Microsoft 365 integration with on-premises environments


Sync your users

Synchronization is the process of keeping user accounts, devices, and groups up to date based on conditions set by the admin. Both Azure Active Directory (Azure AD) cloud sync and Azure AD Connect synchronize and link user accounts, devices, groups, and password hashes (not passwords) from an on-premises Active Directory to Azure AD to maintain a single sign-on experience.

Note that only Azure AD cloud sync supports the following features:
  • Connect to multiple disconnected on-premises Windows Server Active Directory forests
  • Multiple active agents for high availability
  • Lightweight agent installation model

For this exercise, we will sync our on-premises server to the cloud with continuous sync. Azure AD Connect is a good fit for companies that still rely on a large IT infrastructure hosted locally in the office. I have installed a fresh image of Windows Server 2019 Datacenter to show the roles being added and synced. Once installed, we are asked to create an Administrator account to sign in with, and once signed in, Server Manager opens automatically. Let's add the AD DS role on the server by clicking Add Roles and Features:


On the first start you are prompted with an introduction to the Add Roles and Features Wizard; you can check "Skip this page by default" so it is not shown next time.



Check Role-based or feature-based installation, as we are installing AD DS, and click Next.


Next, we select the server from the server pool on which we want to install the roles. If there were more than one server we would see a list, but as this is a new server we only see one; select it and click Next:



On the next screen, we would see a list of server roles that can be installed. We would select Active Directory Domain Services:


On the pop-up, select Add Features:

The next screen is for adding features; the Group Policy Management feature is already checked and we leave it as is, since it is very useful for managing Group Policies across the organization. Hit Next.


The next couple of windows are informational; we can click through to the last window, where we have the option to Install.



As it might take a few moments, we can close the wizard or keep it open to watch the installation complete:


Now we promote the server to a Domain Controller (DC), either from the notification or via Server Manager > AD DS > Promote



We need to Add a New Forest, as there is no forest yet on the AD DS server, and provide a root domain name (e.g. contoso.local):


Uncheck the Domain Name System (DNS) server option, as we will not be setting up a DNS server at this point. Leave the functional levels at their defaults and provide the Directory Services Restore Mode (DSRM) administrator password:


The wizard should detect the NetBIOS domain name by itself; click Next:


The wizard proposes default locations for the database, log files, and SYSVOL, each used for a different purpose. We leave the defaults and hit Next:


Review the configuration and hit Next. The prerequisite checks begin. We got a warning, which can be ignored at this point; hit Install:


Once the installation is done the server should reboot automatically, as the wizard notes; if it does not, restart it manually.
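The same role installation and forest promotion that the wizard walks through above, scripted, as an added example that is not part of the original post. It uses the ServerManager and ADDSDeployment modules that ship with Windows Server 2019 and assumes an elevated PowerShell session on the fresh server; the domain name, NetBIOS name and paths are the walkthrough's example values and wizard defaults, so change them to yours. The prerequisite check is run with the same parameters as the promotion, mirroring the wizard's check before Install.

```powershell
# Added example (not from the original post): AD DS role install and first-DC
# promotion, equivalent to the Add Roles and Features and Promote steps above.
# Assumptions: elevated PowerShell on the new server; placeholder names below.

$DomainName  = 'contoso.local'   # root domain from the "Add a New Forest" step
$NetbiosName = 'CONTOSO'         # the wizard derives this automatically

# Step 1: add the AD DS role. -IncludeManagementTools also installs
# AD Users and Computers and Group Policy Management, as the wizard did.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Confirm the role really landed before trying to promote.
if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
    throw 'AD DS role did not install; check the Install-WindowsFeature output.'
}

# Step 2: the DSRM password is prompted for, so it never sits in the script
# or in the PowerShell history. It is separate from the domain admin password.
$DsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

# Same choices as in the wizard, expressed as a splat so each one can be commented.
$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'WinThreshold'     # default functional level on Server 2019
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $false             # DNS left unchecked, as in the walkthrough
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'  # wizard default locations
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $DsrmPassword
    Force                         = $true              # no confirmation prompt
}

# Step 3: prerequisite checks first. Warnings (like the one seen in the
# walkthrough) still report Success; only a hard failure stops here.
$check = Test-ADDSForestInstallation @forestParams
$check.Message
if ($check.Status -ne 'Success') {
    throw 'Prerequisite checks failed; fix the reported issues before promoting.'
}

# Step 4: promote. The server reboots on completion, as the wizard does.
Install-ADDSForest @forestParams
```

Keeping the wizard's choices in a single hashtable makes it easy to review what the DC was built with later, and running the Test cmdlet with the identical parameters avoids the classic mismatch where the check passes with one set of options and the real promotion runs with another.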

Now let's create a few users and sync them with the cloud. Go to Server Manager > Tools > Active Directory Users and Computers:


We should see our domain there; right-click it and create a new Organizational Unit (OU), so that only the users in that OU are synced to the cloud.



Before adding users to the Synced OU, let's first add the custom domain to AD. Click Tools > Active Directory Domains and Trusts, right-click the domain, and select Properties:



Add the vanity domains here and hit OK once done:


Now let's go back to AD Users and Computers and add two test users with the vanity domain in the Synced OU:


It should look something like this:


Before we start synchronizing our users, we can run IdFix to identify and correct errors such as duplicates and formatting problems in our Active Directory Domain Services (AD DS) domain. Fixing errors before we synchronize takes less time than resolving them later, but we will skip this step for now as we do not have many users to synchronize.
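The UPN suffix, Synced OU and two test users created through the GUI above, scripted with the ActiveDirectory module, plus a small pre-sync sanity check in the spirit of the IdFix step just mentioned. This is an added example, not part of the original post; it assumes it is run on the DC as a domain admin, and the vanity domain, OU name and user names are placeholders.

```powershell
# Added example (not from the original post): UPN suffix, OU, test users and a
# pre-sync duplicate/suffix check. Assumptions: run on the DC as a domain
# admin; 'contoso.com', 'Synced' and the user names are placeholders.
Import-Module ActiveDirectory

$VanityDomain = 'contoso.com'                       # custom domain verified in Microsoft 365
$OuName       = 'Synced'
$DomainDn     = (Get-ADDomain).DistinguishedName    # e.g. DC=contoso,DC=local
$OuDn         = "OU=$OuName,$DomainDn"

# 1. Register the vanity domain as a UPN suffix (the Domains and Trusts >
#    Properties step), so users can sign in as user@contoso.com.
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = $VanityDomain }

# 2. Create the OU that Azure AD Connect will be scoped to. Protection from
#    accidental deletion is the GUI default and worth keeping.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 3. Two test users with the vanity-domain UPN. Passwords are prompted for so
#    they never appear in the script or the console history.
foreach ($sam in 'testuser1', 'testuser2') {
    $initialPassword = Read-Host -Prompt "Initial password for $sam" -AsSecureString
    New-ADUser -Name $sam `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$VanityDomain" `
        -EmailAddress "$sam@$VanityDomain" `
        -Path $OuDn `
        -AccountPassword $initialPassword `
        -ChangePasswordAtLogon $true `
        -Enabled $true
}

# 4. Pre-sync check for the two findings that most often block a sync and
#    that IdFix would flag: duplicate UPN/mail values, and UPNs whose suffix
#    is not the verified domain (those would land in the cloud as
#    user@tenant.onmicrosoft.com instead of the vanity domain).
$users = Get-ADUser -Filter * -SearchBase $OuDn -Properties mail, userPrincipalName

$users | Group-Object userPrincipalName | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Duplicate UPN in Synced OU: $($_.Name)" }

$users | Where-Object { $_.mail } | Group-Object mail | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Duplicate mail in Synced OU: $($_.Name)" }

$users | Where-Object { $_.userPrincipalName -notlike "*@$VanityDomain" } |
    ForEach-Object { Write-Warning "UPN outside verified domain: $($_.userPrincipalName)" }
```

Scoping the check to the Synced OU keeps it cheap enough to run every time before a forced sync; in a larger directory the same three queries are what you would extend first, because UPN and mail collisions are exactly what the Synchronization Service later reports as export errors.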

Now download Azure AD Connect from the following link and start the installation:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=47594

Agree to the terms on the Welcome page of Microsoft Azure Active Directory Connect and hit Next to continue. As we are syncing only certain OUs from our AD, we customize the sync settings as below:


We leave all the sync service options unchecked and click Install:


On the User sign-in page, we choose Password Hash Synchronization and click Next:


The article below describes a decision tree for which sign-in method to use when, and is very useful for planning user sign-in according to your needs:

Provide the Azure AD Admin credentials to connect to Azure AD:


Click Add Directory and create a new AD account in the new window:


On the next screen we should see our custom domain already listed and verified as a UPN suffix. Make sure the userPrincipalName attribute of AD is selected as the Azure AD username and, in our case, check the option to continue without matching all UPN suffixes to verified domains:


On the next screen, select 'Sync selected domains and OUs' to sync only the Synced OU from our AD to the cloud and hit Next.


We keep the identifiers as they are for the users and click Next:


On the next step we could choose a group of people to pilot the sync deployment, but we sync all users and devices and hit Next:


Leave the optional features as they are and hit Next.


Click Install on the next screen to finish the setup and sync the objects:


The installation should complete with some warnings, which can be ignored for our practice. Click Exit to close the program:



Search for Synchronization Service and open it:


We can see that a full sync ran once we finished the setup:


Let's check in the Azure AD portal whether the users we created have synced to the cloud, by going to the AAD portal > Users and searching for the user:


By default the sync runs every 30 minutes, but if we make changes or create an object on-prem and want to push them immediately, we can force a Delta Sync from PowerShell. A delta sync does not sync the whole directory, only the changes made, which is what you want in a production environment. Run it with the following command:

Start-ADSyncSyncCycle -PolicyType Delta

We can also schedule it as per our needs, and the article below helps to understand this better:
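Putting the delta sync and the scheduling together, here is an added example (not part of the original post) that inspects the Azure AD Connect scheduler, forces a delta sync without colliding with a cycle that is already running, waits for it to finish, and adjusts the interval. It uses the ADSync module that Azure AD Connect installs and assumes an elevated PowerShell session on the Azure AD Connect server.

```powershell
# Added example (not from the original post): scheduler inspection, a safe
# forced delta sync, and interval changes with the ADSync module.
# Assumption: elevated PowerShell on the Azure AD Connect server.
Import-Module ADSync

# 1. Scheduler state. AllowedSyncCycleInterval is the floor enforced by
#    Azure AD (30 minutes); CurrentlyEffectiveSyncCycleInterval is what runs.
Get-ADSyncScheduler | Format-List AllowedSyncCycleInterval,
                                  CustomizedSyncCycleInterval,
                                  CurrentlyEffectiveSyncCycleInterval,
                                  SyncCycleEnabled,
                                  SyncCycleInProgress,
                                  NextSyncCycleStartTimeInUTC,
                                  StagingModeEnabled

# 2. Starting a cycle while another is running is rejected, so wait first.
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Host 'A sync cycle is already running, waiting...'
    Start-Sleep -Seconds 15
}

# 3. Delta sync: only the changes since the last cycle (the walkthrough's
#    command). Use -PolicyType Initial only when a full re-import is really
#    needed, for example after changing the OU filtering.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Wait for the cycle to finish. Per-connector results (and any export
#    errors, such as duplicate UPNs) are then visible in the Synchronization
#    Service Manager opened earlier in the walkthrough.
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
Get-ADSyncScheduler | Select-Object SyncCycleInProgress, NextSyncCycleStartTimeInUTC

# 5. Scheduling: run every hour instead of every 30 minutes. A value below
#    AllowedSyncCycleInterval is not honoured; the 30-minute floor applies.
Set-ADSyncScheduler -CustomizedSyncCycleInterval (New-TimeSpan -Hours 1)

# During maintenance the scheduler can be paused and then re-enabled. Leaving
# it disabled means on-prem changes, including account disables, stop reaching
# the cloud, so re-enable it as soon as the work is done:
# Set-ADSyncScheduler -SyncCycleEnabled $false
# Set-ADSyncScheduler -SyncCycleEnabled $true
```

The wait loops matter in practice: a forced delta sync launched on top of a running cycle simply fails, and scripts that do not check SyncCycleInProgress tend to be reported as "the sync did not pick up my change" when the real cause was an overlapping cycle.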


Hope this was helpful and see you next time with some other lab :) 
