Reference Architecture
Windows Virtual Desktop Design: Two AD Forests, On-Premises AD Sync to Azure, Design with VPN
Summary
This blog post is inspired by one of my recent partner engagements where we took a closer look at different identity strategies when deploying Windows Virtual Desktop (WVD) in a multi-forest hybrid environment. In this blog post we will take a look at three different design options when deploying a WVD solution in a hybrid environment with multiple domains. We talk about options with and without VPN, different identity strategies (Azure AD Domain Services vs. AD DS), the Azure hub-spoke landing zone architecture for WVD, domain joins for session hosts, and end-to-end WVD design.
Microsoft Documentation
These architectures are based on best practices and recommendations from Microsoft documentation.
AAD Connect Topologies here
Compare AAD DS, AD, AAD here
WVD Documentation here.
Github Link to Download Visio
Visio diagrams for all the different designs are available on my GitHub repo.
Use case: WVD Architecture for Multi-forest design in a Merger and Acquisition scenario
Environment:
These architectures are based on the following existing AAD Connect topology.
Image Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies
- Two Active Directory domains on-premises (companyA.com) and (companyB.com)
- Azure AD tenant for the combined new company: NewCompanyAB.onmicrosoft.com
- Verified domains in Azure for CompanyA.com and CompanyB.com
- Azure AD Connect syncing users from both CompanyA.com and CompanyB.com to the Azure AD tenant (NewCompanyAB.onmicrosoft.com)
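Before picking one of the designs below it is worth confirming that the AAD Connect topology really looks like this: both forest connectors present, the sync scheduler running, and password hash sync enabled per forest (the AAD DS variants cannot issue Kerberos or NTLM tickets for a forest whose hashes never reach Azure AD). The script below is an added example written for this post, not Microsoft's tooling; it assumes the ADSync module that ships with Azure AD Connect, that the connector names equal the forest FQDNs, and it uses the post's placeholder forest names.

```powershell
# Added example (not from the original post): run on the Azure AD Connect server to
# confirm both forests are connected and password hash sync is on for each of them.
# Assumptions: ADSync module present, connector names equal the forest FQDNs,
# forest names below are the post's placeholders, run as a local administrator.
Import-Module ADSync -ErrorAction Stop

# Forest names from the post's scenario (placeholders, not real domains)
$ExpectedForests = @('companyA.com', 'companyB.com')

function Test-MultiForestSync {
    param([string[]]$Forests)

    $connectors = Get-ADSyncConnector
    foreach ($forest in $Forests) {
        # Assumption: the on-premises AD connector is named after the forest it syncs.
        $connector = $connectors | Where-Object { $_.Name -ieq $forest }
        if (-not $connector) {
            [pscustomobject]@{
                Forest = $forest; Connected = $false; PasswordHashSync = $false
                Note   = 'No connector found for this forest; add it in the AAD Connect wizard'
            }
            continue
        }
        # Password hash sync is per source connector; AAD DS (both the "without VPN"
        # and "with VPN" variants) needs it enabled for every forest whose users sign in.
        $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector.Name
        [pscustomobject]@{
            Forest           = $forest
            Connected        = $true
            PasswordHashSync = [bool]$phs.Enabled
            Note             = if ($phs.Enabled) { 'OK' } else { 'Enable PHS before choosing an AAD DS design' }
        }
    }
}

# Without a running scheduler, new users and hash changes never reach Azure AD,
# so session-host logons for new hires or password resets start failing.
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning 'Sync scheduler is disabled; enable it with Set-ADSyncScheduler -SyncCycleEnabled $true'
}

$report = Test-MultiForestSync -Forests $ExpectedForests
$report | Format-Table -AutoSize

# Fail loudly if either forest is missing or lacks password hash sync.
$problems = $report | Where-Object { -not $_.Connected -or -not $_.PasswordHashSync }
if ($problems) {
    Write-Warning "$($problems.Count) forest(s) are not ready for a multi-forest WVD identity design."
}
```

Run it after each AAD Connect configuration change; a forest that shows `Connected = $true` but `PasswordHashSync = $false` will work for the self-managed AD DS design (users authenticate against the IaaS DCs) but not for either AAD DS design.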
Design Considerations in Azure
- A shared-services hub-and-spoke design is used as the landing zone in Azure. Domain controllers sit in the shared-services hub in Azure and replicate from the on-premises domain controllers of both CompanyA.com and CompanyB.com.
- Site-to-site VPN between on-premises and Azure
- WVD session hosts are deployed in spoke VNets and join their domains through the domain controllers in the Azure hub
- Identity considerations: using the managed service (Azure AD Domain Services) vs. self-managed AD DS
Design Variations and architecture options
Two AD Forests, On-Prem AD Sync to Azure, Hybrid Design with VPN
Key Design Points: Requires VPN, DCs deployed in the shared-services hub, WVD session hosts join the DCs in Azure
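In this design the session host in the spoke has to reach the hub DCs for both forests over VNet peering, and the spoke's DNS must resolve the domains' SRV records. The pre-flight script below is an added example for this post (not part of Microsoft's WVD tooling); it assumes the post's placeholder forest names, that the spoke's DNS servers point at the hub DCs or a forwarder in front of them, and the standard AD ports listed in it. Run it from a candidate session host before attempting the domain join.

```powershell
# Added example (not from the original post): run from a candidate WVD session host in a
# spoke VNet, before domain join, to prove the hub DCs for both forests are reachable.
# Assumptions: forest names are the post's placeholders; spoke DNS resolves the forests;
# the port list is the assumed minimum for domain join and interactive logon.
$Forests = @('companyA.com', 'companyB.com')

# Ports a domain join and logon need from session host to DC (assumed minimal set).
$DcPorts = @(
    @{ Port = 53;  Name = 'DNS' },
    @{ Port = 88;  Name = 'Kerberos' },
    @{ Port = 135; Name = 'RPC endpoint mapper' },
    @{ Port = 389; Name = 'LDAP' },
    @{ Port = 445; Name = 'SMB (SYSVOL/NETLOGON, GPO)' },
    @{ Port = 464; Name = 'Kerberos password change' },
    @{ Port = 636; Name = 'LDAPS' }
)

function Test-HubDomainControllers {
    param([string[]]$Forests, [hashtable[]]$Ports)

    foreach ($forest in $Forests) {
        # Every DC registers itself under _ldap._tcp.dc._msdcs.<forest>; if this lookup
        # fails, the spoke's DNS settings (not the VPN) are the first thing to fix.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            [pscustomobject]@{
                Forest = $forest; DomainController = $null; Port = $null
                Service = 'DNS SRV lookup'; Reachable = $false
            }
            continue
        }
        foreach ($record in $srv) {
            foreach ($p in $Ports) {
                # -InformationLevel Quiet makes Test-NetConnection return a bare $true/$false.
                $ok = Test-NetConnection -ComputerName $record.NameTarget -Port $p.Port `
                                         -InformationLevel Quiet -WarningAction SilentlyContinue
                [pscustomobject]@{
                    Forest           = $forest
                    DomainController = $record.NameTarget
                    Port             = $p.Port
                    Service          = $p.Name
                    Reachable        = [bool]$ok
                }
            }
        }
    }
}

$report = Test-HubDomainControllers -Forests $Forests -Ports $DcPorts
$report | Format-Table -AutoSize

# Any unreachable row means the NSG, peering or VPN path from this spoke to the hub
# is incomplete for that forest; fix it before the domain join, not after.
$blocked = $report | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning "$($blocked.Count) DC/port combination(s) unreachable; check hub-spoke NSGs and peering."
}
```

The SRV lookup is the useful part: the hub DCs only answer for the forest they replicate, so a session host that resolves CompanyA.com but not CompanyB.com points at a conditional forwarder or DNS server list that was never extended for the second forest, which is a common gap in merger scenarios.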
Two AD Forests, On-Prem AD Sync to Azure, AAD DS (Managed Instance) without VPN
Key Design Points: Does not require VPN, no IaaS DCs in Azure, uses the managed Azure AD Domain Services instance, WVD session hosts join AAD DS (managed instance)
Two AD Forests, On-Prem AD Sync to Azure, AAD DS (Managed Instance) with VPN
Key Design Points: Combines the above two designs.