
AZ-104 3 – Creating Users & Deploying AADDS

Next up in deploying virtual desktops within an Azure lab environment is to create users.  This process is quite simple.  In the Overview section of Azure Active Directory, click on Users.

AzureUsers.png

For purposes of the lab, we are then going to click on + New User.

AzurePlusNewUser.png

You can invite a user but, to keep it simple, I’m just going to create a few new users manually.  Since I’m a fan of Tron and Tron Legacy, my first user is going to be Flynn.  You’ll assign a username, the full display name, and then optionally a first and last name.  You can allow the system to auto-generate a complex password or create your own.  I’m a big fan of complex passwords so I’m going to generate an 18+ character password with special characters.  You will also want to assign a usage location for the user.  This is critical for license assignment.  As Butt (2015) points out, usage location helps Microsoft apply any regional license restrictions such as voice and video or other country-specific items and should ALWAYS be a part of your workflow.

AzureCreateNewUser.png

AzureCreateNewUser2.png

You may want to continue this process a few times to have users to test with as you do varying Azure labs and exercises.

AzureUserListPreview.png

Alright, now that we have some users set up, we need to deploy Azure Active Directory Domain Services (AADDS). AADDS provides managed domain services such as domain join, group policy, Kerberos, LDAP, and NTLM authentication (Microsoft, 2021). Azure AD DS integrates with the tenant you've already set up, letting users sign in to services, servers, and other resources with their existing credentials without you having to build and maintain additional domain controller servers in the tenant. See the Microsoft link below for additional detail!

To deploy AADDS, use the search bar in Azure to find Azure Active Directory Domain Services.

AzureDeployAADS.png

Click on + Create within Azure AD Domain Services. You'll select your Azure subscription and assign a resource group. A resource group is a container that holds related resources. For purposes of this lab, I'm going to create a resource group called AZ-140. All of our resources for this virtual desktop lab will be deployed to this resource group. Microsoft has quite a bit of reading on resource groups but, basically, they let you allocate resources in groups that make sense for your organization so that you can deploy, update, and delete them as a unit (Microsoft, 2019).

AzureDomainServices.png

You will use the domain you created for the DNS domain; this should be prefilled. Then we need to select our region and SKU. We are going to use Standard for our SKU. SKU options include Standard, Enterprise, and Premium, and the choice determines pricing, features, and the resources available. There is a great table here (https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/) that lists pricing per hour, object counts, and backup features! We will then select a forest type of User. Per the portal, user forests are chosen when you are predominantly performing user sign-ins and application or workload authentication. A user forest receives copies of users, groups, and group memberships from Azure AD, and from on-premises domains as well if the connector is deployed.

AzureDomainServices2.png

After everything is filled out, click next and move on to Network provisioning. As noted in the portal, this subnet is dedicated to Azure AD Domain Services: don't add other servers to it. The default name aadds, which you might recognize from earlier, is the Azure AD Domain Services virtual network. You can leave this at the default; however, I recommend adding a new subnet. I'm going to create a new virtual network that is a /16. The subnet for the domain services will then be a smaller subnet of 10.0.1.0/24. This could just as well be 10.0.0.0/24, 10.0.2.0/24, … anything within the virtual network address space defined a moment ago, since the subnet is simply a smaller piece of the virtual network. We will also need to deploy a management server for AADDS, which requires another subnet. For purposes of this lab, I'll make that subnet 10.0.2.0/24. The management VM gives us more management capability than the built-in web portal and keeps the management system segmented from the domain services subnet.

CreateVirtualnetwork.png

CreateVirtualNetwork2.png

Upon selecting our AADDS subnet, we get a message that network security groups will automatically be created to protect the domain services! Thank you, Microsoft. For purposes of the lab, the remaining items presented for review after clicking next can all be left at their defaults.

AAADS.png

You can now click through and hit create!

CreateAADS.png

The deployment will take a few minutes and the status will be reflected on your portal as follows. 

DeploymentStatus.png

When all is well, you’ll see green checkmarks for your virtual networks, security groups, and domain services.  This takes a long time. I’m at over 60 minutes and still building!   We need to wait until deployment is 100% complete.  So, during the break, here’s what we’ve created so far network segment-wise:

Cloud1.png

You're likely going to see a warning at the top to fix configuration issues on your domain. If you click on the error as seen below, you'll notice the AADDS-vnet is missing DNS servers. You can simply hit the fix button and the proper DNS settings will be applied. When you press fix, it lets you know that it's going to add DNS server settings for the service IPs 10.0.1.4 and 10.0.1.5.

DNSServers.png

DNSServers2.png

If you look at the resource group AZ-140, you'll notice that after hitting fix the AADDS-vnet has two DNS servers: the two DCs that Azure created automatically to support the managed domain, 10.0.1.4 and 10.0.1.5.

Cloud2.png
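As an added example (not the post's own steps), the same network layout, managed domain and DNS fix done with Az PowerShell; it also restricts RDP on the management subnet to a single admin address, which the VM section later notes should be done outside a lab. The region, the admin IP and the Microsoft.AAD/DomainServices property names are my assumptions, and the tenant prerequisites from the Microsoft tutorial are assumed to be in place.

```powershell
# Added example, not the post's own steps: lab network, managed domain and DNS fix in Az PowerShell.
# Assumes the Az.Network and Az.Resources modules are installed and Connect-AzAccount has been run.
$rg       = "AZ-140"
$location = "eastus"                  # assumption: use the region you chose in the portal
$domain   = "richhornberger.com"
$adminIp  = "203.0.113.10/32"         # placeholder: your own public address (or VPN/bastion range)

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD | Out-Null

# AADDS subnet inside the /16; Azure attaches its own NSG to this subnet during deployment.
$aaddsSubnet = New-AzVirtualNetworkSubnetConfig -Name "aadds-subnet" -AddressPrefix "10.0.1.0/24"

# Management subnet: allow RDP only from the admin address rather than from any source IP.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name "allow-rdp-from-admin" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $adminIp -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389
$mgmtNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "aadds-mgmt-nsg" -SecurityRules $rdpRule
$mgmtSubnet = New-AzVirtualNetworkSubnetConfig -Name "aadds-mgmt" -AddressPrefix "10.0.2.0/24" `
    -NetworkSecurityGroup $mgmtNsg

$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name "aadds-vnet" `
    -AddressPrefix "10.0.0.0/16" -Subnet $aaddsSubnet, $mgmtSubnet

# Managed domain: Standard SKU, user forest ("FullySynced"), one replica set in the AADDS subnet.
# Property names follow the Microsoft.AAD/DomainServices ARM schema (assumption; compare with the tutorial).
$subnetId = ($vnet.Subnets | Where-Object Name -eq "aadds-subnet").Id
$subId    = (Get-AzContext).Subscription.Id
New-AzResource -Location $location -Force `
    -ResourceId "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.AAD/DomainServices/$domain" `
    -Properties @{
        domainName              = $domain
        sku                     = "Standard"
        domainConfigurationType = "FullySynced"
        replicaSets             = @(@{ subnetId = $subnetId; location = $location })
    }

# Run this part only once the deployment shows 100% complete. It is what the portal's "fix" button
# does: point the whole vnet at the two managed-domain DCs so members can resolve the domain.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "aadds-vnet"
$vnet.DhcpOptions.DnsServers = @("10.0.1.4", "10.0.1.5")
$vnet | Set-AzVirtualNetwork | Out-Null
```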

At this point, we are going to create a domain admin to continue domain management.  Using the menu, we need to move back to Azure Active Directory and Users.  We are going to add a new user with + New User.

DomainAdmin.png

In my case, I'm going to call the user ADDAUser, which I would never use outside of a lab but, you get the point! Use the same domain we've been using and generate a complex password manually. To make the account a domain admin, you'll want to select a group as shown below and choose the AAD DC Administrators group. Members of this group are able to manage the domain services.

DomainAdminCreation.png
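The user creation with usage location from the start of this post and the domain admin creation just described, as an added example in Microsoft Graph PowerShell (not the post's own steps). The extra user names are constructed samples, and the scopes, usage location and password generator are my assumptions.

```powershell
# Added example, not the post's own steps: creates the lab users and the domain admin with
# Microsoft Graph PowerShell and adds the admin to AAD DC Administrators.
# Assumes PowerShell 7 with the Microsoft.Graph module and that you have run:
#   Connect-MgGraph -Scopes "User.ReadWrite.All","Group.Read.All","GroupMember.ReadWrite.All"
$domain = "richhornberger.com"

function New-LabUser {
    param([Parameter(Mandatory)][string]$Name, [string]$UsageLocation = "US")

    # 20-character random initial password from a CSPRNG; the user replaces it at first sign-in.
    $chars = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*'
    $tempPassword = -join (1..20 | ForEach-Object {
        $chars[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($chars.Length)] })

    # UsageLocation is what makes later license assignment possible (see Butt, 2015 above).
    # ForceChangePasswordNextSignIn produces the first-sign-in reset seen at myapps.microsoft.com.
    $user = New-MgUser -DisplayName $Name -MailNickname $Name -AccountEnabled `
        -UserPrincipalName "$Name@$domain" -UsageLocation $UsageLocation `
        -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

    [pscustomobject]@{ Upn = $user.UserPrincipalName; Id = $user.Id; TempPassword = $tempPassword }
}

# Lab users (Flynn is from the post; the other names are constructed samples).
$labUsers = "Flynn", "Clu", "Quorra" | ForEach-Object { New-LabUser -Name $_ }
$labUsers | Format-Table Upn, Id

# Domain admin for the managed domain. AAD DC Administrators only exists once the AADDS
# deployment has finished, which is why this account is created after it.
$da    = New-LabUser -Name "ADDAUser"
$group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $da.Id
Get-MgGroupMember -GroupId $group.Id | Select-Object -ExpandProperty Id   # confirm membership
```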

At this point, we will want to sync the passwords and ensure all accounts are functional before we move on in the test environment. Simple enough. The URL to sign in on is https://myapps.microsoft.com. Sign in with the three accounts we've created: the two users and the DA. Note that since this is the "first time" the user is signing in, the password is reset and the user must enter a new one. Simple enough; I added an ! to the end of the passwords for this lab.

PasswordSync.png

Next, it’s important to deploy a management server for the Azure AD Domain as not all of the tasks can be accomplished over the web.  To do this, we will deploy a Windows Server 2019 Datacenter edition to the management server subnet created earlier.  To do this, we click on the hamburger navigation icon, click create a resource, and select Windows Server 2019 Datacenter.

DeployServerResource.png

In order to keep things simple, we are going to add it to our lab resource group "AZ-140". Give the machine the name AADDSManagementServer. For purposes of the lab, you can choose the lowest size, which is Standard_DC1_v2 (1 vCPU, 3.5 GiB memory) for $91.98 a month. Nobody said this stuff is free. Hopefully, you are doing this lab on a free credit from Microsoft! Note: the VM can be shut off when not in use! You also need to create a local admin for the virtual machine. After setting all of this, only allow port 3389 inbound to the server. Microsoft is going to complain, as this opens the server to RDP from any source IP. In a normal situation, inbound access should be limited to the necessary ports and protocols and to known source addresses.

CreateVM.png

On the next tab, you'll configure disks. For lab purposes, you can just choose Standard HDD to save money. Encryption at rest should be a given for any cloud-provisioned VMs.

CreateVMDisks.png

As we move to network configuration, we will want to put this server in the management subnet that we created earlier and outlined in our infrastructure diagram.  Select the aadds-mgmt (10.0.2.0/24) subnet.  We are going to change the NIC security to Basic and allow selected ports (3389) to open up RDP.

CreateVMNICSETUP.png

All other tabs can be left at defaults at this point.  Please note, a price will now be shown for every hour that the server is running.  In my case, the retail price is $0.1260 an hour.  Still well within my free $200 credit.  After you press create, you’ll notice we are back to the deployment details screen.

VMCreationProgress.png

At this point, we should talk about controls to reduce costs.  After the VM is successfully created we end up with an infrastructure that looks something like the following:

Cloud_3.png

From the hamburger navigation, you can move to Virtual Machines and see a list of virtual machines.

VMList.png

Clicking on the server name “AADDSManagementServer” gives us the option to start the machine, stop the machine, and reboot the machine as needed.  While the machine is shut down, costs are reduced.  The management interface is as follows:

VMServerMGMT.png

I had stopped my server in the previous screenshot to save on costs. If you start the server, you should now be able to connect to it over RDP using the local credentials you created earlier. You can either press Connect in the upper left or simply use your local Windows RDP client to connect to the public IP address. At this point, it's time to install the Active Directory management tools on the server over RDP. Typically, you would first work through your normal security build process for a new server. For purposes of getting this up and running, we are just going to install the admin tool pack.

First, I’m going to set the timezone so that everything matches my location.  In server manager, local server, click on the time zone and change it to the timezone of your choosing.

Timezone.png

Now, to manage our domain, we need to join the server to the domain. I'm going to skim past this a bit as it's the same as for any other Windows Server 2019 machine! In the case of my lab, I'm going to join richhornberger.com, which was set up earlier!

JoinToDomain.png

Now, you may have been wondering why we created the ADDAUser (domain admin) account earlier.  This is the time we are going to use that account to join our management box to the domain!

ADDAUser.png

If all goes well, we should get a welcome to the domain message:

WelcomeToDomain.png

After the reboot, we should be able to log in with our domain admin account directly to the server over RDP, following the same process we used before for the RDP connection. It's now time to add the AD management tool components. To proceed, open Server Manager and go to Manage, Role-based or feature-based installation, select the server from the server pool, click Next past Server Roles, and under Features install Remote Server Administration Tools, AD DS and AD LDS Tools.

ADDSTools.png
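The on-server steps (time zone, domain join, RSAT install) as an added example in PowerShell, not the post's own commands; it also adds a pre-flight check that the managed domain's DCs resolve and answer before attempting the join. The time zone and the DC ports checked are my assumptions.

```powershell
# Added example, not the post's own steps: on-server configuration run from an elevated PowerShell
# session on AADDSManagementServer (Windows Server 2019). Time zone is an assumption; pick your own.
$domain = "richhornberger.com"
Set-TimeZone -Id "Eastern Standard Time"     # list choices with: Get-TimeZone -ListAvailable

# Pre-flight: the vnet must resolve the managed domain to 10.0.1.4/10.0.1.5 and the DCs must answer
# on Kerberos (TCP 88) and LDAP (TCP 389); otherwise the join below fails with a DNS or RPC error.
Resolve-DnsName -Name $domain -Type A | Select-Object Name, IPAddress
foreach ($dc in "10.0.1.4", "10.0.1.5") {
    foreach ($port in 88, 389) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "DC $dc TCP/$port reachable: $ok"
    }
}

# Join with the AAD DC Administrators account (ADDAUser). Get-Credential prompts, so the password
# never lands in the script or in the console history.
$cred = Get-Credential -Message "Enter ADDAUser@$domain and its password"
Add-Computer -DomainName $domain -Credential $cred -Restart

# --- After the reboot, signed in over RDP as the domain admin ---
# RSAT-AD-Tools is "AD DS and AD LDS Tools" under Remote Server Administration Tools in Server Manager.
Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature
Get-WindowsFeature -Name RSAT-AD-Tools, RSAT-ADDS, RSAT-AD-PowerShell | Select-Object Name, Installed

# Prove the tools talk to the managed domain before opening the GUI consoles.
Import-Module ActiveDirectory
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
```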

If installation is successful, you should see the addition of the Active Directory in the Tools menu:

ADToolsMenu.png

Tools like Active Directory Users and Computers should now be functional:

ADUsersandComputers.png

Sources:

Butt, J. (2015). Office 365 Features Limitations/Restrictions by Location. MSEXPERTTALK. https://msexperttalk.com/mystery-of-office-365-usagelocation/

Microsoft. (2019). Microsoft Azure Resource Manager resource groups using the Azure portal. https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal

Microsoft. (2021). Tutorial: Create and configure an Azure Active Directory Domain Services managed domain. https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance