Showing posts with label Active Directory.

Friday, March 20, 2015

Synchronize Directory to Azure Using Microsoft Azure Active Directory Sync Services (AAD Sync)

We have been busy with a recent project on Enterprise Mobility Suite (EMS), and the first tool we are going to use is the directory synchronization tool. We used to use DirSync to synchronize users, passwords, security groups, distribution lists, contacts, etc. However, DirSync has been replaced by AAD Sync (Azure Active Directory Sync Services).

Here is a quick directory synchronization tool comparison:

DirSync
  • Supports single-forest synchronization

AAD Sync
  • Supports single- and multi-forest synchronization
  • Password write-back

AAD Connect
  • Includes AAD Sync
  • Will assist to set up ADFS
  • Will assist to set up Web Application Proxy

In this article, we are going to deploy AAD Sync.

[Download AAD Sync]

To download – [Last update Feb 2015] – Click here

[Installation]

  • Define the location to install Azure AD Sync.

  • Click Install. It will install a few components such as SQL Express and Synchronization Services. This will take a while.

  • Enter the Azure AD account which has the global administrator right and click Next. Remember to “Activate” Directory Synchronization in Azure.

  • Enter your domain admin credentials and forest name. It will install the AD connector services.

  • Define the user matching attribute.

  • On the Optional features page, select any additional features that AAD Sync should perform, for example:
      • Exchange Hybrid Deployment
      • Password Synchronization
      • Password write back
      • Azure AD App and attribute filtering

  • Click Configure and wait for the AAD Sync tool to perform the changes.

Just wait a while and it will start to sync the directory to Azure. To check the result, go to the Azure Management Portal, where you will be able to see that the on-premises users and groups have synced to Azure Active Directory.

It is still a simple tool and works exactly like DirSync.

For other tools, please check out

Sunday, September 14, 2014

Azure Active Directory :- Access Panel Portal

The Access Panel is a web-based portal that allows an end user with an organizational account in Azure Active Directory to view and launch the cloud-based applications to which they have been granted access by the Azure AD administrator.

Before accessing the portal, you are required to install the “Access Panel Extension”, which at this moment is only available for

  • Internet Explorer 8 or later
  • Google Chrome
  • Firefox

To access the portal, enter the URL

https://myapps.microsoft.com

You can view the differences between the Access Panel Portal editions in the videos below.

Azure Active Directory (Free)

Differences:-

  • Can only view Applications & User Profile
  • User Profile limited to changing password
  • No Company Branding page

Azure Active Directory Premium

Differences:-

  • Able to view Applications, Groups, Approvals and User Profile
  • User Profile able to change password and set multi-factor authentication settings
  • Company Branding page

Friday, September 12, 2014

Video Azure Active Directory : Cloud App Discovery

Cloud App Discovery is currently in preview. It comes in handy when you would like to understand your organization's application usage. Once an application in use has been identified, the app is able to tell you whether it is one of the supported SaaS applications, and you can decide to integrate it with Azure Active Directory.

In order for this app to discover usage, you are required to install an agent on your desktop/laptop. Microsoft Azure AD then receives and analyzes the logs. Finally, it displays the result on the dashboard. Below is the video that I've captured based on my own app usage.

An interactive dashboard which provides an executive summary including:

  1. The total number of cloud applications discovered
  2. The total number of users using these cloud applications
  3. The top 10 applications discovered, which can be pivoted by:
      1. Number of web requests to the application
      2. Total volume of data uploaded and downloaded
      3. Number of unique users
  4. Usage trends over a selectable duration of time for the top 5 applications discovered

Video:- Azure Active Directory : Multi Factor Authentication and Company Branding Page

This video shows the beauty of Azure Active Directory: with multi-factor authentication enabled, it is required before access to the portal is granted, and the company branding web page is displayed once an AAD user account is detected.

MFA is added as a second authentication factor besides the password. In this video, it is shown using the MFA mobile app installed on an Android phone. Enjoy the demo!

Saturday, May 31, 2014

Create an Additional Domain Controller Using Install From Media (IFM)

Have you ever waited for a long period when setting up an additional domain controller, especially in a branch environment, waiting for it to replicate the AD database? You may need to wait even longer when you have limited Internet connectivity.

Well, we do, and we even tested deploying a virtualized domain controller in a branch that only had 128K of bandwidth. The connection was crawling at turtle speed and it took a very long time to replicate the entire Active Directory database.

To solve this problem, we decided to use IFM (Install From Media). To start, make sure your existing domain controller is

  • running at least Windows Server 2012
  • a DNS server
  • a global catalog

Open a command prompt and type

ntdsutil
activate instance NTDS
ifm
create sysvol full C:\backup\ifm

This process will store the Active Directory database, registry and SYSVOL into C:\Backup\IFM.

Once complete, transfer the entire folder C:\backup to your branch virtualized domain controller. You have now successfully created an IFM using ntdsutil.

The next step is to set up an additional domain controller at the branch.

Make sure you have installed the Active Directory Domain Services role, then configure the DC using Server Manager.

Click “Promote this server to a domain controller”.

Select “Add a domain controller to an existing domain”.

Select the site that you've created and enter the Directory Services Restore Mode password.

IMPORTANT

Select “Install from media”, define the path which contains your NTDS backup, and select to replicate from the nearest DC.

Then define the path of the new Active Directory database to another location (normally another disk). For more info, you can check out the “Best Practice on Virtualizing Domain Controller” post.

Click Install to start the installation.

Verification

Verify that you can access the following snap-ins:-

  • Active Directory Users and Computers
  • Active Directory Sites and Services
  • Active Directory Domains and Trusts

Lastly, initiate a forced replication to sync with the primary domain controller and get the latest Active Directory database.

Well, that's all for now.

In conclusion, using IFM can save you a lot of time and also your network bandwidth. Give it a try if you have a multi-site branch Active Directory deployment.

Saturday, January 22, 2011

Frustrated with time not syncing on a Domain Controller running in a Virtual Machine

Well, I'm not sure if you've encountered the same problem as mine, but here is the problem I always face when running a Domain Controller in a Virtual Machine.

Scenario:

a) DC time is always not in sync, and sometimes badly out of sync.

b) Then all the VMs and the Hyper-V host follow the DC time, because the servers are joined to the domain.

Even though, as a best practice, we always recommend unchecking time synchronization for the Integration Components on the DC VM to prevent time issues, the time is still out of sync (that's what I call it), especially with Hyper-V.

I always manually changed the time, but finally I gave up. Here are the steps I took.

Solution: connect to an external NTP server to get the correct time.

1. Download the fix from the Microsoft site:- http://support.microsoft.com/kb/816042 and apply it on the DC VM.

2. On this NTP server, change the value as highlighted in the screenshot.

After:- (I keyed it in according to my time zone.) You can refer to

Asia NTP Server :- http://www.pool.ntp.org/zone/asia

Other Countries:- http://support.microsoft.com/kb/262680

3. Open a command prompt and execute the following commands:-

net stop w32time
net start w32time
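The same fix using the built-in w32tm tool instead of editing the registry by hand, plus the Hyper-V side of the problem. This is an added example, not from the original post; the VM name DC01 and the asia pool hostnames are assumptions, and the Hyper-V cmdlets need the Windows Server 2012 Hyper-V module.

```powershell
# Added example, not from the original post. Assumed: the DC VM is named DC01 on the
# Hyper-V host, and the asia NTP pool from the post is used as the external source.

# --- On the Hyper-V host: stop the host from pushing its own clock into the DC VM.
# This is the "uncheck Time Synchronization" best practice from the post, done from
# PowerShell (Hyper-V module, Windows Server 2012 or later).
Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
Get-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization' |
    Select-Object VMName, Name, Enabled      # Enabled should now be False

# --- On the DC VM (do this on the PDC emulator, which is the domain's time source):
# 0x8 = client mode. w32tm /config writes the NtpServer and Type=NTP values under
# HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters, the registry values
# that KB 816042 walks through editing by hand.
$peers = '0.asia.pool.ntp.org,0x8 1.asia.pool.ntp.org,0x8 2.asia.pool.ntp.org,0x8'
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update

# Restart the service so the new configuration is read (same as net stop / net start).
Restart-Service -Name w32time

# Force a resync and verify. "Source" must show a pool server, not "Local CMOS Clock"
# or "VM IC Time Synchronization Provider". Kerberos rejects tickets past 5 minutes
# of skew, and event logs across the domain are only comparable if this is right.
w32tm /resync /rediscover
w32tm /query /source
w32tm /query /status
# Offset against one external server, three samples, as a quick sanity check.
w32tm /stripchart /computer:0.asia.pool.ntp.org /samples:3 /dataonly
```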

Voila! I guess this step is applicable to domain controllers running on physical servers as well.

Well, no harm to try…

Friday, July 3, 2009

ADMT 3.1 issue

You may be facing the same issue when using ADMT 3.1 to perform an inter-forest migration.
For more details, please see:-
Click this Link

Tuesday, June 23, 2009

Inter-forest migration (Win2k3 to Win2k8)

Hi,

Just finished performing an inter-forest migration from Win2k3 to Win2k8 domain controllers.

In this migration, I have achieved:-
a) Group account migration
b) User account and password migration
c) Computer account migration

Most of the time, I performed a lot of configuration on the source DC and target DC, with just a little interaction on the workstations.
Now all XP and Vista workstations have successfully migrated to the new domain without a lot of interaction (everything is automated from the target DC).

It is not an easy and straightforward task. You need to do some troubleshooting in order to successfully perform an inter-forest migration.

If you want to perform this task, my advice is to perform the migration after office hours. There are some issues you need to consider in order to make it successful...

Monday, June 15, 2009

Migration of Domain Controller and Infrastructure service

Hi,

Finally done with the simulation of migrating the products below:
a) Windows Server 2000 to Windows Server 2008
b) Windows Server 2003 to Windows Server 2008
c) Windows Server 2008 to Windows Server 2008 R2 RC

It is my 1st project under the Microsoft IT Pro Momentum program.

I have completed a live migration of Windows Server 2000 to Windows Server 2008 in the production environment. All infrastructure services are up and running after the migration.

My next project will be the migration of
a) Windows Server 2000 (DC & Infra) to Windows Server 2008 R2
b) Windows Server 2003 (DC & Infra) to Windows Server 2008 R2

R2, here I come....

Saturday, June 13, 2009

Deploy Read Only Domain Controller

Hi,

To reduce the attack surface and tighten security in the branch environment, Microsoft has introduced the RODC. In order to deploy an RODC, the forest functional level must be at least Win2k3.

It is suitable to deploy an RODC if you do not need application-aware directory services at the branch.

Only certain accounts are pre-populated to the RODC, and we can use the Delegation of Control Wizard to assign rights to a local administrator for managing the RODC.

Not only the RODC: we can also deploy read-only DNS and GC.

In my environment, I have tested Windows Server 2008 and Windows Server 2008 R2 RC. Both OSes work fine for RODC. If your schema is at Win2k8, you need to use adprep32 to upgrade the forest and domain before deploying Win2k8 R2 as a new domain.

Finally, bear in mind that an RODC only supports one-way replication. We can use the Password Replication Policy to define which accounts are allowed or denied to have their passwords replicated to the RODC.
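Pre-staging an RODC with an explicit Password Replication Policy and a delegated branch admin, then auditing which secrets it has cached. This is an added example, not from the original post, and it uses the Windows Server 2012 ADDSDeployment and ActiveDirectory cmdlets (which postdate the post); the domain, site, server and group names are made up.

```powershell
# Added example, not from the original post. Assumed: domain corp.example.com, site
# "Branch", RODC name BRANCH-RODC01, and the CORP\Branch-* groups already exist.
Import-Module ADDSDeployment, ActiveDirectory

# --- Step 1 (on a writable DC): pre-stage the RODC computer account with its PRP.
# Only branch users and computers may have their passwords cached on the RODC; the
# privileged groups are denied explicitly (they are already in the default Denied
# RODC Password Replication Group; listing them documents the intent). A compromised
# branch server then holds no privileged credentials, which is the point of the RODC.
$prestage = @{
    DomainControllerAccountName         = 'BRANCH-RODC01'
    DomainName                          = 'corp.example.com'
    SiteName                            = 'Branch'
    AllowPasswordReplicationAccountName = @('CORP\Branch-Users', 'CORP\Branch-Computers')
    DenyPasswordReplicationAccountName  = @('CORP\Domain Admins', 'CORP\Enterprise Admins',
                                            'CORP\Schema Admins', 'CORP\Administrators')
    # Equivalent of the Delegation of Control Wizard step: this group gets local admin
    # on the RODC without any rights elsewhere in the domain.
    DelegatedAdministratorAccountName   = 'CORP\Branch-RODC-Admins'
    Credential                          = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain admin'
}
Add-ADDSReadOnlyDomainControllerAccount @prestage

# --- Step 2 (on the branch server, AD-Domain-Services role installed): attach to the
# pre-staged account. The delegated admin can do this; no Domain Admin logon at the branch.
Install-ADDSDomainController -DomainName 'corp.example.com' -UseExistingAccount `
    -Credential (Get-Credential -UserName 'CORP\branch-rodc-admin' -Message 'Delegated admin') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# --- Step 3 (audit, from any machine with RSAT): confirm the policy and list the
# accounts whose secrets the RODC has actually cached. If a branch server is lost,
# this revealed list is the set of passwords to reset.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BRANCH-RODC01' -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'BRANCH-RODC01' -Denied
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'BRANCH-RODC01' -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```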

So far, I've done multiple branch office deployments using Active Directory, and having the RODC concept really improves security in the branch environment.

Cheers for Microsoft's hard work to improve security!