WEBVTT

00:00:03.180 --> 00:00:09.100
In this video, we're going to take a look at Azure AD Connect.

00:00:09.100 --> 00:00:14.580
In particular, we're going to take a look at our configuration requirements,

00:00:14.580 --> 00:00:17.100
what we need to do, what are the prerequisites.

00:00:17.100 --> 00:00:21.640
I'm really going to go through and just demonstrate Azure AD Connect.

00:00:21.640 --> 00:00:26.800
I think it's a fairly straightforward installation and configuration.

00:00:26.800 --> 00:00:30.000
With that said, let's go ahead and jump right in.

00:00:30.000 --> 00:00:34.720
Let's start out talking about our configuration requirements.

00:00:34.720 --> 00:00:37.860
The first thing that you need to understand is that you can only have

00:00:37.860 --> 00:00:45.540
one active Azure AD Connect server per Azure AD tenant.

00:00:45.540 --> 00:00:49.540
Now, you can have more than one server set up, but any additional servers

00:00:49.540 --> 00:00:53.360
are set up as what are called staging servers.

00:00:53.360 --> 00:00:58.420
The staging server is going to synchronize the data from your Active Directory.

00:00:58.420 --> 00:01:01.180
It's just not going to synchronize it all the way between your on-prem

00:01:01.180 --> 00:01:03.880
and your Azure AD.

00:01:03.880 --> 00:01:07.320
That's fine, but that's the first thing.

00:01:07.320 --> 00:01:11.520
Now, the second configuration requirement is SQL Server.

00:01:11.520 --> 00:01:15.800
I don't consider SQL Server to be a prerequisite exactly.

00:01:15.800 --> 00:01:19.520
I'm going to talk about prerequisites in just a moment, because if you

00:01:19.520 --> 00:01:25.260
don't already have SQL Server, then when you install the Azure AD Connect

00:01:25.260 --> 00:01:30.160
service, it will install what's called SQL Server Express LocalDB, which

00:01:30.160 --> 00:01:32.240
is a local copy of SQL Server.

00:01:32.240 --> 00:01:37.040
But if you already have SQL Server, you can use that, of course.

00:01:37.040 --> 00:01:40.060
Now, what are some of the prerequisites?

00:01:40.060 --> 00:01:47.620
Well, first of all, the minimum server requirement is Windows Server 2008

00:01:47.620 --> 00:01:53.720
R2. It's kind of interesting because if you're using Windows Server 2008

00:01:53.720 --> 00:01:57.940
R2, it's recommending you have the latest service pack and patches.

00:01:57.940 --> 00:02:02.240
However, if you're using the write-back functionality, you have to have

00:02:02.240 --> 00:02:07.260
at least Windows Server 2008 R2 Service Pack 1, which of course, if

00:02:07.260 --> 00:02:10.540
you've got the latest patches and service packs, you will, of course, have

00:02:10.540 --> 00:02:13.240
beyond that, but that's a requirement.

00:02:13.240 --> 00:02:16.420
There's a couple of other requirements as far as the actual server.

00:02:16.420 --> 00:02:22.980
If you are using a group managed service account, then you need at least

00:02:22.980 --> 00:02:26.880
Windows Server 2012 because they didn't exist before then.

00:02:26.880 --> 00:02:31.720
And that's just a way of managing your service account identity.

00:02:31.720 --> 00:02:39.680
And also, if you're going to use ADFS, then you need Windows Server 2012

00:02:39.680 --> 00:02:46.640
R2 in order to have your web application proxy server work with Azure

00:02:46.640 --> 00:02:50.160
AD. So those are the server requirements.

00:02:50.160 --> 00:02:52.460
A couple of other minor requirements.

00:02:52.460 --> 00:02:53.740
Well, this one's not minor.

00:02:53.740 --> 00:02:55.120
This one's also important.

00:02:55.120 --> 00:02:57.680
You have to have a domain-joined server.

00:02:57.680 --> 00:03:01.220
I cannot use this and install this and configure this on a standalone

00:03:01.220 --> 00:03:04.900
server. That's a big one.

00:03:04.900 --> 00:03:08.440
Two others that are possibly less critical.

00:03:08.440 --> 00:03:17.580
You have to have TLS 1.2, which if you're running on Windows Server 2008

00:03:17.580 --> 00:03:25.860
R2 or later, excuse me, not 2008 R2, 2012 or later, then you're going to

00:03:25.860 --> 00:03:26.900
have that automatically.

