Nerdio Help Center

I want to manage on-prem Active Directory users with Nerdio

Most organizations have an IT environment in place before migrating to Nerdio. This IT environment typically includes an Active Directory (AD). Hybrid AD is an advanced Nerdio feature that allows an existing Active Directory to be connected to and managed by the Nerdio Admin Portal. Hybrid AD is typically used when an organization wants to retain its existing Active Directory deployment and has no plans to create a fresh AD instance in the cloud. Hybrid AD allows the existing AD to be extended into the Nerdio deployment to leverage Nerdio capabilities within the existing AD.


Background

Nerdio is always provisioned with a brand new Active Directory forest, fully configured and optimized for a cloud IT deployment. The name of the Nerdio AD is nerdio.int. Users can be added to Nerdio AD one at a time via the Users module, or in bulk using the Bulk User upload tool. During the on-boarding process, an on-boarding engineer will typically export users from the existing AD using the AD Export feature and then import them into Nerdio AD using the Bulk Users upload tool.

In some scenarios it is not desirable to re-create users in a new AD domain, for example when the existing users are already being synchronized with Azure AD using Microsoft's Azure AD Connect (AADConnect) tool. In other cases, especially in larger organizations, it is not possible to simply lift-and-shift the entire organization to a new IT environment and a corresponding new Active Directory. This is where Hybrid AD comes in. Hybrid AD makes the Nerdio Admin Portal (NAP) aware of an existing AD domain and allows all Nerdio functionality to be applied to existing AD objects without the need to re-create them in nerdio.int.

When Hybrid AD is in use, new objects can still be created in the nerdio.int domain but the default destination for all new objects (users, groups, desktops, servers, etc.) is the external AD.

This article uses various terms. See below for a key of what each term means.

Term               Definition
Nerdio AD (NAD)    Active Directory in the Nerdio domain nerdio.int.
External AD (EAD)  Active Directory in the existing domain. It is referred to as "external" because it is outside of Nerdio; also referred to as on-prem AD or existing AD.

Setting up Hybrid AD

There are four steps to setting up Hybrid AD.

Step I – VPN tunnel setup

First, create a VPN connection between Nerdio and the on-prem (external) IT environment.

  1. From the main menu on the left side, click Network - VPN connections.
  2. Scroll to the "VPN connections" section and click the "Add VPN connection" button.
  3. Enter the required information and click "Save".
  4. A pop-up with the VPN settings is displayed. Use the information shown to configure the matching entries on the firewall of the on-prem environment.
  5. Once the tunnel is established, the status of the VPN connection changes to "Connected".

Step II – Domain trust setup

Next, create a domain trust between Nerdio and the external domain.

  1. From the main menu on the left side, click Onboard - Domains.
  2. Scroll down to the "Active Directory Domain Trust" section and click the "Add domain trust" button.
  3. On the "Add Domain Trust" screen, first enter the information about the on-prem domain controller, and then click "Test connection".
    Note: if NAP is unable to connect to the domain controller, an error message is displayed.
  4. If NAP is able to connect to the domain controller, continue filling out the rest of the fields on the screen.
  5. Click Save.

Setting up a domain trust in NAP automatically creates a new VM in the Nerdio Azure resource group, promotes it to a global catalog domain controller of the trusted domain and creates a bi-directional trust between nerdio.int and the external Active Directory (EAD) domain. Note: be sure that a site-to-site VPN tunnel is set up between Nerdio and the EAD environment prior to setting up a domain trust.

The following steps are performed by the Nerdio automation engine during the domain trust setup process:

  1. Validates prerequisites
    • Site-to-site VPN tunnel is up and EAD DC is reachable
    • AD functional level is 2008 or higher
    • EAD DNS server is reachable
    • Provided credentials have full access to DC and DNS server
  2. Creates a new VM in Azure to be used as a domain controller. The default name is EAD-DC01, but it can be overridden on the Add Domain Trust screen.
  3. Creates a new empty OU in EAD called "Users and Groups".
  4. Creates a new administrator account in EAD called NerdioAdministrator and places the user object in "Users and Groups" OU. This user is a member of Domain Admins, Schema Admins and Enterprise Admins security groups in EAD.
  5. Adds conditional forwarder zone for nerdio.int on the EAD DNS server.
  6. Adds a conditional forwarder zone for EAD on DC01 (the Nerdio domain controller).
  7. Joins EAD-DC01 to EAD domain.
  8. Installs Domain Controller and DNS roles on EAD-DC01.
  9. Creates AD replication subnet and site called Nerdio in EAD then adds the newly promoted EAD-DC01 to this new site.
  10. Creates a two-way domain trust between nerdio.int and EAD.

At this stage the domain trust allows AD resources from EAD to be seen in Nerdio and nerdio.int resources to be usable in EAD. These resources are visible only in native Active Directory tools, not in NAP. For instance, a nerdio.int user can be given access to a file share in EAD, or an EAD user can be given access to a file share on FS01 in Nerdio.

The system can be used in this state if all that’s needed is a way to grant access to certain resources in one AD to users that are part of the other AD. EAD objects will not appear in NAP and desktops cannot be assigned to users in EAD.

Step III – Managed domain setup

Next, set the trusted domain as "NAP Managed".

  1. From the main menu on the left side, click Onboard - Domains.
  2. Scroll down to the "Active Directory Domain Trust" section and locate the domain you want to manage.
  3. Click the "Set as managed" button and confirm the action you are taking.

Setting the trusted AD domain as “NAP MANAGED” allows its objects to be visible and fully manageable in NAP. Desktops can be assigned to EAD users only when the trusted domain is “NAP MANAGED”.

The following steps are performed by the Nerdio automation engine during the "Set as NAP Managed" process:

  1. Validates prerequisites
    • Specified Azure ADConnect server is reachable and AADConnect PowerShell commands are available.
    • If Azure ADConnect is not currently used within the EAD environment it should be installed on the newly created EAD-DC01 in Nerdio prior to setting the domain as “NAP MANAGED”.
  2. Adds DC01 (10.125.1.10) as conditional DNS forwarder on EAD-DC01 for nerdio.int DNS zone.
  3. Adds EAD-DC01 as conditional DNS forwarder on DC01 for EAD DNS zone.
  4. Adds the EAD\NerdioAdministrator user and the Nerdio Domain Admins group to the Builtin Administrators group in EAD.
  5. Adds DC01 to Builtin Terminal Server License Servers EAD group. This allows desktops that are members of the EAD domain to use DC01 Nerdio server as the RDS Licensing server.
  6. In nerdio.int, removes UPN suffixes that already exist in EAD.
  7. Enables EAD suffixes for UPN routing on DC01. This allows for the ADFS infrastructure in Nerdio to be used for authenticating EAD users, if needed in the future.
  8. Creates an organized sub-OU structure under “Users and Groups” OU in EAD.
  9. Links optimized GPOs from nerdio.int to the “Users and Groups” OU in EAD.
  10. Creates “IT Department Group” in EAD under “Users and Groups\Security Groups” OU. This security group will have local administrator rights on desktop and server resources created in Nerdio.
  11. Adds RDGW01 to RAS and IAS Servers group in EAD. This allows RDS Gateway in Nerdio to control connections to desktops that are going to be created in EAD.
  12. Creates “Nerdio RDS Users Group” and “Nerdio VDI Users Group” groups in EAD under “Users and Groups\Security Groups” OU. Members of these groups will have access to RDS resources.
  13. Adds “Nerdio RDS Users Group” and “Nerdio VDI Users Group” groups to RDG_CAP_AllUsers policy of RDGW01.

At this stage the trusted EAD domain is fully integrated with Nerdio. All operations performed by NAP are done inside the newly created "Users and Groups" OU. This OU is mostly empty at this point; however, as resources (e.g. servers, desktops, users) are added or imported (see Step IV below), it will start to be populated and these objects will be visible in NAP. An "Active Directory" indicator is now shown on most objects in NAP, such as groups, users, servers and desktops; it reads either "nerdio.int" or the EAD name, depending on where the object resides. When adding a new user or server you will see an option to select the destination Active Directory. By default EAD is selected, but you can change it to nerdio.int when appropriate.
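A post-setup check covering the outcomes of Step II and Step III above. This is an added example, not Nerdio's own tooling; it assumes it runs on an EAD domain controller with the ActiveDirectory and DnsServer PowerShell modules, and that the default object names from the steps (EAD-DC01, "Users and Groups", NerdioAdministrator, the three security groups) were kept.

```powershell
# Added post-setup check (not Nerdio's own code). Run on an EAD domain controller
# with the ActiveDirectory and DnsServer modules. Names are the article's defaults;
# change $NewDc if the DC name was overridden on the Add Domain Trust screen.
Import-Module ActiveDirectory, DnsServer

$NerdioDomain = 'nerdio.int'
$NewDc        = 'EAD-DC01'
$DomainDn     = (Get-ADDomain).DistinguishedName
$UgOu         = "OU=Users and Groups,$DomainDn"
$findings     = [System.Collections.Generic.List[string]]::new()

# Step II: two-way trust, conditional forwarder for nerdio.int, new GC DC in site "Nerdio"
$trust = Get-ADTrust -Filter "Name -eq '$NerdioDomain'"
if (-not $trust) { $findings.Add("no trust with $NerdioDomain") }
elseif ($trust.Direction -ne 'BiDirectional') { $findings.Add("trust is $($trust.Direction), not two-way") }

$zone = Get-DnsServerZone -Name $NerdioDomain -ErrorAction SilentlyContinue
if (-not $zone -or $zone.ZoneType -ne 'Forwarder') { $findings.Add("no conditional forwarder for $NerdioDomain") }

$dc = Get-ADDomainController -Identity $NewDc -ErrorAction SilentlyContinue
if (-not $dc) { $findings.Add("$NewDc is not a domain controller") }
elseif ($dc.Site -ne 'Nerdio' -or -not $dc.IsGlobalCatalog) { $findings.Add("$NewDc is in site $($dc.Site), GC=$($dc.IsGlobalCatalog)") }

# Steps II and III: NerdioAdministrator sits in "Users and Groups" and holds exactly the
# privileged memberships the article lists; any extra membership deserves a closer look
$expected = 'Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Administrators'
$admin = Get-ADUser -Identity 'NerdioAdministrator' -Properties MemberOf -ErrorAction SilentlyContinue
if (-not $admin) { $findings.Add('NerdioAdministrator not found') }
else {
    if ($admin.DistinguishedName -notlike "*,$UgOu") { $findings.Add("NerdioAdministrator is outside $UgOu") }
    $actual = @($admin.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    foreach ($g in $expected) { if ($g -notin $actual) { $findings.Add("NerdioAdministrator missing from $g") } }
    foreach ($g in $actual) { if ($g -notin $expected) { $findings.Add("NerdioAdministrator unexpectedly in $g") } }
}

# Step III: the security groups NAP creates under "Users and Groups\Security Groups"
$sgOu = "OU=Security Groups,$UgOu"
foreach ($name in 'IT Department Group', 'Nerdio RDS Users Group', 'Nerdio VDI Users Group') {
    try { $grp = Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $sgOu } catch { $grp = $null }
    if (-not $grp) { $findings.Add("group '$name' not found under $sgOu") }
}

if ($findings.Count -eq 0) { 'All Hybrid AD checks passed' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Because NerdioAdministrator holds Domain, Schema and Enterprise Admin rights in EAD, the membership comparison is worth re-running periodically, not just once after setup.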

Step IV – User import

Lastly, decide which users from the external AD you want to manage in NAP and import them into Nerdio.

  1. From the main menu on the left side, click Onboard - Domains.
  2. Scroll down to the "Active Directory Domain Trust" section, locate the one domain listed and click the "Import users" button.
  3. On the "Import users" screen, select one or more users you want to import. You can Ctrl+click or Shift+click to select multiple users.
  4. Click the "Import" button and confirm the action you are taking.

After creating the domain trust and setting the EAD as "NAP MANAGED" the existing EAD users have not been touched. To make them visible in NAP they must be "imported" to Nerdio. The import process simply moves the User object from its current location in EAD to the newly created "Users and Groups\Active Users" OU. Once the user object has been moved it becomes visible in NAP and is a fully functional Nerdio user. Desktops can now be assigned to EAD users.

IMPORTANT: Consider the implications of the GPOs that apply to the source OU from which the user objects are moved; GPOs linked to the source OU stop applying once the object leaves it. Link the needed GPOs, or create new GPOs, at the new user location.
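A way to see, before running the import, which GPOs each selected user would stop or start receiving when its object moves to "Users and Groups\Active Users". This is an added example, not part of the original article or the Nerdio import tool; it assumes an EAD domain controller with the ActiveDirectory and GroupPolicy modules, and $UsersToImport is a placeholder list of sAMAccountNames.

```powershell
# Added pre-import check (not Nerdio's own code). Run on an EAD domain controller
# with the ActiveDirectory and GroupPolicy modules; $UsersToImport is a placeholder
# list of the sAMAccountNames you intend to select on the "Import users" screen.
Import-Module ActiveDirectory, GroupPolicy

$UsersToImport = 'jdoe', 'asmith'   # placeholder sample accounts
$DomainDn = (Get-ADDomain).DistinguishedName
$TargetOu = "OU=Active Users,OU=Users and Groups,$DomainDn"

# Enabled GPO links that apply to an OU, including links inherited from its parents
function Get-AppliedGpoNames([string]$OuDn) {
    @((Get-GPInheritance -Target $OuDn).InheritedGpoLinks |
        Where-Object { $_.Enabled } |
        ForEach-Object { $_.DisplayName })
}

$targetGpos = Get-AppliedGpoNames $TargetOu

foreach ($sam in $UsersToImport) {
    $user = Get-ADUser -Identity $sam
    # Parent container = DN with the leading "CN=<name>," removed (escaped commas kept)
    $sourceOu = $user.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
    # GPOs cannot be linked to CN= containers such as CN=Users; objects there only
    # receive domain-level links, so evaluate inheritance at the domain root instead
    if ($sourceOu -notmatch '^OU=') { $sourceOu = $DomainDn }
    $sourceGpos = Get-AppliedGpoNames $sourceOu
    $lost   = @($sourceGpos | Where-Object { $_ -notin $targetGpos })
    $gained = @($targetGpos | Where-Object { $_ -notin $sourceGpos })
    "$sam`: $sourceOu -> $TargetOu"
    if ($lost)   { "  GPOs that stop applying after import: $($lost -join ', ')" }
    if ($gained) { "  GPOs that start applying after import: $($gained -join ', ')" }
    if (-not $lost -and -not $gained) { "  no change in applied GPOs" }
}
```

Site-linked GPOs and security filtering are not evaluated here, so treat the output as a link-level comparison and confirm with gpresult on a test account after the move.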


Removing domain trust or NAP management after it has been configured

At this time NAP does not have the ability to remove a domain trust or NAP management of an external AD. This must be done manually. Please consider the implications of implementing Hybrid AD carefully.
