
Nerdio Fundamentals: Hybrid AD Continued

May 31, 2019 (Videos)

Joseph Landes
In this session we are going to continue to talk about hybrid Active Directory, otherwise known as hybrid AD. We’ll dive deeper into the functionality contained in Nerdio for Azure, and how MSPs can take advantage of hybrid AD as their customers continue to move from on-premises environments to the cloud with Microsoft Azure. Enjoy the session.

Vadim Vladimirskiy
We talked about how hybrid AD is created. We spin up an additional domain controller in Azure. We join it to the domain over the VPN tunnel to the existing on-premises environment. We promote it to a domain controller. We do some DNS and other kinds of routing magic in the back to make it all workable. We create a bidirectional transitive trust between the Nerdio Active Directory and the external Active Directory that’s being controlled by the newly created domain controller in Azure.

Vadim Vladimirskiy
And then the third step, right, so step number one was VPN, step number two was setting up this domain trust, step number three was setting that domain as managed. And by setting the domain as managed, if you recall, the UI inside of NAP changes, and in the UI you now see additional things, and that’s what we’re going to spend some time on today. But so now, if we’re done with step number three, all that happens is we now have a UI that has visibility of the external AD, but we haven’t imported any users yet, right?

Vadim Vladimirskiy
So step number four in this list basically tells you that when you go, remember we’re using AD Connect that’s running in the existing environment. In most cases it already exists within the environment, but in some cases it will get installed on the newly created domain controller VM in Azure. And in that case we just want to be sure that this newly added OU, the Users and Groups OU, is included in the scope, right?

Vadim Vladimirskiy
Depending on how the original AD Connect is configured, it may not have all the OUs selected by default, in which case, because this is a brand new OU that got created in this process, it will not be synchronized, and we need it to be synchronized to Office 365. So this step just basically tells the administrator to go in and make sure to check the new Users and Groups OU to be included in the scope of the AD Connect synchronization. Okay?

Vadim Vladimirskiy
And then the final step is this user import step. We wanted to extend an existing Active Directory because we wanted to reuse existing accounts, right? Meaning we wanted to be able to log in, or have users log in, with the same domain that they’re logging in with today, with the same username, same password, same everything, without giving them a brand new account and a brand new Active Directory identity. So that was ultimately the goal.

Vadim Vladimirskiy
So now, in order to accomplish this goal, what we need to achieve is we need to get that user that exists in the other domain to appear in this Manage Users screen, where it will not appear by default. Right? The user list from creating hybrid AD doesn’t change. So we’ve got to do one more thing, and this one more thing is the import of the user from the existing Active Directory into the user management module in the NAP.

Vadim Vladimirskiy
And the way that happens in the back end, it’s actually pretty simple. All that does is it moves the user object in the external AD from wherever it’s currently located, whatever OU it’s currently in, into this newly created Users and Groups OU within the same domain. Right? So the user object is exactly the same; the only thing that changes is it changes location. And the ramification of that, for those of you who work with group policies, is that there may be some GPOs that apply to it in the source OU that you just have to consider, as to how those are going to affect the user by not applying by default to the new destination OU, which is Users and Groups/Active Users.

Vadim Vladimirskiy
So that’s where it’s going to move. It’s going to move from wherever it is today into this Users and Groups/Active Users OU in the same domain. And then the administrator just needs to decide what to do with GPOs. Some GPOs may be relevant, some may not be relevant, and the very same GPOs can easily be applied to another OU. ‘Cause remember again, this is all happening within the same domain, so you use the same Group Policy Management tool; all of that is pretty easy and doable by anybody who manages Active Directory.

Vadim Vladimirskiy
Okay, so the way the UI looks is you go into this Import Users button, which exists right next to the trust, next to the hybrid AD connection that we’ve set up under Onboard Domains. You go in and you find the users you want to import, and you can do single selection or multiple selections. You have a very flexible UI as to who you want to import. You can search users by name or by OU. Let’s say I want everybody from the AM West Funding Corp. Right? So there we go. Everybody from that OU I can then select all, and click Import.

Vadim Vladimirskiy
Okay, so all that’s going to happen once I click Import is all of these users will be taken out of this source OU and moved into the destination OU, then a user list synchronization will be triggered. Okay, so this user list is going to get refreshed right after that import happens, and all of these users will show up in this list. They will not have any desktops assigned to them. They will have their Office licensing, their email address, usernames; everything will be the same as it was in the existing OU that they were moved from, from the source.

Vadim Vladimirskiy
And the only thing that’s left for us to do is going to be to assign the users to a desktop, and the way we do that, as you recall, is we can either click on individual users and assign them to either an RDS session host collection or a VDI desktop, or we can use our bulk user update tool to assign multiple users at the same time. Okay? So that sort of achieves the objective of being able to use the same user accounts that are currently used on-prem inside of Nerdio with Nerdio desktops.