00:03:26.900 --> 00:03:31.240
On 2008 R2, it's an option that you might need to set.

00:03:31.240 --> 00:03:35.580
The other thing is that this is kind of an interesting one.

00:03:35.580 --> 00:03:42.280
You have to have the PowerShell transcript group policy disabled on your

00:03:42.280 --> 00:03:45.180
Azure AD Connect server.

00:03:45.180 --> 00:03:47.460
I will tell you, not being a group policy person,

00:03:47.460 --> 00:03:49.720
I've never seen that before, but it's a requirement.

00:03:49.720 --> 00:03:52.420
I've never run into it, just so you know.

00:03:52.420 --> 00:03:57.540
Now, if you are working with ADFS, there's a couple of additional requirements

00:03:57.540 --> 00:04:05.300
for ADFS. First of all, you need WinRM available on your ADFS servers.

00:04:05.300 --> 00:04:08.200
You also need a couple of SSL certificates.

00:04:08.200 --> 00:04:10.060
There's going to be two that are used.

00:04:10.060 --> 00:04:14.660
One is going to be the token signing certificate, and that can actually

00:04:14.660 --> 00:04:18.500
be self-signed. But the other is going to be for your public identity

00:04:18.500 --> 00:04:21.700
so that when users are redirected, they're going to be able to redirect

00:04:21.700 --> 00:04:26.120
over HTTPS. That's going to have to be from a certificate authority.

00:04:26.120 --> 00:04:30.840
In addition to that, you want to think about your DNS settings because

00:04:30.840 --> 00:04:35.320
you're going to have both an internal and an external access to ADFS. For

00:04:35.320 --> 00:04:40.760
the internal, you would want to direct users directly to the ADFS server.

00:04:40.760 --> 00:04:45.500
For the external, you would want to direct users to the web application

00:04:45.500 --> 00:04:48.860
proxy, which is going to be the public endpoint that's made available

00:04:48.860 --> 00:04:55.420
for ADFS. In addition to that, there are a number of ports that you need

00:04:55.420 --> 00:05:00.920
as well. I'm just going to take a look at these.

00:05:00.920 --> 00:05:03.360
We've got internal ports.

00:05:03.360 --> 00:05:06.380
You can see there's quite a number of internal ports, not going to go over

00:05:06.380 --> 00:05:14.920
all of those. The only external ports that we really need are 80 and 443.

00:05:14.920 --> 00:05:16.980
That's kind of convenient.

00:05:16.980 --> 00:05:19.520
Those are outbound connections.

00:05:19.520 --> 00:05:21.020
They're 80 and 443.

00:05:21.020 --> 00:05:30.100
You can run with 80 and 443 between your on-prem Azure AD Connect server

00:05:30.100 --> 00:05:32.740
and Azure itself.

00:05:32.740 --> 00:05:35.800
As far as all the internal connections, those are going to be between

00:05:35.800 --> 00:05:42.200
your domain controller or controllers and your Azure AD Connect server.

00:05:42.200 --> 00:05:45.840
If the Azure AD Connect server is in your DMZ, then of course you're going

00:05:45.840 --> 00:05:49.920
to have to have the appropriate firewall connectivity between that server

00:05:49.920 --> 00:05:54.360
in the DMZ and your domain controllers that are in your primary network.

00:05:54.360 --> 00:05:58.420
If you're using ADFS, you can see there's a couple of additional ports

00:05:58.420 --> 00:06:00.040
that are necessary.

00:06:00.040 --> 00:06:05.940
With that said, let's go ahead and take a look at how we would go about

00:06:05.940 --> 00:06:07.620
setting this up.

00:06:07.620 --> 00:06:13.620
What I want to do first is pull this up.

00:06:13.620 --> 00:06:25.160
This is a network diagram of how the emulated on-premises network is set

00:06:25.160 --> 00:06:31.140
up. We've got a domain controller, ADDSDCVM.

00:06:31.140 --> 00:06:34.420
It is in the internal network subnet.

00:06:34.420 --> 00:06:41.800
I've got a DMZ subnet which has my Azure ADDC which is going to be my

00:06:41.800 --> 00:06:46.520
Connect. Both of these have NSGs.

00:06:46.520 --> 00:06:51.720
The NSG for the internal is more restrictive than the NSG for the server

00:06:51.720 --> 00:06:55.720
that I am deploying Azure AD Connect onto.

