Implement Directory Synchronization

Azure Active Directory (Azure AD) Connect (formerly known as the Directory Synchronization tool, Directory Sync tool, or the DirSync.exe tool) is an application that you install on a domain-joined server to synchronize your on-premises Active Directory Domain Services (AD DS) users to the Azure AD tenant.

These labs are a replay of exercises done during my course on AZ-500 Microsoft Azure Security Technologies and are a proof of concept demonstrating how to integrate an on-premises Active Directory Domain Services (AD DS) environment with an Azure Active Directory (Azure AD) tenant. Specifically, you want to:

  • Implement a single-domain AD DS forest by deploying an Azure VM hosting an AD DS domain controller
  • Create and configure an Azure AD tenant
  • Synchronize the AD DS forest with the Azure AD tenant

Objectives

In this lab, you will complete the following practical labs:

  • Practical Labs 1: Deploy an Azure VM hosting an Active Directory domain controller
  • Practical Labs 2: Create and configure an Azure Active Directory tenant
  • Practical Labs 3: Synchronize Active Directory forest with an Azure Active Directory tenant

Prerequisites for this lab: PowerShell / Azure account / download the lab files here

Practical Labs 1: Deploy an Azure VM hosting an Active Directory domain controller

  • Task 1: Identify an available DNS name for an Azure VM deployment
  • Task 2: Use an ARM template to deploy an Azure VM hosting an Active Directory domain controller

Task 1: Identify an available DNS name for an Azure VM deployment

In this task, you will identify a DNS name for your Azure VM deployment.

  • Sign in to the Azure portal at https://portal.azure.com/.

Note: Sign in to the Azure portal using an account that has the Owner or Contributor role in the Azure subscription you are using for this lab.

  • Open the Cloud Shell by clicking the first icon in the top right of the Azure Portal. If prompted, click PowerShell and Create storage.
  • Ensure PowerShell is selected in the drop-down menu in the upper-left corner of the Cloud Shell pane.
  • In the PowerShell session within the Cloud Shell pane, run the following to identify an available DNS name you can use for an Azure VM deployment in the next task of this exercise:

    Test-AzDnsAvailability -DomainNameLabel exceedlab09142021 -Location 'East US'

  • Note: In the command above, exceedlab09142021 and 'East US' stand in for the <custom-label> and <location> placeholders. Replace <custom-label> with a valid DNS name that is likely to be globally unique, and replace <location> with the name of the region into which you want to deploy the Azure VM that will host the Active Directory domain controller you will use in this lab.

Note: To identify Azure regions where you can provision Azure VMs, refer to https://azure.microsoft.com/en-us/regions/offers/

  • Verify that the command returned True. If not, rerun the same command with a different value of the <custom-label> until the command returns True.
  • Record the value of the custom label (exceedlab09142021 in the example above) that resulted in the successful outcome. You will need it in the next task.
  • Close the Cloud Shell.
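As an added example (not part of the original lab), the same availability check wrapped in a small PowerShell function that walks a list of candidate labels and rejects labels that do not meet Azure's DNS label rules before calling the API. It assumes an authenticated Az session, which Cloud Shell already provides, and the candidate names are constructed for illustration:

```powershell
# Added example: return the first candidate label that Test-AzDnsAvailability
# reports as free in the given region. Requires the Az.Network module and an
# authenticated Az session (Connect-AzAccount, or Cloud Shell).
function Find-AvailableDnsLabel {
    param(
        [Parameter(Mandatory)] [string[]] $Candidates,
        [Parameter(Mandatory)] [string]   $Location
    )
    foreach ($label in $Candidates) {
        # Azure VM DNS labels: 3-63 chars, lowercase letters, digits and hyphens,
        # starting with a letter and not ending with a hyphen. Reject invalid
        # labels locally instead of sending them to the API.
        if ($label -notmatch '^[a-z][a-z0-9-]{1,61}[a-z0-9]$') {
            Write-Warning "Skipping '$label': not a valid Azure DNS label"
            continue
        }
        if (Test-AzDnsAvailability -DomainNameLabel $label -Location $Location) {
            return $label
        }
        Write-Verbose "'$label' is already taken in $Location"
    }
    throw "None of the candidate labels is available in $Location"
}

# Constructed candidates following the exceedlab09142021 pattern used in this lab:
# base name plus today's date, then a few variants with a random numeric suffix.
$base       = 'exceedlab'
$stamp      = Get-Date -Format 'MMddyyyy'
$candidates = @("$base$stamp") +
              (1..3 | ForEach-Object { "$base$stamp-$(Get-Random -Minimum 100 -Maximum 999)" })

$dnsLabel = Find-AvailableDnsLabel -Candidates $candidates -Location 'East US'
"Use this value as the Dns Prefix in the next task: $dnsLabel"
```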

Task 2: Use an ARM template to deploy an Azure VM hosting an Active Directory domain controller

In this task, you will deploy an Azure VM that will host an Active Directory domain controller.

  • On the Create an Azure VM with a new AD Forest blade, click Edit parameters.
  • On the Edit parameters blade, click Load file, in the Open dialog box, click \\AllFiles\Labs\06\active-directory-new-domain\azuredeploy.parameters.json, click Open, and then click Save.
  • On the Create an Azure VM with a new AD Forest blade, specify the following settings (leave others with their existing values):

      Setting          Value
      Subscription     the name of your Azure subscription
      Resource group   click Create new and type the name rg-exceed13102021
      Region           the Azure region you identified in the previous task
      Admin Username   exceedstudent
      Admin Password   Pa55w.rd1234
      Domain Name      adatum.com
      Dns Prefix       Exceedlab09142021
      VM Size          Standard_D2s_v3

  • On the Create an Azure VM with a new AD Forest blade, click Review + create, and then click Create.

Note: Do not wait for the deployment to complete but instead proceed to the next exercise. The deployment might take about 15 minutes. You will use the virtual machine deployed in this task in the third exercise of this lab.

Result: After completing this exercise, you will have initiated the deployment of an Azure VM that will host an Active Directory domain controller by using an Azure Resource Manager template.

Practical Labs 2: Create and configure an Azure Active Directory tenant

In this exercise, you will complete the following tasks:

  • Task 1: Create an Azure Active Directory (AD) tenant
  • Task 2: Add a custom DNS name to the new Azure AD tenant
  • Task 3: Create an Azure AD user with the Global Administrator role

Task 1: Create an Azure Active Directory (AD) tenant

In this task, you will create a new Azure AD tenant to use in this lab.

  • In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.
  • On the blade displaying Overview of your current Azure AD tenant, click Manage tenant, and then on the next screen, click + Create.

  1. On the Basics tab of the Create a directory blade, ensure that the option Azure Active Directory is selected and click Next: Configuration >.
  2. On the Configuration tab of the Create a directory blade, specify the following settings:
      Setting              Value
      Organization name    AdatumSync
      Initial domain name  a unique name consisting of a combination of letters and digits
      Country or region    United States

  • Note: Record the initial domain name. You will need it later in this lab.
  • Note: The green check mark in the Initial domain name text box indicates whether the domain name you typed is valid and unique.

  • Click Review + create and then click Create.

Note: Wait for the new tenant to be created. Use the Notification icon to monitor the deployment status.

Complete the "you are not a robot" verification check.

Click Submit to create the tenant.

Task 2: Add a custom DNS name to the new Azure AD tenant

In this task, you will add your custom DNS name to the new Azure AD tenant.

  1. In the Azure portal, in the toolbar, click the Directory + subscription icon, located to the right of the Cloud Shell icon.
  2. In the Directory + subscription blade, click the newly created tenant, AdatumSync.

Note: You may need to refresh the browser window if the AdatumSync entry does not appear in the Directory + subscription filter list.

  • Click Switch.
  • On the AdatumSync | Azure Active Directory blade, in the Manage section, click Custom domain names.
  • On the AdatumSync | Custom domain names blade, click + Add custom domain.
  • On the Custom domain name blade, in the Custom domain name text box, type adatum.com and click Add Domain.
  • On the adatum.com blade, review the information necessary to perform verification of the Azure AD domain name.

Note: You will not be able to complete the validation process because you do not own the adatum.com DNS domain name. This does not prevent you from synchronizing the adatum.com AD DS domain with the Azure AD tenant. For this purpose you will use the initial DNS name of the Azure AD tenant (the name ending with the onmicrosoft.com suffix), which you identified in the previous task. Keep in mind, however, that as a result the DNS domain name of the AD DS domain and the DNS name of the Azure AD tenant will differ. This means that Adatum users will need to use different names when signing in to the AD DS domain and when signing in to the Azure AD tenant.

Task 3: Create an Azure AD user with the Global Administrator role

In this task, you will add a new Azure AD user and assign them to the Global Administrator role.

  • On the AdatumSync Azure AD tenant blade, in the Manage section, click Users.
  • On the Users | All users blade, click + New User.
  • On the New user blade, ensure that the Create user option is selected, specify the following settings (leave all others with their default values) and click Create:
      Setting         Value
      User name       syncadmin
      Name            syncadmin
      Password        ensure that the option Auto-generate password is selected and click Show Password
      Groups          0 groups selected
      Roles           click User, then click Global administrator, and click Select
      Usage Location  United States

  • Note: Record the full user name. You can copy its value by clicking the Copy to clipboard button on the right-hand side of the drop-down list displaying the domain name.
  • Note: Record the user’s password. You will need this later in this lab.
  • Note: An Azure AD user with the Global Administrator role is required in order to implement Azure AD Connect.
  1. Open an InPrivate browser window.
  2. Navigate to the Azure portal and sign in using the syncadmin user account. When prompted, change the password you recorded earlier in this task to Pa55w.rd1234.

Note: To sign in you will need to provide a fully qualified name of the syncadmin user account, including the Azure AD tenant DNS domain name, which you recorded earlier in this task. This user name is in the format syncadmin@<your_tenant_name>.onmicrosoft.com, where <your_tenant_name> is the placeholder representing your unique Azure AD tenant name.

  • Sign out as syncadmin and close the InPrivate browser window.

Result: After completing this exercise, you will have created an Azure AD tenant, added a custom DNS name to the new Azure AD tenant, and created an Azure AD user with the Global Administrator role.

Practical Labs 3: Synchronize Active Directory forest with an Azure Active Directory tenant

In this exercise, you will complete the following tasks:

  • Task 1: Prepare AD DS for directory synchronization
  • Task 2: Install Azure AD Connect
  • Task 3: Verify directory synchronization

Task 1: Prepare AD DS for directory synchronization

In this task, you will connect to the Azure VM running the AD DS domain controller and create a directory synchronization account.

Before you start this task, ensure that the template deployment you started in the first exercise of this lab has completed.

  • In the Azure portal, set the Directory + subscription filter to the Azure AD tenant associated with the Azure subscription into which you deployed the Azure VM in the first exercise of this lab.
  • In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Virtual machines and press the Enter key.
  • On the Virtual machines blade, click the adVM entry.
  • On the adVM blade, click Connect and, in the drop-down menu, click RDP.
  • In the IP address parameter, select Load balancer public IP address, then click Download RDP File and use it to connect to the adVM Azure VM via Remote Desktop. When prompted to authenticate, provide the following credentials:

      Setting    Value
      User name  exceedstudent
      Password   Pa55w.rd1234

  • Note: Wait for the Remote Desktop session and Server Manager to load.

Note: The following steps are performed in the Remote Desktop session to the adVM Azure VM.

  • In Server Manager, click Local Server and then click IE Enhanced Security Configuration.
  • In the Internet Explorer Enhanced Security Configuration dialog box, set both options to Off and click OK.
  • Start Internet Explorer, navigate to https://www.microsoft.com/en-us/edge/business/download, download Microsoft Edge installation binaries, run the installation, and configure the web browser with the default settings.
  • In Server Manager, click Tools and, in the drop-down menu, click Active Directory Administrative Center.
  • In Active Directory Administrative Center, click adatum (local), in the Tasks pane, click New, and, in the cascading menu, click Organizational Unit.
  • In the Create Organizational Unit window, in the Name text box, type ToSync and click OK.
  • Double-click the newly created ToSync organizational unit such that its content appears in the details pane of the Active Directory Administrative Center console.
  • In the Tasks pane, within the ToSync section, click New, and, in the cascading menu, click User.
  • In the Create User window, create a new user account with the following settings (leave others with their existing values) and click OK:
      Setting                      Value
      Full Name                    aduser1
      User UPN logon               aduser1
      User SamAccountName logon    aduser1
      Password                     Pa55w.rd1234
      Other password options       Password never expires
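As an added example (not the lab's own steps), the same ToSync OU and aduser1 account created with the ActiveDirectory PowerShell module on adVM instead of through Active Directory Administrative Center. It assumes an elevated PowerShell session on the domain controller deployed in Practical Labs 1, and reads the domain's distinguished name instead of hard-coding it:

```powershell
# Added example: create the ToSync OU and the aduser1 account with the values from
# the lab table. Safe to re-run: existing objects are left untouched.
Import-Module ActiveDirectory

$domain   = Get-ADDomain                     # adatum.com as deployed by the template
$domainDn = $domain.DistinguishedName        # DC=adatum,DC=com
$ouName   = 'ToSync'
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU only if it is not already there.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Lab values: full name, UPN and SamAccountName aduser1, password Pa55w.rd1234,
# "Password never expires". The UPN suffix is the AD DS domain (adatum.com).
$password = ConvertTo-SecureString 'Pa55w.rd1234' -AsPlainText -Force
if (-not (Get-ADUser -Filter "SamAccountName -eq 'aduser1'")) {
    New-ADUser -Name 'aduser1' `
               -SamAccountName 'aduser1' `
               -UserPrincipalName "aduser1@$($domain.DNSRoot)" `
               -Path $ouDn `
               -AccountPassword $password `
               -PasswordNeverExpires $true `
               -Enabled $true
}

# Show what Azure AD Connect will read for this object. Because the UPN suffix
# adatum.com is not a verified domain in the tenant, the wizard later raises the
# "UPN suffix does not match a verified domain name" warning for this user.
Get-ADUser -Identity 'aduser1' -Properties UserPrincipalName, PasswordNeverExpires, Department |
    Select-Object Name, UserPrincipalName, PasswordNeverExpires, Department, DistinguishedName
```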

Task 2: Install Azure AD Connect

In this task, you will install Azure AD Connect on the virtual machine.

  • Within the Remote Desktop session to adVM, use Microsoft Edge to navigate to the Azure portal, and sign in by using the syncadmin user account you created in the previous exercise. When prompted, specify the full user name you recorded and the Pa55w.rd1234 password.
  • In the Azure portal, in the Search resources, services, and docs text box at the top of the Azure portal page, type Azure Active Directory and press the Enter key.
  • In the Azure portal, on the AdatumSync | Overview blade, click Azure AD Connect.
  • On the AdatumSync | Azure AD Connect blade, click the Download Azure AD Connect link. You will be redirected to the Microsoft Azure Active Directory Connect download page.
  • On the Microsoft Azure Active Directory Connect download page, click Download.
  • When prompted, click Run to start the Microsoft Azure Active Directory Connect wizard.
  • On the Welcome to Azure AD Connect page of the Microsoft Azure Active Directory Connect wizard, click the checkbox I agree to the license terms and privacy notice and click Continue.

  • On the Express Settings page of the Microsoft Azure Active Directory Connect wizard, click the Customize option.
  • On the Install required components page, leave all optional configuration options deselected and click Install.
  • On the User sign-in page, ensure that only Password Hash Synchronization is enabled and click Next.
  • On the Connect to Azure AD page, authenticate by using the credentials of the syncadmin user account you created in the previous exercise and click Next.
  • On the Connect your directories page, click the Add Directory button to the right of the adatum.com forest entry.

  1. In the AD forest account window, ensure that the option Create new AD account is selected, specify the following credentials, and click OK:

      Setting    Value
      User Name  ADATUM\Student
      Password   Pa55w.rd1234

  • Back on the Connect your directories page, ensure that the adatum.com entry appears as a configured directory and click Next.

  • On the Azure AD sign-in configuration page, note the warning stating Users will not be able to sign-in to Azure AD with on-premises credentials if the UPN suffix does not match a verified domain name, enable the checkbox Continue without matching all UPN suffixes to verified domain, and click Next.

Note: As explained earlier, this is expected, since you could not verify the custom Azure AD DNS domain adatum.com.

  • On the Domain and OU filtering page, click the option Sync selected domains and OUs, clear all checkboxes, click only the checkbox next to the ToSync OU, and click Next.
  • On the Uniquely identifying your users page, accept the default settings, and click Next.
  • On the Filter users and devices page, accept the default settings, and click Next.
  • On the Optional features page, accept the default settings, and click Next.
  • On the Ready to configure page, ensure that the Start the synchronization process when configuration completes checkbox is selected and click Install.

Note: Installation should take about 2 minutes.

  • Click Next.
  • Click Install.
  • Review the information on the Configuration complete page and click Exit to close the Microsoft Azure Active Directory Connect window.

Task 3: Verify directory synchronization

In this task, you will verify that directory synchronization is working.

  • Within the Remote Desktop session to adVM, in the Microsoft Edge window displaying the Azure portal, navigate to the Users | All users blade of the Adatum Lab Azure AD tenant.
  • On the Users | All users blade, note that the list of user objects includes the aduser1 account.
  • Select the aduser1 account and, in the Profile > Identity section, note that the Source attribute is set to Windows Server AD.

Note: You might have to wait a few minutes and select Refresh for the aduser1 user account to appear.

  • On the Users | All users blade, select the aduser1 entry.
  • On the aduser1 | Profile blade, in the Job info section, note that the Department attribute is not set.
  • Within the Remote Desktop session to adVM, switch to Active Directory Administrative Center, select the aduser1 entry in the list of objects in the ToSync OU, and, in the Tasks pane, in the ToSync section, select Properties.
  • In the aduser1 window, in the Organization section, in the Department text box, type Sales, and select OK.
  • Within the Remote Desktop session to adVM, start Windows PowerShell.
  • From the Administrator: Windows PowerShell console, run the following to start Azure AD Connect delta synchronization:

    Import-Module -Name 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'
    Start-ADSyncSyncCycle -PolicyType Delta
  • Switch to the Microsoft Edge window displaying the aduser1 | Profile blade, refresh the page and note that the Department property is set to Sales.

Note: You might need to wait for another minute and refresh the page again if the Department attribute remains not set.
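As an added example (not from the original lab), the delta synchronization above wrapped in a function that waits for the cycle to finish before you refresh the portal, and then summarizes the most recent connector runs with Get-ADSyncRunProfileResult. It assumes the ADSync module path used in the lab; the column names selected from the run-profile output are an assumption and may need adjusting to your Azure AD Connect version:

```powershell
# Added example: start a delta sync on adVM, wait for the scheduler to report the
# cycle finished, then list the last connector runs so a failed import/export shows
# up here instead of as a Department value that never changes in the portal.
Import-Module -Name 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

function Invoke-DeltaSyncAndWait {
    param([int] $TimeoutSeconds = 300)

    # Start-ADSyncSyncCycle fails if a cycle is already running (the scheduler runs
    # one every 30 minutes), so wait for any in-progress cycle first.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 5 }

    $started = Start-ADSyncSyncCycle -PolicyType Delta
    if ($started.Result -ne 'Success') {
        throw "Delta sync was not started: $($started.Result)"
    }

    # The cycle is picked up asynchronously: give the scheduler a moment, then poll
    # until it reports the cycle has completed or the timeout is hit.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    Start-Sleep -Seconds 10
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the sync cycle to complete' }
        Start-Sleep -Seconds 5
    }

    # One line per connector run (import, sync and export for adatum.com and for the
    # Azure AD connector). Any Result other than success is where to start looking.
    Get-ADSyncRunProfileResult -NumberOfDays 1 |
        Sort-Object StartDate -Descending |
        Select-Object -First 6 ConnectorName, RunProfileName, Result, StartDate, EndDate
}

Invoke-DeltaSyncAndWait
```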

Result: After completing this exercise, you will have prepared AD DS for directory synchronization, installed Azure AD Connect, and verified directory synchronization.

Reminder: Don't forget to delete or shut down all unused Azure resources after your labs to save costs.
