SOLVED
Home

[Announcement] Connectivity issues from synchronized users to VMs joined to AAD DS

%3CLINGO-SUB%20id%3D%22lingo-sub-759642%22%20slang%3D%22en-US%22%3E%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-759642%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%20thanks%20for%20the%20continued%20testing%20of%20WVD.%20We%E2%80%99ve%20seen%20multiple%20connection%20errors%20with%20UPN%20when%20connecting%20to%20VMs%20joined%20to%20Azure%20AD%20Domain%20Services.%20We%E2%80%99ve%20done%20some%20preliminary%20investigations%20and%20figured%20out%20which%20scenarios%20are%20currently%20affected%20and%20which%20scenarios%20should%20continue%20to%20work.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWorks%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ELogging%20into%20VM%20joined%20to%20Azure%20AD%20DS%20instance%20with%20Azure%20AD%20user%20sourced%20from%3CSTRONG%3EAzure%20Active%20Directory%20%3C%2FSTRONG%3E(aka%2C%20%3CSTRONG%3ENew%20user%3C%2FSTRONG%3Ecreated%20just%20in%20Azure%20AD).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDoes%20not%20work%20(and%20investigating%20fix)%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ELogging%20into%20VM%20connected%20to%20Azure%20AD%20DS%20with%20Azure%20AD%20user%20sourced%20from%3CSTRONG%3EWindows%20Server%20AD%20%3C%2FSTRONG%3E(aka%2C%20synchronized%20to%20Azure%20AD%20through%20Azure%20AD%20Connect).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20will%20see%20an%20error%20in%20the%20Diagnostics%20similar%20to%20below%3A%3C%2FP%3E%0A%3CP%3EErrorSource%20%3A%20RDBroker%3CBR%20%2F%3EErrorOperation%20%3A%20OrchestrateSessionHost%3CBR%20%2F%3EErrorCode%20%3A%20-2146233088%3CBR%20%2F%3EErrorCodeSymbolic%20%3A%20ConnectionFailedUserSIDInformationMismatch%3CBR%20%2F%3EErrorMessage%20%3A%20OrchestrateAsync%3A%20SID%20value%20in%20the%20database%20is%20different%20than%20the%20value%20returned%20in%20the%3CBR%20%2F%3Eorchestration%20reply%20from%20the%20agent%20for%20user%20%E2%89%A4%3CA%20href%3D%22mailto%3Auser1%40contoso.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Euser1%40contoso.com%3C%2FA%3E%E2%89%A5%20with%20Id%3CBR%20%2F%3E54a45a4c-41ad-4374-5e41-08d6e4d9acde.%20This%20scenario%20is%20not%20supported%20-%20we%20will%20not%20be%20able%20to%3CBR%20%2F%3Eredirect%20the%20user%20session.%3CBR%20%2F%3EErrorInternal%20%3A%20False%3CBR%20%2F%3EReportedBy%20%3A%20RDGateway%3CBR%20%2F%3ETime%20%3A%207%2F16%2F2019%203%3A17%3A24%20PM%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWorkaround%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIf%20your%20setup%20matches%20the%20description%20but%20you%20would%20still%20like%20to%20test%2C%20we%20suggest%20creating%20cloud%20users%20in%20Azure%20Active%20Directory%20for%20the%20time%20being.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EResolution%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ENo%20current%20ETA%2C%20but%20working%20towards%20a%20fix.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EHow%20to%20check%20where%20your%20user%20is%20sourced%20from%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EYou%20can%20navigate%20to%20the%20Azure%20AD%20portal%20or%20the%20Azure%20Active%20Directory%20blade%20in%20the%20Azure%20portal%2C%20then%20go%20to%20users%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F123570i33DB7E0421078641%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22aaduser.PNG%22%20title%3D%22aaduser.PNG%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ELocate%20where%20the%20Azure%20AD%20user%20is%20sourced.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-762578%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-762578%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%20before%20the%20post%20that%20Cloud%20ID%20only%20is%20working%20but%20that%20is%20not%20valid%20for%20our%20production%20POC%3C%2FP%3E%3CP%3Ei%20been%20testing%20with%20cloud%20ID%20only%20and%20that%20works%20%2C%20further%20more%20the%20issue%20with%20synced%20account%2C%20it%20looks%20like%20recently%20(because%20this%20was%20working%20before)%20you%20doing%26nbsp%3B%20SID%20check%20between%20the%20azure%20synced%20account%20and%20the%20account%20in%20azure%20DS%20and%20that%20will%20not%20match.%20i'm%20wondering%20if%20the%20scenario%20without%20azure%20DS%20%2C%20i%20mean%20extending%20AD%20to%20the%20cloud%20and%20join%20the%20virtual%20desktop%20machines%20to%20the%20same%20domain%20will%20have%20the%20same%20issue%20or%20not%20for%20synced%20user%20account.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-763626%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-763626%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F376480%22%20target%3D%22_blank%22%3E%40ashro2%3C%2FA%3E%26nbsp%3B%3A%20Thanks%20for%20the%20clarifying%20question%2C%20but%20no%2C%20the%20issue%20will%20not%20replicate%20if%20you%20have%20a%20hybrid%20setup%20and%20are%20joining%20your%20virtual%20machines%20to%20the%20domain%20that%20is%20syncing%20up%20the%20users%20with%20Azure%20AD%20Connect.%20The%20primary%20issue%20lies%20in%20the%20SID%20check%2C%20and%20that%20Azure%20AD%20DS%20creates%20a%20new%20SID%20(by%20design)%20for%20the%20users%20that%20it%20creates%20on%20the%20managed%20domain%20services%20instance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-764620%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-764620%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%26nbsp%3B%20%26nbsp%3Bi%20came%20to%20the%20same%20conclusion%20when%20looking%20ate%20the%20object%20SID%20in%20AAD%20and%20Azure%20DS%20and%20the%20Mismatch.%20i%20have%202%20comments%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20this%20check%20was%20introduced%20recently%20because%20this%20scenario%20was%20working%20before%20%2C%20is%20it%20possible%20to%20trun%20off%20this%20check%20of%20the%20SID%3F%20I%20saw%20the%20feedback%20on%20the%20form%20suggested%20moving%20the%20pool%20to%20validation%20pool%20where%20you%20deployed%20a%20fix%20for%20the%20issue%20but%20looks%20like%20that%20is%20not%20working%20as%20well.%20so%20is%20there%20a%20way%20to%20trun%20off%20this%20check%20i%20can%20do%20in%20my%20side%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20is%20there%20a%20way%20to%20modify%20the%20Azure%20DS%20object%20SID%20to%20match%20AAD%20%3F%20we%20don't%20have%20much%20control%20over%20the%20object%20in%20Azure%20DS%20I%20realized%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eit%20will%20be%20great%20if%20we%20can%20manually%20turnoff%20this%20SID%20check%20manually%20at%20least%20for%20testing%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-764917%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-764917%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F376480%22%20target%3D%22_blank%22%3E%40ashro2%3C%2FA%3E%26nbsp%3B%3A%20Unfortunately%2C%20it's%20not%20quite%20as%20simple%20as%20turning%20off%20the%20check%20since%20this%20check%20was%20implemented%20to%20stabilize%20the%20reconnection%20scenarios%20so%20that%20users%20get%20redirected%20back%20to%20a%20previously%20existing%20session%20(as%20opposed%20to%20get%20a%20new%20session).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI'm%20not%20sure%20if%20there's%20a%20way%20to%20manipulate%20the%20SIDs%2C%20but%20we're%20investigating%20all%20possible%20options%20right%20now.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20the%20feedback%20and%20dialogue%20though.%20We%20want%20to%20unblock%20testing%2C%20but%20also%20do%20not%20want%20to%20leave%20users%20in%20a%20bad%20state.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-769417%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-769417%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BSo%20no%20workaround%20for%20this%20scenario%20since%20the%20SID%20check%20is%20active%20now%20and%20according%20to%20you%20no%20ETA%20too.%20that's%20a%20bit%20disappointing!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-769759%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-769759%22%20slang%3D%22en-US%22%3E%3CP%3EI%20know%20the%20service%20is%20currently%20in%20preview%2C%20but%20i%20find%20the%20fact%20that%20this%20bug%20took%20multiple%20weeks%20to%20identify%20and%20acknowledge%20is%20a%20bit%20worrying%20for%20the%20state%2Ffuture%20of%20AAD%20DS%20(that%20we%20rarely%20deployed%20before%20WVD).%3CBR%20%2F%3E%3CBR%20%2F%3EAre%20there%20so%20few%20orgs%20using%20AAD%20DS%20%3F%20Should%20we%20drop%20it%20and%20extend%20on-prem%20ADs%20to%20Azure%20LAN%20for%20WVD%20instead%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-770061%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-770061%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35332%22%20target%3D%22_blank%22%3E%40Bazam%20Chekrian%20Valappu%3C%2FA%3E%26nbsp%3B%3A%20Yes%2C%20we%20solved%20one%20failing%20behavior%20but%20now%20it's%20hindering%20another%2C%20but%20definitely%20working%20to%20achieve%20both.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-770074%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-770074%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78166%22%20target%3D%22_blank%22%3E%40Arthur%20GERARD%3C%2FA%3E%26nbsp%3B%3A%20I%20wouldn't%20say%20that%20no%20one%20is%20using%20Azure%20AD%20DS%20or%20that%20it's%20not%20a%20viable%20solution.%20Primarily%2C%20understanding%20this%20failing%20scenario%20is%20an%20intersection%20of%20where%20customers%20are%20today%20and%20how%20they%20are%20piloting%20Windows%20Virtual%20Desktop%20with%20just%20cloud%20users%20(before%20trying%20to%20extend%20this%20with%20a%20full%20site-to-site%20on-prem%20infrastructure).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EBetween%20using%20Azure%20AD%20DS%20or%20extending%20existing%20domain%20structure%20to%20Azure%2C%20it%20depends%20on%20your%20scenarios%20you're%20targeting.%20You%20have%20much%20more%20flexibility%20by%20extending%2C%20since%20you%20can%20use%20Federation%2C%20Passthrough%20Authentication%2C%20or%20password%20hash%20(whereas%20AAD%20DS%20only%20works%20with%20password%20hash).%20Not%20sure%20if%20you've%20already%20seen%20this%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory-domain-services%2Fcomparison%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ecomparison%20article%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-770094%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-770094%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3EThat%20makes%20sense%2C%20thank%20you.%3CBR%20%2F%3E%3CBR%20%2F%3EIs%20%22Azure%20AD%20join%22%20on%20the%20roadmap%20for%20WVD%20%3F%20Or%20will%20AAD%20DS%20continue%20to%20be%20the%20lightest%20deployment%20for%20our%20SMB%20customers%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-770124%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-770124%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78166%22%20target%3D%22_blank%22%3E%40Arthur%20GERARD%3C%2FA%3E%26nbsp%3B%3A%20Azure%20AD%20Join%20is%20definitely%20a%20scenario%20we%20want%20to%20support%20and%20we're%20in%20the%20initial%20investigation%20stages%2C%20as%20it's%20a%20larger%20change%20from%20how%20VDI%2FRDS%20has%20worked%20in%20the%20past.%20Unfortunately%2C%20this%20feature%20is%20not%20something%20that%20will%20make%20it%20into%20our%20initial%20GA.%20We%20will%20continue%20to%20update%20these%20forums%20and%20our%20Docs%20site%20as%20we%20have%20more%20information%20on%20this%20scenario%2C%20and%20other%20new%20ones.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-771838%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-771838%22%20slang%3D%22en-US%22%3EJust%20checking%20if%20there's%20any%20ETA%20on%20the%20fix%20for%20the%20initial%20problem%20in%20this%20thread.