What is Azure Virtual Desktop?
Azure Virtual Desktop (formerly Windows Virtual Desktop) is a remote desktop service that runs the latest Windows operating system with Office 365 ProPlus installed. It is a platform where anyone can securely access their work applications and data from anywhere, on any device. It is not a physical machine that sits in your office or home; you access your virtual desktop over a remote connection, and it supports multi-session Windows 10. In short, Azure VD is a desktop and application virtualization service that runs on the Azure cloud.
What are the benefits of Azure Virtual Desktop?
Virtual desktops are an appealing option to employers as they provide cost and time savings, along with increased security and employee efficiency.
If your desktops are hosted virtually, employees and members of your team will be able to access them regardless of their location, situation, or device. This will significantly increase flexibility and save time within the workplace.
Azure VD can save your organization money because you only pay for what you use. In addition, less infrastructure is required to run a distributed team. Updating many devices, along with regular maintenance and major upgrades, quickly becomes difficult; a virtual desktop solves this by centralizing the update process.
In Azure VD, data is stored in a central system, which you can protect more strongly than you could on your employees' devices. Everything is centrally managed, allowing you to set the rules and keep your data secure in the right ways. The recovery procedure also minimizes downtime and potential damage.
Architecture Diagram
We will be creating a Domain Server, Host Pool and Storage Account for existing on-premises users who will log in to Windows Virtual Desktop (Windows 10 + Office 365).
Please log in to the Azure Portal with your account, e.g.: PBista@stardustbista.onmicrosoft.com
Note: For this lab you need a Microsoft Azure account.
Step 1: Deploying a VM for Server 2019 Datacenter
- Resource Group: DC-RG
- Name: DC
- Image: Windows Server Datacenter 2019
- Inbound Port: RDP - Port 3389
In Create a virtual machine, input the data as per below and don't lose the Administrator account credentials.
Click Next: Disks and leave it as it is for lab purposes.
Click Next: Networking. On the Networking tab, click Virtual network: Create new and input the data as per below:
Click the OK button and then click Next: Management.
On the Monitoring tab, disable Monitoring by selecting the radio button and click Next: Advanced.
Leave the rest of the setup as it is for now and select the Review + create button.
If validation passes, select the Create button.
Click Go to resource; we can see that the virtual machine called DC is created.
Now we are going to make changes at the DNS level, so click Networking on the left.
Click Network Interface:
Click IP configurations
Click the highlighted portion below,
Change Assignment from Dynamic to Static and click Save.
Click Network Interface at the top
Click DNS servers on the left-hand side
Select the Custom radio button and enter the static IP address you assigned above.
Now change DNS at the Virtual Network level:
Then select DC-VNet > DNS servers
Select the Custom radio button and enter the same static IP address you assigned above.
Save it.
Step 2: Configuring Active Directory Domain Services
Click DC (the Windows Server 2019 VM)
Click Connect and select RDP
Download the RDP file and run it; it will prompt you for credentials:
Input the credentials, e.g.: PBista and N@maste2021, and click OK to log in
After successfully logging in to the server, from Server Manager select Manage > Add Roles and Features.
Click Next > Next > Next and, under Server Roles,
select Active Directory Domain Services > Add Features
Click Next > Next > Next and select Restart the destination server automatically if required
Click Yes and click Install
After the installation (Roles and Features) has finished, we have to promote the server to a Domain Controller:
Click Promote this server to a domain controller
Step 3: Promoting the Server to a Domain Controller
Select Add a new forest
Input the root domain name, e.g. stardustbista.onmicrosoft.com (whatever your Azure subscription name is)
Input the DSRM password:
Click Next > Next > Next > Next, then Review > Install
After promoting the Domain Controller:
Step 4: Creating a Storage Account
Search for Storage accounts in the search bar and select it.
Select Create
Resource group: Create new and name it FS-RG
Storage account name: stardust2021
Accept the default settings, click Review + create and select Create to create the storage account.
Click Go to resource
Click File shares under Data storage
Click + File share again
Input the data as per below:
- Name: profile
- Quota: 30 GB
- Tier: Hot
Step 5: Add Users and an Organizational Unit to Active Directory
On the Windows Server 2019 machine, open Server Manager > Tools > Active Directory Users and Computers
Create three users and one OU:
- User one: wvdadmin
- User two: bistaprasiddha
- User three: ram
- Organizational Unit: ONPREM
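The same work as Steps 2, 3 and 5 done from PowerShell, as an added example that is not part of the original article. It uses the article's root domain and user names; placing the users in the ONPREM OU is an assumption, since the article creates both but does not say where the users go.

```powershell
# Added example (not from the original article): Steps 2, 3 and 5 as PowerShell,
# run as administrator on the DC VM. Uses the article's root domain and user names;
# placing the users in the ONPREM OU is an assumption (the article creates both but
# does not say where the users live). Passwords are prompted, never stored in the script.
$domainName = "stardustbista.onmicrosoft.com"

# --- Part 1 (Steps 2 and 3): role install and forest promotion. The server reboots
# when Install-ADDSForest finishes, so run Part 2 after logging back in.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString -Prompt "DSRM (Safe Mode Administrator) password"
Install-ADDSForest -DomainName $domainName -SafeModeAdministratorPassword $dsrm `
    -InstallDns -Force

# --- Part 2 (Step 5): confirm the DC, then create the OU and the three users.
Import-Module ActiveDirectory
Get-ADDomainController | Select-Object Name, Domain, IsGlobalCatalog

$domainDn = (Get-ADDomain).DistinguishedName   # DC=stardustbista,DC=onmicrosoft,DC=com
New-ADOrganizationalUnit -Name "ONPREM" -Path $domainDn
$ouDn = "OU=ONPREM,$domainDn"

foreach ($u in @("wvdadmin", "bistaprasiddha", "ram")) {
    New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@$domainName" `
        -Path $ouDn -Enabled $true -ChangePasswordAtLogon $true `
        -AccountPassword (Read-Host -AsSecureString -Prompt "Initial password for $u")
}

# Check: the OU and users exist where Azure AD Connect (Step 6) will pick them up.
Get-ADUser -Filter * -SearchBase $ouDn |
    Select-Object SamAccountName, UserPrincipalName, Enabled
```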
Now we have users and an OU in our on-premises AD domain controller, and we need to sync them to Azure AD. For this we need to download and install a tool called "Microsoft Azure Active Directory Connect" from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=47594
If you run Microsoft Azure AD Connect for the first time and get an error like the one above, follow the link provided above and run the PowerShell commands provided by Microsoft to fix the error.
Step 6: Installing Microsoft Azure AD Connect
Select Agree and click Continue.
Select Express Settings and provide Global Administrator details to connect to Azure AD.
Provide the details to connect to AD DS:
- User: PBista@stardustbista.onmicrosoft.com
- Pass: P@ssword2021
Select Continue without matching all UPN suffixes to verified domains and click Next.
Click Install.
Step 7: Create a Host Pool
In the search panel type: windows virtual desktop and select it.
In Azure Virtual Desktop, select Create a host pool:
Enter the information as per below:
Review + create.
Step 8: Assign Roles to Users
- Go to Resource groups
- Open FS-RG (the storage account's resource group)
- Click Access control (IAM)
Give wvdadmin (the Windows Virtual Desktop admin) Owner access at the FS-RG resource group level.
Input Role: Owner and User: wvdadmin (from the Active Directory domain)
Click Save.
Give specific access to the others:
Search Resource groups > select FS-RG and the stardust2021 storage account
- FS-RG (resource group)
- stardust2021 (storage account)
Click Access control (IAM)
Give access to wvdadmin and the users with specific roles as per below:
1. This is for the admin user
2. Assign roles for users bistaprasiddha and ram as per below:
Step 9: Enable AD DS authentication for your Azure file shares
The cmdlets in the AzFilesHybrid PowerShell module make the necessary modifications and enable the feature for you. After enabling the feature, you must configure your storage account and your AD DS to use AD DS credentials for authenticating to your Azure file share. To enable AD DS authentication over SMB for Azure file shares, you need to register your storage account with AD DS and then set the required domain properties on the storage account.
To register your storage account with AD DS, create an account representing it in your AD DS. You can think of this process as being like creating an account representing an on-premises Windows file server in your AD DS. When the feature is enabled on the storage account, it applies to all new and existing file shares in the account.
Source: Microsoft Documentation
Download the module: https://github.com/Azure-Samples/azure-files-samples/releases
Select AzFilesHybrid.zip and extract the zip file
When extracted, copy the path and run PowerShell ISE as an Administrator. Click the New button.
Change the path: type cd and paste the copied path
- cd C:\Users\PBista\Downloads\AzFilesHybrid
Run the PowerShell commands below; for errors, see the end of the document.
#Change the execution policy to unblock importing AzFilesHybrid.psm1 module
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Currentuser
#Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path
.\CopyToPSPath.ps1
#Import AzFilesHybrid module
Import-Module -name AzFilesHybrid
After running the Import-Module -Name AzFilesHybrid command, select "A" (Yes to All).
Check the installed modules with the Get-Module command and make sure the Az script modules are installed.
#Login with an Azure AD credential that has either storage account owner or contributor RBAC assignment
Connect-AzAccount
It will prompt for credentials, so input the details of the account that has access to the storage account:
- User: wvdadmin@stardustbista.onmicrosoft.com
- Password: N@maste2021 (input your password)
If you connected successfully, you will see the details below:
#Select the target subscription for the current session
Select-AzSubscription -SubscriptionId "<your-subscription-id-here>"
Go to the search bar in the Azure Portal and search for Subscriptions:
Select Subscriptions > click on the subscription name > copy the Subscription ID to the clipboard and paste it into the PowerShell command.
This registers your storage account with AD DS for the file share:
This command creates a computer account for the storage account in the ONPREM OU, which is what allows the file share to authenticate users with AD DS credentials.
Join-AzStorageAccountForAuth -ResourceGroupName "FS-RG" -Name "stardust2021" -DomainAccountType "ComputerAccount" -OrganizationalUnitName "ONPREM" -Domain "stardustbista.onmicrosoft.com"
After it completes successfully:
Now you can verify by checking Active Directory Users and Computers:
- Go to Active Directory Users and Computers
- Expand your domain, e.g.: stardustbista.onmicrosoft.com
- Click ONPREM
- You can see a computer account object named stardust2021
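The Step 9 join with the checks a practitioner would run afterwards, as an added example that is not part of the original article. It uses the article's names (FS-RG, stardust2021, ONPREM, stardustbista.onmicrosoft.com) and assumes the AzFilesHybrid module and the RSAT Active Directory module are installed on the domain-joined server; Debug-AzStorageAccountAuth is the module's own diagnostic cmdlet.

```powershell
# Added example (not from the original article): join the storage account to AD DS
# and verify the result with the article's names. Requires AzFilesHybrid and the
# ActiveDirectory module on the domain-joined server, and a Connect-AzAccount login
# with Owner or Contributor on the storage account.
$rg      = "FS-RG"
$account = "stardust2021"
$ou      = "ONPREM"
$domain  = "stardustbista.onmicrosoft.com"

Import-Module AzFilesHybrid
Import-Module ActiveDirectory

# Select the subscription; the id is a placeholder you must replace.
Select-AzSubscription -SubscriptionId "<your-subscription-id-here>"

# Create the computer account in the ONPREM OU and enable AD DS auth over SMB.
Join-AzStorageAccountForAuth -ResourceGroupName $rg -StorageAccountName $account `
    -DomainAccountType "ComputerAccount" -OrganizationalUnitName $ou -Domain $domain

# Check 1: the storage account now reports AD as its directory service.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions      # expected: AD
$sa.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties    # DomainName, DomainSid, ...

# Check 2: the computer object exists in AD (what you see in ADUC under ONPREM).
Get-ADComputer -Identity $account -Properties servicePrincipalName |
    Select-Object Name, DistinguishedName, servicePrincipalName

# Check 3: the module's built-in diagnostics (port 445, DNS, Kerberos, SPN, permissions).
Debug-AzStorageAccountAuth -StorageAccountName $account -ResourceGroupName $rg -Verbose
```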
Step 10: Assign users to the Desktop Application Group (DAG)
Add bistaprasiddha as a user to test Windows 10:
- Home portal > Resource groups > HP-RG > ITS-DAG > Assignments
- Click Add
- Choose a user:
Step 11: Map a Network Drive
Go to the Windows Server, click File Explorer on the taskbar, then navigate to Map network drive as follows:
First, get the file share's URL path. Go to Azure Home and navigate to:
- Home > Storage accounts > stardust2021 > profile
- Select Properties
- Copy the URL path
In the Map network drive window, paste that URL path into Folder, change it accordingly like below and click Finish:
This will prompt you for network credentials for the storage account "stardust2021"; follow these steps to copy the storage account access key:
Navigate to Home (portal)
- Home > Storage accounts > stardust2021
- Click Access keys
- Click Show keys
- Copy the access key to the clipboard.
Paste the access key below and click the OK button.
Now you have mapped the network drive successfully:
For testing purposes, create a folder called Images; we will then check whether that folder replicates to Azure Storage.
Navigate to Home (portal)
- Home > Storage accounts > stardust2021
- Click File shares (under the Data storage category)
- Click profile
You can see that the folder you created on the Windows Server network drive appears in the Azure storage account.
Apply NTFS file permissions to that mapped network drive:
Click File Explorer on the taskbar, click This PC, right-click the mapped network drive and select Properties.
- Click the Security tab
- Click Edit
- Click Add
- Type wvdadmin, click Check Names and click the OK button.
- Now apply Full control to the wvdadmin account:
- Check the Full control box > Apply > Yes and the OK button.
For the other users, only give the Modify permission:
Repeat the same procedure for the rest of the user accounts.
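Step 11 done from PowerShell on the Windows Server, as an added example that is not part of the original article: map the profile share with the storage account key, create the test folder, and apply the same NTFS permissions (Full control for wvdadmin, Modify for the other users). It uses the article's names; the storage account key is a placeholder to replace, and the NetBIOS domain name stardustbista is assumed from the article's login (stardustbista\PBista).

```powershell
# Added example (not from the original article): map the profile share with the
# storage account key and apply the Step 11 NTFS permissions. The key is the
# account's full-access secret, so it is a placeholder here, not something to
# keep in a script. The NetBIOS domain name is assumed from the article's login.
$account = "stardust2021"
$share   = "profile"
$domain  = "stardustbista"
$key     = "<storage-account-key-here>"   # placeholder; copy from Access keys in the portal
$fqdn    = "$account.file.core.windows.net"
$unc     = "\\$fqdn\$share"

# SMB to Azure Files uses TCP 445; if this is blocked the mapping cannot work.
if (-not (Test-NetConnection -ComputerName $fqdn -Port 445).TcpTestSucceeded) {
    throw "Port 445 to $fqdn is blocked"
}

# Store the credential (the "Enter network credentials" prompt in the article)
# and map Z: persistently.
cmd.exe /C "cmdkey /add:`"$fqdn`" /user:`"localhost\$account`" /pass:`"$key`""
New-PSDrive -Name Z -PSProvider FileSystem -Root $unc -Persist -Scope Global

# Test folder: it should show up under Storage accounts > stardust2021 > profile.
New-Item -Path "Z:\Images" -ItemType Directory -Force | Out-Null

# NTFS permissions: F = Full control, M = Modify; (OI)(CI) = inherit to files and folders.
icacls Z:\ /grant "$domain\wvdadmin:(OI)(CI)F"
foreach ($user in @("bistaprasiddha", "ram")) {
    icacls Z:\ /grant "$domain\${user}:(OI)(CI)M"
}

# Confirm what was applied (same as the Security tab in Properties).
icacls Z:\
```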
Step 12: Installing FSLogix and Making Changes in the Registry
In Azure Virtual Desktop, FSLogix is used to roam user profiles in remote computing environments. FSLogix securely stores a complete user profile in a container.
We are going to install the FSLogix agent on the WVD (Windows Virtual Desktop) client machine. We are installing FSLogix manually because we have only one WVD; in a production environment, use a GPO to install it.
Note: Make sure your VM has a public IP and a network security group attached, with a firewall rule allowing RDP (port 3389) for remote connections.
Follow the steps below:
- Home > Virtual machines > ITS-0
- Select Connect
- Select RDP
Download the RDP file and run it.
Click Connect, enter your credentials as below and click the OK button:
- User: stardustbista\PBista
- Pass: N@mastebista2021 (input your password)
Download and install the FSLogix agent in Windows Virtual Desktop (Windows 10).
Open a web browser, paste the link provided and download:
https://docs.microsoft.com/en-us/fslogix/install-ht
Extract the zip file and navigate to the folder as per below:
C:\Users\PBista\Downloads\FSLogix_Apps_2.9.7838.44263\x64\Release
Find the file called FSLogixAppsSetup and run the executable.
Install FSLogix and restart the computer.
Now we need to make some changes in the Registry:
In the Windows taskbar search, enter registry and open Registry Editor.
- Expand HKEY_LOCAL_MACHINE
- Expand SOFTWARE
- Click FSLogix
- Right-click FSLogix and select New > Key
- Enter the name Profiles (Note: only if the Profiles key does not already exist)
- Right-click Profiles and select New > DWORD (32-bit) Value
- Name: Enable
- Double-click Enable and enter the value 1
- Right-click Profiles and select New > Multi-String Value
- Name: VHDLocations
- Double-click VHDLocations and enter the Value data (the path of the file share)
Navigate to Home (portal)
- Home > Storage accounts > stardust2021
- Click File shares
- Right-click profile
- Select Properties
- Copy the URL path
- Paste the copied URL and modify it to: \\stardust2021.file.core.windows.net\profile
- Click OK
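The same registry changes made from PowerShell and read back, as an added example that is not part of the original article. It uses the article's share path and assumes FSLogix is already installed; note that FSLogix documents the profile-container switch as a REG_DWORD named Enabled, so the example uses that name.

```powershell
# Added example (not from the original article): set the FSLogix Profiles values
# from Step 12 with PowerShell instead of Registry Editor, then verify them.
# Assumes the article's share and that FSLogix is installed (creates the Profiles
# key if it is missing). The documented value name is "Enabled" (REG_DWORD).
$profilesKey = "HKLM:\SOFTWARE\FSLogix\Profiles"
$vhdLocation = "\\stardust2021.file.core.windows.net\profile"

if (-not (Test-Path $profilesKey)) {
    New-Item -Path $profilesKey -Force | Out-Null
}

# Enabled = 1 turns profile containers on.
New-ItemProperty -Path $profilesKey -Name "Enabled" -PropertyType DWord -Value 1 -Force | Out-Null

# VHDLocations is REG_MULTI_SZ: one entry per share, here only the article's share.
New-ItemProperty -Path $profilesKey -Name "VHDLocations" -PropertyType MultiString `
    -Value @($vhdLocation) -Force | Out-Null

# Read back and check both values before signing in as a test user.
$cfg = Get-ItemProperty -Path $profilesKey
if ($cfg.Enabled -ne 1 -or $cfg.VHDLocations -notcontains $vhdLocation) {
    throw "FSLogix Profiles configuration is incomplete"
}
$cfg | Select-Object Enabled, VHDLocations
```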
Finally we have achieved our goal; AVD is installed and ready to run.
Now it's time to log in to WVD:
Copy and paste this link into a web browser: https://aka.ms/wvdarmweb
Provide your sign-in credentials and click Sign in:
It will display all your resources; double-click ITS-WS:
Provide your login credentials and click Submit. Finally we are in Windows 10 (Windows Virtual Desktop).
You can create files, data or any other work and save it without worrying about losing it, because this AVD has roaming user profiles set up. This means that from anywhere, on any device, you can remotely connect to this AVD with the correct authorization and retrieve your data immediately.
PowerShell Error:
You might get an error running the PowerShell script:
Azure AD Connect
- PS> Import-Module ADSync
- PS> Start-AdSyncSyncCycle -PolicyType Delta
Error:
Start-AdSyncSyncCycle : System.Management.Automation.CmdletInvocationException: File C:\Program Files\Microsoft Azure
AD Sync\Extensions\AADConnector.psm1 cannot be loaded because running scripts is disabled on this system
Solved:
- PS> Set-ExecutionPolicy Unrestricted
- PS> Get-ExecutionPolicy
- PS> Start-AdSyncSyncCycle -PolicyType Initial
Thanks so much for reading this article; I hope I was able to relay my knowledge on Azure. You have successfully completed all the steps to create an AVD:
- Deployed an on-premises Windows Server with Active Directory as a Domain Controller
- Created users and an OU
- Mapped a network drive and replicated it to an Azure Storage account
- Applied NTFS permissions for users
- Installed Azure AD Connect and synced existing on-premises users and OU to Azure Active Directory
- Created a storage account in Azure
- Gave users permission to access the Azure storage account
- Created a host pool
- Created an AVD with MS Office 365
- Downloaded FSLogix and installed it in the AVD for users' roaming profiles
Stay tuned for more articles on Azure in the coming days, thank you for your support.
Pralad is a highly motivated IT professional with experience in system administration and design, deployments, migrations and operations. He has over eight years of experience in the industry. Over this period, he has gained a significant amount of knowledge and experience in various industry-leading technologies including, but not limited to, AWS, Microsoft Windows, Linux and VMware.
His expertise lies in the areas of cloud computing, unified communications, storage, backup, networking and security in mission-critical environments. In addition, he has experience in stakeholder and project management.