Welcome Back, In part one of this series we discussed the concept of Azure Active Directory and how Azure AD can help the IT admins to use the Azure Services in Hybrid Deployment.
In Part two, we discussed the concept of Microsoft sync tools that will help you to sync your local AD to Azure AD in addition to the difference between DirSync and Azure AD Connect tool.
In this part we will start the installation and configuration of the Azure AD Connect tool and show you how this tool will sync the AD objects and passwords to Azure AD.
In this demo we will not use DirSync tool since the recommendation from Microsoft to use Azure AD Connect tool instead of DirSync.
so let’s discuss the requirement to install AD Connect tool:
1- the forest functional level should be at least windows 2003.
2-Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials. The server must be using Windows Server standard or better.
3- The machine will be used to install AD Connect must have windows 2008 or later.
4- AD Connect can be installed in the DC itself.
5- The Azure AD Connect server should be fully updated and patched.
6- If you plan to use the feature password synchronization, the Azure AD Connect server must be on Windows Server 2008 R2 SP1 or later.
since we use the feature of Password sync, we will install the Azure AD Connect in windows 2012 R2 (the DC itself) since it meets the requirement to be at least windows 2008 R2 SP1.
First of all, you should have an azure tenant, I will assume that you already have, if you don’t have an azure tenant you can sign up for free : https://azure.microsoft.com/en-us/pricing/free-trial/
Now, You should create Azure Active Directory to use it while installation of AD Connect, go to https://manage.windowsazure.com and login with your credential:
GO to Active Directory tab:
Click in the New button:
Navigate to App Services -> Active Directory -> Directory :
Choose custom Create:
Fill the required info:
Name: choose any meaningful name.
Domain Name: write your domain name, this domain will not appear for users later, so if you don’t find your domain name available, just choose any meaningful name, so I used azuredummies domain but I will use the real domain name stsazure.com later in this demo.
Country or Region: choose your country.
Now, wait a seconds and your directory will be available as below:
As you see, New Azure AD was created and online as below:
In Datacenter region, you will see that your Azure AD have three replica with three different regions to meet the SLA of Microsoft which is I think 99.95%
Click in the New Azure AD we just created, choose Domain Tab and click ADD A CUSTOM DOMAIN as below:
Now, right your domain that will be used and click Add:
Now, Microsoft need to verify that you are the owner of the domain, so Microsoft will give you a TXT record with a specific value as shown below, you need to create the TXT record in your public DNS to prove that you are the real owner of the domain:
After verifying you will see the status of the new domain will be verified as below:
Now we need to add a global admin user to the new domain to use it while installing the Azure AD Connect, to do that click in the new domain in our example (STSAzure.com), go yo users tab and click in the ADD button:
Fill the required information:
copy the password and finalize the wizard :
the new user created and appear in the users page as below:
Now, we will start the installation and configuration part of Azure AD connect, so after prepare the server which will be used to install the Azure AD Connect tool. navigate to https://www.microsoft.com/en-us/download/details.aspx?id=47594 and download the Azure AD Connect tool, copy the setup files to the server.
Note that before you install Azure AD Connect you should install .Net Framework 3.5
Double click in the setup file, In the welcome screen accept the agreement and click continue:
Click in use Express setting if you want to use default configuration, for example if you need to use external SQL server then you should click in customize but if you need to use express version of SQL you can click in use express setting, also there are another options in the customize installation but for our demo we can choose express setting, so click in USE EXPRESS SETTINGS as below:
Wait a seconds while the installation of some components finish:
Now, the wizard ask you for a global admin credential in your azure active directory, we already created the user in the above steps, enter the user credential and click Next, the wizard will try to connect to your Azure AD:
The Azure AD Connect server should have an internet access, in the end of this article we will discuss the ports and URL’s need to be accessible in the Connectivity section.
Uncheck start the sync process as soon as the configuration complete option and click Install:
Note: if you check start the sync process as soon as the configuration complete option, then the sync will start automatically and sync all objects (Users and Groups) to azure AD, in this demo I uncheck the option to show you how you can do OU filtering if you don’t need to sync all users and groups, so if you need to sync every thing you can check the option and skip the OU filtering steps.
OU filtering is a method using for sync specific users or groups to the Azure AD based in OU location, so I created an OU called Azure and create three users inside it as below:
Now , Navigate to C:\Program Files -> Microsoft Azure AD Sync -> UIShell and double click in the MSClient as below:
Go to the connectors tab, you will have two connectors used for syncing, the first one is for the cloud and the second one for the local AD, right click in the second connector (Demo.lab) and click properties as below:
Now choose Configure Directory Partitions tab and click in Container button as below:
Enter a user that have an permission to access your local AD and click OK:
In this demo, I will deselect all OU’s and select only Azure OU as below:
Navigate to C:\Program Files\Microsoft Azure AD Sync\Bin then write .\DirectorySyncClientCMD.exe delta and click Enter:
wait a minutes and the sync will be completed:
Wait around 30 minutes and you will see that the users will appears in the Azure AD portal as below:
Ad Connect connectivity:
(This section is copied from Microsoft site)
- If you have firewalls on your Intranet and you need to open ports between the Azure AD Connect servers and your domain controllers then see Azure AD Connect Ports for more information.
- If your proxy limits which URLs which can be accessed then the URLs documented in Office 365 URLs and IP address ranges must be opened in the proxy.
- If you are using an outbound proxy for connecting to the Internet, the following setting in theC:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config file must be added for the installation wizard and Azure AD Connect sync to be able to connect to the Internet and Azure AD. This text must be entered at the bottom of the file. In this code, <PROXYADRESS> represents the actual proxy IP address or host name.
<system.net> <defaultProxy> <proxy usesystemdefault="true" proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>" bypassonlocal="true" /> </defaultProxy> </system.net>
If your proxy server requires authentication, then the section should look like this instead.
<system.net> <defaultProxy enabled="true" useDefaultCredentials="true"> <proxy usesystemdefault="true" proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>" bypassonlocal="true" /> </defaultProxy> </system.net>
With this change in machine.config the installation wizard and sync engine will respond to authentication requests from the proxy server. In all installation wizard pages, excluding theConfigure page, the signed in user’s credentials are used. On the Configure page at the end of the installation wizard, the context is switched to the service account which was created. See MSDN for more information about the default proxy Element.
- You also need to configure winhttp. Start a cmd-prompt and enter:
C:\>netsh netsh>winhttp netsh winhttp>set proxy <PROXYADDRESS>:<PROXYPORT>
If you have problems with connectivity, please see Troubleshoot connectivity problems.
In next parts we will integrate Azure AD with many Azure services such as Azure MFA and Azure Application proxing, so stay tuned 🙂
Ahmad Yasin in a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also hold many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.
Ahmad is currently working in Specialized Technical Services Company (STS).