
Nerdio Fundamentals: Provisioning Continued

May 19, 2019 | Videos

Joseph Landes
In this session, we are going to continue with our discussion on how to provision an Azure environment using Nerdio. In the last session, we focused on the provisioning of private networks and the storage environment, and we will continue by showing you how to stand up the rest of the environment, including the Active Directory domain controller, ADFS, the file server, Office 365, the RDS environment, the golden VDI image, the first VDI desktop, and more. Enjoy the session.

Vadim Vladimirskiy
Okay, so let’s keep moving forward. We spoke about the virtual network with its subnets, network security groups that get set up. We also talked about the fact that many of these VM templates, there are a handful of them, get copied from a template environment as we have set up in the south-central region in Azure. That takes quite a bit of time just to copy those templates, so if we look at the provisioning logs for, let’s say, the latest account that got provisioned … Okay, we can’t see it from here, so let’s click login on this account.

Vadim Vladimirskiy
We’ll go to logs, provision, and tasks and look at that. Okay, so the next thing is the configuration of the domain controller, so at this point, all of the templates are copied. It took about an hour in this case to copy the templates. This step creates a server called DC01. The disk is already there which has been copied. It creates the virtual network, places … I’m sorry, creates the virtual NIC, places that NIC inside of the subnet, the LAN subnet specifically, and then it spins up the domain controller.

Vadim Vladimirskiy
It then goes into the domain controller and does a bunch of PowerShell that configures it to serialize the environment, make it completely unique from every other environment, Sysprep-type of operations. It also resets all the administrator passwords to something that’s very secure and random, and those passwords get stored in an Azure Key Vault. By the time that it’s done, you basically have a domain controller that is running on a managed disk, so you’ll see by default this is going to be an E disk, which is a standard SSD. 128 gigabytes is the size of the original disk. There are no data disks attached.

Vadim Vladimirskiy
It will have a static IP address assigned to it, so if we go into the networking, we’ll see that there is a network card attached. It’s called VC01NIC. It has a private IP address, and then it has a public IP address. The reason it has a public IP address, as we discussed yesterday, is that there is a firewall rule that allows the NAP to remotely connect and configure various aspects of the Active Directory and other things on DC01 from the NAP, so that’s primarily what that IP address is used for. It’s not available to be accessible from other places on the internet, just from the NAP.

Vadim Vladimirskiy
Okay. In addition to customizing Active Directory, setting the various policies, resetting the passwords as we spoke about, it also enables the AD Connect installation that is pre-staged on the DC01 template. Basically, that installation is not pointing at any particular Office 365 account, but as you recall, we actually typed in the credentials of an Office 365 global administrator when the account was provisioned, so those credentials get passed to the domain controller, to the AD Connect services, and those get enabled and configured to now start synchronizing with the Office 365 Azure AD tenant that this account is being provisioned into.

Vadim Vladimirskiy
Step number four, what happens is there is a validation of core quota. Remember, we talked about each subscription having a certain limit. We do validations throughout because there have been situations when somebody initiated a provisioning job and then for whatever reason the core quota wasn’t sufficient, so because the domain controller is just a single core, before going through and provisioning all these additional VMs, there is a core quota validation that happens at this point.

Vadim Vladimirskiy
If there isn’t going to be sufficient core quota to proceed, then the job is just going to basically pause and wait for remediation before it proceeds. With managed disks, ultimately at the Azure Fabric level, there are storage accounts, and managed disks are still VHD files inside of those storage accounts, but what makes them managed is that all of that is abstracted from you, so you don’t really know what the storage account is. You don’t have to worry about managing that storage account. Microsoft does that for you, so the way that you interact with the disk is just like you would interact with a network card. It’s a complete entity that you can just attach to a VM versus an unmanaged disk you have to deal with what’s the file, where is it stored. It’s a little bit more cumbersome to deal with it, so you don’t get to specify the storage account parameters, but there is a storage account underneath each managed disk, but users don’t get visibility of any of that.

