Tuesday 16 May 2023

Deploying and Configuring Azure Active Directory Domain Services (AADDS) to Provide Legacy Authentication Protocols in Azure

Azure AD Domain Services (AADDS) is a way to provide legacy authentication protocols to your Azure Virtual Networks, without having to build AD Domain Controllers or provide any kind of reach back to your existing AD infrastructure. AADDS is a Microsoft-managed deployment of Active Directory, where the customer/tenant is not responsible for management of the underlying compute, storage and networking surrounding the service.

Azure AD Domain Services provides a one-way synchronization from Azure Active Directory to the managed domain. In addition, only certain attributes are synchronized down to the managed domain, along with groups, group memberships, and passwords. The integration is to the AAD tenant which is already present when AADDS is created from an Azure subscription.

As this is a managed service, it is expensive and tenants/customers do forfeit a number of control factors which might make using AADDS in a production context a challenge. Many organisations do end up ruling out using AADDS due to its short comings around management. That said, many are using AADDS in production to offer authentication for services such as AVD, which still requires the Session Hosts to be joined to a traditional Active Directory. As all of the objects are pulled from the AAD tenant into AADDS, it is possible to have cloud-only objects synced to AADDS, in which none of the objects which are synced from traditional AD into AAD are then further synced from AAD to AADDS. This is configurable when the AADDS instance is being created, this is highlighted below.

Information: You can only create a single managed domain serviced by Azure AD Domain Services for a single Azure AD directory. This means that each AAD tenant can only have one AADDS domain regardless of how many customers, subscriptions etc are served from that tenant. This is a potential limitation but is impossible to overcome due to the nature of the sync relationship between AAD to AADDS.

Common use cases and patterns to consider AADDS for:

  • Legacy authentication is required in a cloud-only environment, when no traditional AD DS exists.
  • No cross site connectivity between on premise and Azure is available, this makes extending the existing AD DS to Azure difficult.
  • Domain Services are required in an air gapped manner for services such as Remote Desktop Services (RDS) or Azure Virtual Desktop (AVD).

Information: Although AADDS might read as an extension of your existing directory services, please note that this is an entirely new AD DS domain. Therefore any application authentication integrations would have to be reconfigured to trust the new domain during a migration to Azure. Please do not forget that as this is a new domain, any AD controls such as groups, service accounts used to control in-application functionality or permissions would have to be recreated. It is possible to leverage Group Policy Objects (GPOs) in AADDS.

Azure Portal and search for Azure AD Domain Services (AADDS) and click Create.

On the Basic tab, we must select a Subscription for the AADDS instance. A DNS Primary Name is already required, this is the internal DNS namespace which is used to built and create the new AD DS. The infrastructure to support the AADDS must be hosted within an Azure region, I have selected UK South below. We have also selected the Enterprise SKU.

The Networking tab for AADDS is important as the AADDS service must be joined to a virtual network to ensure applications and services can use the legacy domain. In this example we create a new virtual network and subnet, please note the AADDS service will be created into a new subnet. Nothing else should be deployed into this subnet as it must be exclusively for AADDS. The AADDS will have private addresses within this subnet which are used in the DNS Server configuration to ensure servers and clients can discover the AADDS service/domain.

The Administration tab outlines what existing users and groups within the AAD are granted privileged access to the AADDS managed domain. Please note you are not granted Domain Administrator or Enterprise Administrator rights in the managed domain. You also cannot extend the schema of the Active Directory, therefore limiting the usage of custom attributes for complex application scenarios. Management of the AADDS domain is done with the users who are populated within the AAD DC Administrators group. This group starts out life in the AAD as an assigned group. You then add members to this AAD group which are then granted management permissions within the new AADDS domain.

You will notice below the check box for "All Global Administrators of the Azure AD Directory" is selected. This ensures that all Global Admins within the tenant are also given management permissions within the domain, over and above the AAD DC Administrators. 

We now configure what objects we would like to sync into the new directory. By default you can configure full sync. This is where objects which originated from on premise AD but have been synced to AAD would then be pushed into the AADDS. The architecture looks something like this, where the on prem AD syncs to AAD via AD Connect, then AADDS syncs from AAD into the managed domain. There would never be a direct link between AADDS and on prem AD.

You can of course select, Cloud-only where only objects which have originated in the AAD tenant are then synced to the AADDS instance, leaving behind anything in AAD which originated from on prem AD.

It is possible to fine tune the security settings for parameters such as TLS, NTLM, Kerberos etc. It is probably only advisable to do this if you have a compelling reason to. 

The creation of an AADDS domain takes around 45 minutes so be patient and once the service has completed deploying you will be able to integrate the infrastructure behind the service. You will notice no Virtual Machines are available as part of AADDS, these are entirely abstracted from the customer.

To ensure your new managed domain is reachable you must find which IP addresses have been assigned to the AADDS Domain Controllers underneath the platform. Go to Properties from the AADDS resource object and you will find the addresses there. These are private addresses and we will configure our virtual network to use these addresses as the DNS to ensure the domain can be resolved. 

To do this, open up a virtual network and go to DNS Servers, then click on Custom. From here enter the addresses of the AADDS service and commit the change. This will ensure all infrastructure provisioned on this network will automatically be given these DNS addresses which will ensure the new AADDS domain can be resolved. If this is in place you should be able to join a new machine to your new domain. 

To manage the domain you should use something like the RSAT tools from a management workstation with the correct credentials. From here you will be able to open the domain tree, Group Policy etc.

Sunday 14 May 2023

Configure Azure AD Permissions for Azure Virtual Desktop (AVD) Scaling Plans to Operate

Azure Virtual Desktop Scaling Plans allows us to set on a schedule the amount of our Session Host hosts which are available to service AVD Host Pools. In order for us to do this, we must create a new role assignment and bind it to the Azure Virtual Desktop service object. This is set at the subscription level, which hosts the AVD service. 

From the Azure Portal, search for Subscriptions

Click on Access Control (IAM), and click under Role Assignments. Then click on Add.

From the Add Role Assignment wizard, search for a predefined role assignment called Desktop Virtualization Power On Off Contributor and select it. 

From the tab which allows us to choose where to bind this role assignment to, click Users, Groups and Service Principals. From here, use the side menu to search for Azure Virtual Desktop and select it.

Click Next and Complete to complete the role assignment.

With this configuration in place you will now be able to configure Scaling Plans for your AVD Host Pools. 

Tuesday 21 February 2023

Azure Virtual Desktop - Adding MSIX package to AVD Host Pool fails with "The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: pooled-0, Error: App contains untrusted signature. (Code: 400)"

When trying to add a new MSIX application package to an existing AVD Host Pool it fails with....

Error: ActivityId: 454-x Error: The MSIX Application metadata expand request failed on all Session Hosts that it was sent to. Session Host: pooled-0, Error: App contains untrusted signature. (Code: 400).

This error was due to the certificate which was used to sign the MSIX package was not installed correctly on the AVD Session Hosts. For the avoidance of doubt the certificate (PFX with the private key included) is required on all of the AVD Session Hosts. This would typically be issued centrally from an enterprise PKI (like AD CS in Windows Server) and distributed via Group Policy. However, in my development lab I created a self-signed certificate, therefore this PXF file had to be distributed to each of the AVD Session Hosts.

This certificate must be installed under Local Machine\Trusted People on each Session Host. I can honestly say I have never seen this part of the certificate store used for any other purpose. An automated install of the certificate will install it to the wrong place and you will get the 400 error listed above.

Monday 11 July 2022

How to deploy the Azure Stack Hub ASDK inside a nested Azure VM

The Azure Stack Hub ASDK is very useful for learning Azure Stack Hub and getting a general idea of how it works and how it differs from Azure Global. It does have its limitations, and is not suitable for any kind of production workload. Most people do not have a physical server laying around which can accommodate the heavy infrastructure needs of the ADSK. It is possible to nest the entire thing within an Azure VM, with that said, most people don't have access to an Azure subscription with no spending limit either. 

The Azure VM SKU selected below is Standard_E32s_v3 which has 32 vCPUs and 96GB of memory. This SKU also supports the ability to run nested virtualization. 

  • Open Azure Shell from the Portal - setting PowerShell as the language of choice.
  • Run Find-Script Deploy-AzureStackonAzureVM | Install-Module -Force to install the module to deploy a suitable VM to host the ASDK. 
  • From here run Deploy-AzureStackonAzureVM -ResourceGroupName myResourceGroup -Region 'West Europe' -VirtualMachineSize 'Standard_E32s_v3
  • Once the VM is deployed, RDP to it and open Powershell ISE as an Administrator.
  • Run cd C:\CloudDeployment to change directory.
  • Run .\Install-AzureStackPOC.ps1 to kick off the deployment/install of ADSK.
By default the script will assume you want to deploy the ASDK in "connected" mode integrated with an Azure AD instance. During the first steps of the script you will be promoted to sign up to Azure AD. This is the instance which will be used to authenticate to this ASDK. Please note that the authentication mode cannot be changed, post deployment and a redeployment would be required. 

