Submit a request

Nerdio Help Center

Considerations when Migrating a Hybrid-AD(HAD) "Domain Trust" NFA Account to NMM


Important Notification for NFA Partners Only
  • Only new NFA account creation will be unavailable on November 30th 2021
  • NFA will be fully supported until the official sunset - nfa.support@getnerdio.com
  • We encourage all partners to watch this video, read all of our supporting KB's and consider preparing for migrations in 2022. The entire Nerdio team is here to support and guide all of our amazing partners during this transition.

Important Definitions
  • "on-premises domain" is referring to your instance of AD_DS not provisioned by Nerdio/NFA
  • "Nerdio Domain" is referring to the local domain configured on DC01 during provisioning.
    • If you used provisioning defaults "Nerdio Domain" = nerdio.int
  • Still unsure if you have Hybrid AD(HAD) - You can confirm via the NAP

One of the biggest advantages of Nerdio Manager for MSP (NMM) over Nerdio for Azure (NFA) is the
ability to connect directly to existing domains. In NFA, you had to set up a hybrid environment to utilize
an existing on-premises Active Directory.  In NMM you can connect directly to an existing AD
without the need for the extra complexity of domain trusts. If you are migrating from NFA to NMM and
would like to simplify your environment, you can follow these steps to dismantle the Hybrid AD
configuration and connect NMM directly to your "on-premises domain".


This guide is supplemental to Migrating from NFA(Core and AVD) to NMM.  The following article addresses items specific to HAD and is only a companion to the process for Migrating from NFA(Core and AVD) to NMM.  Several migration aspects and considerations still apply and will need to be followed.


Prerequisites - Before you get started

Items to consider

  • From the domain controller on the local domain, on-prem or EAD-DC01, confirm that the right users or groups are member to the ADSyncAdmins group
    • Ensure there is complete command and control of AD Connect and that AD Connect is error free by looking in the AD Connect Services Manager from the start menu
  • Perform a complete review of Group Policy Objects
    • Any GPO that has links to the Nerdio AD Domain, nerdio.int in any examples in this document, will need to be unlinked to avoid producing error messages
  • Ensure that replication between servers for local domain is error free
    • When replication between servers is operating as expected changes can occur from any domain controller
  • Ensure domain and local admin accounts for resources are available and tested
    • Prioritize the setup for the local admin account on FS01 to allow for command and control of the VM in the event there is an issue during the domain join step
    • Review the permissions for the PROFILES share as you will be joining FS01 the on-prem domain
  • Perform a GPResult prior to changes to ensure Group Policy is error free
    • Link for performing GPResult can be found here
    • Using /r or /h flags is useful with visibility for policies executing on a host

Update DNS on VNet

DNS for your VNet must be pointing to the correct DNS server. Custom DNS for the VNet was automatically set by NFA to look at DC01 for name resolution. You’ll need to update this to use a cloud DNS server as your primary, preferably EAD-DC01. You can set any secondary/tertiary settings to point to an on-premise DNS server. Here is a screenshot where you can go in the Azure portal to set custom DNS servers”:

mceclip0.png

Choose custom and enter the DNS server IP for the EAD-DC01.


Steps to Migrate from NFA to NMM (2 Steps)

Important Note - Migration considerations 

Nerdio highly recommends keeping the migration scope narrow to only include a migration from NFA to NMM.  Adding additional changes or items during the migration can lead to errors that will create troubleshooting challenges.  By keeping a narrow scope any errors can be easily tied to a particular step.  This strongly applies to any consideration for migrating profile storage migration as well as user folder redirection changes with Documents, Favorites and Desktop  

 

The following document is a guide for creating an account in NMM as a Existing IaaS Deployment.   If you're not familiar with Adding Accounts in NMM please read our guide here.   

 

Step 1 - Follow the Standard NFA to NMM Migration steps as outlined here and include the modification below:

Modification 1 - Adding your Customers Account, Step 3 :

mceclip0.png

When defining the Domain name DO NOT USE NERDIO.INT or any other internal domain defined on the DC01.  You should input the on-premises domain name details here.