%20Thanks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-776643%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-776643%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20Christian%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20seem%20to%20be%20experiencing%20the%20exact%20same%20error%20in%20a%20test%20environment.%20However%2C%20the%20user%20is%20sourced%20from%20Azure%20Active%20Directory.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20be%20happy%20to%20help%20troubleshoot%20since%20I%20have%20clients%20looking%20forward%20to%20WVD.%20below%20is%20some%20info%20that%20might%20be%20relevant%20and%20if%20you%20need%20identifying%20tenant%20info%20I'll%20be%20happy%20to%20send%20via%20PM%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EErrorSource%20%3A%20RDBroker%3CBR%20%2F%3EErrorOperation%20%3A%20OrchestrateSessionHost%3CBR%20%2F%3EErrorCode%20%3A%20-2146233088%3CBR%20%2F%3EErrorCodeSymbolic%20%3A%20ConnectionFailedUserSIDInformationMismatch%3CBR%20%2F%3EErrorMessage%20%3A%20OrchestrateAsync%3A%20SID%20value%20in%20the%20database%20is%20different%20than%20the%20value%20returned%20in%20the%20orchestration%20reply%20from%20the%20agent%20for%20user%20%E2%89%A4username%E2%89%A5%20with%20Id%20%3CID%3E.%20This%20scenario%20is%3CBR%20%2F%3Enot%20supported%20-%20we%20will%20not%20be%20able%20to%20redirect%20the%20user%20session.%3CBR%20%2F%3EErrorInternal%20%3A%20False%3CBR%20%2F%3EReportedBy%20%3A%20RDGateway%3CBR%20%2F%3ETime%20%3A%207%2F28%2F2019%2014%3A17%3A15%3C%2FID%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETenantName%20%3A%20IC-WVD2%3CBR%20%2F%3ETenantGroupName%20%3A%20Default%20Tenant%20Group%3CBR%20%2F%3EHostPoolName%20%3A%20Desktop%3CBR%20%2F%3EFriendlyName%20%3A%3CBR%20%2F%3EDescription%20%3A%3CBR%20%2F%3EPersistent%20%3A%20False%3CBR%20%2F%3ECustomRdpProperty%20%3A%3CBR%20%2F%3EMaxSessionLimit%20%3A%20999999%3CBR%20%2F%3ELoadBalancerType%20%3A%20BreadthFirst%3CBR%20%2F%3EValidationEnv%20%3A%20True%3CBR%20%2F%3ERing%20%3A%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-777298%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-777298%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EWe%20have%20just%20noticed%20the%20same%20problem%20in%20our%20test%20environment.%3C%2FP%3E%3CP%3EBut%20a%20strange%20thing%20is%20that%20it%20only%20affects%20one%20of%20the%2017%20pilot%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20users%20were%20synced%20from%20a%20local%20AD%20to%20Azure%20AD.%3C%2FP%3E%3CP%3EAzure%20AD%20connect%20sync%20was%20removed%201%20year%20ago.%3C%2FP%3E%3CP%3EAzure%20AD%20services%20was%20setup%20to%20support%20the%20WVD%20environment.%3C%2FP%3E%3CP%3EUsers%20envolved%20in%20pilot%20had%20to%20reset%20their%20passwords%20and%20could%20then%20logon.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20now%2C%20one%20user%20gets%20the%20error%20message%3A%3C%2FP%3E%3CP%3ESID%20value%20in%20the%20database%20is%20different%20than%20the%20value%20returned%20in%20the%20orchestration%20reply%20from%20the%20agent%20for%20user...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20Hostpool%20is%20in%20%22validation%22%26nbsp%3B%3C%2FP%3E%3CP%3E%26lt%3B%23%3C%2FP%3E%3CDIV%3EErrorSource%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%20RDBroker%3CBR%20%2F%3EErrorOperation%20%26nbsp%3B%20%26nbsp%3B%3A%20OrchestrateSessionHost%3CBR%20%2F%3EErrorCode%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%20-2146233088%3CBR%20%2F%3EErrorCodeSymbolic%20%3A%20ConnectionFailedUserSIDInformationMismatch%3CBR%20%2F%3EErrorMessage%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%20OrchestrateAsync%3A%20SID%20value%20in%20the%20database%20is%20different%20than%20the%20value%20returned%20in%20the%20orchestration%20reply%20from%26nbsp%3Bthe%20agent%20for%20user%20%E2%89%A4a.b%40domain.se%E2%89%A5%20with%20Id%20b663bb3d-3f67-42e9-f891-08d6fb3eb712.%20This%20scenario%20is%20not%20supported%20-%20we%20will%20not%20be%20able%20to%20redirect%20the%20user%20session.%3CBR%20%2F%3EErrorInternal%20%26nbsp%3B%20%26nbsp%3B%3A%20False%3CBR%20%2F%3EReportedBy%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%20RDGateway%3CBR%20%2F%3ETime%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%202019-07-18%2009%3A36%3A42%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3EErrorSource%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%20Client%3CBR%20%2F%3EErrorOperation%20%26nbsp%3B%20%26nbsp%3B%3A%20ClientRDPConnect%3CBR%20%2F%3EErrorCode%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%202147965400%3CBR%20%2F%3EErrorCodeSymbolic%20%3A%3CBR%20%2F%3EErrorMessage%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%20Your%20computer%20can't%20connect%20to%20the%20Remote%20Desktop%20Gateway%20server.%20Contact%20your%20network%20administrator%20for%20assistance.%3CBR%20%2F%3EErrorInternal%20%26nbsp%3B%20%26nbsp%3B%3A%20True%3CBR%20%2F%3EReportedBy%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%20Client%3CBR%20%2F%3ETime%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%3A%202019-07-18%2009%3A36%3A42%3C%2FDIV%3E%3CP%3E%23%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-778080%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-778080%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bwould%20be%20great%20to%20get%20an%20update%20on%20when%20this%20will%20be%20fixed%20-%20we%20were%20happily%20using%20this%20with%20this%20setup%20then%20in%20abruptly%20broke%20and%20we've%20been%20investigating%20on%20and%20off%20as%20time%20allowed%20ever%20since.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20i%20stumbled%20across%20this%20issue%20(after%20finally%20figuring%20out%20how%20to%20debug%20what%20was%20going%20wrong).%20Do%20we%20have%20an%20ETA%20as%20this%20is%20now%20a%20total%20block%20on%20us%20using%20WVD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20really%20disappointed%20as%20this%20is%20the%202nd%20major%20stumbling%20block%20-%20we've%20fully%20adopted%20Azure%20AD%20and%20the%20lack%20of%20support%20for%20Azure%20AD%20join%20is%20the%20other%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20can%20be%20such%20a%20good%20solution%20it's%20just%20so%20frustrating.....%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-778926%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-778926%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20there%20a%20way%20to%20identify%20the%20public%20IP%20range%20used%20by%20azure%20virtual%20desktops%20to%20communicate%20with%20external%20resources%20such%20as%20O365%3C%2FP%3E%3CP%3EServices%20.%20this%20is%20required%20to%20apply%20some%20azure%20%26nbsp%3Baccess%20control%20policy%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-779549%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-779549%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F376480%22%20target%3D%22_blank%22%3E%40ashro2%3C%2FA%3E%26nbsp%3BSee%20this%20thread%20on%20github%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F33988%23issuecomment-509722530%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FMicrosoftDocs%2Fazure-docs%2Fissues%2F33988%23issuecomment-509722530%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-789440%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-789440%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%20Same%20issue%20for%20one%20of%20test%20Azure-born%20user%2C%20the%20second%20one%20(Azure-born%20as%20well)%20still%20works%20fine.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-791960%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-791960%22%20slang%3D%22en-US%22%3EAny%20update%20on%20a%20resolution%3F%20This%20is%20a%20hard%20blocker%20for%20us.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20workaround%20only%20works%20with%20NEWLY%20CREATED%20users%20-%20meaning%20I%20cannot%20delete%20a%20Windows%20Server%20AD%20user%2C%20then%20recreate%20with%20the%20same%20username%20as%20an%20Azure%20AD%20sourced%20user.%20It%20seems%20like%20Windows%20Virtual%20Desktop%20permanently%20stores%20the%20upn%20and%20sid%20in%20its%20database....so%20deleting%20and%20recreating%20the%20user%20in%20Azure%20AD%20doesn%E2%80%99t%20help...%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-794147%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-794147%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40JeffN825%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64296%22%20target%3D%22_blank%22%3E%40Richard%20Harrison%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383387%22%20target%3D%22_blank%22%3E%40Integral-Consulting%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F374394%22%20target%3D%22_blank%22%3E%40rhythmnewt%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F54353%22%20target%3D%22_blank%22%3E%40Alex%20Ignatenko%3C%2FA%3E%26nbsp%3B%3A%20Hi%20everyone%2C%20apologies%20for%20this%20thread%20going%20a%20bit%20quiet.%20We've%20done%20investigations%20and%20started%20implementing%20the%20fix%2C%20but%20will%20take%20time%20to%20roll%20into%20production.%20Once%20I%20get%20a%20better%20date%2C%20I%20will%20reach%20out%20here%20so%20you%20all%20can%20continue%20your%20testing!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESince%20we%20roll%20out%20in%20phases%2C%20I'd%20highly%20recommend%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Fcreate-validation-host-pool%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Esetting%20up%20a%20host%20pool%20for%20validation%3C%2FA%3E%2C%20as%20this%20will%20be%20the%20first%20place%20to%20test.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAgain%2C%20thanks%20all%20and%20we're%20definitely%20trying%20to%20get%20this%20fix%20rolled%20out%20as%20soon%20as%20we%20can.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-794150%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-794150%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F18065%22%20target%3D%22_blank%22%3E%40Torbj%C3%B6rn%20Granheden%3C%2FA%3E%26nbsp%3B%3A%20As%20it%20stands%20now%2C%20the%20issue%20stems%20from%20the%20SID's%20being%20synchronized%20as%20part%20of%20the%20Azure%20AD%20token%20and%20then%20receiving%20a%20different%20one%20through%20Azure%20AD%20Domain%20Services.%20Are%20you%20aware%20of%20any%20difference%20of%20properties%20between%20this%201%20user%20and%20the%20other%2016%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-794151%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-794151%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78166%22%20target%3D%22_blank%22%3E%40Arthur%20GERARD%3C%2FA%3E%26nbsp%3B%3A%20Azure%20AD%20Join%20is%20in%20our%20backlog.%20We've%20heard%20overwhelming%20interest%20for%20this%2C%20and%20we%20want%20to%20align%20with%20Azure%20AD%20Join%2FIntune%20as%20a%20means%20of%20deploying%20and%20managing%20Windows.%20We%20don't%20have%20any%20specific%20dates%20on%20this%2C%20but%20we%20definitely%20want%20to%20supporting%20this%20as%20a%20scenario%20down%20the%20road.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-794227%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-794227%22%20slang%3D%22en-US%22%3EThank%20you%20for%20keeping%20us%20informed!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-794229%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-794229%22%20slang%3D%22en-US%22%3EThanks.%20Is%20there%20an%20eta%20for%20when%20a%20fix%20will%20be%20available%20to%20host%20pools%20in%20validation%20mode%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20not%2C%20is%20there%20any%20way%20to%20submit%20a%20support%20request%20to%20get%20you%20to%20delete%20stale%20user%20accounts%20from%20your%20sql%20azure%20database%20or%20is%20this%20exposed%20in%20any%20way%3F%20It%20would%20at%20least%20allow%20us%20to%20proceed%20with%20testing%20if%20there%20was%20a%20way%20to%20recreate%20the%20user%20accounts%20with%20problems.