00:06:55.720 --> 00:07:00.220
They're all in one network that can communicate.

00:07:00.220 --> 00:07:06.580
What I'm going to do now is pop over to my Azure AD Connect server.

00:07:06.580 --> 00:07:11.200
On this Azure AD Connect server, the first thing that I'm going to do

00:07:11.200 --> 00:07:15.800
is download and install Azure AD Connect.

00:07:15.800 --> 00:07:21.340
Again, this is a member server that's part of the on-prem domain that

00:07:21.340 --> 00:07:23.680
I'm emulating. I say emulating.

00:07:23.680 --> 00:07:27.120
It's a domain. It's an Active Directory domain.

00:07:27.120 --> 00:07:29.860
You can actually download this from anywhere.

00:07:29.860 --> 00:07:35.840
This just ends up downloading, opening up a Microsoft download site.

00:07:35.840 --> 00:07:41.080
Once you start downloading, I used to make people watch this whole thing,

00:07:41.080 --> 00:07:42.800
but there's really no need to.

00:07:42.800 --> 00:07:47.460
There's two settings that you want to be careful with.

00:07:47.460 --> 00:07:50.660
The first is when it first pops up, you don't want to use the express

00:07:50.660 --> 00:07:56.020
settings. Express settings is going to give you a limited configuration.

00:07:56.020 --> 00:07:58.820
In fact, really basically no configuration.

00:07:58.820 --> 00:08:00.320
You want to go ahead and select Customize.

00:08:00.320 --> 00:08:03.520
That's going to give you the options and it's not really terribly hard

00:08:03.520 --> 00:08:09.200
to do. Another thing, when you select Customize, one of the first

00:08:09.200 --> 00:08:13.700
screens you'll see is the list of required components.

00:08:13.700 --> 00:08:18.120
You can choose to go to a custom install location.

00:08:18.120 --> 00:08:21.140
If you already have SQL Server and you don't want this to install it,

00:08:21.140 --> 00:08:23.500
you can use an existing SQL Server.

00:08:23.500 --> 00:08:26.100
Now, use an existing service account.

00:08:26.100 --> 00:08:30.980
If you are an enterprise admin when you run this installation, then you

00:08:30.980 --> 00:08:34.120
do not need to pre-configure any accounts.

00:08:34.120 --> 00:08:40.220
If, however, you're not an enterprise admin, then you will need two accounts.

00:08:40.220 --> 00:08:44.020
You're going to need a service account that is set up to run the service

00:08:44.020 --> 00:08:48.680
and a separate account that is used to access your on-prem Active Directory

00:08:48.680 --> 00:08:55.280
domain. The account that's accessing Active Directory needs specific rights

00:08:55.280 --> 00:08:57.820
within Active Directory, and you can look that up.

00:08:57.820 --> 00:09:02.900
But just be aware that that does need to be set up if you're not an enterprise

00:09:02.900 --> 00:09:06.280
admin. I am an enterprise admin, so I don't really have to worry too much

00:09:06.280 --> 00:09:14.080
about that. Then also specify custom sync groups, and we don't need to

00:09:14.080 --> 00:09:18.420
do that. Now, what that does, if I go through both of those, which I already

00:09:18.420 --> 00:09:22.160
did, let me close that so it's not confusing.

00:09:22.160 --> 00:09:27.600
Here's the actual installation and configuration.

00:09:27.600 --> 00:09:30.500
This is actually where I am already, I've gone through those screens,

00:09:30.500 --> 00:09:35.040
and I need to make a choice as to how I want to have the user sign in.

00:09:35.040 --> 00:09:39.060
I've got password hash, so that's sync with password.

00:09:39.060 --> 00:09:41.720
I've got pass-through authentication as an option.

00:09:41.720 --> 00:09:45.120
If I have ADFS, I can federate with that.

00:09:45.120 --> 00:09:49.420
But I also have support for third-party federation.

00:09:49.420 --> 00:09:53.180
PingFederate is actually integrated directly if you're using the Ping

00:09:53.180 --> 00:09:58.520
product. Then you can set that up from this installation.

00:09:58.520 --> 00:10:02.360
Other federation tools, other federation systems are supported, but you're

00:10:02.360 --> 00:10:06.040
not going to be able to configure them through the Azure AD Connect installation.

