Forum Discussion

bhushangawale
Brass Contributor
May 04, 2020

WVD setup with Azure AD DS and Multiple Custom Domains

Hello everyone, we need some guidance and views on a WVD setup that we are thinking of provisioning:

  • The Azure subscription's Azure AD has multiple verified custom domains, e.g. alpha.com, beta.com, gamma.com
  • Because of the multiple custom domains, the same Azure AD contains users with different domain names, e.g. xyz@alpha.com, pqr@beta.com, abc@gamma.com
  • An Azure AD Domain Services resource is provisioned with the domain name alpha.com
  • Host pool machines are joined to the alpha.com domain
  • Users from alpha.com are assigned to Desktop and App groups
  • The WVD setup seems to work fine so far and users have access to the relevant app groups.

Now with this, would we need to take care of anything specific if we want to provide access to application or desktop app groups in the same WVD setup to beta.com and gamma.com domain users?

Would this setup be recommended for use in production? If not, what are the best practices around it when the WVD setup is using Azure AD Domain Services and Azure AD has multiple custom domains associated with it?

 

Thanks in advance.


  • bhushangawale I have a somewhat similar setup (2 different domain names in one DC, syncing to Azure AD and from there to Azure AD DS). Generally I have not seen issues with users connecting (regardless of the domain name in their UPN).

    I am wondering why Azure AD DS is needed in this scenario? Due to no DC in Azure and no ExpressRoute to on-prem?

  • bhushangawale 

    Multiple Custom Domains is different from Azure AD Domain Services. Custom domains are DNS domain names that you have associated with your Azure tenant. Azure AD Domain Services is an Active Directory domain name hosted for you by Microsoft. It provides legacy authentication like LDAP, Kerberos, and NTLM. It also provides domain join capabilities (not Azure AD Join) that are common with on-premises Active Directories. The users created in the managed domain (Azure AD Domain Services) arrive through a one-way synchronization from Azure AD. All the users and groups in your tenant are synced in the managed domain and have the same user principal name as they do in Azure. So, it doesn't matter if they are from alpha, beta, or gamma domains. If the user has been created in your Azure AD Tenant (cloud user) or synced from your on-premises domains and forests through AAD Connect, then the user can authenticate to the managed domain (you just need to ensure those users have RDP access to the virtual machines or WVD sessions).

     

    Hope that helps

    Mike Stephens

    Senior Program Manager

    Azure Identity

    IAM Core | Domain Services

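    The two conditions in the answer above (the user was synced into the managed domain with the same UPN, and the user is allowed to RDP to the session host) can be checked from the host itself. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes a session host joined to the managed domain with the RSAT ActiveDirectory module installed, and the UPN suffixes are taken from the question, so replace them with your own.

```powershell
# Added example (not from the thread): run on a session host joined to the
# managed domain to confirm that users from every verified custom-domain UPN
# suffix were synced into Azure AD DS and are permitted to RDP to this host.
Import-Module ActiveDirectory

# Assumed suffixes from the question; substitute your own verified domains.
$suffixes = @('alpha.com', 'beta.com', 'gamma.com')

# NetBIOS name of the managed domain, used to build DOMAIN\account strings
# in the same form Get-LocalGroupMember reports them.
$netbios = (Get-ADDomain).NetBIOSName

# Local group that controls RDP logon on this host. Users must be here
# directly or through a domain group that is a member.
$rdpMembers = Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object -ExpandProperty Name

foreach ($suffix in $suffixes) {
    # The one-way Azure AD -> Azure AD DS sync preserves the UPN, so the
    # suffix is still the search key inside the managed domain.
    $users = @(Get-ADUser -Filter "UserPrincipalName -like '*@$suffix'" `
                          -Properties UserPrincipalName, Enabled)
    Write-Host ('{0}: {1} synced user(s)' -f $suffix, $users.Count)

    foreach ($u in $users) {
        $account = "$netbios\$($u.SamAccountName)"

        # Domain groups the user belongs to, in DOMAIN\group form, so that
        # membership through a group in Remote Desktop Users is also counted.
        $groups = Get-ADPrincipalGroupMembership -Identity $u.SamAccountName |
            ForEach-Object { "$netbios\$($_.SamAccountName)" }

        $direct  = $rdpMembers -contains $account
        $viaGroup = @($groups | Where-Object { $rdpMembers -contains $_ }).Count -gt 0

        '{0,-35} enabled={1,-5} rdpAllowed={2}' -f $u.UserPrincipalName,
                                                  $u.Enabled,
                                                  ($direct -or $viaGroup)
    }
}
```

    A suffix that reports zero synced users points at the Azure AD to Azure AD DS sync rather than at WVD; a user that is present but shows rdpAllowed=False has not been granted logon on the host, which is the second condition the answer calls out.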

    • Vincent Szabang
      Copper Contributor

      Mike Stephens, I fully understand what you are saying but for me, it just does not work.
      I have the setup as described, multiple domains (a.com, b.com and c.com) in Azure and Azure AD Domain Services (with only the domain "a.com" in there).

      The VMs are joined to a.com and users with a sign-in name in Azure with @a.com can work just fine; however, users with @b.com or @c.com can sign on to WVD but, when they get the second (RDP) authentication prompt, they cannot sign in, no matter what they try (entering UPN, SAM account name, domain\username, etc.).
      When I look at the groups on the VM, the users are in there and are allowed to RDP into the machine.
      Anything I can check?


      • Vincent Szabang
        Copper Contributor

        Mike Stephens, hmm, I just figured out it does work after a password reset in Azure.
        I have now entered a more complex password.

        Could it be that the password complexity policy of AAD DS was not met? Is there even one set as default?
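The password reset working is consistent with how Azure AD DS authenticates: NTLM and Kerberos logons at the RDP prompt use legacy password hashes that Azure AD only generates when a password is changed after the managed domain exists, so a cloud user created earlier cannot complete that second logon until they change their password once. The managed domain also enforces a default password policy and may carry fine-grained policies. The PowerShell below is an added example, not from the thread or from Microsoft; it assumes a domain-joined host with the RSAT ActiveDirectory module, and the sample UPN is a placeholder.

```powershell
# Added example (not from the thread): list the password policies in effect in
# the managed domain and the one that resolves for a given user, so a failed
# second (RDP) logon can be compared against the real requirements.
Import-Module ActiveDirectory

$domain = Get-ADDomain

'Domain-wide default policy for {0}:' -f $domain.DNSRoot
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration

'Fine-grained policies (lowest Precedence value wins):'
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  LockoutThreshold, AppliesTo

# Resolve the effective policy for one user. Placeholder UPN; replace it.
$upn  = 'someone@b.com'
$user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties PasswordLastSet

if (-not $user) {
    'User {0} is not present in the managed domain; check the Azure AD sync first.' -f $upn
}
else {
    # PasswordLastSet shows whether the password was changed after the managed
    # domain was created, which is when usable legacy hashes become available.
    'PasswordLastSet for {0}: {1}' -f $upn, $user.PasswordLastSet

    $effective = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($effective) {
        $effective | Select-Object Name, MinPasswordLength, ComplexityEnabled, LockoutThreshold
    }
    else {
        'No fine-grained policy applies to this user; the domain default above is in effect.'
    }
}
```

Compare the reported minimum length and complexity flag against what the user actually set; a PasswordLastSet date earlier than the managed domain's creation is the stronger signal, since in that case no password meeting the policy will work until the user changes it.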
