Technical Blog | REBELADMIN

Learn about Active Directory and Various Azure Services

Azure AD

Step-by-Step Guide: Azure Active Directory Domain Services resiliency with replica sets

In an Active Directory Environment, we keep additional domain controllers to improve resiliency. In this way, if one domain controller fails it will not make a big impact. We can further improve the resiliency of infrastructure by keeping an additional domain controller and mission-critical servers in a different location. So, in the event of a site failure, we will still have a domain controller and mission-critical servers running on a remote location. When we create the Azure Active Directory Domain Services managed domain, we provide a unique domain name. In the back end, Azure will deploy two domain controllers with this unique domain in your selected Azure region. This setup is called a “replica set“. Now, to improve resiliency, we can create additional replica sets in other Azure regions.

Each replica set uses a virtual network. All these virtual networks must be peered to create a mesh network to support the replication between replica sets.

Azure Active Directory Domain Services replica sets have the following characteristics.

• This feature is still in the preview stage.
• Each replica set contains the same data. You can’t use different domains for different replica sets.
• All replica sets will be placed in the same Active Directory site. Because of that the replication between replica sets is faster.
• All replica sets should create under the same subscription. You cannot have replica sets between different subscriptions.
• In the preview, you can have up to four replica sets.
• Replica sets only ensure the availability of the authentication services. But to use the full benefits of it, you need to consider how your Azure VMs, applications will work during a site failure.

In this demo, I am going to demonstrate how to create a replica set of existing Azure Active Directory Domain Services managed domain.

In my current setup, I already have Azure Active Directory Domain Services managed domain configured.

Azure Active Directory Domain Services managed domain properties

This is using REBELVN1 virtual network and aadds-subnet.

Azure Active Directory Domain Services managed domain properties page

REBELVN1 virtual network is set up under REBELRG1 resource group. This resource group is using “East US” Azure region. The Virtual network is using 10.0.0.0/16 address space. It has two subnets.

vmsubnet – 10.0.2.0/24 for virtual machines
aadds-subnet – 10.0.0.0/24 for Azure Active Directory Domain Services managed domain

Azure Active Directory Domain Services managed domain virtual network settings

In this demo, I am going to create a new virtual network in “West US” Azure region. Later this will be used to host the additional replica test. [Read more…] about Step-by-Step Guide: Azure Active Directory Domain Services resiliency with replica sets

How to add a session host to an existing Windows Virtual Desktop Host Pool (Spring 2020 Release)?

In my previous blog posts about Windows Virtual Desktop Host Pool (Spring 2020 Release), I have explained how to publish desktop and applications. These blog posts can be accessed using the following links.

1. Step-by-Step Guide to Windows Virtual Desktop (Spring 2020 Release)
2. Step-by-Step Guide: How to publish Applications using Windows Virtual Desktop (Spring 2020 Release)

With a growing demand for WVD resources, you may have a requirement to add additional session hosts to the existing Windows Virtual Desktop host pool. In this blog post, I am going to demonstrate how to add additional session host to Windows Virtual Desktop host pool.
Before we start, let’s go ahead and check how is my demo environment looks like and what I am trying to achieve.

azure infrastructure

• I have two Resource groups in place. EUSRG1 resource group is in Azure East US region and UKSRG1 resource group is in UK South Azure region.
• Resource in UKSRG1 resource group represents my on-premises infrastructure.
• I have a Windows AD server running in UKSRG1. It is syncing to Azure AD by using Azure AD Connect.
EUSVNet1 and UKSVnet1 are connected using Azure VNet-to-VNet VPN Gateway Connection (https://www.rebeladmin.com/2019/09/step-step-guide-setup-azure-vnet-vnet-vpn-gateway-connection-powershell-guide/). This way session hosts in EUSRG1 can be added to Windows AD using the standard method.
• I have set up two session hosts (REBELSH-0 & REBELSH-1) and added it to a host pool called REBELHP01. I also created a workspace (REBELWP01) in EUSRG1 resource group. Both session hosts are joined to Windows AD using the standard domain join method.

Add new session host to an existing Windows Virtual Desktop host pool

In this demo, I am going to add 3rd session host called REBELSH-2 to host pool REBELHP01.

To do that,

1. Log in to Azure portal as Global Administrator
2. Search for Windows Virtual Desktop and click on it.

search for Windows Virtual Desktop service

3. Then click on Host pools

Windows Virtual Desktop host pools [Read more…] about How to add a session host to an existing Windows Virtual Desktop Host Pool (Spring 2020 Release)?

Step-by-Step Guide: How to publish Applications using Windows Virtual Desktop (Spring 2020 Release)

In my previous blog post, I have explained how we can set up Windows Virtual Desktop (Spring 2020 Release) and publish desktops. If you didn’t read it yet, please go ahead and read it before we continue with this article as I am going to use the same system setup. You can access previous blog post using this link.
In this blog post, I am going to demonstrate how to publish applications using Windows Virtual Desktop (Spring 2020 Release).