Vadim Vladimirskiy
Okay, so let’s keep moving forward. We got our core validation, then we do an ADFS federation setup, so the way ADFS works is that there is a service that runs on top of DC01, which is the ADFS service, that allows you to federate the same identity from Active Directory and make it usable inside of Azure AD or Office 365, and then in order to get to that ADFS server or into that service running on DC01, the security practice that’s recommended is having a proxy server that sits in a DMZ.

Vadim Vladimirskiy
There is an HTTPS tunnel that’s open from the outside into the server, and then there is another HTTPS tunnel open from this proxy server into DC01 which is where the ADFS is running, so there’s really no ADFS running on the proxy server. All it’s doing is it’s intercepting the traffic and passing it through to DC01.

Vadim Vladimirskiy
For instance, if this server is down, if the proxy server, the ADFS proxy, is down, as long as you’re inside of the LAN, like for example you’re on one of these VMs, your authentication for ADFS will continue working because that’s a local service available inside of the network, but as soon as you go outside of the network, if you’re trying to authenticate with Office 365 from outside of the Nerdio deployment, it redirects you to an ADFS URL and that passes through this DMZ, and if this server is down, then it will not work, so I just want to be clear that there is a service that’s running on DC01 and then there’s a proxy server which tunnels that connection from the public internet.

Vadim Vladimirskiy
What happens during this step, the ADFS federation services, is that the proxy server is spun up inside of the Nerdio resource groups. In this case, let’s look at that environment. You’ll see there will be a PRX01 machine that spun up. There are a couple things that are unique about this machine that’s a little bit different than the other ones.

Vadim Vladimirskiy
First of all, because there’s really nothing to pre-configure on it, it’s a very basic vanilla Windows image with just the ADFS proxy service installed and configured to talk to DC01. We don’t build it from an existing template. Instead, we simply deploy it from the image library that Azure has, so it starts out as a blank VM, nothing custom about it, and then it gets customized, joined, actually, no, sorry, it doesn’t get joined to the domain because it’s in the DMZ, but the services that get installed on the ADFS proxy get loaded at runtime, so configuring the proxy server doesn’t happen from a disk that was copied. It happens from the Azure image library with the plain vanilla Windows Server 2016 installed.

Vadim Vladimirskiy
Also, because the ADFS proxy is a very light service and it’s not CPU-bound … I’m sorry, it’s not IO-bound, meaning it doesn’t leverage the hard disk that much. It’s really only using the CPU and RAM a little bit. What you’ll notice if you look at the default deployment and you look at the disks associated with each VM, you’ll notice that the proxy server has an S disk which, remember, that’s standard HDD. Sorry, I’m pointing at the wrong one, but it’s the same concept. You get an S10 as opposed to the default, which is E10 for all the other servers, and it used to be a P10, but this has always been an S10, and the reason is it gets very little use. It doesn’t need to be fast. It doesn’t rack up lots of operations, and that’s something that costs money, and this is the cheapest disk.

Vadim Vladimirskiy
For example, an S10 is between $4 and $5 a month versus an E10 is about eight or nine, and then the P10 is about $19 or $20, so it’s a quarter of the cost of a P10 and half the cost of an E10.

Vadim Vladimirskiy
We got the ADFS proxy, then we set up the file server. The file server is a template. It’s pre-configured quite a bit. It’s currently a Server 2012 R2 VM, and we intentionally did that. It’s the only 2012 R2 VM and we decided to make it a 2012 as opposed to 2016 like all the rest of the VMs because we wanted to have some VM ready to go in the environment that was backwards-compatible. Maybe there was an application like QuickBooks that didn’t support 2016 and people wanted to use it, so we wanted to have a server right out of the box that was backwards-compatible.

Vadim Vladimirskiy
Over the last few months, we’ve had a number of partners who said, “Hey, why is it 2012? We want everything to be consistent on 2016,” so in the next few weeks, we are going to make the default deployment of a file server a 2016 VM rather than a 2012. This file server gets created, as I mentioned, from the template, and joins the domain. There are file shares on it. They are the standard file shares you’re familiar with. There’s a public share. There is a department share. There is a user share. There’s also a hidden install share where we have Office 365 downloaded and various other installations.

