Enrolling Windows Server 2016 Instances In Azure AD Domain Services - Part Two

Posted on Fri 02 December 2016 in Azure • 2 min read

So when we kicked it off in the previous part I was ranting on about how we got to this point. It might be a snooze fest, but it gives you some background. You can find part one

... And now we continue

To kick it off, we started up three VMs and joined them to our superawesome.onmicrosoft.com directory (not the real one).

Did I remember to tell you that all the different domains are in the same directory in Azure AD?

Then we added the following server roles to them:

  • A Remote Desktop Gateway with a Web Gateway
  • A Remote Desktop Session Host
  • A Remote Desktop Connection Broker with Licensing role

After setting up the roles on the instances it was time to check out how we would do our access policies and group access to the published applications. It became apparent that this was a no-brainer, because there wasn't any difference between an Azure AD Domain Services-joined server and an on-prem-joined server with regard to authentication on RDS.

However...

When we tried to give access to some users we found that they couldn't get access, even though they were already in the correct groups and had sufficient privileges. At first this was quite baffling, and there was no obvious reason why they were denied access.

After some hard-core documentation reading and fine-print scanning, the super simple solution revealed itself as "change the password". All users that were created before the activation of Azure AD Domain Services have to reset their password so that their password hash is regenerated. This was also clearly stated on the settings page where we enabled DS, but it somehow eluded us.
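As an added example (not from the original post), this Microsoft Graph PowerShell script lists the users whose last password change predates the date Domain Services was enabled, and can optionally flag them to set a new password at next sign-in; the enablement date is a placeholder you replace with your own.

```powershell
# Added example, not from the original post.
# Lists users whose password was last changed before Azure AD Domain Services was
# enabled (they have no usable hash in the managed domain until they reset it),
# and optionally forces a password change at next sign-in.
# Requires the Microsoft.Graph.Users module; the enablement date is a placeholder.

param(
    [datetime]$DomainServicesEnabledOn = '2016-11-01',   # placeholder: your own enablement date
    [switch]$ForceChangeAtNextSignIn
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# lastPasswordChangeDateTime is only returned when requested explicitly,
# and it is not filterable server-side, so the comparison is done locally.
$users = Get-MgUser -All -Property 'id,displayName,userPrincipalName,lastPasswordChangeDateTime,accountEnabled'

$stale = $users | Where-Object {
    $_.AccountEnabled -and
    $_.LastPasswordChangeDateTime -and
    $_.LastPasswordChangeDateTime -lt $DomainServicesEnabledOn
}

# Report first, so the list can be reviewed before anyone is flagged.
$stale | Select-Object DisplayName, UserPrincipalName, LastPasswordChangeDateTime |
    Sort-Object LastPasswordChangeDateTime | Format-Table -AutoSize

if ($ForceChangeAtNextSignIn) {
    foreach ($u in $stale) {
        # The user must choose a new password at next sign-in; that change is
        # what generates the hash Domain Services can authenticate against.
        Update-MgUser -UserId $u.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
        Write-Host "Flagged $($u.UserPrincipalName) for password change at next sign-in"
    }
}
```

This only covers cloud-managed passwords; accounts synced from an on-prem AD have to change their password on-prem so the new hash flows through sync.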

It's also important to remember that if you have to add external users (not in the customer's directory), you need to give them a someuser@contoso.onmicrosoft.com account before you add their actual User Principal Name (john@doe.com). This is because there isn't any credential sharing between Azure AD and a would-be on-prem directory.