MS-100 Plan Identity Sync using AD Connect

May 25th, 2019 | Posted by admin in Exchange

Design directory synchronization

Start by understanding your current infrastructure, then plan how identities will be synchronized to Azure AD with Azure AD Connect. As a rule of thumb, an organization with more than 5000 employees and an on-premises AD should deploy Azure AD Connect together with AD FS servers (federated identity) rather than synchronization alone.

Attribute filtering, an AD Connect staging server for high availability, HA for the AD FS and WAP servers, and the writeback options (password, device, group) should all be decided based on your requirements before installation.

If you have a multi-forest environment, deploy a single AD Connect server, synchronize the objects from all forests through it, and configure the settings shown below.
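Before changing a deployment it helps to inventory what the existing AD Connect server is already doing. The following is an added example, not code from the original post; it runs on the AD Connect server itself using the ADSync module that ships with Azure AD Connect. The property names read from the connector objects (Name, Type) and the scheduler are the ones those cmdlets return today; treat the "AD" connector type value as an assumption if your version prints something different.

```powershell
# Added example (not from the original post): inventory an Azure AD Connect server
# before planning changes. Run on the AD Connect server; ADSync is installed with it.
Import-Module ADSync

function Get-AadConnectDesignSummary {
    # One connector per on-premises forest plus one for the Azure AD tenant.
    $connectors = Get-ADSyncConnector
    $scheduler  = Get-ADSyncScheduler
    # Tenant-level feature flags (PasswordHashSync, the writeback options, ...).
    $features   = Get-ADSyncAADCompanyFeature

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Connectors       = @($connectors | ForEach-Object { "$($_.Name) [$($_.Type)]" })
        # Assumption: on-premises forest connectors report Type 'AD'.
        ForestConnectors = @($connectors | Where-Object { $_.Type -eq 'AD' }).Count
        StagingMode      = $scheduler.StagingModeEnabled
        SyncCycleEnabled = $scheduler.SyncCycleEnabled
        SyncInterval     = $scheduler.CurrentlyEffectiveSyncCycleInterval
        PasswordHashSync = $features.PasswordHashSync
        Features         = $features
    }
}

$summary = Get-AadConnectDesignSummary
$summary | Format-List

# Planning checks derived from the summary.
if ($summary.ForestConnectors -gt 1) {
    Write-Host "Multi-forest: $($summary.ForestConnectors) AD connectors on one server."
}
if ($summary.StagingMode) {
    Write-Warning ("This server is in staging mode: it imports and syncs but never exports. " +
                   "Exactly one server in the deployment must be active at a time.")
}
if (-not $summary.SyncCycleEnabled) {
    Write-Warning "The sync scheduler is disabled; no changes will flow until it is re-enabled."
}
```

Run this on the current active server and on any staging server you add: the two must agree on connectors and feature flags, and only one of them may have StagingMode set to False.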

Implement directory synchronization with directory services, federation services, and Azure endpoints

Prerequisites for implementing directory synchronization:

  • Azure AD subscription (tenant)
  • Enterprise Admin in the on-premises AD and Global Admin in Azure AD (used during setup)
  • Outbound connectivity from the AD Connect server to the Azure IP addresses and URLs
  • Domain controllers on Windows Server 2008 R2 or later for Password Hash Sync and password writeback
  • SQL Server instance (Azure AD Connect installs SQL Server Express LocalDB by default; a full SQL Server instance is required above roughly 100,000 objects)
  • Certificate whose subject or SAN covers the federation service name
  • DNS record for the AD FS federation service name, both internal and public
  • Add the federation service name to the Local intranet zone so Windows Integrated Authentication works for browser applications from the intranet
  • Add the federated domain as a UPN suffix in the on-premises forest so users' UPNs match the domain being federated

Tip: for the intranet DNS record, use an A record, not a CNAME. Windows Integrated Authentication from domain-joined machines depends on this.
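The DNS, certificate and UPN-suffix prerequisites above can all be checked from a domain-joined workstation before the AD FS install begins. The script below is an added example, not part of the original post. The federation service name sts.superhybridcloud.com and the public resolver 1.1.1.1 are assumptions (the post only names the SuperHybridCloud.Com domain); Resolve-DnsName needs Windows 8 / Server 2012 or later and Get-ADForest needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original post). Hypothetical names: the federation
# service name sts.superhybridcloud.com and the UPN suffix superhybridcloud.com.
$FederationServiceName = 'sts.superhybridcloud.com'
$UpnSuffix             = 'superhybridcloud.com'
$PublicResolver        = '1.1.1.1'   # assumption: any public recursive resolver works

function Test-FederationDnsRecord {
    param([string]$Name, [string]$Server)
    # -DnsOnly bypasses the hosts file and client cache so we see the real zone data.
    $rs = if ($Server) { Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop }
          else         { Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop }
    [pscustomobject]@{
        Name      = $Name
        Server    = if ($Server) { $Server } else { '(client default)' }
        Addresses = @($rs | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        # WIA needs a plain A record; a CNAME anywhere in the answer chain breaks it.
        HasCname  = [bool]($rs | Where-Object Type -eq 'CNAME')
    }
}

function Get-FederationCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain here: we only want to inspect the certificate that is presented.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $client.Dispose() }
}

function Test-CertificateMatchesName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    # Match the subject CN or any SAN dNSName; wildcards only at the leftmost label.
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    foreach ($n in $names) {
        if ($n -ieq $Name) { return $true }
        if ($n.StartsWith('*.') -and
            $Name -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

# 1. Internal DNS: must be an A record pointing at the AD FS farm.
$internal = Test-FederationDnsRecord -Name $FederationServiceName
if ($internal.HasCname) { Write-Warning "Internal record for $FederationServiceName is a CNAME; WIA from domain-joined clients will fail." }
$internal

# 2. Public DNS: should resolve to the WAP server's public address, not the internal farm.
Test-FederationDnsRecord -Name $FederationServiceName -Server $PublicResolver

# 3. The certificate presented on 443 must carry the federation service name.
$cert = Get-FederationCertificate -HostName $FederationServiceName
"Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"
if (-not (Test-CertificateMatchesName -Cert $cert -Name $FederationServiceName)) {
    Write-Warning "Certificate does not cover $FederationServiceName."
}

# 4. The federated domain must be a UPN suffix in the forest.
$forest = Get-ADForest
if ($UpnSuffix -notin $forest.UPNSuffixes -and $UpnSuffix -ne $forest.RootDomain) {
    Write-Warning "$UpnSuffix is not a UPN suffix in forest $($forest.Name); add it with Set-ADForest -UPNSuffixes @{Add='$UpnSuffix'}."
}
```

Run it once from inside the network and once from a machine that only has internet access: the internal answer should be the farm's A record and the public answer should be the WAP address, while the certificate check should pass from both sides.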

The minimum requirements for computers running AD FS or Web Application Proxy are the following:

  • CPU: Dual core 1.6 GHz or higher
  • MEMORY: 2 GB or higher

Implementing ADFS / Federated Identity

  • Install the AD FS server role
  • Configure the AD FS server role
    • The SSL certificate must match the AD FS federation service name
    • WID (Windows Internal Database) or SQL Server can be used based on your requirement
    • AD FS service account (a group Managed Service Account is preferred where the domain supports it)
  • Install and configure the Web Application Proxy (WAP)
    • Configure the SSL certificate (same federation service name)
    • Make sure the WAP server can resolve the AD FS service name to the internal AD FS farm (typically a hosts file entry, because the public record points at the WAP server itself)
    • The public DNS record for the AD FS service name must point to the WAP server
  • Configure the federation trust with Office 365
    • Connect to Microsoft Online: Connect-MsolService
    • Set the MSOL AD FS context server: Set-MsolADFSContext -Computer ADFSServerName.SuperHybridCloud.Com
    • Convert the domain to a federated domain: Convert-MsolDomainToFederated -DomainName
    • Verify the federation: Get-MsolFederationProperty -DomainName
    • Enable the IdP-initiated sign-on page for further verification: Set-AdfsProperties -EnableIdpInitiatedSignonPage $true (disabled by default on AD FS 2016 and later; turn it back off with -EnableIdpInitiatedSignonPage $false once testing is done, since the page exposes a sign-in form and the list of relying party trusts to anyone who can reach the WAP)
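The federation-trust steps above, carried through as one runnable sequence with the verification a practitioner would want between steps. This is an added example, not the post's own code; it assumes it is run on the AD FS server ADFSServerName.SuperHybridCloud.Com (named in the post) with the MSOnline module installed, and that superhybridcloud.com is the verified domain being converted (the post leaves the domain name blank).

```powershell
# Added example (not from the original post). Run on the AD FS server as a user who is
# both an AD FS administrator and an Azure AD Global Admin.
# Assumptions: MSOnline module installed; superhybridcloud.com is the verified domain
# to federate (the post does not name it).
Import-Module MSOnline
Import-Module ADFS

$AdfsServer = 'ADFSServerName.SuperHybridCloud.Com'
$Domain     = 'superhybridcloud.com'

# 1. Connect to Azure AD / Microsoft Online as a Global Admin.
Connect-MsolService

# 2. Point the MSOnline cmdlets at the AD FS server. This is what lets
#    Convert-MsolDomainToFederated create the relying party trust on AD FS.
Set-MsolADFSContext -Computer $AdfsServer

# 3. Convert the verified domain from Managed to Federated. Azure AD receives the
#    federation metadata (issuer URI, sign-in endpoints, token-signing certificate);
#    AD FS gets the "Microsoft Office 365 Identity Platform" relying party trust.
$before = (Get-MsolDomain -DomainName $Domain).Authentication
if ($before -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $Domain
}
$after = (Get-MsolDomain -DomainName $Domain).Authentication
"Authentication type for ${Domain}: $before -> $after"

# 4. Verify: the Azure AD copy and the AD FS copy of the federation settings must agree,
#    in particular the token-signing certificate (a mismatch means sign-ins will fail).
$props = Get-MsolFederationProperty -DomainName $Domain
$props | Select-Object Source, ActiveClientSignInUrl, PassiveClientSignInUrl |
    Format-Table -AutoSize
$thumbs = @($props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique)
if ($thumbs.Count -ne 1) {
    Write-Warning "Token-signing certificate differs between Azure AD and AD FS: $($thumbs -join ', ')"
}

# 5. Temporary test page. Disabled by default on AD FS 2016+; enable it only while
#    testing, then disable it again because it advertises every relying party trust
#    and offers a sign-in form to anyone who can reach the WAP.
$fsName = (Get-AdfsProperties).HostName
Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
try {
    Start-Process "https://$fsName/adfs/ls/idpinitiatedsignon.aspx"
    Read-Host 'Sign in on the test page with a synced user, then press Enter'
} finally {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
    "IdP-initiated sign-on page enabled: $((Get-AdfsProperties).EnableIdpInitiatedSignonPage)"
}
```

The try/finally around the test page is deliberate: if the test is interrupted the page is still switched off, so the farm is not left advertising its relying parties after the verification step.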