%20As%20I%20mentioned%20above%20-%20today%20we%20can%E2%80%99t%20even%20delete%2Frecreate%20the%20user.%20It%20has%20to%20be%20created%20as%20a%20cloud%20only%20user%20with%20a%20different%20upn...%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-802715%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-802715%22%20slang%3D%22en-US%22%3E%3CP%3EHola%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%2C%26nbsp%3Bthanks%20for%20the%20information.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20my%20case%2C%20the%20scenario%20and%20behavior%20are%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20an%20Active%20Directory%20On-Premise%20synchronized%20to%20Azure%20Active%20Directory%20through%20ADConnect.%20In%20Azure%20I%20have%20implemented%20an%20Azure%20Active%20Directory%20Domanin%20Services%20(AADDS).%20Both%20directories%20are%20synchronized%20(ADDS%20and%20AADDS)%20through%20the%20AAD.%20I%20have%20password%20hashes%20replication%20set.%20I%20implemented%20a%20WVD%20HostPool.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETo%20perform%20tests%20with%20my%20synchronized%20users%2C%20I%20have%20also%20created%20Cloud%20users%20(AAD%20only).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBoth%20types%20of%20users%20allow%20me%20to%20connect%20the%20most%20virtual%20machines%20of%20the%20WVD%20HostPool%20through%20RDP.%20However%2C%20when%20I%20try%20to%20use%20the%20WebClient%20through%20the%20URL%20%3CA%20title%3D%22https%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%2Findex.html%22%20href%3D%22https%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%2Findex.html%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%2Findex.html%3C%2FA%3Eboth%20types%20of%20users%20can%20log%20in%20with%20their%20AADDS%20and%20AAD%20credentials.%20But%20by%20selecting%20applications%20to%20log%20in%20to%20them%2C%20only%20users%20created%20in%20the%20cloud%20(in%20AAD)%20can%20successfully%20start%3B%20synchronized%26nbsp%3Busers%20from%20ADDS%20get%20the%20error%20from%20the%20following%20image%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20604px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F126757i0F14C6F4EA53419A%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Error.png%22%20title%3D%22Error.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20log%20error%20for%20synced%20users%20is%20the%20follow%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EActivityId%20%3A%20e5eaa99a-0873-4e39-9063-d39e511c0000%3CBR%20%2F%3EActivityType%20%3A%20Connection%3CBR%20%2F%3EStartTime%20%3A%2012%2F08%2F2019%205%3A09%3A12%20p.%20m.%3CBR%20%2F%3EEndTime%20%3A%2012%2F08%2F2019%205%3A09%3A18%20p.%20m.%3CBR%20%2F%3EUserName%20%3A%20F21212121%40fvl.org.co%3CBR%20%2F%3ERoleInstances%20%3A%20rdwebclient%3Bmrs-eus2r0c002-rdgateway-prod-staging%3A%3ARD2818788A5384%3Bmrs-eus2r0c001-rdbroker-prod-staging%3A%3ARD2818782C7086%3B%E2%89%A4WVDSH-0.fvl.org.co%E2%89%A5%3CBR%20%2F%3EOutcome%20%3A%20Failure%3CBR%20%2F%3EStatus%20%3A%20Completed%3CBR%20%2F%3EDetails%20%3A%20%7B%5BClientOS%2C%20Win32%20Chrome%2076.0.3809.100%5D%2C%20%5BClientVersion%2C%201.0.18.5%5D%2C%20%5BClientType%2C%20HTML%5D%2C%20%5BPredecessorConnectionId%2C%20%5D...%7D%3CBR%20%2F%3ELastHeartbeatTime%20%3A%2012%2F08%2F2019%205%3A09%3A19%20p.%20m.%3CBR%20%2F%3ECheckpoints%20%3A%20%7BLoadBalancedNewConnection%2C%20TransportConnected%2C%20TransportConnecting%7D%3CBR%20%2F%3EErrors%20%3A%20%7BMicrosoft.RDInfra.Diagnostics.Common.DiagnosticsErrorInfo%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20the%20same%20error%20that%20you%20are%20describing%20in%20this%20post%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20a%20lot%20for%20your%20response.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPaul%20Pedroza%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-807351%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-807351%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eany%20updates%3F%20we%20are%20hard%20blocked%20in%20terms%20of%20using%20Windows%20Virtual%20Desktop%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-812602%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-812602%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3EI%20have%20checked%20with%20every%20powershell%20cmdlet%20i%20can%20think%20of%2C%20but%20the%20users%20are%20identical%20configured.%20I%20have%20compared%20with%20another%20user%20that%20was%20hired%20at%20the%20same%20time%20(2014).%20And%20also%20has%20been%20migrated%20from%20an%20onprem%20AD%20to%20an%20Azure%20AD%20only%20environment.%20The%20ad%20connect%20was%20removed%20a%20year%20ago%20ish.%20The%20Azure%20Domain%20Services%20was%20setup%20to%20support%20WVD%20preview%20in%20June.%3C%2FP%3E%3CP%3EMy%20user%20is%20on%20vaccation%20and%20I%20cannot%20get%20an%20answer%20if%20it%20still%20is%20an%20issue%20or%20if%20it%20has%20been%20solved%20by%20agent%20update.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%2C%20you%20should%20think%20of%20a%20rollback%20of%20the%20sid%20verification%20and%20do%20a%20rearchitect.%3CBR%20%2F%3EIf%20it%20is%20so%20much%20trouble%20for%20preview%20users%2C%20how%20will%20this%20work%20for%20GA%3F%3C%2FP%3E%3CP%3E%2FMr%20T-Bone%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-815957%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-815957%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%20Any%20update%20on%20this%26nbsp%3B%20%3F%20As%20others%20have%20reported%20we%20are%20at%20a%20stand%20still.%26nbsp%3B%3CBR%20%2F%3ESynced%20from%20on-premise%20aren't%20working.%26nbsp%3B%20I%20have%20tried%20validation%20pools%20and%20still%20no%20luck%20with%20Sync%20accounts.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822173%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822173%22%20slang%3D%22en-US%22%3ESeems%20like%20we%E2%80%99re%20in%20store%20for%20a%20repeat%20of%20Azure%20RemoteApp.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822467%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822467%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3EAnother%20week%20without%20status%20update%3F%3C%2FP%3E%3CP%3EAny%20progress%20of%20getting%20the%20WVD%20working%20again%20for%20all%20of%20us%20with%20Azure%20DS%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20only%20one%20user%20out%20of%2030%20pilots%20that%20get%20sid%20failure%3F%3C%2FP%3E%3CUL%3E%3CLI%3ECannot%20see%20any%20different%20attributes%20on%20this%20specific%20user%20compared%20with%20another%20user%20created%20same%20week.%3C%2FLI%3E%3CLI%3EBoth%20accounts%20created%203%20years%20ago%20in%20a%20local%20AD.%3C%2FLI%3E%3CLI%3ESynced%20to%20Azure%20AD%20with%20AD%20connect.%3C%2FLI%3E%3CLI%3ELocal%20AD%20and%20Azure%20AD%20connect%20dismounted%20and%20retired%2012%20month%20ago.%3C%2FLI%3E%3CLI%3EAzure%20DS%20started%20for%20WVD%203%20months%20ago.%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%2FMr-Tbone%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%2FTorbj%C3%B6rn%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-823017%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-823017%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F18065%22%20target%3D%22_blank%22%3E%40Torbj%C3%B6rn%20Granheden%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396243%22%20target%3D%22_blank%22%3E%40cititechs%3C%2FA%3E%26nbsp%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40JeffN825%3C%2FA%3E%26nbsp%3B%3A%20Thanks%20for%20being%20patient%20with%20us.%20As%20an%20update%2C%20we've%20identified%20the%20issue%20and%20have%20taken%20the%20first%20step%20to%20solving%20it%2C%20just%20that's%20a%20multi-phase%20fix%2Froll-out.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20to%20address%20some%20of%20the%20feedback%2C%20in%20order%20to%20login%20users%20and%20work%20between%20cloud%2Fon-prem%20accounts%2C%20there%20are%20only%20so%20many%20interfaces%20and%20returned%20values%20that%20the%20system%20gives%20us%20for%20logon.%20And%2C%20unfortunately%2C%20it%20wasn't%20as%20easy%20as%20rolling%20back%20because%20then%20we%20would%20then%20have%20other%20sets%20of%20users%20be%20unable%20to%20reconnect%20to%20existing%20sessions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWill%20hope%20to%20have%20another%20update%20soon%20regarding%20the%20full%20fix.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-823069%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-823069%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40JeffN825%3C%2FA%3E%26nbsp%3B%3A%20Just%20to%20get%20more%20clarity%2C%20is%20it%20primarily%20%3CEM%3E%3CSTRONG%3Ethis%3C%2FSTRONG%3E%3C%2FEM%3Eissue%20that%20you%20think%20will%20make%20it%20the%20next%20Azure%20RemoteApp%3F%20Is%20there%20other%20functionality%20that%20we're%20missing%2C%20should%20be%20focusing%20on%2C%20or%20should%20be%20fixing%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-824239%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-824239%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20validation%20pool%20seems%20like%20a%20good%20idea%20(%3CFONT%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fvirtual-desktop%2Fcreate-validation-host-pool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fazure%2Fvirtual-desktop%2Fcreate-validation-host-pool%3C%2FA%3E%3C%2FFONT%3E)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20to%20make%20that%20really%20viable%20we%20need%20a%20schedule%20of%20upcoming%20releases%20to%20know%20when%20we%20should%20be%20validating%20(and%20potentially%20what%20specific%20areas%20to%20check).%20Is%20that%20something%20that%20is%20also%20going%20to%20be%20published%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESome%20control%20of%20when%20updates%20are%20pushed%20would%20also%20be%20very%20useful%20-%20for%20example%20if%20we%20find%20an%20issue%20during%20validation%20can%20we%20prevent%20that%20being%20pushed%20to%20our%20environments%20or%20would%20if%20just%20get%20pushed%20anyway%20after%20some%20timeout%20period%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%3C%2FP%3E%3CP%3ERich%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-824558%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-824558%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E-%20one%20other%20thing%20to%20just%20mention%20-%20we%20recently%20had%20some%20other%20issues%20with%20AADDS%20and%20in%20conversations%20with%20the%20product%20group%20there%20they%20told%20us%20there%20is%20a%20new%20version%20of%20the%20sync%20process%20planned%20(quite%20soon%20I%20think)%20from%20AAD%20to%20AADDS%20-%20not%20sure%20if%20this%20helps%20you%20in%20any%20way%20with%20the%20issues%20you%20have%20-%20perhaps%20if%20you%20have%20any%20requirements%20for%20changes%20these%20could%20be%20included%20in%20what%20that%20team%20is%20doing%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-825661%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-825661%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64296%22%20target%3D%22_blank%22%3E%40Richard%20Harrison%3C%2FA%3E%26nbsp%3B%3A%20Great%20questions!%20We%20definitely%20intend%20to%20push%20out%20notice%20of%20things%20coming%20out%20the%20validation%20pool%20so%20it%20can%20be%20tested.%20We%20have%20done%20this%20in%20limited%20capacity%20and%20to%20smaller%20groups%20of%20customers%2C%20but%20we%20intend%20to%20use%20this%20more.%20We%20have%20also%20not%20pushed%20a%20build%20all%20the%20way%20to%20the%20general%20population%20due%20to%20issues%20we've%20seen%20in%20validation%2C%20so%20we%20plan%20on%20using%20it%20exactly%20like%20you're%20expecting.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAnd%20thank%20you%20for%20the%20notification.