Azure Active Directory Domain Services provides a simple solution to Active Directory when deploying workloads in Azure using the Citrix Cloud XenApp and XenDesktop Service or the newly-released XenApp Essentials and XenDesktop Essentials services. Azure AD Domain Services provides AD domain controllers as a service, eliminating the complexity of setting up AD, the ongoing maintenance costs of patching and backing up domain controllers, and the operational expense of domain controller VMs in Azure. This blog post will walk you through the deployment of a XenApp Essentials catalog using Azure AD Domain Services.
Azure AD Domain Services is ideal for pure cloud deployments of Windows applications and desktops where not only the applications, but also their dependencies, such as file and database servers, are also moved to Azure. Azure AD Connect can be used to replicate user identities from an on-premises AD into the Domain Services domain, so users can use their existing logon credentials when accessing the apps and desktops, as shown in the diagram below.
However, note that Domain Services may not be suitable for hybrid use cases, where workloads in Azure continue to access resources on-premises. In this case, the user’s identity in Azure will have a different SID and logon token from on-premises. In some cases, users may be re-prompted for credentials each time they access an on-premises resource. In other cases, applications may break completely if they depend on Windows integrated authentication. For hybrid workloads, we continue to recommend a traditional AD deployment, where domain controllers are deployed on VMs in Azure, connected back to on-premises using a VPN or ExpressRoute as shown below.
The rest of this blog will walk through the set-up of a XenApp Essentials environment using Azure AD Domain Services. The steps below assume you already have an Azure subscription, and have purchased the XenApp Essentials service in Azure Marketplace.
Setting up Domain Services also requires administrator permissions on your Azure subscription in order to access the classic portal. If you only have RBAC access (e.g. owner, contributor, reader), you will not have sufficient permissions to configure Domain Services. You can validate your permissions by clicking on the top right menu, selecting “My permissions,” and confirming it says “You are an administrator on the subscription…”
Step 1: Create an Azure Active Directory
If you haven’t already configured Azure AD in your subscription, go to New -> Security + Identity -> Azure Active Directory. Give it a unique name, and click the Create button.
Wait one to two minutes, and Azure AD will be created.
Step 2: Create a domain administrators group
Navigate to the newly-created Azure AD domain, click the Groups tab and click Add Group from the task pane at the bottom of the page. You must create a security group with the exact name “AAD DC Administrators”. Users of this group will have similar permissions to domain administrators in Domain Services—they will be able to add users and machines and also configure GPOs in AD. However, note that these users are not truly domain admins in the sense of traditional AD—Domain Services is a PaaS service and doesn’t provide full admin permissions to customers.
We’ll defer creating users and adding them to the group until later. Note that any users created before Domain Services is configured will need to reset their passwords later in order to use Domain Services.
Step 3: Create a classic virtual network
At the time of this blog (April 2017), Domain Services only supports classic virtual networks, not Azure Resource Manager. However, classic and Resource Manager networks can easily be peered, enabling Domain Services to work with the Resource Manager provisioning in XenApp Essentials.
Create a classic virtual network by clicking New -> Networking -> Virtual Network, and be sure to change the deployment model dropdown to Classic before continuing.
When creating the classic virtual network, be sure to pick an IP address range that is different from the one we wish to use with the XenApp Essentials service. It really only needs 2 usable IP addresses, so a /24 is more than sufficient.
Step 4: Create a subnet for the Azure virtual network
Navigate to the Azure classic portal, click Networks, and open the newly created virtual network. Under the Configure tab, click “add subnet” and specify a subnet, then save the change.
Step 5: Enable Azure AD Domain Services
Next, also in the classic portal, navigate to the Active Directory node and open the newly-created AAD domain.
Under the Configure tab, scroll down to Domain Services and set “enable domain services for this directory” to YES. The DNS name and virtual network should be automatically populated.
Then click the Save icon at the bottom. This step takes 30 minutes to one hour to set up Domain Services.
Once Domain Services is provisioned, you will see a new section labeled “IP Address” under the Domain Services section. At first, there may only be a single address there, but continue waiting and refreshing the page until two appear. Once two IP addresses appear, be sure to make a note of these values as they are needed later for configuring DNS.
Step 6: Add users
Click on the Users tab then click Add User from the task pane at the bottom of the page to create user accounts. We should create at least one user to use for provisioning machines and add this user to the AAD DC Administrators group.
Important: Any user accounts created in Azure AD before enabling Domain Services must change their password before they will be able to log in with Domain Services.
Step 7: Update DNS settings for the classic virtual network
Continuing in the classic portal, click Networks and open the virtual network in which Azure AD Domain Services was enabled. Click the Configure tab and scroll down to DNS Servers. Enter the two IP addresses from the Domain Services configuration. Click Save on the task pane at the bottom of the page.
Step 8: Create a Resource Manager virtual network
Switch back to the new Azure portal and create a Resource Manager virtual network by clicking New -> Networking -> Virtual Network. Be sure to change the deployment model to “Resource Manager.” This virtual network must be located in the same region as the classic virtual network.
Step 9: Update DNS settings for the Resource Manager virtual network
Navigate to the newly created Resource Manager virtual network and select the DNS Servers node. Select Custom and enter the two IP addresses of Azure AD Domain Services.
Step 10: Peer the virtual networks
Also within the virtual network settings, select the Peerings node. Click Add and change the Peer details to Classic to see the classic virtual network. Select the classic virtual network in which Domain Services was deployed and click OK.
Our Azure subscription is now ready to deploy XenApp. We have a Resource Manager virtual network with an AD domain provided by Domain Services. The steps below show the new XenApp Essentials service, but similar steps would also work with XenDesktop Essentials or the XenApp and XenDesktop Service.
In XenApp Essentials, create your first catalog. When linking your Azure subscription, select the Resource Manager virtual network and subnet created above.
When joining the local domain, enter the .onmicrosoft.com domain name created by Domain Services. For the Service Account Name, specific one of the Azure AD users who was added to the AAD DC Administrators group. Be sure to specify the username in UPN format.
Finally, click Start Deployment to create the catalog. We now have a working XenApp catalog, without having to create or maintain Active Directory!