This video demonstrates the installation and configuration of Azure Active Directory Connect to a Server 2012 R2 Active Directory.
- [Instructor] Now that we've had a discussion about Azure Active Directory Connect, let's actually see it in action. As you can see, I have logged in to Azure, and I happen to be in the BennettDemo Azure Active Directory. First thing I need to do is click on Azure Active Directory Connect. You can see that it's never run, and that's because it has never been installed. The only thing you'd really do from here is download the Azure Active Directory Connect tool. You can also do that by using your favorite search engine and searching for Azure Active Directory Connect tool download.
Let's flip over to the server where we're going to install this. This server is a virtual server within Azure. It is on a network, and I have already downloaded the Azure Active Directory Connect tool, but to show you a little bit about this server, you can see that I have three users, which all happen to be part of the social media group. I have James K. Kirk. Apparently he's related to James T. Kirk. We have Leonard McCoy and Montgomery Scott. I'm going to go ahead and cancel this, and they all happen to be in the bennettdemo.com domain.
I have already gone ahead and downloaded Azure Active Directory Connect, as I said, and we're going to go ahead and run the installation. One thing I do want to point out is that this server is our DC. DNS has been set up, and I have configured DNS within the virtual network on Azure. For our demonstration purposes, I'm installing Azure Active Directory Connect on this DC. Best practices, you would install it on a member server. I'm going to go ahead and run Azure Active Directory Connect.
The tool itself will go ahead and install all the additional components as required. Your installation may take a little bit longer, depending what you already have pre-installed. I'm going to go ahead and close my downloads window, and now we can start stepping through the tool itself. The first thing you'll do is agree to the license terms and privacy notice, and then click Continue. We have two options when we install Azure Active Directory Connect. We have the Express Settings, which will go ahead and synchronize our usernames, passwords, groups, and it will automatically configure password synchronization.
This is probably the easiest one to step through, but I want to show you the other options, so we're going to use Customize. Here, you can go ahead and make adjustments to changing the location for the installation, you can use an existing SQL server, you can change the service account, or you can specify custom sync groups. I'm not going to choose any of these. And go ahead and click Install. Required components will now be installed. Now that all the components have been installed, we can continue with the configuration.
We can do Password Synchronization. We could do Pass-through authentication, therefore password hashes are not stored in Azure. We can do Federation services if we wish, or do not configure. I'm going to go ahead and use Password Synchronization. I can also go ahead and enable single sign on. Selecting this will enable single sign on for our corporate desktop users. Then go ahead and click Next. Next, we need to add our credentials for our Azure Active Directory.
I'm entering the account, email@example.com. That user account is in Azure Active Directory, and it is a global user. I've added our password. The tool is now verifying those credentials, and this is why I added in the custom domain. Next, we need to add in our credentials for our on-premises Active Directory.
I'm going to go ahead, Add Directory, and perfect, that has been added for us. We can go ahead and add multiple directories as required. I'm going to go ahead and click Next. Remember one of the requirements is our UPN suffixes needs to match our verified custom domains in Azure Active Directory. So our Active Directory UPN suffix is bennettdemo, and in Azure, that has been verified. Again, we added that custom domain name for this reason.
We can go ahead and change the on-premises attribute to use for our Azure Active Directory username. I'm going to leave it as userPrincipalName, and go ahead and click Next. Then we have the option to sync all domains and OUs, or we can select the domains and OUs that we'd like to sync. I'm going to go ahead and take everything. How do we want to identify our users? I'm going to go ahead and take the default, that our users are represented only once across all directories. If you're using multiple directories, you can go ahead and pick an attribute to match them on.
The source anchor, I'm going to leave this default, but again, you do have options here. You'll choose the options that best suit your needs. If you're just getting started, I tend to go with the defaults. Go ahead, click Next, and I'm going to go ahead and sync all users and devices. But again, I could go ahead and pick and choose if I wanted to do so. Then we have some optional features we can choose from. Password synchronization is already selected for us; we can't do anything else there. I'm going to go ahead and select Password writeback.
I do have the premium SKU here; therefore, I'm able to select this option. If I did not have the premium SKU, I would not be able to do so. This means that our passwords will be written from our cloud back to Active Directory. The rest of these, I'm going to leave. I'm going to go ahead and click Next, and finally, I need to enter in the domain administrator credentials. This will allow for single sign on.
There we go, and we click Next. And finally, we're ready to configure. We do have two options here. We can start the synchronization process when configuration completes, and that's normally what you would do. Our second option is enabling staging mode. Staging mode you'd use maybe if you were moving from on-prem Exchange into Office 365 would be an example. Then I'm going to go ahead and click Install. For the most part, I didn't make any changes to the configuration, and I could have used express setup, but I wanted to show you the options that were available to you.
Again, if you're just starting out, you may find the express setup the easiest way to go. This will take several minutes to configure, so we'll wait. You will notice that the Azure Active Directory Connect Health Agent is also being installed. It is part of the Azure Active Directory Connect tool. The installation configuration will probably take two to five minutes to complete. Once it is complete, you'll be presented with this page that your configuration succeeded. From here, you can exit.
Let's go back to Azure Active Directory to see if James K. Kirk, Leonard McCoy, and Mr. Scott have been synchronized to Azure Active Directory. We don't see any status updates on this page. It's because it needs to be refreshed. I'm going to go ahead and close this blade, and then reopen Azure Active Directory. You will notice that this page now looks a little different. You're going to notice that we have additional users. I'm just going to click into Users and Groups.
Let's go ahead and look at All users. You're going to notice that we have James Kirk here, we have McCoy, and then we have Scotty. We have additional groups that have also been added, including that social media group. Our Azure Active Directory Connect says sync is not enabled, but we can see that it has been enabled. One thing I do want to point out here is that you'll notice the Azure AD management experience is in preview. You can do everything I've done here in the classic portal, and normally, I recommend that you never use anything that is in preview, and wait 'til it goes to general availability.
Azure Active Directory has been in preview in the new portal for some time, and I expect it to become generally available within the near future. But there may be a few things because of this that don't quite work or may need to be tweaked. And of course, this is one of them. It is still indicating that sync has never run, yet we do see that our users are there. So keep that in mind when you're using the new portal. I can almost guarantee, if we went into the classic portal, it would say that the sync was fine.
And there you have it, installing Azure Active Directory Connect to connect your on-premises environment to your Azure Active Directory and syncing those usernames, groups, and passwords for you directly into Azure Active Directory.
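The portal in the video never confirmed that the sync ran, so here is a post-install check that does not depend on the portal. This is an added example, not part of the video or the course: it runs in an elevated PowerShell session on the server where Azure AD Connect was installed, and assumes the ADSync module (installed with the tool) and the ActiveDirectory RSAT module are present. The domain name bennettdemo.com comes from the video; the list of verified custom domains is an assumption you copy from the Custom domain names blade in Azure AD.

```powershell
<#
  Added example (not the video's own steps): verify an Azure AD Connect install.
  Assumes the ADSync and ActiveDirectory modules; $VerifiedDomains is an assumption
  taken from the Azure AD portal, and bennettdemo.com is the domain from the video.
#>
Import-Module ADSync
Import-Module ActiveDirectory

function Test-AadConnectServer {
    param(
        # Verified custom domains in Azure AD, copied from the portal (assumption).
        [string[]]$VerifiedDomains = @('bennettdemo.com')
    )

    # 1. Where is the tool installed? Win32_ComputerSystem.DomainRole 4 or 5 means
    #    domain controller. The video installs on the DC for demo purposes only;
    #    best practice is a member server.
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        Write-Warning "Azure AD Connect is running on a domain controller; best practice is a member server."
    }

    # 2. Every UPN suffix in use must be a verified custom domain in Azure AD,
    #    otherwise the synced user does not get the UPN you expect.
    $unverified = Get-ADUser -Filter * -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName } |
        Where-Object { $_.UserPrincipalName.Split('@')[1] -notin $VerifiedDomains }
    foreach ($u in $unverified) {
        Write-Warning "UPN suffix not verified in Azure AD: $($u.UserPrincipalName)"
    }

    # 3. Scheduler: is the sync cycle enabled, and was staging mode left on?
    #    A server in staging mode imports and syncs but never exports to Azure AD.
    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) { Write-Warning "Sync cycle is disabled." }
    if ($sched.StagingModeEnabled)    { Write-Warning "Staging mode is enabled; nothing is exported to Azure AD." }

    # 4. Optional features chosen in the wizard (password hash sync, password writeback).
    $features = Get-ADSyncAADCompanyFeature

    [pscustomobject]@{
        IsDomainController = ($role -ge 4)
        UnverifiedUpnCount = @($unverified).Count
        SyncCycleEnabled   = $sched.SyncCycleEnabled
        StagingModeEnabled = $sched.StagingModeEnabled
        NextSyncUtc        = $sched.NextSyncCycleStartTimeInUTC
        PasswordHashSync   = $features.PasswordHashSync
        PasswordWriteBack  = $features.PasswordWriteBack
    }
}

# Run the checks, then start a delta sync now rather than waiting for the
# scheduler's default 30-minute interval, so the new users appear in the portal.
Test-AadConnectServer
Start-ADSyncSyncCycle -PolicyType Delta
```

If the UPN check lists users, their suffix in Active Directory Domains and Trusts does not match a verified domain, which is exactly the requirement the wizard's UPN suffix page was checking. Run `Get-ADSyncConnectorRunStatus` afterwards; an empty result means the delta run has finished.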