And you can get the Azure AD Connect software from the Microsoft Download Center. So I'm just going to run through a setup, and this is laying down a wizard interface that we use to configure the service. It's going to install the AD Sync Windows Service, it's going to give us a PowerShell module called ADSync, and it's also going to give us a couple other graphical utilities we can use to customize the synchronization connection. Now you could use, if you wanted to, the ADSync PowerShell module to configure, but I'm going to use the wizard. And, by the way, see this shortcut, AD Connect, you would rerun the wizard whenever you want to reconfigure the service on this machine. So let's agree to the license terms and continue. I'm not going to do Express, and I would recommend you not do that either, because that just assumes that you've got a single forest, one or more domains, and you're going to synchronize all attributes. No, you want to go customize so that you have much better control over the environment. Now, by default, Azure AD Connect installs the LocalDB, which is the smaller, scaled-back, free SQL Server database engine.

But you can use an existing full-fledged SQL Server, as you can see here, you can map to an existing service account instead of creating a new one, so these are just some overrides. I'm going to click Install to let the service install the dependencies as it sees fit, installing the Visual C++ Redistributable, eventually it's going to show LocalDB, and it's going to register the service account, and so on, and so forth. The service, by the way, is called ADSync. I think I mentioned that, but just in case I forgot. Okay, this is an important page, because it gives us our opportunity to choose Password Hash Synchronization, Pass-through authentication or Federation. I'm going to go with Password Hash Synchronization and click Next. Now you should know that if you start with, say, Password Hash Sync, but then later decide that you want to change it, you can, you just need to rerun the wizard. And also, when you're using the non-cloud sync version of Azure AD Connect, you're going to have to repeat this process on other machines for "high availability". Now it says here that we need to authenticate to our Azure AD Directory as a global administrator.

Now, global administrator is the most powerful RBAC, or role-based access control, role in Active Directory, so it's pretty important. I'm going to sign in as a delegated administrator account called melissa, and we'll see if that goes through, if I typed the password correctly. Yeah, it did. So now we connect our local Active Directory to Azure. So we've got DIRECTORY TYPE is just Active Directory, and if we were in a multi-forest environment, we can select it here. I'm going to choose Add Directory, and now we have to authenticate with an Enterprise Admin credential. This would allow Azure AD Connect to create and manage a service account for us. So what I'll do is authenticate with my Enterprise Admin here, provide those credentials, and click OK. So far, so good. We'll verify, yes, we just want the root domain here. We'll click Next. Now, we can see the child domain show up in the list, our alternate UPN Suffix show up in the list, and this allows you to verify that you do have a compatible domain in the cloud. It says here Users will not be able to sign into Azure AD with on-premises credentials if the UPN suffix does not match a verified domain.

And you can continue without matching. In my case, I know that I only want an OU from the root domain, and that is in fact verified on the Azure side, and we're using the userPrincipalName attribute. Now, it is possible to use another attribute as the Azure AD username, like maybe email address, for example, but I like to use userPrincipalName. Now because we have these other references, it's not going to actually let me continue unless I affirm that I'm going to continue without matching every suffix. That's fine. This is the main piece here, Domain and OU filtering. I want to deselect the child domain. I'm going to select my domains and OUs here, so I don't want to grab the child domain. And in the root domain, all I want at this point is the HQ Data Team. I'm doing a pilot, let's put it that way. So once we've verified that, let's click Next. This page allows you, again, to custom match attributes so that your users are identified only once. I mean, let's look at it this way, if you had child domains, you had a tim@timw.info in the root and a tim@child.timw.info, and you were looking at their sign-in ultimately being tim@timw.info, that can definitely run into some problems.

So this screen allows you to customize the anchor attribute to avoid conflicts. I don't need to do that in this case, fortunately. Let's click Next. Here's where we can do an even more granular subset of the objects within that OU that'll be synchronized. I'm going to synchronize everything. Let me click Next. Optional features, this is important, because if you're going to support password writeback and self-service password reset, you need to make sure to tick this box. Now note that that requires an Azure Active Directory Premium license for those users, and the group writeback, again, is something that's only available here in the non-cloud sync version. Let's click Next, and it looks like we're ready to rock. Now, last point I want to mention. I'm going to leave Start the synchronization process on so we can actually run the sync. The staging mode is what you'd want to do on your secondary server, because if you're not using cloud sync, you can only have one AD Connect box actually running at a time because they're not aware of each other.

So on your backup machine, you would run through the setup here exactly like we did on the primary, but you would enable staging mode. And then to take a service in or out of staging mode subsequently, you'd rerun the wizard and you'd have access to that checkbox again. That make sense? So let's go ahead and continue this. And while we're waiting for this to finish, I want to show you a couple of the graphical tools that you get when you install Azure AD Connect. One is the Synchronization Service. It's an old-fashioned application for sure. And the other is the Synchronization Rules Editor. Now the Rules Editor, it's got a pretty difficult user interface, but long story short, this allows you to create and edit mappings between local Active Directory schema attributes and Azure Active Directory attributes. We have to remember that Azure AD is not an LDAP directory. It's a totally separate thing. But if you have extended your local schema, you may have user properties that you do want synchronized into the cloud, and you can extend the Azure AD attribute set to a degree. Check the exercise files if you want more info on that. So that's the Sync Rules Editor.

The Synchronization Service Manager allows you to see a record of every synchronization option as it happens, and you can just get more detailed information on the connection between your local AD and Azure AD. And you can also do things like forcing a synchronization to take place. You just right-click and choose Run, and it'll run a synchronization for you. And then lastly, you've got a PowerShell module. Unfortunately, the PowerShell support in Azure AD Sync doesn't work with PowerShell Core, so it's PowerShell Desktop only, or PowerShell version 5. If I do a Get-Command in the module ADSync, assuming that it's been installed, yes, it looks like it has, there's quite a few commands in there for sure. I don't think you're going to see any of these commands on your AZ-800 exam, but a common one is Get-ADSyncScheduler. This will give you your default replication interval. Now, understand that outside of password writeback and group writeback, this is a one-way scheduled sync between local Active Directory and Azure AD, and the default interval is every 30 minutes. The initial sync will likely be the biggest, highest impact, then subsequent syncs will just be delta or changes.

Note that Get-ADSyncScheduler also lets you know if StagingMode is enabled on that box. Fun fact, or not so fun fact: this ADSync PowerShell module is not available in the PowerShell Gallery. You have to install the Azure AD Connect software to get it. It looks like we're good to go here, so let's check by coming up into our directory. Let's go to our Users list, and to compare against local Active Directory, we expect to see Brett Gordon and Betty Remy. So let me do a search in my Users list for Brett, and there is Brett right here. Note that his User principal name matches his local Active Directory name, and we can see Directory synced is set to Yes. If we do a search for Betty, Betty is here, so now we can populate Betty into Azure AD groups to our heart's content. We can give Betty privileges on our cloud apps, and we can give her role-based access control assignments to our Azure subscription resources as well.
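The following script is an added example and is not part of the transcript above or of Microsoft's own tooling. It puts the points the narration makes about the ADSync module into one post-install check you can run on the Azure AD Connect server: confirm the ADSync service is up, read the scheduler (interval, staging mode, next run), list the connectors, show whether the Password Hash Sync feature flag is on, and optionally force the same delta sync the Synchronization Service Manager runs from the right-click menu. It must run in Windows PowerShell 5.1, since the module does not load in PowerShell Core. The function names, the one-hour interval threshold and the `-ForceDelta` switch are this script's own assumptions; the cmdlets and property names are the ADSync module's.

```powershell
# Added example: post-install health check for an Azure AD Connect (ADSync) server.
# Run in Windows PowerShell 5.1 on the AD Connect box itself; the ADSync module is
# installed by the Azure AD Connect installer, not from the PowerShell Gallery.
#Requires -PSEdition Desktop
[CmdletBinding()]
param(
    # Assumption of this script: when set, kick off a delta sync after the checks.
    [switch]$ForceDelta
)

Import-Module ADSync -ErrorAction Stop

function Get-ADConnectStatus {
    # The Windows service the wizard installs is literally named ADSync.
    $svc   = Get-Service -Name ADSync -ErrorAction Stop
    $sched = Get-ADSyncScheduler

    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        SchedulerEnabled  = $sched.SyncCycleEnabled
        StagingMode       = $sched.StagingModeEnabled            # $true only on the standby server
        EffectiveInterval = $sched.CurrentlyEffectiveSyncCycleInterval  # default is 00:30:00
        NextPolicyType    = $sched.NextSyncCyclePolicyType        # Delta once the initial sync has run
        NextRunUtc        = $sched.NextSyncCycleStartTimeInUTC
        InProgress        = $sched.SyncCycleInProgress
    }
}

function Test-ADConnectStatus {
    param([Parameter(Mandatory)] $Status)
    $problems = @()
    if ($Status.ServiceStatus -ne 'Running') { $problems += 'ADSync service is not running' }
    if (-not $Status.SchedulerEnabled)       { $problems += 'sync scheduler is disabled' }
    # Only one server may export to the tenant; a second one must be in staging mode.
    # Assumption: this script is being run on the server meant to be the active one.
    if ($Status.StagingMode) { $problems += 'this server is in staging mode and does not export' }
    # Assumption: anything slower than hourly is treated as misconfigured here.
    if ($Status.EffectiveInterval -gt [timespan]'01:00:00') {
        $problems += "effective interval $($Status.EffectiveInterval) is longer than one hour"
    }
    return $problems
}

$status = Get-ADConnectStatus
$status | Format-List

# One connector per on-premises forest plus one for the Azure AD tenant.
Write-Host 'Connectors:'
Get-ADSyncConnector | Select-Object -ExpandProperty Name

# Tenant feature flags set by the wizard; PasswordHashSync is True when PHS was chosen.
Get-ADSyncAADCompanyFeature | Format-List

$problems = Test-ADConnectStatus -Status $status
foreach ($p in $problems) { Write-Warning $p }

# Same effect as right-click > Run in Synchronization Service Manager. Skipped when a
# cycle is already running or when this server is the staging (non-exporting) one.
if ($ForceDelta -and -not $status.InProgress -and -not $status.StagingMode) {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it as `.\Check-ADConnect.ps1` to report only, or `.\Check-ADConnect.ps1 -ForceDelta` to also trigger a delta cycle. To move the standby server in or out of staging mode without rerunning the wizard, the module's `Set-ADSyncScheduler -StagingMode $true` (or `$false`) does the same thing as the checkbox the transcript mentions; because the server that is not in staging mode is the one writing to the tenant, verify `StagingModeEnabled` on both servers before flipping it.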