Tag Archives: active directory

Upgrading to Azure AD Connect from AADSS

Microsoft recently released Azure AD Connect to GA (general availability). It is a much simplified installation and a replacement for DirSync and Azure Active Directory Sync Services. Under the hood it is the same as Azure Active Directory Sync Services; only the installation experience is improved. For an introduction to Azure AD Connect and why you might want to use it, give this place a visit.

I thought that, since I’ve already done a series on Azure Active Directory Sync Services, I’d simply show the process of upgrading from Azure Active Directory Sync Services to Azure AD Connect. It is pretty idiot-proof, so let’s get to it.

First, download Azure AD Connect. Once you’ve downloaded it, copy it to the server that is currently running DirSync or Azure Active Directory Sync Services and double-click it.

Addendum: Getting started with Azure Active Directory Sync – UPN Suffix

In this post we’ll briefly explore using UPN (UserPrincipalName) suffix matching when configuring Azure Active Directory Sync Services. This particular configuration may seem like the silver bullet for getting our users synchronised into Azure AD correctly, but it could also give you more problems if you don’t consider the rest of your infrastructure and how it may rely on that UPN suffix. I’d ask that you read this entry through before actually making any changes to your on-premises AD infrastructure.

Getting started with Azure Active Directory Sync Part 3

Part 3: Getting started with Azure Active Directory Sync – Mopping up

So, after completing the last mammoth post, we now have synchronisation working (for the most part), but we do have one user, called Outside Azure, that has picked up the default Azure AD domain suffix. That isn’t what we want, so we’ll explore a couple of ways of remedying it.

During the setup process we also created a couple of user accounts, one in each of our on-premises AD and Azure AD; both are the accounts used by the synchronisation process. Now, best practice suggests we should change their passwords every 30 days, but the reality is that we live in the real world. I’d like to think we all enjoy the luxury of waiting for our passwords to expire so we can reset them and keep our systems safe from information disclosure, but most of us will likely want to know how to prevent these passwords from expiring. This isn’t recommended per se, but I’m going to tell you how to do it nonetheless.

Getting started with Azure Active Directory Sync Part 2

Part 2: Getting started with Azure Active Directory Sync – Actually doing it

In order to do this part, I have to make certain assumptions about your environment. If this isn’t exactly true for you, sorry, but hopefully you can adapt the information here to suit.

The PRIMARY assumption here is that you want your users to log on to Azure AD using their externally routable primary email address. This will be the same as the mail attribute of their on-premises AD user object. My on-premises AD users log in using a format like this: lroberts@transishun.local, but their primary email address is lewis.roberts@transishun.co.uk. I want them to log in to Azure AD using their external email address. The screenshots below might explain this better.

So, what if you don’t want to sync with the users’ primary email address and you’re happy to use the users’ normal username with the external domain? Well, the other option is to add a UPN suffix to your forest for the external domain, but then users would need to log on to Azure AD using username@[thenewUPN] instead of their, presumably more memorable, email address. You can add a new UPN suffix in Active Directory Domains and Trusts – Google it. ;-) If I were adding a new UPN suffix in the following examples, instead of using the mail attribute for Azure AD usernames I would add the transishun.co.uk UPN suffix in my on-premises AD and configure the Azure AD Sync Services program to use the UserPrincipalName attribute instead of mail. If this doesn’t make sense now, do the following steps in a test environment first, then read my series addendum post.
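As an added example (not the author’s code), the following PowerShell checks the assumption in this paragraph before any sync configuration is touched: it lists the users who would end up with the default tenant suffix under either source attribute, mail or UserPrincipalName. It assumes the ActiveDirectory module on a domain-joined host and uses the post’s own transishun.co.uk domain.

```powershell
# Added example, not from the original post: find on-premises users whose Azure AD
# sign-in name would NOT become <user>@transishun.co.uk after synchronisation,
# whichever source attribute (mail or UserPrincipalName) the sync is set to use.
# Assumes the ActiveDirectory module on a domain-joined host; the domain name is
# the post's own example.
Import-Module ActiveDirectory

$externalDomain = 'transishun.co.uk'

# The routable domain must already exist as a UPN suffix in the forest before the
# sync can be switched from mail to UserPrincipalName.
$forest   = Get-ADForest
$suffixes = @($forest.Domains) + @($forest.UPNSuffixes)
if ($suffixes -notcontains $externalDomain) {
    Write-Warning "'$externalDomain' is not a UPN suffix in this forest; add it in Active Directory Domains and Trusts before switching the sync to UserPrincipalName."
}

$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    ForEach-Object {
        $upnSuffix  = ($_.UserPrincipalName -split '@')[-1]
        $mailSuffix = if ($_.mail) { ($_.mail -split '@')[-1] } else { '' }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            UPN            = $_.UserPrincipalName
            Mail           = $_.mail
            # Sync on mail: no mail attribute, or a mail domain that is not verified
            # in the tenant, leaves the user with the default <tenant>.onmicrosoft.com suffix.
            OkViaMail      = ($mailSuffix -eq $externalDomain)
            # Sync on UPN: a non-routable suffix such as .local has the same effect.
            OkViaUpn       = ($upnSuffix -eq $externalDomain)
        }
    }

# Users that would pick up the default suffix under at least one configuration.
$report | Where-Object { -not ($_.OkViaMail -and $_.OkViaUpn) } | Format-Table -AutoSize
```

Run it before and after adding the UPN suffix; the OkViaUpn column only becomes true once each user’s UserPrincipalName has actually been changed to the new suffix, not merely because the suffix exists in the forest.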

Getting started with Azure Active Directory Sync Part 1

Part 1: Getting started with Azure Active Directory Sync – Tools

I’ve recently been involved in setting up an Azure Active Directory service and syncing it with an on-premises AD. The process is made to seem straightforward in Microsoft’s documentation, but the management tools you need to download and install before you can successfully manage it are not well documented and, in some cases, buggy too!

In order to administer your Microsoft Azure Active Directory, you’ll need to obtain these downloads.

Active Directory Recycle Bin

Windows Server 2008 R2 delivered a new feature called the Active Directory Recycle Bin, which offers the ability to restore items deleted from the Active Directory database by restoring them from the Recycle Bin with the simplicity of… well, it’s not really that simple.

The premise is simple enough. You’ve deleted an item that you want to restore, so instead of breaking out the backups, taking down a Domain Controller, booting into DSRM and re-acquainting yourself with NTDSUTIL, you enable the Recycle Bin to save you all that hassle.

But wait a minute! Before enabling the Active Directory Recycle Bin (ADRB) there are a couple of caveats you should be aware of. Now, Microsoft will tell you what you need in order to enable ADRB, such as:

  • Forest Functional Level: Windows Server 2008 R2.
  • All Domain Controllers running Windows Server 2008 R2.

…but the limits that enabling the Active Directory Recycle Bin places on restore operations are significant enough that your Backup Operators and Data Security personnel need to be consulted before you make a unilateral decision to enable it.

  1. Enabling ADRB transitions all currently tombstoned (deleted) objects to the new recycled object state. This effectively means that current tombstoned objects (objects deleted in the last 180 days) should never be restored, either through object reanimation or via an authoritative restore.
  2. Similarly, once an object reaches the recycled object state (after 180 days as a logically deleted object) it cannot be restored or recovered from backup. Microsoft recommends that you do not use authoritative restores at all after enabling ADRB and that you only use ADRB to restore objects during their deleted object lifetime (DOL). This article: http://technet.microsoft.com/en-us/library/dd379542(WS.10).aspx details the recommendation, which effectively means that restores must be done within the deleted object lifetime or you should consider the object completely unrecoverable. The deleted object lifetime can be adjusted, at the expense of increased AD database size and replication traffic, but the default is 180 days.
  3. ADRB cannot restore changed objects; this must be done using an authoritative restore while the object is still live. Hopefully the proper use of change processes in your organisation will minimise the chance of this occurring and permit a change to simply be undone, but we all know what happens in the real world.
  4. Enabling ADRB increases the size of your Active Directory database (and consequently the replication bandwidth requirements) to accommodate the new object states before deleted objects are completely removed from the database. The increase depends on the number and type of objects created and deleted, but since there is a new object state, the time objects remain in the database is effectively doubled.

Only once each of these points has been thoroughly considered should you look at enabling the Active Directory Recycle Bin.

I know this subject is fairly old hat given that Windows Server 2012 is now available, but I’m still astonished by the number of Active Directories I come across that aren’t making use of the Active Directory Recycle Bin. Given the pro tip below (can I call myself a pro?), enabling it in Windows Server 2012 is pretty much a no-brainer with the easy-peasy GUI on offer; just be mindful of the implications.

Pro tip: Although the procedure for using the Recycle Bin is currently based on PowerShell, Windows Server 2012 provides a graphical user interface that makes the Recycle Bin feature much simpler to use.
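As an added example (not the author’s code), here is a PowerShell pre-flight check covering the prerequisites and the caveats listed above: functional level, DC versions, whether the feature is already enabled, the deleted object lifetime in force, and which deleted objects are still inside it. It assumes the ActiveDirectory module on a domain-joined host, run as an account that can read the configuration partition.

```powershell
# Added example, not from the original post: pre-flight checks before enabling
# the Active Directory Recycle Bin. Assumes the ActiveDirectory PowerShell
# module on a domain-joined host and read access to the configuration partition.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# Prerequisite 1: forest functional level of Windows Server 2008 R2 or later.
Write-Output "Forest functional level: $($forest.ForestMode)"

# Prerequisite 2: every DC in every domain on Windows Server 2008 R2 (NT 6.1) or later.
foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object {
        if (-not $_.OperatingSystemVersion) { return }
        $ver = [version](($_.OperatingSystemVersion -split ' ')[0])
        if ($ver -lt [version]'6.1') {
            Write-Warning "$($_.HostName) runs $($_.OperatingSystem); ADRB cannot be enabled."
        }
    }
}

# Is the feature already on, and in which scope?
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
Write-Output "Recycle Bin enabled scopes: $($feature.EnabledScopes -join ', ')"

# Deleted object lifetime (DOL) and tombstone lifetime. DOL falls back to the
# tombstone lifetime when unset; with both unset the legacy 60-day default applies.
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds   = Get-ADObject -Identity $dsDn -Properties msDS-DeletedObjectLifetime, tombstoneLifetime
$dol  = $ds.'msDS-DeletedObjectLifetime'
if (-not $dol) { $dol = $ds.tombstoneLifetime }
if (-not $dol) { $dol = 60 }
Write-Output "Deleted object lifetime: $dol days (objects deleted longer ago are unrecoverable)"

# Objects that are deleted but still inside the DOL. Per the first caveat above,
# enabling ADRB turns these tombstones into recycled objects that can no longer be
# reanimated, so restore anything you still need BEFORE enabling the feature.
$cutoff  = (Get-Date).AddDays(-$dol)
$pending = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Where-Object { $_.whenChanged -gt $cutoff }
$pending | Select-Object Name, ObjectClass, whenChanged, lastKnownParent | Format-Table -AutoSize

# Once ADRB is enabled, a restore within the DOL is a single cmdlet, for example:
# Restore-ADObject -Identity $pending[0].ObjectGUID
```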

Admission: I actually wrote this article nearly 12 months ago but never finished or published it; since then Windows Server 2012 has been released, so I’ve made mention of that in the article.