In this demonstration, we'll set up Azure AD Connect synchronization. I'm on my rootdc1 domain controller in the timw.info domain. Now in the real world, I would install Azure AD Connect not necessarily on domain controllers, but on member servers, but it is supported to put the service on a domain controller.

Now there are some prerequisites that are also exam alerts that we want to take a look at. You want to make sure in your Azure subscription, particularly in your Azure Active Directory tenant, that you've configured your business domain names. When you start your subscription, you name your Active Directory with a globally unique DNS name, but that's not going to work when you're synchronizing from on-prem. So I verified ownership of my timw.info domain. You verify ownership by creating a resource record in your zone, and Azure will perform a lookup. And if the record exists, then you've demonstrated you own that zone.

Also, if I go to the Users page and show you, if we click New user to create a new user directly in our tenant, the actual sign-in name is in User Principal Name format. So you want to do everything you can to make sure that your local Active Directory users have not only a UPN suffix that matches the domain in Azure, but the best-case scenario is that the username, the UPN, matches the user's SMTP email address. This way, when you give your users instructions for signing into your Azure AD cloud apps, you can just tell them to use their email address. Now you know and I know it's not an email address, but they don't need to know that, and then the password that they normally use at work, in other words, their local password, okay?

Now what if your local Active Directory is not already named as such? Fortunately, as you can see in my Domains and Trusts console, my root domain is already called timw.info. But what if you've got a multi-domain environment or maybe even a multi-forest environment? You can add alternate UPN suffixes and then update those local users. What we can do in the Active Directory Domains and Trusts console is select the root node and go to Properties, and we can add that suffix in. For example, I'm going to add pluralsight.com. Now that's bogus, of course. I'm not going to actually go forward with that, but notice that Active Directory had no problem with my doing that.

And now what I would want to do is, for the users that I want to replicate into the cloud (I'm, by the way, not going to replicate all accounts), what I recommend is that you do this migration, although it's not a migration. To do this synchronization, let's put it that way, on an OU-by-OU basis. So I'm just going to replicate my HQ Data Team, which consists of two users and some groups. Now if we did need to update the UPN suffix for a user, we can go to their account page, and the alternate UPN suffix will show up here under User logon name. It's not showing up now because I'll have to restart the computer for that change to happen. But after I restart it, I would have the pluralsight.com entry here as well. Now in the real world, I would also use PowerShell to do that update in bulk. I wouldn't do it clicking, clicky, click through the GUI.

Another exam alert is understanding just what IdFix is. IdFix is a ClickOnce streaming application. It's open sourced now at GitHub. And what it allows you to do is scan your local forest environment. First, you can go to Settings to determine the scope of what you're looking at. And by default, it will look at the current domain in the current forest. You can provide alternate credentials. And then when you have it run a check, it will give you a rundown of any possible errors or synchronization errors that it finds, duplicate values and so on. It looks like it's actually found some here. And the idea is that you would then track those down and then requery until your problems are fixed, or you can actually take whatever action IdFix recommends and allow it to make the change for you. But IdFix is something that you'll want to work through prior to doing your first synchronization to help you avoid sync errors.

Now you might think, well, Tim, why didn't you fix those issues that you saw? Part of this is that I want to show what happens if something goes wrong, because one of the exam objectives is understanding Azure AD Connect Health.

Now I mentioned that in Azure AD, the current vanguard, so to speak, with directory synchronization is a cloud-based model. So back in the portal, if we come down to Azure AD Connect, we see Manage Azure AD cloud sync. So Microsoft really kind of leads you down that road. And long story short, what this is all about is you create one or more configurations, as they're called, where you tap into a local Active Directory domain, and there's no support for pass-through or federation, so you're pretty much doing password hash sync. And you'll download a smaller agent than what we're going to do today, and then you configure your scope of replication. And again, long story short, it's meant to just be a cloud-hosted way to set up Azure AD account synchronization. That's about all I want to say about that because, like I said, exam AZ-800 assumes that we're not using Azure AD cloud sync, but we've gone and downloaded the Azure AD Connect MSI.