00:10:06.040 --> 00:10:10.060
You'd have to refer to that product to get the entire process.

00:10:10.060 --> 00:10:12.320
The other thing that I am going to do, so I'm going to go with just password

00:10:12.320 --> 00:10:16.220
hash, and I'm going to enable single sign-on.

00:10:16.220 --> 00:10:21.120
Now, when I enable single sign-on, that means that people that are

00:10:21.120 --> 00:10:25.920
on-premises, when they go to a cloud application that is controlled by the

00:10:25.920 --> 00:10:30.040
Azure AD that I'm setting up here, they're not going to have to authenticate.

00:10:30.040 --> 00:10:32.180
It's going to pick up their authentication.

00:10:32.180 --> 00:10:34.540
Now, there's two things that I need to do.

00:10:34.540 --> 00:10:36.240
Two accounts that I need to have.

00:10:36.240 --> 00:10:43.620
One is I need a global administrator account in the tenant that I am working

00:10:43.620 --> 00:10:50.580
with. I had already run this once, and I forgot to delete these people.

00:10:50.580 --> 00:10:56.380
And through the magic of pause, they are now removed, as though I didn't

00:10:56.380 --> 00:10:59.860
add them in in the first place.

00:10:59.860 --> 00:11:05.860
There we go. Now, I do need a global administrator account, which I've

00:11:05.860 --> 00:11:10.840
got. The global administrator account cannot be the account that you use

00:11:10.840 --> 00:11:13.620
to create the tenant.

00:11:13.620 --> 00:11:16.900
It has to be an account that is considered a cloud account in the tenant

00:11:16.900 --> 00:11:23.560
itself. So, here I've got GAA at iany-demo.com, which is my account here.

00:11:23.560 --> 00:11:28.060
So, that gives me the ability to set this up.

00:11:28.060 --> 00:11:47.360
I'm going to go ahead and use that.

00:11:47.360 --> 00:11:49.320
And it is logging me in.

00:11:49.320 --> 00:11:54.840
And now, the next step that I have here is to connect up to the local

00:11:54.840 --> 00:11:58.360
Active Directory.

00:11:58.360 --> 00:11:59.560
Now, here I've got two options.

00:11:59.560 --> 00:12:02.680
I can either create a new Active Directory account that's going to be

00:12:02.680 --> 00:12:07.640
used by the Azure AD Connect to synchronize, or I can use an existing

00:12:07.640 --> 00:12:12.160
AD account. In order to create a new account, I have to be an enterprise

00:12:12.160 --> 00:12:16.540
admin. In order to use an existing AD account, that account has to be

00:12:16.540 --> 00:12:21.040
pre-created with the appropriate rights within Active Directory.

00:12:21.040 --> 00:12:27.300
Here, we're going to go ahead and go.

00:12:27.300 --> 00:12:32.380
So, login has the account that I'm using because it is, in fact, an enterprise

00:12:32.380 --> 00:12:46.320
admin. Get that running.

00:12:46.320 --> 00:12:50.120
All right. Now, sometimes it will, oh, no, it did.

00:12:50.120 --> 00:12:51.520
Okay, good. No, we're good.

00:12:51.520 --> 00:12:55.980
So, I've got ineedemo.com, which is my directory.

00:12:55.980 --> 00:13:04.380
Now, the next page, it's checking for the Azure AD sign-in configuration.

00:13:04.380 --> 00:13:07.780
In some cases, when you get to this page, it's going to yell at you.

00:13:07.780 --> 00:13:15.100
Your Next button will be grayed out, and there'll be a checkbox saying

00:13:15.100 --> 00:13:17.020
that you don't have a verified account.

00:13:17.020 --> 00:13:21.940
Now, the reason that happens is because you haven't verified the domain

00:13:21.940 --> 00:13:29.180
name. I have a custom domain name that I've added to this tenant.

00:13:29.180 --> 00:13:34.840
Here I have ineedemo.com, and that makes the whole process happy.

00:13:34.840 --> 00:13:41.920
If you do not have a verified domain name, then you can still synchronize,

00:13:41.920 --> 00:13:46.840
but your users are going to have to log in with whatever domain name is

00:13:46.840 --> 00:13:48.520
available in the tenant.

00:13:48.520 --> 00:13:54.220
So, in other words, instead of logging in as Bob at ineedemo.com, I would

00:13:54.220 --> 00:14:02.780
be logging in as Bob at ineedaz300 to, I think that's it, dot onmicrosoft.com.