%20Will%20bring%20this%20up%20with%20the%20Azure%20AD%20DS%20team.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828102%22%20slang%3D%22es-ES%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828102%22%20slang%3D%22es-ES%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20have%20deleted%20and%20re-created%20my%20WVD%20test%20environment%20several%20times%2C%20now%20I%20can't%20longer%20log%20in%20even%20with%20users%20created%20directly%20in%20the%20Azure%20cloud%2C%20with%20these%20accounts%2C%20the%20users%20before%20login.%20I%20can%20no%20longer%20log%20in%20with%20synchronized%20users%20from%20my%20AD%20On-Premise%20(ADDS%20-%26gt%3B%20AAD%20-%26gt%3B%20AADDS)%20nor%20with%20the%20old%20ones%20created%20directly%20in%20Azure%20(AAD%20-%26gt%3B%20AADDS).%20I%20can%20only%20use%20the%20scenario%20if%20I%20create%20new%20users%20in%20Azure.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EErrorSource%20%3A%3CBR%20%2F%3ERDBroker%20ErrorOperation%20%3A%3CBR%20%2F%3EOrchestrateSessionHost%20ErrorCode%20%3A%20-2146233088%3CBR%20%2F%3EErrorCodeSymbolic%3CBR%20%2F%3E%3A%20ConnectionFailedUserSIDInformationMismatch%20ErrorMessage%20%3A%20User%20wahtever-whatever%3A%20SID%20information%20in%20the%20database%20'S-1-5-21-1201331163-3862359571-1670876360-8430'%20does%20not%20match%20SID%20returned%20information%20by%20agent%3CBR%20%2F%3E'S-1-5-21-1194805571-575163812-3500997978-1549'%20in%20the%20orchestration%20reply..%20This%20scenario%20is%20not%20supported%20-%20we%20will%20not%20be%20able%20to%20redirect%20the%20user%20session.%20%3CBR%20%2F%3EErrorInternal%20%3A%3CBR%20%2F%3EFalse%20ReportedBy%3CBR%20%2F%3E%3A%20RDGateway%20Time%20%3A%2028%2F08%2F2019%203%3A24%3A57%20p.m.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-830363%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-830363%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EThis%20issue%20specifically%20is%20**extremely**%20concerning%20-%20because%20this%20isn%E2%80%99t%20an%20edge%20case%3B%20this%20is%20a%20fundamental%20architecture%2Fdatabase%20design%20problem%20in%20how%20you%20uniquely%20identify%20users.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20don%E2%80%99t%20need%20to%20get%20AAD%20Domain%20Services%20or%20any%20other%20complicated%20scenario%20in%20the%20mix%20to%20reproduce%20this%20problem.%20All%20you%20need%20to%20do%20is%20delete%20**any**%20user%20in%20**any**%20kind%20of%20environment%20and%20then%20create%20a%20new%20one%20with%20the%20same%20upn.%20And%20bam%2C%20that%20user%20is%20screwed...forever.Deleting%20and%20recreating%20the%20tenant%20doesn%E2%80%99t%20help%20any%2C%20which%20tells%20me%20that%20user%20registration%20data%20is%20stored%20independently%20of%20tenant%20data.%20This%20will%20lead%20down%20an%20avenue%20of%20problems%20with%20no%20end.%20There%20are%20alternative%20architectural%20approaches%20that%20would%20likely%20be%20more%20reliable.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-838200%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-838200%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40JeffN825%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20attest%20this!%20It%20seems%20like%20a%20flaw%20in%20design.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20happend%20to%20me%20is%20the%20following%3A%3C%2FP%3E%3CP%3EI%20had%20a%20user%20in%20my%20old%20Azure%20AD%20tenant.%20lets%20call%20it%20tenant%20A%2C%20with%20a%20UPN%20of%20user%40domain.com%20and%20used%20WVD%20succesfully%20there.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20I%20moved%20my%20domain.com%20to%20another%20Azure%20AD%20tenant%2C%20tenant%20B.%20Setup%20Azure%20ADDS%20there%20and%20tried%20to%20login%20with%20a%20user%20with%20UPN%20user%40domain.com%2C%20so%20the%20exact%20same%20UPN%20of%20the%20user%20that%20existed%20in%20tenant%20A.%20although%20offcourse%20it%20doesn't%20exists%20in%20tenant%20A%20anymore.%3C%2FP%3E%3CP%3EWhat%20I%20saw%20when%20I%20logged%20in%2C%20was%20the%20WVD%20tenant%20with%20the%20published%20desktops%20that%20I%20created%20in%20my%20Azure%20AD%20tenant%20A!%20AND%20I%20saw%20my%20new%20WVD%20tenant%20with%20the%20published%20desktops%20that%20I%20created%20in%20my%20Azure%20AD%20tenant%20B.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20when%20I%20tried%20to%20sign-in%20to%20the%20desktops%20from%20the%20new%20tenant%20B%2C%20I%20get%20the%20same%20error%20as%20everyone%20else%2C%20that%20the%20SID%20doesn't%20match%20with%20the%20one%20in%20the%20database.%26nbsp%3B%3C%2FP%3E%3CP%3EYes%2C%20I%20can%20understand%20that%20it%20doesn't%20match%20if%20you%20still%20saved%20the%20SID%20from%20the%20user%20in%20tenant%20A.%20But%20this%20is%20a%20completely%20new%20user%20in%20tenant%20B.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20like%20JeffN825%20already%20concludes%2C%20this%20means%20that%20the%20user%20data%20is%20independent%20from%20the%20tenant%20data%2C%20which%20seems%20strange%20to%20me.%3C%2FP%3E%3CP%3EAlso%2C%20I%20would%20like%20some%20way%20to%20delete%20my%20old%20user%20with%20its%20SID%20from%20this%20backend%20database.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-839715%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-839715%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20each%20day%20that%20passes%20with%20no%20meaningful%20reply%20on%20this%20issue%2C%20I%20become%20more%20skeptical%20that%20the%20right%20team%20(one%20with%20extensive%20experience%20in%20distributed%2C%20AzureAD%20based%20authentication%20and%20authorization)%20is%20working%20on%20this%20product.%20I%20also%20wonder%20if%20the%20lack%20of%2Fdelay%20in%20reply%20is%20indicative%20of%20the%20team%20taking%20a%20pause%20to%20re-evaluate%20if%20they%20can%20successfully%20develop%20this%20solution...%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20any%20information%20you%20can%20provide%20that%20might%20alleviate%20this%20concern%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-848508%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-848508%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20trying%20to%20add%20users%20from%20a%20'invited%20user'%20source%20or%20from%20an%20'external%20aad'%20source%20to%20a%20remoteapp%20group%20using%20powershell.%20I%20notice%20that%20only%20users%20created%20directly%20in%20AAD%20can%20be%20added%2C%20but%20externals%20or%20invited%20ones%20cannot.%20I%20keep%20getting%20the%20error%26nbsp%3B%26nbsp%3B%22The%20specified%20UserPrincipalName%20does%20not%20exist%20in%20the%20Azure%20AD%20associated%20with%20the%20RD%20tenant.%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECan%20anyone%20confirm%20if%20these%20external%20users%20or%20invited%20users%20should%20work%20with%20WVD%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-849728%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-849728%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193408%22%20target%3D%22_blank%22%3E%40Marcel%20A'%20Campo%3C%2FA%3E%26nbsp%3B-%20external%20users%20can't%20work%20with%20WVD%20because%20they%20are%20not%20replicated%20via%20Azure%20AD%20Domain%20Services%20to%20the%20managed%20AD%20domain.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-849784%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-849784%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20issue%20a%20showstopper%20for%20us.%26nbsp%3B%20We're%20trying%20to%20roll%20out%20VDI%20for%20thousands%20of%20users%20globally....%20but%20the%20inability%20to%20automate%20handling%20of%20multiple%20security%20identifiers%20is%20a%20bit%20deal.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGlad%20I%20encountered%20this%20now%2C%20instead%20of%202%20months%20from%20now%20when%20a%20single%20user%20identity%20will%20exist%20in%20AADDS%2C%20AzureAD%2C%20and%20ADDS.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-849850%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-849850%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F363970%22%20target%3D%22_blank%22%3E%40DubC85%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40JeffN825%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193408%22%20target%3D%22_blank%22%3E%40Marcel%20A'%20Campo%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F201943%22%20target%3D%22_blank%22%3E%40Roel%20Everink%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F391201%22%20target%3D%22_blank%22%3E%40pau_pedroza%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F18065%22%20target%3D%22_blank%22%3E%40Torbj%C3%B6rn%20Granheden%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F396243%22%20target%3D%22_blank%22%3E%40cititechs%3C%2FA%3E%26nbsp%3B%2F%20All%20%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20provide%20an%20update%2C%20we're%20still%20working%20on%20this%20fix.%20As%20alluded%20to%20before%2C%20the%20fix%20is%202%20steps%3A%3C%2FP%3E%0A%3CP%3E1.%20To%20create%20and%20populate%20the%20fields%3C%2FP%3E%0A%3CP%3E2.%20To%20adjust%20the%20logic%20to%20use%20these%20fields%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe've%20completed%20step%20%231%20completely%20and%20%232%20is%20what%20we're%20implementing%2Fvalidating%20now.%20We%20expect%20this%20to%20complete%20and%20rollout%20within%20the%20next%20month.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20may%20still%20seem%20like%20a%20long%20time%20out%2C%20but%20we%20do%20want%20to%20be%20more%20cautious%20on%20the%20rollout%20and%20ensure%20we%20don't%20break%20user%20connections%20like%20the%20changes%20we%20made%20that%20landed%20here.%20There%20is%20always%20an%20option%20to%20push%20straight%20to%20production%2C%20but%20that%20also%20doesn't%20help%20us%20if%20there's%20another%20case%20that%20we%20missed%20and%20if%20we%20did%20quick%20validation.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUltimately%2C%20we%20realize%20that%20this%20has%20led%20to%20the%20inability%20to%20quickly%20test%20out%20the%20service%20using%20Azure%20AD%20DS.%20Once%20the%20fix%20is%20live%2C%20you%20should%20be%20quickly%20unblocked%2C%20re-start%20efforts%20to%20evaluate%20the%20product%20as%20you%20need%2C%20and%20hope%20to%20see%20continued%20feedback%20as%20you%20have%20been%20so%20far%20on%20TechCommunity%20so%20far.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20will%20post%20back%20here%20as%20we%20progress%20further%20in%20the%20fix%20and%20when%20we%20have%20this%20available%20in%20the%20validation%20pools%20to%20test.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-853330%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-853330%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20month%20-%20alright.%26nbsp%3B%20Still%20paying%20for%20the%20actual%20resource%20(that%20doesn't%20work)...have%20been%20for%20several%20months%20now.%26nbsp%3B%20This%20has%20become%20very%20disappointing.%26nbsp%3B%20Standstill%20-%20Business%20Units%20waiting%20on%20the%20solution%20-%20complaining%20about%20chargebacks%20for%20the%20resource%20(that%20doesn't%20work)%20will%20be%20the%20next%20thing.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20guys%20-%20get%20this%20fixed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-854312%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-854312%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%2C%20is%20there%20any%20news%20on%20this%3F%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThis%20is%20a%20hard%20block%20for%20us%20as%20well!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-854567%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-854567%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3ECan%20you%20share%20some%20technical%20details%20on%20what%20these%20fields%20are%20and%20how%20they%20are%20used%3F%20Any%20details%20that%20would%20inspire%20confidence%20in%20the%20solution%20you%E2%80%99ve%20designed%20would%20be%20helpful.