Friday, July 31, 2020

Windows Virtual Desktop (WVD) - Multiple-forest Architecture

Reference Architecture

WVD HLD
Windows Virtual Desktop Design: Two AD Forests, On-Premises AD Sync to Azure, Design with VPN

Summary

This blog post is inspired by one of my recent partner engagements, where we took a closer look at different identity strategies when deploying Windows Virtual Desktop (WVD) in a multi-forest hybrid environment. In this post we look at three design options for deploying a WVD solution in a hybrid environment with multiple domains. We cover options with and without a VPN, the identity choice (Azure AD Domain Services vs. self-managed AD DS), an Azure hub-spoke landing zone architecture for WVD, domain joins for session hosts, and the end-to-end WVD design.

Microsoft Documentation

These architectures are based on best practices and recommendations from the Microsoft documentation.

AAD Connect Topologies here
Compare AAD DS, AD, AAD here
WVD Documentation here.

Github Link to Download Visio

Visio files for all of the designs are available on my GitHub repo.


Use case: WVD Architecture for Multi-forest design in a Merger and Acquisition scenario

Environment:
These architectures are based on the following existing Azure AD Connect topology:
Image Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies
  • Two Active Directory domains on-premises (companyA.com) and (companyB.com)
  • Azure AD tenant for the combined new company: NewCompanyAB.onmicrosoft.com
  • Verified domains in Azure AD for CompanyA.com and CompanyB.com
  • Azure AD Connect Syncing users from both CompanyA.com and CompanyB.com to Azure AD tenant (NewCompanyAB.onmicrosoft.com)
Design Considerations in Azure
  • A shared services hub-spoke design is used as the landing zone in Azure. Domain controllers for both CompanyA.com and CompanyB.com run in the shared services hub in Azure and replicate from the on-premises domain controllers
  • Site-to-site VPN between on-premises and Azure
  • WVD Session hosts deployed in Spoke VNETs joining the domain controllers in Azure
  • Identity Considerations: Using Managed Service (AAD DS) vs Using Self Managed AD DS
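As an added example (not part of the original post or the Microsoft documentation it references), the following PowerShell applies the session-host and domain-controller considerations above to the CompanyA.com spoke: steps 1 and 2 run from a management workstation with the Az.Network module and set the spoke VNet's DNS servers to the hub DCs, and step 3 runs on a joined session host to confirm it located a hub DC in the Azure AD site rather than an on-premises DC across the VPN. Resource group, VNet, site names and DC IP addresses are constructed placeholders.

```powershell
# Added example, not from the original post. Steps 1-2 need Az.Network and an
# authenticated session (Connect-AzAccount); step 3 runs on the session host.
# All names and IPs below are constructed placeholders for the CompanyA.com spoke.
$spokeRg   = 'rg-wvd-companya-spoke'
$spokeVnet = 'vnet-wvd-companya'
$forest    = 'companyA.com'
$hubDcIps  = @('10.0.1.4', '10.0.1.5')   # IaaS DCs for companyA.com in the shared services hub

# 1. Session hosts in the spoke must resolve companyA.com through the hub DCs,
#    not through Azure-provided DNS, or the domain join will fail.
$vnet = Get-AzVirtualNetwork -Name $spokeVnet -ResourceGroupName $spokeRg
$vnet.DhcpOptions.DnsServers = $hubDcIps
$vnet | Set-AzVirtualNetwork | Out-Null
# VMs already in the VNet pick up the new DNS servers after a restart.

# 2. Before any session host joins: the forest's DC locator records must be
#    served by the hub DCs, which proves the Azure DCs have registered in DNS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV `
           -Server $hubDcIps[0] -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
"Hub DNS advertises $($srv.Count) DC(s) for ${forest}: $($srv.NameTarget -join ', ')"

# 3. On a joined session host: the DC it located must be one of the hub DCs
#    and the host must sit in the Azure AD site. Anything else means the
#    spoke's address space is not mapped to that site in AD Sites and Services,
#    so logons would depend on the VPN tunnel and an on-premises DC.
$dc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
if ($dc.IPAddress -notin $hubDcIps) {
    Write-Warning "Located $($dc.Name) ($($dc.IPAddress)) from site '$site'; expected a hub DC. Map the spoke subnet to the Azure site."
} else {
    Write-Host "Session host uses hub DC $($dc.Name) ($($dc.IPAddress)) in site '$site'"
}
```

Repeat the same checks for the CompanyB.com spoke with that forest's hub DC addresses; each spoke should only ever locate the DCs of the forest its session hosts join.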

Design Variations and architecture options

Two AD Forests, On-Prem AD Sync to Azure, Hybrid Design with VPN

Key Design Points: Requires VPN, DCs deployed in Shared Services HUB, WVD Session hosts joining DCs in Azure

WVD HLD


Two AD Forests, On-Prem AD Sync to Azure, AAD DS (Managed Instance) without VPN

Key Design Points: Does not require VPN, No IaaS DC in Azure, Uses the managed service Azure AD Domain Services, WVD Session hosts joining AAD DS (Managed Instance)

WVD HLD

Two AD Forests, On-Prem AD Sync to Azure, AAD DS (Managed Instance) with VPN

Key Design Points: Combines the above two designs
WVD HLD