Forum Discussion
Requirement to have an on-prem AD
- Mar 25, 2019
HandA
on-prem AD is not required.
AD requirements:
Option 1: Domain controller that is synchronized with Azure Active Directory. The domain controller can be on-prem or in cloud. To synchronize with Azure Active Directory install Azure Active Directory Connect.
Option 2: Azure AD Domain Services domain in Azure (automatically synced with Azure Active Directory)
Hybrid-join means joining the machine to Active Directory, and then having those device objects synced with Azure AD Connect to Azure AD (with writeback). One of a few ways of accomplishing this is joining the machine to a domain created in Azure Active Directory Domain Services (AAD-DS) - as that is Active Directory as a service, which is automatically synced to an Azure AD that you configure when you set up AAD-DS.
Note: Azure Active Directory (Azure AD) is not the same thing as Azure Active Directory Domain Services (https://azure.microsoft.com/en-us/services/active-directory-ds/).
While it is possible to join Windows 10 machines directly to Azure AD, and there are many great reasons to do that rather than joining or hybrid-joining with an Active Directory domain (particularly in a modern management environment), it is not supported for Windows Virtual Desktop. The Windows Virtual Desktop service specifically requires that the machine is joined to an Active Directory Domain.
"The Windows Virtual Desktop service specifically requires that the machine is joined to an Active Directory Domain."
That means an on-premise Active Directory instance? Or can that be Azure Active Directory Domain Services?
I guess I'll just have to try it out.
- HandA, May 14, 2020, Brass Contributor
The key things to ensure are
1. Make sure you have DNS set up on your vNet to point to the DNS IPs of the AADDS DCs/DNS
2. Make sure you force a password change on the account you are using to join the WVDs to the domain
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization
"For cloud-only Azure AD environments, https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#enable-user-accounts-for-azure-ad-ds in order for the required password hashes to be generated and stored in Azure AD. For any cloud user account created in Azure AD after enabling Azure AD Domain Services, the password hashes are generated and stored in the NTLM and Kerberos compatible formats. All cloud user accounts must change their password before they're synchronized to Azure AD DS."
3. The account used for the domain join doesn't have MFA enabled
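The three checks above can be scripted before the first host pool deployment. The following is an added example, not code from the thread or from Microsoft: a pre-flight script run from a VM on the same vNet as the session hosts that verifies the vNet DNS settings, confirms the AAD DS domain controllers answer Kerberos/LDAP lookups, and proves the join account can authenticate (which only succeeds once its password hash has been synced to AAD DS), then performs the join. The domain name, DC IPs, vNet/resource group names and join account are placeholders; it assumes Az.Network is installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original thread): AAD DS domain-join pre-flight.
# All names and IPs below are assumptions; replace them with your own values.
param(
    [string]$DomainName        = 'corp.example.com',        # assumption: AAD DS domain name
    [string[]]$ExpectedDnsIps  = @('10.0.0.4', '10.0.0.5'),  # assumption: AAD DS DC IPs shown in the portal
    [string]$VNetName          = 'wvd-vnet',                 # assumption
    [string]$ResourceGroupName = 'wvd-rg',                   # assumption
    [string]$JoinAccount       = 'wvdjoin@corp.example.com'  # assumption: account used for Add-Computer
)

$problems = @()

# 1. The vNet's custom DNS servers must be the AAD DS domain controllers.
$vnet    = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
$vnetDns = @($vnet.DhcpOptions.DnsServers)
$missing = $ExpectedDnsIps | Where-Object { $_ -notin $vnetDns }
if ($missing) {
    $problems += "vNet '$VNetName' DNS servers are [$($vnetDns -join ', ')]; AAD DS DCs not listed: $($missing -join ', ')"
}

# The VM itself should have received the same servers from Azure DHCP.
$localDns = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
if (-not ($ExpectedDnsIps | Where-Object { $_ -in $localDns })) {
    $problems += "This VM's DNS servers [$($localDns -join ', ')] do not include an AAD DS DC; renew the DHCP lease or fix the vNet DNS"
}

# 2. The domain's DC locator records must resolve through each DC, and the DC ports must be open.
foreach ($dc in $ExpectedDnsIps) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $dc -ErrorAction Stop
        if (-not $srv) { $problems += "No _ldap._tcp.dc._msdcs.$DomainName SRV record via $dc" }
    } catch {
        $problems += "SRV lookup for $DomainName via $dc failed: $($_.Exception.Message)"
    }
    foreach ($port in 53, 88, 389, 445) {   # DNS, Kerberos, LDAP, SMB (SYSVOL)
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet)) {
            $problems += "$dc does not answer on TCP/$port (check the AAD DS subnet NSG)"
        }
    }
}

# 3. The join account must already have NTLM/Kerberos hashes in AAD DS, i.e. its password was
#    changed after AAD DS was enabled. The simplest local proof is a successful LDAP bind.
#    Note: an LDAP bind bypasses MFA, so this does not detect an MFA requirement on the account.
$cred = Get-Credential -UserName $JoinAccount -Message 'Join account password'
try {
    $ldap = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$DomainName", $cred.UserName, $cred.GetNetworkCredential().Password)
    $null = $ldap.NativeObject   # forces the bind
    Write-Host "LDAP bind as $JoinAccount succeeded (password hash is present in AAD DS)"
} catch {
    $problems += "LDAP bind as $JoinAccount failed; the password may not have been changed since AAD DS was enabled: $($_.Exception.Message)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}

Write-Host "Pre-flight OK; joining $env:COMPUTERNAME to $DomainName"
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

Run it once on a throwaway VM in the session-host subnet before building the host pool; a failing SRV lookup or LDAP bind is the same condition that later surfaces as a domain-join failure during deployment.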
- tommy_barnes, Mar 10, 2020, Brass Contributor
I had problems with the domain join also for months, but once I figured out I had to set up the environment in PowerShell first I got past it! 415Group_Ray
- 415Group_Ray, Mar 10, 2020, Copper Contributor
I swear I've tried every article I could find on the matter (including those with PS commands). I still could not get past domain joining my instance. I spent almost an entire day on it. Azure support was little help. If you could find the article you used I could give it a shot.
- tommy_barnes, Mar 10, 2020, Brass Contributor
ADDS by itself. We just retired on-premise 3 weeks ago; we use cloud authentication now, and not having those noisy servers running all the time has been great! 415Group_Ray
- 415Group_Ray, Mar 10, 2020, Copper Contributor
Thanks for the reply Tommy. Are you running a hybrid AD environment using Azure AD Connect? Or are you running Azure ADDS all by itself?
- tommy_barnes, Mar 10, 2020, Brass Contributor
I have WVD running in a production environment and it is critical to business. What I can say to get this going with AADS: you need to set up just about everything in PowerShell first, then do your deployment. There is a document floating around here that helped me greatly. 415Group_Ray
- 415Group_Ray, Mar 10, 2020, Copper Contributor
Any news on this? I'm testing out WVD on an Azure trial for potential use and running into the issue where I can't deploy using Azure ADDS only.
- Christian_Montoya, Dec 04, 2019
Microsoft
Marcel Biebricher: No, it does not. VMs domain-joined to the Azure AD DS instance cannot be configured to be hybrid, as Azure AD DS does not allow that.
We're continuing to investigate the "100% cloud" scenario, but nothing to report at this time.
- Marcel Biebricher, Nov 28, 2019, Copper Contributor
Christian_Montoya Josh Bender Mike Amox
If we choose option "b.", does the scenario support hybrid Azure AD join for the VMs joined to Azure AD DS ?
According to https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization#synchronization-from-on-premises-ad-ds-to-azure-ad-and-azure-ad-ds for Azure AD Domain Services it is not supported to sync from Azure AD DS to Azure AD. Any news on support for "100% cloud"? Would love to see this 🙂
- Christian_Montoya, Nov 11, 2019
Microsoft
LA99-999_: If you are using password hash sync, you should be good to go. Because you are already syncing the password hashes, you can choose either of the two options for your Active Directory in your virtual network:
a. Connect your network to your on-premises infrastructure with an ExpressRoute or Site-to-Site VPN, then domain-join your VMs to that Active Directory.
or
b. Enable Azure AD Domain Services in your Azure subscription, then domain-join your VMs to that Active Directory.
- LA99-999_, Oct 23, 2019, Copper Contributor
I am currently syncing users and groups with password Hash sync (from on-prem ad to cloud)
To deploy WVD do I also have to enable single sign-on and pass-through authentication and have Domain Services running in Azure?
- praveenanil, May 22, 2019, Copper Contributor
I think you are getting this error because the user which you provided as tenant admin while deploying the host pool is not yet added to the Windows Virtual Desktop application as a tenant creator.
You can check if the user is already added from here:
Go to Active Directory -> Enterprise Applications -> Windows Virtual Desktop -> Users and groups
- Mat Cox, May 10, 2019, Copper Contributor
This worked for me - after adding a custom domain and changing the admin user from the onmicrosoft.com address.
M.
- Christian_Montoya, Apr 10, 2019
Microsoft
Stavros Mitchell: It should not matter which OS you're basing it off of. With the error you're hitting, make sure that you can install the PowerShell locally and connect with the same username or service principal. If it's a user and requires MFA, then deploying the Azure Marketplace offering will fail because MFA cannot happen in the background.
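The advice in this reply (connect locally with the same account the deployment uses) and the check praveenanil describes (Enterprise Applications -> Windows Virtual Desktop -> Users and groups) can be reproduced from PowerShell. The script below is an added example, not code from the thread or from Microsoft. It uses the classic WVD module (Microsoft.RDInfra.RDPowerShell, the one the 2019 tutorials used) and the AzureAD module; the tenant name and account are placeholders, and the role-assignment property names (SignInName, RoleDefinitionName) are assumed to match that module's documented output.

```powershell
# Added example (not from the original thread): reproduce, non-interactively, the credential
# checks the Marketplace host pool deployment performs in the background via the DSC extension.
param(
    [string]$TenantName    = 'Contoso-WVD',                        # assumption: your WVD tenant name
    [string]$UserName      = 'wvdadmin@contoso.onmicrosoft.com',   # assumption: the "tenant admin" given to the deployment
    [string]$DeploymentUrl = 'https://rdbroker.wvd.microsoft.com'  # classic WVD broker endpoint
)

Import-Module Microsoft.RDInfra.RDPowerShell -ErrorAction Stop
Import-Module AzureAD -ErrorAction Stop

$cred = Get-Credential -UserName $UserName -Message 'Password for the WVD tenant admin'

# 1. Credential-only sign-in, exactly as the DSC extension must do it. The extension cannot
#    answer an MFA or Conditional Access prompt, so if this throws, the deployment will fail
#    with the same "not authorized to query the management service" style error.
try {
    Add-RdsAccount -DeploymentUrl $DeploymentUrl -Credential $cred -ErrorAction Stop | Out-Null
    Write-Host "Non-interactive sign-in to $DeploymentUrl succeeded as $UserName"
} catch {
    throw "Non-interactive sign-in failed. Exempt $UserName from MFA/Conditional Access or use a service principal (Add-RdsAccount -ServicePrincipal). Error: $($_.Exception.Message)"
}

# 2. The account must hold a role on the tenant; creating host pools needs RDS Owner.
$assignments = Get-RdsRoleAssignment -TenantName $TenantName -ErrorAction Stop
$mine = $assignments | Where-Object { $_.SignInName -eq $UserName }
if (-not $mine) {
    throw "$UserName has no role on tenant '$TenantName'. An RDS Owner can grant one with: New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' -SignInName $UserName -TenantName $TenantName"
}
$mine | Format-Table RoleDefinitionName, SignInName, Scope -AutoSize

# 3. Cross-check the Azure AD side: the user should be listed under
#    Enterprise Applications -> Windows Virtual Desktop -> Users and groups,
#    which is an app-role assignment on that service principal.
Connect-AzureAD -Credential $cred | Out-Null
$sp   = Get-AzureADServicePrincipal -Filter "displayName eq 'Windows Virtual Desktop'"
$user = Get-AzureADUser -ObjectId $UserName
if (-not $sp) {
    Write-Warning "No 'Windows Virtual Desktop' service principal found; the tenant has not consented to the WVD app"
} else {
    $appRole = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
               Where-Object { $_.PrincipalId -eq $user.ObjectId }
    if ($appRole) {
        Write-Host "$UserName is assigned to the Windows Virtual Desktop enterprise application"
    } else {
        Write-Warning "$UserName is not assigned to the Windows Virtual Desktop enterprise application (Users and groups blade)"
    }
}
```

Step 1 is the decisive one: if the credential alone cannot complete sign-in, nothing in steps 2 and 3 will help the Marketplace deployment, because the DSC extension has no way to complete an interactive challenge.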
- Stavros Mitchell, Apr 10, 2019, Copper Contributor
Thanks for your quick reply. The only thing I am doing differently is I was using the Windows 10 Enterprise multi-session instead of the Server 2016 Datacenter you are using; wonder if that could be causing the issue.
- Johan_Eriksson, Apr 10, 2019, Brass Contributor
Hi Stavros,
I do not think I did anything special. I simply followed the steps to add AADDS in a very detailed fashion. (I assume you also have done that and verified that you can join a computer to the domain)
FYI: I am using 2016 datacenter as the base for my session host image.
I then followed the detailed steps in https://docs.microsoft.com/en-us/azure/virtual-desktop/ Tutorial.
(Go back and re-read and make sure you have not missed any steps.)
FYI: I used the following options
- Shared desktop
- 2 VM
- Pretty much default all the way.
I have tested many times and never had any problems even when moving to ARM Template use.
Again, very hard to speculate on what problem you may be hitting, but maybe it is not related to AADDS use.
Hope this can help in some small way.
Cheers,
Johan
- Stavros Mitchell, Apr 10, 2019, Copper Contributor
Hi, I am just curious how you got it to work with AAD DS. My deployment keeps on failing on
/dscextension with the error:
" PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."
Everywhere I've been searching is saying it's not possible with AADDS.
Thanks for the help
- Mike Amox, Mar 28, 2019
Microsoft
That's a hybrid domain join, as you joined an Active Directory domain, not an Azure AD join. That is supported.
- rpextech, Mar 28, 2019, Copper Contributor
So I have on-premise AD with AD Connect syncing to Azure AD. Then I created an Azure AD Domain instance and bound it to a VNET and then used that network to connect my Windows Virtual Desktop to and join that domain. So it's not joining Azure AD directly but a fully synced Azure AD Domain Services which is syncing with Azure AD. So technically you aren't joining Azure AD natively.
- Johan_Eriksson, Mar 28, 2019, Brass Contributor
Ron Howe I got it to work with only Azure AD and Azure AD DS together.
I started with an Azure AD and added/verified a custom domain.
I created an admin in this custom domain.
I then added Azure AD DS referring to the custom domain
I changed the password of my domain admin to allow it to sync with Azure AD DS
I verified that I could join a workgroup windows server to Azure AD DS with my admin
Adding the host pool to the domain and adding users to the domain worked fine.
Testing to connect with assigned users worked ok
No need for any on premise domain in my case.