2025-02-14 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Blog Address: https://blog.51cto.com/14669127
Since 2010, as cloud platforms have matured, many enterprises have moved to cloud services to keep data management on the public cloud secure and scalable while reducing IT operation and maintenance work.
In recent years, more and more enterprises have migrated users from on-premises platforms such as domain controllers and Exchange servers to cloud-based management. To help administrators understand the implementation plan and keep the deployment transparent and clear, this article shares the relevant experience for everyone to learn from and discuss.
This article focuses on deploying Azure AD Connect (a free tool included with Azure subscriptions) to synchronize users from on-premises servers to Azure AD. Why choose Azure AD Connect as the delivery solution? Because it is the tool Microsoft designed to implement hybrid identity; it replaces older identity integration tools such as DirSync and Azure AD Sync. It integrates on-premises Active Directory with Azure AD so that users have a common identity when accessing cloud or on-premises resources, which improves productivity: for example, a user can use a single identity to access both local applications and cloud services such as Office 365.
Before deploying Azure AD Connect, you need to consider the following seven areas:
1. Azure AD
○ You manage Azure AD Connect through the Azure Portal or the Office 365 Portal
○ Domain: you need to add and verify a valid custom domain; the default domain (contoso.onmicrosoft.com) cannot be used
○ An Azure AD tenant defaults to a limit of 50K objects. Once you verify a domain, the limit rises to 300K objects. If you need more objects in Azure AD, you must open a support ticket with Microsoft to raise the limit.
2. On-premises data
○ Before synchronizing to Azure AD and Office 365, it is recommended that you use IdFix to identify errors such as duplicates and formatting problems in Active Directory
○ Ensure that the sync features are enabled in Azure AD
§ On premises: Azure AD Connect sync (sync engine)
§ Azure AD: Azure AD Connect Sync Service
3. On-premises Active Directory
○ The AD schema version and forest functional level must be Windows Server 2003 or later
○ If you plan to use password writeback, the domain controllers must be Windows Server 2008 R2 or later
○ Ensure that the domain controller used by Azure AD Connect is writable
○ Enabling the Active Directory Recycle Bin is recommended
4. Azure AD Connect server
○ Azure AD Connect cannot be installed on Small Business Server; the server must be Windows Server 2012 Standard or later
○ Installing Azure AD Connect on a domain controller is not recommended. The server that hosts Azure AD Connect should be a domain member.
○ If you deploy ADFS, the server must run Windows Server 2012 or later
○ If you deploy ADFS, you need SSL certificates, their configuration, and name resolution
○ If the global admin has MFA enabled, you need to add the following URL to the browser's trusted sites list:
https://secure.aadcdn.microsoftonline-p.com
○ (Optional step) Microsoft recommends hardening the Azure AD Connect server to reduce its attack surface:
§ Securing administrator groups
§ Securing built-in administrator accounts
§ Security improvement and sustainment by reducing attack surfaces
§ Reducing the Active Directory attack surface
5. SQL Server required by Azure AD Connect
○ Azure AD Connect needs a SQL Server database to store identity data. You can select Express mode during deployment, which uses SQL Server Express for storage; it has 10 GB of storage space and can manage 100,000 objects. If you need to manage more directory objects, you need to deploy a full SQL Server (Microsoft SQL Server 2012 or later).
6. Accounts
○ Azure AD Global Administrator account
○ Active Directory admin account on premises (Exchange admin)
7. Connectivity
○ The DNS server must be able to resolve the names of both on-premises Active Directory and Azure AD endpoints.
○ If your intranet has a firewall, you need to open the required ports between the Azure AD Connect server and your domain controllers
○ Azure AD Connect to Azure AD communication protocols and ports
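The seven considerations above are a checklist that can be verified before the installer is ever run. The script below is an added example (not code from the original article or from Microsoft) that performs a read-only pre-flight check of the verifiable items: server OS and role, schema version, forest functional level, domain controller OS and writability, Recycle Bin state, object count against the SQL Express limit, and DNS/TCP reachability. It assumes it is run in an elevated PowerShell session on the prospective Azure AD Connect server with the ActiveDirectory RSAT module installed; `login.microsoftonline.com` is used as a representative Azure AD endpoint, and the domain controller port list is only a subset of the documented ports.

```powershell
# Added example: pre-flight check for the Azure AD Connect prerequisites above.
# Not part of the original article. Read-only: it changes nothing in AD or on the host.
Import-Module ActiveDirectory -ErrorAction Stop

$findings = New-Object System.Collections.Generic.List[string]

# 4. Azure AD Connect server: Windows Server 2012 (build 9200) or later, and a member server.
$os  = Get-CimInstance Win32_OperatingSystem
$sys = Get-CimInstance Win32_ComputerSystem
if ([int]$os.BuildNumber -lt 9200) {
    $findings.Add("Server OS is older than Windows Server 2012: $($os.Caption)")
}
# Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = domain controller.
if ($sys.DomainRole -ge 4) {
    $findings.Add('This host is a domain controller; install Azure AD Connect on a member server')
} elseif ($sys.DomainRole -ne 3) {
    $findings.Add('This host is not a domain-joined member server')
}

# 3. On-premises AD: schema version and forest functional level at least Windows Server 2003.
$schemaVersion = (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
if ($schemaVersion -lt 30) {   # objectVersion 30 = Windows Server 2003 schema
    $findings.Add("AD schema version $schemaVersion is older than Windows Server 2003")
}
$forest = Get-ADForest
if ([int]$forest.ForestMode -lt 2) {   # ADForestMode enum: 2 = Windows2003Forest
    $findings.Add("Forest functional level $($forest.ForestMode) is below Windows Server 2003")
}

# Domain controllers: at least one writable DC; 2008 R2 or later if password writeback is planned.
$dcs = @(Get-ADDomainController -Filter *)
if (-not ($dcs | Where-Object { -not $_.IsReadOnly })) {
    $findings.Add('No writable domain controller found (read-only DCs only)')
}
foreach ($dc in $dcs) {
    if ($dc.OperatingSystem -match 'Server 2003|Server 2008(?! R2)') {
        $findings.Add("DC $($dc.HostName) runs $($dc.OperatingSystem): too old for password writeback")
    }
}

# Recycle Bin is recommended so accidental deletions do not propagate as hard deletes.
$recycleBin = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $recycleBin.EnabledScopes) {
    $findings.Add('Active Directory Recycle Bin is not enabled (recommended)')
}

# 5. SQL Express holds up to 100000 objects (limit stated in the article); count users, contacts and groups.
$objectCount = (Get-ADObject -LDAPFilter '(|(objectCategory=person)(objectCategory=group))' | Measure-Object).Count
if ($objectCount -gt 100000) {
    $findings.Add("$objectCount directory objects exceed the SQL Express limit of 100000; plan a full SQL Server")
}

# 7. Connectivity: DNS resolution and TCP 443 to Azure AD, plus a subset of the DC ports
#    (88 Kerberos, 389 LDAP, 445 SMB, 636 LDAPS). Endpoint name is an assumption.
$cloudEndpoint = 'login.microsoftonline.com'
try   { $null = Resolve-DnsName -Name $cloudEndpoint -ErrorAction Stop }
catch { $findings.Add("DNS cannot resolve $cloudEndpoint") }
if (-not (Test-NetConnection -ComputerName $cloudEndpoint -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded) {
    $findings.Add("TCP 443 to $cloudEndpoint is blocked")
}
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445, 636) {
        $probe = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        if (-not $probe.TcpTestSucceeded) {
            $findings.Add("TCP $port to $($dc.HostName) is blocked")
        }
    }
}

# Report: anything listed here should be fixed before running the Azure AD Connect installer.
if ($findings.Count -eq 0) {
    'All checked prerequisites look fine.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Items that cannot be checked from the server (the verified custom domain in the tenant, the 50K/300K tenant object limit, IdFix results, and the MFA trusted-sites entry) still need to be confirmed by hand in the portal.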
Summary of the Azure AD Connect deployment:
1. Before deploying Azure AD Connect, add and verify the domain in Azure AD (Office 365) (the DNS records must also be configured at the registrar, GoDaddy in this case); otherwise signing in to Azure AD will fail when configuring Azure AD Connect.
2. Download and install Azure AD Connect from https://www.microsoft.com/en-us/download/details.aspx?id=47594
3. If you have a single-forest domain and use password hash synchronization for authentication, you can install and deploy Azure AD Connect with the default Express settings
4. If you do not synchronize all users, attributes and organizational units from on-premises Active Directory, but instead synchronize in batches by OU or have special requirements for attribute synchronization, you need to uncheck the "Start the synchronization process when configuration completes" check box in the final Configure step
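Unchecking that box only prevents the first automatic cycle; the scheduler still has to be kept idle while OU filtering is applied, and the first sync then has to be started and watched by hand. The following added example (not from the original article) shows that sequence using the ADSync PowerShell module that the Azure AD Connect installer places on the server. The OU filtering itself is done in Synchronization Service Manager (miisclient.exe) on the on-premises AD connector and is not scriptable here; the sleep interval is an arbitrary choice.

```powershell
# Added example: controlling the first synchronization after an install done with
# "Start the synchronization process when configuration completes" unchecked.
# Run on the Azure AD Connect server as an administrator.
Import-Module ADSync -ErrorAction Stop

# 1. Make sure the built-in scheduler will not start a cycle while filtering is still being edited.
$scheduler = Get-ADSyncScheduler
if ($scheduler.SyncCycleEnabled) {
    Set-ADSyncScheduler -SyncCycleEnabled $false
}
Get-ADSyncScheduler | Format-List SyncCycleEnabled, StagingModeEnabled, SyncCycleInProgress

# 2. List the connectors so you can confirm which on-premises forest will be read.
Get-ADSyncConnector | Select-Object -ExpandProperty Name

# 3. After OU filtering has been applied in Synchronization Service Manager, run a one-off
#    initial cycle (full import and full synchronization). A manual cycle can be started
#    while the scheduler is disabled.
Start-ADSyncSyncCycle -PolicyType Initial

# 4. Wait until no connector run is in progress before inspecting the results in the portal.
do {
    Start-Sleep -Seconds 30   # polling interval is an arbitrary choice
    $running = @(Get-ADSyncConnectorRunStatus)
} while ($running.Count -gt 0)

# 5. Re-enable the scheduler only once the objects exported to Azure AD look correct;
#    subsequent cycles are delta syncs at the scheduler's default interval.
Set-ADSyncScheduler -SyncCycleEnabled $true
```

Keeping the scheduler disabled until the OU filter is verified is what prevents the whole directory from being exported on the first cycle; objects synced by mistake have to be removed from the cloud afterwards rather than simply filtered out.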
Reference articles:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-recycle-bin
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-connectivity
© 2024 shulou.com SLNews company. All rights reserved.