 

NOTE!  -  You can confirm the DC01 Domain name in NFA via the Home Page.  Click the MORE button next to the Azure Region.

mceclip1.png

mceclip3.png

The domain name you will want to use will be visible from the menu items Onboard > Domains > Active Directory Domain Trust

 

Step 2 - Replicate Group Policy Objects from Nerdio Domain to on-premises Domain

Partner Consideration - The GPO's linked to the Nerdio Domain Users and Groups OU on DC01 will need to be recreated on the on-premises Domain. .  You can create new GPO's or you can export and import your GPOs.  Please ensure that those policies have the correct links after the import has been completed.  Check the links to ensure GPOs only have links to current and preferred internal domain.  

mceclip4.png

Having completed the above 2 steps, resume the migration by returning to the steps outlined in Migrating from NFA(Core and AVD) to NMM

Note:  While is possible to migrate a pool template to NMM, Nerdio recommends creating a new Windows 10 pool from a Marketplace Image.


Post Migration - Domain Maintenance (3 Steps)

When other non-Hybrid AD steps have completed (i.e. new images and pools are created) there are several steps to complete the migration away from HAD.  

Step 1 - Domain remove FS01 from the Nerdio Domain and Re-Join it to the on-premises Domain (current or preferred domain).

  • Ensure that you keep DC01 active during the unjoin rejoin process
  • Once FS01 is joined to the new domain log in as a domain admin to ensure there is proper access

Step 2 - Verify NTFS Permissions for FSLogix profiles and redirected folders

Step 3 - Delete domain trust

  1. In Active Directory Domains and Trusts, right-click your domain name and choose
    Properties.
  2. On the Trusts tab of the domain's Properties dialog box, select the trust to be removed
    and click Remove.
  3. You are asked whether you want to remove the trust from the local domain only or
    from the local domain and the other domain. Select “Yes, Remove the Trust from Both
    the Local Domain and the Other Domain”, type the username and password for an
    account with administrative privileges in the other domain, and then click OK.
  4. Click Yes on the next dialog box to confirm removing the trust.
  5. You are returned to the Trust tab of the domain's Properties dialog box. Notice that the
    name of the other domain has been removed.

 


Post Migration - NFA Destruction and Resource Cleanup

Important Note:  We highly recommend waiting for at least one business week before destroying the account in NFA.  DC01 will need to be present and booted for a proper destruction of the NFA account.  Keep in mind that a destruction selected in NFA will not delete Azure resources and will keep M365 accounts that will get renamed and require manual cleanup via the M365 portal.

Step 1 - Delete public IP address for EAD-DC01
Step 2 - Remove Nerdio(NFA) Account

Once the account is destroyed in NFA (no longer visible in the accounts section), you can safely delete DC01 and PRX01 as they no longer have any relationship or function in the internal domain.  

Step 4 - Delete PRX01

Step 5 - Delete DC01

Step 6 - If an existing backup policy is being linked in NMM, ensure neither VMs have been orphaned in the policy.


Having reached the end of the article, the following should be completed to allow for other migration tasks.

  • All Group Policy Objects exist and function in the preferred and current local domain
  • No domain trust exists with any additional internal domains
  • FS01 is joined to the current and preferred internal domain and will continue to serve file shares for PROFILES and USER redirected folders (with verified permissions)
  • PRX01 and DC01 are removed/deleted from the Azure Resource Group
  • The public IP attached to the EAD-DC01 (or custom host name for the External Active Directory Controller in Azure) has been removed/deleted
  • The NFA account is destroyed and no longer visible in the Nerdio Admin Portal (NAP)

With all of steps complete, proceed with all of the other items related to Migrating from NFA(Core and AVD) to NMM


MSP Considerations


New to NMM?

Was this article helpful?
2 out of 2 found this helpful
Important Notification for NFA Partners Only
  • Microsoft is sunsetting Azure Classic (not Azure Virtual Desktop (AVD)) - Microsoft Article
  • NFA sunset occurs February 20th, 2023
  • NFA will be fully supported until the official sunset - nfa.support@getnerdio.com

Comments

Article is closed for comments.