Azure RemoteApp offers two deployment options. The first is a cloud deployment: the Azure RemoteApp environment is deployed in a workgroup, so the session hosts are not members of any domain and cannot be managed with Group Policy or domain groups. In a hybrid deployment the Azure RemoteApp environment is joined to an Active Directory domain, so once provisioned the session hosts are fully domain-joined and can be managed through your existing domain-based management solutions. The prerequisites for a hybrid deployment are an 'on-premises' Active Directory and an Azure virtual network, and most hybrid scenarios also describe a VPN connection between on-premises and Azure. In this blog post I want to describe the steps needed to create a hybrid Azure RemoteApp deployment in which all components are hosted on Microsoft Azure, so that no VPN and no on-premises infrastructure are required.
Let's first start with a graphical overview of how the hybrid Azure RemoteApp deployment looks when all components are hosted on Microsoft Azure.
This environment consists of the following minimal components:
- 1x Virtual Machine running Windows Server 2012 R2 as AD Domain Controller (also hosting Azure AD Sync to Azure Active Directory)
- 1x Azure Virtual Network with the above VM registered as its DNS server
- 1x Virtual Machine running Windows Server 2012 R2 as template VM for the Azure RemoteApp image
The above resources are the minimum needed to deploy a cloud-only hybrid scenario. I executed the following steps to deploy a cloud-only hybrid deployment:
- Deploy a Windows Server 2012 R2 VM on the Azure virtual network and promote it to an Active Directory Domain Controller.
- Create a user account for Azure Active Directory synchronization and grant it the needed rights.
- Install the Microsoft Azure Active Directory Sync Services tool.
- Configure the synchronization between the Windows Server Active Directory and your Azure Active Directory.
- When the synchronization is active, configure the UPN on the users of your Active Directory so that it matches a verified domain in Azure Active Directory. The steps are described here.
- After the user accounts have the correct UPN and are synced to Microsoft Azure Active Directory, the next step is to create a RemoteApp OU and a service account with the rights to add servers to this OU. The steps are well described here.
- Now it's time to create a template image and add or upload the image to the Azure RemoteApp templates section. Creating a RemoteApp template image is not described in detail in this blog post; a clean install of Windows Server 2012 R2 is enough to complete it. Please note the image requirements for Azure RemoteApp custom images.
- Now it's time to create your hybrid collection by clicking the '+' icon in the Azure Management Portal > App Services > RemoteApp > Create with VNET. Enter a name, select a plan and click Create RemoteApp Collection.
- When the collection is created, open it and configure the hybrid collection. First select your virtual network by clicking 'Link a virtual network', select your Azure virtual network and click OK.
- Then click 'Join Local Domain' and enter your local domain information, including the service account created in step 6. Azure RemoteApp uses this account to join every session host it provisions to the domain, so it should be a dedicated account whose rights are limited to creating computer objects in the RemoteApp OU, not a Domain Admin account.
- The last step in the configuration phase is to select your custom image as the template image. After selecting the image the provisioning phase should start.
- When the hybrid deployment is provisioned you need to publish applications from within your hybrid collection.
- The last step is to configure user access to your hybrid collection. When you have added your users to the collection you can log on as one of those users and start the published applications.
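Step 6 above decides how much damage a leaked Azure RemoteApp service account can do, so here is an added PowerShell example (my own, not code from the original post or from Microsoft's documentation) that creates the RemoteApp OU and a service account delegated only the rights a domain join needs on that OU: create/delete computer objects, reset password, account restrictions and the validated writes to dNSHostName and servicePrincipalName. The OU name 'RemoteApp', the account name 'svc-remoteapp' and the placement of the OU directly under the domain root are assumptions; change them to fit your environment.

```powershell
# Added example, not part of the original post.
# Assumptions (hypothetical names): OU "RemoteApp" directly under the domain root and
# a service account "svc-remoteapp". Run in an elevated PowerShell on the domain
# controller as a Domain Admin; needs the ActiveDirectory module (RSAT-AD-PowerShell).
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$OUName   = 'RemoteApp'
$SvcName  = 'svc-remoteapp'
$OUDN     = "OU=$OUName,$DomainDN"

# 1. OU that will hold the RemoteApp session hosts (idempotent)
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OUName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Plain domain user; no group membership beyond Domain Users
$Password = Read-Host -AsSecureString -Prompt "Password for $SvcName"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcName'")) {
    New-ADUser -Name $SvcName -SamAccountName $SvcName -UserPrincipalName "$SvcName@$($Domain.DNSRoot)" `
        -Path "CN=Users,$DomainDN" -AccountPassword $Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "Azure RemoteApp domain-join account; delegated rights on $OUDN only"
}
$Sid = (Get-ADUser -Identity $SvcName).SID

# 3. Resolve GUIDs from the schema and the Extended-Rights container instead of hardcoding them
$RootDSE      = Get-ADRootDSE
$ComputerGuid = [guid](Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
                    -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID).schemaIDGUID
function Get-RightsGuid([string]$DisplayName) {
    $Obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDSE.configurationNamingContext)" `
                        -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    if (-not $Obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$Obj.rightsGuid
}

# 4. Build the ACEs: what a computer join needs, and nothing else
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
function New-AdAce($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType = [guid]::Empty) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}
$Rules = @(
    # create/delete computer objects in this OU and any sub-OU
    New-AdAce 'CreateChild, DeleteChild' $ComputerGuid $All
    # rights scoped to computer objects below the OU (inheritedObjectType = computer class)
    New-AdAce 'ExtendedRight'               (Get-RightsGuid 'Reset Password')                            $Desc $ComputerGuid
    New-AdAce 'ReadProperty, WriteProperty' (Get-RightsGuid 'Account Restrictions')                      $Desc $ComputerGuid
    New-AdAce 'Self'                        (Get-RightsGuid 'Validated write to DNS host name')          $Desc $ComputerGuid
    New-AdAce 'Self'                        (Get-RightsGuid 'Validated write to service principal name') $Desc $ComputerGuid
)
$Acl = Get-Acl -Path "AD:\$OUDN"
foreach ($Rule in $Rules) { $Acl.AddAccessRule($Rule) }
Set-Acl -Path "AD:\$OUDN" -AclObject $Acl

# 5. Verify: the only ACEs naming the account are the ones above, and it is in no privileged group
(Get-Acl -Path "AD:\$OUDN").Access |
    Where-Object { $_.IdentityReference -like "*\$SvcName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
Get-ADPrincipalGroupMembership -Identity $SvcName | Select-Object -ExpandProperty Name
```

Enter the same account and password in the 'Join Local Domain' dialog. If the join later fails with an access-denied error, compare the verification output against the five ACEs above before widening the rights; the usual cause is that the OU path entered in the portal is not the OU the delegation was applied to.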
With the above steps you have created a hybrid, domain-joined RemoteApp collection that runs completely on Microsoft Azure; no 'on-premises' components are used. If you want to integrate App-V in your Azure RemoteApp images you can look at these links: Azure RemoteApp: App-V Support Part 1 and Azure RemoteApp: App-V Support Part 2.
That's a good option to have, especially if you wish to have a domain controller under your control and not have to do an on-premise setup if you can avoid it. I was just wondering whether the RemoteApp users could be given access to shared folders and access to specific folders, based on groups and OUs on the Active Directory domain controller? Would it necessitate Terminal Services instead?