    Azure AD and OnPrem Windows Server 2016

IT Discussion - 59 Posts, 4 Posters, 6.0k Views
• bigbear (replying to @scottalanmiller)

@scottalanmiller I'm halfway there; the AAD may work for RDS without the need for an AD server.

I'm waiting for my AAD DNS IP addresses to generate!

• bigbear

        UPDATE:

The lack of guides for this is really stunning. If you aren't syncing with any on-prem AD, you have to have 365/Azure AAD users reset their password.

Officially joined a Server 2016 instance to AAD and rebooting now. I would hope RDSH will be easy to deploy next.

The cost of running the same spec VM on Azure is about $35 more than Azure. However, the cost of Vultr goes up $56 for the minimum 2016 server to add a domain controller. Plus, on Azure I won't have to manage Active Directory.

        Maybe $150 in total cost to run a 14GB instance for RDSH isn't too shabby.

• bigbear

          And it's official, Azure AD only, no premise AD or synced AD, and a single RDSH deployed and working!

          Lots of notes scratched out to the side.

• Dashrender

Can you lay out the setup you put together?
Thanks

• scottalanmiller (replying to @bigbear)

              @bigbear said in Azure AD and OnPrem Windows Server 2016:

              And it's official, Azure AD only, no premise AD or synced AD, and a single RDSH deployed and working!

Lots of notes scratched out to the side.

              Sweet!!

• bigbear (replying to @Dashrender)

                @Dashrender said in Azure AD and OnPrem Windows Server 2016:

Can you lay out the setup you put together?
Thanks

Yeah, I will definitely post what I did. At the moment I am trying to connect a site-to-site VPN to a Vultr instance, as Azure VM pricing is actually a lot higher now that I am comparing config details.

You have to deploy all this using the ASM model; it doesn't work in ARM. Using the classic GUI or ASM PowerShell commands both seem to work.

1.) Create a classic vnet and subnet range in the data center where you will deploy the servers that will join AAD.

2.) If you don't have Azure AD, deploy it. It's already deployed as Basic if you have Office 365. Under your AAD in the Classic Portal, create a group with EXACTLY this name: AAD DC Administrators. Add your AAD users that will have permission to join servers to AAD, or that will manage AAD through the AD snap-ins.

3.) Under your AAD in the classic portal, go to Configure. Halfway down the page there is an option under Domain Services called Enable Domain Services For This Directory. This is what provides Kerberos/NTLM to Azure AD.

Enable this and select the virtual network you created.

Eventually, under DNS Servers, two IP addresses will appear. This took forever, like 20 minutes.

4.) Go back to your virtual network and place those two DNS servers in your new virtual network. These will then be added to your virtual machines and are your AAD DNS servers.

5.) At this point, for no known reason, you need to change the Office 365 work password you are using if you have recently enabled password sync and/or user password management. I am not referring to syncing to an on-premises AD; that is not required. It appears to be for syncing AAD with Office 365 accounts.

6.) Deploy a Server 2016 VM in Classic Mode or using ASM PowerShell commands. It seems 2016 and 2012 are able to join Azure AD.

7.) Once you are in your new VM, use the FQDN (domain.com) of your Active Directory domain to join the domain. It will prompt for authentication. Use the UPN model without the .com, i.e. domain\username and password. This would be any AAD user that was added to the special admin group you created above.

When you reboot you can log in with your UPN, or your email address if it matches the UPN model.

8.) From there, I deployed a basic RDS server and it's been working great. A little pricier than I first thought, but I am working on linking the ASM virtual network to a Vultr-deployed pfSense instance with a site-to-site VPN. So if that works, an on-premises server could also be joined. However, I am not sure if this would be feasible, given that any drop in the internet or VPN connection would cause users havoc.

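The steps above end with a domain join done through the GUI (step 7). As an added example that is not part of bigbear's post, the script below is what I would run inside the freshly deployed Server 2016 VM to check the prerequisites the post describes before attempting the join, and then to join with a member of the AAD DC Administrators group without leaving a password in the script. The domain name example.com and the two DNS addresses 10.0.0.4 and 10.0.0.5 are placeholders for the values that appear under DNS Servers in step 3; substitute your own. One caveat worth knowing for step 5: the managed domain can only authenticate users whose NTLM/Kerberos-compatible password hashes exist, and Azure AD generates those only when a user changes their password after Domain Services is enabled, which is why the join account must have reset its password first.

```powershell
<#
  Added example, not code from the original thread. Run as a local administrator
  inside the new Server 2016 VM after the vnet DNS has been set (step 4).
  Assumed values: managed domain example.com, managed DNS/DC addresses
  10.0.0.4 and 10.0.0.5. Replace them with the ones shown in your portal.
#>
param(
    [string]$DomainFqdn   = 'example.com',             # assumption: your AAD domain
    [string[]]$ManagedDns = @('10.0.0.4', '10.0.0.5')  # assumption: the two DNS Servers from step 3
)

$ErrorActionPreference = 'Stop'

# 1. The VM must be using the managed-domain DNS servers, not Azure's default
#    resolver; otherwise domain discovery fails before any credential is asked for.
$clientDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
              Where-Object { $_.ServerAddresses }).ServerAddresses
$missing = $ManagedDns | Where-Object { $clientDns -notcontains $_ }
if ($missing) {
    throw "VM is not using the managed-domain DNS servers ($($missing -join ', ')). " +
          "Fix the vnet DNS (step 4) and renew the lease with 'ipconfig /renew'."
}

# 2. Domain discovery: the DC locator SRV record must resolve to the managed DCs.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    throw "No DC locator record for $DomainFqdn. Domain Services may still be provisioning (step 3)."
}
$srv | Select-Object NameTarget, Port | Format-Table -AutoSize

# 3. Kerberos (88) and LDAP (389) must be reachable on each managed DC. If they
#    are not, the VM is usually in a vnet other than the one chosen in step 3.
foreach ($ip in $ManagedDns) {
    foreach ($port in 88, 389) {
        $probe = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        if (-not $probe.TcpTestSucceeded) {
            throw "TCP $port on $ip is not reachable. Check that the VM is in the vnet/subnet selected when Domain Services was enabled."
        }
    }
}

# 4. Join. Prompting for the credential keeps the password out of the script and
#    the PowerShell history. The account must be in 'AAD DC Administrators' and
#    must have changed its password after Domain Services was enabled (step 5),
#    otherwise the managed domain has no hash to validate it against.
$cred = Get-Credential -Message "Account from 'AAD DC Administrators' (NETBIOS\user or user@$DomainFqdn)"
Add-Computer -DomainName $DomainFqdn -Credential $cred -Force -Restart

# After the reboot, confirm the machine trust actually works against the managed DCs:
#   Test-ComputerSecureChannel -Verbose     # expected: True
#   nltest /dsgetdc:$DomainFqdn             # expected: one of the managed DC addresses above
```

The two post-reboot checks in the trailing comment are the ones I would not skip: a join that "succeeded" against the wrong DNS server or a half-provisioned domain shows up there as a broken secure channel, long before RDSH users start failing to log in.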
• bigbear

Dropping a note on this. Azure AD Domain Controller services does actually charge a minimum of $0.15/hour, so there is a $90 minimum cost for enabling this feature.

Not really a deal killer, but as @scottalanmiller alluded to, they seem to spin up an S1 instance that you can't control, and manage that NTLM/Domain Controller part for you.

• stacksofplates

Coming from me, who doesn't deal with Microsoft: this whole thread sounds so confusing.

• scottalanmiller (replying to @stacksofplates)

                      @stacksofplates said in Azure AD and OnPrem Windows Server 2016:

Coming from me, who doesn't deal with Microsoft: this whole thread sounds so confusing.

                      Seriously. Everything around Azure, Azure AD and AD is ridiculous and unnecessarily confusing. From confusing tech to intentionally overlapping names.

• Dashrender

                        It sounds like a mixing of old and new ways to work.. /sigh.

• scottalanmiller (replying to @Dashrender)

                          @Dashrender said in Azure AD and OnPrem Windows Server 2016:

                          It sounds like a mixing of old and new ways to work.. /sigh.

                          That's exactly what it is. Just gatewaying to a traditional AD server.

• bigbear

                            At least it doesn't require on-premises AD. It's "all cloud". It just seems like they are deploying a traditional or perhaps publicly unavailable version of AD to instances you can't see.

I have found a couple of Microsoft-supported ways to use RDS on Vultr. There is a workgroup mode, and a Microsoft support article says deploying AD on the RDS server is appropriate in small environments where there is one server. I could then at least sync to Office 365.

I was also looking at JumpCloud, some kind of cloud directory service, probably similar to Amazon's. I could possibly join a 2016 server to that and sync that back with Office 365. But I haven't seen anyone talking about it out there.

• scottalanmiller (replying to @bigbear)

                              @bigbear said in Azure AD and OnPrem Windows Server 2016:

                              At least it doesn't require on-premises AD. It's "all cloud".

Sort of, but the way you are saying it is wrong. It's the same "on premises AD" that you run, it's just hosted elsewhere, the same as we've always done. So it's nothing new. We were doing AD on Azure or AD on Vultr long before there was Azure AD.

                              If that is all that you are getting, you can spin up a Windows instance on Vultr, make it a DC, install your VPN of choice and ta da.

                              Yes, it's "all cloud" but AD was always all cloud by that logic.

• scottalanmiller (replying to @bigbear)

                                @bigbear said in Azure AD and OnPrem Windows Server 2016:

I was also looking at JumpCloud, some kind of cloud directory service, probably similar to Amazon's. I could possibly join a 2016 server to that and sync that back with Office 365. But I haven't seen anyone talking about it out there.

                                Post a thread about it, JumpCloud is in the community here.

• bigbear (replying to @scottalanmiller)

                                  @scottalanmiller

                                  @scottalanmiller said in Azure AD and OnPrem Windows Server 2016:

                                  @bigbear said in Azure AD and OnPrem Windows Server 2016:

                                  At least it doesn't require on-premises AD. It's "all cloud".

Sort of, but the way you are saying it is wrong. It's the same "on premises AD" that you run, it's just hosted elsewhere, the same as we've always done. So it's nothing new. We were doing AD on Azure or AD on Vultr long before there was Azure AD.

                                  If that is all that you are getting, you can spin up a Windows instance on Vultr, make it a DC, install your VPN of choice and ta da.

                                  Yes, it's "all cloud" but AD was always all cloud by that logic.

The difference seems to be that you can't access that VM or manage it. And from what I am reading, there are some differences between the Azure AD DC and an on-premises AD deployment. I will search back and post.

                                  Because I didn't control a VM and DCPROMO in that whole process.

• scottalanmiller (replying to @bigbear)

                                    @bigbear said in Azure AD and OnPrem Windows Server 2016:

The difference seems to be that you can't access that VM or manage it.

                                    Right, MS is an MSP here on your behalf. That's all.

• bigbear

Which I think isn't bad; if we had 20 or 30 users I would say it justifies the cost. But I'm spinning up 2016 on a Vultr VM now to see how it performs. I had one running before but did not pay attention to the streaming video/audio stuff.

• scottalanmiller (replying to @bigbear)

                                        @bigbear said in Azure AD and OnPrem Windows Server 2016:

Which I think isn't bad; if we had 20 or 30 users I would say it justifies the cost. But I'm spinning up 2016 on a Vultr VM now to see how it performs. I had one running before but did not pay attention to the streaming video/audio stuff.

The real trick here is, once you realize what it is, that it is just a hosted AD server, and that you can do that better on Vultr. Then you realize... WAIT, why am I using Windows for this? I can do it for $2.50 on Vultr with Linux!

• bigbear (replying to @scottalanmiller)

                                          @scottalanmiller said in Azure AD and OnPrem Windows Server 2016:

                                          @bigbear said in Azure AD and OnPrem Windows Server 2016:

Which I think isn't bad; if we had 20 or 30 users I would say it justifies the cost. But I'm spinning up 2016 on a Vultr VM now to see how it performs. I had one running before but did not pay attention to the streaming video/audio stuff.

The real trick here is, once you realize what it is, that it is just a hosted AD server, and that you can do that better on Vultr. Then you realize... WAIT, why am I using Windows for this? I can do it for $2.50 on Vultr with Linux!

                                          In every case I agree except this one, lol. Giving winblows desktops to my team with access to all the CAD/Office drawings that run in windows apps is what I need.

• scottalanmiller (replying to @bigbear)

                                            @bigbear said in Azure AD and OnPrem Windows Server 2016:

                                            @scottalanmiller said in Azure AD and OnPrem Windows Server 2016:

                                            @bigbear said in Azure AD and OnPrem Windows Server 2016:

Which I think isn't bad; if we had 20 or 30 users I would say it justifies the cost. But I'm spinning up 2016 on a Vultr VM now to see how it performs. I had one running before but did not pay attention to the streaming video/audio stuff.

The real trick here is, once you realize what it is, that it is just a hosted AD server, and that you can do that better on Vultr. Then you realize... WAIT, why am I using Windows for this? I can do it for $2.50 on Vultr with Linux!

                                            In every case I agree except this one, lol. Giving winblows desktops to my team with access to all the CAD/Office drawings that run in windows apps is what I need.

Not what I meant. I meant your AD server; there is no reason for it to be Windows. It can be a Linux AD server running on Vultr.