***During the first steps of the script you will be prompted for a password - this should match the local admin password of the Azure VM.***

The local admin password of the Azure VM will eventually become the Domain Admin password for the AD DS domain which is created as part of the ASDK deployment. As part of the script a domain AZURESTACK is created. 

The entire installation takes ~10h to complete and needs attention at various points throughout. 

The script will run for approximately 3-4 hours and then the RDP connection to the VM will break. Hard reboot the VM from the Azure Portal and log back in via RDP. 

As the script has not completed 100% at this point, we must rerun the script to ensure it picks up from where it left off. 

To do this cd C:\CloudDeployment and run the .\Install-AzureStackPOC.ps1 -Rerun

Once it is completed, login to the Azure VM using AZURESTACK\azurestackadmin and the original Azure VM local admin password. You will then be able to launch Hyper-V Manager and see all the VM's which are running to make the ADSK operate. 

Wednesday 6 April 2022

Create and Configure Certificates for Azure Gateway P2S VPN Connection

Azure offers the ability to create Site to Site and Point to Site VPN connections to Azure Virtual Networks using the native Azure Virtual Network Gateway. It is becoming increasing irritating to have VMs exposed to the Internet on port 3389 for RDP, therefore P2S VPN connections can be useful to remove the need to have these rules created on your NSGs. You can of course you Azure Bastion, but some people prefer a VPN-like connection. Authentication for P2S VPNs can be either AAD or by a pair of certificates. A root certificate installed at the VNG, with a subordinate client certificate from that root installed on the incoming, connecting device.

Create the root certificate using the following code, you can change the Subject field if you like. This is how the certificate will be identified within the local certificate store on the machine you generate the certificate on. You will notice that this command creates the root certificate under the CurrentUser context.

$rootcert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `

-Subject “CN=RPBP2SRootCert” -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation “Cert:\CurrentUser\My” -KeyUsageProperty Sign -KeyUsage CertSign

Create the client certificate from the root certificate, the linkage here is done by the Subject name, so ensure they match to avoid any problems with the trust chain. 

New-SelfSignedCertificate -Type Custom -KeySpec Signature `

-Subject “CN=RPBP2SClientCert” -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1) `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation “Cert:\CurrentUser\My” `

-Signer $cert -TextExtension @(“{text}”)

Once the commands have completed you will notice both the certificates within the Current User trust store, the next step is to export the root certificate so that it can be imported into the VNG. 

The correct format is Base-64 (CER) as we must be able to open the exported root certificate with Notepad to copy the code onto the VNG.

Copy the content of the root certificate, excluding the BEGIN CERTIFICATE part. 

Head to the Azure Portal, then to the VNG. From here click on Point to Site Configuration and configure the connection pane as follows.

  • Address Pool - this is an address block which is required to assign to incoming VPN clients. This pool is virtual in nature and has no bearing on the address space used on the VN. 
  • Tunnel Type - select IKEv2 and OpenVPN (SSL) by default this configuration will attempt to connect via IKEv2 first, then fall back to SSL.
  • Authentication type - Azure certificate should be selected, it is possible to use AAD as well. 
The VPN Client comes pre-packaged with the correct certificate configuration once you make changes to the Azure Portal, be sure to redownload the client package if you have made changes here. 

Thursday 29 October 2020

Azure DevOps Release Pipeline fails with "The current operating system is not capable of running this task. That typically means that the task was written for Windows only." while trying to deploy a Azure DevOps Lab

 I was following this lab guide when I come up against this error, while studying for the AZ-400 certification.

The Hands on Labs really are great and should be used if you are learning Azure DevOps.


Once I followed through the lab I was faced with "The current operating system is not capable of running this task. That typically means that the task was written for Windows only." when I tried to run the Release Pipeline. The Build Pipeline completed without issue so I decided to dig in a bit to find the cause, for once the error message was pretty descriptive. 

It turns out I had miss configured the Release Pipeline stage which run Windows script to use a Ubuntu DevOps agent, which obviously caused the code to fail to execute. 

The fix here was to change this to a Windows-based agent pool so that the code could execute.


Monday 25 May 2020

Study Resources for Learning Docker and Passing the Docker Certified Associate (DCA) Certification

On the 23rd of March, the UK Government announced we would be entering “lock down” for the foreseeable future, with no real end date given. My role within Microsoft usually means that I’m travelling at least 3-4 times per month, with no trips possible due to lock down I decided that it was an opportunity to really study hard and skill up in some of my weaker areas.

