How to Create a Hybrid RemoteApp Collection

Domain Join Details

Back in the Azure management portal, click Join Local Domain in the quick start view of your app collection. Enter the name of the domain, the OU that you just created for the RemoteApp session hosts to join, and the service account details. The following image shows you how to do both of these steps:

Configuring how RemoteApp will join new session hosts to your domain (Image Credit: Aidan Finn)

Do not continue until you have double-checked:

  1. The VPN connection is running.
  2. The local network settings of your VPN network are complete and include all networks of your server network.
  3. The DNS settings of the RemoteApp virtual network are valid and will resolve your AD’s domain name, the domain controllers, and the domain’s services.

Group Policy and More

When you deploy the session hosts of your new hybrid app collection, you are actually deploying virtual machines running the Session Host role in an RDS farm, with all the complexity of an RDS farm hidden by RemoteApp. These session hosts are domain members, just like with any virtual RDS farm that you might create on Hyper-V or on vSphere. They sign into the domain and apply group policy just like normal session hosts, and the users get login scripts and group policy just like any user signing into a traditional RDS farm. And that is where you can do some clever things:

  • Deploy Group Policy for the session hosts: Do things to lock down and secure the session hosts.
  • Deploy loopback policy processing for the users: Ensure that anyone logging into the session hosts receives a configuration that is appropriate for an RDS session, such as hiding the local drives of the session host, running login scripts, and more.

You’re doing user and machine administration at this point, something that you might have been doing for quite a long time!
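As an added illustration (not from the original article), the following PowerShell sketch creates one GPO for the session host OU that enables loopback processing in Merge mode and hides the C: drive from users in their sessions. The GPO name and OU distinguished name are placeholders, and it assumes the GroupPolicy module (RSAT) is available on the machine where you run it.

```powershell
# Added example: a GPO for the RemoteApp session host OU.
# $GpoName and $OuDn are placeholders (assumptions), not values from the article.
Import-Module GroupPolicy

$GpoName = 'RemoteApp Session Hosts'                   # hypothetical GPO name
$OuDn    = 'OU=RemoteApp,DC=corp,DC=example,DC=com'    # placeholder: the OU used for the domain join

New-GPO -Name $GpoName -Comment 'Session host lockdown and loopback user settings' | Out-Null

# Computer setting: user Group Policy loopback processing.
# UserPolicyMode: 1 = Merge (users keep their own policies and login scripts,
# session host settings win on conflict), 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# User settings, applied through loopback to anyone who signs into a session host:
# hide drive C: in Explorer and block browsing to it.
# The value is a drive bitmask: A=1, B=2, C=4, D=8, and so on.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey `
    -ValueName 'NoDrives' -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorerKey `
    -ValueName 'NoViewOnDrive' -Type DWord -Value 4 | Out-Null

# Link the GPO to the session host OU only, so other computers are unaffected.
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

# Write a report so the settings can be reviewed before session hosts are deployed.
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\remoteapp-gpo.html"
```

Because the GPO is linked only to the RemoteApp OU, the user settings in it reach users only while they are signed into a session host.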

Deploy Session Hosts

The next step is to create your first session host. Click Link A Template Image, click Link An Existing Template, and select one of the templates that you previously uploaded.

Now you must wait, possibly for quite some time — take lunch, go home, or find something else to do for an hour. Behind the scenes new virtual machines are being created and provisioned by Azure. A part of the provisioning process is to:

  1. Assign the DNS settings of the RemoteApp network in the IP stack of the session host guest OS.
  2. Attempt to join the guest OS to your domain, over the VPN connection that you previously created, using the details you previously supplied.

I have found that failures at this point are related to the domain join process:

  • The local network settings of the RemoteApp virtual network are incomplete or incorrect.
  • The DNS server settings in the RemoteApp virtual network are incorrect.
  • The specified DNS server(s) cannot resolve the domain name or domain services.
  • The RemoteApp service account in the Active Directory cannot join computers to the OU you specified.
  • The supplied domain join information is incorrect.
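The DNS and connectivity items in the pre-deployment checklist and in the failure list above can be tested before you link a template. The following PowerShell script is an added example, not part of the original article; the domain name and DNS server address are placeholders, the port list is the commonly required set of AD service ports, and it assumes you run it from a Windows machine that can reach the DNS servers configured on the RemoteApp virtual network.

```powershell
# Added example: pre-flight checks for the RemoteApp domain join.
# $Domain and $DnsServers are placeholders (assumptions), not values from the article.
$Domain     = 'corp.example.com'      # AD DNS domain name entered in the portal
$DnsServers = @('10.0.0.10')          # DNS servers set on the RemoteApp virtual network
$Ports      = 53, 88, 135, 389, 445   # DNS, Kerberos, RPC endpoint mapper, LDAP, SMB

function Test-DomainJoinPrereqs {
    param([string]$Domain, [string[]]$DnsServers, [int[]]$Ports)

    foreach ($dns in $DnsServers) {
        # 1. The DNS server must resolve the domain name itself.
        $a = Resolve-DnsName -Name $Domain -Type A -Server $dns -ErrorAction SilentlyContinue
        [pscustomobject]@{ Check = "A $Domain via $dns"; Passed = [bool]$a }

        # 2. It must return the SRV records a joining machine uses to find domain controllers.
        #    Keep only the SRV answers (additional A records have no NameTarget).
        $srvName = "_ldap._tcp.dc._msdcs.$Domain"
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $dns -ErrorAction SilentlyContinue |
               Where-Object { $_.NameTarget }
        [pscustomobject]@{ Check = "SRV $srvName via $dns"; Passed = [bool]$srv }

        # 3. Each domain controller found must accept connections on the AD service ports.
        if ($srv) {
            foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
                foreach ($port in $Ports) {
                    $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
                    [pscustomobject]@{ Check = "TCP ${dc}:$port"; Passed = [bool]$t.TcpTestSucceeded }
                }
            }
        }
    }
}

$results = @(Test-DomainJoinPrereqs -Domain $Domain -DnsServers $DnsServers -Ports $Ports)
$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'Fix the failed checks before linking a template image.'
}
```

The script does not verify the service account's permission to join computers to the OU or the domain join details themselves; check those in Active Directory and in the portal.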

If the domain join works, then a new computer will be joined to your RemoteApp OU in Active Directory (not AAD). You can breathe a sigh of relief!

Two new hybrid RemoteApp app collection session hosts in Active Directory (Image Credit: Aidan Finn)

Publish Programs

You can publish any program that is installed in your custom template, assuming that it meets the technical requirements. Browse into the new app collection and then into Publishing. Click Publish RemoteApp Program. What you are doing here is selecting programs that are listed in the custom template’s Start Screen to be available to anyone that has permission to sign into the app collection.

Publishing Start programs in Azure RemoteApp (Image Credit: Aidan Finn)

After you have published something, you get a new Publish button. This allows you to reopen the above dialog to add or remove published programs. You can also publish programs based on their file path. This is a nice way to publish a useful program, such as File Explorer.

Publish programs based on their path (Image Credit: Aidan Finn)

Assign Users

You are now ready to grant user access to the app collection. Browse to Assign Users in the app collection. You can either type in the user's UPN as it appears in both AAD and Active Directory, or create a CSV file with lots of user UPNs and import that.

Grant users access to the hybrid RemoteApp app collection (Image Credit: Aidan Finn)

Now your users can sign into your hybrid RemoteApp app collection using the RemoteApp client for their device’s OS (Windows has a special client). In their session, they:

  • Get Group Policy assigned to them
  • Access server network services
  • Have permission and access to domain services
  • Use their home directory
  • Share files with each other on file servers