Apr 15 2020 04:32 PM - edited Apr 15 2020 10:56 PM
This guide walks an IT administrator through the steps needed to configure an existing Windows Virtual Desktop (WVD) hostpool with profiles stored on an Azure Files storage account. Authentication will be via a domain controller (aka native AD).
The diagram below represents the environment we are starting with:
The full guide for setting up Active Directory (AD) authentication over SMB for Azure file shares (AFS) is available here.
Global administrator on Azure AD is required to be able to assign RBAC permissions. Contributors cannot assign permissions to other users, as outlined here.
Account with Owner permissions on the Azure subscription.
Account that is part of Active Directory (AD). This account needs to be able to sign in to a VM that is joined to the domain and must have permission to create new accounts.
Note: all prerequisites must be met before continuing.
There are certain policies that may block creating and using the account that represents the storage account (for example, if maximum password length is set to less than 80 characters the AD will not accept the new account). Such policies need to be disabled for the OU where the AD account representing the storage account is to be created.
Prior to creating a storage account, the Azure Files tier must be selected. Azure Files offers two different tiers of storage, premium and standard, to allow you to tailor your shares to the performance and price requirements of your scenario:
Depending on the target performance, cost, and regional considerations, you can select the most appropriate performance tier for storing the user profile data. We have included our recommendation based on the performance of the typical remote desktop workload types.
| Workload type | File tier |
|---|---|
| Light | Less than 200 concurrent active users: Standard file shares. More than 200 concurrent active users: Premium file shares. You may also consider using Standard file shares with multiple shares if you are scaling up from existing Standard file shares or plan to manage scale out for cost efficiency. |
| Medium | Premium file shares |
| Heavy | Premium file shares |
| Power | Premium file shares |
You can leverage the guidance above and further optimize for your WVD scenario. Detailed information on Azure Files performance targets (Standard, Premium) and pricing is available to help you further fine tune the file share solution.
These steps need to be run from a machine that is already domain joined. In our environment this will be done from the VM running the domain controller.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Import-Module -Name .\AzFilesHybrid.psd1
Connect-AzAccount
Select-AzSubscription -SubscriptionId <subscription-id>
Important: the command below supports adding the new account to an organizational unit via the switches -OrganizationalUnitName and -OrganizationalUnitDistinguishedName. For more details, see the documentation here.
Join-AzStorageAccountForAuth -ResourceGroupName "<rg-name>" `
-Name "<sa-name>" `
-DomainAccountType "ComputerAccount" `
-OrganizationalUnitDistinguishedName "<ou-distinguishedname-here>"
# Grab the storage account object; the verification properties below are read from it
$storageAccount = Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>"
# Verify - List the directory service of the selected service account
$storageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
# Verify - List the directory domain information if the storage account has enabled AD authentication for file shares
$storageAccount.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties
At least one user, likely an administrator, will need to be assigned Storage File Data SMB Elevated Contributor. The administrator will be used to assign NTFS permissions on the file share.
For all users that need to have FSLogix profiles stored on the SA assign Storage File Data SMB Share Contributor. It is a best practice to create an AD group for all users that need to have FSLogix profiles.
To assign RBAC permissions:
Repeat the above steps for all users that need to have FSLogix profiles but change the role to Storage File Data SMB Share Contributor.
Note: the accounts being used here must be created in the domain controller and synced to Azure AD. Accounts sourced from Azure AD are not appropriate.
Once RBAC permissions have been assigned the next step is to configure the NTFS permissions. There are two pieces of information we need from the Azure portal to complete the NTFS permissions: the UNC path of the file share and the storage account key.
For example: \\customdomain.file.core.windows.net\<fileshare-name>
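The two role assignments described above, as an added PowerShell example that is not part of the original post. It assumes the Az PowerShell modules are loaded after Connect-AzAccount, that the angle-bracket placeholders are replaced, and that both the administrator account and the profile-users group are AD-sourced and already synced to Azure AD. The built-in role the post calls "Storage File Data SMB Elevated Contributor" is listed in Azure as "Storage File Data SMB Share Elevated Contributor", which is the name used here:

```powershell
# Added example: assign the Azure Files SMB data roles at storage-account scope.
# Placeholders in angle brackets are assumptions to be replaced with your own values.
$resourceGroup  = "<rg-name>"
$storageAccount = "<sa-name>"
$adminUpn       = "<admin-user>@<your-domain>"     # AD-synced admin who will set the NTFS ACLs
$profileGroup   = "<fslogix-profile-users-group>"  # AD-synced group of all FSLogix profile users

# Scope the assignments to this storage account only, not the resource group or subscription
$scope = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).Id

# Elevated Contributor for the one administrator who will manage NTFS permissions on the share
New-AzRoleAssignment -SignInName $adminUpn `
    -RoleDefinitionName "Storage File Data SMB Share Elevated Contributor" `
    -Scope $scope

# Share Contributor for the group containing every user whose profile will live on this share
$group = Get-AzADGroup -DisplayName $profileGroup
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName "Storage File Data SMB Share Contributor" `
    -Scope $scope

# Verify: list the SMB data-plane roles now assigned at this scope
Get-AzRoleAssignment -Scope $scope |
    Where-Object RoleDefinitionName -like "Storage File Data SMB*" |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Assigning the Share Contributor role to a group rather than to individual users keeps the role assignment list short and means onboarding a new user is an AD group membership change rather than a new RBAC assignment.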
From the VM running the domain controller open the command prompt.
Run the command below to mount the Azure file share and assign it a drive letter
net use <desired-drive-letter>: <UNC-path> <SA-key> /user:Azure\<SA-name>
Use Windows File Explorer to grant full permission to all directories and files under the file share, including the root directory.
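The mount-and-permission procedure above, as an added PowerShell example that is not part of the original post. It assumes the Az modules are loaded, that it runs on a domain-joined machine, and that the NetBIOS domain name and the two AD group names in angle brackets are replaced. Rather than "full permission" for everyone, it grants full control to an administrators group and only Modify on the root folder to profile users, with CREATOR OWNER covering what each user creates beneath it; that split is an assumption of this example, chosen so that one user cannot open another user's profile container:

```powershell
# Added example: mount the share with the storage account key and set NTFS ACLs with icacls.
# Run as the account that holds the Elevated Contributor role. Angle-bracket values are assumptions.
$resourceGroup  = "<rg-name>"
$storageAccount = "<sa-name>"
$shareName      = "<fileshare-name>"
$driveLetter    = "Z:"
$domain         = "<NETBIOS-DOMAIN>"                       # assumption: your AD NetBIOS domain name
$profileGroup   = "$domain\<fslogix-profile-users-group>"  # assumption: AD group of profile users
$adminGroup     = "$domain\<fslogix-admins-group>"         # assumption: AD group of administrators

# The UNC path uses the storage account name as the host label
$uncPath = "\\$storageAccount.file.core.windows.net\$shareName"

# Fetch the storage account key on demand instead of pasting it into the script
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccount)[0].Value

# Mount with the storage account key so the NTFS ACLs can be written
net use $driveLetter $uncPath $key "/user:Azure\$storageAccount"
$root = "$driveLetter\"

# Administrators: full control on the root and everything beneath it
icacls $root /grant "${adminGroup}:(OI)(CI)F"

# Profile users: Modify on the root folder only, enough to create their own profile folder
icacls $root /grant "${profileGroup}:M"

# Whoever creates a folder or VHD under the root gets Modify on it, so each user reaches only their own
icacls $root /grant "CREATOR OWNER:(OI)(CI)(IO)M"

# Show the resulting ACL for review, then drop the key-based mapping
icacls $root
net use $driveLetter /delete
```

The key-based mapping is removed at the end because the storage account key bypasses the RBAC roles assigned earlier; day-to-day access from the session hosts should go through the domain identities, not the key. Review the share's default root ACEs in the icacls output as well, since any pre-existing broad grant would undo the split above.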
In this section we cover the steps needed to configure a VM with FSLogix. These steps need to be completed on all VMs. There are multiple ways to deploy in bulk and configure FSLogix that do not require work on each individual VM. More information on those is available here.
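The per-VM FSLogix configuration this section describes, as an added PowerShell example that is not part of the original post. It assumes the FSLogix agent is already installed on the session host, that the script runs elevated, and that the angle-bracket values are replaced with the storage account and share from the previous section:

```powershell
# Added example: point the FSLogix profile container at the Azure file share and confirm the result.
# Angle-bracket values are assumptions to be replaced with your own.
$storageAccount = "<sa-name>"
$shareName      = "<fileshare-name>"
$vhdLocation    = "\\$storageAccount.file.core.windows.net\$shareName"

$profilesKey = "HKLM:\SOFTWARE\FSLogix\Profiles"
if (-not (Test-Path $profilesKey)) { New-Item -Path $profilesKey -Force | Out-Null }

# Enabled=1 turns profile containers on; VHDLocations tells the agent where the VHD(X) files live
Set-ItemProperty -Path $profilesKey -Name "Enabled"      -Value 1 -Type DWord
Set-ItemProperty -Path $profilesKey -Name "VHDLocations" -Value @($vhdLocation) -Type MultiString

# Read back what the agent will use at the next sign-in
$cfg = Get-ItemProperty -Path $profilesKey
[pscustomobject]@{
    Enabled      = $cfg.Enabled
    VHDLocations = ($cfg.VHDLocations -join ';')
}

# Confirm SMB (TCP 445) to the share endpoint is reachable from this host before restarting
Test-NetConnection -ComputerName "$storageAccount.file.core.windows.net" -Port 445 |
    Select-Object ComputerName, TcpTestSucceeded

# The new settings take effect after a restart
Restart-Computer -Confirm
```

A failed TcpTestSucceeded here usually means an outbound 445 block between the session host and the storage account, which is worth ruling out before attributing a sign-in failure to permissions.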
Once the VM has been restarted sign in with a user that has permission on the session host and on the file share.
When the session has been established and the start menu is visible:
Note: For troubleshooting FSLogix please follow the guide here.
May 20 2020 09:57 AM
@Christian_Pedersen Robocopy and latest AzCopy 10.4.0 can help migrate from standard to premium while preserving ACLs.
May 20 2020 10:24 AM
@Nagorg-Terralogic We are close. Our current target for AD integration GA is June of this year. (Subject to change).
May 20 2020 10:26 AM
@Gunjan Jain great news... Will keep my eyes open for this!
May 20 2020 10:27 AM
May 22 2020 01:56 AM
Has anybody benchmarked login performance with this setup? I'm currently seeing 25-45sec login times since enabling FSLogix (Premium SA with 1024gb quota).
The "Please wait for FSLogix" bit seems to take the lions share of that. Login times are <10sec with FSLogix disabled.
Is this normal?
May 29 2020 01:04 AM
Is this happening on every log on? or just on profile creation
May 29 2020 01:13 AM
@Stefan Georgiev Every logon, I've got the times down to around 25sec now (15 of that is the loading FSLogix Profile bit) by ramping up the storage account to 1024GB (we only need 80gb, so seems a bit of a waste) so storage performance does seem to have an ever diminishing benefit.
Just trying to understand if this is normal/acceptable - if it is, the 'costs' are almost certainly worth the benefits of using FSLogix anyway.
May 29 2020 03:22 PM - edited May 29 2020 03:24 PM
@townendk For small # of users and size, you will probably be OK with the standard tier. Benefits of premium come from a larger scale, when users can pool resources and get benefits of higher IOPS/throughput of a large premium share. Did you try with standard tier? Please make sure large file shares is enabled to get increased scale for the standard tier.
May 31 2020 02:28 AM
@Gunjan Jain Yes, we tried Standard initially and it was borderline unusable. Login times of 3-5 minutes.
Jun 12 2020 01:04 AM - edited Jun 15 2020 03:37 AM
@Stefan Georgiev recently I've tried to set it up, with a tenant which uses a 3rd party tool to sync the on-premises accounts. (for evaluating better SSO options)
The fact that the users are then shown as "Azure Active Directory" seems to effectively prevent access to the AD-integrated storage account.
This is more to inform others that it seems that you must use Azure AD-Sync.
See attached screenshot from Debug-AzStorageAccountAuth
Regards,
Jun 12 2020 09:02 AM
@Benjamin Graus TY Benjamin, I am not surprised but it is excellent that you have validated it.
Jun 12 2020 11:25 AM