You're reading from Active Directory Administration Cookbook - Second Edition

Product type: Book
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803242507
Edition: 2nd Edition

Author: Sander Berkouwer

Sander Berkouwer calls himself an Active Directory aficionado; he's done everything with Active Directory and Azure AD, including decommissioning. He has been MCSA, MCSE, and MCITP-certified for ages, an MCT for the past 5 years and a Microsoft Most Valuable Professional (MVP) on Directory Services and Enterprise Mobility for over a decade. Sander is also decorated with Veeam Vanguard and VMware vExpert awards for his international cross-platform knowledge, experience and passion. As the CTO at SCCT, Sander leads a team of architects performing many projects, most of them identity-related, throughout Europe.
Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect)

The previous chapter discussed authentication in a hybrid world and touched upon Azure AD Connect. This chapter provides in-depth recipes for Azure AD Connect, as it is both Microsoft's recommended synchronization tool and the most widely used one, deployed by 99% of all tenants worldwide.

The recipes in this chapter contain configuration items that are not available when Express Settings is used with Azure AD Connect. The Customize button is the key to the functionality outlined here.

The following recipes are covered in this chapter:

  • Choosing the right source anchor attribute for user objects
  • Configuring staging mode
  • Switching to a staging-mode server
  • Configuring domain and OU filtering
  • Configuring Azure AD app and attribute filtering
  • Configuring hybrid Azure AD join
  • Configuring device writeback
  • Configuring password writeback
  • Configuring group writeback...

Choosing the right source anchor attribute for user objects

This recipe shows how to choose the right source anchor attribute for user objects in Azure AD Connect.

Getting ready

To make a choice, you need to know the following characteristics of your organization:

  • Is your organization's current Active Directory environment a multi-forest environment?
  • Is your organization currently consolidating Active Directory domains and/or planning to acquire other organizations and configure these into the current hybrid identity environment in scope for synchronization by Azure AD Connect?
  • Does your organization already have a federation solution and use claims-based applications, either inside your organization or with cloud-based applications, systems, and/or services?
  • Does your organization currently use or plan to use a third-party solution that leverages the content of the mS-DS-ConsistencyGUID attribute?

How to do it...

Use the following flowchart...
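A check that answers the fourth question above, added here as an example and not taken from the book: it inventories how many user objects already carry an mS-DS-ConsistencyGUID value and whether that value equals the object's objectGUID (Azure AD Connect writes the objectGUID into the attribute when it owns it), so a value that differs points at another product or an earlier migration already using the attribute. It assumes the ActiveDirectory RSAT module and read access to the domain you query.

```powershell
# Added example (not from the book): inventory mS-DS-ConsistencyGUID usage before
# choosing it as the source anchor. Assumes the ActiveDirectory module is installed
# and the signed-in account can read user objects. Narrow -SearchBase on large forests.
Import-Module ActiveDirectory

$users = @(Get-ADUser -Filter * -Properties objectGUID, 'mS-DS-ConsistencyGUID')

# Only objects that already have the attribute set are interesting here.
$populated = @($users | Where-Object { $null -ne $_.'mS-DS-ConsistencyGUID' })

# The attribute is stored as a byte array; turn it into a GUID for comparison.
$equal   = @()
$differs = @()
foreach ($u in $populated) {
    $consistencyGuid = [guid]::new([byte[]]$u.'mS-DS-ConsistencyGUID')
    if ($consistencyGuid -eq $u.objectGUID) {
        $equal += $u      # Looks like Azure AD Connect (or a compatible tool) wrote it
    } else {
        $differs += $u    # Something else owns this value: review before choosing the anchor
    }
}

# Summary the decision can be based on
[pscustomobject]@{
    TotalUsers              = $users.Count
    ConsistencyGuidSet      = $populated.Count
    EqualToObjectGuid       = $equal.Count
    DifferentFromObjectGuid = $differs.Count
}

# Detail for the conflicting objects, so each one can be traced to its origin
$differs | Select-Object DistinguishedName,
    @{ n = 'objectGUID';            e = { $_.objectGUID } },
    @{ n = 'mS-DS-ConsistencyGUID'; e = { [guid]::new([byte[]]$_.'mS-DS-ConsistencyGUID') } }
```

Run it once per domain in a multi-forest or multi-domain environment, passing `-Server` to Get-ADUser for each one, because the answer can differ per domain.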

Configuring staging mode

This recipe provides tips for configuring Azure AD Connect in staging mode.

Getting ready

To implement one or more staging-mode servers, you need to meet the same requirements as when implementing the actively synchronizing Azure AD Connect installation. In short, you need to do the following:

  • Sign in with an account that is a local administrator account on the server. As part of the process, credentials for the following accounts need to be specified:
    • An account in Active Directory that is a member of the Enterprise Admins group
    • An account in Azure AD that has the Global administrator or Hybrid Identity administrator role assigned
  • Ensure that the following are true of the Windows Server that you intend to configure as an Azure AD Connect staging-mode server:
    • Is able to communicate with the internet without having to pass proxies
    • Is running Windows Server 2016, or a newer version of Windows Server
    • Is domain-joined
    • Has Internet Explorer Enhanced...
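A preflight script for the items in the list above, added here as an example and not part of the book: run on the candidate staging-mode server, it reports whether the session is elevated as a local administrator, whether the server is domain-joined and a Windows Server 2016 or newer SKU, and whether it reaches the Azure AD sign-in endpoint without a WinHTTP proxy. The endpoint name and the use of netsh for the proxy check are assumptions of this example.

```powershell
# Added example (not from the book): readiness checks for a planned Azure AD Connect
# staging-mode server. Run elevated on the server you intend to configure.
$results = [ordered]@{}

# 1. The wizard must run under an account that is a local administrator.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$results['RunningAsLocalAdmin'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Domain-joined
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = $cs.PartOfDomain
$results['Domain']       = $cs.Domain

# 3. Windows Server 2016 or newer. 2016 is build 10.0.14393; ProductType 1 is a workstation.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results['OSVersion']          = $os.Version
$results['IsServerSku']        = ($os.ProductType -ne 1)
$results['Windows2016OrNewer'] = ([version]$os.Version -ge [version]'10.0.14393')

# 4. Internet without a proxy: WinHTTP must be "Direct access" and the Azure AD
#    sign-in endpoint (assumed: login.microsoftonline.com) reachable on TCP 443.
$winhttp = netsh winhttp show proxy
$results['NoWinHttpProxy']   = (@($winhttp | Select-String -SimpleMatch 'Direct access').Count -gt 0)
$results['AzureADReachable'] = Test-NetConnection -ComputerName 'login.microsoftonline.com' `
                                   -Port 443 -InformationLevel Quiet

# Anything that is $false here needs attention before running the wizard.
[pscustomobject]$results
```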

Switching to a staging-mode server

This recipe shows how to switch the actively synchronizing Azure AD Connect installation and a staging-mode installation.

Getting ready

Sign in with an account that is a local administrator on the actively synchronizing Azure AD Connect installation. Also, sign in to the staging-mode installation that you want to switch to.

As part of the switch, you need to enter credentials for an account in Azure AD that has the Global administrator or Hybrid Identity administrator role assigned.

If the organization uses the Azure AD PIM feature, activate the Global administrator or Hybrid Identity administrator role in advance.

How to do it...

To switch the actively synchronizing Azure AD Connect installation and a staging-mode installation, perform these steps on the actively synchronizing Azure AD Connect installation, if this installation is still operable:

  1. Open Azure AD Connect from the desktop. The Microsoft Azure Active Directory...
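A state check to run on each of the two servers before the switch, added here as an example and not from the book: it uses the ADSync module that ships with Azure AD Connect to show whether the local server is in staging mode and whether a synchronization cycle is running, so you can confirm the staging server really is in staging mode and the active server is idle before changing either. Only the local server's state is visible, so run it on both.

```powershell
# Added example (not from the book): show the local Azure AD Connect server's scheduler
# and staging state before switching roles. Assumes the ADSync module is present,
# which is the case on any server where Azure AD Connect is installed.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

$state = [pscustomobject]@{
    Server               = $env:COMPUTERNAME
    StagingModeEnabled   = $scheduler.StagingModeEnabled    # $true on the staging server
    SyncCycleEnabled     = $scheduler.SyncCycleEnabled
    SyncCycleInProgress  = $scheduler.SyncCycleInProgress
    NextSyncCyclePolicy  = $scheduler.NextSyncCyclePolicyType
    NextSyncCycleUTC     = $scheduler.NextSyncCycleStartTimeInUTC
}
$state

# Two servers both exporting to the same tenant is the failure mode to avoid:
# exactly one server may report StagingModeEnabled = $false at any time.
if (-not $state.StagingModeEnabled -and $state.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is in progress on the active server; let it finish before switching.'
}

# Stop the scheduler on the server that is about to go into staging mode, so no cycle
# starts while the wizard is open on the other server. Re-enable it afterwards.
# Set-ADSyncScheduler -SyncCycleEnabled $false
```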

Configuring domain and OU filtering

This recipe shows how to configure domain and Organizational Unit (OU) filtering in Azure AD Connect to filter a set of objects that are synchronized to Azure AD.

Getting ready

To configure the Domain and OU filtering functionality in Azure AD Connect, you need to know the following characteristics of your organization:

  • In which domains, OUs, and containers are the end users for my organization stored?
  • Where are the objects that the organization doesn't want to be synchronized to Azure AD?

To configure domain and OU filtering within Azure AD Connect, sign in with an account that is a local administrator on the server running Azure AD Connect. As part of the process, the credentials for the following accounts need to be specified:

  • An account in Active Directory that is a member of the Enterprise Admins group
  • An account in Azure AD that...

Configuring Azure AD app and attribute filtering

This recipe shows how to configure Azure AD app and attribute filtering in Azure AD Connect to filter a set of attributes for objects that are synchronized to Azure AD.

Getting ready

To configure the Azure AD app and attribute filtering feature in Azure AD Connect, you need to know the following characteristics of your organization:

  • What is the Office 365 functionality my organization is going to use?
  • Which attributes for my end users, groups, services, and devices am I allowed to synchronize to Azure AD in terms of regulatory compliance?

To configure the Azure AD app and attribute filtering feature within Azure AD Connect, sign in with an account that is a local administrator on the server running Azure AD Connect. As part of the process, credentials for the following accounts need to be specified:

  • An account in Active Directory...

Configuring hybrid Azure AD join

This recipe shows how to configure hybrid Azure AD join to synchronize device properties for domain-joined devices from Active Directory to Azure AD.

Getting ready

To configure hybrid Azure AD join in Azure AD Connect, you need to know the following characteristics of your organization:

  • What are the operating systems in use in the organization? Which attributes for the devices am I allowed to synchronize?
  • Which Azure AD Connect installation is the non-staging-mode server? (Only applicable if the organization has multiple Azure AD Connect servers.)

To configure hybrid Azure AD join in Azure AD Connect, you need to sign in with an account that is a local administrator account on a server dedicated to Azure AD Connect.

As part of the process, the credentials for the following accounts need to be specified:

  • An account in Active Directory that is a member of the Enterprise Admins group
  • An account in Azure AD that...

Configuring device writeback

This recipe shows how to configure the Device writeback feature in Azure AD Connect.

Getting ready

To configure the Device writeback feature in Azure AD Connect, you need to know the following characteristics of your organization:

  • In which forest are we going to write device objects? (Only applicable if your organization has multiple forests in scope for Azure AD Connect.)
  • Which Azure AD Connect installation is the non-staging-mode server? (Only applicable if your organization has multiple Azure AD Connect servers.)

The Device writeback feature requires Azure AD Premium P1 licenses or a Microsoft license that includes the P1 license, such as Azure AD Premium P2, Enterprise Mobility + Security (EMS) E3, EMS A3, Microsoft 365 E3, Microsoft 365 E5, and Microsoft 365 Business Premium licenses.

To configure device writeback in Azure AD Connect, you need to sign in with a domain account that is configured as a local administrator account...

Configuring password writeback

As an addition to the Self-service Password Reset and Change Password functionality in Azure AD, this recipe shows how to configure the Password writeback feature in Azure AD Connect.

Getting ready

To configure the Password writeback feature in Azure AD Connect, you need to know the following about your organization:

  • Does my organization allow employees to reset their passwords from outside the organization?

To delegate permissions to the Azure AD Connect service accounts, sign in to a Windows Server that has the Active Directory Users and Computers remote server administration tool installed, using an account that is a member of the Enterprise Admins group in the Active Directory forest for which you are configuring password writeback.

To configure the Password writeback feature within Azure AD Connect, sign in with an account that is a local administrator account on a server dedicated to Azure AD Connect. As part of the process, credentials...

Configuring group writeback

This recipe shows how to enable the Group writeback feature in Azure AD Connect.

Getting ready

To configure group writeback in Azure AD Connect, you need to know the following characteristics of your organization:

  • In which OU are we going to write back group objects?
  • Which accepted domain name will be appended to Office 365 groups? (Only applicable if your organization has multiple Domain Name System (DNS) domain names and accepted domains.)

To configure the Group writeback feature in Azure AD Connect, you need to sign in with an account that is a local administrator account on a server dedicated to Azure AD Connect. As part of the process, credentials for the following accounts need to be specified:

  • An account in Active Directory that is a member of the Enterprise Admins group
  • An account in Azure AD that has the Global administrator or Hybrid Identity administrator role assigned

If the organization uses the Azure...

Changing passwords for Azure AD Connect service accounts

This recipe shows how to manually change passwords for your Azure AD Connect service account(s).

Getting ready

To reconfigure Azure AD Connect, you need to sign in with an account that is a local administrator account on a server dedicated to Azure AD Connect. As part of the following steps, you need to enter credentials for these accounts:

  • An account in Azure AD that has the Global administrator role assigned
  • An account in Active Directory that is a member of the Domain Admins group, for each domain in which Seamless SSO is configured (only applicable when Seamless SSO is configured)

If the organization uses the Azure AD PIM feature, activate the Global administrator role in advance.

Azure AD Connect needs to be initially configured.

How to do it...

Perform the steps outlined next to change passwords for the following Azure AD Connect service accounts:

  1. The AD Connector account—...