In this video, Pete Zerger explains how to verify the readiness of your Windows Server Active Directory and Azure Active Directory environments for synchronization with Azure AD Connect. Learn how to identify and remediate common issues before configuring
- [Instructor] Before configuring directory synchronization, we need to check a few important items to ensure our environment is ready for this major step. The first step in the process of assessing our readiness for domain synchronization is determining what state our Windows Server Active Directory data is in. The Microsoft IdFix tool was created to help us quickly look at our directory data and highlight issues that will give us problems implementing Azure AD Connect to synchronize our directory data or in rolling out Office 365.
We can download IdFix for free from the Microsoft Download Center. IdFix will detect a number of conditions, including illegal characters, duplicate entries, invalid formatting on attributes with requirements (for example, an SMTP address), nonroutable domain names like .local, and length errors. If we skip the previous step, the problems that exist in our Windows Server Active Directory are going to be propagated to Azure AD, further complicating the cleanup effort.
This is likely to result in somewhere between a little and a lot of extra work compared to if we had run the IdFix tool ahead of configuring Azure AD Connect. Maybe you've already skipped step one, set up replication, and are now having some issues. If this describes your situation, KB article 2530569, "Troubleshooting single sign-on setup issues in Office 365, Intune, or Azure," offers guidance on cleaning up these conflicts in your Windows Server Active Directory and Azure AD.
If we haven't already, we need to configure name resolution for our Azure AD domain. We need to configure the DNS zone that matches the UPN suffix on our AD users. To do this, sign in to the Azure portal, browse to Active Directory, your default directory, then Domains, click Add a Custom Domain, enter the name of your domain, and click Add to proceed to the next screen. To ensure the domain is ready, there are a couple of additional boxes we need to check.
After we add the custom DNS domain, Azure AD will prompt us to verify ownership. The second screen of the domain wizard gives us what we need to complete this step. We'll add the TXT record presented by the wizard to DNS, wait for it to propagate, and then click the Verify button. If we can't verify a custom domain name, we can try the following; start with the most common and work down the list. First, do nothing: wait an hour, since propagation can take time.
Second, ensure the DNS record was entered correctly and that there are no typos. And if neither of the first two works, make sure the domain was not added to one of your other directories, or to any of our other organizations' Azure tenants. If a domain name was previously verified in another directory, it has to be deleted before we can add it somewhere else. If our Azure Active Directory is part of an Office 365 deployment, we can use the Check DNS option present in the Office 365 admin center at portal.office.com. Go to Admin, Domains, and click the Check DNS button to see if there are any issues with your DNS configuration.
If there are issues, the wizard will report suggested resolutions.
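The IdFix conditions described above (illegal characters, duplicates, invalid SMTP formatting, nonroutable suffixes, length errors), shown as an added example that is not the IdFix tool or code from the course. The records, the character set, and the length limits are this example's own assumptions; IdFix and the Azure AD Connect documentation remain the authority on the real rules.

```python
import re

# Constructed sample records (not real directory data). Attributes mirror what
# IdFix inspects; the limits and character sets below are this example's
# assumptions, not values taken from the IdFix documentation.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@contoso.com",
     "proxyAddresses": ["SMTP:jdoe@contoso.com"]},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@contoso.local",
     "proxyAddresses": ["SMTP:asmith@contoso.com"]},
    {"sAMAccountName": "b jones", "userPrincipalName": "b.jones@contoso.com",
     "proxyAddresses": ["smtp:JDoe@contoso.com"]},        # duplicate of jdoe's
    {"sAMAccountName": "x" * 25, "userPrincipalName": "x@contoso.com",
     "proxyAddresses": ["SMTP:bad address@contoso.com"]},
]

NONROUTABLE_SUFFIXES = {"local"}              # the video's example; extend as needed
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<> \t')      # assumed illegal set for sAMAccountName
MAX_SAM_LEN, MAX_UPN_LEN = 20, 113            # assumed length limits
SMTP_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def find_issues(users):
    """Return (sAMAccountName, attribute, problem) tuples for every record
    that would cause trouble when Azure AD Connect synchronizes it."""
    issues, seen = [], {}          # seen: lowercased mailbox -> first owner
    for u in users:
        sam, upn = u["sAMAccountName"], u["userPrincipalName"]
        if len(sam) > MAX_SAM_LEN:
            issues.append((sam, "sAMAccountName", "length"))
        if SAM_ILLEGAL & set(sam):
            issues.append((sam, "sAMAccountName", "character"))
        if len(upn) > MAX_UPN_LEN:
            issues.append((sam, "userPrincipalName", "length"))
        if upn.rsplit(".", 1)[-1].lower() in NONROUTABLE_SUFFIXES:
            issues.append((sam, "userPrincipalName", "nonroutable"))
        for addr in u.get("proxyAddresses", []):
            # "SMTP:" marks the primary address, "smtp:" a secondary one;
            # other prefixes (X500:, SIP:) are not SMTP and are skipped here.
            prefix, _, mailbox = addr.partition(":")
            if prefix.lower() != "smtp":
                continue
            if not SMTP_RE.match(mailbox):
                issues.append((sam, "proxyAddresses", "format"))
                continue
            if seen.setdefault(mailbox.lower(), sam) != sam:
                issues.append((sam, "proxyAddresses", "duplicate"))
    return issues


if __name__ == "__main__":
    for sam, attr, problem in find_issues(SAMPLE_USERS):
        print(f"{sam!r:28} {attr:18} {problem}")
```

Running it against the constructed records reports the .local suffix, the space in "b jones", the address that collides with jdoe's, the over-long sAMAccountName, and the malformed SMTP address, while the clean jdoe record passes.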
In this course—the first in the series—Microsoft MVP Pete Zerger takes you through the basics of setting up endpoint protection. He begins by explaining how to set up Azure Active Directory Premium. Next, he goes into enabling multi-factor authentication, followed by setting conditions for secure access. To wrap up, Pete covers managing mobile devices with Intune, and publishing applications with Azure AD App Proxy.