Vadim Vladimirskiy
All right, so now let’s think of this logically. So if we’ve now integrated the NAP into an external OU, there are certain management options that live, I’m sorry, we’ve integrated NAP with an existing Active Directory. There are certain management options where Active Directory is below them, meaning they integrate with it, things like users, and contacts, and groups, and servers, and then there are certain objects that are really directory-unaware, right? What do I mean by that?

Vadim Vladimirskiy
So for instance, backup has nothing to do with Active Directory. Networking has nothing to do with Active Directory. Right? Those are networking and infrastructure constructs that live outside of a directory, okay? Now other objects, we’ll start with servers as an example, are aware of Active Directory. So the first thing we’ll look at is servers, and when things start out, out of the box, every server will have the Nerdio.INT domain as the only domain that it’s in right now, right?

Vadim Vladimirskiy
Because we haven’t done anything to create a server in the external AD. So what we’ll do is, if we go to add a new server, I think I showed this to you yesterday, but you’ll see that by default you’ll have this external AD selected, and you will be able to select Nerdio.INT if there is ever a use case. We haven’t seen that to be the case. Usually 90 if not 100% of the time, if hybrid AD is implemented, then they want to be using the external AD.

Vadim Vladimirskiy
So when you add a server, this server will be added into the new domain. So that’s pretty simple, right? This is just making a particular Windows VM a member server of the on-premises, or the existing, Active Directory. Then the next object I want to discuss is the security group, right? And then we’ll get to distribution lists. So a security group, very similar to the server, is obviously Active Directory-aware.

Vadim Vladimirskiy
It’s an object within Active Directory, so when you add a security group you get to select which Active Directory it gets created in, and the nice thing is the way NAP is implemented is it will allow you to add members from both Active Directories. So for example, you could have users who are in Nerdio.INT that can be added into a user group which is in the external AD, and vice versa. You can create a Nerdio.INT group, or a Nerdio.INT AD group, and add members to it from the other domain.

Vadim Vladimirskiy
And the reason this is possible is because this is all based on the transitive bidirectional trust that exists between the two forests. Okay, so that’s security groups. Why would you want to do this? Well, let’s say for whatever reason you have a folder on FSO-1, okay, so that’s actually a good example. So FSO-1 is a file server that by default is configured to have all of the GPO-ed folder redirection. Things like documents and desktops and user profiles get redirected to the file server.

Vadim Vladimirskiy
Because the file server is created when the account is provisioned, it’s a member of Nerdio.INT. So even when you have users from the external AD connecting to their desktop, their content, their documents and desktop items get redirected here. Right? So how does that happen? They’re in two different domains. The reason that happens is because the trust is in place; FSO-1 allows members of the other domain to connect to file shares on it, okay?

Vadim Vladimirskiy
And that would be kind of the use case for security groups that have cross-domain members in them. Okay, the remaining three objects to talk about are distribution lists, users, and associated desktops. Okay? And before we can talk about those three objects, we need to understand how the whole concept of domains works in Nerdio. Okay? So on the Domains screen, again, forget about the Active Directory domain trust section, which is where we spent most of our time.

Vadim Vladimirskiy
This domain section can have, by default, two types of domains. There could be a public domain, or what’s called an internal domain. An internal domain, all it is, is a UPN inside of Active Directory, but it does not have a corresponding public domain in Office 365, whereas a public domain has both. It’s a UPN in Active Directory that’s matched to a public domain in Office 365.

Vadim Vladimirskiy
So when we enable hybrid AD, when we set something as NAP-managed, this column gets added in here, and then the system intelligently determines which domain that exists in Office 365 and inside of Active Directory belongs to which directory. So, a few obvious things. This domain will obviously be part of Nerdio. It’s nowhere to be found in the external AD, whereas maybe this domain, which is the existing customer domain, is identified as being part of this Active Directory.

Vadim Vladimirskiy
So why am I bringing this up? The reason I’m bringing this up is you can see that there is a one-to-one mapping between an email domain, which is this, and an Active Directory that that domain is associated with. You could not have the same email domain in two different Active Directories, because then you have UPN conflicts, and you have all kinds of issues. So it’s a one-to-one relationship. So now, understanding there is a one-to-one relationship between an email domain and the Active Directory within which it exists, we can look at how users get added.

Vadim Vladimirskiy
So let’s say we go to add a user. When we go to add a user, the default domain, let me just show you what I mean by default domain. There’s going to be a little star next to the domain right here, signifying it’s the default. You could set any of these as the default, and all that does is it’s going to select that from the drop-down when you add a new user. So let’s go back to New User.

Vadim Vladimirskiy
We’re going to click Add New, and now we’ll see that this domain is selected. Okay, now, we could select any of the other domains, like this one for example. And in this case, let’s select this domain. Okay, now why is this important? Let’s look at the VDI. So if I were to do this right now and I were to ask you, “Where would this user object get created?” Right, there is nothing in here that specifies which Active Directory I want this user object to appear in, okay?

