Azure AD Connect


Azure AD Connect is a tool provided by Microsoft that extends the scope of AD accounts to cloud services. AD user accounts can normally be used only within an AD domain. To allow a user to use the same login and password in a cloud service (Azure, EMS, Office 365, …), the accounts must be synchronized. Several solutions are possible: an ADFS server, password synchronization, or Azure AD pass-through authentication. The tool can be installed on a domain controller or on a server (domain-joined or in a workgroup).
Multiple AD forests can be synchronized to the same tenant, provided certain requirements are met.

Synchronize multiple AD forests

Let's take as an example two AD forests, belonging to a holding company, to be synchronized to one tenant. The two forests are connected by an IPsec VPN, with a firewall on each side. The Azure AD Connect server can only be installed in one of the two AD forests, because it is not possible to use more than one Azure AD Connect server per tenant. A trust relationship between the two AD forests is not required, but conditional forwarders must be added in the DNS console. The following ports are used, so the traffic must be allowed through each firewall:

  • Protocol DNS, Port 53
  • Protocol Kerberos, Port 88
  • Protocol MS-RPC, Port 135
  • Protocol LDAP, Port 389
  • Protocol LDAP/SSL, Port 636
  • Protocol RPC, Port 49152-65535

For more information see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
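As an added example (not code from the original post), the following PowerShell snippet, run on the server that will host Azure AD Connect, adds the conditional forwarder for the remote forest and then checks that a domain controller of that forest answers on each fixed port listed above. Forest name and DNS server addresses are placeholders. Test-NetConnection only probes TCP, and the RPC dynamic range cannot be enumerated port by port, so those two cases are documented rather than tested.

```powershell
# Added example (not from the original post): verify cross-forest DNS and port
# reachability from the future Azure AD Connect server. Names are placeholders.
$RemoteForest   = 'forest2.example'               # placeholder: DNS name of the other forest
$RemoteDnsHosts = @('10.2.0.10', '10.2.0.11')     # placeholder: DNS servers / DCs in that forest

# 1. Conditional forwarder so that local DNS resolves the remote forest
#    (run on the local DNS server; requires the DnsServer module).
if (-not (Get-DnsServerZone -Name $RemoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $RemoteForest `
        -MasterServers $RemoteDnsHosts -ReplicationScope 'Forest'
}

# 2. Locate a domain controller of the remote forest through the forwarder.
$dc = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1).NameTarget

# 3. Probe each fixed port from the post's list (TCP only; DNS over UDP and the
#    RPC dynamic range 49152-65535 must be checked on the firewall rules themselves).
$ports = @(
    @{ Name = 'DNS';      Port = 53  },
    @{ Name = 'Kerberos'; Port = 88  },
    @{ Name = 'MS-RPC';   Port = 135 },
    @{ Name = 'LDAP';     Port = 389 },
    @{ Name = 'LDAP/SSL'; Port = 636 }
)
$results = foreach ($p in $ports) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{ Protocol = $p.Name; Port = $p.Port; Target = $dc; Reachable = $ok }
}
$results | Format-Table -AutoSize
# Any row with Reachable = False points at a port still blocked by one of the two firewalls.
```

Running this before the Azure AD Connect wizard avoids discovering a blocked port halfway through the "Add directory" step, where the error message only says the forest could not be contacted.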

Change the UPN and domain in Active Directory

The public domain names must be added in the Office 365 portal. From the office.microsoft.com portal, open the administration portal, then click Add a domain.

Open O365 portal

A wizard starts; enter the domain name, then click Next.

Add domain for Azure AD Connect

A TXT record must be created in the public DNS zone, with the value given by the wizard. This record is used to verify ownership of the domain name; the domain cannot be used until the value has been added. Once the public DNS change has propagated, click Check.

Value of the txt

Validate the following windows without making changes. Synchronizing Active Directory accounts into Azure AD requires changing the UPN (User Principal Name). The UPN suffix is added from the Active Directory Domains and Trusts console: open the properties of Active Directory Domains and Trusts (right-click, Properties), then add the desired UPN suffix.

Add UPN Azure AD Connect

From the Active Directory Users and Computers console, open the properties of each user account that must be synchronized. On the Account tab, change the account's UPN suffix so that it uses the public domain name. Repeat for all accounts that must be synchronized. Note that a UPN change can have an impact on some applications. Filtering of the user accounts to be synchronized will be done with a security group: create a global security group (the name does not matter), then add the users to it.
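The UPN suffix, per-user UPN change and filter group described above can be done in one pass with the ActiveDirectory module. This is an added example, not a script from the original post; the suffix, OU and group name are placeholders. Because the post warns that a UPN change can affect applications, the script prints the planned old/new UPN pairs first and runs the changes with -WhatIf until that list has been reviewed.

```powershell
# Added example (not from the original post): add a UPN suffix to the forest,
# switch selected users to it, and put them in the sync filter group.
# Requires the ActiveDirectory module; all names below are placeholders.
Import-Module ActiveDirectory

$PublicSuffix = 'contoso.example'              # placeholder: verified public domain name
$SourceOu     = 'OU=Users,DC=corp,DC=local'    # placeholder: OU holding the accounts to sync
$SyncGroup    = 'AAD-Sync-Users'               # placeholder: group name (does not matter)

# 1. Register the public domain as an alternative UPN suffix (the Domains and Trusts step).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PublicSuffix }
}

# 2. Create the global security group used for filtering, if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$SyncGroup'")) {
    New-ADGroup -Name $SyncGroup -GroupScope Global -GroupCategory Security -Path $SourceOu
}

# 3. Plan the UPN change for enabled users in the OU and show it before applying:
#    applications that key on the old UPN can break, so the list is reviewed first.
$users = Get-ADUser -SearchBase $SourceOu -Filter 'Enabled -eq $true' -Properties UserPrincipalName
$plan = foreach ($u in $users) {
    [pscustomobject]@{
        Sam    = $u.SamAccountName
        OldUpn = $u.UserPrincipalName
        NewUpn = '{0}@{1}' -f $u.SamAccountName, $PublicSuffix
    }
}
$plan | Format-Table -AutoSize

# 4. Apply the UPN change and group membership (remove -WhatIf once the plan is approved).
foreach ($row in $plan) {
    Set-ADUser -Identity $row.Sam -UserPrincipalName $row.NewUpn -WhatIf
    Add-ADGroupMember -Identity $SyncGroup -Members $row.Sam -WhatIf
}
```

Keeping the plan output (for example redirected to a file) also gives a record of the previous UPNs should an application need the old value restored.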

Install Azure AD Connect

Azure AD Connect can now be installed on a server (Windows Server 2008 R2, 2012 or 2012 R2). First download the software (Link for Download).

For Windows Server 2008 R2 servers, the following components must be installed first:
  • Windows Management Framework 3.0 (Link for download)
  • .NET Framework 4.0 (Link for Download)

Run the downloaded file, then proceed with the installation.

Installing Azure AD Connect

After the installation, a wizard starts to perform the installation and configuration of Azure AD Connect. Accept the license terms by clicking I accept the terms of the license and privacy statement.

Wizard Azure AD Connect

In the Quick Setup window, click Customize.

Configure Sync

In the Install required components window, click Install without making any changes to launch the installation.

Configure sync

Select the desired type of synchronization. Here the choice was made to synchronize the password hashes to Azure AD. Check the Password Synchronization option, then click Next.

Sync Azure password

A connection to the Azure AD directory is required. Enter the Azure username and password in the Connect to Azure AD window, then click Next to connect.

Enter credential Azure AD

Enter the name of the Active Directory forest, a user name and a password. Click Add Directory, then click Next.

Configure Active Directory

A check of the UPN suffix and of the external domain is performed; click Next. Filtering is done with a security group, so leave the default choice in the Domain and OU filtering window.

Configure Active Directory sync

To set the desired filtering, select Synchronize selected in the Filter users and devices window. Enter the group name, then click Resolve.

Select groups for synchronisation

Validate the following windows without modification.

Synchronize another AD forest on the same tenant

As for the first AD forest, add the public domain name to the Office 365 portal and verify it. The UPN suffix can then be added and the users' UPNs modified. To add a new forest, double-click the Azure AD Connect shortcut on the desktop of the Azure AD Connect server.

Azure AD Connect

A wizard starts; click Configure. Select Customize synchronization options, then click Next.

Personalize synchronization

A connection to the Azure AD directory is required. Enter the Azure username and password in the Connect to Azure AD window, then click Next to connect.

Configure User account Azure AD

Enter the name of the Active Directory forest, a user name and a password. Click Add Directory, then click Next.

Enter Active Directory information

A check of the UPN suffix and of the external domain is performed; click Next. Filtering is done with a security group, so leave the default choice in the Domain and OU filtering window.

Azure AD Connect

To set the desired filtering, select Synchronize selected in the Filter users and devices window. Enter the group name, then click Resolve.

Select sync

Validate the following windows without modification.
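Once both forests have been added, the result can be checked from the Azure AD Connect server itself rather than by waiting for a user to report a login problem. The following added example (not from the original post) uses the ADSync module installed with Azure AD Connect to confirm that one connector exists per forest, runs a delta synchronization, and then looks up one test user from each forest in Azure AD. The MSOnline module, the forest names and the sample UPNs are assumptions.

```powershell
# Added example (not from the original post): post-installation check of a
# two-forest Azure AD Connect setup. Forest names and UPNs are placeholders.
Import-Module ADSync

$ExpectedForests = @('corp.local', 'forest2.example')                   # placeholder forest names
$SampleUsers     = @('alice@contoso.example', 'bob@fabrikam.example')  # placeholder: one user per forest

# 1. Each synchronized forest should appear as a connector (the Azure AD connector is listed too).
$connectorNames = (Get-ADSyncConnector).Name
foreach ($f in $ExpectedForests) {
    if ($connectorNames -notcontains $f) { Write-Warning "No connector found for forest $f" }
}

# 2. Check that the scheduler is enabled, run a delta sync, and wait for it to finish.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) { Write-Warning 'Sync scheduler is disabled; no automatic sync will run' }
Start-ADSyncSyncCycle -PolicyType Delta
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 3. Confirm the sample users reached Azure AD (MSOnline module assumed; prompts for tenant credentials).
Import-Module MSOnline
Connect-MsolService
foreach ($upn in $SampleUsers) {
    $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if ($u) { '{0}: last directory sync {1}' -f $upn, $u.LastDirSyncTime }
    else    { Write-Warning "$upn not found in Azure AD: check UPN suffix and filter group membership" }
}
```

A user missing from Azure AD after a completed delta cycle almost always means either the UPN still uses the internal suffix or the account is not a member of the filter group given to the wizard.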