Vadim Vladimirskiy
It is also configured with an SMTP service, and the SMTP service is used for a relay via the Office 365 Exchange Online deployment, so if somebody, for instance, has scanners on their networks and those scanners don’t support authentication, they just want to point them at an SMTP server on port 25 without any authentication, the file server is prepped and ready for that, so that’s one of the things that’s on there.

Vadim Vladimirskiy
The default configuration of the domain is that all users through GPO have their users, I’m sorry, have their desktop and documents folders redirected to the user share, and they also have, if they’re using RDS collections, a user profile disk that’s also redirected to Office, so on, so SF01 is pretty critical for everything to work. SF01 is the next thing that gets built. Then we get into Office 365, so lots happens at this stage. There is coordination between configuring the Office 365 tenant with the domain controller and AD Connect, so that stuff I mentioned about configuring AD Connect for synchronization I believe actually is done at this step.

Vadim Vladimirskiy
I guess it doesn’t take that long to get that done, so that wasn’t that bad. Office 365 is configured to enable directory synchronization if it isn’t already enabled, enable AD Connect, and configure it with the credentials that were passed to the provisioning job during deployment, and now you have a synchronization that happens from the DC01 into the Office 365 tenant where all of the user objects appear.

Vadim Vladimirskiy
Then we go to build the remote desktop, the RDS environment, so we start out by building the RD Gateway, so this is this machine right here. It’s RD01, RDGW01, sorry about that. It is a publicly-facing machine that is sitting in the DMZ and it’s configured for a really good security posture. It doesn’t allow users who have domain admin rights to pass through it. It’s configured for tunneling. RDS connects into the LAN either directly to a desktop, directly to an RDS session host, or to a connection broker if there is an RDS collection that’s in use.

Vadim Vladimirskiy
Again, it sits in the DMZ and has certain ports that are tunneled through. It’s configured by default for RDP desktop streaming rather than TCP streaming. It provides better performance for things like video and graphical things, and there are basically a bunch of policies that are pre-staged on this server that use the various security groups that are configured in the Active Directory to limit access just to users who are entitled to desktops.

Vadim Vladimirskiy
For instance, when you assign a desktop to a user, that user gets dropped into the appropriate security group, and that security group is already preauthorized on the gateway to be allowed to come in through the gateway, so the only way to get into the network once everything is said and done is either through the proxy server for ADFS authentication or through the RD Gateway for streaming the desktop using the RDP version 10 protocol using UDP, which provides for faster performance.

Vadim Vladimirskiy
The next thing we do is we take a copy of the RDSH01 machine, which is a template that is set up inside of our templates environment. Again, it’s copied. It’s serialized. It’s Sysprepped, and it’s added into this environment, so this is the first machine that comes online that gets powered on then configured, and then the next thing that happens is it gets shut down and it gets cloned to create the golden image for the VDI deployment, and the golden image for the VDI deployment becomes WS00.

Vadim Vladimirskiy
WS00 is what gets cloned every time a new VDI user is created in Nerdio, so for instance, if you go under the servers page, you’ll see there is a section for managed VDI golden desktop image. It is that WS00 VM. It happens to be powered on right now, so let’s go ahead and power it off in this case. It shouldn’t be running and you can see there is a message here, new desktops cannot be created while this golden image is in this state. It needs to be powered down and set as golden in order for you to be able to use it, so this becomes …

Vadim Vladimirskiy
The machine comes in as a single version of the VM. It’s a Windows Server 2016. It’s an RDS session host, then the session host gets cloned to WS00, and from that point forward, they’re completely independent, so any customizations or changes that we want to pre-stage in our templates environment only needs to happen on one VM, and then once the environment is deployed, that VM is cloned and is used in this way. Let’s go ahead and power this thing off.

