Azure AD overview:
Azure Active Directory (Azure AD) is Microsoft's multi-tenant, cloud-based identity management and directory service. Azure AD combines core directory services, identity and access management, and application protection into one solution, providing a standards-based platform that helps developers control access to applications based on centralized policies and rules.
Azure AD advantages
Azure AD can help you:
· Create and manage a single identity for each user across the enterprise, keeping users and groups in sync with Azure AD Connect.
· Enforce rule-based multi-factor authentication across on-premises and cloud applications, securing application access.
Who uses Azure AD
Azure AD is relevant to application developers as well as to Office 365 and Azure users.
· For application developers: Azure AD provides an identity management solution already integrated with millions of organizations worldwide, so you can focus on building your applications.
· For Office 365 and Azure customers: you are already using Azure AD. Every Office 365 and Azure tenant is actually an Azure AD tenant, so you can begin managing user access to integrated cloud applications immediately.
How reliable is Azure AD?
Azure AD's multi-tenant, geographically distributed, high-availability design means you can rely on it for your most critical business needs. Azure AD runs in 28 data centers with automatic failover. This means that even if a data center goes down, a copy of the directory data is present in at least two other geographically separate data centers and is available for immediate access.
For more information about service level agreements, please refer to the service level agreements.
Building an AD domain structure on an Azure VM
1. Configure the virtual machine accordingly in the Azure portal:
The private IP address must be static;
Change the virtual machine's DNS server setting to its private address;
2. In Server Manager, select "Add Roles and Features";
3. Click "Next";
4. Keep the default selection "Role-based or feature-based installation" and click "Next";
5. Select the appropriate server and click "Next";
6. Check the "Active Directory Domain Services" role;
7. In the dialog box, click "Add Features";
8. Back on the roles page, click "Next";
9. Continue by clicking "Next";
10. Click "Next";
11. Check the option to restart the server automatically, and click "Install";
12. When the installation is complete, click "Close";
13. Click the notification icon in the upper right corner of Server Manager and select "Promote this server to a domain controller";
14. Select "Add a new forest", enter the root domain name, and click "Next";
15. Configure the Directory Services Restore Mode (DSRM) password and click "Next";
16. Click "Next";
17. Confirm the domain name and click "Next";
18. Click "Next";
19. Click "Next";
20. After the prerequisites check passes, click "Install";
Configure and verify a custom domain name
1. In the Azure portal, select the "Azure Active Directory" tab and click "Custom domain names";
2. Click "Add custom domain";
3. Enter the domain name and click "Add domain";
4. At your DNS hosting provider, add the corresponding TXT record;
5. Return to the Azure portal page and click the "Verify" button;
6. Verification is reported as successful;
Once the newly added domain has been verified, it can be set as the primary domain name, and newly created accounts can sign in using the added domain name.
Install and configure Azure AD Connect
This step integrates Azure AD with the on-premises AD and synchronizes the on-premises domain user accounts.
1. Sign in to the Azure virtual machine with a domain administrator account;
2. Download Azure AD Connect;
3. Run Azure AD Connect;
4. Choose either customized or express settings; this document chooses "Customize";
5. Select the components to install and click "Install";
6. Configure the user sign-in method and click "Next";
7. Enter the Azure AD administrator credentials and click "Next";
8. Click "Add Directory" to connect to the on-premises AD;
9. Enter the administrator account credentials to validate the AD connection;
10. When the connectivity check passes, click "Next";
11. Verify the AD sign-in configuration;
12. Select the domains and OUs to synchronize and click "Next";
13. Click "Next";
14. Filter the content to be synchronized;
15. Click "Next";
16. After the configuration check completes, click "Install";
17. When configuration is complete, click "Exit".
Account synchronization
Return to the Azure portal, open the Azure Active Directory service tab and click "All users"; the on-premises AD accounts can now be seen synchronized into Azure AD.
Azure AD Connect synchronizes every 15 minutes by default. To synchronize manually, open the "Synchronization Service Manager" tool on the on-premises domain controller and run a manual sync.
Deleting a custom domain name that has been synchronized with AD
If the organization no longer uses a custom domain name, or needs to use that domain name in another Azure AD, it can be removed from Azure AD.
Before a custom domain name can be deleted, you must first make sure that no resource in the directory depends on it. The domain name cannot be removed from the directory in the following situations:
· Any user has a user name, email address or proxy address containing the domain name.
· Any group has an email address or proxy address containing the domain name.
· Any application in Azure AD has an App ID URI containing the domain name.
Any such resource in the Azure AD directory must be changed or deleted before the custom domain name can be removed.
If the custom domain name still cannot be deleted after these requirements have been met, proceed as follows:
1. Install the Azure AD management module
Install-Module AzureAD
2. Install the MSOnline module
Install-Module -Name MSOnline
3. Connect to Azure AD
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud
4. Run the command
Connect-MsolService -AzureEnvironment AzureChinaCloud
5. Run the command (the result shows whether directory synchronization is currently enabled)
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
6. Run the command to disable directory synchronization
Set-MsolDirSyncEnabled -EnableDirSync $false
7. Run the command again to confirm the change
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
8. Before actually deleting the domain name, delete the accounts associated with it or change their sign-in domain;
9. Open the Azure portal, go to the Azure Active Directory tab, navigate to "Custom domain names", select the domain name and delete it;
At this point, the custom domain name has been deleted successfully.
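The dependency check described above (users, groups and App ID URIs that still reference the domain, plus the directory synchronization flag) can be run as a single script before attempting the deletion. This is an added example, not code from the original article; it assumes the MSOnline and AzureAD modules from the steps above are installed and already connected, and `contoso.example` is a placeholder for the domain being removed.

```powershell
# Added example (not part of the original article): pre-deletion check for a custom domain.
# Assumes Connect-MsolService and Connect-AzureAD have already been run
# (with -AzureEnvironment / -AzureEnvironmentName AzureChinaCloud, as in the steps above).
$Domain = 'contoso.example'   # placeholder; replace with the custom domain to remove

# 1. Users whose UPN or proxy addresses still reference the domain
$users = @(Get-MsolUser -All | Where-Object {
    $_.UserPrincipalName -like "*@$Domain" -or
    ($_.ProxyAddresses | Where-Object { $_ -like "*@$Domain" })
})

# 2. Groups whose email or proxy addresses still reference the domain
$groups = @(Get-MsolGroup -All | Where-Object {
    $_.EmailAddress -like "*@$Domain" -or
    ($_.ProxyAddresses | Where-Object { $_ -like "*@$Domain" })
})

# 3. Applications whose App ID URI still references the domain
$apps = @(Get-AzureADApplication -All $true | Where-Object {
    $_.IdentifierUris | Where-Object { $_ -like "*$Domain*" }
})

# 4. Directory synchronization state (must be disabled, see step 6 above)
$dirSync = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

"Users referencing ${Domain}: $($users.Count)"
$users  | Select-Object UserPrincipalName
"Groups referencing ${Domain}: $($groups.Count)"
$groups | Select-Object DisplayName, EmailAddress
"Applications referencing ${Domain}: $($apps.Count)"
$apps   | Select-Object DisplayName, IdentifierUris
"DirectorySynchronizationEnabled: $dirSync"

if ($users.Count -eq 0 -and $groups.Count -eq 0 -and $apps.Count -eq 0 -and -not $dirSync) {
    "No blocking dependencies found; $Domain can now be deleted in the portal."
} else {
    "Resolve the items listed above before deleting $Domain."
}
```

Running the check again after changing the listed users, groups and applications confirms that nothing in the directory still depends on the domain before the portal deletion in step 9.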