Before we start, let’s go ahead and check how is my demo environment looks like and what I am trying to achieve.

azure infrastructure

• I have two Resource groups in place. EUSRG1 resource group is in Azure East US region and UKSRG1 resource group is in UK South Azure region.
• Resource in UKSRG1 resource group represents my on-premises infrastructure.
• I have a Windows AD server running in UKSRG1. It is syncing to Azure AD by using Azure AD Connect.
EUSVNet1 and UKSVnet1 are connected using Azure VNet-to-VNet VPN Gateway Connection (https://www.rebeladmin.com/2019/09/step-step-guide-setup-azure-vnet-vnet-vpn-gateway-connection-powershell-guide/). This way session hosts in EUSRG1 can be added to Windows AD using the standard method.
• I have set up two windows virtual desktop session hosts (REBELSH-0 & REBELSH-1) and a workspace (REBELWP01) in EUSRG1 resource group.
Both session hosts are joined to Windows AD using the standard domain join method.

I am going to create a new application group and publish Microsoft Word and Microsoft Excel Applications.

Create Windows Virtual Desktop Application Group

Let’s go ahead and create the application group for remote apps.

1. Log in to Azure portal as Global Administrator
2. Search for Windows Virtual Desktop and click on it.

Windows Virtual Desktop azure service

3. Then click on Application groups

WVD application group option

4. In Application group page click on + Add

add new application group [Read more…] about Step-by-Step Guide: How to publish Applications using Windows Virtual Desktop (Spring 2020 Release)

Step-by-Step Guide to Windows Virtual Desktop (Spring 2020 Release)

I wrote my first article about Windows Virtual Desktop when it was in the preview stage. There were few releases after that and some of the content of that original post is no longer relevant. So, I thought it is time to release a new article to avoid conflicts.
Windows Virtual Desktop is a cloud-based desktop and app virtualization service. If you ever worked with on-premises VDI solutions such as Microsoft RDS or Citrix, you may already know how much planning, management involve with it. It is costly as performance & availability of the solution depend on so many things such as networking, hardware resources, skills, connection, etc. But now with Windows Virtual Desktop, we can simply set up VDI solution with few clicks. With COVID-19 global pandemic, businesses had to allow their employees to work from home. With the help of Windows virtual desktop service, a lot of businesses were able to expand VDI to address the demand pretty quickly compared to other traditional on-premises solutions.

What is new on Windows Virtual Desktop Spring 2020 update?

• Windows Virtual Desktop is now integrated with the Azure portal. So, we can set up everything using the Azure portal. No PowerShell required.
• With the previous version, we were only able to publish RemoteApps and Desktops to individual users. But now we can publish to Azure Active Directory groups.
• You’re no longer required to complete Azure Active Directory (Azure AD) consent to use Windows Virtual Desktop. In the Spring 2020 update, the Azure AD tenant on your Azure subscription authenticates your users and provides RBAC controls for your admins.
• The earlier version of the Windows Virtual Desktop had four built-in admin roles that you could assign to a tenant or host pool. These roles are now in Azure role-based access control. You can apply these roles to every Windows Virtual Desktop Azure Resource Manager object, which lets you have a full, rich delegation model.
• Host pool deployment is now fully integrated with the Azure Shared Image Gallery. Shared Image Gallery is a separate Azure service that stores virtual machine (VM) image definitions, including image versioning. You can also use global replication to copy and send your images to other Azure regions for local deployment.

Source: https://docs.microsoft.com/en-us/azure/virtual-desktop/whats-new

Windows Virtual Desktop Prerequisites

To use Windows virtual desktop service, we need the following

• Azure Active Directory
• A Windows Server Active Directory in sync with Azure Active Directory. It can be either via Azure AD Connect or Azure AD Domain Services
• An Azure subscription that contains a virtual network that either contains or is connected to the Windows Server Active Directory
• Azure virtual machines for Windows Virtual Desktop service must be Windows Desktop Machines which join the Azure AD using a stranded method or Hybrid AD-join method. It can’t be Azure AD-Join.
• Azure virtual machines for Windows Virtual Desktop service only can have following supported x64 operating systems.

 Windows 10 Enterprise multi-session, version 1809 or later
 Windows 10 Enterprise, version 1809 or later
 Windows 7 Enterprise
 Windows Server 2019
 Windows Server 2016
 Windows Server 2012 R2

In this demo, I am going to demonstrate how to publish Desktops using Windows virtual desktop service. Before we start let’s see how is my demo environment looks like and what I am trying to achieve.

azure infrastructure

• I have two Resource groups in place. EUSRG1 resource group is in Azure East US region and UKSRG1 resource group is in UK South Azure region.
• Resource in UKSRG1 resource group represents my on-premises infrastructure.
• I have a Windows AD server running in UKSRG1. It is syncing to Azure AD by using Azure AD Connect. I can confirm Azure AD connect sync status is healthy.

