Most organizations have an IT environment in place before migrating to Nerdio. This IT environment typically includes an Active Directory (AD). Hybrid AD is an advanced Nerdio feature that allows an existing Active Directory to be connected to and managed by the Nerdio Admin Portal. Hybrid AD is typically used when an organization wants to retain its existing Active Directory deployment and has no plans to create a fresh AD instance in the cloud. Hybrid AD allows the existing AD to be extended into the Nerdio deployment to leverage Nerdio capabilities within the existing AD.
Background
Nerdio is always provisioned with a brand new Active Directory forest, fully configured and optimized for a cloud IT deployment. By default, the name of the Nerdio Cloud AD is nerdio.int, but it can be changed to a name of your choosing during provisioning. Users can be added to Nerdio AD one at a time via the Users module, or in bulk using the Bulk User upload tool. During the on-boarding process, an on-boarding engineer will typically export users from the existing AD using the AD Export feature and then import them into Nerdio AD using the Bulk Users upload tool.
In some scenarios it is not desirable to re-create users in a new AD domain, such as when the existing users are already being synchronized with Azure AD using Microsoft's Azure AD Connect (AADConnect) tool. In other cases, especially in larger organizations, it is not possible to simply lift-and-shift the entire organization to a new IT environment and a corresponding new Active Directory. This is where Hybrid AD comes in. Hybrid AD functionality makes the Nerdio Admin Portal aware of an existing AD domain and allows all Nerdio functionality to be applied to existing AD objects without the need to re-create them in the Nerdio Cloud AD.
When Hybrid AD is in use, new objects can still be created in the Nerdio Cloud AD domain but the default destination for all new objects (users, groups, desktops, servers, etc.) is the external AD.
This article uses various terms. See below for a key of what each term means.
| Term | Definition |
| --- | --- |
| Nerdio Cloud AD (NAD) | Active Directory in the Nerdio domain (default nerdio.int). |
| External AD (EAD) | Active Directory in the existing domain. It is referred to as "external" because it is outside of Nerdio. Also referred to as on-prem AD or existing AD. |
Preparing to set up Hybrid AD
There are a few key pieces of information and access you will need to have handy to set up Hybrid AD:
- Public IP address of your on-prem firewall and the local network subnet to establish a VPN connection between Nerdio and on-prem environment.
- Admin access to on-prem firewall to create the IPSec VPN tunnel.
- IP address of an on-prem domain controller and Domain Admins level user credentials. Note that Nerdio will need access to the FSMO roles master.
- Domain name of external AD.
- IP address of AD-integrated DNS server hosting your primary AD DNS zone (often the DC itself).
- Preferred name of new AD domain controller, or whether the default of EAD-DC01 is acceptable.
- IP address of the server running Azure ADConnect (often the DC itself). You can also install it on a new server in Nerdio.
- List of users from EAD you want to manage using NAP.
Setting up Hybrid AD
There are five steps to setting up Hybrid AD.
Step I – VPN tunnel setup
First, create a VPN connection between Azure and the on-prem (external) IT environment via NAP.
- From the main menu on the left side, click Network - VPN connections.
- Scroll to the "VPN connections" section and click the "Add VPN connection" button.
- Enter the required information and click "Save".
- You will now be shown a pop-up with the VPN settings. Use the displayed information to make the corresponding entries on the on-prem firewall.
- Once the VPN connection is established, its status will change to "Connected".
Step II – Domain trust setup
Next, create a domain trust between NAD and EAD.
- From the main menu on the left side, click Onboard - Domains.
- Scroll down to the "Active Directory Domain Trust" section and click the "Add domain trust" button.
- On the "Add Domain Trust" screen, first enter the information about the on-prem domain controller, and then click "Test connection".
Note: if NAP is unable to connect to the domain controller, you will see an error message like this:
- If NAP is able to connect to the domain controller, continue filling out the rest of the fields on the screen.
- Click Save.
Setting up a domain trust in NAP automatically creates a new VM in Nerdio Azure resource group, promotes it to a global catalog domain controller of the trusted domain and creates a bi-directional trust between the NAD and EAD domains. Note: be sure that a site-to-site VPN tunnel is set up between NAD and EAD environment prior to setting up a domain trust.
The following steps are performed by the Nerdio automation engine during the domain trust setup process:
- Validates prerequisites:
  - Site-to-site VPN tunnel is up and the EAD DC is reachable
  - AD functional level is 2008 or higher
  - EAD DNS server is reachable
  - Provided credentials have full access to the DC and DNS server
- Creates a new VM in Azure to be used as a domain controller. The default name is EAD-DC01, but it can be overridden on the Add Domain Trust screen.
- Creates a new empty OU in EAD called "Users and Groups".
- Creates a new administrator account in EAD called NerdioAdministrator and places the user object in the "Users and Groups" OU. This user is a member of the Domain Admins, Schema Admins and Enterprise Admins security groups in EAD.
- Adds a conditional forwarder zone for NAD on the EAD DNS server.
- Adds a conditional forwarder zone for EAD on DC01.
- Joins EAD-DC01 to the EAD domain.
- Installs the Domain Controller and DNS roles on EAD-DC01.
- Creates an AD replication subnet and site called Nerdio in EAD, then adds the newly promoted EAD-DC01 to this new site.
- Creates a two-way domain trust between NAD and EAD.
At this stage the domain trust allows AD resources from EAD to be used in NAD and NAD resources to be used in EAD. These resources are visible only in native Active Directory tools, not in NAP. For instance, a NAD user can be given access to a file share in EAD, or an EAD user can be given access to a file share on FS01 in NAD.
The system can be used in this state if all that's needed is a way to grant users from one AD access to certain resources in the other AD. EAD objects will not appear in NAP, and desktops cannot be assigned to users in EAD.
Step III – Managed domain setup
Next, set the trusted domain as "NAP Managed".
- From the main menu on the left side, click Onboard - Domains.
- Scroll down to the "Active Directory Domain Trust" section and locate the domain you want to manage.
- Click the "Set as managed" button.
- Indicate whether Azure AD Connect is already running on a server in EAD, or whether you want it to run on the new domain controller that was spun up when the domain trust was established (Step II above).
- Click the Confirm button to confirm the action you are taking.
Setting the trusted AD domain as "NAP MANAGED" allows its objects to be visible and fully manageable in NAP. Desktops can be assigned to EAD users only when the trusted domain is “NAP MANAGED”.
The following steps are performed by the Nerdio automation engine during the "Set as NAP Managed" process:
- Validates prerequisites:
  - The specified Azure AD Connect server is reachable and the AADConnect PowerShell commands are available.
  - If Azure AD Connect is not currently used within the EAD environment, it should be installed on the newly created EAD-DC01 in Nerdio prior to setting the domain as "NAP MANAGED".
- Adds DC01 (10.125.1.10) as a conditional DNS forwarder on EAD-DC01 for the NAD DNS zone.
- Adds EAD-DC01 as a conditional DNS forwarder on DC01 for the EAD DNS zone.
- Adds the EAD\NerdioAdministrator user and the Nerdio Domain Admins group to the Builtin Administrators group in EAD.
- Adds DC01 to the Builtin Terminal Server License Servers group in EAD. This allows desktops that are members of the EAD domain to use the DC01 Nerdio server as the RDS Licensing server.
- In NAD, removes UPN suffixes that already exist in EAD.
- Enables EAD suffixes for UPN routing on DC01. This allows the ADFS infrastructure in Nerdio to be used for authenticating EAD users, if needed in the future.
- Creates an organized sub-OU structure under the "Users and Groups" OU in EAD.
- Links optimized GPOs from NAD to the "Users and Groups" OU in EAD.
- Creates "IT Department Group" in EAD under the "Users and Groups\Security Groups" OU. This security group has local administrator rights on desktop and server resources created in Nerdio.
- Adds RDGW01 to the RAS and IAS Servers group in EAD. This allows the RDS Gateway in Nerdio to control connections to desktops that will be created in EAD.
- Creates the "Nerdio RDS Users Group" and "Nerdio VDI Users Group" groups in EAD under the "Users and Groups\Security Groups" OU. Members of these groups have access to RDS resources.
- Adds the "Nerdio RDS Users Group" and "Nerdio VDI Users Group" groups to the RDG_CAP_AllUsers policy of RDGW01.
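Because NAP cannot undo these changes (see the last section), it is worth confirming what Steps II and III actually left behind in EAD before importing users. The script below is an added verification example, not Nerdio's own code; it runs on an EAD domain controller with the ActiveDirectory and DnsServer RSAT modules, and `ead.example` and `NERDIO` are placeholders for your external domain and the NetBIOS name of the NAD domain (EAD is assumed to be its forest root, since Schema Admins and Enterprise Admins exist only there).

```powershell
# Added example (not Nerdio's code): verify the EAD state that Steps II and III should leave behind.
# Run on an EAD domain controller with the ActiveDirectory and DnsServer RSAT modules.
# 'ead.example' and 'NERDIO' are placeholders; the other names and 10.125.1.10 come from the article.
Import-Module ActiveDirectory, DnsServer
$Nad    = 'nerdio.int'      # Nerdio Cloud AD (article default)
$NadNb  = 'NERDIO'          # placeholder: NetBIOS name of the NAD domain
$Ead    = 'ead.example'     # placeholder: your external AD domain (assumed to be the forest root)
$EadDc  = 'EAD-DC01'        # DC created during domain trust setup
$Dc01Ip = '10.125.1.10'     # DC01 address given in the article
$EadDn  = (Get-ADDomain -Identity $Ead).DistinguishedName
$EadNb  = (Get-ADDomain -Identity $Ead).NetBIOSName
$OuDn   = "OU=Users and Groups,$EadDn"
$SgOuDn = "OU=Security Groups,$OuDn"
# True when $Member (DOMAIN\name) is a direct member of the EAD group $Group. Matching is done on
# SIDs so that foreign security principals from the trusted NAD domain are recognised as well.
function Test-Member([string]$Group, [string]$Member) {
    try { $sid = ([System.Security.Principal.NTAccount]$Member).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $false }
    $grp = Get-ADGroup -Filter "Name -eq '$Group'" -Server $Ead -Properties Member
    if (-not $grp) { return $false }
    foreach ($dn in @($grp.Member)) {
        $obj = Get-ADObject -Identity $dn -Server $Ead -Properties objectSid -ErrorAction SilentlyContinue
        if ($obj -and $obj.objectSid.Value -eq $sid) { return $true }
    }
    return $false
}
$Checks = [ordered]@{}
# Step II: two-way trust to NAD, EAD-DC01 placed in the Nerdio replication site, NAD forwarder -> DC01
$trust = Get-ADTrust -Filter "Name -eq '$Nad'" -Server $Ead
$Checks['Two-way trust to NAD']    = ($null -ne $trust -and $trust.Direction -eq 'BiDirectional')
$dc = Get-ADDomainController -Filter "Name -eq '$EadDc'" -Server $Ead
$Checks['EAD-DC01 in Nerdio site'] = ($null -ne $dc -and $dc.Site -eq 'Nerdio')
$fwd = Get-DnsServerZone -ComputerName $EadDc -Name $Nad -ErrorAction SilentlyContinue
$Checks['NAD forwarder to DC01']   = ($null -ne $fwd -and $fwd.ZoneType -eq 'Forwarder' -and
    (@($fwd.MasterServers | ForEach-Object { $_.IPAddressToString }) -contains $Dc01Ip))
# Step II: the OU exists and NerdioAdministrator sits in it with the admin memberships the article lists
$Checks['Users and Groups OU'] = [bool](Get-ADOrganizationalUnit -LDAPFilter '(ou=Users and Groups)' -SearchBase $EadDn -SearchScope OneLevel -Server $Ead)
$admin = Get-ADUser -Filter "SamAccountName -eq 'NerdioAdministrator'" -Server $Ead
$Checks['NerdioAdministrator in OU'] = ($null -ne $admin -and $admin.DistinguishedName -like "*,$OuDn")
foreach ($g in 'Domain Admins', 'Schema Admins', 'Enterprise Admins', 'Administrators') {
    $Checks["NerdioAdministrator in $g"] = Test-Member $g "$EadNb\NerdioAdministrator"
}
# Step III: NAD principals added to EAD groups, and the RDS/IT groups under the Security Groups OU
$Checks['Nerdio Domain Admins in Administrators']  = Test-Member 'Administrators' "$NadNb\Nerdio Domain Admins"
$Checks['DC01 in Terminal Server License Servers'] = Test-Member 'Terminal Server License Servers' "$NadNb\DC01$"
$Checks['RDGW01 in RAS and IAS Servers']           = Test-Member 'RAS and IAS Servers' "$NadNb\RDGW01$"
foreach ($g in 'IT Department Group', 'Nerdio RDS Users Group', 'Nerdio VDI Users Group') {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -Server $Ead
    $Checks["$g under Security Groups OU"] = ($null -ne $grp -and $grp.DistinguishedName -like "*,$SgOuDn")
}
$Checks.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' }) }
```

Anything reported as MISSING should be resolved before importing users in Step V; the NerdioAdministrator and Nerdio Domain Admins rows also double as an audit of which highly privileged EAD memberships the setup has granted.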
Step IV – Add OU to ADConnect sync list
Depending on your ADConnect settings, the newly created OU may not be included in the Azure AD Connect synchronization. If it is configured to sync the entire AD forest, then newly added OUs will be included in the scope. If it is set to sync only selected OUs, follow the steps below to add the new OU to the list.
- Log in to the server running Azure AD Connect with an administrator account.
- In the Start menu, find "Synchronization Service" and run it as administrator.
- Click the Connectors button at the top.
- Edit the properties of the connector.
- On the "Configured Directory Partitions" menu, click the Containers button. You can use the same administrator credentials on the Login screen.
- Check the "Users and Groups" OU and click OK, then OK again.
The next time synchronization runs, all user and group objects under the "Users and Groups" OU will be synchronized with Office 365.
At this stage the trusted EAD domain is fully integrated with Nerdio. All operations performed by NAP are done inside the newly created "Users and Groups" OU. This OU is mostly empty at this point. However, as resources (e.g. servers, desktops, users) are added or imported (see Step V below), this OU will start getting populated and these objects will be visible in NAP. An "Active Directory" indicator has now been added to most objects in NAP such as groups, users, servers and desktops. The Active Directory can be either NAD or EAD, depending on where a particular object resides. When adding a new user or server you will see the option to select the destination Active Directory. By default, EAD is selected, but you can change it to NAD when appropriate.
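A quick way to confirm the outcome of Step IV without clicking through the Synchronization Service UI is to read the connector's container scope directly. This is an added example, not Nerdio's code; it runs on the Azure AD Connect server and assumes the ADSync module's `Get-ADSyncConnector` output exposes `Partitions[].ConnectorPartitionScope` with `ContainerInclusionList` and `ContainerExclusionList` as DN strings (the connector is assumed to be named after the EAD domain, and `ead.example` is a placeholder).

```powershell
# Added example (not Nerdio's code): is the "Users and Groups" OU inside the Azure AD Connect sync scope?
# Run on the Azure AD Connect server. Assumes the ADSync connector object exposes
# Partitions[].ConnectorPartitionScope.ContainerInclusionList / ContainerExclusionList (DN strings).
Import-Module ADSync
$Ead  = 'ead.example'                                   # placeholder: your external AD domain
$EadDn = 'DC=' + ($Ead -replace '\.', ',DC=')           # ead.example -> DC=ead,DC=example
$OuDn = "OU=Users and Groups,$EadDn"                    # OU created by the domain trust setup

# True when $Dn or one of its ancestors is in the inclusion list and neither $Dn nor an
# ancestor is in the exclusion list; this mirrors how the Containers dialog's check boxes apply.
function Test-InSyncScope([string]$Dn, [string]$ConnectorName) {
    $scope    = (Get-ADSyncConnector -Name $ConnectorName).Partitions | ForEach-Object { $_.ConnectorPartitionScope }
    $included = @($scope | ForEach-Object { $_.ContainerInclusionList })
    $excluded = @($scope | ForEach-Object { $_.ContainerExclusionList })
    $covers   = { param($list) @($list | Where-Object { $Dn -eq $_ -or $Dn -like "*,$_" }).Count -gt 0 }
    return ((& $covers $included) -and -not (& $covers $excluded))
}

if (Test-InSyncScope -Dn $OuDn -ConnectorName $Ead) { "$OuDn is in the sync scope" }
else { "$OuDn is NOT in the sync scope; add it via Connectors > Properties > Configure Directory Partitions > Containers" }
```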
Step V – User import
Lastly, decide which users from the external AD you want to manage in NAP and import them into Nerdio.
- From the main menu on the left side, click Onboard - Domains.
- Scroll down to the "Active Directory Domain Trust" section, locate the one domain listed and click the "Import users" button.
- On the "Import users" screen, select one or more users you want to import. You can Ctrl+click or Shift+click to select multiple users.
- Click the "Import" button and confirm the action you are taking.
After creating the domain trust and setting the EAD as "NAP MANAGED", the existing EAD users have not been touched. To make them visible in NAP they must be "imported" into Nerdio. The import process simply moves the user object from its current location in EAD to the newly created "Users and Groups\Active Users" OU. Once the user object has been moved it becomes visible in NAP and is a fully functional Nerdio user. Desktops can now be assigned to EAD users.
IMPORTANT: Consider the implications of the GPOs that apply to the source OU from which the user objects are moved. Link the needed GPOs, or create new ones, at the new user location.
Post-setup action items
A few items to consider once you have completed the setup:
- You will notice that an "Active Directory" field has been added to most modules in NAP (for example Users, Groups, Servers, etc.). This indicates which AD the object resides in: NAD or EAD.
- All objects that existed in NAP before Hybrid AD was set up reside in NAD (e.g. the RDSH01 server, the AITAdmin user, etc.). Objects cannot be moved from one AD to the other.
- When you create new objects (e.g. adding a new server), the object will be created in EAD by default. You can override the default and create the object in NAD.
- Any RDS session host server objects you may have provisioned in the past reside in NAD. As a result, when you assign RDS desktops to users from the EAD domain, there won't be an RDS server to assign them to. Clone RDSH01 (from the Servers module) and specify that it should be created in EAD. Once this is done, you'll be able to assign RDS desktops to EAD users.
Removing domain trust or NAP management after it has been configured
At this time NAP does not have the ability to remove a domain trust or NAP management of an external AD. This process must be done manually. Please consider the implications of implementing Hybrid AD carefully.
- It is a best practice to back up key resources before any major IT administration. We recommend you take backups (a snapshot or another appropriate form of backup) of your Active Directory server, your AD Connect server and your Active Directory itself (a system state backup on a DC).