
Requirement to have an on-prem AD


Looking at the documentation, it seems an on-premises AD is required for Windows Virtual Desktop in Azure and Azure domain join is not supported. Can anyone confirm if that's definitely the case? It seems poor to have a new cloud service launched that has a dependency on on-prem AD.


@Johan_Eriksson 

 

Hi, I am just curious how you got it to work with AAD DS. My deployment keeps failing on /dscextension with the error:

"PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."

Everywhere I have been searching says it's not possible with AADDS.

Thanks for the help

 

@Stavros Mitchell 

Hi Stavros,

 

I do not think I did anything special. I simply followed the steps to add AADDS in a very detailed fashion. (I assume you also have done that and verified that you can join a computer to the domain)

 

FYI: I am using 2016 datacenter as the base for my session host image. 

 

I then followed the detailed steps in the https://docs.microsoft.com/en-us/azure/virtual-desktop/ tutorial.

(Go back and re-read it and make sure you have not missed any steps.)

 

FYI: I used the following options

- Shared desktop

- 2 VM

- Pretty much default all the way.

 

I have tested many times and never had any problems even when moving to ARM Template use.

 

Again - very hard to speculate on what problem you may be hitting, but maybe it is not related to AADDS use.

 

Hope this can help in some small way.

 

Cheers,

Johan

@Johan_Eriksson 

 

Thanks for your quick reply. The only thing I am doing differently is that I was using the Windows 10 Enterprise multi-session image, whereas you are using Server 2016 Datacenter. I wonder if that could be causing the issue.

@Stavros Mitchell : It should not matter which OS you're basing it off of. With the error you're hitting, make sure that you can install the PowerShell locally and connect with the same username or service principal. If it's a user and requires MFA, then deploying the Azure Marketplace offering will fail because MFA cannot happen in the background.

@Josh Bender 

 

Thanks. I have this working now using Azure ADDS. The documentation seemed a bit unclear when I first looked at it.

How were you able to get the machine to connect to the domain? Mine failed on domain join; I'm wondering if I can somehow do it manually.

@HandA Did you get it to work without the need for on-premises AD or AD Connect?

I keep getting the following deployment fail error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.","details":[{"code":"Conflict","message":"{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'joindomain'. Error message: \\\"Exception(s) occured while joining Domain 'mnetpr.com'\\\".\"\r\n }\r\n ]\r\n }\r\n}"}]}

@Alberto Rodriguez : Do you have access to those VMs? If you can RDP into them, please look at C:\Packages and navigate down to the JsonADDomainExtension folder, you should be able to find a "status" file (or equivalent). If you open it up, it will typically give you the reason that it errored out. Unfortunately, I do not have too many details at the moment because the documentation on the extension is fairly light.

@Christian_Montoya [{"version":"1","timestampUTC":"2019-05-02T15:37:19.805151Z","status":{"name":"ADDomainExtension","operation":"Join Domain/Workgroup","status":"error","code":1,"formattedMessage":{"lang":"en-US","message":"Exception(s) occured while joining Domain 'azure.mnetpr.com'"},"substatus":[{"name":"JoinDomainException for Option 3 meaning 'User Specified'","status":"error","code":1,"formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='azure.mnetpr.com', ou='', user='arodriguez@azure.mnetpr.com', option='NetSetupJoinDomain, NetSetupAcctCreate' (#3 meaning 'User Specified'). Error code 1326"}},{"name":"JoinDomainException for Option 1 meaning 'User Specified without NetSetupAcctCreate'","status":"error","code":1,"formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='azure.mnetpr.com', ou='', user='arodriguez@azure.mnetpr.com', option='NetSetupJoinDomain' (#1 meaning 'User Specified without NetSetupAcctCreate'). Error code 1909"}}]}}]
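One way to read the extension status file Christian points to under C:\Packages and turn the raw Win32 codes in Alberto's output into readable text. This is an added example, not code from the thread or from Microsoft; the recursive search under C:\Packages is an assumption about where the extension writes its status, and the sample JSON is Alberto's status trimmed to its two join attempts.

```powershell
# Added example (not from the thread). Parses a JsonADDomainExtension status file and
# resolves the "Error code NNNN" in each substatus via the Win32 message table.
# Assumption: status files are *.status JSON somewhere under C:\Packages.

function ConvertFrom-DomainJoinStatus {
    param([Parameter(Mandatory)][string]$Json)
    $entries = $Json | ConvertFrom-Json
    foreach ($entry in @($entries)) {
        # One substatus per join option the extension tried
        foreach ($sub in @($entry.status.substatus)) {
            $msg  = $sub.formattedMessage.message
            $code = if ($msg -match 'Error code (\d+)') { [int]$Matches[1] } else { $null }
            # Win32Exception carries the system message for a Win32 error code
            $text = if ($null -ne $code) { ([System.ComponentModel.Win32Exception]::new($code)).Message } else { '' }
            $user = if ($msg -match "user='([^']*)'") { $Matches[1] } else { '' }
            [pscustomobject]@{
                Timestamp = $entry.timestampUTC
                Attempt   = $sub.name
                User      = $user
                Code      = $code
                Meaning   = $text   # e.g. 1326 = bad user name/password, 1909 = account locked out
            }
        }
    }
}

function Get-DomainJoinStatusFromVm {
    param([string]$PackagesRoot = 'C:\Packages')   # assumed extension root on the session host
    Get-ChildItem -Path $PackagesRoot -Recurse -Filter '*.status' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match 'JsonADDomainExtension' } |
        ForEach-Object { ConvertFrom-DomainJoinStatus -Json (Get-Content -Path $_.FullName -Raw) }
}

# Constructed sample: Alberto's status output, trimmed to the two join attempts
$sample = @'
[{"version":"1","timestampUTC":"2019-05-02T15:37:19.805151Z","status":{"name":"ADDomainExtension","operation":"Join Domain/Workgroup","status":"error","code":1,"substatus":[
 {"name":"JoinDomainException for Option 3 meaning 'User Specified'","status":"error","code":1,"formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='azure.mnetpr.com', ou='', user='arodriguez@azure.mnetpr.com', option='NetSetupJoinDomain, NetSetupAcctCreate' (#3 meaning 'User Specified'). Error code 1326"}},
 {"name":"JoinDomainException for Option 1 meaning 'User Specified without NetSetupAcctCreate'","status":"error","code":1,"formattedMessage":{"lang":"en-US","message":"ERROR - Failed to join domain='azure.mnetpr.com', ou='', user='arodriguez@azure.mnetpr.com', option='NetSetupJoinDomain' (#1 meaning 'User Specified without NetSetupAcctCreate'). Error code 1909"}}]}}]
'@

ConvertFrom-DomainJoinStatus -Json $sample | Format-Table -AutoSize
# On a failed session host, run Get-DomainJoinStatusFromVm instead of parsing $sample
```

Code 1326 on the first attempt and 1909 on the second is consistent with a bad credential followed by the lockout that repeated attempts trigger, which is why checking the join account's password and lockout state is the first thing to do.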

@Johan_Eriksson 

 

This worked for me - after adding a custom domain and changing the admin user from the onmicrosoft.com address.

 

M. 

I think you are getting this error because the user you provided as tenant admin while deploying the host pool has not yet been added to the Windows Virtual Desktop application as a tenant creator.
You can check if the user is already added from here:
Go to Active Directory -> Enterprise Applications -> Windows Virtual Desktop -> Users and groups

I am currently syncing users and groups with password hash sync (from on-prem AD to cloud).

To deploy WVD, do I also have to enable single sign-on and pass-through authentication and have Domain Services running in Azure?

@aferinga 

I am currently syncing users and groups with password hash sync (from on-prem AD to cloud).

To deploy WVD, do I also have to enable single sign-on and pass-through authentication with AD Connect and have Domain Services running in Azure?

@rpextech 

@LA99-999_ : If you are using password hash sync, you should be good to go. Because you are already syncing the password hashes, you can choose either of the two options for your Active Directory in your virtual network:

a. Connect your network to your on-premises infrastructure with an ExpressRoute or Site-to-Site VPN, then domain-join your VMs to that Active Directory.
or

b. Enable Azure AD Domain Services in your Azure subscription, then domain-join your VMs to that Active Directory.

@Christian_Montoya @Josh Bender @Mike Amox
If we choose option "b.", does the scenario support hybrid Azure AD join for the VMs joined to Azure AD DS?
According to documentation for Azure AD Domain Services it is not supported to sync from Azure AD DS to Azure AD.

 

Any news on support for "100% cloud"? Would love to see this :)

@Marcel Biebricher : No, it does not. VMs domain-joined to the Azure AD DS instance cannot be configured to be hybrid, as Azure AD DS does not allow that.

 

We're continuing to investigate the "100% cloud" scenario, but nothing to report at this time.

Any news on this? I'm testing out WVD on an Azure trial for potential use and running into the issue where I can't deploy using Azure ADDS only.

I have WVD running in a production environment and it is critical to the business. What I can say to get this going with AADS: you need to set up just about everything in PowerShell first, then do your deployment. There is a document floating around here that helped me greatly. @415Group_Ray