EUSVNet1 and UKSVnet1 are connected using Azure VNet-to-VNet VPN Gateway Connection (https://www.rebeladmin.com/2019/09/step-step-guide-setup-azure-vnet-vnet-vpn-gateway-connection-powershell-guide/). This way session hosts in EUSRG1 can be added to Windows AD using the standard method.
• I will setup windows virtual desktop session hosts and workspace in EUSRG1 resource group. Remote users will connect to windows virtual desktop workspace using public internet.

Modify EUSVnet1 DNS servers

We are going to start the configuration by modifying EUSVnet1’s DNS server settings. As per the above setup, EUSVnet1 virtual network can communicate with UKSVnet1 virtual network. But if we try to add a VM running in EUSVnet1 virtual network to Windows AD in UKSVnet1 virtual network, it will fail. This is because a VM in EUSVnet1 virtual network will not know how to find the domain as it is using Azure defined DNS servers. We can’t simply modify network adapter settings of the VM and point DNS to the Windows AD server. We have to do it in the virtual network level.

To update DNS server settings for the virtual network,

1. Log in to Azure Portal as Global Administrator
2. Search for Virtual networks in the search box.

virtual network properties

3. From the list of virtual networks, click on EUSVnet1

virtual network properties 2

4. In the virtual network properties page, click on DNS servers

virtual network dns settings

5. Then select Custom to define our DNS server list. In there add the private ip address of the Windows AD server. In my demo setup, it is 10.75.0.4. I also added google DNS 8.8.8.8 as a backup.
Once settings are in place, click on Save to apply the changes.

save virtual network dns settings [Read more…] about Step-by-Step Guide to Windows Virtual Desktop (Spring 2020 Release)

Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain

In an on-premises Active Directory environment, there can be application or service which required integration with Active Directory. With AD integration, the application can search for AD users, allow login, assign permissions, etc. This integration part is usually done using the Lightweight Directory Access Protocol (LDAP). By default, traffic over LDAP is not encrypted. Due to the vulnerabilities, Microsoft now recommends only to use secure LDAP (LDAPS, LDAP over SSL) connections to Domain Controllers. Azure Active Directory Domain Services (Azure AD DS) also support for secure LDAP connections. Most of the time the LDAP connection to Azure AD DS will be initiated over the public internet. So, it is important to have encryption in place to prevent man-in-the-middle attacks.

In this post, I am going to demonstrate how to enable secure LDAP for Azure AD DS. Before we start make sure you have the following prerequisites in place.

1. Valid Azure Subscription
2. Valid Azure Active Directory Domain Services

Azure Directory Domain Service instance is using default Microsoft domain name rebeladmlive.onmicrosoft.com. So, I have to use a self-sign certificate for it. To generate a self-sign certificate, we can use the following PowerShell commands. This can be run from any PC.

$domainname=”rebeladmlive.onmicrosoft.com”
$certlife=Get-Date
New-SelfSignedCertificate -Subject *.$domainname -NotAfter $certlife.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.$domainname, $domainname

create self sign certificate powershell

In above, replace rebeladmlive.onmicrosoft.com with your Azure Active Directory Domain Service instance name. As we can see, it created a wild card SSL for rebeladmlive.onmicrosoft.com under Computer account.

SSL certificate mmc

We need to export this certificate as .PFX file with private key to,

1. Use it during the secure LDAP setup and upload it to Azure
2. Import it to any other PC which like to initiate secure LDAP connection (The certificate must be imported into Computer Account\Personal\Certificates as well as Trusted Root Certification Authorities\Certificates. This is because the certificate is self-sign cert and it doesn’t have trusted root certificate)

To export certificate,

1. Right-click on the certificate and go to All Tasks | Export

export ssl certificate

2. It will open up the certificate export wizard, click on Next to start the process.

export certificate wizard screen 1

3. In the next window select Yes, export the private key, and click on Next.

export certificate wizard screen 2

4. In the Export file format window, match the following selection, and click on Next.

export certificate wizard screen 3

5. In the next window, define the password for the export file and click on Next.

export certificate wizard screen 4

6. Then, select the file path for the output and click on Next.

export certificate wizard screen 5

7. In the next window, click on Finish to complete the Export process.

export certificate wizard screen 6

Now we have the .PFX file. The next step is to import it again to Trusted Root Certification Authorities\Certificates. This is required as we are using a self-sign certificate for the exercise. [Read more…] about Step-by-Step Guide: Enable secure LDAP (LDAPS) for an Azure Active Directory Domain Services managed domain