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-860892%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-860892%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bthanks%20for%20the%20update.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20waiting%20to%20deploy%20WVD%20with%20Azure%20AD%20DS%20and%20if%20I%20understand%20correctly%20it%20will%20be%20possible%20once%20the%20second%20fix%20is%20rolled%20out%3F%20We%20have%20host%20pools%20set%20as%20%22Validation%22%20host%20pools%2C%20can%20we%20hope%20to%20get%20the%20fixes%20out%20sooner%20to%20these%20hostpools%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECheers%2C%3C%2FP%3E%3CP%3EJoakim%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-863610%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-863610%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193358%22%20target%3D%22_blank%22%3E%40Joakim%20Westin%3C%2FA%3E%26nbsp%3B-%20I%20wouldn't%20count%20on%20this%20fixing%20the%20underlying%20issue.%20From%20the%20description%20of%20the%20fix%2C%20it%20sounds%20like%20it%20will%20just%20work%20around%20it%20for%20some%20situations.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-863691%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-863691%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40JeffN825%3C%2FA%3E%26nbsp%3B%3A%20Essentially%2C%20there%20are%20three%20pieces%20of%20information%20we%20need%20for%20processing%20the%20new%20or%20reconnecting%20user%20connection%3A%3C%2FP%3E%0A%3CP%3E1.%20UPN%20in%20Azure%20AD%20token%3C%2FP%3E%0A%3CP%3E2.%20SID%20in%20Azure%20AD%20token%3C%2FP%3E%0A%3CP%3E3.%20SID%20that%20the%20on-premises%20domain%20sends%20back%20when%20it%20matches%20up%20the%20user%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEverything%20is%20based%20according%20to%20the%20UPN%2C%20as%20that%20is%20provided%20in%20all%20tokens.%20The%20fixes%20will%3A%3C%2FP%3E%0A%3CP%3E1.%20Update%20the%20SID%20for%20the%20UPN%20(accounts%20for%20user%20migration%20on%20premises%20or%20new%20instantiations%20of%20Azure%20AD%20DS%20for%20users%20sourced%20in%20Windows%20Server%20AD)%3C%2FP%3E%0A%3CP%3E2.%20Update%20the%20SID%20that%20the%20on-premises%20domain%20sends%20back%20when%20it%20matches%20up%20the%20user%2C%20which%20is%20needed%20for%20manual%2Fauto-reconnect%20scenarios.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20definitely%20hear%20feedback%20on%20%22why%20SID%3F%22%2C%20but%20unfortunately%20that%20is%20needed%20for%20current%20logon%20APIs%20if%20we%20want%20to%20provide%20a%20consistent%20re-connect%20experience%20that%20can%20get%20triggered%20even%20if%20you%20lose%20Internet%20connectivity%20for%20a%20brief%20second%20or%20switch%20wireless%20networks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-871432%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-871432%22%20slang%3D%22en-US%22%3EI%20don%E2%80%99t%20understand%20how%20this%20will%20resolve%20the%20underlying%20issue%2C%20which%20is%20as%20simple%20to%20reproduce%20as%20deleting%20and%20recreating%20a%20user.%20Or%20deleting%20an%20AAD%20DS%20domain%20and%20recreating%20it.%20It%20seems%20that%20would%20still%20be%20broken%20after%20this%20fix.%3CBR%20%2F%3E%3CBR%20%2F%3EFurther%2C%20you%20say%3CBR%20%2F%3E%E2%80%9C2.%20Update%20the%20SID%20that%20the%20on-premises%20domain%20sends%20back%20when%20it%20matches%20up%20the%20user%2C%20which%20is%20needed%20for%20manual%2Fauto-reconnect%20scenarios.%E2%80%9D%3CBR%20%2F%3E%3CBR%20%2F%3EFirst%20-%20I%20assume%20you%20mean%20the%20RDSH%20agent%3F%20If%20so%2C%20how%20is%20the%20agent%20going%20to%20get%20the%20token%20for%20the%20current%20AAD%20user%20(which%20contains%20the%20SID%20you%20want)%3F%20If%20what%20you%20mean%20is%20that%20you%E2%80%99re%20going%20to%20try%20to%20silently%20acquire%20a%20token%20from%20the%20agent%20as%20the%20user...please%20don%E2%80%99t.%20The%20user%20could%20be%20subject%20to%20MFA%20policies%20which%20would%20muck%20you%20up%20even%20further...%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-878097%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-878097%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40JeffN825%3C%2FA%3E%26nbsp%3B%3A%20Ultimately%2C%20everything%20is%20mapped%20to%20a%20UPN%20so%20we%20know%20how%20to%20connect%2Freconnect%20them.%20Regardless%20of%20how%20you%20get%20your%20UPN%2C%20we%20map%20the%20resulting%20SID%20(that%20the%20domain%20understands%20relates%20to%20that%20user)%20back%20to%20the%20UPN.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20just%20to%20clarify%2C%20the%20Azure%20AD%20token%20is%20initially%20acquired%20by%20the%20user%20for%20the%20Windows%20Virtual%20Desktop%20Azure%20AD%20application%2C%20and%20we%20pass%20this%20through%20our%20system%20when%20we%20need%20to%20reference%20the%20incoming%20Azure%20AD%20user.%20We%20are%20not%20trying%20to%20silently%20get%20one.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-879165%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-879165%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bdo%20you%20have%20any%20updates%20on%20when%20we%20can%20expect%20to%20see%20the%20fix%20rolled%20out%20for%20us%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-879169%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-879169%22%20slang%3D%22en-US%22%3E%3CP%3EFYI%2C%20i%20just%20ditched%20AADDS%20and%20extended%20the%20on-premise%20AD%20through%20S2S%20VPN%20and%20DC%20VMs%20in%20Azure%20instead.%3CBR%20%2F%3ERe-used%20my%20TenantGroup%2C%20Tenant%2C%20and%20ServicePrincipal.%3CBR%20%2F%3ETemplate%20Deployment%20and%20user%20connexion%20went%20flawless%20on%20the%20first%20try.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20would%20recommend%20to%20forget%20about%20AADDS%20if%20you%20can.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-879236%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-879236%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78166%22%20target%3D%22_blank%22%3E%40Arthur%20GERARD%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat's%20not%20helpful%20to%20those%20of%20us%20who%20would%20rather%20not%20have%20to%20deal%20with%20ADDS%20and%20AD%20Connect%20unnecessarily.%26nbsp%3B%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-879267%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-879267%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F363970%22%20target%3D%22_blank%22%3E%40DubC85%3C%2FA%3E%26nbsp%3BMaybe%20i%20wasn't%20clear%20but%20i%20went%20from%20%3A%3CBR%20%2F%3E%3CBR%20%2F%3EOn-prem%20AD%20%2B%20AADConnect%20%2B%20AADDS%20(WVD%20VM%20being%20joined%20to%20AADDS)%3CBR%20%2F%3E-%26gt%3B%20was%20stuck%20with%20this%20bug%20for%20several%20months%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eto%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EOn-prem%20AD%20%2B%20AADConnect%20%2B%20On-prem%20AD%20extended%20to%20Azure%20vNet%20(WVD%20VM%20being%20joined%20to%20AD)%3CBR%20%2F%3E-%26gt%3B%20everything%20worked%20on%20the%20first%20try%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-882206%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-882206%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F78166%22%20target%3D%22_blank%22%3E%40Arthur%20GERARD%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYep%2C%20this%20works%20great%2C%20and%20has%20since%20the%20beginning%20(adding%20a%20hostpool%20that's%20actually%20on%20your%20on-prem%20domain%20and%20not%20AADDS%20joined).%26nbsp%3B%20I%20didn't%20even%20add%20a%20DC%20out%20in%20the%20Azure%20vnet%20-%20just%20joined%20on-prem%20domain%20over%20the%20S2S%20tunnel.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20wish%20I%20could%20use%20that%20-%20I%20would%20be%20six%20months%20ahead%20now.%26nbsp%3B%20The%20smaller%20attack%20surface%20of%20available%20users%20(filtered%20sync%20to%20AADDS)%20will%20be%20required%20for%20us.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-887104%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-887104%22%20slang%3D%22en-US%22%3EAny%20timeline%20on%20the%20fix%3F%20Looks%20like%20WVD%20went%20GA%20today.%20I%20can%20see%20there%20are%20some%20options%20with%20VPN%20tunnels%2C%20but%20I%20would%20rather%20avoid%20re-configuring%20my%20WVD%20environment%20away%20from%20Azure%20ADDS.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-890627%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-890627%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F374394%22%20target%3D%22_blank%22%3E%40rhythmnewt%3C%2FA%3E%26nbsp%3BIf%20you%20look%20at%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Foverview%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20link%3C%2FA%3E%2C%20it%20looks%20that%20we%20will%20have%20to%20wait%20a%20little%20bit%20longer.%20I%20am%20pretty%20sure%20this%20Note%20has%20been%20added%20recently.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135255iCF86CEF4F98D5C23%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22image.png%22%20title%3D%22image.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-892274%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-892274%22%20slang%3D%22en-US%22%3ESo%20now%20it's%20officially%20not%20supported%20%3A(%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-892579%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-892579%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F374394%22%20target%3D%22_blank%22%3E%40rhythmnewt%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F11816%22%20target%3D%22_blank%22%3E%40Olivier%20Debonne%3C%2FA%3E%26nbsp%3B%3A%20Correct%2C%20the%20link%20was%20added%20in%20the%20past%20week%20and%20a%20half%20ago%20so%20that%20customers%20would%20not%20accidentally%20hit%20this%20scenario.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENo%20worries%20though%3A%20once%20the%20fix%20is%20in%20and%20live%2C%20the%20scenario%20will%20be%20supported%20%3A)%3C%2Fimg%3E%20We're%20on%20still%20on%20track%20for%20this%20month.%20I%20will%20post%20back%20here%20once%20we%20have%20it%20available%20for%20validation%20pools%20(host%20pools%20with%20%22ValidationEnv%22%20set%20to%20%24true)%20so%20that%20we%20can%20confirm%20the%20fix%20before%20the%20broadest%20rollout.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-892601%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-892601%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bthank%20you%20for%20the%20update%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-895082%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-895082%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20still%20experiencing%20this%20same%20issue%20you%20explain%20above%20with%20AADDS%2C%20however%20even%20when%20I%20create%20a%20Cloud%20native%20user%20I%20get%20the%20following%20error%20when%20trying%20to%20connect%20to%20Virtual%20Desktop%20%2F%20RemoteApp%3A-%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EErrorSource%20%3A%20RDAgent%3CBR%20%2F%3EErrorOperation%20%3A%20AddUserToRDUGroup%3CBR%20%2F%3EErrorCode%20%3A%20-2147467259%3CBR%20%2F%3EErrorCodeSymbolic%20%3A%20ConnectionFailedAdErrorNoSuchMember%3CBR%20%2F%3EErrorMessage%20%3A%20Failed%20to%20add%20user%20%3D%20%E2%89%A4Cloud.User%40teammetalogic.com%E2%89%A5%20to%20group%20%3D%20Remote%3CBR%20%2F%3EDesktop%20Users.