Azure AD Connect
Azure AD Connect is a tool provided by Microsoft that extends the scope of AD accounts to cloud services. On their own, AD user accounts can only be used inside an AD domain. To let a user sign in to a cloud service (Azure, EMS, Office 365, …) with the same login and password, the accounts must be synchronized. Several solutions are possible: an ADFS server, password (hash) synchronization, or Azure AD pass-through authentication. The tool can be installed on a domain controller or on a member server (joined to the domain or in a workgroup).
It is possible to synchronize multiple AD forests to the same tenant, provided certain requirements are met.
Synchronize multiple AD forests
Let’s take as an example the synchronization of two AD forests belonging to one holding company. The two forests are connected by an IPsec VPN with a firewall on each side. The Azure AD Connect server can only be installed in one of the two AD forests, because a tenant cannot use more than one synchronization server. A trust relationship between the two forests is not required, but conditional forwarders for the other forest must be added in the DNS console. The following ports are used, so the traffic must be allowed through each firewall:
- Protocol DNS, Port 53
- Protocol Kerberos, Port 88
- Protocol MS-RPC, Port 135
- Protocol LDAP, Port 389
- Protocol LDAP/SSL, Port 636
- Protocol RPC, Port 49152-65535
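Before running the wizard it is worth confirming, from the server that will host Azure AD Connect, that the other forest actually resolves through the conditional forwarder and that the listed ports are open through both firewalls. The following pre-flight check is an added example, not part of the original article; forest-b.example and dc01.forest-b.example are placeholders for the remote forest and one of its domain controllers.

```powershell
# Added example (not from the original article): pre-flight connectivity check for
# the remote forest, run on the future Azure AD Connect server.
# $RemoteForest / $RemoteDc are placeholders for the other forest and one of its DCs.
param(
    [string]$RemoteForest = 'forest-b.example',
    [string]$RemoteDc     = 'dc01.forest-b.example'
)

# 1. Name resolution via the conditional forwarder: the DC locator SRV record of the
#    remote forest must resolve, otherwise the wizard cannot find that forest.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$RemoteForest" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No SRV record for $RemoteForest - check the conditional forwarder in the DNS console."
} else {
    Write-Host "DC locator for $RemoteForest resolves to: $($srv.NameTarget -join ', ')"
}

# 2. Fixed ports from the list above. The RPC dynamic range (49152-65535) cannot be
#    probed port by port; only the endpoint mapper (135) is tested here, the range
#    itself has to be verified on the firewall rule.
$ports = [ordered]@{
    'DNS'      = 53
    'Kerberos' = 88
    'MS-RPC'   = 135
    'LDAP'     = 389
    'LDAP/SSL' = 636
}

$results = foreach ($entry in $ports.GetEnumerator()) {
    $test = Test-NetConnection -ComputerName $RemoteDc -Port $entry.Value -WarningAction SilentlyContinue
    [pscustomobject]@{
        Protocol = $entry.Key
        Port     = $entry.Value
        Open     = $test.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Anything closed here shows up later as a wizard failure, so fix the firewall first.
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    $list = ($closed | ForEach-Object { "$($_.Protocol)/$($_.Port)" }) -join ', '
    Write-Warning "Blocked from this host: $list"
}
```

Run it once from the Azure AD Connect server toward each remote forest; a failed SRV lookup points at the DNS forwarder, a closed port at one of the two firewalls.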
For more information see https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
Change UPN and domain in Active Directory
The public domain names must be added in the Office 365 portal. From the office.microsoft.com portal, open the administration portal and click Add a domain.
A wizard starts; enter the domain name and click Next.
A TXT record must be created in the public DNS with the value given by the wizard. This record is how the domain name is verified; the domain cannot be used until the value has been added. Once the public DNS has been updated, click check.
Validate the following windows without making changes. Synchronizing Active Directory accounts to Azure AD requires changing the UPN (User Principal Name) so that its suffix matches the verified public domain. The UPN suffix is added from the Active Directory Domains and Trusts console: open the properties of the root node (right-click, Properties) and add the desired suffix.
From the Active Directory Users and Computers console, open the properties of each user account that must be synchronized. On the Account tab, change the account’s UPN suffix so that it uses the public domain name. Repeat for every account to be synchronized. Keep in mind that a UPN change can affect some applications. The user accounts to migrate will be filtered with a security group: create a global security group (the name doesn’t matter) and add the users to it.
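The suffix, user and group steps above can be scripted instead of clicked through, which matters once more than a handful of accounts are involved. The script below is an added example and not part of the original article; it uses the ActiveDirectory module, and corp.example (public suffix), AADC-Sync-Users (group name) and the OU search base are placeholders. It refuses to set a UPN that is already in use and supports -WhatIf so the changes can be previewed first. The optional -Server parameter lets the same script be run against a second forest.

```powershell
# Added example (not from the original article): register the public UPN suffix,
# create the filter group and move the users of one OU to the new suffix.
# corp.example, AADC-Sync-Users and the SearchBase are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PublicSuffix = 'corp.example',
    [string]$GroupName    = 'AADC-Sync-Users',
    [string]$SearchBase   = 'OU=Users,DC=corp,DC=local',
    [string]$Server                                  # optional DC of another forest
)

Import-Module ActiveDirectory

# Pass -Server through to every AD cmdlet when one was given.
$common = @{}
if ($Server) { $common.Server = $Server }

# 1. Register the public UPN suffix on the forest (Domains and Trusts console step).
$forest = Get-ADForest @common
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $PublicSuffix")) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PublicSuffix } @common
    }
}

# 2. Global security group used by the Azure AD Connect group filter.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" @common
if (-not $group) {
    if ($PSCmdlet.ShouldProcess($GroupName, 'Create global security group')) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru @common
    }
}

# 3. Switch each user's UPN suffix and add the user to the filter group.
#    sAMAccountName is kept as the UPN prefix; a clash with an existing UPN is
#    reported and skipped rather than forced.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName @common
foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $PublicSuffix
    if ($u.UserPrincipalName -eq $newUpn) { continue }

    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" @common
    if ($clash -and $clash.DistinguishedName -ne $u.DistinguishedName) {
        Write-Warning "Skipping $($u.SamAccountName): $newUpn is already used by $($clash.DistinguishedName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn @common
        if ($group) { Add-ADGroupMember -Identity $group -Members $u @common }
    }
}

# 4. Verify: every member of the filter group should now carry the public suffix.
if ($group) {
    Get-ADGroupMember -Identity $group @common |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties UserPrincipalName @common |
        Where-Object { $_.UserPrincipalName -notlike "*@$PublicSuffix" } |
        ForEach-Object { Write-Warning "Still on old suffix: $($_.UserPrincipalName)" }
}
```

Run it first with -WhatIf to list the accounts that would change; applications that authenticate users by UPN should be inventoried before the real run, since the article notes that a UPN change can affect them.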
Install Azure AD Connect
Azure AD Connect can now be installed on a server (2008 R2, 2012 or 2012 R2). First download the software from Microsoft.
For Windows Server 2008 R2 servers, the following components must be installed first:
- Windows Management Framework 3.0
- .NET Framework 4.0
Run the downloaded file, and then proceed with the installation.
After installation, a wizard starts to perform the configuration of Azure AD Connect. Accept the license agreement by clicking I accept the terms of the license and privacy statement.
In the Quick Setup window, click Customize.
In the Install required components window, click Install without making any changes and let the installation run.
Select the desired type of synchronization. In this example the choice is to synchronize password hashes to Azure AD: check the Password Synchronization option and click Next.
A connection to the Azure AD directory is required. In the Connect to Azure AD window, enter the Azure username and password and click Next.
Enter the name of the Active Directory forest together with a username and password, click Add Directory, and then click Next.
The UPN suffixes and the verified external domains are checked; click Next. Since filtering is done with a security group, leave the default choice in the Domain and OU filtering window.
To apply the desired filtering, select Sync selected in the Filter users and devices window, enter the name of the group and click Resolve.
Validate the following windows without modification.
Synchronize another AD forest on the same tenant
As for the first AD forest, the public domain name must be added to the Office 365 portal and verified. Then the UPN suffix can be added and the users’ UPNs modified. To add a new forest, double-click the Azure AD Connect shortcut on the desktop of the Azure AD Connect server.
A wizard starts; click Set up. Select Customize synchronization options and click Next.
A connection to the Azure AD directory is required. In the Connect to Azure AD window, enter the Azure username and password and click Next.
Enter the name of the second Active Directory forest together with a username and password, click Add Directory, and then click Next.
The UPN suffixes and the verified external domains are checked; click Next. Since filtering is done with a security group, leave the default choice in the Domain and OU filtering window.
To apply the desired filtering, select Sync selected in the Filter users and devices window, enter the name of the group and click Resolve.
Validate the following windows without modification.
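Whether the wizard has just configured the first forest or added the second one, the result should be checked from the Azure AD Connect server rather than assumed: each forest must appear as a connector, the scheduler must not be disabled or in staging mode, and a full initial cycle should complete successfully. The following check is an added example, not part of the original article; it relies on the ADSync module shipped with Azure AD Connect and assumes the Get-ADSyncRunProfileResult cmdlet is available, which is not the case on very old builds.

```powershell
# Added example (not from the original article): post-wizard verification run on the
# Azure AD Connect server, after the first forest or after a second forest was added.
# Assumes the ADSync module of a current Azure AD Connect build (Get-ADSyncRunProfileResult).
Import-Module ADSync

# 1. One 'AD' connector is expected per synchronized forest, plus the Azure AD
#    connector (type 'Extensible2'). A missing forest means the add-directory step failed.
$connectors   = Get-ADSyncConnector
$adConnectors = @($connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' })
$aadConnector = $connectors | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }
Write-Host ("AD forests connected ({0}): {1}" -f $adConnectors.Count, ($adConnectors.Name -join ', '))
Write-Host ("Azure AD connector: {0}" -f $aadConnector.Name)

# 2. Scheduler state: a disabled cycle or staging mode means nothing reaches the tenant.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) { Write-Warning 'Sync cycle is disabled; accounts will not flow to Azure AD.' }
if ($sched.StagingModeEnabled)    { Write-Warning 'Server is in staging mode; it imports but exports nothing.' }
Write-Host ("Next cycle: {0} UTC, policy {1}" -f $sched.NextSyncCycleStartTimeInUTC, $sched.NextSyncCyclePolicyType)

# 3. A newly added forest needs a full import, so request an Initial cycle rather than
#    waiting for the scheduled Delta run, unless a run is already in progress.
if (Get-ADSyncConnectorRunStatus) {
    Write-Warning 'A sync run is already in progress; not starting another one.'
} else {
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
}

# 4. Wait for the cycle to finish, then report the most recent result per connector.
while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 15 }

$nameById = @{}
foreach ($c in $connectors) { $nameById[$c.Identifier.ToString()] = $c.Name }

Get-ADSyncRunProfileResult -NumberRequested ($connectors.Count * 3) |
    Sort-Object StartDate -Descending |
    Group-Object ConnectorId |
    ForEach-Object {
        $last = $_.Group | Select-Object -First 1
        [pscustomobject]@{
            Connector = $nameById[$_.Name]
            Result    = $last.Result
            Started   = $last.StartDate
            Ended     = $last.EndDate
        }
    } | Format-Table -AutoSize
```

A Result other than success on one of the AD connectors usually means the account entered in the wizard lost access or a firewall port from the list at the top of the article is blocked toward that forest.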