In order to test some of the scenarios with authentication on-premises and in the cloud, I need to be able to synchronize accounts, devices, and groups. I do not have an overly complex implementation, but I need the right tool for the job.
Microsoft has two tools that can accomplish this task: Azure AD Connect and Azure AD Connect Cloud Sync. Both have their pros and cons, but for my needs, only Azure AD Connect can do the job.
Microsoft Learn has an excellent article, What is Azure AD Connect cloud sync? Although cloud sync is appealing for its simplicity and my love of all things highly available, regular old Azure AD Connect it is. Why? Cloud sync lacks support for devices, pass-through authentication, and various writeback features I hope to tinker with later. Check out the comparison chart in that article and really read through it.
My 4th server is ADSYNC01. Although installing Azure AD Connect on a domain controller is possible, I prefer to just let domain controllers be domain controllers. I don’t want added software on the DC. Azure AD Connect will install SQL Server Express as well as make other changes that are not appealing to me. Would it be ok for a lab…yeah. Go look at Home Lab 3: Windows Server 2022, since I used that to quickly deploy this little server.

Azure AD Connect can be downloaded from Microsoft. In this case, I am going to install it on ADSYNC01 next. You will get a warning about elevating privileges, and do you want this app to make changes on your device? Yes.
Check that you agree to terms and privacy and click Continue.

I really want Express Settings, but I am getting a warning about my choice not to use a routable domain name.

Entering my Azure AD global admin credentials to connect the cloud side of the Metaverse database.

Entering the enterprise admin credentials for the domain side of the Metaverse database.

Oops. That’s no good. I have wirelesshobo.test as my on-premises domain. In M365, I have my onmicrosoft.com tenant and my routable domain, scottstancil.com. Pause here; we will come back to this in a couple of steps.

Let’s add scottstancil.com to the list of valid UPN suffixes in Active Directory Domains and Trusts. Right click on Active Directory Domains and Trusts and select Properties. Add scottstancil.com and select OK.

Jane Doe has a new option for UPN if you review the account in Active Directory Users and Computers (ADUC).

Clicking Previous, then Next, back on the Azure Active Directory Connect screen shown below effectively refreshes the sign-in configuration. Notice that scottstancil.com is now verified. Is that good enough? Will we have significant issues later? Maybe. Check Continue without matching all UPN suffixes to verified domains and click Next.

Ok, stop.
UNCHECK Start the synchronization process when configuration completes.
I chose the Express installation, but I want to make some changes at this point.
Click Install if we unchecked the start option. Sit back and watch the blue bar move from the left to the right repeatedly. It is soothing and reassuring.

Post install, this is what I am left with…I didn’t turn on the AD Recycle Bin? I’ll come back to that in another post. Also, sync is not running yet. Click Exit.

Let’s do some post install management of what we want synced. Double click on the Azure AD Connect shortcut on the desktop. Click Configure.

For now, I want to look through the synchronization options. Select Customize synchronization options and click Next.

Enter Azure AD global admin or hybrid identity administrator creds, Next.

Follow the defaults here for AD and the Wirelesshobo.Test Forest. Next.

For this implementation, I want to only synchronize my custom Wirelesshobo Computers, Groups, and Users. Select Sync selected domains and OUs and then select just the OU information.
Something to think about. If I don’t synchronize across groups, what happens to group members? For example, Jane Doe is part of Domain Users, but I am not synchronizing the Organizational Unit containing the Domain Users group. Does the user’s object still show membership in the group?

I want to prep for bidirectional password management, so selecting Password hash synchronization and Password writeback.

Leave Start the synchronization process when configuration completes unchecked. Click Configure.

Configuration completes with an expected warning. Exit.

When I set Azure AD Sync up, I like to check the first synchronization process manually. At this point we are going to follow six basic steps, checking what is synchronized during this process.
- Full Import of selected AD OU objects into the sync server’s Metaverse database.
- Full Import of related Azure AD data.
- Full Synchronization of AD OU objects with Azure AD changes.
- Full Synchronization of Azure AD objects with AD OU changes.
- Export to Active Directory new data, if any.
- Export to Azure AD new data/updates, if any.
Select Connectors in the sub-menu and right click on the Active Directory connector. Click on Run.

Select Full Import and OK.

After a few seconds, you can review the Synchronization statistics in the lower left to determine if there was anything you don’t like. Fix what is synchronizing undesirably and run this step again. If nothing raises any red flags, close the dialog and let’s move on.

Repeat the Full Import for the Windows Azure Active Directory connector.

Well, we don’t have anything initially synchronized, so it isn’t surprising that this has zero entries synchronized.

Full Synchronization on Active Directory Domain Services. Review the changes in the sync server’s database by looking at the Synchronization Statistics in the lower left.

Full Synchronization and review for Windows Azure Active Directory.

A quick check of one connector’s run shows no Flow Updates. That means there is no difference between what was synchronized and what is already in the Metaverse database on the sync server.

If there were no significant issues/red flags on the Import and Synchronization steps, it is time to Export for Active Directory.

Again, nothing was imported or synchronized from Azure AD that should be written to Active Directory at this point.

The export to Azure AD contains 3 accounts from the selected OUs in Active Directory.

At this point, I don’t want to go through the GUI configuration again just to enable automatic synchronization. Looking at the output of Get-ADSyncScheduler, we see that the next automatic sync will be an Initial (full) sync, similar to the manual one we just ran. Also, SyncCycleEnabled is set to False, so switch it to True.
Start-ADSyncSyncCycle kicks off the synchronization process, performing a full sync at this point.
PS C:\Users\administrator.WIRELESSHOBO> Get-ADSyncScheduler
AllowedSyncCycleInterval : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval :
NextSyncCyclePolicyType : Initial
NextSyncCycleStartTimeInUTC : 5/17/2023 10:52:10 PM
PurgeRunHistoryInterval : 7.00:00:00
SyncCycleEnabled : False
MaintenanceEnabled : True
StagingModeEnabled : False
SchedulerSuspended : False
SyncCycleInProgress : False
PS C:\Users\administrator.WIRELESSHOBO> Set-ADSyncScheduler -SyncCycleEnabled $True
PS C:\Users\administrator.WIRELESSHOBO> Get-ADSyncScheduler
AllowedSyncCycleInterval : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval :
NextSyncCyclePolicyType : Initial
NextSyncCycleStartTimeInUTC : 5/17/2023 10:52:10 PM
PurgeRunHistoryInterval : 7.00:00:00
SyncCycleEnabled : True
MaintenanceEnabled : True
StagingModeEnabled : False
SchedulerSuspended : False
SyncCycleInProgress : False
PS C:\Users\administrator.WIRELESSHOBO> Start-ADSyncSyncCycle
Result
------
Success
Notice the NextSyncCyclePolicyType is now set to Delta. When Start-ADSyncSyncCycle is run subsequently, it will be a Delta sync. Same sync process, but only the updates to either side occur going forward.
PS C:\Users\administrator.WIRELESSHOBO> Get-ADSyncScheduler
AllowedSyncCycleInterval : 00:30:00
CurrentlyEffectiveSyncCycleInterval : 00:30:00
CustomizedSyncCycleInterval :
NextSyncCyclePolicyType : Delta
NextSyncCycleStartTimeInUTC : 5/17/2023 11:48:48 PM
PurgeRunHistoryInterval : 7.00:00:00
SyncCycleEnabled : True
MaintenanceEnabled : True
StagingModeEnabled : False
SchedulerSuspended : False
SyncCycleInProgress : True
PS C:\Users\administrator.WIRELESSHOBO> Start-ADSyncSyncCycle
Result
------
Success
If you load up the Synchronization Service Manager going forward, every 30 minutes a delta sync will occur. You can monitor and review what happened from this interface.
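The same scheduler steps as a single script, added here as an example (not from the original post): it refuses to run on a staging-mode server, enables the scheduler if needed, starts whichever cycle type the scheduler says is next (Initial on first run, Delta afterwards), and polls SyncCycleInProgress until the cycle finishes. The timeout value is an assumption; run it in an elevated PowerShell on the Azure AD Connect server.

```powershell
# Added example: wraps the Get/Set-ADSyncScheduler and Start-ADSyncSyncCycle
# steps shown above into one function. Assumes the ADSync module on ADSYNC01.
Import-Module ADSync

function Invoke-FirstSyncCycle {
    param([int]$TimeoutMinutes = 30)   # assumed; a large lab sync may need more

    $sched = Get-ADSyncScheduler
    if ($sched.StagingModeEnabled) {
        throw 'Server is in staging mode: it imports and syncs but never exports.'
    }
    if ($sched.SyncCycleInProgress) {
        throw 'A sync cycle is already running; wait for it to finish.'
    }
    if (-not $sched.SyncCycleEnabled) {
        # Same as "Set-ADSyncScheduler -SyncCycleEnabled $True" in the post
        Set-ADSyncScheduler -SyncCycleEnabled $true
    }

    # First cycle after install/reconfiguration is Initial (full); later ones are Delta.
    $policy = $sched.NextSyncCyclePolicyType
    $result = Start-ADSyncSyncCycle -PolicyType $policy
    if ($result.Result -ne 'Success') {
        throw "Start-ADSyncSyncCycle ($policy) returned: $($result.Result)"
    }

    # Poll the scheduler rather than guessing when the cycle is done.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)

    if ($inProgress) {
        throw "Sync cycle ($policy) still running after $TimeoutMinutes minutes."
    }
    # After the Initial cycle this should report Delta as the next policy type.
    Get-ADSyncScheduler |
        Select-Object NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleEnabled
}

Invoke-FirstSyncCycle
```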

From this point, let’s see what users are synchronized. Oh no…I shouldn’t synchronize accounts with that level of privilege. I will move those accounts outside of the OU I am synchronizing.
If you create a new OU, it is likely the new OU will be included in synchronization. Run the Azure AD Connect configuration and double check that the OU is excluded.
Another issue I see on the Jane Doe account is that it is synchronized with the tenant’s domain name. While that will work, I want Jane to use the @scottstancil.com UPN login I added for synchronization purposes. If an account is synchronized from on-premises with a UPN suffix that isn’t a verified domain in Azure AD, the account gets the tenant’s onmicrosoft.com domain.
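Both problems above (privileged accounts sitting inside the synced OU, and UPN suffixes that are not verified in the tenant) are cheap to catch before the first sync cycle. This audit script is an added example, not part of the original post; the OU distinguished name, the verified-domain list, and the privileged-group list are assumptions for this lab.

```powershell
# Added example: audit the OU scoped in Azure AD Connect before enabling sync.
# Requires the RSAT ActiveDirectory module on a domain-joined machine.
Import-Module ActiveDirectory

$SyncOU           = 'OU=Wirelesshobo,DC=wirelesshobo,DC=test'   # assumed DN
$VerifiedDomains  = @('scottstancil.com', 'wirelesshobo42.onmicrosoft.com')  # assumed
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Resolve privileged group membership once, recursively, keyed by SID.
$privilegedSids = @{}
foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $privilegedSids[$_.SID.Value] = $g }
    } catch {
        Write-Warning "Could not enumerate $g : $_"
    }
}

$users = Get-ADUser -SearchBase $SyncOU -Filter * -Properties adminCount, userPrincipalName
$findings = foreach ($u in $users) {
    # 1. Privileged accounts in scope: move them out of the synced OU instead.
    #    adminCount=1 also flags accounts that were privileged in the past.
    if ($privilegedSids.ContainsKey($u.SID.Value) -or $u.adminCount -eq 1) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'Privileged'
                           Detail = $privilegedSids[$u.SID.Value] }
    }
    # 2. UPN suffix not verified in the tenant: the account would be created
    #    under the tenant's onmicrosoft.com name instead of the intended domain.
    $suffix = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[-1] } else { '' }
    if ($VerifiedDomains -notcontains $suffix) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'UnverifiedUPN'
                           Detail = $u.UserPrincipalName }
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit lets this gate a scripted Start-ADSyncSyncCycle.
if ($findings) { exit 1 }
```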

Corrected the account’s User logon name (User Principal Name).

After I moved those accounts out of the synchronization OU, I still have a cleanup step. Out of scope for this article, but you need the MSOnline module or the newer AzureAD modules installed. The next sync will simply move whdomadmin and whentadmin to the recycle bin, where they could be recovered. I want them GONE.
PS C:\Users\sstan> Remove-MsolUser -UserPrincipalName whdomadmin@wirelesshobo42.onmicrosoft.com -RemoveFromRecycleBin
Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
PS C:\Users\sstan> Remove-MsolUser -UserPrincipalName whentadmin@wirelesshobo42.onmicrosoft.com -RemoveFromRecycleBin
Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
My two on-premises admin accounts are gone, and Jane Doe’s UPN is corrected.

I log in with Jane’s account at https://portal.office.com and register for MFA. This objective is complete for the night, but I would like to return to Azure AD Sync for some interesting areas in the Synchronization Service in a future post.