Vadim Vladimirskiy
Okay, and then a couple of minutes. If we refresh this screen, we should see that this WS00 is deallocated. All right, moving right along. Okay, so then once the golden image is created, which is WS00, then the next thing that happens is that the first VDI desktop is set up, so by default, if you look at any newly-provisioned environment, we have these four demo test users. The way they’re configured is these bottom three are assigned to RDSH01 by default. This one has been changed, but by default, it’s already SH01.

Vadim Vladimirskiy
Then the Andy IT admin is actually a VDI user that gets a dedicated machine, so this very first machine is created during provisioning, and then it’s assigned to Andy IT admin account. Once it’s provisioned, customers or partners can go in and delete the user, change the desktop type, reassign it, or whatever they want to do, but this just creates a more ready-to-go, out-of-the-box environment, which is why we create it in the first place.

Vadim Vladimirskiy
Okay, so what’s left? Then there is a test and finalize step, and a lot of loose ends that need to be done on the environment once everything is built happen at this stage. Just to give you a small example of what happens, you probably have noticed that when you log in as Andy IT admin and you go to Office 365, there’s like a little avatar picture, and all of that little stuff needs to happen all the way at the end because it needs to make sure that a domain was deployed, that AD Connect was configured and the synchronization happened, the licenses were assigned in Office 365, and once all of that happens, only then can you go in and put those final touches on it.

Vadim Vladimirskiy
We also configure our content filter, which is a piece of software called SafeDNS similar to OpenDNS, which is now Cisco Umbrella, and it configures the necessary account and policies and everything like that during this. Now with white-label 2.0, which is the ability to rename both the external domain, which is the nerdio.net, so when you generate an RDP file for a user and you open it up, what you’ll notice is that there is … Pre-configured into that file are these host names, so partners were asking for a way to obscure these, so we’ve created a new generic URL and new domain name called adminportal.pro, so it’s not connected to Nerdio, so the external domain gets replaced by adminportal.pro and the internal domain can get replaced by a custom specified AD name like we looked at yesterday on the provisioning screen.

Vadim Vladimirskiy
If that has been selected, which it hasn’t been in this particular case, that’s why we don’t see those tasks at the end here, but if that was selected, then there would be another set of tasks that would run at the end that would actually go in, replace the SSL certificates, change the URLs, and then also go in and change all of the internal domain references, as well, so those are additional tasks that get tagged on at the end of this.

Vadim Vladimirskiy
Okay, so, again, looking back at this environment, here is what we see. We see that WS00 was turned off. We see our domain controller. We see SF01. This is not a default server that gets deployed. That’s something that happens when you turn on performance monitoring inside of the Nerdio admin portal.

Vadim Vladimirskiy
The proxy server does get deployed and is running by default, so it needs to be stopped if you don’t want to be using ADFS and don’t want to run the server. RD Gateway does run. RD Connection Broker does not get created by default. That only happens if you add a collection, and we’ll have a whole session on how collections work and how to configure them.

Vadim Vladimirskiy
This is a template VM for collections, so the concept here is just like we have a template for VDI desktops that are dedicated, there’s also a template for the scale sets that are going to contain the individual RDS session hosts as part of RDS collection, so again, not a default VM, and you can see it’s also usually stopped because it’s only powered on to modify and make changes that are then pushed out to the collection.

Vadim Vladimirskiy
RDSH01 is a mandatory server. It must be in place. WS00 we talked about, and then the very first VM gets created, so the out-of-the-box environment looks like this minus some of the servers that were added as a result of customizing the environment, so what you’ll notice is that the main servers, the ones that are part of the default deployment are not … You don’t have the option to delete them, so you can delete DC01. You can delete FS01. You cannot delete any of the gateways or anything like that, but the Connection Broker is an example because that was added later on as part of the collection and it’s not really mandatory for the entire environment to function.

Vadim Vladimirskiy
Then there is a way to delete that server if there is double confirmation, so if you accidentally click on it, there are two more confirmations you have to go through after clicking okay here, as well.