Acknowledgements
Special thanks to the following people for reviewing and providing invaluable feedback for this
document:
Joe Davies, Bill Mathers, Andreas Kjellman
Abstract
This document will assist IT professionals, administrators, architects, and developers in
creating a test lab that uses Microsoft Azure Active Directory and Windows Server AD. The on-
premises Active Directory identities are synchronized by using Azure AD Sync.
Copyright
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place
or event is intended or should be inferred.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Microsoft Azure, Forefront, MSDN, Outlook, SharePoint, SQL Server,
Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of
companies.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Test Lab Guide: Creating a Microsoft Azure AD and Windows Server AD Environment using Azure AD Sync (page 4)
In This Guide (page 4)
Test Lab Overview (page 4)
Test Lab Guide Specific Requirements (page 5)
Steps for Creating a Microsoft Azure AD and Windows Server AD Environment Test Lab (page 6)
Test Lab Guide Specific Information and Instructions (page 6)
Step 1: Set Up the Configuring the Windows Server 2012 R2 Base Configuration Test Lab for Hybrid Identities Synchronization (page 7)
PowerShell your Windows Server 2012 R2 VM to make a DC fast! (page 7)
Step 5: Create Organizational Units and Test Users in Windows Server AD (page 26)
Create Organizational Units (page 26)
Create Test Users (page 27)
Summary (page 44)
Test Lab Guide: Creating a Microsoft Azure
AD and Windows Server AD Environment
using Azure AD Sync
Microsoft Azure AD and Windows Server AD
In This Guide
Whether or not you already have Microsoft Azure and an available domain controller, this guide
contains instructions for setting up a test lab for Azure AD Sync between Microsoft Azure and
Windows Server Active Directory. This Test Lab Guide is partially based on the existing Test
Lab Guide: Creating a Microsoft Azure AD and Windows Server AD Environment. This
guide is also a reference article for SMB Common Identities, an article to help small and
medium sized businesses understand all of the common identity scenarios that enable identity
integration with Microsoft Azure and Windows Server Active Directory. Once a common identity
is established, Microsoft Azure, acting as an identity hub, can facilitate seamless sign-on
with SaaS applications along with various other capabilities such as mobile scenarios and using
Intune.
NOTE: If your small or medium sized business is going to have only Cloud Identities, that is, you will
not maintain servers on-premises and will only use Microsoft Azure Active Directory, then this
Test Lab Guide does not have a use case. This Test Lab Guide is ONLY intended to provide guidance in
simplifying synchronization of an on-premises Active Directory Domain Controller with Microsoft
Azure Active Directory.
Test Lab Guide Specific Requirements
There are no additional hardware requirements. There is one additional software requirement, which is to
use Azure AD Sync. There are also a few specific things that this test lab will require. The
following table summarizes the required items for this test lab guide.
Requirement: A mobile phone that can receive text messages
Comment: Required for Microsoft Azure verification.
Requirement: Windows Server 2012 R2 installation files
Comment: This includes .NET 4.5, which is required by Azure AD Sync. It is installed as a Feature
in the Windows Server 2012 R2 Server Manager.
Steps for Creating a Microsoft Azure AD and
Windows Server AD Environment Test Lab
There are eight steps to follow when setting up the Microsoft Azure AD and Windows
Server AD Environment Test Lab.
Step 1: Set Up the Configuring the Windows Server 2012 Base Configuration Test Lab for
Public Cloud Technologies - The Base Configuration is the core of all Test Lab Guide
scenarios. This test lab guide has been modified so that the base configuration can be used
with cloud technologies.
Step 2: Sign-up for a Microsoft Azure 30-Day Trial – In this step we sign up for our Microsoft
Azure trial.
Step 3: Create a Microsoft Azure AD Tenant – In this step we create our Microsoft Azure
Active Directory tenant.
Step 4: Prepare the Microsoft Azure AD Tenant for Synchronization – In this step we
configure our tenant so that it can synchronize with our on-premises Active Directory.
Step 5: Create Organizational Units and Test Users in Windows Server AD – In this step, we
create the on-premises AD structure that we are going to synchronize with our Microsoft
Azure AD tenant.
Step 6: Download and Install Azure AD Sync – In this step we download, install, and do the
initial configuration of the software that will be used to synchronize our directories.
Step 7: Configure Azure AD Sync to specific Organizational Units – In this step, we
customize Microsoft Azure AD Sync to only synchronize certain users from our on-premises
AD.
Step 8: Run Azure AD Sync and Verify Results – In this step we run the tool and verify the
results.
This test lab can be set up with just one DC1, either on-premises or within Azure Active
Directory. No other machines from the base configuration are required. If you already have
an on-premises Domain Controller, or else Microsoft Azure and a Domain Controller in Azure
Active Directory, then you can skip the relevant sections below. Assuming you have Azure
Active Directory set up in your tenant and also a Domain Controller, then you could skip to
Step 4 to prepare the Azure AD Tenant for synchronization.
Step 1: Set Up the Configuring the Windows
Server 2012 R2 Base Configuration Test Lab
for Hybrid Identities Synchronization
Set up the Base Configuration test lab based on the instructions in Windows Server 2012 R2 Test
Lab Guide. The TechNet article Configuring the Windows Server 2012 Base Configuration Test
Lab for Public Cloud Technologies further describes the overall setup. For the purposes of this
Test Lab Guide, the APP1 server will not be used. But it can be built for other Test Lab Guides on
TechNet. You ONLY need a DC1 built for this scenario.
NOTE: If you already have a Domain Controller set up on-premises, or if you have a base Windows
Server 2012 R2 server in Hyper-V or built in your Azure Portal, then there is no need to
complete this step. This example lab was set up with a Domain Controller running in Hyper-V on a
Windows 8.1 host along with an MSDN subscription to Microsoft Azure. Below are the
PowerShell commands that will elevate your Windows Server to a Domain Controller quicker than
you can click it!
Note: for a testing lab you can use contoso.com or else a domain name you have
registered and own. Either one will be the name to use throughout the document
whenever you see <On-premises Domain Name>.
The command above comes from the Windows Server 2012 R2 Test Lab Guide. That document
will also have you create a test user. Any user accounts necessary to set up Azure AD
Synchronization are fully described in the steps below.
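The following is an added example, not the TLG's own script, of promoting a fresh Windows Server 2012 R2 VM to the first domain controller of a new forest from an elevated PowerShell session. The domain name contoso.com and NetBIOS name CONTOSO are the lab placeholders; substitute your <On-premises Domain Name>. It also installs the .NET Framework 4.5 feature that the Requirements table says Azure AD Sync needs.

```powershell
# Added example (not from the Test Lab Guide): promote DC1 with the AD DS cmdlets.
# Run in an elevated PowerShell session on the VM that will become DC1.
$DomainName  = 'contoso.com'   # replace with your <On-premises Domain Name>
$NetbiosName = 'CONTOSO'       # assumption: NetBIOS name derived from the domain name

# Install the AD DS role together with the management tools (ADUC and the
# ActiveDirectory PowerShell module used later in this lab).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Azure AD Sync requires .NET Framework 4.5, shipped as a Feature on Server 2012 R2.
Install-WindowsFeature -Name NET-Framework-45-Core

# Prompt for the Directory Services Restore Mode password instead of embedding it in a script.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Create the new forest with DNS; the server reboots automatically when promotion completes.
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -ForestMode Win2012R2 `
    -DomainMode Win2012R2 `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# After the reboot: confirm the DC is discoverable and its SRV records are registered in DNS.
Get-ADDomainController -Discover -DomainName $DomainName | Select-Object HostName, Site
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
```

The two checks at the end are what you want to see succeed before moving on: if the SRV lookup fails, later domain joins and the AD DS connector in Azure AD Sync will fail for the same reason.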
Step 2: Sign-up for a Microsoft Azure 30-Day
Trial
The first thing we are going to do after setting up the Base Configuration for Cloud Technologies
is to sign up for a Microsoft Azure 30-Day Free Trial. You will need a Microsoft account, a mobile
phone and a credit card to complete this step.* The free trial accounts have account limits, so
the credit card will not be charged. Unless, of course, you do not heed the warnings and go over
the limits; then you will incur costs. So watch the warnings in the Microsoft Azure Portal.
* NOTE: if you have used the same mobile phone to set up other tenants or trials, the mobile
verification may fail. This is for security. If that does happen, contact the support on that same
page and they will fix this to allow the same mobile number to be reused.
Signing up for Azure involves the following steps.
3. On the free trial page, click Try it now. You will be asked to sign-in with your Microsoft
account.
4. After signing in, you will see the sign-up page. Verify the information in section 1, About
you.
5. In section 2, enter your mobile phone number and click Send Text Message. Wait for
the message to be sent to your phone.
6. Enter the code that was sent to your phone and click Verify Code.
7. Next enter your valid credit card information in section 3 as shown below.
8. Read the Microsoft Azure Agreement, Offer Details, and Privacy Statement then place
two checks in the boxes and click Sign Up. This will take you to a screen that provides a
summary of your subscription. At the top click Portal.
9. This will take you to the Microsoft Azure Portal. You will be presented with the Microsoft
Azure Tour wizard. If you haven’t taken the tour before it is short and worth walking
through. Otherwise you can close it.
Step 3: Create a Microsoft Azure AD Tenant
Now that we have a Microsoft Azure subscription, we are going to create a Microsoft Azure Active
Directory Tenant. This will be the cloud directory that we synchronize our on-premises AD
directory with.
4. At the bottom, click New. This will bring up a pop up menu, where you will select
Directory on the right-most column.
5. Click Custom Create. Then fill out the fields below in the Add directory dialog box. For
the name, use a unique name that you would like to use for your lab. If the name is not
unique, the interface will let you know! The green check mark lets you know when it is
unique.
5. Ensure Create new directory is selected and then enter the Name, Domain Name, and
select a country or region from the drop-down. Click the check mark in the lower right
hand corner.
6. The directory should now be created and will appear at the top of the “active directory”
page in the Azure Portal.
the first thing we had to do was verify the domain. If you choose to take the same approach, then
use the following steps to verify your domain.
NOTE: This is NOT required to do this lab, although in our example we did purchase a domain
name and set it up. If you have purchased, or do purchase, a Domain Name at a Registrar, the detailed steps
are included at Verify a domain at any domain name registrar on MSDN. The example steps used
in the validation of this lab are outlined below. Once your new domain name is verified, then
further below you will set it to be the primary domain name to be used.
5. At the bottom of the “Domains” page, click Add. This will bring up the add domain
wizard.
6. Enter your registered <domain name> in the box and click add.
Important
Do not place a check in the single sign-on box. This TLG does not demonstrate
single sign-on.
7. You should see a notice that the domain was successfully added. Click the right arrow.
This will bring up a Verify the domain screen.
8. Microsoft Azure AD uses a DNS record that you create at your domain name registrar to
confirm that you own the domain. At this point, you need to add the value in the
Destination or Points to Address to a DNS record at your domain name registrar. For
example, if you use godaddy.com you would sign in there and add the DNS record to
your domain. Use the steps outlined here to assist with this.
9. This may take a little while, but once it is verified you will see the status change to Verified.
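Because step 9 can take a while, it helps to know when the registrar change has actually propagated before clicking Verify in the portal. The following added example (not part of the TLG) polls public DNS for the verification record. It assumes you chose the TXT record type in the portal; the domain smbaadsync.com and the record value MS=msXXXXXXXX are placeholders, and querying Google's resolver at 8.8.8.8 is an assumption you can change to any resolver outside the lab.

```powershell
# Added example (not from the Test Lab Guide): wait until the Azure AD domain verification
# TXT record is visible in public DNS, so the portal's Verify click does not fail prematurely.
$Domain        = 'smbaadsync.com'    # your registered <domain name>
$ExpectedValue = 'MS=msXXXXXXXX'     # placeholder: paste the "Destination or Points to Address" value

function Test-AzureAdDomainRecord {
    param([string]$Domain, [string]$ExpectedValue)
    # Ask a public resolver, not DC1's DNS, so a stale cached answer in the lab cannot mislead you.
    $answer = Resolve-DnsName -Name $Domain -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue
    $values = @($answer | Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings })
    if ($values -contains $ExpectedValue) {
        Write-Output "Found '$ExpectedValue' in the TXT records for $Domain; the portal check should now pass."
        return $true
    }
    Write-Output "Record not visible yet. Current TXT values: $($values -join ', ')"
    return $false
}

# Poll once a minute, giving up after 30 minutes (registrar propagation is usually faster).
$deadline = (Get-Date).AddMinutes(30)
do {
    if (Test-AzureAdDomainRecord -Domain $Domain -ExpectedValue $ExpectedValue) { break }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)
```

Seeing the value from an external resolver is the same condition Microsoft Azure AD checks, so once the loop reports success the Verify button in step 9 should succeed on the first try.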
4. At the top, click on Domains, this will bring up the domains screen.
5. At the bottom of the screen, click Change Primary. This will bring up a change primary
screen.
6. Make sure that your domain is selected under the New Primary Domain heading and
click the check mark.
4. At the top, click on Users, this will bring up the users screen. There should be only one
account in here, the Microsoft account you used to sign-up for your Azure subscription.
5. At the bottom, click Add User. This will bring up the add user wizard.
6. Enter a user name for the user and then click the arrow in the lower right.
7. Enter the first name, last name, display name, and select Global Administrator from the
drop-down. Click the right arrow.
8. Click the create button to create the user and get a temporary password.
8. This will create the account and assign it a temporary password. Use the icon next to the
temporary password to copy it to the clipboard.
NOTE: by default this password will only work for a month. For this lab, that is
appropriate, but in a Production environment, the account should be set to “password
does not expire”.
10. This will bring up a pop-up asking whether or not to allow Internet Explorer access to the
clipboard. Click allow access. Click the check mark.
11. Now, in the portal, at the top, click the user account you are logged in as and select sign
out from the drop-down.
12. This will sign you out and you will see a screen that says you have been signed out.
Click Sign In Using Your Organizational Account.
13. Now sign in to the portal with the newly created administrator account using the
password we copied to the clipboard. The Organizational Account consists of your
user name, the @ symbol, and the primary domain name for your tenant. Example:
mzbowe@smbaadsync.com.
14. Once signed in, you will be prompted to change your password. Go ahead and set the
password to one of your choosing. This password will be required again when we set up
the Azure AD Sync tool, so don't forget it! Click Submit.
15. Microsoft Azure will now attempt to log you on. You will see a screen that says you do
not have a Microsoft Azure subscription associated with this account. This is correct as
our subscription is associated with our Microsoft account. At this point, just close Internet
Explorer because the password has been changed.
Activate Microsoft Azure AD Tenant for
Synchronization
Finally, we need to flip the switch that allows us to synchronize with this directory in Microsoft
Azure. Use the following procedure to activate this Microsoft Azure AD tenant.
Step 5: Create Organizational Units and Test
Users in Windows Server AD
Now that we have Microsoft Azure AD set up, we need to create the Organizational Unit structure
in our on-premises AD environment and populate the OUs with a couple of users. This step
consists of the following:
Create Organizational Units
Create Test Users
1. On DC1 (Or whatever DC you are using), open Active Directory Users and Computers
2. Right-click on <On-premises Domain Name> (or the name of your forest) and select New
and then select Organizational Unit.
3. In the name box, enter AADSYNC_USERS and click Ok.
4. Right-click on AADSYNC_USERS and select New and then select Organizational Unit.
5. In the name box, enter Engineering and click Ok.
6. Right-click on AADSYNC_USERS and select New and then select Organizational Unit.
7. In the name box, enter Sales and click Ok.
8. The OU structure should now look like this:
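The same OU tree can be built from PowerShell on DC1, which is handy when you rebuild the lab. The following is an added example, not part of the Test Lab Guide; it uses the ActiveDirectory module installed with the AD DS management tools. The two test users, their logon names and the UPN suffix smbaadsync.com are constructed values (the guide later signs in as Lola Jacobson, but her attributes are not given), so adjust them to your own lab.

```powershell
# Added example (not from the Test Lab Guide): create AADSYNC_USERS with the Engineering and
# Sales child OUs from Step 5, then populate them with constructed test users.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=contoso,DC=com
$rootOu   = "OU=AADSYNC_USERS,$domainDn"

function New-LabOu {
    param([string]$Name, [string]$Path)
    # Idempotent: re-running the script must not fail on an OU that already exists.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if ($existing) { return $existing }
    # Accidental-deletion protection matches the ADUC default, so a stray delete cannot remove the tree.
    New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true -PassThru
}

New-LabOu -Name 'AADSYNC_USERS' -Path $domainDn | Out-Null
New-LabOu -Name 'Engineering'   -Path $rootOu   | Out-Null
New-LabOu -Name 'Sales'         -Path $rootOu   | Out-Null

# Constructed test users. The UPN suffix must be the domain you verified in Azure AD, because
# userPrincipalName becomes the login ID in the cloud (see the note in the User Matching step).
$upnSuffix = 'smbaadsync.com'
$testUsers = @(
    @{ Given = 'Lola'; Surname = 'Jacobson'; Account = 'ljacobson'; Ou = "OU=Engineering,$rootOu" },
    @{ Given = 'Alex'; Surname = 'Porter';   Account = 'aporter';   Ou = "OU=Sales,$rootOu" }
)
foreach ($u in $testUsers) {
    $displayName = "$($u.Given) $($u.Surname)"
    $params = @{
        Name              = $displayName
        GivenName         = $u.Given
        Surname           = $u.Surname
        DisplayName       = $displayName
        SamAccountName    = $u.Account
        UserPrincipalName = "$($u.Account)@$upnSuffix"
        Path              = $u.Ou
        AccountPassword   = (Read-Host -Prompt "Password for $displayName" -AsSecureString)
        Enabled           = $true
    }
    New-ADUser @params
}

# Verify: everything listed here is exactly what the Step 7 container scope will pick up.
Get-ADObject -SearchBase $rootOu -Filter * | Select-Object Name, ObjectClass, DistinguishedName
```

The final query is worth keeping: in Step 7 the sync scope is set to the AADSYNC_USERS container and its children, so this listing is the complete set of objects that will reach the Azure AD tenant.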
Step 6: Download and Install Azure AD Sync
Now that we have prepared Microsoft Azure AD and created our test OU structure and populated
it with users, we can download and install the Azure AD Sync tool. This section covers the following:
System Requirements
You need an account with local administrator privileges on your computer to install AADSync.
Additionally, an Azure Account needs to be created in your AAD Tenant that has the Global
Administrator Role selected.
AADSync requires a SQL Server database to store identity data. By default a SQL Server
Express LocalDB (a light version of SQL Server Express) is installed, and the service account for
the service is created on the local machine.
These are both the minimum and the supported Operating Systems: Windows Server 2008,
Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
SQL Server Express has a 10 GB size limit that enables you to manage approximately 100,000
objects. If you need to manage a higher volume of directory objects, you need to point the
installation process to a different version of SQL Server.
2. Enter the following and then click Next.
First Name: AD Connector
Last Name: Account
Full Name: AD Connector Account
User logon name: adconn
3. Enter a password for the user, remove the check from User must change password at
next logon and place a check in Password never expires.
4. Click Finish.
5. In the users OU, right-click on the new AD Connector Account and select properties.
6. In the properties, at the top, click Member Of and click Add.
7. In the Select Groups box, enter domain admins and click Check Names. This will
resolve with an underline. Click Ok.
8. Click Apply. Click Ok. Close Active Directory Users and Computers.
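The adconn account from steps 2 to 8 can also be created with the ActiveDirectory module. The following is an added example, not the Test Lab Guide's own script; it reproduces the same settings (password never expires, no forced change at next logon, member of Domain Admins as this lab specifies) and ends with a query so you can confirm exactly what the account holds. The users OU referred to above is assumed to be the default Users container.

```powershell
# Added example (not from the Test Lab Guide): create the AD Connector service account (adconn)
# with the same properties the ADUC steps set, and confirm them afterwards.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$usersCn  = "CN=Users,$($domain.DistinguishedName)"   # assumption: the default Users container
$password = Read-Host -Prompt 'Password for adconn' -AsSecureString

$params = @{
    Name                  = 'AD Connector Account'     # Full Name
    GivenName             = 'AD Connector'             # First Name
    Surname               = 'Account'                  # Last Name
    SamAccountName        = 'adconn'                   # User logon name
    UserPrincipalName     = "adconn@$($domain.DNSRoot)"
    Path                  = $usersCn
    AccountPassword       = $password
    ChangePasswordAtLogon = $false                     # "User must change password at next logon" cleared
    PasswordNeverExpires  = $true                      # "Password never expires" checked
    Enabled               = $true
}
New-ADUser @params

# Step 7: add the account to Domain Admins, as this lab specifies.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'adconn'

# Check the result: flags and group membership should match what the wizard expects in Step 6.
Get-ADUser -Identity 'adconn' -Properties PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, MemberOf
```

Reading the membership back is the useful part: this is the credential the Azure AD Sync wizard stores for the AD DS connector, so you want a record of precisely which rights it was granted when the lab was built.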
1. You can download the Azure AD Sync tool from Microsoft Azure AD Sync tool – 64 bit.
2. Once the download is complete, navigate to the file that was downloaded and double-
click on Azure AD Sync.exe. You may get a security warning asking if you want to run
this file. Click Run.
3. On the Welcome screen, click Next.
4. On the License Terms screen, review the terms, click the I agree to the license terms
check box, and then click Install in the lower right of the window.
5. It will now start installing the components. This may take a few minutes.
6. In the Connect to Azure AD window, enter the Username and Password for your
Global Administrator account, and then click Next.
7. If the step above fails, exit the dialog box. Click the start menu and type
DirectorySyncTool. You will see the requirement as noted below
8. Now log off of DC1 and log back on. The reason for this is that the account you installed
the Azure AD Sync tool with was added to newly created security groups and we want to
refresh your security token.
Warning
This step is only required when installing the Azure AD Sync tool on a domain
controller. If it is installed on a member server, you do not have to log off and
then back on prior to running the configuration wizard.
Configure Microsoft Azure Active Directory Sync
Now, log back on to DC1 and we will begin with the initial configuration of the Azure AD Sync
tool. This will be a simple configuration and the next step will walk us through the advanced
configuration of scoping our OUs. Use the following procedure to run the Azure AD Sync
Configuration Wizard.
3. On the Azure AD Credentials screen, enter the username and password of the global
administrator account you created for your tenant. Click Next.
4. On the AD DS Credential window, enter your Active Directory Forest, Username and
Password for the adconn Service Account created above. Click Add Forest and then
click Next. For this lab, the Domain admin as shown below can be used, but as a Best
Practice, a dedicated service account should be specified for this with domain admin
rights.
5. On the User Matching window below, most SMB organizations will just click Next. If
other options need to be considered, see the article Matching across forests for more
information on the options shown below.
The sourceAnchor attribute is an attribute that does not change during the lifetime of a user object. In
single-forest environments where the account is never moved between forests, objectGUID is a
good candidate. If the user is moved between forests or domains, then an alternative attribute must be
selected.
The userPrincipalName attribute is the user's login ID in Azure AD. By default the userPrincipalName
attribute in AD DS is used. If this attribute is not routable or not suitable as the login ID, a different attribute,
such as mail, can be selected during the install.
8. On the Optional Features window, leave the defaults and click Next. Note the little blue
information icons, which will also take you to the specific page to learn more.
9. This will begin the Configuration. Once the configuration is complete, click Next.
10. On the Finished screen, clear the Synchronize now check box and click
Finish.
1. Look for the shortcut on the desktop for “Synchronization Service”.
Shortcut Tip: click the Start menu and type miisclient, then select it.
2. In the Synchronization Service Manager tool, first click the Connectors button beneath
the menu, and then double-click on the “Active Directory Domain Servers” Connector to
bring up the Active Directory Connector properties again.
3. On the left, click Configure Directory Partitions. This will bring up the Configure
Directory Partitions section.
4. Click the Containers button. You will be prompted for the Password for the User Name
account. Any account can be used below as it is just reading the directory.
Administrator or adconn can be used for this lab.
5. Now the containers screen will come up. The easiest way to configure this is to deselect
the check box from the root of the tree. In this example below, DC=contoso,DC=com.
This will remove all of the checks. Now place a check mark in just the
AADSYNC_USERS container. This will check that container and all child containers. In
our case, this includes the Engineering and Sales containers.
6. Click OK. Click OK again. The Active Directory Connector properties should have closed
and we have successfully set the scope. In the next section we will run syncs and verify
our results.
7. Since we deselected Synchronize now at the end of the Azure AD Sync tool, it created
a "disabled" task in Task Scheduler. You will need to enable this for synchronization to
occur. From the Start menu, start typing Task Scheduler until it appears in the menu
and then select it.
8. Click on Task Scheduler Library in the left window, and then right-click on Azure AD
Sync Scheduler in the middle pane and select Enable.
9. From the Actions pane on the right, select Run to force a synchronization so that the
results will appear below. After that, the synchronization will repeat every 3 hours.
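Steps 7 to 9 can be done from PowerShell on DC1 as well, which is useful when you want to script a sync run and know when it has finished. The following is an added example, not the Test Lab Guide's own script; the task name "Azure AD Sync Scheduler" is the one the guide shows in Task Scheduler, and the 15-minute wait is an assumption sized for this two-OU lab.

```powershell
# Added example (not from the Test Lab Guide): enable the scheduled task the installer left
# disabled, force one run, wait for it to finish, and report when the next run is due.
$taskName = 'Azure AD Sync Scheduler'

function Invoke-LabSyncTask {
    param([string]$TaskName)
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    if ($task.State -eq 'Disabled') {
        # Step 8: the task is created disabled because Synchronize now was cleared in the wizard.
        Enable-ScheduledTask -TaskName $TaskName | Out-Null
    }
    # Step 9: force a synchronization instead of waiting for the 3-hour schedule.
    Start-ScheduledTask -TaskName $TaskName

    # Poll until the task leaves the Running state (assumed 15-minute ceiling for this small lab).
    $deadline = (Get-Date).AddMinutes(15)
    do {
        Start-Sleep -Seconds 10
        $state = (Get-ScheduledTask -TaskName $TaskName).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

    # LastTaskResult 0 only means Task Scheduler launched the job; the import/export outcome is
    # read in Synchronization Service Manager (miisclient), as the guide does.
    Get-ScheduledTaskInfo -TaskName $TaskName |
        Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}

Invoke-LabSyncTask -TaskName $taskName
```

NextRunTime in the output should be about three hours after LastRunTime, which confirms the schedule the guide describes is now active.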
Verify the password has been synchronized.
Now we will verify that the password has been synchronized. To do this we will log on to
http://myapps.microsoft.com with Lola Jacobson’s account. This will show her the applications
that she has access to and she will also be able to view attributes associated with her account.
This site uses cloud authentication against your instance of Microsoft Azure AD.
2. Log in as Lola Jacobson @ your domain. You should see the applications screen similar
to the one below.
3. Now, at the top, click profile. You should see the attributes and have the ability to
change your password.
Warning
The attributes actually will say N/A since we did not configure any of these.
4. You can now close Internet Explorer.
Summary
This ends the Test Lab Guide: Setting up Azure Active Directory and Azure AD Sync. We have
successfully synchronized our on-premises Active Directory with Microsoft Azure AD using Azure
Active Directory Sync. This test lab guide will be used as the basis for additional test lab guides
in the future that take advantage of using a Hybrid environment.