Forum Discussion

AlexPawlak's avatar
AlexPawlak
Brass Contributor
Sep 24, 2019

AD Sync not strictly required?

Hey there! I'm experimenting with WVD deployments. Currently I managed to build WVD RDS session host as WinServer2019 Smalldisk, that is also a domain controller for itself. Upon creation, I creat...
AlexPawlak's avatar
AlexPawlak
Brass Contributor

michawets Thanks for response!

That I did is that I duplicated identities - there is an account name "john@domain.com" coming from Windows Server AD and same account "john@domain.com" in Azure AD. AAD tenant is linked to WVD Tenant, user authenticates with their AAD credentials. Then, upon opening an app, they are prompted once again for credentials - this time for Windows Server AD. 

To give my testing a bit more context - I'd like to publish WVD to very small, non-technical organizations who have no IT infrastructure at all. I prefer to keep their identities in AAD only, but since Windows Server doesn't (hopefully yet!) support AAD join, it needs to be comboed that way. To keep things resilient to failure I do not want to build Windows Server AD - so I want to make it as basic as possible. 

I was worried that there might be some licensing check/enforcement to see if user entity is linked to RDP CAL with SA (or CSP one), but I don't think that's the case and these licenses need to be inventoried and linked as "classic" Server CALs ? 

 

Thanks!

Alex P

michawets's avatar
michawets
Iron Contributor
Sep 25, 2019

Hi AlexPawlak ,

 

As I already thought and stated, the UPN & password hashes do match in Windows AD & Azure AD, making it possible for the user to sign in. :smile:

But as soon as Windows AD or Azure AD changes, it would fall apart. :flushed:
Therefor, AD Connect syncs the useraccounts from Windows AD to Azure AD, keeping passwords in sync (with Writeback capabilities).
Azure AD DS goes a step further, it starts from Azure AD, and makes a Windows AD available in your VNET, also keeping it in sync.

 

Regarding the licensing: it could be possible to connect without proper license, but this is not guaranteed. I would recommend to assign an eligible license to the user(s) which are listed here at the FAQ.

https://azure.microsoft.com/en-gb/pricing/details/virtual-desktop/ 

  • AlexPawlak's avatar
    AlexPawlak
    Brass Contributor
    Sep 25, 2019

    OK 🙂 So that kind of makes it clear - AD Connect is preferred method of making password sync, but if I want to keep entities separate, I just need to make sure the password remains the same 🙂 

    The licenses are bought, with VLSC or CSP, and only assigned as "entitlement" on paper, contrary to "classic" RD Licensing - where the licenses have had to be technically activated on license server - is this the right approach? 

    Thanks!

Resources