Managing Active Directory in A Hybrid Environment

This document provides an overview of Module 11, which covers managing Active Directory in a hybrid environment. It discusses extending an on-premises Active Directory domain into Azure, the directory synchronization options between on-premises AD and Azure AD, and implementing federation through Active Directory Federation Services (AD FS). The module contains three lessons (extending the domain, directory synchronization, and federation) and a lab exercise in which directory synchronization between on-premises AD and Azure AD is configured.

Uploaded by Alok Sharma
Copyright: All Rights Reserved

Module 11
Managing Active Directory in a Hybrid Environment
Module Overview

• Extending On-Premises Active Directory into Azure
• Directory Synchronization
• Implementing Federation
Lesson 1: Extending On-Premises Active Directory into Azure

• Demonstration: Preparing the Environment
• Hybrid Active Directory as a Component of Azure
• Summary of Active Directory and Microsoft Azure Active Directory Integration Options
• Identifying Reasons to Extend Active Directory to Microsoft Azure
• Planning Domain Controllers in Microsoft Azure
• Discussion – Placing Domain Controllers in Microsoft Azure
• Process for Extending an On-Premises Domain into Azure
Demonstration: Preparing the Environment

To prepare the lab environment for this module, you must:
• Sign in to your Microsoft Azure subscription
• Prepare the Azure environment
Hybrid Active Directory as a Component of Azure

Compute: Virtual Machines, PaaS Cloud Services, Websites, Mobile Services
Data Services: Storage, SQL Database, Backup, Site Recovery
Network Services: Virtual Networks, Traffic Manager, ExpressRoute
App Services: Media Services, Active Directory, Automation, Service Bus, MFA, CDNs, Push Notifications
Summary of Active Directory and Microsoft Azure Active Directory Integration Options

• Extend on-premises Active Directory into Microsoft Azure
• Synchronize Active Directory with Azure Active Directory
  • Optional password synchronization
• Implement trust relationship and single sign-on
  • Active Directory Federation Services (AD FS)
  • AD FS Proxy or new Web Application Proxy (WAP) in Windows Server 2012 R2
Identifying Reasons to Extend Active Directory to Microsoft Azure

• Resilience
• Cost control
• Global reach
• Directory synchronization
Planning Domain Controllers in Microsoft Azure

• Plan Microsoft Azure architecture
• Plan inter-site connectivity
  • VPN server
  • Public static IP address
  • Site-to-site VPN
• Plan forest and domain relationship
  • Separate forest
  • Separate domain
  • Domain controller in same domain
• Plan Active Directory sites
  • Separate sites for on-premises and Microsoft Azure DCs
  • Site link properties
• Plan FSMO roles and GC placement
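The site planning points above, as an added example that is not part of the module slides: one site for the on-premises DCs, one for the Azure DCs, subnets mapped to each, a site link over the VPN, and a report of GC and FSMO placement. The site names, address ranges, link cost and DC name are placeholders for your own design, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example: build the two-site topology the planning slide describes.
# All names and address ranges below are placeholders.
Import-Module ActiveDirectory

$onPremSite   = 'OnPremises-HQ'       # placeholder: site for on-premises DCs
$azureSite    = 'Azure-WestEurope'    # placeholder: site for Azure DCs
$onPremSubnet = '10.10.0.0/16'        # placeholder: on-premises address range
$azureSubnet  = '10.20.0.0/24'        # placeholder: Azure virtual network range

# Create each site only if it does not already exist.
foreach ($site in $onPremSite, $azureSite) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
}

# Map each address range to its site so clients and DCs in Azure locate a
# local DC instead of authenticating across the site-to-site VPN.
New-ADReplicationSubnet -Name $onPremSubnet -Site $onPremSite
New-ADReplicationSubnet -Name $azureSubnet  -Site $azureSite

# Site link properties: IP transport over the VPN, replication every
# 15 minutes (the minimum), and a placeholder cost for the link.
New-ADReplicationSiteLink -Name "$onPremSite-$azureSite" `
    -SitesIncluded $onPremSite, $azureSite `
    -InterSiteTransportProtocol IP `
    -Cost 200 -ReplicationFrequencyInMinutes 15

# After promoting the Azure DC, move it into its site (placeholder DC name).
Move-ADDirectoryServer -Identity 'AZ-DC01' -Site $azureSite

# FSMO roles and GC placement: check that the operations masters stay where
# you planned them and that each site has at least one global catalog.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
```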


Discussion – Placing Domain Controllers in Microsoft Azure

• Would your company consider deploying a DC for your on-premises AD DS domain in Azure?
• What benefits would you expect to realize?
• What would be your reservations about using this approach?
Process for Extending an On-Premises Domain into Azure

1. Create Virtual Network
2. Create Storage Account
3. Create Virtual Machine and assign IP address
4. Install and configure DNS
5. Promote Server to Domain Controller


Lesson 2: Directory Synchronization

• Overview of Directory Synchronization
• Comparing DirSync, Password Sync, and Single Sign-On
• Discussion – Which option is suitable for my environment?
• Preparing On-Premises Active Directory for Directory Synchronization
• Cleaning up Active Directory
• Installing and Configuring Directory Synchronization
• Managing and Monitoring Directory Synchronization
Overview of Directory Synchronization

[Figure: objects and attributes are synchronized from on-premises AD to Azure Directory, with some "write-back" in the reverse direction.]

Synchronization tools:
• DirSync
• AADSync (part of AAD Connect)
Comparing DirSync, Password Sync, and Single Sign-On

Factor | DirSync Only | DirSync with Password Sync | DirSync with Single Sign-On
Sync users, groups and contacts to Azure | Yes | Yes | Yes
Sync incremental updates to Azure | Yes | Yes | Yes
Enable hybrid Office 365 scenarios | Yes – limited support | Yes – limited support | Yes – full support
Users can sign on with on-premises credentials | No | Yes | Yes
Reduce password admin costs | No | Yes | Yes
Control password policies from on-premises directory | No | Yes | Yes
Enable cloud-based MFA | Yes | Yes | Yes
Enable on-premises MFA | No | No | Yes
Authenticate against on-premises directory | No | No | Yes
Implement single sign-on with corporate credentials | No | No | Yes
Customize sign-in page | No | No | Yes
Limit access to services based on | No | No | Yes
Discussion – Which option is suitable for my environment?

• Which directory synchronization option would be optimal for your company?
Preparing On-Premises Active Directory for Directory Synchronization

• Review DC requirements
• Review DirSync computer requirements
• Review hardware recommendations
• Review object limits
• Review administrator accounts
• Review network ports
• Review UPN requirements
Cleaning up Active Directory

• IdFix
  • Identify and remediate AD object synchronization errors, such as:
    • Duplicate or malformed proxyAddresses
    • Duplicate or malformed userPrincipalName
  • Can filter by OU
• ADModify.NET
  • Make attribute changes to multiple objects, such as:
    • Changes to UPNs across OUs or whole domains
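A read-only pre-synchronization check for the two error classes the slide names (duplicate or malformed proxyAddresses and userPrincipalName), scoped to one OU the way IdFix allows. This is an added example, not the IdFix tool or its rules; the OU, the list of verified domain suffixes and the format patterns are assumptions, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: report objects that would fail directory synchronization.
# The OU, verified domains and patterns are placeholders, not IdFix's rules.
Import-Module ActiveDirectory

$searchBase      = 'OU=Corp,DC=adatum,DC=com'        # placeholder OU to check
$verifiedDomains = 'adatum.com', 'mail.adatum.com'   # placeholder verified suffixes
$upnPattern      = '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
$proxyPattern    = '^(smtp|sip|x500):\S+$'           # -match is case-insensitive

$users = Get-ADUser -Filter * -SearchBase $searchBase `
    -Properties userPrincipalName, proxyAddresses

function New-Finding($Obj, $Attr, $Value, $Issue) {
    [pscustomobject]@{ Object = $Obj; Attribute = $Attr; Value = $Value; Issue = $Issue }
}

# Malformed values: a UPN that is not user@domain or whose suffix is not a
# verified domain, and proxy addresses without a recognised prefix.
$findings = @(foreach ($u in $users) {
    $upn = $u.userPrincipalName
    if ($upn -and ($upn -notmatch $upnPattern -or
                   $upn.Split('@')[1] -notin $verifiedDomains)) {
        New-Finding $u.DistinguishedName 'userPrincipalName' $upn 'Malformed or unverified suffix'
    }
    foreach ($addr in $u.proxyAddresses) {
        if ($addr -notmatch $proxyPattern) {
            New-Finding $u.DistinguishedName 'proxyAddresses' $addr 'Malformed proxy address'
        }
    }
})

# Duplicate values: the same UPN or proxy address on more than one object
# blocks synchronization of every holder, so report all of them.
$dupUpn = $users | Where-Object userPrincipalName |
    Group-Object { $_.userPrincipalName.ToLowerInvariant() } | Where-Object Count -gt 1
$dupProxy = $users | ForEach-Object {
        $dn = $_.DistinguishedName
        $_.proxyAddresses | ForEach-Object { [pscustomobject]@{ Dn = $dn; Addr = $_.ToLowerInvariant() } }
    } | Group-Object Addr | Where-Object Count -gt 1

$findings += @(foreach ($g in $dupUpn)   { $g.Group | ForEach-Object { New-Finding $_.DistinguishedName 'userPrincipalName' $g.Name 'Duplicate' } })
$findings += @(foreach ($g in $dupProxy) { $g.Group | ForEach-Object { New-Finding $_.Dn 'proxyAddresses' $g.Name 'Duplicate' } })

# Review the report first; remediation (IdFix or ADModify.NET) is a separate step.
$findings | Sort-Object Object | Format-Table -AutoSize
```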
Installing and Configuring Directory Synchronization

1. Activate DirSync in the Azure Portal.
2. Download and install directory synchronization.
3. Start the configuration wizard and enable required options.
4. Configure any filtering options using the FIM management interface.
5. Synchronize directories.
Managing and Monitoring Directory Synchronization

• Verifying DirSync
  • Change a user account
  • Force replication or allow automatic sync to take place
• Forcing replication
  • Setup wizard
  • Start-OnlineCoexistenceSync
  • Miisclient.exe
• Changing default synchronization schedule
  • Edit %ProgramFiles%\Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config
  • Change <add key="SyncTimeInterval" value="3:0:0" />
  • Restart DirSync service
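The schedule change above as a script, added here and not part of the module: it validates the new interval, backs up the config file, edits the same SyncTimeInterval key on the slide's path, and restarts the service. The service name MSOnlineSyncScheduler is an assumption (confirm it with Get-Service on the DirSync server), and the appSettings location of the key is assumed from the `<add key=... />` shape shown on the slide.

```powershell
# Added example: change the DirSync scheduler interval safely.
# Service name and appSettings path are assumptions; verify on your server.
param([string]$NewInterval = '6:0:0')   # hours:minutes:seconds, like the slide's 3:0:0

$configPath  = Join-Path $env:ProgramFiles `
    'Windows Azure Active Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.config'
$serviceName = 'MSOnlineSyncScheduler'  # assumed DirSync scheduler service name

# Reject values the scheduler cannot parse or that are not positive.
$ts = [TimeSpan]::Zero
if (-not [TimeSpan]::TryParse($NewInterval, [ref]$ts) -or $ts -le [TimeSpan]::Zero) {
    throw "Interval '$NewInterval' is not a valid positive time span (e.g. 3:0:0)"
}

[xml]$config = Get-Content -LiteralPath $configPath -Raw
$node = $config.SelectSingleNode("/configuration/appSettings/add[@key='SyncTimeInterval']")
if (-not $node) { throw "SyncTimeInterval key not found in $configPath" }

# Keep a timestamped backup and record old and new values for the change log.
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $configPath -Destination $backup
$oldValue = $node.GetAttribute('value')   # GetAttribute: .Value on an element is null
Write-Host "SyncTimeInterval: $oldValue -> $NewInterval (backup: $backup)"

$node.SetAttribute('value', $NewInterval)
$config.Save($configPath)

# The scheduler reads its config at start-up, so restart it to apply the change.
Restart-Service -Name $serviceName
Get-Service -Name $serviceName | Select-Object Name, Status
```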
Lesson 3: Implementing Federation

• Introduction to Claims-Based Authentication and Federated Trusts
• Overview of AD FS and Web Application Proxy
• Processing Authentication Claims
• Planning Active Directory Federation Services
• Preparing for Active Directory Federation Services
• Deploying Active Directory Federation Services
• Discussion – Determining Integration Requirements
Introduction to Claims-Based Authentication and Federated Trusts

[Figure: claims-based authentication flow, steps 1–8. Components: an Azure application, Azure AD, the on-premises Security Token Service (AD FS) acting as identity provider against on-premises AD, a trust between Azure AD and AD FS, security tokens (T) carrying claims, and the resulting application session.]
Overview of AD FS and Web Application Proxy

• AD FS is an example of a Security Token Service
• AD FS servers:
  • Authenticate users against Active Directory Domain Controllers
• AD FS Proxy or WAP servers:
  • Provide an Internet-accessible service and protect the AD FS servers
  • Are located in the perimeter network and redirect the incoming authentication request to the AD FS server
Processing Authentication Claims

1. The client makes an authentication request to a resource controlled by Azure Active Directory.
2. The authentication request is redirected to the on-premises federation service, typically through a proxy.
3. The proxy passes the request through to the server running the AD FS service. AD FS checks that the user is authenticated against Active Directory.
4. AD FS creates a token that contains claims about the user.
5. AD FS passes that token back to Azure.
6. Azure then generates a security token that grants access to the requested resources.
Planning Active Directory Federation Services

• Plan for Devices and Browsers
• Plan Server Placement
• Plan Server Numbers
• Plan Access Filtering
• Plan AD FS High Availability
• Plan Database Servers
Preparing for Active Directory Federation Services

• Review Account Requirements
  • Existing user account
  • Group managed service account
• Review Namespace Requirements
• Review DNS Requirements
  • Host records configured for internal and external DNS
• Review Certificate Requirements
  • Token signing: self-signed, automatically rolls over
  • Encryption: SSL certificate, manual update
• Review Firewall Requirements
• Review Load-Balancing Requirements
  • Server farm and proxies
Deploying Active Directory Federation Services

1. Install and configure AD FS.
2. Install and configure proxy servers.
3. Convert domain to federated.
Discussion – Determining Integration Requirements

• Analyze the requirements
• Propose a solution
Lab: Managing an Active Directory Hybrid Environment

• Exercise 1: Configuring Directory Synchronization
• Exercise 2: Synchronizing Directories

Logon Information
Virtual Machine: 20533B-MIA-CL1
User Name: Student
Password: Pa$$w0rd

Estimated Time: 40 minutes

Lab Scenario

A. Datum currently uses single sign-on for on-premises applications. As part of A. Datum's evaluation of Microsoft Azure, you need to test that A. Datum users can use the same credentials that they use to access resources on the A. Datum intranet to access resources in Azure. When users change passwords and other directory details, you want to ensure these changes will be reflected in both your on-premises and Azure Active Directories. In this lab, you will evaluate this hybrid environment.
Lab Review

In this lab, you successfully configured Directory Synchronization between on-premises Active Directory and Microsoft Azure.
Module Review and Takeaways

• Review Question(s)
