Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using Azure AD Sync
Microsoft Corporation. Published: December 2014. Author: Mark Grimes
Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this document:
Joe Davies, Bill Mathers, Andreas Kjellman
Abstract
This document will assist IT professionals, administrators, architects, and developers in creating a test lab that uses Windows Azure Active Directory and Windows Server AD. The on-premises Active Directory identities will be synchronized by using Azure AD Sync.
Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows Azure, Forefront, MSDN, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment using
Azure AD Sync ...4
In This Guide...4
Test Lab Overview...4
Test Lab Guide Specific Requirements ...5
Steps for Creating a Windows Azure AD and Windows Server AD Environment Test Lab ...6
Test Lab Guide Specific Information and Instructions ...6
Step 1: Set Up the Configuring the Windows Server 2012 R2 Base Configuration Test Lab for Hybrid Identities Synchronization ...7
PowerShell you Windows Server 2012 R2 VM to make a DC fast! ...7
Step 2: Sign-up for a Windows Azure 30-Day Trial ...7
Sign-up for a Windows Azure 30-Day Free Trial ...8
Step 3: Create a Windows Azure AD Tenant ... 12
Create a Windows Azure AD Tenant ... 12
Step 4: Prepare the Windows Azure AD Tenant for Synchronization ... 14
Verify your domain... 14
Set domain as Primary ... 16
Create a global administrator account in our Windows Azure AD tenant. ... 17
Activate Windows Azure AD Tenant for Synchronization ... 25
Step 5: Create Organizational Units and Test Users in Windows Server AD ... 26
Create Organizational Units ... 26
Create Test Users ... 27
Step 6: Download and Install Azure AD Sync ... 28
System Requirements... 28
Windows Azure AD and Windows Server AD
In This Guide
Whether or not you already have Microsoft Azure and an available domain controller, this guide contains instructions for setting up a test lab for Azure AD Sync between Microsoft Azure and Windows Server Active Directory. This Test Lab Guide is partially based on the existing Test Lab Guide: Creating a Windows Azure AD and Windows Server AD Environment. This guide is also a reference article for SMB Common Identities, an article that helps small and medium sized businesses understand all of the common identity scenarios that enable identity integration between Microsoft Azure and Windows Server Active Directory. Once a common identity is established, Microsoft Azure, acting as an identity hub, can facilitate seamless sign-on to SaaS applications along with various other capabilities such as mobile scenarios and using Intune.
A full copy of this document is available for offline viewing here.
NOTE: If your small or medium sized business is going to have only Cloud Identities i.e. you will not maintain servers on-premise and will only use Microsoft Azure Active Directory, then this Test Lab Guide does not have a use case. This Test Lab Guide is ONLY to provide guidance in simplifying synchronization of an on-premise Active Directory Domain Controller with Microsoft Azure Active Directory.
Test Lab Overview
In this test lab, we move from the original base configuration to using the base configuration that is enabled for cloud related technologies. This means that the machines are no longer isolated from the internet and are able to communicate with cloud services such as Windows Azure. No
Test Lab Guide Specific Requirements
There are no additional hardware requirements. There is one additional software requirement, the Azure AD Sync tool. There are also a few specific items that this test lab requires. The following table provides a summary of the required items for this test lab guide.
Requirement | Comment
Windows Azure 30-day Trial | Windows Azure Free Trial
A Microsoft Account | Microsoft account
A mobile phone that can receive text messages | Required for Windows Azure verification.
A valid credit card | Required for Windows Azure Free Trial.
Steps for Creating a Windows Azure AD and Windows Server AD Environment Test Lab
There are eight steps to follow when setting up the Creating a Windows Azure AD and Windows Server AD Environment test lab.
Step 1: Set Up the Configuring the Windows Server 2012 Base Configuration Test Lab for Public Cloud Technologies - The Base Configuration is the core of all Test Lab Guide scenarios. This test lab guide has been modified so that the base configuration can be used with cloud technologies.
Step 2: Sign-up for a Windows Azure 30-Day Trial – In this step we sign up for our Windows Azure trial.
Step 3: Create a Windows Azure AD Tenant – In this step we create our Windows Azure Active Directory tenant.
Step 4: Prepare the Windows Azure AD Tenant for Synchronization – In this step we configure our tenant so that it can synchronize with our on-premise Active Directory.
Step 5: Create Organizational Units and Test Users in Windows Server AD – In this step, we create the on-premise AD structure that we are going to synchronize with our Windows Azure AD tenant.
Step 6: Download and Install Azure AD Sync – In this step we download, install, and perform the initial configuration of the software that will be used to synchronize our directories.
Step 7: Configure Azure AD Sync to specific Organizational Units – In this step, we customize the Microsoft Azure AD Synchronization Tool to only synchronize certain users from our on-premise AD.
Step 8: Run Azure AD Sync and Verify Results – In this step we run the tool and verify the results.
Test Lab Guide Specific Information and Instructions
The following section is a list of additional information on configuring the test lab. It also includes items that may be omitted from the test lab guides that this test lab builds upon. This is to allow for quicker deployment.
The following is a list of general information and instructions:
This test lab can be set up with just one DC1 either on-premise or within Azure Active
Step 1: Set Up the Configuring the Windows Server 2012 R2 Base Configuration Test Lab for Hybrid Identities Synchronization
Set up the Base Configuration test lab based on the instructions in Windows Server 2012 R2 Test Lab Guide. The TechNet article Configuring the Windows Server 2012 Base Configuration Test Lab for Public Cloud Technologies further describes the overall setup. For the purposes of this Test Lab Guide, the APP1 server will not be used. But it can be built for other Test Lab Guides on TechNet. You ONLY need a DC1 built for this scenario.
NOTE: If you already have a Domain Controller set up on-premise, then there is no need to complete this step. The same applies if you have a base Windows Server 2012 R2 server in Hyper-V or built in your Azure Portal. This example lab was set up with a Domain Controller running in Hyper-V on a Windows 8.1 host along with an MSDN subscription to Microsoft Azure. Below are the PowerShell commands that will elevate your Windows Server to a Domain Controller quicker than you can click it!
PowerShell your Windows Server 2012 R2 VM to make a DC fast!
If you already have a base Windows Server 2012 R2 image lying around and can use it for this lab, simply run the following two commands from PowerShell ISE.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName contoso.com
The commands above come from the Windows Server 2012 R2 Test Lab Guide. That document will also have you create a test user. Any user accounts necessary to set up Azure AD Synchronization are fully described in the steps below.
Step 2: Sign-up for a Windows Azure 30-Day Trial
Signing up for Azure involves the steps below.
* NOTE: if you have used the same mobile phone to set up other tenants or trials, the mobile verification may fail. This is for security. If that does happen, contact the support on that same page and they will fix this to allow the same mobile number to be reused.
Sign-up for a Windows Azure 30-Day Free Trial
Use the following procedure to sign up for a Windows Azure free trial.
1. Open Internet Explorer and navigate to http://azure.microsoft.com
2. At the very top, click Free Trial. This will go to the free trial page.
3. On the free trial page, click Try it now. You will be asked to sign in with your Microsoft account.
4. After signing in, you will see the sign-up page. Verify the information in section 1, About you.
5. In section 2, enter your mobile phone number and click Send Text Message. Wait for the message to be sent to your phone.
7. Next, enter your valid credit card information in section 3 as shown below.
8. Read the Windows Azure Agreement, Offer Details, and Privacy Statement then place two checks in the boxes and click Sign Up. This will take you to a screen that provides a summary of your subscription. At the top click Portal.
9. This will take you to the Windows Azure Portal. You will be presented with the Windows Azure Tour wizard. If you haven’t taken the tour before it is short and worth walking through. Otherwise you can close it.
Step 3: Create a Windows Azure AD Tenant
Now that we have a Windows Azure subscription, we are going to create a Windows Azure Active Directory Tenant. This will be the cloud directory that we synchronize our on-premise AD directory with.
Create a Windows Azure AD Tenant
Use the following procedure to create a Windows Azure AD tenant.
1. If you are not already signed in to the Windows Azure Portal, do this first.
2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.
4. At the bottom, click New. This will bring up a pop up menu, where you will select Directory on the right-most column.
5. Click Custom Create. Then fill out the fields below in the Add directory dialog box. For the name, use a unique name that you would like to use for your lab. If the name is not unique, the interface will let you know! The green check mark lets you know when it is unique.
5. Ensure Create new directory is selected and then enter the Name, Domain Name, and select a country or region from the drop-down. Click the check mark in the lower right hand corner.
6. The directory should now be created and will appear at the top of the “active directory” page in the Azure Portal.
Step 4: Prepare the Windows Azure AD Tenant for Synchronization
Now that we have a tenant, we must prepare it in order to synchronize it with our on-premise Active Directory. This step involves the following:
Verify your domain
Set domain as Primary
Create a global administrator account in our Windows Azure AD tenant.
Activate Windows Azure AD Tenant for Synchronization
Verify your domain
The first thing we had to do was verify the domain. If you choose to take the same approach, then use the following steps to verify your domain.
NOTE: This is NOT required to do this lab, although in our example we did purchase a domain name and set it up. If you have or do purchase a Domain Name at a Registrar, the detailed steps are included at Verify a domain at any domain name registrar on MSDN. The example steps used in the validation of this lab are outlined below. Once your new domain name is verified, further below you will set it to be the primary domain name to be used.
1. If you are not already signed in to the Windows Azure Portal, do this first.
2. In the Windows Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Windows Azure portal.
3. On the right, click on our newly created tenant. This will bring up the <Your Directory> directory screen.
4. At the top, click on Domains, this will bring up the domains screen.
5. At the bottom of the “Domains” page, click Add. This will bring up the add domain wizard.
6. Enter your registered <domain name> in the box and click add.
Important
Do not place a check in the single sign-on box. This TLG does not demonstrate
9. This may take a little while but once it is verified you will see the status change to verified.
Set domain as Primary
Now that the domain has been verified, we need to set the domain as our primary domain. Use the following procedure to set our verified domain to the primary domain.
4. At the top, click on Domains, this will bring up the domains screen.
5. At the bottom of the screen, click Change Primary. This will bring up a change primary screen.
6. Make sure that your domain is selected under the New Primary Domain heading and click the check mark.
7. Your domain should now be set as the primary domain.
Create a global administrator account in our Windows Azure AD tenant.
4. At the top, click on Users, this will bring up the users screen. There should be only one account in here, the Microsoft account you used to sign-up for your Azure subscription.
5. At the bottom, click Add User. This will bring up the add user wizard.
6. Enter a user name for the user and then click the arrow in the lower right.
7. Enter the first name, last name, display name, and select Global Administrator from the drop-down. Click the right arrow.
8. Click the create button to create the user and get a temporary password.
9. This will create the account and assign it a temporary password. Use the icon next to the temporary password to copy it to the clipboard.
10. This will bring up a pop-up asking whether or not to allow Internet Explorer access to the clipboard. Click allow access. Click the check mark.
12. This will sign you out and you will see a screen that says you have been signed out.
Click Sign In Using Your Organizational Account.
13. Now sign in to the portal with the newly created administrator account using the
14. Once signed in, you will be prompted to change your password. Go ahead and set the password to one of your choosing. This password will be required again when we setup the Azure AD Sync tool so don’t forget it! Click submit.
15. Windows Azure will now attempt to log you on. You will see a screen that says you do not have a Windows Azure subscription associated with this account. This is correct as our subscription is associated with our Microsoft account. At this point, just close Internet Explorer because the password has been changed.
Activate Windows Azure AD Tenant for Synchronization
Finally, we need to flip the switch that allows us to synchronize with this directory in Windows Azure. Use the following procedure to activate this Windows Azure AD tenant.
1. Sign back in to the Windows Azure Portal with the original account you first started with.
Step 5: Create Organizational Units and Test Users in Windows Server AD
Now that we have Windows Azure AD set up, we need to create the Organizational Unit structure in our on-premise AD environment and populate the OUs with a couple of users. This step consists of the following.
Create Organizational Units
1. On DC1 (or whatever DC you are using), open Active Directory Users and Computers.
2. Right-click on smbaadsync.com (or the name of your forest) and select New and then select Organizational Unit.
3. In the name box, enter AADSYNC_USERS and click Ok.
4. Right-click on AADSYNC_USERS and select New and then select Organizational Unit.
5. In the name box, enter Engineering and click Ok.
6. Right-click on AADSYNC_USERS and select New and then select Organizational Unit.
7. In the name box, enter Sales and click Ok.
8. The OU structure should now look like this:
Create Test Users
Now we will create one user in each of the new OUs that we created. One in Engineering and one in Sales. Use the following procedure to create the Users.
1. Right-click on Engineering and select New and then select User.
2. Enter the following and then click Next.
First Name: Britta
Last Name: Simon
Full Name: Britta Simon
User logon name: bsimon
3. Enter a password for the user, remove the check from User must change password at next logon and place a check in Password never expires.
4. Click Finish.
5. Right-click on Sales and select New and then select User.
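The OU structure and test users from Step 5 can also be created with the ActiveDirectory PowerShell module on DC1. This is an added example, not part of the original guide; the UPN suffix smbaadsync.com and the Sales user's logon name ljacobson are assumptions (the guide only gives her display name, Lola Jacobson).

```powershell
# Added example (not from the original guide): build the Step 5 OU structure and
# test users with the ActiveDirectory module instead of the GUI. Run on DC1 as a
# domain administrator. $UpnSuffix and the Sales user's logon name are assumptions.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName      # e.g. DC=smbaadsync,DC=com
# The UPN suffix must be a domain you verified in Step 4; an unverified suffix is
# replaced with the tenant's .onmicrosoft.com suffix when the user is synchronized.
$UpnSuffix = 'smbaadsync.com'
$RootOU    = "OU=AADSYNC_USERS,$DomainDN"

# OU structure: AADSYNC_USERS with Engineering and Sales beneath it.
New-ADOrganizationalUnit -Name 'AADSYNC_USERS' -Path $DomainDN
foreach ($child in 'Engineering', 'Sales') {
    New-ADOrganizationalUnit -Name $child -Path $RootOU
}

# Prompt for the test users' password rather than embedding it in the script.
$Password = Read-Host -Prompt 'Password for the test users' -AsSecureString

$TestUsers = @(
    @{ Given = 'Britta'; Surname = 'Simon';    Logon = 'bsimon';    OU = 'Engineering' },
    @{ Given = 'Lola';   Surname = 'Jacobson'; Logon = 'ljacobson'; OU = 'Sales' }  # logon name assumed
)

foreach ($u in $TestUsers) {
    $fullName = "$($u.Given) $($u.Surname)"
    New-ADUser -Name $fullName -DisplayName $fullName `
        -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Logon -UserPrincipalName "$($u.Logon)@$UpnSuffix" `
        -Path "OU=$($u.OU),$RootOU" `
        -AccountPassword $Password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true   # the check boxes the guide sets
}

# Show what will be in scope once the connector is limited to AADSYNC_USERS in Step 7.
Get-ADUser -SearchBase $RootOU -Filter * -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName
```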
Step 6: Download and Install Azure AD Sync
Now that we have prepared Microsoft Azure AD and created our test OU structure and populated it with users, we can download and install the Azure AD Sync tool. The following section consists of the following:
Download and Install the Microsoft Azure AD Synchronization Tool
Configure the Microsoft Azure AD Sync Tool
System Requirements
You need an account with local administrator privileges on your computer to install AADSync.
Additionally, an Azure Account needs to be created in your AAD Tenant that has the Global Administrator Role selected.
AADSync requires a SQL Server database to store identity data. By default a SQL Express LocalDB (a light version of SQL Server Express) is installed and the service account for the service is created on the local machine.
The minimum and supported operating systems are: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
SQL Server Express has a 10GB size limit that enables you to manage approximately 100,000 objects. If you need to manage a higher volume of directory objects, you need to point the installation process to a different version of SQL Server.
Download and Install the Microsoft Azure AD Synchronization Tool
1. You can download the Azure AD Sync tool from Microsoft Azure AD Sync tool – 64 bit.
2. Once the download is complete, navigate to the file that was downloaded and double-click on Azure AD Sync.exe. You may get a security warning asking if you want to run this file. Click Run.
3. On the Welcome screen, click Next.
4. On the License Terms screen, review the terms, click the I agree to the license terms check box, and then click Install in the lower right of the window.
7. If the step above fails, exit the dialog box. Click the start menu and type DirectorySyncTool. You will see the requirement as noted below
8. Now log off of DC1 and log back on. The reason for this is that the account you installed the Azure AD Sync tool with was added to newly created security groups and we want to refresh your security token.
Configure the Microsoft Azure Active Directory Sync Tool
Now, log back on to DC1 and we will begin with the initial configuration of the Azure AD Sync tool. This will be a simple configuration and the next step will walk us through the advanced configuration of scoping our OUs. Use the following procedure to run the Azure AD Sync Configuration Wizard.
1. On your Domain Controller, click the Windows Icon in the lower left corner, this will take you to the Start screen.
2. On the Start Screen, type Dir to find the DirectorySyncTool and select it.
3. On the Azure AD Credentials screen, enter the username and password of the global administrator account you created for your tenant. Click Next.
4. On the AD DS Credential window, enter your Active Directory Forest, Username and Password. Click Add Forest and then click Next.
5. On the User Matching window below, most SMB organizations will just click Next. If other options need to be considered, see the article Matching across forests for more information on the options shown below.
The sourceAnchor attribute is an attribute that does not change during the lifetime of a user object. In single-forest environments where the account is never moved between forests, objectGUID is a good candidate. If the user is moved between forests or domains, then an alternative attribute must be selected.
The userPrincipalName attribute is the user’s login ID in Azure AD. By default the userPrincipalName attribute in AD DS is used. If this attribute is not routable or not suitable as the login ID, a different attribute, such as mail, can be selected during the install.
8. On the Optional Features window, leave the defaults and click Next. Note the little blue information icons, which link to the page for that specific feature so you can learn more.
9. This will begin the Configuration. Once the configuration is complete, click Next.
10. On the Finished screen, clear the Synchronize now check box and click Finish.
Step 7: Configure Azure AD Sync to specific Organizational Units
Now that we have installed and initially configured Azure AD Sync, we are going to do some advanced configuration so as to only synchronize certain OUs and not our entire on-premise Active Directory. This section consists of the following:
Create a service account to run the Active Directory Connector
Configure Azure AD Sync to Specific Organizational Units
Create a service account to run the Active Directory Connector
The account used by the Active Directory Connector is created by the Azure AD Sync tool during configuration. If we want to synchronize everything in our directory we can use this account; however, because we want to scope this to only specific OUs, we need to create an account to run the Active Directory Connector. Some of you may ask why we can’t just change the password of the account that was created by Azure AD Sync. The reason is that this can cause issues with the automatic synchronizations, and it is an unsupported configuration. For purposes of this test lab, we will make the service account a member of Domain Admins. For information on restricting the connector to the least amount of privileges required, see the Forefront Identity Manager documentation. Use the following procedure to create a service account.
1. In Active Directory Users and Computers, right-click on the Users OU and select New and then select User.
2. Enter the following and then click Next.
First Name: AD Connector
Last Name: Account
6. In the properties, at the top, click Member Of and click Add.
7. In the Select Groups box, enter domain admins and click Check Names. This will resolve with an underline. Click Ok.
8. Click Apply. Click Ok. Close Active Directory Users and Computers.
Configure Azure AD Sync to Specific Organizational Units
Use the following procedure below to configure Azure AD Sync to only synchronize specific organizational units of your on-premise AD.
1. Navigate to “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Azure AD Sync” and double-click miisclient.exe.
Shortcut Tip: click the Start menu and type miisclient, then select it.
2. In the Synchronization Service Manager tool, first click the Connectors button beneath the menu, and then double-click on the “Active Directory Domain Servers” Connector to bring up the Active Directory Connector properties again.
3. On the left, click Configure Directory Partitions. This will bring up the Configure Directory Partitions section.
5. Now the containers screen will come up. The easiest way to configure this is to deselect the check box at the root of the tree, in this example DC=contoso,DC=com. This will remove all of the checks. Now place a check mark in just the AADSYNC_USERS container. This will check that container and all child containers. In our case, this includes the Engineering and Sales containers.
7. Since we deselected Synchronize now at the end of the Azure AD Sync tool, it created a “disabled” task in Task Scheduler. You will need to enable this for synchronization to occur. From the Start menu, start typing Task Scheduler until it appears in the menu and then select it.
8. Click on Task Scheduler Library in the left window, and then right-click on Azure AD Sync Scheduler in the middle pane and select Enable.
9. From the Actions pane on the right, select Run to force a synchronization so that the results will appear below. After that, the synchronization will repeat every 3 hours.
Verify the User has been synchronized
Now we will verify that the users have been synchronized. Use the following procedure to verify the user has been synchronized.
1. Open Internet Explorer and navigate to http://manage.windowsazure.com and log in with your Microsoft account.
2. In the Microsoft Azure Portal, on the left, scroll down and click Active Directory. This will take you to the active directory screen in the Microsoft Azure portal.
3. On the right, click on your domain. This will bring up your directory screen.
4. At the top of the window, click on Users, this will bring up the users screen. You should see our two new users.
Verify the password has been synchronized.
Now we will verify that the password has been synchronized. To do this we will log on to http://myapps.microsoft.com with Lola Jacobson’s account. This will show her the applications that she has access to and she will also be able to view attributes associated with her account.
This site uses cloud authentication against your instance of Microsoft Azure AD.
1. Sign out of Windows Azure and close any open browsers. Then re-open Internet Explorer and navigate to http://myapps.microsoft.com.
2. Log in as Lola Jacobson @ your domain. You should see the applications screen similar to the one below.
3. Now, at the top, click profile. You should see the attributes and have the ability to change your password.
Warning: The attributes will actually say N/A since we did not configure any of these.
4. You can now close Internet Explorer.
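The portal checks above can be repeated from PowerShell, and this also lets you test two things the portal does not show directly: that each cloud user carries the sourceAnchor derived from its on-premises objectGUID (the default sourceAnchor choice described in Step 6), and that the Step 7 OU scoping really excluded everything outside AADSYNC_USERS, such as the Domain Admins service account in the Users container. This is an added example, not part of the original guide; it assumes the ActiveDirectory module on DC1, the MSOnline (Azure AD PowerShell v1) module, and that users were created with a verified UPN suffix.

```powershell
# Added example (not from the original guide): verify the Step 8 result from PowerShell.
# Assumes the ActiveDirectory module on DC1 and the MSOnline (Azure AD v1) module, signed
# in as the global administrator created in Step 4. The OU name comes from the guide.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService            # prompts for the tenant global administrator credentials

$RootOU = "OU=AADSYNC_USERS,$((Get-ADDomain).DistinguishedName)"

# sourceAnchor: with the default objectGUID choice, Azure AD stores the GUID's 16 bytes
# Base64-encoded as the user's ImmutableId. Computing it locally proves that the cloud
# object was matched to this exact on-premises object, not merely to a same-named one.
function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# 1. Every user under AADSYNC_USERS should exist in the tenant, be flagged as
#    directory-synced (LastDirSyncTime set) and carry the matching ImmutableId.
$inScope = Get-ADUser -SearchBase $RootOU -Filter * -Properties UserPrincipalName, ObjectGUID
foreach ($u in $inScope) {
    $cloud = Get-MsolUser -UserPrincipalName $u.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $cloud) {
        Write-Warning "$($u.UserPrincipalName): not in Azure AD (sync not run yet, or UPN suffix not verified?)"
        continue
    }
    $expected = Get-ExpectedImmutableId -ObjectGuid $u.ObjectGUID
    $anchorOk = ($cloud.ImmutableId -eq $expected)
    $synced   = ($null -ne $cloud.LastDirSyncTime)
    "{0,-30} synced={1} anchorMatch={2} lastSync={3}" -f $u.UserPrincipalName, $synced, $anchorOk, $cloud.LastDirSyncTime
}

# 2. Scoping check: any directory-synced cloud user whose UPN is NOT under AADSYNC_USERS
#    (for example the AD Connector service account, a Domain Admins member in the Users
#    container) means the partition scope from Step 7 did not take effect.
$inScopeUpns = @($inScope | ForEach-Object { $_.UserPrincipalName })
$outOfScope  = Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and ($_.UserPrincipalName -notin $inScopeUpns) }
if ($outOfScope) {
    Write-Warning "Synchronized users found outside AADSYNC_USERS; check the connector's directory partitions:"
    $outOfScope | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime
} else {
    "OU scoping confirmed: only AADSYNC_USERS accounts are directory-synced"
}
```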
Summary
This ends the Test Lab Guide: Setting up Azure Active Directory and Azure AD Sync. We have