Azure AD Connect - Azure Workshops
Azure AD Connect
Friday, August 4, 2017 7:45 AM
Work with a mock, on-premises Windows Server 2016 infrastructure, connecting it to an Office 365 tenant via AD Connect.
This workshop centers around helping the user better understand the basics of Azure Active Directory, including Office 365. By participating in this workshop, users will learn how to connect and synchronize an on-premises Active Directory with Azure AD. Participants will also gain insight into configuring filtered synchronization and enabling health monitoring for their on-premises AD.

What You Will Learn
- Connecting Office 365 with On-Premises AD
- Azure AD Connect
- Filtering
- Password Synchronization
- Password Writeback
- Azure AD Health

Ideal Audience
- CISOs and VPs of Information Security
- CIOs
- IT Managers
- Active Directory and Network Admins
Time Estimate: 6.0 hours

Overview

Setup Requirements
The following workshop assumes that you have used the Azure Workshops CLI to pre-create the necessary lab environment. To use the Azure Workshops CLI, you will need the following applications installed on your local machine:
- Node.js
- Git
As stated above, these tools are necessary for downloading and running the CLI locally. Download and install these tools according to the instructions on their respective websites.

Additional Requirements
Additionally, you will need a subscription (trial or paid) to both Office 365 and Microsoft Azure. Please see the next page for how to create trial subscriptions in both.
Requirements

Demo Domain
For the purposes of this workshop, you will need a demo domain name - a domain name that you will not be required to register with a domain name registrar (DNR), but that will be used as your fictitious company. We, of course, do not want to use any domain names associated with production accounts.
The simple way to do this is to allow a service to create one for us. So, to create a random domain name, we'll actually use a random username generator.
Open a browser to http://jimpix.co.uk/words/random-username-generator.asp and click the green "Go!" button close to the top of the page. Upon doing this, you will be presented with 25 different two-word combinations. Pick one that you like or click the green "Refresh" button until you do.
Once you find a domain name, write it down; you will use it for the remainder of the workshop.
Office 365 and Azure Registration

Office 365
Now that we have a domain name, let's create a 1-month trial Office 365 account. This will automatically create a domain in Azure AD which we'll connect to the virtual datacenter later in the workshop.
Direct your browser to https://products.office.com/en-us/business/office-365-affiliate-program-try-business-premium. In order to take advantage of some of the Azure Active Directory premium features, we will need the Business Premium edition of Office 365.
1. Begin by clicking on the green button "Start your free business trial".
2. Complete the form on the first page:
   - Choose your country (this cannot be changed later due to data sovereignty and other factors)
   - Enter your name
   - Enter an email address (this should be a legitimate email address as this will be the administrator's security/reset email)
   - Enter a phone number (enter a legitimate cell phone number in order to test multi-factor authentication)
   - Enter your company name from above
   - Choose a company size
3. For the form on the second page:
   - Enter a username for yourself in a format you prefer (e.g. if your name was John Doe, you could enter: john.doe, jdoe, john_doe, etc.)
   - For your company, enter the company name from above (NOTE: you will see here that the initial domain name will be yourcompany.onmicrosoft.com. This is the Azure Active Directory domain to which we will connect later in the workshop.)
   - If your domain name has already been used, try another one from the previous list
   - Enter and confirm your password
4. Prove you are not a robot by entering a telephone number at which you can receive a text or phone call.
5. Enter the code that was texted to you or that you received from the auto-attendant.
It should take less than a minute to create your account. After the process is complete, you should see a message stating that you are ready to go. While your account was created in less than a minute, it may take up to another 15 minutes or so to finish creating all of the additional services in Office 365. That's fine, as it will be a while before we actually need them.
Finally, remember this trial account is only good for 30 days. While Microsoft will not initially delete your account, they will disable functionality.
Azure
Finally, we need to create a trial Azure subscription. Believe it or not, we are already using Azure Active Directory because we just set up Office 365. Office 365 uses Azure AD underneath to manage all of our Exchange users. We simply need to create a subscription so that we can leverage Azure's other offerings.
Direct your browser to https://azure.microsoft.com/en-us/free/ and begin by clicking on the green button that reads Start free.
IMPORTANT: On the sign-up form page, you should see the new email address that is associated with your new Office 365 account. If not, click on Sign Out and re-authenticate using your newly formed credentials (<yourusername>@<yourcompany>.onmicrosoft.com).
1. In the first section, complete the form in its entirety. Make sure you use your real email address for the important notifications.
2. In the second section, enter a real mobile phone number to receive a text verification number. Click Send message and re-type the received code.
3. Enter a valid credit card number. NOTE: You will not be charged. This is for verification of identity only, in order to comply with federal regulations. Your account statement may see a temporary hold of $1.00 from Microsoft, but, again, this is for verification only and will "fall off" your account within 2-3 banking days.
4. Agree to Microsoft's Terms and Conditions and click Sign Up.
This may take a minute or two, but you should see a welcome screen informing you that your subscription is ready. Like the Office 365 trial above, the Azure subscription is good for up to $200 of resources for 30 days. After 30 days, your subscription (and resources) will be suspended unless you convert your trial subscription to a paid one. And, should you choose to do so, you can elect to use a different credit card than the one you just entered.
Congratulations! You've now created an Office 365 tenant; an Azure tenant and subscription; and have linked the two together.
Installing the CLI
Once you have the prerequisites installed, you will then need to install the CLI. The CLI can be installed from the command-line or terminal prompt using Node.js.
First, open a command-line window or terminal prompt. Then, type the following command:

    npm install azworkshops-cli -g

Running this command will take a few seconds to complete. But, doing so will download the Azure Workshops CLI, along with its dependencies, into a directory that is located in a globally accessible path.

Azure Subscription
As stated in the requirements section, the workshop requires an active Azure subscription.

Recommendation
It is recommended that you do not use an Azure subscription that is currently being used for production. The CLI will create its own resource groups, but it is not best practice to utilize production environments for testing and workshops such as this.
For best results, it is recommended that you register for the trial subscription as outlined on the previous page.
Creating the Lab Environment

Setup

Build Time
The automated building of the lab environment can take approximately 30 minutes to complete. It is best to begin this process while you are reviewing the workshop material.

Verify Installation of the CLI
From a prompt, enter the following command:

    azworkshops --version

A successful execution of the command should print the current version of the Azure Workshops CLI, which can be found in the right column, slightly down the page, of the Node Package Manager website. If you do not see a version number, return to the requirements setup and try reinstalling them.
If you successfully see the correct version number, you are ready to begin the lab setup.

Build the Environment
From a prompt, enter the following:

    azworkshops

1. You will be presented with a menu from which to choose a base configuration. Choose the base configuration for Basic Active Directory.
2. You will then need to authenticate with Azure. Visit http://aka.ms/devicelogin and enter the code provided to you.
3. Choose the subscription that you would like to use for this workshop.
4. Select the location for the created resources. It is best to choose a location that is closest to you in order to reduce latency.
5. You will then be prompted with additional configuration questions.
   1. For the AD domain name, enter your company name from the previous page with '.local' as the TLD (e.g. mycompany.local).
   2. For the NETBIOS name, it should automatically be an ALL CAPS version of the company name that you just entered (without the '.local' TLD extension). If so, just press Enter to accept the default. If not, enter a valid NETBIOS name.
6. After completing the configuration questions, the building of the lab environment will begin. Once completed, you will be presented with all of the lab's configured settings (e.g. resource group, domain, domain admin, password, etc.). It is best to copy this down for future use.
Exploring Azure

Objective
You have just created a lab environment in Azure. The lab environment is intended to mimic a basic, on-premises datacenter. This datacenter, being extremely basic, consists of a single Active Directory domain controller and a utility machine.
The first objective is for you to become familiar with connecting to and navigating the Azure portal. We will also explore the components in our virtual "datacenter" that the CLI created for us. Finally, we will connect to our remote datacenter.

Azure Portal Basics
Let's start by connecting to the Azure portal and becoming familiar with navigation.
1. Open a browser and navigate to http://www.azure.com.
2. In the top-right corner of your screen, you will see the menu option PORTAL. Click on it.
3. If you have not already, you will be required to authenticate.
4. After authentication is successful, you will be directed to your Dashboard. The dashboard is configurable by adding, removing and resizing tiles. Additionally, you can have multiple dashboards depending on your preferences. You could have different dashboards for resources dedicated to different functions, lines of business, or for operations.
5. On the left will be your primary navigational menu. You should see a list of favorited services on the menu with descriptions. (NOTE: The size of your menu may differ from that of others depending on the number of services you have selected as a favorite.) If all you see are icons (no descriptions) on your menu, your menu is currently collapsed. Click the "hamburger" icon to expand it.
6. Pretty close to the top of your menu, you should see Resource Groups. Click this option.
7. Upon clicking the Resource Groups menu item, a blade will open revealing your created resource groups. In this list, you should find the resource group that the CLI created for you. It begins with azworkshops_basicAD_, followed by a date-time stamp. (NOTE: If you do not see this listed in your available resource groups, ensure that in the second dropdown box above, you have the correct subscription selected. This should be the same subscription you chose earlier in the CLI.)
8. Clicking on this resource group will expand another blade listing all of the resources created by the CLI. What you should see listed are two storage accounts, two virtual machines, two network interface cards, one public IP address and one virtual network.
(NOTE: The date-time stamps for your storage accounts will be different.)
Resource Descriptions
As stated in the previous step and indicated by the preceding screen clipping, the CLI created 8 different resources in this group for the workshop. Let's explore these in a little bit more detail.
The first two items listed are storage accounts - one for the virtual machine disk drives and another to store diagnostic logs from the VMs. Storage accounts must be globally unique across Azure. Therefore, we've appended date-time stamps to the end of our storage account names in order to prevent collision.
Next, you will see two virtual machines - dc1 and utility - listed. dc1 is our Active Directory's domain controller. Each machine requires a network interface card for connectivity. Additionally, the utility VM has a public IP assigned to it. Exposing our domain controller via a public IP is a very bad practice. Therefore, we will remotely connect to our virtual network via our utility VM. All machines in Azure, by default, have connectivity out to the Internet. But, only VMs that have public IPs can be accessed from the Internet (i.e. from outside of the network).
Finally, our VMs are connected to each other by utilizing a virtual network. With the exception of storage and a few other resources in Azure, a virtual network is required.
Viewing Resource Details
Let's take a moment and view some of the information about the VMs that were created for us. Let's use the utility VM as our example.
1. Find the utility VM and click on it. This will expand another blade with our details for the virtual machine.
2. In the Overview pane, you'll immediately see three sections:
   1. Actions - allows you to perform various actions on the virtual machine (e.g. connect, start, stop, etc.)
   2. Information - displays various information about your virtual machine (e.g. resource group, location, status, IP address, etc.)
   3. Metrics - reports various performance metrics regarding your virtual machine (e.g. CPU, network, etc.)
3. Now, let's look at one more page for some additional details. In the left pane (still on the utility blade), approximately half-way down, click on Properties. On this blade, you will find additional information like the private IP address and specific resource ID. While there are other places to find this information, this provides a quick-access method.
Connecting to the Network
We will now remotely connect to our virtual network. Remember, exposing our domain controllers via a public IP is unsafe and not recommended. We've, therefore, created a utility virtual machine - sometimes known as a bastion server - that will allow us an entry point into our network.
1. Make sure you have the utility VM selected and click on Overview.
2. In the Actions section, click Connect. This will download a Remote Desktop (Protocol) profile to your machine.
3. Open the RDP profile. (NOTE: You may receive a warning that "The publisher of this remote connection can't be identified." Proceed by clicking on Connect.)
4. Windows security will prompt you to enter your credentials. Enter the full AD credentials that were reported to you earlier by the CLI (e.g. azurecloud\cloudadmin). Additionally, enter your password. Click OK.
5. If the credentials were entered successfully, you should be remotely connected to the utility VM.
6. (Optional) If you'd like, once you are connected to the utility VM, you can connect remotely to the Active Directory domain controller ("dc1") in the virtual network. Simply open up Remote Desktop in the active, remote session and use the internal, private IP (e.g. 10.3.1.4) as the address. Use the same credentials to connect to the domain controller as you did with the utility virtual machine.
This completes our simple introduction to navigating through Azure. We'll go into more detail as we work through the rest of the workshop, but this is enough to get us started.
Create Connect Server

Objective
We could use our domain controller for the AD Connect synchronization server, but this is a bad idea. There are typically multiple domain controllers (primary, secondary, maybe more) in an Active Directory environment. We are only allowed to have one active/hot AD Connect synchronization server in our environment. What happens if the domain controller where the synchronization tool is installed fails? We would lose synchronization capabilities.
Let's create a standalone AD Connect synchronization server.

Create the Server in Azure
If you are not currently at the dashboard within the Azure portal, go ahead and close all blades.
On the left menu, you should see Virtual machines. Click it.
1. In the actions section of the virtual machines blade, click on Add.
2. In the Search Compute search box, type in Windows Server 2016 Datacenter. Press Enter.
3. In the returned results, choose the option that simply reads Windows Server 2016 Datacenter.
4. In the next blade, make sure Resource Manager is selected. Then, click Create.
5. There are 4 sections to configure the virtual machine.
   1. Basics
      Name: ad-connect
      VM disk type: SSD
      Username: cloudadmin
      Password: Pass@word1234
      Confirm Password: <same as above>
      Subscription: Free Trial
      Resource Group: Use existing - <use the same resource group created by the CLI>
      Location: <use the same location you chose in the CLI>
      Save money: No
   2. Size
      DS1_V2
   3. Settings
      Use managed disks: No
      Storage account: <use the same storage account created by the CLI> (e.g. azwdata###)
      Network: vnet
      Subnet: default (10.3.1.0/24)
      Public IP address: (click on it & Create new)
         Name: connect-ip
         Assignment: Static
      Network security group (firewall): None
      Extensions: None
      Availability set: None
      Boot diagnostics: Enabled
      Guest OS diagnostics: Disabled
      Diagnostics storage account: <use the same storage account created by the CLI> (e.g. azwdiags###)
   4. Summary (just click OK to continue)
The machine we chose for this workshop is relatively small. After all, we only have 4 identities that we'll be synchronizing with Azure AD. If this was a production environment, we would have to take into consideration that password syncs occur approximately every 2 minutes while full synchronization happens every 15-30 minutes. For production, we would need to choose a machine that is more capable of handling the workload.
Keep in mind that we are treating Azure like our on-premises datacenter. In reality, we would have simply created a new VM in our on-premises hypervisor (Hyper-V, VMware, etc.).
Add Machine to Domain
We need to add the new machine to our Active Directory domain. AD Connect must be installed on an AD-joined machine.

Set the Private IP as Static
Before we add the machine to the domain, we need to set the private IP to static so that Azure's DHCP server doesn't reassign the IP to another machine.
1. If you are not viewing the details of the newly created machine, click on the Virtual machines menu item, then click on the ad-connect machine in the list.
2. Once you've clicked on the ad-connect machine and are viewing the machine's Overview blade, choose Network interfaces.
3. In the resulting list of network interfaces, choose the single NIC that is listed (e.g. ad-connectXXX).
4. On the network interface menu, click on IP configurations.
5. The resulting list should only contain a single configuration - ipconfig1. You'll notice that under the heading PRIVATE IP ADDRESS, the configuration is listed as Dynamic. Click on this configuration.
6. In the settings for the configuration, under Private IP address settings, change the Assignment to Static. (The IP address should be 10.3.1.6. If it is not, update it as well.)
7. Click Save.
You can now close the two blades (e.g. ad-connectXXX, network interface) to arrive at the main Network interfaces blade for the ad-connect virtual machine.
Connect to the Machine via Remote Desktop
To connect to the machine remotely, we need to download the Remote Desktop Protocol (RDP) profile.
1. Click on Overview to return to the general information for the ad-connect virtual machine.
2. In the Actions section, click on Connect. This will download the RDP profile to your machine.
3. Open the profile and accept any warnings.
4. For the username, enter \cloudadmin (with the backslash). And, for the password, Pass@word1234.
5. Again, accept any warnings.
Add the Machine to the Domain
When you initially connect to the machine, you will see the Server Manager dashboard.
We've already set the IP on the network interface card (NIC) to be static in Azure. Technically speaking, we've created a reservation in Azure's DHCP server for the NIC in our virtual network. However, before we add the machine to the domain, it is best if we set the IP as static within Windows Server's TCP/IP configuration.
1. In the left menu of Server Manager, click on Local Server.
2. In the resulting page, you'll see a couple of sections. The first section is labeled Properties. Properties has two columns. Half-way down the left column, you'll see Ethernet followed by a number. Beside this, you will see in blue IPv4 address assigned by DHCP, IPv6 enabled. Click on this.
3. This will open the Network Connections window. Right-click on the single listed adapter and click on Properties in the context menu.
4. In the Properties window for the NIC, scroll down until you see Internet Protocol Version 4 (TCP/IPv4). Highlight it, then click Properties.
5. Enter the values as you see them below.
6. Click OK, then Close. NOTE: Clicking Close will cause a brief interruption in your connectivity. That's okay. The connection should be re-established within a couple of seconds.
7. Once the connection has been re-established, you can close the Network Connections window.
8. Back in the Properties section, half-way down the right column, you will see IE Enhanced Security Configuration. To the right of that in blue, you probably see On. Click on it.
9. In the Internet Explorer Enhanced Security Configuration dialog, choose Off for both Administrators and Users. Then, click OK.
10. Once more, in the Properties section, the second item listed in the left column reads Workgroup. To the right of that, you will see in blue WORKGROUP. Click on it.
11. In the System Properties dialog, half-way down, click on the Change button.
12. In the resulting Computer Name/Domain Changes dialog:
   1. Leave the Computer name as it is (e.g. ad-connect).
   2. Under Member of, change the selection to Domain and enter the domain name you entered earlier in the CLI (e.g. mycompany.local).
   3. Click OK.
   4. For the username and password, enter your Domain Admin username and Domain Admin Password, respectively, as reported previously by the CLI.
   5. Click OK.
If all goes well, you should be added to the virtual datacenter domain and receive a message stating as much. Completing this will require a reboot, thus disconnecting you from your remote session.
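The in-guest part of the procedure above (static TCP/IP settings, IE Enhanced Security Configuration off, domain join) can also be done from an elevated PowerShell prompt on the ad-connect VM. The following is an added example and not part of the workshop's own material. The private IP 10.3.1.6, the 10.3.1.0/24 subnet, dc1 at 10.3.1.4 and the mycompany.local domain name come from the workshop; the gateway address 10.3.1.1 (Azure reserves the first usable address of a subnet for its gateway) and the choice of the single "Up" adapter are this example's own assumptions.

```powershell
# Added example, not part of the workshop material: the in-guest steps of
# "Add the Machine to the Domain" done from PowerShell on the ad-connect VM.
# From the workshop: private IP 10.3.1.6, subnet 10.3.1.0/24, dc1 at 10.3.1.4,
# domain mycompany.local (substitute yours).
# Assumptions of this example: the single "Up" adapter is the one to configure,
# and the subnet gateway is 10.3.1.1 (first usable address, reserved by Azure).

$Domain    = "mycompany.local"
$StaticIp  = "10.3.1.6"
$Prefix    = 24
$Gateway   = "10.3.1.1"
$DnsServer = "10.3.1.4"   # dc1: AD-integrated DNS, required to locate the domain
$Adapter   = (Get-NetAdapter | Where-Object Status -eq "Up" | Select-Object -First 1).Name

# Guard: the address the guest leased via DHCP must be the one made static on
# the Azure NIC (ipconfig1). If they differ, the portal step was missed and a
# static guest address would leave the VM unreachable.
$leased = (Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
           Where-Object PrefixOrigin -eq "Dhcp" | Select-Object -First 1).IPAddress
if ($leased -ne $StaticIp) {
    throw "Guest leased '$leased' but the Azure NIC is expected to hold $StaticIp; fix ipconfig1 in the portal first."
}

# Replace the DHCP lease with the same address configured statically.
# The RDP session drops for a moment here, as the workshop notes for the GUI.
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $StaticIp -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServer
Start-Sleep -Seconds 3

# Check that the domain's DC locator record resolves before trying to join;
# if this fails, DNS is not pointing at dc1 and the join would fail anyway.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Out-Null

# IE Enhanced Security Configuration off for Administrators and Users
# (the registry values behind the Server Manager toggle).
$IeEsc = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components"
Set-ItemProperty -Path "$IeEsc\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0   # Administrators
Set-ItemProperty -Path "$IeEsc\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value 0   # Users

# Join with the Domain Admin account reported by the CLI; the restart ends
# the RDP session exactly as the GUI path does.
$DomainCred = Get-Credential -Message "Domain Admin credentials reported by the CLI (e.g. MYCOMPANY\cloudadmin)"
Add-Computer -DomainName $Domain -Credential $DomainCred -Restart
```

The guard at the top is the check worth keeping even if you use the GUI: the static address inside the guest must equal the one reserved on the Azure NIC, otherwise the platform will hand the guest's address to another VM and the server silently drops off the network.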
View Azure Domain

Objective
This next objective is very small. We simply want to verify our Azure AD domain settings and enable premium features.

Verify the Domain
If you are not currently at the dashboard within the Azure portal, go ahead and close all blades.
1. On the left menu, you should see Azure Active Directory. Click it.
2. On the left, in the newly expanded Azure Active Directory menu, click on Domain names.
3. You should see your Office 365 domain name listed and set as Primary.
You may notice, at this point, that if we wanted to add a custom FQDN to Azure AD (e.g. yourcompany.com), we could do so here by selecting the Add domain name item from the Actions menu at the top.
After we added our custom FQDN, we would be required to verify our ownership of the domain by adding a TXT DNS record. Once we completed the verification process, we could then choose to set our custom domain as Primary.
Understand that the Primary domain is not the only domain we can synchronize with our on-premises domain. In the case that, let's say, we have multiple business units that have their own Accounts Domain, we could have multiple subdomains listed here. Then, each business unit's AD would sync with its respective subdomain in Azure AD.
For our workshop, the Office 365 domain (e.g. <yourcompany>.onmicrosoft.com) is sufficient.

Enable Premium Features
Even though we are using a trial of Office 365 Business Premium for our workshop, Azure AD Premium is a different SKU. We, therefore, have to enable the features before we can use them.
1. While still in Azure Active Directory, click on the Licenses menu item.
2. In the next menu, click on the All products menu item.
3. On the next page, in the Actions section, click on Try/Buy.
4. You will now see two options for enabling premium features - Azure AD Premium and Enterprise Mobility Suite. For our workshop, Azure AD Premium is sufficient. Click on Free trial in the Azure AD Premium tile.
5. This will initiate a 30-day trial of Azure AD Premium features. Click Activate.
You will need to refresh your Internet browser to see the effects of enabling Azure AD Premium. Within the Azure Active Directory blades, you may have noticed a gray bar stating that some of the features were only available in Azure AD Premium. Once you refresh your browser and return to Azure Active Directory, you should no longer see the gray bar and, instead, see all features activated.
Prepare Non-Routable Domain

Objective
In typical on-premises installations of Active Directory, utilized domain name extensions, such as ".local", create what are known as non-routable domains. In other words, there's no such top-level domain (TLD) extension. In the words of Microsoft's support:

    Synchronization
    Azure AD Connect only synchronizes users to domains that are verified by Office 365. This means that the domain also is verified by Azure Active Directory because Office 365 identities are managed by Azure Active Directory. In other words, the domain has to be a valid Internet domain (for example, .com, .org, .net, .us, etc.). If your internal Active Directory only uses a non-routable domain (for example, .local), this can't possibly match the verified domain you have on Office 365.

The objective for this step is to modify our local domain to create a routable domain. We will then update the UPN of our users to take advantage of this new domain.

Add UPN Suffixes
We will need to remotely connect to dc1 in order to update Active Directory. Because dc1 is not accessible from outside of the network, we'll need to connect to it through the utility virtual machine.

Enable the AD DS Snap-In
By default, the machines do not include the Active Directory management snap-in. For easier management, let's go ahead and enable it.
1. Go ahead and RDP into the utility virtual machine. Once connected to the utility VM, RDP into dc1. You can connect to dc1 by using its DNS host name (e.g. "dc1") or its IP address, 10.3.1.4.
2. Once connected to dc1, Server Manager should automatically open. If it doesn't, go ahead and open it now.
3. In the top-right of Server Manager, click on Manage. Then, click on Add Roles and Features.
4. In the "Before you begin" screen, click "Next."
5. Make sure "Role-based or feature-based installation" is selected, then click "Next."
6. For the destination server, your local domain controller should be highlighted. Click "Next."
7. We don't need to add any additional roles at this point, so just click "Next."
8. For features, we need to add two features. You can install both by selecting: Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. This will add the AD Domain Services snap-in and command-line tools.
9. Click "Next."
10. Finally, click "Install."
This should only take a minute or two to complete. You can click "Close" when the process has completed.
Add Suffix to AD Domains and Trusts
With the snap-in installed, we can easily add the UPN suffix to our Active Directory.
1. If it's not still open, launch Server Manager.
2. In the top-right of Server Manager, click on Tools. Then, click on Active Directory Domains and Trusts.
3. In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts in the left pane, and then choose "Properties."
4. In the Alternative UPN suffixes box, enter the full domain of your Office 365 tenant (e.g. <yourcompany>.onmicrosoft.com). Click "Add."
5. Click "OK."

Change the UPN Suffix for Existing Users
Now that we've added an alternative UPN suffix to our domain, we need to update each of our users to use this domain as the primary UPN, as that is what Azure AD Connect uses to match identities.
1. Again, if it's not still open, launch Server Manager.
2. In the top-right of Server Manager, click on Tools. Then, click on Active Directory Users and Computers.
3. In the Active Directory Users and Computers window, expand your ".local" domain and click on Users.
4. There are 3 user accounts for which we need to update the UPN. (NOTE: We do not want to sync the local cloudadmin enterprise administrator account to the cloud, in order to preserve boundaries. You should utilize a separate account in Azure for administering Azure AD.)
   - Jim Smith
   - Richard Jackson
   - Sally Holly
5. For each of these accounts, right-click on the account and choose Properties.
6. Click on the Account tab.
7. In the dropdown list next to the user name, change the selection from your local domain to the "onmicrosoft.com" domain. Click "OK."
Congratulations! Your local Active Directory is now ready to begin basic synchronization with Azure AD.
One thing to keep in mind is that updating the UPN in the last step now requires these three users to use the FQDN of the onmicrosoft.com account rather than the .local domain if they use the first.last@domain.local format for the username. However, most users don't log in using a FQDN. Instead they, like what we've done in this workshop, use the pre-Windows 2000 method of specifying the username (e.g. MYCOMPANY\first.last). Not too big of a deal, but, again, just something to make note of.
Finally, if you have a lot of users in your domain, manually updating the UPN domain for each user can be a tedious task. Luckily for us, here's a PowerShell script for that:
    # Find every user whose UPN still ends with the non-routable suffix (note: this also matches the cloudadmin account, which we deliberately left unchanged above).
    $LocalUsers = Get-ADUser -Filter {UserPrincipalName -like '*mycompany.local'} -Properties userPrincipalName -ResultSetSize $null
    # Swap the suffix on each user and write it back; the onmicrosoft.com suffix must already be added in AD Domains and Trusts.
    $LocalUsers | foreach {$newUpn = $_.UserPrincipalName.Replace("mycompany.local","mycompany.onmicrosoft.com"); $_ | Set-ADUser -UserPrincipalName $newUpn}
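The script above does the job for the lab but has no safety rails: it will also rewrite the cloudadmin account that the workshop says must stay out of the sync, and it does not check that the new suffix was actually registered in Active Directory Domains and Trusts. The following is an added example, not the workshop's own script, of the same bulk change with those checks. The function name, its parameters and the default exclusion list are this example's own; the suffix values are the workshop's.

```powershell
# Added example (not the workshop's script): bulk UPN suffix change that
# (1) refuses to run unless the new suffix is registered in the forest,
# (2) skips accounts that must remain on-premises only, and
# (3) supports -WhatIf so the change can be previewed before it is applied.
Import-Module ActiveDirectory

function Update-UpnSuffix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $OldSuffix,   # e.g. mycompany.local
        [Parameter(Mandatory)] [string] $NewSuffix,   # e.g. mycompany.onmicrosoft.com
        # Default exclusions are this example's assumption; cloudadmin is the
        # enterprise admin the workshop keeps out of the cloud.
        [string[]] $ExcludeSamAccountName = @("cloudadmin", "Administrator", "krbtgt")
    )

    # The forest's registered suffixes plus the forest root name are the only
    # values a UPN may legitimately end with; bail out on anything else.
    $forest = Get-ADForest
    $known  = @($forest.UPNSuffixes) + $forest.Name
    if ($known -notcontains $NewSuffix) {
        throw "Suffix '$NewSuffix' is not registered in Active Directory Domains and Trusts."
    }

    $users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                        -Properties userPrincipalName -ResultSetSize $null |
             Where-Object { $ExcludeSamAccountName -notcontains $_.SamAccountName }

    foreach ($u in $users) {
        $prefix = $u.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Change UPN $($u.UserPrincipalName) -> $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
        }
        # Emit a record per account so the run can be logged or reviewed.
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            OldUpn         = $u.UserPrincipalName
            NewUpn         = $newUpn
        }
    }
}

# Preview first, then apply.
Update-UpnSuffix -OldSuffix "mycompany.local" -NewSuffix "mycompany.onmicrosoft.com" -WhatIf
Update-UpnSuffix -OldSuffix "mycompany.local" -NewSuffix "mycompany.onmicrosoft.com"
```

Run it on dc1 (or any machine with the AD DS tools installed in the previous section). The -WhatIf pass lists every account that would change, which is the moment to confirm that the admin and service accounts you expect to stay on-premises are not in the list.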
Installing Azure AD Connect

Objective
We are now finally ready to begin the configuration of our synchronization process. Upon completion of this step, your virtual datacenter will be syncing with Azure AD.

Install Azure AD Connect
To have our local domain synchronize with Azure AD, we need Azure AD Connect. We will install it on the ad-connect virtual machine.
1. As you have previously connected to the ad-connect and utility VMs already, let's RDP to the ad-connect machine once more.
2. Once you've successfully connected to ad-connect, you will need to download and install the Azure AD Connect tool. You can download it from https://www.microsoft.com/en-us/download/details.aspx?id=47594.
3. Upon installing Azure AD Connect, it will automatically run.
4. Check the box agreeing to the license terms and click Continue.
5. For the moment, Express Settings are sufficient. We'll customize it later. So, go ahead and click Use express settings.
6. Once the basic initialization has completed, you will be asked for your Azure AD credentials. Enter the credentials you use for authenticating against Azure for your trial subscription (e.g. <yourusername>@<yourcompany>.onmicrosoft.com). Click Next.
7. For connecting to AD DS, use the cloudadmin credentials provided to you by the CLI (you've also used these credentials for connecting remotely into the VMs).
8. The next screen confirms the mapping between the local UPN and a verified domain in Azure AD. Since we don't have a verified domain in Azure - we're just using the default *.onmicrosoft.com - all local accounts will be "re-mapped" to the onmicrosoft.com domain. For our workshop, we can simply check the box next to Continue without any verified domains and click Next.
9. BEFORE YOU CLICK Install, uncheck the box next to Start the synchronization process when configuration completes. Otherwise, all accounts (including system accounts) will be synchronized, creating a lot of bloat in our Azure AD. We're going to create some filters before we conduct our first sync.
10. Now, you're ready to complete the install for Azure AD Connect. Click Install.
After a few minutes, you should receive confirmation that the configuration has completed. It may also give you a couple of house-keeping recommendations. Go ahead and click Exit to exit the installer.
Configure Synchronization Filters
We need to create some filters to only synchronize our users whose UPNs have been updated to the "new" domain.
In order to do this, we need to create what's called a "Positive Filter." Basically, we're instructing AD Connect to "only sync these." Keep in mind that, by default, AD Connect will sync all users in our domain (or OU, depending on how we have configured the sync scope). So, in order to create a positive filter, we need to create two rules - one that specifies which users to sync; and another that instructs AD Connect to not sync all of the remaining users.
Both of our rules are considered Incoming Sync Rules (ISR) because they determine what data we are allowing into the metaverse from our local Active Directory.
First, let's begin by opening up the synchronization rules. In the Start Menu of the ad-connect VM, click on Synchronization Rules Editor. You'll see approximately 15-20 default rules. We're going to add our two rules to the top in order for our rules to take precedence.
Users Match Filter
This filter will instruct which users we do want to sync with Azure AD.
1. In the Synchronization Rules Editor, click on Add new rule.
2. Description:
   1. Name: UPN Demo - Users Match Filter
   2. Description: Only sync users who match our onmicrosoft.com UPN
   3. Connected System: choose your .local domain
   4. CS Object Type: user
   5. Metaverse Object Type: person
   6. Link Type: Join
   7. Precedence: 50
   8. Enable Password Sync: check
3. Scoping filter:
   1. Click Add group
   2. Click Add clause
   3. In the clause, enter the following values for each column, respectively:
      Attribute: userPrincipalName
      Operator: ENDSWITH
      Value: <yourcompany>.onmicrosoft.com
4. Join rules: leave blank
5. Transformations:
   1. Click Add transformation
   2. In the transformation, enter the following values for each column, respectively:
      Flow Type: Constant
      Target Attribute: cloudFiltered
      Source: False
6. Click Save.
Users Catch-All Filter
This filter will instruct which users we do not want to sync with Azure AD.
1. In the Synchronization Rules Editor, click on Add new rule.
2. Description:
   1. Name: UPN Demo - Users Catch-All Filter
   2. Description: Catch and filter out all other users who do not have the onmicrosoft.com domain.
   3. Connected System: choose your .local domain
   4. CS Object Type: user
   5. Metaverse Object Type: person
   6. Link Type: Join
   7. Precedence: 99
3. Scoping filter: leave blank
4. Join rules: leave blank
5. Transformations:
   1. Click Add transformation
   2. In the transformation, enter the following values for each column, respectively:
      Flow Type: Constant
      Target Attribute: cloudFiltered
      Source: True
6. Click Save.
Before you close the Synchronization Rules Editor, notice that at the bottom of the window, you are able to export rules to a PowerShell script. For any custom rules, this should be part of your disaster recovery plan in case the AD Connect synchronization server fails. You may now close the editor.
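Why the match rule gets precedence 50 and the catch-all 99 is easy to get backwards, so the following added example models the decision the two rules make. It is a model written for this page, not the AD Connect engine or its cmdlets: in AD Connect, when more than one inbound rule flows the same metaverse attribute, the rule with the lowest precedence number whose scoping filter matches the object wins, and a rule with an empty scoping filter is in scope for every object. The tenant name and the sample users are constructed values.

```powershell
# Added example: a model of how the two custom inbound rules decide the
# cloudFiltered attribute. This is not AD Connect code; it reproduces the
# precedence rule (lowest number among in-scope rules wins) for illustration.

$CloudSuffix = "mycompany.onmicrosoft.com"   # assumed tenant; use yours

# The two rules exactly as configured in the Synchronization Rules Editor.
$Rules = @(
    [pscustomobject]@{
        Name          = "UPN Demo - Users Match Filter"
        Precedence    = 50
        # Scoping filter: userPrincipalName ENDSWITH <yourcompany>.onmicrosoft.com
        Scope         = { param($u) $u.userPrincipalName.EndsWith($CloudSuffix, [System.StringComparison]::OrdinalIgnoreCase) }
        cloudFiltered = $false
    },
    [pscustomobject]@{
        Name          = "UPN Demo - Users Catch-All Filter"
        Precedence    = 99
        # Scoping filter left blank: every object is in scope.
        Scope         = { param($u) $true }
        cloudFiltered = $true
    }
)

function Resolve-CloudFiltered {
    param([psobject] $User, [object[]] $RuleSet)
    # Of the rules whose scoping filter matches, the lowest precedence number
    # supplies the attribute value; the catch-all only wins when nothing else does.
    $winner = $RuleSet |
        Where-Object { & $_.Scope $User } |
        Sort-Object Precedence |
        Select-Object -First 1
    [pscustomobject]@{
        User          = $User.sAMAccountName
        UPN           = $User.userPrincipalName
        cloudFiltered = $winner.cloudFiltered
        DecidedBy     = "$($winner.Name) (precedence $($winner.Precedence))"
    }
}

# Constructed sample accounts mirroring the lab: two users moved to the new
# suffix, plus the admin and a service account still on the .local suffix.
$SampleUsers = @(
    [pscustomobject]@{ sAMAccountName = "jim.smith";   userPrincipalName = "jim.smith@$CloudSuffix" },
    [pscustomobject]@{ sAMAccountName = "sally.holly"; userPrincipalName = "sally.holly@$CloudSuffix" },
    [pscustomobject]@{ sAMAccountName = "cloudadmin";  userPrincipalName = "cloudadmin@mycompany.local" },
    [pscustomobject]@{ sAMAccountName = "svc_backup";  userPrincipalName = "svc_backup@mycompany.local" }
)

$SampleUsers | ForEach-Object { Resolve-CloudFiltered -User $_ -RuleSet $Rules } | Format-Table -AutoSize
```

The two onmicrosoft.com users come out with cloudFiltered False (decided by the match rule at 50), the two .local accounts with cloudFiltered True (decided by the catch-all at 99). If the precedence numbers were swapped, the catch-all would win for everyone and nothing would sync. On the real server, Get-ADSyncRule | Sort-Object Precedence | Select-Object Name, Precedence, Direction (from the ADSync module the installer registers) shows the live ordering, with the two custom rules sitting above the default rules.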
Enable Password Writeback
One last thing we want to do is configure the Azure AD Connect tool to write back password changes to our local Active Directory. Additionally, remember that, during installation, we elected to not start the synchronization service. So, we're going to do that as well.
1. On the desktop of your ad-connect VM, you should see a new icon for Azure AD Connect. Go ahead and open the tool.
2. Immediately, you'll notice that while the connect tool is open, the service is suspended.
3. Click Configure.
4. Select Customize synchronization options and click Next.
5. Type in your credentials for Azure and click Next.
6. Type in your credentials for the local Active Directory and click Next.
7. In the Domain and OU Filtering, we only want to sync our Users container. This will keep Azure AD nice and tidy. So:
   1. Select Sync selected domains and OUs.
   2. Expand the local domain and uncheck all OUs except Users.
   3. Click Next.
8. Check both Password synchronization and Password writeback. Click Next.
9. BEFORE YOU CLICK Configure, check the box next to Start the synchronization process when configuration completes. This time, we want the synchronization service to begin syncing our users.
10. Click Configure.
11. Once the configuration has completed, you should receive a confirmation. Click Exit.
Confirming a Successful Synchronization

Give the synchronization service a minute to "spin up" and conduct its first sync. Then, let's head over to our Azure portal to confirm that the synchronization was successful. Once you've reached your Azure portal, perform the following steps.
1. On the left menu, click on Azure Active Directory.
2. In the Azure Active Directory blade, click on Users and groups.
3. In the Users and groups blade, click on All users.
We should now see all 3 users from our local Active Directory listed here. Question... If our Azure AD grows to a huge list of users, how will we know which users originated in the cloud and which ones are sync'ed from our on-premises Active Directory?
While we are still on the same blade (viewing our users list), do the following:
1. In the Actions section, click on Columns.
2. Check the box next to Source of authority.
3. Click Apply.
We now see from where our users are originating, whether that is on-premises (e.g. Windows Server AD) or the cloud (e.g. Azure Active Directory).
Remember that any changes made to synchronized users (e.g. Windows Server AD) are replicated back down to our local Active Directory. However, cloud users are not synchronized.
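The same "Source of authority" split can be produced from PowerShell, which scales better than scrolling the portal once the directory grows. This is an added example (not part of the workshop) using the AzureAD module (Install-Module AzureAD, then Connect-AzureAD as a tenant admin); the property names are those returned by Get-AzureADUser.

```powershell
# Added example, not from the workshop: list users by source of authority with the AzureAD module.
# Assumes the AzureAD module is installed and you sign in as a tenant admin.
Import-Module AzureAD
Connect-AzureAD | Out-Null     # interactive sign-in

$users = Get-AzureADUser -All $true

# DirSyncEnabled is $true for objects AD Connect owns and $null (not $false) for cloud-only ones.
$synced    = $users | Where-Object { $_.DirSyncEnabled -eq $true }
$cloudOnly = $users | Where-Object { $_.DirSyncEnabled -ne $true }

Write-Host "Synced from Windows Server AD : $($synced.Count)"
Write-Host "Cloud-only (Azure AD)         : $($cloudOnly.Count)"

# Synced users carry their on-premises SID and the last time AD Connect updated them;
# a stale LastDirSyncTime across the board means the sync service has stopped running.
$synced |
    Select-Object UserPrincipalName, LastDirSyncTime, OnPremisesSecurityIdentifier |
    Sort-Object LastDirSyncTime |
    Format-Table -AutoSize

# Cloud-only accounts are the ones no on-premises process (disable, delete, password policy)
# will ever touch, so they deserve their own review. Here: enabled members, guests excluded.
$cloudOnly |
    Where-Object { $_.AccountEnabled -and $_.UserType -ne 'Guest' } |
    Select-Object UserPrincipalName, DisplayName, UserType |
    Format-Table -AutoSize
```

In this workshop the first list should show the 3 synced users and the second the admin account the tenant was created with.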
Completing Password Writeback

In completing the Azure AD Connect configuration, we enabled password writeback. But, by default, users aren't able to update their passwords in Azure. We need to enable users to have the ability to update their passwords.
1. While you are still on the Users and groups blade, click on Password reset.
2. You will see here that self-service password reset is not enabled for anyone. Click on All and then click Save.
3. Finally, let's confirm that password writebacks are enabled in Azure. Click on On-premises integration.
4. From here, you will see that password writebacks are, indeed, enabled, along with restricting users from unlocking their accounts without resetting their passwords.
You now have your local Active Directory sync'ing with your Azure AD.
Additional Notes

Interestingly enough, if you log out of Azure and attempt to log in with one of the UPNs that was sync'ed (for example, jim.smith@<yourcompany>.onmicrosoft.com with the default password Pass@word1234), Azure will require you to set up a secondary authentication method - phone or email - prior to being able to log in.
Also, if you log in to your Office 365 trial tenant, you'll see the users from your on-premises Active Directory listed. All you would need to do at this point is assign them licenses.
Monitoring Health

Objective

We are going to conclude this workshop with enabling monitoring on our Active Directory Domain Services.
Install the Agent

In order to see reports for our domain services, we need to install the Azure AD Connect Health Agent for AD DS onto our domain controller.

Disable IE ESC

By default, Internet Explorer Enhanced Security Configuration is enabled, which will prevent us from downloading anything. We need to disable this. (NOTE: In production, you would typically not do this. In production, you would leave IE ESC enabled and copy the downloaded agent via RDP onto the machine. However, since this is a workshop, we'll make some concessions.)
1. If you're not still connected to the dc1 VM, go ahead and do that now. As a reminder, you will need to do so through the utility machine.
2. Once you've connected to dc1, open Server Manager if it's not already open.
3. In the left menu of Server Manager, click on Local Server.
4. In the resulting page, you'll see a couple of sections. The first section is labeled Properties. Properties has two columns. Half-way down the right column, you will see IE Enhanced Security Configuration. To the right of that, in blue, you probably see On. Click on it.
5. In the Internet Explorer Enhanced Security Configuration dialog, choose Off for both Administrators and Users. Then, click OK.
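Because the note above says ESC stays on in production, it helps to be able to check the setting and put it back once the agent download is finished. The following is an added example (not part of the workshop): the two Active Setup registry keys are the ones Server Manager's dialog toggles, and the rundll32 entry points in iesetup.dll are the commonly used way to reapply the hardened zone settings.

```powershell
# Added example, not from the workshop: read and restore the IE ESC state that the
# Server Manager dialog above toggles. Run elevated on dc1.
# IsInstalled = 1 under each Active Setup component key means ESC is On for that group.
$escKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    # Returns one row per group, mirroring what Server Manager shows under Local Server.
    foreach ($group in $escKeys.Keys) {
        $value = (Get-ItemProperty -Path $escKeys[$group] -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
        [pscustomobject]@{
            Group   = $group
            Enabled = ($value -eq 1)
        }
    }
}

function Enable-IEEsc {
    # Re-arm ESC for both groups and reapply the hardened IE zones for the current session.
    foreach ($path in $escKeys.Values) {
        Set-ItemProperty -Path $path -Name IsInstalled -Value 1 -Type DWord
    }
    rundll32.exe iesetup.dll,IEHardenLMSettings
    rundll32.exe iesetup.dll,IEHardenUser
    rundll32.exe iesetup.dll,IEHardenAdmin
    Get-IEEscState
}

# After step 5 above both groups report Enabled = False; call Enable-IEEsc when the agent is installed.
Get-IEEscState
```

Users already logged on pick up the restored zones at their next logon; Server Manager's Local Server view reflects the registry change as soon as it refreshes.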
Download and Install the Agent

Now we're ready to download and install the agent.
1. On dc1, open a web browser and go to http://go.microsoft.com/fwlink/?LinkID=820540. This will automatically download the agent.
2. Once the download is complete, run it.
3. In the Microsoft Azure AD Connect Health agent for AD DS Setup window, click Install.
4. Once it has completed installation and has informed you that the setup was successful, click Configure Now.
5. This will run a PowerShell script and require that you authenticate with Azure. Enter your credentials for your <yourcompany>.onmicrosoft.com account.
6. After a few seconds of watching the script continue to run, you should see that the Agent registration completed successfully. Go ahead and close the PowerShell window.
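Before heading back to the portal, it is worth confirming on dc1 that the agent is actually running and can reach Azure; data only appears in the dashboard once it does. This is an added example (not part of the workshop). It assumes the agent's services are the ones whose display names start with "Azure AD Connect Health", and that the agent installs the AdHealthConfiguration PowerShell module that provides Test-AzureADConnectHealthConnectivity and Register-AzureADConnectHealthADDSAgent (the cmdlet the Configure Now script ran).

```powershell
# Added example, not from the workshop: post-install checks for the AD DS health agent on dc1.
# Assumes the agent's services carry the "Azure AD Connect Health" display-name prefix and
# that its AdHealthConfiguration module is installed.
$services = Get-Service -DisplayName 'Azure AD Connect Health*'
$services | Select-Object DisplayName, Status, StartType | Format-Table -AutoSize

$stopped = $services | Where-Object { $_.Status -ne 'Running' }
if ($stopped) {
    Write-Warning "Agent service(s) not running: $($stopped.DisplayName -join ', ')"
}

# Outbound connectivity to the Connect Health endpoints; a proxy or egress filter
# on the domain controller is the usual reason the dashboard stays empty.
Import-Module AdHealthConfiguration -ErrorAction Stop
Test-AzureADConnectHealthConnectivity -Role ADDS

# If step 5 above failed or was cancelled, registration can be repeated with the
# same cmdlet the wizard ran, prompting for the <yourcompany>.onmicrosoft.com credentials:
#   Register-AzureADConnectHealthADDSAgent -Credential (Get-Credential)
```

Both services should be Running with an Automatic start type; the connectivity test reports each endpoint it could or could not reach.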
View Agent Metrics

We're now ready to see how our domain controller is functioning. Let's return to Azure to view the reports.
1. In Azure's left menu, click on Azure Active Directory.
2. In the Azure Active Directory blade, click on Azure AD Connect.
3. Under HEALTH AND ANALYTICS, click on Azure AD Connect Health (I know, it's a little obscure).
4. There are three sections to the health dashboard - AD FS, AD Connect (Sync), and AD DS. Since we don't have Federated Services configured, this tile should be empty. However, you should see both, respective, domains under AD Connect and AD DS. Clicking on these domains will give us details of how they are functioning.
Azure AD Connect Health is still very young in development. As you click around, you may find some features disabled. Keep monitoring this to see how it expands to give you greater visibility into your AD infrastructure.