Synchronize Users from Windows Server 2019 Active Directory to Azure AD

This tutorial shows you how to migrate user accounts from Windows Server 2019 Active Directory to Azure Active Directory Domain Services via Azure Active Directory Connect.

KEEP IN MIND

  • A Windows Server 2019 Active Directory test environment was created as a VMware Workstation virtual machine to carry out the migration.
  • For this tutorial, the free Microsoft Azure subscription is used.
  • The tutorial is divided into 5 main sections:
      1. Create a tenant
      2. Add the domain name
      3. Create a global user
      4. Download Azure AD Connect
      5. Install Azure AD Connect and initiate synchronization

POST CONFIGURATION TASKS

Windows Server 2019 Active Directory is configured to prepare for the synchronization process.

Link to create Active Directory in Windows Server 2019:

https://techencyclopedia.wordpress.com/2020/02/16/how-to-install-active-directory-in-windows-server-2019-step-by-step-guide/

A couple of test users are created in Active Directory for synchronization.

01 CREATE A TENANT

To make the project more organized, a new tenant is created to configure the Azure Active Directory users. A tenant represents an organization in Azure Active Directory.

Choose the Azure Active Directory resource from the Microsoft Azure Portal.

Alternatively, you can search from the search bar located at the top of the screen.

Click + Create a tenant to create a new tenant.

Configure the Basics tab

For the tenant type, Azure Active Directory is chosen.

Configure the Configuration tab

Provide the Organization name.

Provide the Initial domain name (this will be changed later on).

Provide the Country or Region (the datacenter location is based on this input).

Review and Create the tenant

After reviewing the new tenant information, click Create to finalize.

After creating the new tenant, switch from the default tenant to the new one.

Go to the Azure Active Directory Overview and click Switch tenant.

Switch to the new tenant

Confirm that you are connected to the new tenant before proceeding forward.

02 ADD THE DOMAIN NAME

Next, the domain is added to Azure Active Directory. This should be the same domain name as the one configured for the user accounts in the on-premises Active Directory Domain Services.

Click + Add custom domain to add the domain.

Verifying the domain name can take time, because DNS records may take up to 72 hours to propagate. In most cases, however, it takes much less than 72 hours.

To complete the domain name verification, create the following two DNS records at the domain name registrar (GoDaddy in this case):

  • TXT
  • MX

The TXT record is added in GoDaddy (add the MX record as well before clicking the Verify button).
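
As an added example (not part of the original tutorial), the following PowerShell function checks whether the TXT and MX verification records are already visible in public DNS before you click Verify, which avoids a failed verification while the records are still propagating. The domain name, record values and resolver address are placeholders.

```powershell
# Added example (not from the original tutorial): check that the TXT and MX
# records required for Azure AD domain verification are visible in public DNS
# before clicking "Verify" in the portal. Domain and record values below are
# placeholders; take the real values from the "Add custom domain" blade.

$Domain   = 'example.com'             # placeholder: your custom domain
$TxtValue = 'MS=msXXXXXXXX'           # placeholder: TXT value shown by Azure AD
$MxValue  = 'msXXXXXXXX.msv1.invalid' # placeholder: MX target shown by Azure AD
$Resolver = '8.8.8.8'                 # public resolver, not the on-prem DC's cache

function Test-AzureAdDomainRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $TxtValue,
        [Parameter(Mandatory)] [string] $MxValue,
        [string] $Server = '8.8.8.8'
    )
    $result = [ordered]@{ Domain = $Domain; TxtFound = $false; MxFound = $false }

    # TXT: Azure AD looks for a record whose text is exactly the MS=... token.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $Server -DnsOnly `
        -ErrorAction SilentlyContinue
    if ($txt) {
        $result.TxtFound = [bool]($txt | Where-Object { $_.Strings -contains $TxtValue })
    }

    # MX: the alternative verification record; host names are compared case-insensitively.
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $Server -DnsOnly `
        -ErrorAction SilentlyContinue
    if ($mx) {
        $result.MxFound = [bool]($mx | Where-Object { $_.NameExchange -ieq $MxValue })
    }

    [pscustomobject]$result
}

$check = Test-AzureAdDomainRecords -Domain $Domain -TxtValue $TxtValue `
    -MxValue $MxValue -Server $Resolver
$check | Format-List

if (-not ($check.TxtFound -or $check.MxFound)) {
    Write-Warning 'Neither record is visible yet; wait for DNS propagation before clicking Verify.'
}
```

Run it from any Windows machine with the DnsClient module (Windows 8 / Server 2012 and later); a public resolver is queried on purpose so that a stale answer cached on the domain controller does not mask a missing record.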

After the domain name is verified, make it the primary domain name.

Click on the newly added verified domain name.

Click Make primary.

03 CREATE A GLOBAL USER

Next, create a user account in Azure Active Directory and assign it the Global Administrator role. A Global Administrator has permission to manage all aspects of Azure AD and of the Microsoft services that use Azure AD identities. Because this role is highly privileged, the account should be dedicated to the synchronization setup and protected with multi-factor authentication.

Go to Users in Azure Active Directory.

Click + New user to start creating a new user.

Choose the Create user option.

Insert the details under the Identity section: add the User name and make sure the correct domain name is selected.

Configure the password options. In this case, a password is entered instead of letting Azure generate one.

Configure the Groups and roles section. For the role, Global administrator is chosen from the directory roles menu.

After the role is assigned, it is shown under the Groups and roles section.

Complete the rest of the configuration. The Block sign in option should be No, which is selected by default.

After completing the user configuration, click Create to finalize.

After the new global user is created, log back in to the Azure portal with its credentials. You will have to change the given password and provide phone authentication details to continue.

Enter the user name to sign in.

Enter the previously given password.

The next screen prompts you to update your password.

After logging in, the authentication phone details must be provided.

You are now logged in as the newly created user with Global Administrator privileges.

Search for the Azure Active Directory resource to make further configurations.

04 DOWNLOAD AZURE AD CONNECT

After logging back in as the Global Administrator, go to Azure Active Directory and download Microsoft Azure Active Directory Connect.

Click on Azure AD Connect to proceed.

Click Download Azure AD Connect to go to the Microsoft Download page.

Click the Download button to continue.

Read the system requirements and installation instructions before installing Azure Active Directory Connect. The system requirements list the supported operating systems.

05 INSTALL AZURE AD CONNECT AND INITIATE SYNCHRONIZATION

Azure AD Connect is installed on the on-premises Windows Server 2019 Active Directory domain controller to initiate the synchronization process.

Log in to Windows Server 2019 (with Active Directory installed and configured).

(The Active Directory account used should have Enterprise Administrator privileges.)

Double-click the downloaded Azure AD Connect setup file to install Azure AD Connect.

Agree to the license terms and privacy notice to continue with the installation.

In this case, Express settings are used.

Enter the Azure AD Global Administrator credentials.

A browser window will prompt you to sign in to the account with the password.

Complete the phone authentication process

Enter the credentials to connect to the on-premises Active Directory

Tick the box to start the synchronization process right away after the installation completes.

Sign in to Azure to check that the on-premises Active Directory users have been synchronized to Azure Active Directory.

Go to Azure Active Directory > All users.

By default, the sync process is scheduled to run every 30 minutes. You can use the sync PowerShell cmdlets to run the process manually.

Azure AD Connect sync: Scheduler

Read more at:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler

The scheduler runs every 30 minutes by default. In some cases, you might want to run a sync cycle in between the scheduled cycles, or you need to run a different type of cycle.

To see your current configuration settings, open PowerShell on the Azure AD Connect server and run

Get-ADSyncScheduler

If you need to run a delta sync cycle manually, then from PowerShell run

Start-ADSyncSyncCycle -PolicyType Delta

To initiate a full (initial) sync cycle, run

Start-ADSyncSyncCycle -PolicyType Initial
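
An added example, not part of the original tutorial or of Microsoft's documentation: a PowerShell wrapper around the cmdlets above that inspects the scheduler state, refuses to start a cycle while one is already running, starts a delta (or initial) cycle and waits for it to finish. It assumes it runs on the Azure AD Connect server, where the ADSync module is installed.

```powershell
# Added example (not from the original tutorial): run a sync cycle from the
# Azure AD Connect server and wait for it to finish, instead of starting
# Start-ADSyncSyncCycle blindly. Assumes the ADSync module is present locally.
Import-Module ADSync

function Invoke-AdSyncCycleAndWait {
    param(
        [ValidateSet('Delta', 'Initial')] [string] $PolicyType = 'Delta',
        [int] $TimeoutSeconds = 600
    )

    $scheduler = Get-ADSyncScheduler
    if ($scheduler.StagingModeEnabled) {
        # In staging mode the server imports and syncs but never exports to Azure AD.
        Write-Warning 'Server is in staging mode; changes will not be exported to Azure AD.'
    }
    if ($scheduler.SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; not starting another one.'
        return $false
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null

    # Poll until the scheduler reports idle and no connector is running, or time out.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $running = @(Get-ADSyncConnectorRunStatus)
        $busy = (Get-ADSyncScheduler).SyncCycleInProgress -or ($running.Count -gt 0)
    } while ($busy -and (Get-Date) -lt $deadline)

    if ($busy) {
        Write-Warning "Sync cycle still running after $TimeoutSeconds seconds."
        return $false
    }
    return $true
}

# Show the current scheduler settings (interval, next run, staging mode) first.
Get-ADSyncScheduler | Format-List AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval,
    NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleEnabled, StagingModeEnabled

if (Invoke-AdSyncCycleAndWait -PolicyType Delta) {
    Write-Host 'Delta sync completed; check Azure Active Directory > All users for the synced accounts.'
}
```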

TROUBLESHOOTING

CANNOT DELETE USERS ACCOUNTS

If you get an error stating that you can't manage or remove objects that were synchronized through the Azure Active Directory Sync tool, there can be two reasons.

This issue may occur if one or more of the following conditions are true:

  • The on-premises AD DS is no longer available. Therefore, you can’t manage or delete the object from the on-premises environment.
  • You deleted an object from the on-premises AD DS. However, the object wasn’t deleted from your cloud service organization. This is unexpected behavior.

Read more in the following article:

https://docs.microsoft.com/en-au/troubleshoot/azure/active-directory/cannot-manage-objects

Create Azure Active Directory and Azure Active Directory Domain Services

KEEP IN MIND

  • It is recommended to create a Resource Group and configure the rest of the resources under it for easier management.
  • The tutorial is divided into 4 main sections:
    1. Create a resource group
    2. Create Virtual Networks Resource
    3. Create Azure Active Directory
    4. Create Azure AD Domain Services

TUTORIAL

01 Create a Resource Group

Firstly, a resource group is created.

Go to the Azure portal and click the ‘Resource Groups’ icon. Alternatively, you can search in the Azure search bar.

Click the plus sign to create a new Azure resource group.

Enter the project details, such as the subscription (in this case the free one) and the resource group name.

In the resource details section, choose an appropriate region.

Confirm the configuration and create the resource group.

02 Create Virtual Networks Resource

Go to the Azure portal and select the ‘Virtual Networks’ resource.

Add a new virtual network.

The ‘Create Virtual Network’ window opens with 5 different tabs. Configure the tabs to create the new virtual network.

Basics

Fill the project and instance details.

Project details

  • For ‘Subscription’, the free ‘Azure subscription 1’ is selected
  • For ‘Resource Group’, RG1 is selected (if it was not created earlier, an option is given to create a new resource group)

Instance details

  • The name of the virtual network is provided (choose an appropriate name)
  • Region: (US) East (it is best to choose a nearby region)

IP Addresses

  • The IP address space is given
  • A new subnet is also created with a subnet name and IP address range

Review + Create

Finally, review the configuration and create the Azure virtual network.

03 Create Azure Active Directory

In the Microsoft Azure portal, the ‘Azure Active Directory’ resource is chosen.

Azure Active Directory (Azure AD)

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in:

What is Azure Active Directory?

Read the following article on the Microsoft website to learn about Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Create a domain

In a corporate environment, you have to configure the domain name. A domain can be bought from an Internet domain registrar such as GoDaddy.

Go to ‘Custom Domain Names’ and select the domain name (in this case, the default available domain name is chosen; if needed, you can add your own domain).

Furthermore, if multiple domain names are listed, make sure the desired domain is the primary domain (indicated by the tick mark).

Create Users

Create the user accounts in the ‘Users’ section of Azure Active Directory.

Create a ‘New user’.

04 Create Azure AD Domain Services

There are five tabs to configure to create Azure AD Domain Services.

Azure Active Directory Domain Services (Azure AD DS)

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

MORE AT: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview

Basics

Configure the Basics tab to provide the project details:
  • Subscription is chosen (in this case, it is ‘Azure subscription 1’, the free one)
  • Resource group name is given (this must be configured; you can create a new resource group or provide a previously created one)

  • The previously configured ‘domain name’ is provided.
  • The ‘Forest type’ configured in this scenario is ‘User’ (a user forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment).

Forest type | User vs Resource

User forest

By default, a managed domain is created as a user forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment.

User accounts can directly authenticate against the managed domain, such as to sign in to a domain-joined VM. A user forest works when the password hashes can be synchronized and users aren’t using exclusive sign-in methods like smart card authentication.

Resource forest

In an Azure AD DS resource forest, users authenticate over a one-way forest trust from their on-premises AD DS. With this approach, the user objects and password hashes aren’t synchronized to Azure AD DS. The user objects and credentials only exist in the on-premises AD DS.

This approach lets enterprises host resources and application platforms in Azure that depend on classic authentication such as LDAPS, Kerberos, or NTLM, while authentication issues or concerns are removed. Azure AD DS resource forests are currently in preview.

Resource forests also provide the capability to lift-and-shift your applications one component at a time. Many legacy on-premises applications are multi-tiered, often using a web server or front end and many database-related components. These tiers make it hard to lift-and-shift the entire application to the cloud in one step. With resource forests, you can lift your application to the cloud in a phased approach, which makes it easier to move your application to Azure.

Networking

  • A new virtual network is created, or a previously created one is provided (this must be configured)
  • The subnet is provided (this must be configured)

Administration

You can manage the membership of the ‘AAD DC Administrators’ group (the administrators of the Azure AD DS managed domain).

Synchronization

To change synchronization from “all” to “scoped”, the managed domain needs to be deleted and re-created.

Review + create

Review the configured Azure AD Domain Services and click ‘Create’ to proceed.

Finalize after the confirmation, since the following cannot be changed after Azure AD Domain Services is created:

  • DNS name
  • Subscription
  • Resource group
  • Virtual network
  • Subnet
  • Synchronization
  • Forest type

The deployment is completed.

Create Windows Server 2019 Datacenter Virtual Machine Using Microsoft Azure

KEEP IN MIND

  • In this tutorial, Windows Server 2019 Datacenter is installed on an Azure virtual machine and accessed via RDP.
  • Furthermore, the Microsoft Azure free subscription is used to execute the tutorial. The Azure free account includes access to a number of Azure products that are free for 12 months, $280 credit to spend in the first 30 days after sign-up, and access to more than 25 products that are always free. READ MORE AT: https://azure.microsoft.com/en-au/free/free-account-faq/
  • If you possess paid subscription to Microsoft 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Microsoft Azure Active Directory.

INTRODUCTION

What is Microsoft Azure?

Microsoft Azure (formerly known as Windows Azure) is a public cloud computing platform, with solutions including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), that can be used for services such as analytics, virtual computing, storage, networking, and much more.

History

Azure was announced in October 2008, started with codename “Project Red Dog” and released on February 1, 2010, as Windows Azure before being renamed to Microsoft Azure on March 25, 2014.

Azure regions

A region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.

60+ regions worldwide, available in 140 countries

https://azure.microsoft.com/en-us/global-infrastructure/regions/

What is Azure Resource Manager?

The Azure Resource Manager, introduced in 2014, enables users to create groups of related services so that closely coupled resources can be deployed, managed, and monitored together.

What is an Azure resource?

In Azure, the term resource refers to an entity managed by Azure. For example, virtual machines, virtual networks, and storage accounts are all referred to as Azure resources.

What is a Resource Group?

A resource group is a container that holds related resources for an Azure solution.

OVERVIEW OF AZURE VIRTUAL MACHINES

Azure virtual machines can be used in various ways. Some examples are:

  • Development and test – Azure VMs offer a quick and easy way to create a computer with specific configurations required to code and test an application.
  • Applications in the cloud – Because demand for your application can fluctuate, it might make economic sense to run it on a VM in Azure. You pay for extra VMs when you need them and shut them down when you don’t.
  • Extended datacenter – Virtual machines in an Azure virtual network can easily be connected to your organization’s network.

Requirements to create an Azure virtual machine

READ MORE AT:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview

TUTORIAL

Go to the Microsoft Azure portal and select the ‘Virtual machines’ resource.

Configure the tabs to create a new virtual machine.

Basics

Enter the project and instance details along with administrator account information

Project details

  • Subscription: Azure subscription 1
  • Resource Group: RG1

Instance details

  • Virtual machine name: VM1
  • Region: (US) East US [You have several options to choose from the menu as the region]
  • Availability Options: No infrastructure redundancy required
  • Image: Windows Server 2019 Datacenter
  • Size: Standard

  • Administrator account details are given; use a strong password.
  • Inbound port rules are configured to allow access to the Azure virtual machine:

HTTP (80), HTTPS (443), SSH (22), RDP (3389)

Allowing RDP (3389) and SSH (22) from any source exposes the VM to password-guessing attempts from the whole Internet. If these ports must stay open, restrict the source to your own public IP address, or use Azure Bastion or Security Center's just-in-time VM access instead.
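
Added example (not part of the original tutorial): using the Az PowerShell module, audit the VM's network security group for inbound RDP or SSH rules that allow any source address, remove them, and add an RDP rule limited to one trusted address (the SSH rule is dropped because this Windows VM is reached over RDP only). The NSG name and the trusted address are placeholders; the resource group name RG1 is the one used in the tutorial.

```powershell
# Added example (not from the original tutorial): tighten the inbound admin-port
# rules the portal created for the VM. Requires the Az.Network module and an
# existing Connect-AzAccount session. NSG name and trusted address are placeholders.
$ResourceGroup = 'RG1'               # resource group from the tutorial
$NsgName       = 'VM1-nsg'           # placeholder: the NSG the portal created for VM1
$TrustedSource = '203.0.113.10/32'   # placeholder: your own public IP (TEST-NET-3 range)

function Get-OpenAdminPortRules {
    param([Parameter(Mandatory)] $Nsg)
    # A rule is "open" if it allows inbound traffic to 3389 or 22 from any source.
    $Nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
        ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '22')
    }
}

$nsg  = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
$open = @(Get-OpenAdminPortRules -Nsg $nsg)

foreach ($rule in $open) {
    Write-Warning ("Rule '{0}' allows port(s) {1} from {2}" -f $rule.Name,
        ($rule.DestinationPortRange -join ','), ($rule.SourceAddressPrefix -join ','))
    # Remove the wide-open rule; the restricted replacement is added below.
    $nsg = Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $nsg
}

if ($open.Count -gt 0) {
    # Same RDP port, but only from the trusted address. Priority 300 is an arbitrary
    # value inside the allowed 100-4096 range; lower numbers are evaluated first.
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
        -Name 'Allow-RDP-From-Trusted' -Description 'RDP from admin workstation only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
        -SourceAddressPrefix $TrustedSource -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
    Write-Host "Replaced $($open.Count) open rule(s) with RDP access limited to $TrustedSource."
}
```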

Disks

Configure the disks for the Azure virtual machine that you are going to create.

Networking

Configure the network interface of the virtual machine

Network interface

  • A virtual network is created (this is required)
  • A subnet is also configured within the virtual network (this is required)
  • A public IP address is used to reach the virtual machine remotely from outside the Azure virtual network (this is optional)

Management

Configure the management settings

Azure Security Center

  • Basic security plan is already enabled by Azure Security Center

Monitoring

  • For monitoring purposes, a ‘Diagnostics storage account’ is created

  • If Auto-shutdown is enabled, the Azure Virtual Machine will be shut down daily.
  • Backups can be enabled if needed to protect the Azure Virtual Machine from accidental deletion.

Review + create

Review the configurations and create the Azure Virtual Machine

Connect to the Azure Virtual Machine

Go to Virtual machines and select the virtual machine that you created.

Select ‘Connect’

Download the RDP file to connect via Remote Desktop.

Press ‘Connect’ to initiate the Remote Desktop Connection

Enter the credentials that you provided for the administrator account when creating the Azure virtual machine.

Now you can access and configure the newly installed Windows Server 2019.
