How to setup Azure Windows Virtual Desktop (WVD)

Jason Pang
11 min read · Jan 5, 2021

This tutorial explains the steps required to set up WVD. Note: at the time of writing, WVD is not data residency compliant and some of the metadata will be stored in the US.

Pre-requisites

To set up WVD for this tutorial, we need the following:

  • Azure Active Directory (AAD)
  • A Windows Server Active Directory (AD) Domain Controller (DC) on Azure Virtual Machine (VM)
  • Azure AD Connect
  • Azure Windows 10 Enterprise multi-session VMs as the WVD session hosts, which will be domain joined to the AD DC running on the Azure VM

All resources will be created in the East US region for this tutorial.

Before we start, let’s look at what the environment looks like and what we are trying to achieve.

  • I have two VNets in the same region.
  • VNet1 (left) will host the WVD host pool, session hosts and workspace.
  • VNet2 (right) will host the AD DC on an Azure VM to mimic an on-premises AD DC, and Azure AD Connect is configured to sync to AAD using the express setup (i.e. Password Hash Synchronization) for ease of setup.
  • VNet1 is peered to VNet2 so that the WVD session hosts can join the domain served by the AD DC on the Azure VM.

Create Azure VM for AD DC in VNet2

  • Search for Virtual machines in the search field in Azure Portal.
  • Click Add then Virtual machine to add a new virtual machine.
  • In Basics tab, enter the details of the VM to create e.g. subscription, resource group, VM name, region, etc.
  • For Inbound port rules, select the Allow selected ports option for Public inbound ports and select RDP (3389) in the Select inbound ports dropdown (done here for ease of setup).
  • Click Next: Disks at the bottom or Disks tab at the top to proceed.
  • In Disks tab, select the OS disk type (selected Standard HDD in this case to save cost) and Encryption type (leave it at default).
  • I’ve added a data disk to host the AD DS directories by clicking Create and attach a new disk and entering details like Name, Source type (None for an empty disk), Size (Standard HDD and 32GB to save cost) and Encryption type (left at default).
  • Click OK and click Next: Networking at the bottom or Networking tab at the top to proceed.
  • In Networking tab, select the Virtual network and Subnet where this VM will be provisioned. Click Create new for Public IP to assign a new public IP address to the VM. Leave NIC network security group at Basic. Select Allow selected ports option for Public inbound ports and select RDP (3389) for Select inbound ports to allow RDP access for ease of setup.
  • Click Next: Management at the bottom or the Management tab at the top to proceed. For this tutorial, I will leave everything at default for Management, Advanced and Tags. You can configure them if you want.
  • Click Review + create at the bottom to validate the settings, and once validation has passed click Create at the bottom to create the VM. Wait for it to complete.

Setup AD DC

  • Go to the VM resource created above and, in the Overview blade, click Connect and then RDP.
  • Click Download RDP file, then click the downloaded file at the bottom of your browser to launch the Remote Desktop Connection client.
  • Enter the credentials specified when creating the VM.
  • Wait a while and Server Manager will launch.
  • Click Add roles and features on the Dashboard blade.
  • For Before you Begin, click Next.
  • For Installation Type, select Role-based or feature-based installation option and click Next.
  • For Server Selection, select the Select a server from the server pool option and ensure the VM is highlighted, i.e. selected, in the Server Pool section. Click Next.
  • For Server Roles, select Active Directory Domain Services in the Roles section and click Next.
  • A pop-up appears to install the additional features required for AD DS. Leave everything at default and click Add Features.
  • For Features, click Next.
  • For Confirmation, click Install and wait for it to complete, or close the screen if you don’t want to wait.

Promote Server to Domain Controller

  • Once the installation completes, go back to the Server Manager Dashboard screen and you will notice a notification on the flag icon. Click it and then click Promote this server to a domain controller.
  • For Deployment Configuration, select Add a new forest and enter contoso.com (for ease of setup) for the Root domain name.
  • For Domain Controller Options, leave the Forest and Domain functional levels at Windows Server 2016. Under Specify domain controller capabilities, Domain Name System (DNS) server is selected by default (if you have a different DNS server, untick the DNS box and make sure you change the preferred DNS IP address in Network and Sharing Center to point to your existing DNS server). Under Type the Directory Services Restore Mode (DSRM) password, enter the password that will be used for the DSRM Administrator account and click Next.
  • For DNS Options, click Next.
  • For Additional Options, verify that the NetBIOS name matches your domain name (CONTOSO in this case) and click Next.
  • For Paths, you can leave them at default or, as in my case, change them to the F drive instead of the C drive so that the AD DS database, log and SYSVOL files are stored in a different location. (Note: you will first need to initialize the data disk created when provisioning the VM: open Disk Management, right click the uninitialized disk and click Initialize disk; then right click the initialized disk, click Create a Simple Volume, enter a volume name if you want and perform a quick format.) Click Next.
  • For Review Options, validate and click Next.
  • For Prerequisites Check, make sure you see the message “All prerequisite check passed successfully. Click install to begin installation.” at the top. If there are any errors, go back and fix them. Click Install.
  • If everything goes well, you will see the AD installation progress; wait for it to complete and the VM will reboot automatically.
  • After the VM has rebooted, you can log in as a Domain Administrator.
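The same two sections (role installation and promotion, including the F drive layout for the database, logs and SYSVOL) can be done from an elevated PowerShell session on the new VM. This is an added example, not part of the original post; the drive letter, domain name and functional level come from the tutorial, and the DSRM password is prompted for rather than hard-coded.

```powershell
# Added example: performs the "Setup AD DC" and "Promote Server to Domain
# Controller" steps from the tutorial in PowerShell on the freshly created VM.

# 1. Bring the empty data disk online as F: to hold the AD DS database, logs and SYSVOL
#    (the Disk Management steps from the "Paths" bullet). Only RAW disks are touched.
$raw = Get-Disk | Where-Object PartitionStyle -eq 'RAW'
if ($raw) {
    $raw | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -DriveLetter F -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false | Out-Null
}

# 2. Install the AD DS role plus its management tools (the "Add Features" pop-up).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# 3. Promote the server to the first DC of a new forest. WinThreshold is the
#    Windows Server 2016 functional level; -InstallDns keeps the DNS server
#    capability that the wizard ticks by default.
$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString
Install-ADDSForest `
    -DomainName 'contoso.com' `
    -DomainNetbiosName 'CONTOSO' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -DatabasePath 'F:\NTDS' `
    -LogPath 'F:\NTDS' `
    -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true
# The VM reboots automatically once promotion completes; sign back in as a
# domain administrator afterwards.
```

After the reboot, `Get-ADDomainController` and `dcdiag` are the quick checks that the new DC and its DNS role are healthy before continuing.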

Add a new AD User (with Add workstation to domain rights)

  • In Server Manager Dashboard, click Tools and click Active Directory Users and Computers to add a new user.
  • Click contoso.com to expand it.
  • Right click Users, select New and click User.
  • Enter the new user details, e.g. First name, Initials, Last name, User logon name, etc. In this tutorial, the new user logon name is joindomain@contoso.com. This logon will be used later when creating the WVD session hosts, which will use it to join the contoso.com domain. Click Next.
  • Enter the password twice and uncheck the User must change password at next logon checkbox. Click Next.
  • Click Finish to add the new user.
  • Back in the Server Manager Dashboard, click Tools and click Group Policy Management.
  • Click Domains and then click contoso.com to expand it.
  • Right click on Default Domain Policy and click Edit...
  • Expand Policies, Windows Settings, Security Settings, Local Policies and User Rights Assignment.
  • Double click on Add workstations to domain to open the properties screen.
  • Click on Add User or Group…
  • Click Browse…
  • Enter joindomain in the Enter the object names to select section and click Check Names.
  • Click OK and OK and Apply and OK on the subsequent screens.
  • You’ve successfully added a new AD user with permission to add workstations to the domain.
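The two domain accounts the tutorial needs (joindomain here and the wvdpocuser test user created later in the Assign users section) can be created on the DC with the ActiveDirectory module. This is an added example, not part of the original post; the given and surnames are made up for illustration, passwords are prompted for, and the final check is one a practitioner would want because the joindomain password is later typed into the host pool wizard and stored with the deployment.

```powershell
# Added example: creates the domain-join account and the WVD test user from the
# tutorial, then checks the join account is not sitting in a privileged group.
Import-Module ActiveDirectory

function New-TutorialUser {
    param([string]$Sam, [string]$Given, [string]$Surname)
    $upn = "$Sam@contoso.com"
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") {
        Write-Host "$upn already exists, skipping"
        return
    }
    $pwd = Read-Host -Prompt "Password for $upn" -AsSecureString
    New-ADUser -Name "$Given $Surname" -GivenName $Given -Surname $Surname `
        -SamAccountName $Sam -UserPrincipalName $upn `
        -AccountPassword $pwd -Enabled $true `
        -ChangePasswordAtLogon $false   # matches the unticked checkbox in the wizard
}

# Display names are constructed for this example; only the logon names come from the post.
New-TutorialUser -Sam 'joindomain' -Given 'Join'  -Surname 'Domain'
New-TutorialUser -Sam 'wvdpocuser' -Given 'WVD'   -Surname 'PocUser'

# Least-privilege check: the join account only needs the "Add workstations to
# domain" right, so flag it if someone has dropped it into an admin group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$groups = Get-ADPrincipalGroupMembership -Identity 'joindomain' | Select-Object -ExpandProperty Name
$hits = $groups | Where-Object { $privileged -contains $_ }
if ($hits) { Write-Warning "joindomain is a member of: $($hits -join ', ')" }
else       { Write-Host 'joindomain holds no privileged group membership' }
```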

Install Azure AD Connect

  • Download and run Azure AD Connect on the AD DC VM.
  • Select Express setup and go through the installation. This is the easiest way to set up Azure AD Connect, and it uses Password Hash Synchronization.

Modify VNet1 DNS Server

This is necessary because, in order for the WVD session hosts to join the domain, they need to be able to locate the AD DC created above. As we cannot configure the DNS settings of the session hosts directly, we set the DNS server of VNet1 to the AD DC’s private IP address.

  • Search for Virtual machines in the search field in Azure Portal.
  • Select the AD DC VM created above and take note of the VM’s private IP address (in the Networking section of the Overview blade).
  • Search for Virtual networks in the search field in Azure Portal.
  • Select the VNet1 resource in Azure Portal.
  • Click the DNS servers blade in the left menu.
  • Select Custom and enter the private IP address of the AD DC VM noted above. I’ve also added Google DNS (8.8.8.8) as well.
  • Click Save.
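The same change with the Az PowerShell module, as an added example that is not part of the original post: it reads the DC’s private IP from its NIC instead of copying it by hand, writes the VNet1 DNS list (DC first, then the 8.8.8.8 fallback the post adds) and warns if the DC’s address is dynamically allocated, since a DNS entry pointing at a dynamic IP goes stale when the VM is deallocated. The resource group and VM names are assumptions.

```powershell
# Added example: the "Modify VNet1 DNS Server" steps via Az PowerShell.
Connect-AzAccount | Out-Null

$dcRg   = 'rg-vnet2'   # assumed resource group of the AD DC VM
$dcVm   = 'vm-addc'    # assumed VM name of the AD DC
$vnetRg = 'rg-vnet1'   # assumed resource group of VNet1

# 1. Read the DC's private IP from its first NIC (the value shown under Networking).
$vm   = Get-AzVM -ResourceGroupName $dcRg -Name $dcVm
$nic  = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$ipCfg = $nic.IpConfigurations[0]
$dcIp  = $ipCfg.PrivateIpAddress
if ($ipCfg.PrivateIpAllocationMethod -ne 'Static') {
    Write-Warning "DC private IP $dcIp is $($ipCfg.PrivateIpAllocationMethod); make it static so the VNet DNS entry cannot go stale."
}

# 2. Point VNet1 at the DC first, with Google DNS as the fallback the post adds.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name 'VNet1'
if (-not $vnet.DhcpOptions) {
    # VNets that still use Azure-provided DNS have no DhcpOptions object yet.
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($dcIp, '8.8.8.8')
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Read the setting back. VMs already running in VNet1 must be restarted
#    before they pick up the new DNS servers.
(Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name 'VNet1').DhcpOptions.DnsServers
```

From a VM inside VNet1, `Resolve-DnsName -Name _ldap._tcp.dc._msdcs.contoso.com -Type SRV` confirms the DC can be located, which is exactly the lookup the session hosts perform when they join the domain.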

Setup WVD Host Pool

  • Search for Windows Virtual Desktop in the search field in Azure Portal.
  • Click on Create a host pool.
  • For the Basics tab, enter the host pool details, e.g. Subscription, Resource group, Host pool name and Location. Leave Validation environment as No. Note: at the time of writing, the host pool location is only available in the US.
  • For this tutorial, I’ve selected Pooled for Host pool type, a Max session limit of 2 and Breadth-first for Load balancing algorithm.
  • Click Next: Virtual Machines at the bottom or Virtual Machines tab at the top.
  • Select Yes for Add virtual machines option.
  • Enter the VM details, e.g. Resource group, Virtual machine location, Virtual machine size, Number of VMs, Name prefix, Image type, Image and OS disk type. Note: you can select a different resource group and region for the VMs than for the host pool, which is useful because it lets you deploy the VMs nearer to the users.
  • Enter the Network and Security details, e.g. Virtual network, Subnet, Public IP (No is recommended), Network security group, Public inbound ports and Specify domain or unit.
  • For Administrator account, enter joindomain@contoso.com and the password set for it on the AD DC server.
  • Click Next: Workspace at the bottom or Workspace tab at the top.
  • Select Yes for Register desktop app group and click Create new for To this workspace to create a new workspace.
  • You can create Tags if you want to.
  • Click Review + create at the bottom to validate the settings, and once validation has passed click Create at the bottom to create the host pool. Wait for it to complete.

Assign users to WVD Applications Group

  • Create another new AD user, e.g. wvdpocuser@contoso.com, on the AD DC VM and ensure the user is synced to Azure AD. Validate it by clicking the Azure Active Directory blade in the left menu of the Azure Portal.
  • Click Users blade.
  • Click Add filters to filter users by Directory synced.
  • Ensure that the wvdpocuser and joindomain users are listed.
  • Search for Windows Virtual Desktop in the search field in Azure Portal.
  • Select Application groups.
  • Click the application group resource shown. If there is none, create a new application group.
  • Click on Assignments to assign a user to use WVD.
  • Click Add to add a new user.
  • Search for the user you want to add, i.e. wvdpocuser.
  • Click Select to add.
  • You’ve successfully added a new user who can use WVD.
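The host pool, desktop application group and workspace from the Setup WVD Host Pool section, together with the user assignment from this section, map onto a handful of Az.DesktopVirtualization cmdlets. This is an added example, not part of the original post; resource group, location and resource names are assumptions, the host pool settings (Pooled, max 2 sessions, Breadth-first) are the tutorial’s, and the session host VMs are still added through the portal wizard, which generates their registration token.

```powershell
# Added example: host pool, application group, workspace and user assignment
# with the Az.DesktopVirtualization module instead of the portal wizard.
Connect-AzAccount | Out-Null
$rg  = 'rg-wvd'   # assumed resource group
$loc = 'eastus'   # host pool metadata is US-only at the time of writing

# Host pool with the tutorial's choices; Validation environment defaults to No.
$pool = New-AzWvdHostPool -ResourceGroupName $rg -Name 'hp-wvd-poc' -Location $loc `
    -HostPoolType 'Pooled' -LoadBalancerType 'BreadthFirst' -MaxSessionLimit 2 `
    -PreferredAppGroupType 'Desktop'

# Desktop application group registered to the pool (the "Register desktop app group" step).
$appGroup = New-AzWvdApplicationGroup -ResourceGroupName $rg -Name 'hp-wvd-poc-DAG' -Location $loc `
    -ApplicationGroupType 'Desktop' -HostPoolArmPath $pool.Id

# New workspace that publishes the application group to users.
New-AzWvdWorkspace -ResourceGroupName $rg -Name 'ws-wvd-poc' -Location $loc `
    -ApplicationGroupReference $appGroup.Id | Out-Null

# "Assignments > Add" in the portal is a role assignment of Desktop Virtualization
# User scoped to this application group only, not to the resource group or
# subscription, so the user gets the desktop and nothing else.
New-AzRoleAssignment -SignInName 'wvdpocuser@contoso.com' `
    -RoleDefinitionName 'Desktop Virtualization User' `
    -ResourceName $appGroup.Name -ResourceGroupName $rg `
    -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups' | Out-Null

# Verify that only the intended users hold the role on this application group.
Get-AzRoleAssignment -Scope $appGroup.Id -RoleDefinitionName 'Desktop Virtualization User' |
    Select-Object SignInName, DisplayName, ObjectType
```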

Testing It

To test it quickly, you can use the following approaches.

Remote Desktop client

Web client

  • Once logged in, you should be able to see the Application Group.
  • Click it to launch.
  • The system will prompt for permissions to access local resources. Click Allow to proceed, and it will connect and launch the virtual desktop.
  • In the next window, enter the same credentials (without the domain) as in Step 2 and click Submit.
  • If everything goes well, you should see the Windows 10 desktop.
  • You can go to the Session hosts blade to check which session host the session was started on.
