Azure AD Connect Lab Setup – Step by Step Guide

Transcription

12/21/2020 Azure AD Connect Lab Setup – Step by Step Guide – A Place where cloud begins

A Place where cloud begins. AWS, Azure Cloud, DevOps and IT Infrastructure

Azure AD Connect Lab Setup – Step by Step Guide
June 22, 2020, asingh

Most enterprises adopting the cloud have a mix of on-premises and cloud-based infrastructure. In such scenarios, simplified identity control becomes a key factor: you can use your existing identities to control authentication and authorization across all applications and services, regardless of whether they run in the cloud or on-premises. From Microsoft Azure's perspective, with the help of Azure Active Directory and Azure AD Connect we can implement a "Hybrid Identity" solution which simplifies authentication and authorization to all applications and services across cloud and on-premises.

Azure AD Connect acts as a bridge between your on-premises Active Directory infrastructure and Azure AD: it synchronizes user accounts, group memberships, and credential hashes from an on-premises Active Directory to Azure AD. We are then able to use many useful Azure AD features, such as Single Sign-On (SSO)/Federation, MFA, Hybrid Azure AD join, and access control on Azure resources and Office 365, using on-premises AD identities.

In this guide, I will walk you through how to configure Azure AD Connect to synchronize on-premises AD identities with Azure AD. There are different Azure AD Connect deployment topologies for scenarios with multiple forests and multiple Azure AD tenants. In this lab implementation guide, the Azure AD Connect deployment topology is "Single forest, single Azure AD tenant".

There are various prerequisites to note before we can go ahead and install Azure AD Connect in our environment; please refer to the list of requirements below for Azure AD, on-premises AD and the Azure AD Connect server.

Azure AD prerequisites:
1. An Azure AD tenant. You get one with an Azure free trial as well.
2. Add and verify the domain you plan to use in Azure AD. This should be your publicly registered domain. For example, if you plan to use contoso.com for your users, make sure this domain has been verified and you are not only using the contoso.onmicrosoft.com default domain. Every new Azure AD tenant comes with an initial domain name, domainname.onmicrosoft.com. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as alain@contoso.com.

In my lab, I have a routable domain (cloudmegh.in) and my on-premises AD domain name is the same. If your on-premises AD domain is a non-routable domain, you can follow the Microsoft documentation below to solve the non-routable domain problem by registering a new UPN suffix or suffixes in AD DS to match the domain (or domains) you verified in Microsoft 365/Azure AD. After you register the new suffix, you update the user UPNs to replace the .local with the new domain name, so that a user account looks like abc@contoso.com.
https://docs.microsoft.com/en-us/o directory-synchronization

On-premises Active Directory prerequisites:
1. Use IdFix to identify errors such as duplicates and formatting problems in your directory before you synchronize to Azure AD and Office 365.
https://docs.microsoft.com/en-us/office365/enterprise/install-and-run-idfix
2. It is recommended to enable the Active Directory Recycle Bin.
3. The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met.
4. If you plan to use the password writeback feature, the Domain Controllers must be on Windows Server 2008 R2 or later.
5. The domain controller used by Azure AD must be writable. It is not supported to use a RODC (read-only domain controller), and Azure AD Connect does not follow any write redirects.

Azure AD Connect server prerequisites:
1. Azure AD Connect can only be installed on Windows Server Standard, Enterprise or Datacenter editions.
2. Azure AD Connect must be installed on Windows Server 2012 or later. This server must be domain joined and may be a domain controller or a member server.

SQL for Azure AD Connect:
1. Azure AD Connect requires a SQL Server database to store identity data. By default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed. SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation wizard to a different installation of SQL Server.
2. Microsoft Azure SQL Database is not supported as a database.

Accounts:
1. An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a school or organization account and cannot be a Microsoft account.
2. If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises Active Directory.

Network Connectivity:
If your local network has a firewall/proxy, you need to ensure that all the required ports and endpoints mentioned in the Microsoft documentation are allowed.

Azure AD Connect – Key Terminologies and Components:
Azure AD Connect is a vast solution in itself, so it's not feasible to cover all the deep-dive architecture details in this post. Below are the important AAD Connect terminologies and concepts that you need to understand when working with Azure AD Connect.
1. Azure AD Connect sync (sync engine)
2. Connector
3. Connected Data Sources or Connected Directories (CD)
4. Source anchor
5. Connector Space (CS)
6. Metaverse (MV)
7. Joined Object (or connector object)
8. Disjoined Object (or disconnector object)
9. Provisioning
10. Deprovisioning

It is worth referring to the Microsoft documentation below to dive deeper into the Azure AD Connect architecture and the concepts above.
Azure AD Connect sync: Technical Concepts
Azure AD Connect sync: Understanding the architecture

Azure AD Connect Authentication (sign-in) Options:
Below are the four different authentication (sign-in) mechanisms provided by Azure AD when you are using Azure AD Connect; based on feasibility from a security and compliance perspective, you can choose the appropriate one. During the Azure AD Connect installation wizard you will have the ability to choose one of these authentication mechanisms.

1. Password Hash Synchronization (PHS):
– When we install Azure AD Connect with "Express Settings", Password Hash Synchronization (PHS) is the default authentication configuration.
– AAD Connect synchronizes a hash, of the hash, of an AD user's password from the on-premises AD to Azure AD.
– To synchronize a user's password, Azure AD Connect sync extracts the user's password hash from the on-premises Active Directory. Extra security processing is applied to the password hash before it is synchronized to Azure Active Directory.
– The PHS process runs every 2 minutes and we cannot modify the frequency of this process.

2. Pass-through Authentication (PTA):
– User credentials are validated by an on-premises Active Directory Domain Controller via the AAD Connect Authentication Agent; on-premises AD users' passwords are not stored in Azure AD in any form.
– For Pass-through Authentication to work, users need to be provisioned into Azure AD from on-premises Active Directory using Azure AD Connect. Pass-through Authentication does not apply to cloud-only users.
– Communication between the Authentication Agents and Azure AD uses certificate-based authentication. These certificates are automatically renewed every few months by Azure AD.
– Microsoft recommends having more than one AAD Connect Authentication Agent to provide high availability of authentication requests.
– PTA can also be used in conjunction with PHS for high availability scenarios. As per Microsoft: "Enabling Password Hash Synchronization gives you the option to failover authentication if your on-premises infrastructure is disrupted. This failover from Pass-through Authentication to Password Hash Synchronization is not automatic. You'll need to switch the sign-in method manually using Azure AD Connect. If the server running Azure AD Connect goes down, you'll require help from Microsoft Support to turn off Pass-through Authentication."

3. Federation with ADFS:
– In the ADFS federation scenario, Azure AD redirects the authentication request to ADFS.

4. Federation with PingFederate:
– If you are already using PingFederate in your environment, you may choose this method for authentication. AAD Connect natively supports PingFederate; please refer to the official PingFederate document regarding the implementation.
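Before moving on to the installation, the on-premises prerequisites listed above (forest functional level, Recycle Bin, a writable DC, a verified routable domain and routable UPN suffixes for the users to be synced) can be checked from PowerShell, and the non-routable UPN problem described under the Azure AD prerequisites can be fixed the same way. This is an added example, not code from the original post: it assumes the RSAT ActiveDirectory and DnsClient modules, the lab names cloudmegh.in and the LabUsers OU used in this post, and a placeholder for the TXT verification value Azure AD issues.

```powershell
# Added example (not from the original post): pre-flight checks for the
# Azure AD Connect prerequisites, run on a domain-joined admin machine with
# the RSAT ActiveDirectory and DnsClient modules. Domain and OU names are the
# lab's; $ExpectedTxt is a placeholder for the MS=msXXXXXXXX value Azure AD
# shows when the custom domain is added.
Import-Module ActiveDirectory

$RoutableDomain = 'cloudmegh.in'
$UserOU         = 'OU=LabUsers,DC=cloudmegh,DC=in'
$ExpectedTxt    = 'MS=ms00000000'   # placeholder, replace with your tenant's value

function Test-AadcPrerequisites {
    $forest  = Get-ADForest
    $results = [ordered]@{}

    # Forest functional level must be Windows Server 2003 or later
    # (ADForestMode enum: 2 = Windows2003Forest).
    $results['ForestLevel2003OrLater'] = ([int]$forest.ForestMode -ge 2)

    # AD Recycle Bin should be enabled before the first sync cycle.
    $rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    $results['RecycleBinEnabled'] = ($rb.EnabledScopes.Count -gt 0)

    # A writable DC must be reachable; AADC cannot work against an RODC.
    $dc = Get-ADDomainController -Discover -Writable -ErrorAction SilentlyContinue
    $results['WritableDcFound'] = ($null -ne $dc)

    # The custom domain is verified in Azure AD through a TXT record at the apex.
    $txt = Resolve-DnsName -Name $RoutableDomain -Type TXT -ErrorAction SilentlyContinue
    $results['VerificationTxtPresent'] = ([string[]]$txt.Strings -contains $ExpectedTxt)

    # UPNs with a non-routable suffix (e.g. .local) cannot be verified in Azure AD.
    $bad = @(Get-ADUser -Filter * -SearchBase $UserOU -Properties UserPrincipalName |
             Where-Object { $_.UserPrincipalName -notlike "*@$RoutableDomain" })
    $results['UsersWithNonRoutableUpn'] = $bad.Count

    [pscustomobject]$results
}

# Fix for the non-routable domain problem described above: register the
# routable UPN suffix in the forest and rewrite the lab users' UPNs to use it.
# IdFix still has to be run separately for duplicates and formatting errors.
function Repair-NonRoutableUpn {
    param([switch]$WhatIf)

    if ((Get-ADForest).UPNSuffixes -notcontains $RoutableDomain) {
        Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $RoutableDomain } -WhatIf:$WhatIf
    }

    Get-ADUser -Filter * -SearchBase $UserOU -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -and
                       $_.UserPrincipalName -notlike "*@$RoutableDomain" } |
        ForEach-Object {
            $newUpn = $_.UserPrincipalName.Split('@')[0] + "@$RoutableDomain"
            Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf:$WhatIf
        }
}

Test-AadcPrerequisites | Format-List
Repair-NonRoutableUpn -WhatIf    # dry run first; drop -WhatIf to apply
```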

Azure AD Connect Server Installation:
I have talked about some important concepts theoretically; now let's go ahead and install the Azure AD Connect server in the on-premises AD DS environment.

1. Add Custom Domain (Routable) to Azure AD and make it the "Primary Domain" for Azure AD:
– Log in to the Azure portal and go to Azure Active Directory.
– Click on the "Add custom domain" option.
– I'm adding my routable domain "cloudmegh.in" to Azure AD; click on "Add".
– Once you add your custom routable domain to Azure AD, it needs to be verified. To verify the domain you need to create a TXT record at your domain registrar with the values shown below.
– My domain is registered with GoDaddy, so I logged into the GoDaddy console and added the TXT record as shown below. Then I clicked on the "Verify" button in the Azure AD console. In a few minutes it will verify your domain.
– Now my domain is showing as "Verified" in the Azure AD console.
– Now I will set my custom domain as "Primary" for the directory. The primary domain is the default domain name for a new user when you create a new user. Setting a primary domain name streamlines the process for an administrator to create new users in the directory.

2. Download and run the Office 365 IdFix tool:
Before we synchronize our on-premises AD to Azure AD, it is recommended to run the IdFix tool. This tool identifies errors such as duplicates and formatting problems in your AD domain; you can run this tool on a domain-joined machine or a Domain Controller.

3. Enable AD Recycle Bin:
Microsoft recommends enabling the AD Recycle Bin feature in your on-premises AD environment. If you accidentally delete an on-premises AD user object, the corresponding Azure AD user object will be deleted in the next sync cycle. By default, Azure AD keeps the deleted Azure AD user object in a soft-deleted state for 30 days.
I ran the PowerShell cmdlet below to enable the AD Recycle Bin feature for my AD domain.

Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target cloudmegh.in

4. Download and install Azure AD Connect server:
– Now I will go back to the Azure portal and navigate to the Azure Active Directory console, go to Azure AD Connect and click on the "Download Azure AD Connect" option, which redirects me to the download link.
– I have downloaded the AAD Connect setup on my on-premises Windows Server where I will be installing it. This machine is running the Windows Server 2016 OS and is joined to my AD domain "cloudmegh.in".
– I ran the AAD Connect setup and the installation wizard started; accept the license terms agreement and then click on the "Continue" button to proceed further.
– If you want to install AAD Connect with "Express Settings", it will install and configure everything with a predefined set of configuration as shown in the snapshot below. I'm going with the "Customize" installation option in my lab.
– I'm leaving the options below at default (unchecked); you may specify the options as appropriate in your environment. I clicked on the "Install" button to proceed with the AAD Connect server installation.
– It will install and configure the required components now. Azure AD Connect requires a SQL Server database to store identity data; by default a SQL Server 2012 Express LocalDB (a light version of SQL Server Express) is installed.
– Once it completes the required components installation/configuration, it will move to the option below where we need to choose the authentication method for users. I'm choosing the "Password Hash Synchronization" authentication mechanism. Click on "Next" to proceed further.
– Now we need to provide the user credential that will be used to connect to the Azure AD tenant; this user should have Global Administrator permission on your Azure AD tenant.
– Now select the AD Forest by clicking on "Add Directory", which will be the connected data source for AAD Connect sync.
– Once you click on "Add Directory" it will ask you to provide user credentials that should have at minimum the permissions below for "Password hash sync" to function correctly. Depending upon what features you are using and the installation method, the permission requirements will change.
Replicate Directory Changes
Replicate Directory Changes All
– We have now added the AD DS Forest "cloudmegh.in" successfully; click on "Next" to proceed further.
– The page below allows us to review the UPN domains present in on-premises AD DS and which have been verified in Azure AD. This allows us to configure the attribute to use for the userPrincipalName.
Note: The attribute userPrincipalName is the attribute users use when they sign in to Azure AD and Office 365. The domains used, also known as the UPN-suffix, should be verified in Azure AD before the users are synchronized. Microsoft recommends keeping the default attribute userPrincipalName. If this attribute is non-routable and cannot be verified, then it is possible to select another attribute.
– By default all domains and OUs are synchronized. If there are some domains or OUs you do not want to synchronize to Azure AD, you can unselect these domains and OUs. I have selected the specific OU "LabUsers" from my AD domain; only AD users under this specific OU will be synchronized to Azure AD. Click on "Next".
– I'm leaving the configuration below at the defaults and proceeding further.
– I'm not configuring any sync filtering at this stage.
– Now we have some "Optional features" of Azure AD Connect that we can enable based on scenario and requirement. I'm enabling the "Password Writeback" feature, which is important in a hybrid environment where Azure AD is connected to an on-premises AD DS environment: this scenario can cause passwords to be different between the two directories if users change their password using the Azure AD portal. By enabling password writeback, password changes that originate in Azure AD are written back to your on-premises directory.
– Click on "Install".
– It will take a few minutes to complete the configuration.
– Finally the installation and configuration of AAD Connect has completed successfully, and the synchronization process has also been initiated.

– After completion of the Azure AD Connect installation and configuration, if you want to see the existing configuration or would like to modify something, you need to open the "Azure AD Connect" console and review it.
– If you click on "View current configuration", it will show you your existing synchronization settings and the features enabled in your AAD Connect.
– If you open "Synchronization Service Manager" you can see what's happening with the AAD Connect sync engine from a synchronization perspective and whether there are any errors.
– You can also stop the sync run manually if needed from here.

Verify user sync from Azure AD console:
– Since the synchronization process was already initiated above, let's go back to the Azure AD portal and see if objects were synchronized successfully.
– Yes, I can see users from source "Windows Server AD" in my Azure AD tenant, which confirms the sync process was able to synchronize the users successfully.
– We can see the sync status and last sync details as well from here to validate when the last sync happened.

I will continue to explore other capabilities of Azure AD in the hybrid identity scenario and will cover them in the next post.
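The post-installation review above (Azure AD Connect console, Synchronization Service Manager, and the sync status in the Azure AD portal) can also be scripted. This is an added example, not code from the original post; it assumes it runs on the AAD Connect server, where setup installs the ADSync module, that the MSOnline module is available for the tenant-side check, the lab domain cloudmegh.in, and that Get-ADSyncAADPasswordResetConfiguration reports the writeback state in its Status field.

```powershell
# Added example (not from the original post): verify the finished Azure AD
# Connect setup from PowerShell. Runs on the AADC server, where setup installs
# the ADSync module; the MSOnline module is assumed for the tenant-side check.
Import-Module ADSync

# Local sync-engine view: scheduler state, PHS feature and password writeback,
# i.e. what "View current configuration" shows in the Azure AD Connect console.
function Get-AadcSyncHealth {
    $sched    = Get-ADSyncScheduler
    $features = Get-ADSyncAADCompanyFeature
    # The Azure AD connector is named "<tenant>.onmicrosoft.com - AAD".
    $aadConn  = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
    # Assumed to expose the writeback state as Status (Enabled/Disabled).
    $pwdReset = Get-ADSyncAADPasswordResetConfiguration -Connector $aadConn.Name

    [pscustomobject]@{
        SyncCycleEnabled    = $sched.SyncCycleEnabled
        SyncIntervalMinutes = $sched.CurrentlyEffectiveSyncCycleInterval.TotalMinutes
        NextSyncUtc         = $sched.NextSyncCycleStartTimeInUTC
        StagingMode         = $sched.StagingModeEnabled     # staging = nothing is exported
        PasswordHashSync    = $features.PasswordHashSync
        PasswordWriteback   = $pwdReset.Status
        SyncInProgress      = $sched.SyncCycleInProgress
    }
}

# Kick off a delta sync, like a manual run in the Synchronization Service
# Manager, but only when no cycle is already running.
function Start-AadcDeltaSync {
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already in progress; not starting another.'
        return
    }
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Tenant-side view (the "Verify user sync from Azure AD console" step):
# company-wide last sync times and the count of users synced with our UPN suffix.
function Get-TenantSyncStatus {
    param([string]$UpnSuffix = 'cloudmegh.in')
    Connect-MsolService   # sign in with the Global Administrator used during setup
    $company = Get-MsolCompanyInformation
    $synced  = @(Get-MsolUser -All |
                 Where-Object { $_.LastDirSyncTime -and $_.UserPrincipalName -like "*@$UpnSuffix" })
    [pscustomobject]@{
        DirSyncEnabled       = $company.DirectorySynchronizationEnabled
        LastDirSyncTime      = $company.LastDirSyncTime
        LastPasswordSyncTime = $company.LastPasswordSyncTime   # PHS runs every 2 minutes, so this stays recent
        SyncedUsers          = $synced.Count
    }
}

Get-AadcSyncHealth
Start-AadcDeltaSync
Get-TenantSyncStatus
```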