Vadim Vladimirskiy
But given what I showed you earlier, because there is a one-to-one relationship between an email address, or an email domain, and Active Directory, by creating a user with this email address, which then by default drives that username, this username determines what Active Directory that object will get created in. So if I were to create the user like this, it would go into the external AD. If I were to create a user object like this, it would go into the Nerdio AD. How can I confirm this?

Vadim Vladimirskiy
So let’s look at the VDI user. So what happens when you create a VDI user? A new desktop gets spun up, and that desktop is a Windows machine, right? So it’s got to be joined to a domain. So let’s see what happens. So now, because hybrid AD is enabled and you look at VDI, you can see on the bottom what Active Directory that user belongs to, or I’m sorry, what Active Directory this desktop is going to be added to. So now, watch what happens when I change it from this email to this email.

Vadim Vladimirskiy
You can right away see that now this desktop is going to be created in the external domain. So the important takeaway here is that the email address selection drives the decision of the system as to where to place the user. Okay, now let’s look at how this works for RDS. So if I’m selecting RDS, then what I would expect is that I will see all the RDS session hosts that are built inside of the external AD right here. Right? So I have a particular list.

Vadim Vladimirskiy
Now, what if I switch this to a Nerdio email address? Right, when I do that you can see my list has now changed, and now I only have one session host, which exists in Nerdio.INT. So imagine this scenario: we spin up a brand new account with Nerdio.INT only. We enable hybrid AD, we import a user, and now we want to assign this user to an RDS session host. We come in here, we select the new email address that’s associated with the external Active Directory, and lo and behold, our list of RDS session hosts is empty.

Vadim Vladimirskiy
Well, why is it empty? It’s empty because there aren’t any session hosts at that point, at the starting point, that are in the new Active Directory. We’ve never built one. So how do we build one? Very easy: we go to Servers, we select, let’s find the initial RDSH-01. Okay, let’s say there it is. We select Clone, and lo and behold, on the clone screen we now have an additional option where we get to select where this host is going to be stored.

Vadim Vladimirskiy
So we’re going to select this, click Confirm, and that’s going to spin up a new VM, give it the next sequential number as a name, and now it’s going to be in the external AD, so that when we come back to the user screen and we add a new user, and we select the email domain that corresponds to the new Active Directory, the external Active Directory, then when we select RDS we’ll now see that newly created RDS session host which we cloned from one of the other session hosts.

Vadim Vladimirskiy
A couple of other little nuances that I want to point out. So I told you I kind of oversimplified by saying that the email address drives the directory selection, which is really true, but it’s only true due to this transitive relationship between email and username. So you’ll notice in Nerdio, whenever you’re working with users, especially if you’re creating a new one, by default this checkbox will be checked. If this checkbox is checked, that means any changes I make here will be automatically made here.

Vadim Vladimirskiy
So any domain that I select will be selected there; however, there are some use cases, it’s rare, but they come up, where these may not match. So let’s say I do this, and I say, “Okay, well, I want this user to have this email address, but I want them to have the other local login. Is that possible?” Well, the answer is no. You’ll see it filters this list out as well, because it won’t be possible to create a user inside of the external domain, or inside of the Nerdio domain, with an email address that doesn’t exist as a UPN in that domain.

Vadim Vladimirskiy
Okay? So that’s kind of the relationship between these two objects. When you import a user, a lot of times the email address may differ from their username, and then what NAP is going to do is it’s going to leave this checkbox unchecked, because they don’t match from the get-go, so it knows that if you make changes to one it should not make changes to the other. So it’s going to automatically uncheck that box. You’ll also notice that when I’m using external AD domain names, there is a checkbox that goes away.

Vadim Vladimirskiy
By default, this checkbox for granting user admin rights, whether local admin or domain admin, exists when we’re dealing with the Nerdio.INT domain. As soon as you switch over to using the external domain, NAP basically says, “You know what? We don’t want to mess with the domain admins or any other administrative groups in an AD that we didn’t create.” So we just eliminate this option so you can select it. So that’s why it disappears, because NAP doesn’t want to manage domain admin permissions for users in a domain that it didn’t create.

Vadim Vladimirskiy
Okay, and then finally this last concept should be really easy, because now we’ve talked about security groups and we’ve talked about usernames. So when you add a distribution list, right? You’ll notice that there isn’t, so when adding a security group there was an Active Directory selection. When you’re adding a distribution list there isn’t an Active Directory selection. Why not? The answer should be pretty obvious: because we are going to automatically figure out what the Active Directory is, based on the email address that gets created here. So when you create a distribution list here, it’s going to go into Nerdio.INT; if you create it here, it’s going to go into the external AD.
