Multiple forests with AD DS, Azure AD, and Azure AD DS

Azure Active Directory
Active Directory Domain Services
Files

Solution Idea

If you'd like to see us expand this article with more information, such as potential use cases, alternative services, implementation considerations, or pricing guidance, let us know with GitHub Feedback!

This solution idea shows how you can deploy Azure Virtual Desktop (AVD) rapidly in a minimum viable product (MVP) or a proof of concept (PoC) environment with the use of Azure Active Directory Domain Services (Azure AD DS). Use this idea to extend on-premises multi-forest AD DS identities to Azure without private connectivity and also support legacy authentication.

Potential use cases

This solution idea also applies to mergers and acquisitions, organization rebranding, and multiple on-premises identities requirements.

Architecture

Azure Virtual Desktop with Azure AD Domain Services

Dataflow

The following steps show how the data flows in this architecture in the form of identity.

  1. Complex hybrid on-premises Active Directory environments are present, with two or more AD forests. Domains live in separate forests, with distinct UPN suffixes. For example, companyA.local with UPN suffix companyA.com, companyB.local with UPN suffix CompanyB.com, and an additional UPN suffix newcompanyAB.com.
  2. Instead of using customer-managed domain controllers whether on-premises or on Azure (that is, Azure IaaS domain controllers), the two cloud-managed domain controllers provided by Azure AD DS are used.
  3. Azure AD Connect syncs users from both CompanyA.com and CompanyB.com to the Azure AD tenant (NewCompanyAB.onmicrosoft.com). The user account is represented only once in Azure AD and private connectivity is not used.
  4. Users then sync from Azure AD to the managed Azure AD DS as a one-way sync.
  5. A custom and routable Azure AD DS domain name is created (aadds.newcompanyAB.com). The newcompanyAB.com is a registered domain to support LDAP certificates. It is generally recommended not to use non-routable domain names (such as, contoso.local) as it can cause issues with DNS resolution.
  6. The AVD session hosts join the Azure AD DS domain controllers.
  7. Host pools and app groups can be created in a separate subscription and spoke virtual network.
  8. Users are assigned to the app groups.
  9. Users sign in via AVD Desktop or web client with a format such as, john@companyA.com, jane@companyB.com, or joe@newcompanyAB.com, depending on the UPN suffix configured.
  10. Users are presented with their respective virtual desktops or apps. For example, joe@companyA.com will be presented with virtual desktops or apps in host pool A, jane@companyB will be presented with virtual desktops or apps in host pool B, and joe@newcompanyAB will be presented with virtual desktops or apps in host pool AB.
  11. The storage account (Azure Files used for FSLogix) is joined to the managed domain AD DS. The FSLogix user profiles are created in Azure Files shares.

Note

  1. For Group Policy requirements in Azure AD DS, you can install Group Policy Management tools on a Windows Server virtual machine that is joined to Azure AD DS.
  2. To extend GPO infrastructure for AVD from the on-premises domain controllers, manual export and import to Azure AD DS is required.

Components

Key technologies used to implement this architecture:

Next steps

For more information, see these articles: