Nerdio NFA QuickStart Guide


Applies to: Nerdio for Azure (NFA) Managed Service Partners (MSPs)


This quick start helps you understand basic terminologies used in setting up and using Nerdio for Azure (NFA) accounts: 


Quotas

Azure subscriptions have a core quota limit imposed by Microsoft (https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits). All Azure subscriptions have quotas by VM series. Ensure that your subscription has sufficient core quota to provision a new NFA account.  If it doesn’t, please request an increase from Microsoft or your CSP provider (https://docs.microsoft.com/en-us/azure/azure-supportability/resource-manager-core-quotas-request). You can find more information about core quotas while provisioning an NFA account:

[Image: CoresQuota.PNG]
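One way to do the quota check described above before provisioning, as an added example that is not part of the original article or of Nerdio's own tooling: it reads the JSON that `az vm list-usage -l <region> -o json` prints (the sample below is constructed in that shape, and the planned VM sizes, quota family names and core counts are assumptions) and reports how many cores must be requested per family.

```python
"""Pre-provisioning core quota check against `az vm list-usage` JSON output."""
import json
from collections import defaultdict

# Constructed sample in the shape `az vm list-usage -l <region> -o json` returns.
# Assumption: name.value is the quota family key; limit/currentValue are cores.
SAMPLE_USAGE_JSON = json.dumps([
    {"currentValue": 6, "limit": 10, "localName": "Total Regional vCPUs",
     "name": {"localizedValue": "Total Regional vCPUs", "value": "cores"}},
    {"currentValue": 6, "limit": 10, "localName": "Standard DSv3 Family vCPUs",
     "name": {"localizedValue": "Standard DSv3 Family vCPUs",
              "value": "standardDSv3Family"}},
    {"currentValue": 0, "limit": 0, "localName": "Standard BS Family vCPUs",
     "name": {"localizedValue": "Standard BS Family vCPUs",
              "value": "standardBSFamily"}},
])

# Hypothetical planned NFA deployment: (VM size, quota family, cores per VM, count).
# The size-to-family mapping is an assumption; confirm it for your region.
PLANNED_VMS = [
    ("Standard_D2s_v3", "standardDSv3Family", 2, 2),
    ("Standard_B2s", "standardBSFamily", 2, 1),
]


def core_shortfalls(usage_json, planned):
    """Return {family: cores_missing} for every quota the plan would exceed.

    The pseudo-family 'cores' is the regional total. An empty dict means the
    subscription can absorb the planned VMs without a quota increase.
    """
    quotas = {}
    for item in json.loads(usage_json):
        quotas[item["name"]["value"]] = item["limit"] - item["currentValue"]
    needed = defaultdict(int)
    for _size, family, cores, count in planned:
        needed[family] += cores * count
        needed["cores"] += cores * count  # every VM also counts toward the total
    shortfalls = {}
    for family, cores in needed.items():
        available = quotas.get(family, 0)  # unknown family: assume no quota
        if cores > available:
            shortfalls[family] = cores - available
    return shortfalls


if __name__ == "__main__":
    for family, missing in core_shortfalls(SAMPLE_USAGE_JSON, PLANNED_VMS).items():
        print(f"request +{missing} cores for {family} before provisioning")
```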


Global admins

Both Azure and Office 365 subscriptions require a user account with global admin privileges to integrate with Nerdio.  Additionally, for Azure, the account being used with Nerdio needs to be an owner in the subscription.  It is best, but not required, to use a user account that has @tenant.onmicrosoft.com as its domain. If such a user account doesn’t exist you can create one in the Azure portal, make it a global admin and assign it the Owner role on the Azure subscription (https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator).

During the provisioning process Nerdio will create two new system admin accounts:

  • NerdioAzureAdminXXXX@tenant.onmicrosoft.com
  • NerdioO365AdminXXXX@tenant.onmicrosoft.com

(where XXXX is the tenant ID)

These accounts must not have MFA enabled or you must add the NAP IP range as a trusted location.  See https://help.nerdio.net/hc/en-us/articles/360020261572-Can-I-enable-MFA-on-my-Azure-and-Office-365-user-accounts- for more information.

Nerdio Superhero Tip: Both Azure and Office 365 subscriptions require an account with global admin privileges to integrate with Nerdio.

A change or removal of global admin users that were part of Nerdio provisioning will impact the operation of the Nerdio Admin Portal (NAP).




Production vs non-production

Specifically for trials and proof of concept environments we strongly recommend procuring an Office 365 trial subscription.  These subscriptions are free for 30 days and typically include the appropriate licensing to have the best and most secure POC or trial experience.  Additionally, we highly recommend being a signed partner before moving a prospect or client into a production environment with Nerdio.  The resources that are available to our partners provide exceptional value to ensure customers have a smooth and successful transition into Azure.


Resource Group (RG)

A resource group is a container that holds related resources for an Azure solution. In Azure, you logically group related resources such as storage accounts, virtual networks, and virtual machines (VMs) to deploy and manage them.  The default resource group name for NFA is “NerdioRG”, although you can change this default name during provisioning on the Add NFA Account screen.

Nerdio Superhero Tip: Anything in the resource group that was created by Nerdio should not be removed. Everything that is in there is needed.

Migration methods

There are two methods of migrating workloads and desktops into Nerdio:

  • Greenfield
    • A new Nerdio for Azure deployment always starts out as Greenfield, meaning that it is completely independent of anything that existed previously both in Azure or on-prem and cannot interfere with any production environment.  Once the new NFA environment is provisioned and tested, it can be “plugged” into an existing production environment by using the Hybrid AD feature (see below) or users can be imported into the Greenfield AD from an existing AD or Office 365 Azure AD. Every common directory migration path can be accommodated with NFA.
    • Importing users from Office 365 - https://help.nerdio.net/hc/en-us/articles/115003067071-How-do-I-import-users-from-Office-365-
  • Hybrid AD
    • Hybrid AD is an advanced Nerdio feature that allows an existing Active Directory (AD) to be connected to and managed by the Nerdio Admin Portal (NAP). Hybrid AD is typically used when an organization wants to retain its existing Active Directory deployment and has no plans to create a fresh AD instance in the cloud. Hybrid AD allows the existing AD to be extended into the Nerdio deployment to leverage Nerdio capabilities within the existing AD.
    • Hybrid AD: https://help.nerdio.net/hc/en-us/articles/115003090851-I-want-to-manage-on-prem-Active-Directory-users-with-Nerdio

Whitelabel

  • Logo
    • The height of the logo image will be constrained to a maximum of 65 px.
      Also, it is recommended to use an image with a 120 px width and transparent background (png is the preferred format).
  • Site icon (favicon)
    • The height of the favicon image will be constrained to a maximum of 16 px.
      Also, it is recommended to use an image with a 16 px width and transparent background.
  • App name
    • Nerdio Admin Portal will be accessible at http://AppName.adminportal.pro and RDP files will be pointing at rdsXXXX.adminportal.pro (where XXXX is a unique Nerdio account ID that gets assigned during provisioning of a new account)

Once the whitelabel setup is complete, remember to toggle the ON button. After toggling this feature, log out and then back in to use the newly activated feature. [Image: whitelabelenable.JPG]

More info - https://help.nerdio.net/hc/en-us/articles/115001989712-I-want-to-white-label-Nerdio


Domains and AD

  • By default, the Active Directory (AD) domain in a new Nerdio deployment is called nerdio.int.  This can be changed during the provisioning process on the Add NFA Account screen.  Once set, this AD forest name cannot be changed.
  • An existing Active Directory (e.g. on-prem) is referred to as "external AD" because it is outside of Nerdio; it is also referred to as “on-prem AD”, “existing AD” or “EAD”.
  • Before you integrate an existing AD with Nerdio, ensure that the Office 365 environment is configured to synchronize with the existing AD using the ADConnect tool from Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-express).

Suggestions for best practice in a Nerdio environment

  • Office 365 user imports and settings
    • Create a user in O365 to have as a test import
      • Make them the same as the most critical user (groups, security and use case)
    • Only after a successful single user test should a bulk import be considered
      • Make sure to include a simple password reset as part of the test
    • Use the bulk tool to assist with password management
    • Nerdio can manage a user's Office 365 Multi-factor Authentication setting
      • If this feature was not enabled prior to Nerdio, we highly recommend enabling that feature post go-live

Uninstalling/Removing Nerdio

It is very typical to have proof of concepts and trial environments that have reached end of life and need to be destroyed.  The following items should be observed when a Nerdio tenant needs to be destroyed.

  • Do not make any changes in Azure or O365 with permissions and global admins that are specific to Nerdio - this will impede the destroy process
    • In order for Nerdio to effectively remove its services and components, the global admins need to remain available during the destruction of the specific tenant
  • During the destroy process, Nerdio offers options to leave existing subscription items intact.
    • Only a trial Office 365 subscription should be considered for full destruction
    • If a production Office 365 subscription was provisioned with Nerdio, please ensure you select the appropriate options during the destruction process.

Step by step details on how to destroy an existing Nerdio tenant.



Note: The components mentioned below should not be changed to ensure functionality within the NFA environment:


Administrator on DC01

Do not change the password of, or disable, the domain administrator account on DC01 in the Nerdio environment.  This particular account is used to manage communication between the environment and the Nerdio Admin Portal. Please contact support if you have security or process concerns, as a change to this account will affect the operation of the Nerdio environment.


AD Organizational Units (OUs) in Nerdio AD
  • Nerdio is always provisioned with a brand-new Active Directory (AD) forest, fully configured and optimized for a cloud IT deployment. The name of the Nerdio AD is nerdio.int, but it can be changed during the provisioning process.
  • Nerdio stores all user and group objects in an OU called “Users and Groups”.  The Nerdio Admin Portal (NAP) will have visibility of items inside of this OU or any of its sub-OUs.
  • You can create your own OUs within Active Directory to assign group policies and manage resources like users, computers or groups.  However, be sure that all sub-OUs are created under the “Users and Groups” OU.

System Objects OUs

Do NOT make any changes to objects within the “System Objects” OU in AD.  Doing so can cause the Nerdio Admin Portal to lose connectivity with the environment.
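A small pre-change audit helper for the two OU rules above (objects NAP can see must live under “Users and Groups”; nothing under “System Objects” may be touched), added here as an example and not part of the original article or of Nerdio's tooling. It assumes the forest kept the default name nerdio.int and takes object distinguished names as input; the DNs used for testing are constructed.

```python
"""Classify AD object DNs against the Nerdio OU placement rules."""
import re

# Assumption: default forest name nerdio.int and the OU names exactly as the guide states.
FOREST_DN = "DC=nerdio,DC=int"
VISIBLE_OU = f"OU=Users and Groups,{FOREST_DN}"
PROTECTED_OU = f"OU=System Objects,{FOREST_DN}"


def dn_parts(dn):
    """Split a DN into RDNs on unescaped commas (an RFC 4514 '\\,' stays in the value)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def is_under(dn, container):
    """True if dn sits inside container at any depth; RDNs compare case-insensitively."""
    obj, cont = dn_parts(dn), dn_parts(container)
    if len(obj) <= len(cont):
        return False  # the container itself, or something shorter, is not "inside" it
    tail = [p.lower() for p in obj[-len(cont):]]
    return tail == [p.lower() for p in cont]


def classify(dn):
    """Return 'protected' (System Objects: do not change), 'visible' (managed by NAP)
    or 'invisible' (outside Users and Groups: NAP will not see it)."""
    if is_under(dn, PROTECTED_OU):
        return "protected"
    if is_under(dn, VISIBLE_OU):
        return "visible"
    return "invisible"


if __name__ == "__main__":
    # Constructed DNs illustrating each outcome.
    for sample in (
        "CN=Jane Doe,OU=Finance,OU=Users and Groups,DC=nerdio,DC=int",
        "CN=svc-nap,OU=System Objects,DC=nerdio,DC=int",
        "CN=Bob,OU=Staff,DC=nerdio,DC=int",
    ):
        print(f"{classify(sample):10} {sample}")
```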


Group Policy Objects 

Do NOT make any changes to the default Group Policy Objects.  The default GPOs were created to maintain and provide value across multiple areas and features in a Nerdio environment.  These default GPOs follow Microsoft Best Practices and are aligned with maintaining a secure and fully functioning environment.


VPN

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel.  Azure recommends route-based VPN connections (IKEv2), but support for policy-based connections is available (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps).