This helped me define my study plan for the rest of 2020, for me having a study plan aligned to getting certifications makes sense. The formality of having an exam booked with a syllabus of content to learn has always helped me keep on track. This is my justification for chasing certifications instead of “actual skills” even though the two overlap.

For the rest of 2020 I have set myself the goal of getting the following certifications:

  •     Docker Certified Associate (DCA)
  •     Linux Foundation Certified Systems Administrator (LFCS)
  •     Certified Kubernetes Administrator (CKA)
  •     Microsoft Azure Certified DevOps Expert (AZ-400)
The entire Containers and DevOps ecosystem has always interested me, it is also a critical area for my role as a Cloud Solution Architect with a focus on applications & infrastructure.

The first step was to get the Docker Certified Associate out of the way, which is what I am going to cover in this post. Docker was the obvious choice to start with in the journey to get deeper skills in the Container and DevOps ecosystem. Docker has become the industry leading container engine, with it being the default engine which is shipped with Kubernetes.

The Docker Certified Associate (DCA) certification is the only professional certification offered to cover Docker Inc and their technology. It is a multiple-choice exam with some new DOMC questions, delivered remotely which consists of 55 questions which must be answered in a 90-minute period. The DOMC questions are weird, I would use the following simulator to get an idea of what to expect before you go into the exam (link at bottom of page). Full details can be found here https://success.docker.com/certification

The following resources are what I used to get up to speed enough with Docker to pass the certification exam.

Video Training

The courses listed below are the ones in which I used before the exam. I took them in this order and learned something new from each of them. Many of the courses have overlapping content but that is not a bad thing when learning something new.

Pluralsight (Nigel Poulton)
Good intro course which covers many of the basics around containers and container orchestration. If you have some experience with containers you can probably skip this one, but I found it useful.

Pluralsight (Nigel Poulton)
Great course which was key for me to build that first level of formal knowledge around Docker. Not to be missed unless you have some production experience with Docker.

Pluralsight (Nigel Poulton)
Do this course if you have no other choice from the Pluralsight library. It is the most complete and well rounded of the courses and will put you in a good place to go deep with Docker. However, it does not cover all the areas of the DCA and will not make you exam ready alone.

Pluralsight (Nigel Poulton)
Short and sweet but to the point and covers loads of good detail on how networking in Docker works.

Pluralsight (Elton Stoneman)

Excellent course if you have some time before the exam to go deeper with Swarm. I did it to bridge some gaps but after passing the exam I do not plan to do much with Swarm as Kubernetes is the orchestrator of choice at work.

Udemy (Brett Fisher)

This is also an excellent course. I only did half of it which covered the Docker content but intend on going through the Kubernetes sections as well. This course does assume some knowledge but will help massively in getting prepared for the DCA. Brett does state this is not an exam prep course so other study is required to round off the areas this brushes over.
Linux Academy (William Boyd)
This is unmissable in the weeks before the DCA exam. It is very exam focused which none of the course above are. It covers off all the points on the DCA syllabus.

Linux Academy (Travis Thomsen)
Again don’t’ go into the exam without having watched this course. I skipped some of the earlier videos and went to my weak areas to ensure I filled the gaps. Highlight recommended. It is very fast paced so if you are building your own study plan do this course towards the end.

Linux Academy (Travis Thomsen)
Very good resource to help build the hands-on skills needed to be confident with Docker. I did this two days before the exam.

All the video content listed above is worthwhile and absolutely worth your time if you plan to sit the Docker Certified Associate (DCA) exam. I must say that Linux Academy stood out from the rest, probably because they provide hands on labs.

Reading Material

To supplement the video training, I also used the following resources:

The Docker Deep Dive Book – Nigel Poulton

This is an excellent book not only for study but for general reference as well. Just buy it and read it. It is on Amazon for less than a tenner. I also printed the exam blueprint and used it to cross check exam topics with the contents of this book. Not to be missed. I think the technical diagrams in this book are what stands out they are could even make it into design documents in some cases.

Docker Reference Architecture – Docker Inc

I read most of the relevant architectures a couple of times and did one last scan the day of the exam.

Docker Study Guide – Evgeny Shmarnev

This is a collection of Docker documentation which links to the exam content. I used it extensively and it was helpful.

Practice Exams

Practice exams are mandatory before sitting a certification in my experience. I used the following ones.

Linux Academy – offer practice exams as part of the courses.

Whiz Labs – Docker Certified Associate Practice Tests

Example Questions for DCA

Ref 1: (DOMC questions)