Azure Active Directory Labs Series – AD Connect

Solution  · 

Back in June I had the pleasure of delivering a training on Azure Active Directory to two customer crowds.  I say pleasure because not only do I love to share knowledge but also, the preparation of the training forces me to go deep on some aspects of what I’m going to teach.

In that training there were 8 labs and I thought it would be great to share them to the more general public.  The labs follow each other and build on each other.

You can find the exhaustive list in Cloud Identity & Azure Active Directory page.  This is the sixth lab.

In the current lab we configure AD Connect to synchronize on premise AD with Azure AD.  We will install AD Connect on one of the Domain Controller created in an earlier lab. In a more realistic environment you would install AD Connect on a separate VM joined to the Domain Controller’s domain. The configuration would be very similar.

Configure Azure AD

  1. Go to the legacy portal @ https://manage.windowsazure.com
  2. Scroll down the left menu to the bottom and select Active Directory
    clip_image002
  3. You should see the following screen
    clip_image004
  4. Select a tenant you created for this lab & enter it
    clip_image006
  5. Select the Users menu
  6. At the screen bottom, click the Add User button
  7. An Add User dialog should appear
  8. For User Name, type SyncAdmin
  9. Click the next arrow at the bottom of the pop up
  10. Fill the User Profile form
    • First Name: Sync
    • Last Name: Admin
    • Display Name: Sync Admin
    • Role: Global Admin
    • Alternate email address: type your corporate email here
  11. Click the next arrow at the bottom of the pop up
  12. Click the Create button
  13. Copy the temporary password
  14. Create a permanent password for the newly created account
    1. Open an In private Browser Window
    2. Navigate to https://portal.azure.com
    3. In the Email or Phone, type the full name of the account
      You can find the name in the full name of your account in the last Add User screen (of course, you need to remove the single quotes)
      clip_image008
    4. In the password text box, paste the new password you copied previously
    5. Click Sign In
    6. You’ll be prompted to update the password ; do so & remember the new password
    7. Close the In private browser
  15. Back in the classic Azure portal, select the Directory Integration menu
    clip_image010
  16. Next to the Directory Sync select Activated option
    clip_image012
  17. At the bottom of the screen, click the Save button

Installing AD Connect

  1. Go to the Azure portal @ https://portal.azure.com
  2. In the left column menu, select Resource Groups
    clip_image014
  3. Select DCGroup
  4. Select adBDC Virtual machine
  5. RDP into it
  6. Go to http://go.microsoft.com/fwlink/?LinkId=615771
  7. Download the AD Connect tool
  8. Install it
  9. Agree on terms & conditions
  10. Given the simplicity of the setup (one forest, same VM as the DC), we can use the express settings
    Select Use express settings
    clip_image016
  11. The tool will install components as part of Synchronisation Service install, click Install
  12. Fill the Connect to Azure AD form
    clip_image018
    1. In the User name box, type the full name of the SyncAdmin account you created
    2. In the password box, type the password you typed when you updated the password of the account
  13. Click the Next button
  14. Fill Connect to AD DS form
    clip_image020
    1. In user name box, type dm.demo.com\syncaccount
    2. Enter the password you gave that account (likely Abc123!@#)
  15. Click the Next button
  16. Select Continue without any verified domains and click Next
    clip_image022
  17. You are ready to start synchronization, click Install
    clip_image024
  18. The installation & synchronization takes a few minutes
  19. Configuration should complete
    clip_image026

Validate synchronization

Here we’ll validate that the synchronization occurs.

  1. Back in the Azure AD tenant, select the Users menu
  2. You should now see more users
  3. Moreover, the users synchronized from on premise should be sourced from Local Active Directory (Sourced From column)
    clip_image028
  4. Select Max Eisenhardt (one of the synchronized account)
  5. You should see that fields are grayed out: you can’t modified synchronized objects since Azure AD isn’t the master of record of those objects
    clip_image030
  6. Open an In Private browser window
  7. Navigate to https://portal.azure.com
  8. In email box, type meisenhardt followed by @ & the name of your Azure AD (e.g. meisenhardt@vpllab.onmicrosoft.com)
  9. In password box, type the password you gave to on premise accounts (likely Abc123!@#)
  10. You should login to the portal with Max Eisenhardt credentials

Refine configuration

Here we’ll look at how we could refine the configuration of AD Connect.

  1. In the Active Directory VM, press the Windows key
  2. Press the down key
    clip_image032
  3. Click the Azure AD Connect App
    clip_image034
  4. In the tasks view, select Customize synchronization options
    clip_image036
  5. Click Next
  6. Fill the Connect to Azure AD form
    clip_image038
    1. In the User name box, type the full name of the SyncAdmin account (Azure AD)
    2. In the password box, type the password you typed when you updated the password of the account
  7. Click Next
  8. Fill Connect Directories form
    clip_image040
    1. In user name box, type dm.demo.com\syncaccount
    2. Enter the password you gave that account (likely Abc123!@#)
  9. Click the Next button
  10. Here we could filter on which domains / OUs we synchronize
    clip_image042
  11. Click the Next button
  12. Here we could configure other features, e.g. password writeback
    clip_image044

Post Lab

None.

Leave a comment