Azure AD User Synchronization: Azure AD Connect Deployment Considerations

Blog address: https://blog.51cto.com/14669127

Since 2010, as cloud platforms have matured and spread, many companies have moved to cloud services in order to keep data in the public cloud secure and manageable, to scale elastically, and to reduce the IT operations and maintenance workload.

In recent years more and more companies have been migrating all of their users from on-premises platforms such as domain controllers and Exchange Server to a cloud management platform. To help administrators understand this scenario and deploy it in a transparent, well-understood way, I am sharing the relevant experience here for everyone to learn from and discuss.

This article deploys Azure AD Connect (a free tool included with an Azure subscription) as the solution for synchronizing users from on-premises servers to Azure AD. Why choose Azure AD Connect? Because it is the tool Microsoft designed to meet the hybrid identity requirement. It replaces the older identity integration tools such as DirSync and Azure AD Sync, and it integrates on-premises Active Directory with Azure AD so that users can reach both public-cloud and on-premises resources with a single identity, which improves user productivity. For example, a user can access local applications and cloud services such as Office 365 with one identity.

Before deploying Azure AD Connect, consider the following seven points:

1. Azure AD
○ You manage Azure AD through the Azure Portal or the Office 365 Portal.
○ You need to add and verify a valid custom domain; the default domain (contoso.onmicrosoft.com) cannot be used.
○ By default an Azure AD tenant allows 50 K objects; once a domain is verified the limit rises to 300 K objects. If you need more objects in Azure AD, you must open a support ticket with Microsoft to have the limit raised.
2. On-premises data
○ Before synchronizing to Azure AD and Office 365, run IdFix to identify duplicates, errors and formatting problems in Active Directory.
○ Make sure the Azure AD sync features are enabled:
  § On-premises: Azure AD Connect Sync (the sync engine)
  § Azure AD: Azure AD Connect Sync Service
3. On-premises Active Directory
○ The AD schema version and forest functional level must be Windows Server 2003 or later.
○ If you plan to use password writeback, the domain controllers must be Windows Server 2008 R2 or later.
○ Make sure the domain controller used by Azure AD Connect is writable.
○ Enabling the Active Directory Recycle Bin is recommended.
4. Azure AD Connect server
○ Azure AD Connect cannot be installed on Small Business Server; it requires Windows Server 2012 Standard or later.
○ Installing Azure AD Connect on a domain controller is not recommended; the server hosting Azure AD Connect needs to be a domain member.
○ If you deploy ADFS, the server must run Windows Server 2012 or later.
○ If you deploy ADFS, you also need SSL certificates, their configuration, and name resolution.
○ If the global admin has MFA enabled, you need to add the following URL to the browser's trusted sites list:
https://secure.aadcdn.microsoftonline-p.com
○ (Not a required step for a one-off synchronization) Microsoft recommends hardening the Azure AD Connect server to reduce its attack surface:
  § Securing the Administrators Groups
  § Securing Built-in Administrator Accounts
  § Security improvement and sustainment by reducing attack surfaces
  § Reducing the Active Directory attack surface

5. Azure AD Connect server needs SQL
○ Azure AD Connect requires a SQL Server database to store identity data. You can choose Express mode during deployment, which uses SQL Server Express as the store: it provides 10 GB of storage and can manage up to 100,000 objects. If you need to manage more directory objects, deploy a full SQL Server (SQL Server 2012 or later).
6. Accounts
○ An Azure AD Global Administrator account
○ An on-premises Active Directory administrator (and Exchange administrator)
7. Connectivity
○ The DNS server must be able to resolve both the on-premises Active Directory names and the Azure AD endpoints.
○ If there is a firewall on your internal network, you need to open the required ports between the Azure AD Connect server, your domain controllers and Azure AD.
○ Azure AD Connect and Azure AD communication protocols and ports (table shown as an image in the original post)
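As an added example (not from the original post), the following PowerShell script turns the seven considerations above into a pre-flight check that can be run on the intended Azure AD Connect server before starting the wizard. It assumes the ActiveDirectory RSAT module is installed and that it runs as a domain user. The Azure AD endpoint name (`login.microsoftonline.com`) and the port list (53, 88, 389, 445 to the domain controller, 443 to Azure AD) are my own assumptions for illustration, since the original port table is an image; confirm them against the current Microsoft documentation.

```powershell
# Added example, not from the original post: pre-flight checks for the seven
# Azure AD Connect considerations. Run on the intended Azure AD Connect server as
# a domain user with the ActiveDirectory RSAT module installed. The endpoint name
# and port numbers below are assumptions for illustration.
Import-Module ActiveDirectory

$results = New-Object System.Collections.Generic.List[object]
function Add-Check {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# --- 2. On-premises data: IdFix-style search for duplicates that block sync ---
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, proxyAddresses, userPrincipalName
$dupUpn  = $users | Group-Object userPrincipalName | Where-Object { $_.Count -gt 1 }
$dupMail = $users | Where-Object mail | Group-Object mail | Where-Object { $_.Count -gt 1 }
$dupProxy = $users | ForEach-Object {
    $u = $_
    $u.proxyAddresses | ForEach-Object { [pscustomobject]@{ Addr = $_.ToLower(); User = $u.SamAccountName } }
} | Group-Object Addr | Where-Object { $_.Count -gt 1 }
Add-Check 'No duplicate userPrincipalName' (@($dupUpn).Count -eq 0) (($dupUpn.Name) -join ', ')
Add-Check 'No duplicate mail'              (@($dupMail).Count -eq 0) (($dupMail.Name) -join ', ')
Add-Check 'No duplicate proxyAddresses'    (@($dupProxy).Count -eq 0) (($dupProxy.Name) -join ', ')

# --- 3. On-premises Active Directory ---
$forest = Get-ADForest
# ADForestMode: Windows2003Forest = 2, higher values are newer
Add-Check 'Forest functional level is Windows Server 2003 or later' ([int]$forest.ForestMode -ge 2) "$($forest.ForestMode)"
$schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
# objectVersion 30 is the Windows Server 2003 schema
Add-Check 'Schema version is Windows Server 2003 or later' ($schema.objectVersion -ge 30) "objectVersion=$($schema.objectVersion)"
$oldDcs = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -match '2003|2008(?! R2)' }
Add-Check 'All DCs are Windows Server 2008 R2 or later (password writeback)' (@($oldDcs).Count -eq 0) (($oldDcs.HostName) -join ', ')
$writable = Get-ADDomainController -Discover -Writable
Add-Check 'A writable domain controller is reachable' ($null -ne $writable) "$($writable.HostName)"
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
Add-Check 'Active Directory Recycle Bin is enabled' (@($rb.EnabledScopes).Count -gt 0) "EnabledScopes=$(@($rb.EnabledScopes).Count)"

# --- 4. Azure AD Connect server ---
$os = Get-CimInstance Win32_OperatingSystem
$cs = Get-CimInstance Win32_ComputerSystem
# Version 6.2 is Windows Server 2012; ProductType 1 = workstation, 2 = DC, 3 = server
Add-Check 'Server OS is Windows Server 2012 or later' (([version]$os.Version -ge [version]'6.2') -and ($os.ProductType -ne 1)) $os.Caption
Add-Check 'Server is not Small Business Server'     ($os.Caption -notmatch 'Small Business') $os.Caption
Add-Check 'Server is not a domain controller'        ($os.ProductType -ne 2) "ProductType=$($os.ProductType)"
Add-Check 'Server is a domain member'                $cs.PartOfDomain $cs.Domain

# --- 7. Connectivity (endpoint name and ports are assumptions) ---
$dcHost = "$($writable.HostName)"
foreach ($p in 53, 88, 389, 445) {   # DNS, Kerberos, LDAP, SMB to the domain controller
    $ok = (Test-NetConnection -ComputerName $dcHost -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    Add-Check "TCP $p to domain controller" $ok $dcHost
}
$aadHost = 'login.microsoftonline.com'   # assumed Azure AD sign-in endpoint
$dns = Resolve-DnsName $aadHost -ErrorAction SilentlyContinue
Add-Check "DNS resolves $aadHost" ($null -ne $dns) (($dns | Where-Object IPAddress | Select-Object -First 1).IPAddress)
$ok = (Test-NetConnection -ComputerName $aadHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
Add-Check "TCP 443 to $aadHost" $ok $aadHost

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failed checks before running the Azure AD Connect wizard.'
}
```

The duplicate checks only cover enabled users; IdFix also scans groups and contacts and checks character-level formatting, so this script is a complement to running IdFix, not a replacement for it.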

Summary of the Azure AD Connect deployment:

1. Before deploying Azure AD Connect, add and verify your domain in Azure AD (Office 365) (if the domain is registered with GoDaddy, the configuration must be done there as well); otherwise signing in to Azure AD will fail while configuring Azure AD Connect.

2. Download and install Azure AD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594
3. If you have a single-forest domain and use password hash synchronization for authentication, you can install and deploy Azure AD Connect with the default Express settings.

4. If you do not synchronize all users, attributes and organizational units from the on-premises Active Directory, but instead synchronize in batches by OU or have special requirements for user attribute synchronization, then in the final Configure step you must clear the "Start the synchronization process when configuration completes" check box.
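Once the check box is cleared, the scheduler is left disabled and the first cycle has to be started by hand. The script below is an added example (not from the original post) showing how to do that from the ADSync module that ships with Azure AD Connect, run on the Azure AD Connect server itself. It assumes the OU scope and attribute rules are adjusted in the wizard ("Domain and OU filtering"); the script only governs when sync cycles run.

```powershell
# Added example, not from the original post: controlling the sync cycle after
# installing Azure AD Connect with "Start the synchronization process when
# configuration completes" cleared. Run on the Azure AD Connect server; the ADSync
# module is installed with the product. OU filtering is configured in the wizard,
# this script only decides when cycles are allowed to run.
Import-Module ADSync

function Show-SchedulerState {
    Get-ADSyncScheduler |
        Select-Object SyncCycleEnabled, NextSyncCyclePolicyType,
                      NextSyncCycleStartTimeInUTC, SyncCycleInProgress
}

# 1. With the box cleared the scheduler is disabled; keep it that way while the
#    OU scope and attribute rules are being changed, so nothing is exported early.
Set-ADSyncScheduler -SyncCycleEnabled $false
Show-SchedulerState

# 2. After changing OU / attribute settings in the wizard, seed the first batch
#    with a single Initial (full) cycle and wait for it to finish.
Start-ADSyncSyncCycle -PolicyType Initial
do {
    Start-Sleep -Seconds 30
    $state = Get-ADSyncScheduler
} while ($state.SyncCycleInProgress)

# 3. Review the connectors and confirm nothing is still running before trusting
#    the result (check the Synchronization Service Manager for export errors).
Get-ADSyncConnector | Select-Object -ExpandProperty Name
Get-ADSyncConnectorRunStatus   # returns nothing when no connector is running

# 4. Only when the first batch looks right, turn the regular delta schedule back on.
Set-ADSyncScheduler -SyncCycleEnabled $true
Show-SchedulerState
```

Repeat steps 1 to 3 for each OU batch; the scheduler stays disabled between batches so that a half-configured scope is never exported automatically.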



Original post: blog.51cto.com/14669127/2468187