Mastering Identity and Access Management with Microsoft Azure

Synchronization terms and processes

In this section, we'll discuss the synchronization terms and processes and put them into practice right away: we'll install, configure, and run the processes in the Azure AD Connect tool as we go. To follow the guidance, you should deploy a virtual machine with the domain controller role enabled.

Build the virtual machine on Azure or on your local virtualization platform. An excellent option is to follow the guide at https://docs.microsoft.com/en-us/office365/enterprise/base-configuration-dev-test-environment using your free trial Azure or MSDN subscription. We provide a complete scripting solution in the code package of the book, or you can follow the instructions in Chapter 7, Deploying Solutions on Azure AD and ADFS.

We use the same domain name you used in Chapter 1, Building and Managing Azure Active Directory. In our case, we use the domain name inovitlabs.ch, so change the scripts for your environment.

Now that we have our primary test environment in place, we can start the preparation and installation of Azure AD Connect on the domain controller. We use this scenario to reduce the costs of your test environment. Be aware that we'll extend the test environment in the coming chapters to demonstrate the functionalities we discuss in this book.

Are you ready? Let's prepare the domain:

  1. Log in with the domain administrator credentials and run the following script to create the demo organizational unit structure:
New-ADOrganizationalUnit -Name "Managed Business Objects" -Path "DC=INOVITLABS,DC=CH"

New-ADOrganizationalUnit -Name "Users" -Path "OU=Managed Business Objects,DC=INOVITLABS,DC=CH"

New-ADOrganizationalUnit -Name "Groups" -Path "OU=Managed Business Objects,DC=INOVITLABS,DC=CH"

New-ADOrganizationalUnit -Name "Devices" -Path "OU=Managed Business Objects,DC=INOVITLABS,DC=CH"

New-ADOrganizationalUnit -Name "Managed Service Objects" -Path "DC=INOVITLABS,DC=CH"

New-ADOrganizationalUnit -Name "AAD" -Path "OU=Managed Service Objects,DC=INOVITLABS,DC=CH"

New-ADOrganizationalUnit -Name "Users" -Path "OU=AAD,OU=Managed Service Objects,DC=INOVITLABS,DC=CH"

The following diagram shows the expected result:

Azure AD service organizational unit
  2. Enable the Active Directory Recycle Bin feature:
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=inovitlabs,DC=ch' -Scope ForestOrConfigurationSet -Target 'inovitlabs.ch'
  3. Create the group-managed service account (gMSA) that will run the Azure AD Connect service. Replace the computer name with the one you chose for your test environment:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

New-ADServiceAccount -Name svcaadconnect -DNSHostName INOLABSADS01 -PrincipalsAllowedToRetrieveManagedPassword INOLABSADS01$
  4. Create the service account for the Active Directory Management Agent, which Azure AD Connect uses to connect to the forest and perform the synchronization operations:
New-ADUser -Name "svcaadcadma" -SamAccountName svcaadcadma -UserPrincipalName svcaadcadma@inovitlabs.ch -Path "OU=Users,OU=AAD,OU=Managed Service Objects,DC=inovitlabs,DC=ch" -AccountPassword (ConvertTo-SecureString "Pass@word1" -AsPlainText -Force) -Enabled $True

The Active Directory Management Agent account needs to be configured with the correct permissions on the domain level.

  5. Grant the svcaadcadma account the following permissions on the domain object using the Active Directory Users and Computers console (dsa.msc). Enable Advanced Features under the View menu first; otherwise the Security tab is not shown:
    • Replicate Directory Changes
    • Replicate Directory Changes All

The following screenshot shows the expected result:

Assigning correct permissions to the Azure AD Connect AD Management Agent service account
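As an added check (not from the book or the Azure AD Connect tooling), the following script verifies the five preparation steps above and reports every principal that holds the two replication rights on the domain. It assumes the inovitlabs.ch lab names from this section, with INOLABSADS01 as the Azure AD Connect host.

```powershell
# Added verification script (not from the book). Run in an elevated PowerShell
# session on the domain controller; adjust the names below to your environment.
Import-Module ActiveDirectory

$DomainDN    = 'DC=inovitlabs,DC=ch'
$ConnectHost = 'INOLABSADS01'     # assumed: the Azure AD Connect server from the text
$GmsaName    = 'svcaadconnect'
$AdmaName    = 'svcaadcadma'
$results     = [ordered]@{}

# Step 1: the OU structure. Get-ADObject -Filter returns $null instead of throwing.
foreach ($ou in @("OU=Users,OU=Managed Business Objects,$DomainDN",
                  "OU=Groups,OU=Managed Business Objects,$DomainDN",
                  "OU=Devices,OU=Managed Business Objects,$DomainDN",
                  "OU=Users,OU=AAD,OU=Managed Service Objects,$DomainDN")) {
    $results["OU exists: $ou"] = [bool](Get-ADObject -Filter "distinguishedName -eq '$ou'")
}

# Step 2: the Recycle Bin is enabled when the optional feature has an enabled scope.
$rb = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
$results['Recycle Bin enabled'] = ($rb.EnabledScopes.Count -gt 0)

# Step 3: the gMSA exists and the Azure AD Connect host is allowed to retrieve its password.
$gmsa   = Get-ADServiceAccount -Filter "Name -eq '$GmsaName'" -Properties PrincipalsAllowedToRetrieveManagedPassword
$hostDN = (Get-ADComputer -Filter "Name -eq '$ConnectHost'").DistinguishedName
$results['gMSA exists']             = [bool]$gmsa
$results['gMSA bound to AADC host'] = [bool]$gmsa -and ($gmsa.PrincipalsAllowedToRetrieveManagedPassword -contains $hostDN)

# Step 4: the management agent account exists and is enabled.
$adma = Get-ADUser -Filter "SamAccountName -eq '$AdmaName'"
$results['ADMA account enabled'] = [bool]$adma -and $adma.Enabled

# Step 5: both replication extended rights are granted to the ADMA account on the domain NC.
# These rights permit reading every attribute, password hashes included, so the script also
# lists every other holder; review that list and remove anything unexpected.
$acl = Get-Acl -Path "AD:\$DomainDN"
$replRights = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
foreach ($name in $replRights.Keys) {
    $holders = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $replRights[$name]
    } | ForEach-Object { $_.IdentityReference.Value }
    $results["$name granted to $AdmaName"] = [bool]($holders -like "*\$AdmaName")
    Write-Host "$name holders: $($holders -join ', ')"
}

$results.GetEnumerator() | ForEach-Object { '{0,-4} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key) }
```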

Now that we've finished the preparation tasks in our test environment, let's run through the following sections for the theoretical explanations and the practical execution. For every task, we'll use the same credentials in an elevated PowerShell session.