%20Reason%3A%20Win32.ERROR_NO_SUCH_MEMBER%3CBR%20%2F%3EErrorInternal%20%3A%20False%3CBR%20%2F%3EReportedBy%20%3A%20RDGateway%3CBR%20%2F%3ETime%20%3A%2005%2F10%2F2019%2017%3A05%3A32%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWindows%20Virtual%20Desktop%20DNS%20name%20-%20azure.DOMAIN.com%20was%20initially%20created%20because%20recommendation%20was%20to%20not%20have%20conflicting%20DNS%20names%20with%20tenant%2C%20which%20is%20DOMAIN.com%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-897375%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-897375%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F420663%22%20target%3D%22_blank%22%3E%40CraigSmith87%3C%2FA%3E%26nbsp%3B%3A%20Where%20was%20that%20recommendation%20made%20(to%20not%20match%20your%20AAD%20tenant%20name)%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-911138%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-911138%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3EThank%20you%20for%20the%20updates.%20Will%20there%20be%20any%20additional%20steps%20for%20us%20to%20perform%20if%20we%20already%20have%20the%20host%20pools%20with%20validation%20set%20to%20true%3F%20Hopefully%20your%20target%20of%20this%20month%20remains%20on%20track%2C%20I%20have%202%20clients%20that%20I%20would%20like%20to%20migrate%20to%20WVD%20as%20it%2C%20at%20least%20from%20the%20outset%2C%20looks%20to%20out%20perform%20their%20existing%20Citrix%20environment%20and%20a%20much%20lower%20cost.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-912948%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-912948%22%20slang%3D%22en-US%22%3ENo%20other%20steps%20will%20be%20necessary%2C%20aside%20from%20setting%20the%20pool%20to%20be%20a%20validation%20pool.%20I%20will%20keep%20you%20all%20updated%20on%20this%20thread.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-920111%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-920111%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20still%20encountering%20the%20issue.%20On%209%2F11%2C%20you%20wrote%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CEM%3EWe've%20completed%20step%20%231%20completely%20and%20%232%20is%20what%20we're%20implementing%2Fvalidating%20now.%20We%20expect%20this%20to%20complete%20and%20rollout%20within%20the%20next%20month.%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20we're%205%20weeks%20out%20from%20there%20now%20and%20there%20is%20still%20no%20fix...and%20it%20seems%20like%20it's%20not%20even%20available%20in%20validation%20environments%20yet.%20Is%20this%20correct%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20also%20decided%20to%20go%20GA%20with%20a%20product%20that%20can't%20support%20basic%20usage%20(deleting%20a%20user%20account%20and%20recreating%20it...or%20just%20renaming%20a%20user)...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20really%20like%20to%20understand%20what's%20going%20on%20here.%20Is%20there%20any%20update%20here%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-934847%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-934847%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewould%20like%20to%20add%20to%20this%20thread.%20I%20also%20have%20deployed%20WVD%20in%20view%20of%20rolling%20it%20out%20for%20our%20business%20but%20when%20I%20try%20and%20add%20new%20user%20directly%20to%20AAD%20(we%20have%20no%20AADC%20sync)%20it%20is%20failing%20with%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EErrorSource%20%3A%20RDBroker%3CBR%20%2F%3EErrorOperation%20%3A%20OrchestrateSessionHost%3CBR%20%2F%3EErrorCode%20%3A%20-2146233088%3CBR%20%2F%3EErrorCodeSymbolic%20%3A%20ConnectionFailedUserSIDInformationMismatch%3CBR%20%2F%3EErrorMessage%20%3A%20User%20xxx%40xxx.net%3A%20SID%20information%20in%20the%20database%20'S-1-5-21-1382006385-1486747441-1399156625-1111'%20does%20not%20match%20SID%20information%20returned%3CBR%20%2F%3Eby%20agent%20'S-1-5-21-1382006385-1486747441-1399156625-1129'%20in%20the%20orchestration%20reply..%20This%20scenario%20is%20not%20supported%20-%20we%20will%20not%20be%20able%3CBR%20%2F%3Eto%20redirect%20the%20user%20session.%3CBR%20%2F%3EErrorInternal%20%3A%20False%3CBR%20%2F%3EReportedBy%20%3A%20RDGateway%3CBR%20%2F%3ETime%20%3A%2023%2F10%2F2019%2012%3A48%3A50%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%3A%26nbsp%3BWould%20appreciate%20idea%20of%20when%20this%20will%20be%20fixed.%20Like%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F388293%22%20target%3D%22_blank%22%3E%40jeffb8%3C%2FA%3E%26nbsp%3Band%20others%2C%26nbsp%3BI've%20tried%20everything%20(even%20deleting%2C%20adding%20user)%20but%20nothing%20works.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-954109%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-954109%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F431716%22%20target%3D%22_blank%22%3E%40antonywm%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EOnce%20a%20user%20is%20messed%20up%20in%20this%20state%2C%20it%20is%20completely%20impossible%20to%20correct%20the%20situation%20yourself.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20get%20into%20this%20state%20in%20many%20many%20different%20ways%2C%20ranging%20from%20AADC%2FAADS%20hybrid%20deployments%2C%20to%20recreating%20a%20deleted%20user%2C%20to%20using%20a%20Microsoft%20account%20to%20sign%20in%2C%20to%20moving%20from%20one%20AAD%20tenant%20to%20another.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20mechanism%20WVD%20uses%20for%20user%20info%20persistence%20is%20fundamentally%20unstable%20and%20unsound%20and%20it%20seems%20that%20no%20one%20on%20the%20Microsoft%20team%20has%20understanding%20of%20Azure%20AD%20(or%20maybe%20the%20Azure%20platform%20as%20a%20whole).%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-968427%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-968427%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Blast%20day%20of%20the%20month.%20Any%20news%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20add%20that%20this%20does%20not%20work%20with%20accounts%20sourced%20from%20local%20AD%20when%20converting%20users%20to%20cloud%20by%20disabling%20AD-connect%20either..%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-980263%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-980263%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%20%3A%20A%20fix%20has%20been%20rolled%20out%20to%20production%20for%20this%20issue.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-983235%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-983235%22%20slang%3D%22en-US%22%3E%3CP%3EFantastic!!%20I%20just%20successfully%20logged%20into%20a%20desktop%20session%20on%20an%20account%20that%20was%20previously%20not%20working%20due%20to%20the%20SID%20issue%2C%20no%20reconfiguration%20required%20beforehand%2C%20literally%20just%20tried%20the%20login%20again%20and%20it%20worked%20perfectly.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-991297%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-991297%22%20slang%3D%22en-US%22%3EGreat%2C%20will%20test%20-%20thanks.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-993520%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-993520%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F139744%22%20target%3D%22_blank%22%3E%40Eva%20Seydl%3C%2FA%3E%26nbsp%3Bgreat%20news!%20Things%20are%20working%20now.%20Thank%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005146%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005146%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F139744%22%20target%3D%22_blank%22%3E%40Eva%20Seydl%3C%2FA%3E%3C%2FP%3E%3CP%3EHi%20Eva%2C%20%3CFONT%3Eunfortunately%20this%20fix%20did%20not%20resolve%20our%20sign-in%20issues.%20It%20did%20change%20the%20error%20code.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EWe%20have%20migrated%20all%20our%20users%20to%20Microsoft%20365%20Business%20(synced%20from%20AD%20to%20Azure%20AD%20and%20afterwards%20removed%20Azure%20AD%20Connect)%20then%20configured%20%3CFONT%3EAADDS%20and%20WVD.%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3E%3CFONT%3EWe%20can%20succesfully%20signin%20on%20the%20Microsoft%20Remote%20Desktop%20application%20and%20from%20there%20we%20can%20connect%20to%20our%20WVD%20Hostpool.%20When%20entering%20username%20and%20password%20the%20Remote%20Desktop%20seems%20to%20initiate%20the%20connection%20but%20keeps%20prompting%20for%20username%20and%20password%2C%20without%20any%20error.%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EGet-RdsDiagnosticActivities%20states%20the%20following%3A%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%3EActivityId%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20%23%23%23%23%23%23%23%23%23%23-f64b-405f-a79a-%23%23%23%23%23%23%23%23%23%23%23%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%3EActivityType%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20Connection%3CBR%20%2F%3EStartTime%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%2013-11-2019%2012%3A46%3A03%3CBR%20%2F%3EEndTime%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%2013-11-2019%2012%3A46%3A11%3CBR%20%2F%3EUserName%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20user%40domain%3CBR%20%2F%3ERoleInstances%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20computername%3B%E2%89%A4%E2%89%A5%3CBR%20%2F%3EOutcome%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20Success%3CBR%20%2F%3EStatus%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20Completed%3CBR%20%2F%3EDetails%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20%7B%5BClientOS%2C%20WINDOWS%2010.0.18362%5D%2C%20%5BClientVersion%2C%201.2.431.19493%5D%2C%20%5BClientType%2C%20com.microsoft.rdc.win%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20dows.msrdc.x64%5D%2C%20%5BPredecessorConnectionId%2C%20%5D...%7D%3CBR%20%2F%3ELastHeartbeatTime%20%3A%2013-11-2019%2012%3A47%3A43%3CBR%20%2F%3ECheckpoints%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20%7BTransportConnecting%2C%20TransportConnected%2C%20RdpStackDisconnect%2C%20OnCredentialPromptInvoke...%7D%3CBR%20%2F%3EErrors%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%20%3A%20%7B%7D%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EWe%20also%20tried%3A%20%3C%2FFONT%3E%3CFONT%3ESet-RdsHostPool%20-TenantName%20XX%20-Name%20XX%20-ValidationEnv%20%24true%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3EI'm%20not%20sure%20where%20to%20look%20from%20here..%20%3C%2FFONT%3E%3CFONT%3EWhat%20fix%20has%20been%20rolled%20out%3F%20Are%20there%20any%20specifics%20about%20this%20fix%3F%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%3Ebtw%20newly%20created%20users%20seem%20to%20work%20ok.%20so%20only%20the%20synced%20user%20have%20this%20issue.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005607%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005607%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3EThis%20fixed%20it%20for%20us%20to.%20After%20it%20was%20implemented%20everything%20started%20working%20without%20having%20to%20do%20anything.%3CBR%20%2F%3E%3CBR%20%2F%3ECheers%2C%3CBR%20%2F%3ERich%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1005808%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1005808%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F456561%22%20target%3D%22_blank%22%3E%40rdoorduin%3C%2FA%3E%26nbsp%3B%3A%20For%20this%20scenario%2C%20I%20recommend%20filing%20a%20support%20ticket%2C%20as%20the%20fix%20that%20was%20rolled%20out%20should%20cover%20all%20of%20the%20standard%20cases.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1032379%22%20slang%3D%22en-US%22%3ERe%3A%20%5BAnnouncement%5D%20Connectivity%20issues%20from%20synchronized%20users%20to%20VMs%20joined%20to%20AAD%20DS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1032379%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20the%20fix.%20Can%20you%20please%20share%20the%20details.%20What%20needs%20to%20be%20done%20to%20resolve%20this%20issue.%20Please%20explain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E
christianmontoya
Microsoft

