When setting up Office 365 environment, if you want to use your Active Directory domain, you need to use Azure AD set the synchronization service. In the past we need to set DirSync place here, and now need to install and configure the successor Azure AD Sync or Azure AD Connect synchronization service. Can download this tool or by downloading the Microsoft Azure Active Directory Connect to do this, simplify the installation process, it is better to get started.
AAD Connect Overview
Azure AD Connect is a wizard that automatically perform the following steps
- Installation prerequisites, such as module and Azure Active Directory PowerShell Microsoft Online Services Sign-in Assistant.
- Azure AD Sync installed and configured as a synchronous engine and enable directory synchronization clients of Azure tenants
- According to customers like the option to configure the login password synchronization or AD FS, and includes all the necessary configuration in the Azure
With the release of Azure AD Connect, we now have three tools that will provide Azure AD / Office 365 directory synchronization.
- Microsoft Azure Active Directory Synchronization Tool (DirSync) - The synchronization tool will eventually quit, but there is no ETA.
- Azure AD Sync - when Azure AD Connect officially released, "independent" version of the tool will be disabled.
- Azure AD Connect - after DirSync disabled, this will be the only synchronization tools available tools. It includes as Azure AD Sync synchronization engine.
Other Azure AD Connect sync options and seamless migration from the DirSync, there is no longer a separate Azure AD Sync and Azure AD Connect version. And future versions DirSync we do not plan. Azure AD Connect Now is your one-stop shop for synchronization, and hybrid combinations to log all connections.
Set in the statement, Microsoft Azure Active Directory Connect tool to help you through the installation prerequisites, these prerequisites to AD users and groups from the local AD synchronized to Azure AD. If the product does not exist, it will be automatically installed;
- For IT professionals Microsoft Online Services Sign-in Assistant
- For Windows PowerShell in Windows Azure Active Directory Module
- Microsoft Visual C ++ 2013 redistributable package
Installation Prerequisites
When you are ready prerequisites will be installed Azure AD Connect synchronization service. Azure AD Connect synchronization service requires a SQL database, you can configure an existing database, otherwise it will automatically install a version of SQL Express. Next, we need to provide a user name Azure AD user as a member of the Global Administrator role.
Connected to Azure AD
After synchronization service and connect it to the Azure AD is installed, we can customize the configuration Azure AD Connect synchronization services, and other functions. So, if we do not choose to use the Quick Setup shown below, we can
Configuring single sign-on and password synchronization AD FS United.
Use the Custom option
I will select the "joint AD FS" and connect my Active Directory. Microsoft Azure Active Directory Connect allows you to synchronize multiple directories.
The next step is that you can filter by user and group DN or group members.
Screening or sync everything
接下来,您需要配置如何标识本地目录中的用户。用户在多个目录中仅代表一次还是在多个目录中存在用户身份。根据属性,您可以配置必须如何匹配用户。如果仅将一个Active Directory用作源,则可以轻松使用默认值,如下所示。
选择属性
如您所见,Microsoft Azure Active Directory Connect工具在很大程度上帮助您设置同步服务。除此之外,您还可以配置以下功能:
Exchange混合部署
Exchange混合部署功能通过将一组特定的属性从Azure AD同步回您自己的Active Directory,从而允许Exchange邮箱在本地和Azure中共存。
密码回写
如果密码在Azure AD中发生更改,它将被写回到您自己的Active Directory中。
用户写回
如果在Azure AD中创建用户,它将被写回到您自己的Active Directory中。
和:
- Azure AD应用程序和属性筛选
- 组重写
- 设备同步
- 目录扩展名属性同步
选择以下两个选项,如下所示,我们可以在本地Active Directory中配置写回位置。
附加选项
接下来,您需要配置一个新的AD FS服务器场Windows Server 2012 R2。指定用于保护客户端和AD FS之间的通信的SSL证书。证书文件应位于pfx中。
由于ADFS利用SSL,因此我们需要具有SSL证书。您可以尝试三种选择,但只有一种可行:
- 自签名证书
- 内部PKI颁发的证书
- 来自第三方公共CA的证书
Office 365需要在ADFS基础结构上看到有效的服务通信证书,因此您将不得不从公共CA购买证书。Office 365将不信任自签名的或来自内部CA的服务通信证书。对于令牌解密和令牌签名证书,我们可以使用自签名证书。这些与服务通信证书是分开的。
请遵循所选CA的文档以请求,安装并完成证书。所需的步骤因供应商而异,并且随时间而变化。确保您没有丢失任何更新的中间证书!
We will initially deploy the ADFS server and add another ADFS server in the future to achieve redundancy.
Add a federation server on Windows Server 2012 R2, AD FS service to specify the installation location
Adding Proxy Server on Windows Server 2012 R2, specify the installation Web application proxy location
Next, specify the proxy trust certificates. Web application proxy requires credentials to request a certificate from the federation server.
It can be used as GMSA ADFS service account. GMSA will automatically update the credentials of the service account, the administrator password will be ignored.
In this case, the standard service account.
Select Azure AD domain combined with a local directory. Hosted domain to a federated domain
Really good Wizard The final step is to install and configure synchronization service, AD FS and WAP server.
Complete the configuration
At present, make sure you have created a DNS record, so that the client can resolve your Federation Service internally and externally.
Additional steps
This topic describes the configuration of the AD FS additional steps after installing a federation of servers, comprising:
- Open the "ADFS Management" snap-in
- AD FS service configuration for the name resolution
- Add nodes to the farm
- Add the Web application proxy
- Enable device registration services
For more information about how to deploy AD FS, see how to deploy AD FS 2012 R2 Server in Windows .