The AVD Directory Services Maze: Simplified & Standardised

Introduction

Welcome back! If you've already signed up, I hope you're finding real value in the content. And if you haven't yet - what are you waiting for? 📨

Today, we're diving into a critical piece of the AVD puzzle: Directory Services.

Think of directory services as the backbone of identity and access management. They ensure smooth authentication, authorisation and secure access to resources, keeping your AVD environment running efficiently.

But here's the key: choosing the right service doesn't just keep things organised; it can supercharge performance, security and scalability. 🔑

Let's break down why that matters and how your setup can be optimised. 📈

Directory Services - In the Wild

Having built numerous AVD environments, I've encountered just about every challenge you can think of: under-resourced servers, incomplete user testing, and the head-scratcher that is directory services. Each obstacle, however, has been a lesson.

One of my biggest takeaways yet?

👉 Standardising your directory services for AVD is critical.

Let's break it down with a real-world scenario:

  • Application Servers (VMs) joined to an AD DS instance.
  • Session Hosts joined to the same AD DS instance, but also enrolled in Entra ID.
  • Azure Files for shared data, linked to the same AD DS instance.
  • Storage Account for FSLogix Profiles, but this time, joined to Entra ID via Kerberos.
  • Cloud-only Entra ID users accessing the AVD environment.

Still with me? Nice work. 🙌

What we have here is a mix of directory services - a complex architecture designed to ensure all resources can communicate. But as you've probably guessed... this also introduces authentication challenges.

Now, here's the kicker:

Microsoft outlines supported directory services based on technical capabilities and the Cloud Adoption Framework. But just because something is supported doesn't mean it's the best approach for your environment.

Microsoft-Supported Scenarios

(Use this as a guide, not a rulebook!)

Scenario | Details
Entra ID + AD DS | Hosts: AD DS; Accounts: Entra ID & AD DS, synced
Entra ID + AD DS | Hosts: Entra ID; Accounts: Entra ID & AD DS, synced
Entra ID + Entra Domain Services | Hosts: Entra Domain Services; Accounts: Entra ID & Entra Domain Services, synced
Entra ID + Entra Domain Services + AD DS | Hosts: Entra Domain Services; Accounts: Entra ID & AD DS, synced
Entra ID + Entra Domain Services | Hosts: Entra ID; Accounts: Entra ID & Entra Domain Services, synced
Entra-only | Hosts: Entra ID; Accounts: Entra ID

🚨 Final Thought: While these scenarios are supported, always consider your specific business needs before choosing an approach.

The goal isn’t just to follow Microsoft’s guide, it’s to build a stable, secure, and scalable AVD environment for your customers.
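As an added example (not from the original post or from Microsoft), the Python below encodes the supported-scenarios table and checks the real-world inventory described earlier against it. Resource names, role labels and finding codes are hypothetical, and a host joined to AD DS that is also enrolled in Entra ID is assumed to count as an AD DS host.

```python
# Added example: the inventory shape, names and sample data are constructed.
# Rows transcribed from the supported-scenarios table:
# (scenario, host join, directories the accounts exist in).
SUPPORTED = [
    ("Entra ID + AD DS", "AD DS", {"Entra ID", "AD DS"}),
    ("Entra ID + AD DS", "Entra ID", {"Entra ID", "AD DS"}),
    ("Entra ID + Entra Domain Services", "Entra Domain Services",
     {"Entra ID", "Entra Domain Services"}),
    ("Entra ID + Entra Domain Services + AD DS", "Entra Domain Services",
     {"Entra ID", "AD DS"}),
    ("Entra ID + Entra Domain Services", "Entra ID",
     {"Entra ID", "Entra Domain Services"}),
    ("Entra-only", "Entra ID", {"Entra ID"}),
]

def matching_scenarios(host_join, account_sources):
    """Table rows whose host join and account sources both fit."""
    return [name for name, host, accounts in SUPPORTED
            if host == host_join and accounts == set(account_sources)]

def audit(resources, account_sources):
    """Return (code, detail) findings for an inventory.

    resources: list of (name, role, directory the resource is joined to)
    account_sources: directories in which the signing-in accounts exist
    """
    findings = []
    by_directory = {}
    for name, _role, joined_to in resources:
        by_directory.setdefault(joined_to, []).append(name)
    if len(by_directory) > 1:  # more than one directory service in play
        detail = "; ".join(f"{d}: {', '.join(n)}"
                           for d, n in sorted(by_directory.items()))
        findings.append(("MIXED_DIRECTORIES", detail))
    for name, role, joined_to in resources:
        if role == "session_host" and not matching_scenarios(joined_to, account_sources):
            findings.append(("NO_SUPPORTED_ROW",
                             f"{name}: hosts on {joined_to}, accounts in "
                             f"{' & '.join(sorted(account_sources))}"))
    return findings

# Constructed inventory mirroring the real-world scenario above.
SAMPLE = [
    ("app-vm-01", "app_server", "AD DS"),
    ("avd-host-01", "session_host", "AD DS"),  # assumption: hybrid counts as AD DS
    ("azure-files", "file_share", "AD DS"),
    ("fslogix-profiles", "profile_storage", "Entra ID"),  # Entra ID via Kerberos
]

if __name__ == "__main__":
    for code, detail in audit(SAMPLE, {"Entra ID"}):  # cloud-only users
        print(code, "-", detail)
```

Run against the sample, it reports both the mix of directories across resources and the fact that AD DS hosts paired with cloud-only accounts match no row of the table.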

Making the Right Call: Choosing Your AVD Directory Service

Navigating directory services can feel like a maze, especially with the table above - I admit, it still confuses me! However, I've built a simple flowchart to guide you in the right direction 🗺️

That said, this isn’t a one-size-fits-all solution. Your choice will always depend on your organisation or customers' unique environment, infrastructure and security needs.

Why does standardisation matter?

Because consistency in directory services isn't just about keeping things neat - it is about driving better business outcomes.

  • Operational Efficiency: A standardised approach reduces confusion, minimises downtime and keeps your support team focused on delivering value rather than troubleshooting identity issues with customers' AVD environments.
  • Stronger Security Posture: Unified authentication and authorisation mean fewer vulnerabilities, reducing the risk of a breach.
  • Scalability Without The Headaches: A streamlined setup makes it easier to onboard users, integrate with other systems and scale the environment as your customers grow.

Standardising directory services isn't just a technical best practice, it's a strategic decision that directly impacts efficiency, security and long-term success.

Wrapping It Up

The relationship between Directory Services and AVD may seem complex, but with the right approach it doesn't have to be a headache. By now, you’ve probably realised that standardising isn’t just about ticking a technical box, it's about creating a more efficient, secure and scalable environment that delivers real business value.

By carefully selecting and aligning your directory services, you can reduce friction, enhance security and set yourself (and your customers!) up for long-term success. Whether you're navigating traditional AD DS, or going all-in on Entra ID, the key is choosing what truly works for your environment.

So, as you refine your AVD deployments, keep standardisation top of mind. Your future self (and your support team) will thank you! 🤩