Hi everyone, thanks for the continued testing of WVD. We’ve seen multiple connection errors with UPN when connecting to VMs joined to Azure AD Domain Services. We’ve done some preliminary investigations and figured out which scenarios are currently affected and which scenarios should continue to work.

 

Works

Logging into VM joined to Azure AD DS instance with Azure AD user sourced from Azure Active Directory (aka, New user created just in Azure AD).

 

Does not work (and investigating fix)

Logging into VM connected to Azure AD DS with Azure AD user sourced from Windows Server AD (aka, synchronized to Azure AD through Azure AD Connect).

 

You will see an error in the Diagnostics similar to below:

ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the
orchestration reply from the agent for user ≤user1@contoso.com≥ with Id
54a45a4c-41ad-4374-5e41-08d6e4d9acde. This scenario is not supported - we will not be able to
redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 7/16/2019 3:17:24 PM

 

Workaround

If your setup matches the description but you would still like to test, we suggest creating cloud users in Azure Active Directory for the time being.

 

Resolution

No current ETA, but working towards a fix.

 

How to check where your user is sourced from

You can navigate to the Azure AD portal or the Azure Active Directory blade in the Azure portal, then go to users:

aaduser.PNGLocate where the Azure AD user is sourced.

76 Replies
Highlighted

@christianmontoya 

I know before the post that Cloud ID only is working but that is not valid for our production POC

i been testing with cloud ID only and that works , further more the issue with synced account, it looks like recently (because this was working before) you doing  SID check between the azure synced account and the account in azure DS and that will not match. i'm wondering if the scenario without azure DS , i mean extending AD to the cloud and join the virtual desktop machines to the same domain will have the same issue or not for synced user account.

@ashro2 : Thanks for the clarifying question, but no, the issue will not replicate if you have a hybrid setup and are joining your virtual machines to the domain that is syncing up the users with Azure AD Connect. The primary issue lies in the SID check, and that Azure AD DS creates a new SID (by design) for the users that it creates on the managed domain services instance.

@christianmontoya 

Thanks   i came to the same conclusion when looking ate the object SID in AAD and Azure DS and the Mismatch. i have 2 comments 

1. this check was introduced recently because this scenario was working before , is it possible to trun off this check of the SID? I saw the feedback on the form suggested moving the pool to validation pool where you deployed a fix for the issue but looks like that is not working as well. so is there a way to trun off this check i can do in my side?

 

2. is there a way to modify the Azure DS object SID to match AAD ? we don't have much control over the object in Azure DS I realized ?

 

it will be great if we can manually turnoff this SID check manually at least for testing

@ashro2 : Unfortunately, it's not quite as simple as turning off the check since this check was implemented to stabilize the reconnection scenarios so that users get redirected back to a previously existing session (as opposed to get a new session).

 

I'm not sure if there's a way to manipulate the SIDs, but we're investigating all possible options right now.

 

Thank you for the feedback and dialogue though. We want to unblock testing, but also do not want to leave users in a bad state.

@christianmontoya So no workaround for this scenario since the SID check is active now and according to you no ETA too. that's a bit disappointing! 

I know the service is currently in preview, but i find the fact that this bug took multiple weeks to identify and acknowledge is a bit worrying for the state/future of AAD DS (that we rarely deployed before WVD).

Are there so few orgs using AAD DS ? Should we drop it and extend on-prem ADs to Azure LAN for WVD instead ?

@Bazam Chekrian Valappu : Yes, we solved one failing behavior but now it's hindering another, but definitely working to achieve both.

@Arthur GERARD : I wouldn't say that no one is using Azure AD DS or that it's not a viable solution. Primarily, understanding this failing scenario is an intersection of where customers are today and how they are piloting Windows Virtual Desktop with just cloud users (before trying to extend this with a full site-to-site on-prem infrastructure).

 

Between using Azure AD DS or extending existing domain structure to Azure, it depends on your scenarios you're targeting. You have much more flexibility by extending, since you can use Federation, Passthrough Authentication, or password hash (whereas AAD DS only works with password hash). Not sure if you've already seen this comparison article.

@christianmontoyaThat makes sense, thank you.

Is "Azure AD join" on the roadmap for WVD ? Or will AAD DS continue to be the lightest deployment for our SMB customers ?

@Arthur GERARD : Azure AD Join is definitely a scenario we want to support and we're in the initial investigation stages, as it's a larger change from how VDI/RDS has worked in the past. Unfortunately, this feature is not something that will make it into our initial GA. We will continue to update these forums and our Docs site as we have more information on this scenario, and other new ones.

Just checking if there's any ETA on the fix for the initial problem in this thread. Thanks.

@christianmontoya 

 

Hi Christian,

 

I seem to be experiencing the exact same error in a test environment. However, the user is sourced from Azure Active Directory.

 

I would be happy to help troubleshoot since I have clients looking forward to WVD. below is some info that might be relevant and if you need identifying tenant info I'll be happy to send via PM:

 

ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user ≤username≥ with Id <id>. This scenario is
not supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 7/28/2019 14:17:15

 

TenantName : IC-WVD2
TenantGroupName : Default Tenant Group
HostPoolName : Desktop
FriendlyName :
Description :
Persistent : False
CustomRdpProperty :
MaxSessionLimit : 999999
LoadBalancerType : BreadthFirst
ValidationEnv : True
Ring :

Hi,

We have just noticed the same problem in our test environment.

But a strange thing is that it only affects one of the 17 pilot users.

 

The users were synced from a local AD to Azure AD.

Azure AD connect sync was removed 1 year ago.

Azure AD services was setup to support the WVD environment.

Users envolved in pilot had to reset their passwords and could then logon.

 

But now, one user gets the error message:

SID value in the database is different than the value returned in the orchestration reply from the agent for user...

 

The Hostpool is in "validation" 

<#

ErrorSource      : RDBroker
ErrorOperation    : OrchestrateSessionHost
ErrorCode        : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage      : OrchestrateAsync: SID value in the database is different than the value returned in the orchestration reply from the agent for user ≤a.b@domain.se≥ with Id b663bb3d-3f67-42e9-f891-08d6fb3eb712. This scenario is not supported - we will not be able to redirect the user session.
ErrorInternal    : False
ReportedBy        : RDGateway
Time              : 2019-07-18 09:36:42
 
ErrorSource      : Client
ErrorOperation    : ClientRDPConnect
ErrorCode        : 2147965400
ErrorCodeSymbolic :
ErrorMessage      : Your computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.
ErrorInternal    : True
ReportedBy        : Client
Time              : 2019-07-18 09:36:42

#>

 

 

@christianmontoya would be great to get an update on when this will be fixed - we were happily using this with this setup then in abruptly broke and we've been investigating on and off as time allowed ever since.

 

Now i stumbled across this issue (after finally figuring out how to debug what was going wrong). Do we have an ETA as this is now a total block on us using WVD.

 

I'm really disappointed as this is the 2nd major stumbling block - we've fully adopted Azure AD and the lack of support for Azure AD join is the other one.

 

This can be such a good solution it's just so frustrating.....

Is there a way to identify the public IP range used by azure virtual desktops to communicate with external resources such as O365

Services . this is required to apply some azure  access control policy

Thanks

@christianmontoya  Same issue for one of test Azure-born user, the second one (Azure-born as well) still works fine.

Any update on a resolution? This is a hard blocker for us.

The workaround only works with NEWLY CREATED users - meaning I cannot delete a Windows Server AD user, then recreate with the same username as an Azure AD sourced user. It seems like Windows Virtual Desktop permanently stores the upn and sid in its database....so deleting and recreating the user in Azure AD doesn’t help...

@jeffb8  @Richard Harrison @Integral-Consulting @rhythmnewt @Alex Ignatenko : Hi everyone, apologies for this thread going a bit quiet. We've done investigations and started implementing the fix, but will take time to roll into production. Once I get a better date, I will reach out here so you all can continue your testing!

 

Since we roll out in phases, I'd highly recommend setting up a host pool for validation, as this will be the first place to test.

 

Again, thanks all and we're definitely trying to get this fix rolled out as soon as we can.

@Torbjörn Granheden : As it stands now, the issue stems from the SID's being synchronized as part of the Azure AD token and then receiving a different one through Azure AD Domain Services. Are you aware of any difference of properties between this 1 user and the other 16?

@Arthur GERARD : Azure AD Join is in our backlog. We've heard overwhelming interest for this, and we want to align with Azure AD Join/Intune as a means of deploying and managing Windows. We don't have any specific dates on this, but we definitely want to supporting this as a scenario down the road.

Thanks. Is there an eta for when a fix will be available to host pools in validation mode?

If not, is there any way to submit a support request to get you to delete stale user accounts from your sql azure database or is this exposed in any way? It would at least allow us to proceed with testing if there was a way to recreate the user accounts with problems. As I mentioned above - today we can’t even delete/recreate the user. It has to be created as a cloud only user with a different upn...

Hola @christianmontoya, thanks for the information.

 

In my case, the scenario and behavior are the following:

 

I have an Active Directory On-Premise synchronized to Azure Active Directory through ADConnect. In Azure I have implemented an Azure Active Directory Domanin Services (AADDS). Both directories are synchronized (ADDS and AADDS) through the AAD. I have password hashes replication set. I implemented a WVD HostPool.

 

To perform tests with my synchronized users, I have also created Cloud users (AAD only).

