     

    Be sure to set the VNet DNS servers to your DC, or domain DNS if they are different.  Also, if you have deployed session hosts with the same prefix in the past, you may need to delete the old session hosts from AD or reset the computer account.    They can’t join the domain if there are existing computer accounts with the same name.

     

    I have a new version of that video, link in the Fall 2019 version comments.  There were some registrations that required an Azure AD global admin account for that version.  Now that WVD is ARM, that’s not needed.

     

    For the second host pool error with “Changing  property ‘adminUsername’, did you use the back button after the failed deployment and update the domain join account?  If so, it looks like you will need to start the deployment over without going back.

    -Travis

    • SamirAbdou1999's avatar
      SamirAbdou1999
      Brass Contributor

      I'm Super thankful for your respons TravisRoberts 

       

      DNS Settings on VNET are costum and this is the IP of the Domain Controller that is on premise.

       

      Note that if I create a new VM in Azure within this VNET I can manually (within windows) join the domain without any problem what so ever.

      It is just when I try to do it from the WVD Deployment Portal.

       

      I have tried different prefix names just in case of that reason also.

       

      You mention that the administrator account does not need to be synced to azure ad. Sure. 
      But, Do i need Azure AD Connect at all at this point then?
      As I said earlier in this thread, I have ONLY synced a few users that will use this

       

      • SamirAbdou1999's avatar
        SamirAbdou1999
        Brass Contributor

        I managed to fix this myself.

         

        I want to share the issue and what solution worked for me, and also give a big thanks to all the people that had engagement in this thread.

         

        my on prem AD had the same domain name as my Azure AD tenant.

        Also, my on prem AD join user had the same UPN as one of my Office365 users (which is a part of Azure AD Tenant)

         

        So I suppose wvd deployment was trying to authenticate with the wrong catalog, and since I don't have Azure ADDS deployed it failed.

         

        Hope someone troubleshooting this same issue will find this thread. 

Resources