00:14:02.780 --> 00:14:04.360
This is a little bit clumsy.

00:14:04.360 --> 00:14:11.640
If you're using ADFS, you have to have the Azure AD domain verified for

00:14:11.640 --> 00:14:15.560
your on-prem Active Directory domain name.

00:14:15.560 --> 00:14:23.700
I can also choose the OUs, and I have this Corp Users, which has two

00:14:23.700 --> 00:14:29.060
users in it. That's an organizational unit that I've already created.

00:14:29.060 --> 00:14:34.080
Then I have settings for determining the uniqueness of my users.

00:14:34.080 --> 00:14:37.920
If I've got multiple, particularly if I have multiple forests, and I have

00:14:37.920 --> 00:14:42.920
trust relationships between the forests, I may have an account that is

00:14:42.920 --> 00:14:46.860
identified in multiple directories.

00:14:46.860 --> 00:14:51.100
You're going to have your primary, and then you may have secondary instances

00:14:51.100 --> 00:14:53.980
of that account if you set up trust relationships and you've given that

00:14:53.980 --> 00:14:59.040
account rights. What this does, it says, okay, first of all, I have a simple

00:14:59.040 --> 00:15:03.420
situation. Users are represented only once across all directories.

00:15:03.420 --> 00:15:07.400
If they are represented across multiple directories, how are they related?

00:15:07.400 --> 00:15:10.900
Most typically, they would be related by the mail attribute, but you can

00:15:10.900 --> 00:15:13.700
see that there's other options as well.

00:15:13.700 --> 00:15:19.500
The other setting here is the way that the objects, the Active Directory

00:15:19.500 --> 00:15:23.700
objects, are uniquely identified, and by default, I'm going to let Azure

00:15:23.700 --> 00:15:28.660
select that, or you could pick your own unique attribute.

00:15:28.660 --> 00:15:31.660
We'll let Azure select that.

00:15:31.660 --> 00:15:35.840
The next thing you can do, this is actually pretty cool.

00:15:35.840 --> 00:15:40.340
You can set up a group, one group, and identify that group as your sync

00:15:40.340 --> 00:15:44.920
group. This would be a security group in Active Directory, and I can set

00:15:44.920 --> 00:15:51.100
up my security group and just sync across for that.

00:15:51.100 --> 00:15:56.280
That would allow me to take users who may be across multiple organizational

00:15:56.280 --> 00:16:01.380
units and even multiple directories, put them all together, and just choose

00:16:01.380 --> 00:16:02.860
the ones that are in that group.

00:16:02.860 --> 00:16:06.820
It just gives you a centralized way of managing if you're not synchronizing

00:16:06.820 --> 00:16:12.660
everyone. Next, I have my optional features, and you can see some of those

00:16:12.660 --> 00:16:17.520
are grayed out because I just don't have that set up, but I do want password

00:16:17.520 --> 00:16:23.800
writeback. You go to Single Sign-On.

00:16:23.800 --> 00:16:30.060
Because I have selected Single Sign-On, I need to provide a domain administrator

00:16:30.060 --> 00:16:34.740
account that's going to configure the Active Directory domain to allow

00:16:34.740 --> 00:16:38.700
this. I'm just going to use my standard account, because it's an additional

00:16:38.700 --> 00:16:45.340
enterprise, of course, then it's a domain admin as well.

00:16:45.340 --> 00:16:50.800
I can remember my password, which I believe I did.

00:16:50.800 --> 00:16:59.020
There we go. Now it's installing, and now it's going to start the synchronization.

00:16:59.020 --> 00:17:02.300
I'm going to just wait, and I'm going to be quiet, so hopefully we'll

00:17:02.300 --> 00:17:05.220
be able to fast forward this for you a bit, and we'll come back, and all

00:17:05.220 --> 00:17:11.000
of this should be synchronized.

00:17:11.000 --> 00:17:15.820
All right. Now you can see that the users from the on-prem environment

00:17:15.820 --> 00:17:19.580
have been synchronized over into Azure AD.

00:17:19.580 --> 00:17:23.380
That means that these logins can now be associated with the cloud applications

00:17:23.380 --> 00:17:28.280
that in turn are associated with the Azure AD tenant, and then these

00:17:28.280 --> 00:17:32.840
users will have direct access to the appropriate cloud applications.