Integrate Azure AD Domain Services with your RDS deployment
You can use Azure AD Domain Services (Azure AD DS) in your Remote Desktop Services deployment in place of Windows Server Active Directory. Azure AD DS lets you use your existing Azure AD identities with classic Windows workloads.
With Azure AD DS you can:
- Create an Azure environment with a local domain for born-in-the-cloud organizations.
- Create an isolated Azure environment with the same identities used for your on-premises and online environment, without needing to create a site-to-site VPN or ExpressRoute.
When you finish integrating Azure AD DS into your Remote Desktop deployment, your architecture will look something like this:
To see how this architecture compares with other RDS deployment scenarios, check out Remote Desktop Services architectures.
To get a better understanding of Azure AD DS, check out the Azure AD DS overview and How to decide if Azure AD DS is right for your use-case.
Use the following information to deploy Azure AD DS with RDS.
Before you can bring your identities from Azure AD into an RDS deployment, configure Azure AD to store the hashed passwords for your users' identities. Born-in-the-cloud organizations don't need to make any additional changes in their directory; however, on-premises organizations need to allow password hashes to be synchronized to and stored in Azure AD, which some organizations' policies may not permit. Users will have to reset their passwords after this configuration change is made.
Deploy Azure AD DS and RDS
Use the following steps to deploy Azure AD DS and RDS.
Enable Azure AD DS. Note that the linked article does the following:
- Walks through creating the appropriate Azure AD groups for domain administration.
- Highlights when you might have to force users to change their password so their accounts can work with Azure AD DS.
Set up RDS. You can either use an Azure template or deploy RDS manually.
Use the Existing AD template. Make sure to customize the following:
- Resource group: Use the resource group where you want to create the RDS resources. Right now this has to be the same resource group where the Azure Resource Manager virtual network exists.
- Dns Label Prefix: Enter the URL that you want users to use to access RD Web.
- Ad Domain Name: Enter the full name of your Azure AD instance, for example, "contoso.onmicrosoft.com" or "contoso.com".
- Ad Vnet Name and Ad Subnet Name: Enter the same values that you used when you created the Azure Resource Manager virtual network. This is the subnet to which the RDS resources will connect.
- Admin Username and Admin Password: Enter the credentials for an admin user that's a member of the AAD DC Administrators group in Azure AD.
- Remove all properties of dnsServers: after selecting Edit template from the Azure quickstart template page, search for "dnsServers" and remove the property.
For example, before removing the dnsServers property:
And here's the same file after removing the property:
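The dnsServers removal step above is easy to get wrong by hand in a large template, so here is an added Python example (not code from the article or from the Azure quickstart template) that locates every dnsServers property in a template, removes it, and verifies none remain. The template embedded below is a constructed, minimal stand-in for the quickstart template's virtual network resource, with a made-up DNS server address and an illustrative apiVersion; the real template is larger, but the property lives in the same place (properties.dhcpOptions.dnsServers on the virtual network). An empty dhcpOptions object left behind after the removal is also dropped, which is a design choice here rather than something the article requires.

```python
import copy
import json

# Constructed sample: a minimal ARM template containing only the virtual network
# resource shape that matters for this step. Values are illustrative, not from the
# real quickstart template.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adVnetName": {"type": "string"},
        "adSubnetName": {"type": "string"},
    },
    "resources": [
        {
            "type": "Microsoft.Network/virtualNetworks",
            "name": "[parameters('adVnetName')]",
            "apiVersion": "2017-10-01",  # illustrative version string
            "location": "[resourceGroup().location]",
            "properties": {
                "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
                # This is the property the article tells you to remove.
                "dhcpOptions": {"dnsServers": ["10.0.0.4"]},  # constructed address
                "subnets": [
                    {
                        "name": "[parameters('adSubnetName')]",
                        "properties": {"addressPrefix": "10.0.0.0/24"},
                    }
                ],
            },
        }
    ],
}


def find_dns_servers(node, path="$"):
    """Return a JSONPath-style location for every 'dnsServers' key in the template."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "dnsServers":
                hits.append(child)
            hits.extend(find_dns_servers(value, child))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_dns_servers(value, f"{path}[{index}]"))
    return hits


def remove_dns_servers(template):
    """Return (cleaned_copy, removed_count); the input template is left untouched."""
    cleaned = copy.deepcopy(template)
    removed = 0

    def walk(node):
        nonlocal removed
        if isinstance(node, dict):
            if "dnsServers" in node:
                del node["dnsServers"]
                removed += 1
            for value in node.values():
                walk(value)
            # Design choice: drop a dhcpOptions block that is now empty.
            if node.get("dhcpOptions") == {}:
                del node["dhcpOptions"]
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(cleaned)
    return cleaned, removed


def clean_template_file(src_path, dst_path):
    """Read a template JSON file, strip dnsServers, write the result; returns the count removed."""
    with open(src_path, encoding="utf-8") as src:
        template = json.load(src)
    cleaned, removed = remove_dns_servers(template)
    with open(dst_path, "w", encoding="utf-8") as dst:
        json.dump(cleaned, dst, indent=2)
    return removed


if __name__ == "__main__":
    print("before:", find_dns_servers(SAMPLE_TEMPLATE))
    cleaned_template, count = remove_dns_servers(SAMPLE_TEMPLATE)
    print("removed:", count, "remaining:", find_dns_servers(cleaned_template))
```

Run find_dns_servers on the downloaded template first to confirm where the property sits, then use clean_template_file to produce the edited copy you paste back into Edit template; a non-empty result from find_dns_servers on the output means the step is not finished.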