 

Both types of users allow me to connect the most virtual machines of the WVD HostPool through RDP. However, when I try to use the WebClient through the URL https://rdweb.wvd.microsoft.com/webclient/index.html both types of users can log in with their AADDS and AAD credentials. But by selecting applications to log in to them, only users created in the cloud (in AAD) can successfully start; synchronized users from ADDS get the error from the following image:

 

Error.png

 

The log error for synced users is the follow:

 

ActivityId : e5eaa99a-0873-4e39-9063-d39e511c0000
ActivityType : Connection
StartTime : 12/08/2019 5:09:12 p. m.
EndTime : 12/08/2019 5:09:18 p. m.
UserName : F21212121@fvl.org.co
RoleInstances : rdwebclient;mrs-eus2r0c002-rdgateway-prod-staging::RD2818788A5384;mrs-eus2r0c001-rdbroker-prod-staging::RD2818782C7086;≤WVDSH-0.fvl.org.co≥
Outcome : Failure
Status : Completed
Details : {[ClientOS, Win32 Chrome 76.0.3809.100], [ClientVersion, 1.0.18.5], [ClientType, HTML], [PredecessorConnectionId, ]...}
LastHeartbeatTime : 12/08/2019 5:09:19 p. m.
Checkpoints : {LoadBalancedNewConnection, TransportConnected, TransportConnecting}
Errors : {Microsoft.RDInfra.Diagnostics.Common.DiagnosticsErrorInfo}

 

Is the same error that you are describing in this post?

 

Thanks a lot for your response.

 

Paul Pedroza

 

 

@christianmontoya 

 

any updates? we are hard blocked in terms of using Windows Virtual Desktop

@christianmontoyaI have checked with every powershell cmdlet i can think of, but the users are identical configured. I have compared with another user that was hired at the same time (2014). And also has been migrated from an onprem AD to an Azure AD only environment. The ad connect was removed a year ago ish. The Azure Domain Services was setup to support WVD preview in June.

My user is on vaccation and I cannot get an answer if it still is an issue or if it has been solved by agent update.

 

But, you should think of a rollback of the sid verification and do a rearchitect.
If it is so much trouble for preview users, how will this work for GA?

/Mr T-Bone

@christianmontoya  Any update on this  ? As others have reported we are at a stand still. 
Synced from on-premise aren't working.  I have tried validation pools and still no luck with Sync accounts. 

 

 

Seems like we’re in store for a repeat of Azure RemoteApp.

@christianmontoyaAnother week without status update?

Any progress of getting the WVD working again for all of us with Azure DS?

 

I have only one user out of 30 pilots that get sid failure?

  • Cannot see any different attributes on this specific user compared with another user created same week.
  • Both accounts created 3 years ago in a local AD.
  • Synced to Azure AD with AD connect.
  • Local AD and Azure AD connect dismounted and retired 12 month ago.
  • Azure DS started for WVD 3 months ago.

 /Mr-Tbone

 

/Torbjörn

@Torbjörn Granheden  @cititechs  @jeffb8 : Thanks for being patient with us. As an update, we've identified the issue and have taken the first step to solving it, just that's a multi-phase fix/roll-out.

 

Also, to address some of the feedback, in order to login users and work between cloud/on-prem accounts, there are only so many interfaces and returned values that the system gives us for logon. And, unfortunately, it wasn't as easy as rolling back because then we would then have other sets of users be unable to reconnect to existing sessions.

 

Will hope to have another update soon regarding the full fix.

@jeffb8 : Just to get more clarity, is it primarily this issue that you think will make it the next Azure RemoteApp? Is there other functionality that we're missing, should be focusing on, or should be fixing?

Hi @christianmontoya ,

 

The validation pool seems like a good idea (https://docs.microsoft.com/en-gb/azure/virtual-desktop/create-validation-host-pool)

 

However to make that really viable we need a schedule of upcoming releases to know when we should be validating (and potentially what specific areas to check). Is that something that is also going to be published?

 

Some control of when updates are pushed would also be very useful - for example if we find an issue during validation can we prevent that being pushed to our environments or would if just get pushed anyway after some timeout period?

 

Cheers,

Rich

@christianmontoya- one other thing to just mention - we recently had some other issues with AADDS and in conversations with the product group there they told us there is a new version of the sync process planned (quite soon I think) from AAD to AADDS - not sure if this helps you in any way with the issues you have - perhaps if you have any requirements for changes these could be included in what that team is doing?

@Richard Harrison : Great questions! We definitely intend to push out notice of things coming out the validation pool so it can be tested. We have done this in limited capacity and to smaller groups of customers, but we intend to use this more. We have also not pushed a build all the way to the general population due to issues we've seen in validation, so we plan on using it exactly like you're expecting.

 

And thank you for the notification. Will bring this up with the Azure AD DS team.

@christianmontoya I have deleted and re-created my WVD test environment several times, now I can't longer log in even with users created directly in the Azure cloud, with these accounts, the users before could login. I can no longer log in with synchronized users from my AD On-Premise (ADDS -> AAD -> AADDS) nor with the old ones created directly in Azure (AAD -> AADDS). I can only use the scenario if I create new users in Azure.

 

ErrorSource : RDBroker
ErrorOperation : OrchestrateSessionHost
ErrorCode : -2146233088
ErrorCodeSymbolic : ConnectionFailedUserSIDInformationMismatch
ErrorMessage : User wahtever@whatever: SID information in the database 'S-1-5-21-1201331163-3862359571-1670876360-8430' does not match SID information returned by agent
'S-1-5-21-1194805571-575163812-3500997978-1549' in the orchestration reply.. This scenario is not supported - we will not be able to redirect the user session.
ErrorInternal : False
ReportedBy : RDGateway
Time : 28/08/2019 3:24:57 p. m.

@christianmontoya

This issue specifically is **extremely** concerning - because this isn’t an edge case; this is a fundamental architecture/database design problem in how you uniquely identify users.

You don’t need to get AAD Domain Services or any other complicated scenario in the mix to reproduce this problem. All you need to do is delete **any** user in **any** kind of environment and then create a new one with the same upn. And bam, that user is screwed...forever.

Deleting and recreating the tenant doesn’t help any, which tells me that user registration data is stored independently of tenant data. This will lead down an avenue of problems with no end. There are alternative architectural approaches that would likely be more reliable.

@jeffb8 @christianmontoya 

 

I can attest this! It seems like a flaw in design.

 

What happend to me is the following:

I had a user in my old Azure AD tenant. lets call it tenant A, with a UPN of user@domain.com and used WVD succesfully there.

 

Now I moved my domain.com to another Azure AD tenant, tenant B. Setup Azure ADDS there and tried to login with a user with UPN user@domain.com, so the exact same UPN of the user that existed in tenant A. although offcourse it doesn't exists in tenant A anymore.

What I saw when I logged in, was the WVD tenant with the published desktops that I created in my Azure AD tenant A! AND I saw my new WVD tenant with the published desktops that I created in my Azure AD tenant B.

 

Now, when I tried to sign-in to the desktops from the new tenant B, I get the same error as everyone else, that the SID doesn't match with the one in the database. 

Yes, I can understand that it doesn't match if you still saved the SID from the user in tenant A. But this is a completely new user in tenant B.

 

Just like JeffN825 already concludes, this means that the user data is independent from the tenant data, which seems strange to me.

Also, I would like some way to delete my old user with its SID from this backend database.

@christianmontoya 

 

With each day that passes with no meaningful reply on this issue, I become more skeptical that the right team (one with extensive experience in distributed, AzureAD based authentication and authorization) is working on this product. I also wonder if the lack of/delay in reply is indicative of the team taking a pause to re-evaluate if they can successfully develop this solution...?

 

Is there any information you can provide that might alleviate this concern? 

I'm trying to add users from a 'invited user' source or from an 'external aad' source to a remoteapp group using powershell. I notice that only users created directly in AAD can be added, but externals or invited ones cannot. I keep getting the error  "The specified UserPrincipalName does not exist in the Azure AD associated with the RD tenant.".

 

Can anyone confirm if these external users or invited users should work with WVD? 

@Marcel A' Campo - external users can't work with WVD because they are not replicated via Azure AD Domain Services to the managed AD domain.

@christianmontoya

 

This issue a showstopper for us.  We're trying to roll out VDI for thousands of users globally.... but the inability to automate handling of multiple security identifiers is a bit deal.

 

Glad I encountered this now, instead of 2 months from now when a single user identity will exist in AADDS, AzureAD, and ADDS.  

 

@DubC85 @jeffb8 @Marcel A' Campo @Roel Everink @pau_pedroza @Torbjörn Granheden @cititechs / All :

 

To provide an update, we're still working on this fix. As alluded to before, the fix is 2 steps:

1. To create and populate the fields

2. To adjust the logic to use these fields

 

We've completed step #1 completely and #2 is what we're implementing/validating now. We expect this to complete and rollout within the next month.

 

This may still seem like a long time out, but we do want to be more cautious on the rollout and ensure we don't break user connections like the changes we made that landed here. There is always an option to push straight to production, but that also doesn't help us if there's another case that we missed and if we did quick validation.

 

Ultimately, we realize that this has led to the inability to quickly test out the service using Azure AD DS. Once the fix is live, you should be quickly unblocked, re-start efforts to evaluate the product as you need, and hope to see continued feedback as you have been so far on TechCommunity so far.

 

We will post back here as we progress further in the fix and when we have this available in the validation pools to test.

@christianmontoya 

 

Another month - alright.  Still paying for the actual resource (that doesn't work)...have been for several months now.  This has become very disappointing.  Standstill - Business Units waiting on the solution - complaining about chargebacks for the resource (that doesn't work) will be the next thing.

 

Please guys - get this fixed.

Hi @christianmontoya , is there any news on this?

This is a hard block for us as well!

@christianmontoya

Can you share some technical details on what these fields are and how they are used? Any details that would inspire confidence in the solution you’ve designed would be helpful.

@christianmontoya thanks for the update. 

 

We are waiting to deploy WVD with Azure AD DS and if I understand correctly it will be possible once the second fix is rolled out? We have host pools set as "Validation" host pools, can we hope to get the fixes out sooner to these hostpools?

 

Cheers,

Joakim

@Joakim Westin - I wouldn't count on this fixing the underlying issue. From the description of the fix, it sounds like it will just work around it for some situations.

@jeffb8 : Essentially, there are three pieces of information we need for processing the new or reconnecting user connection:

1. UPN in Azure AD token

2. SID in Azure AD token

3. SID that the on-premises domain sends back when it matches up the user

 

Everything is based according to the UPN, as that is provided in all tokens. The fixes will:

1. Update the SID for the UPN (accounts for user migration on premises or new instantiations of Azure AD DS for users sourced in Windows Server AD)

2. Update the SID that the on-premises domain sends back when it matches up the user, which is needed for manual/auto-reconnect scenarios.

 

We definitely hear feedback on "why SID?", but unfortunately that is needed for current logon APIs if we want to provide a consistent re-connect experience that can get triggered even if you lose Internet connectivity for a brief second or switch wireless networks.

I don’t understand how this will resolve the underlying issue, which is as simple to reproduce as deleting and recreating a user. Or deleting an AAD DS domain and recreating it. It seems that would still be broken after this fix.

Further, you say
“2. Update the SID that the on-premises domain sends back when it matches up the user, which is needed for manual/auto-reconnect scenarios.”

First - I assume you mean the RDSH agent? If so, how is the agent going to get the token for the current AAD user (which contains the SID you want)? If what you mean is that you’re going to try to silently acquire a token from the agent as the user...please don’t. The user could be subject to MFA policies which would muck you up even further...
Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies