Microsoft 365 | Planning and configuring directory synchronization




View Post: 234 người truy cập bài viết
Tags :

Lab: Configuring directory synchronization

Exercise 1: Preparing for directory synchronization

Task 1: Configure UPN

  1. Sign in to the LON-DC1 virtual machine as ADATUM\Administrator with a password of Pa55w.rd.
  2. On the Start screen, select Windows Administrative Tools, and then double-click Active Directory Domains and Trusts.
  3. In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts, and then select Properties.
  4. In the UPN Suffixes tab, in the Alternative UPN suffixes: box, type Adatumyyxxxxx.hostdomain.com, replacing yyxxxxx with your unique Adatum number, and then select Add.
  5. Select OK.
  6. On the Start screen, right-click Windows PowerShell, and then select Run as administrator.
  7. At the Windows PowerShell prompt, type the following command, replacing yyxxxxx with your unique Adatum number, and then press Enter:

Get-ADUser -Filter * -Properties SamAccountName | foreach { Set-ADUser $_ -UserPrincipalName ($_.SamAccountName + “@Adatumyyxxxxx.hostdomain.com” )}

Task 2: Prepare problem user accounts

  1. On the LON-DC1, in the Windows PowerShell prompt, type the following command, and then press Enter:

CD C:\labfiles\

  1. At the Windows PowerShell prompt, type the following command, and then press Enter:

Set-ExecutionPolicy Unrestricted

  1. To confirm the execution policy change, type Yes and press Enter.
  2. At the Windows PowerShell prompt, type the following command, and then press Enter:

.\CreateProblemUsers.ps1

Note: Wait until the script has completed before proceeding to the next step.

  1. This Windows PowerShell script will make the following changes in AD DS:
    • Klemen Sic. Add the “@” character to the beginning of “adatum” for the UserPrincipalName attribute.
    • Lara Raisic. Replace the existing string with “[email protected]” for the EmailAddress attribute.
    • Logan Boyle. Replace the existing string with “[email protected]” for the EmailAddress attribute.
    • Lara Raisic. Replace the existing string with “[email protected]” for the emailAddress attribute.
    • Logan Boyle. Replace the existing string with “[email protected]” for the emailAddress attribute.
    • Holly Spencer. Replace the existing string with “Holly @adatum.com” for the EmailAddress attribute.
    • Maj Hojski. Replace the existing string with ” ” for the emailAddress attribute.

Task 3: Run the IdFix tool and fix identified issues

  1. On LON-CL1, open Microsoft Edge, and then connect to https://www.microsoft.com/en-us/download/details.aspx?id=36832
  2. On the IdFix Directory Synchronization Error Remediation Tool page, select Download and select Save.
  3. Wait for the download to complete, and then select Open folder.
  4. In the Downloads folder, right-click IdFix.zip, and then select Extract All…
  5. In the Extract Compressed (Zipped) Folders dialog box, in the destination box, type C:\Deployment Tools\IdFix, and then select Extract.
  6. In File Explorer, in the C:\Deployment Tools\IdFix folder, right-click IdFix, and then select Run as administrator.
  7. In the User Account Control dialog box, enter Administrator as the User name and Pa55w.rd as the Password, then select Yes.
  8. In the IdFix Privacy Statement message box, select OK.
  9. Select Query. You should see several errors.
  10. Select the ERROR column to sort the character errors to the top of the list.

Note: Ignore topleveldomain errors, which cannot be fixed by the IdFix tool.

  1. In the Klemen Sic row, in the ACTION column, select EDIT.
  2. In the Holly Spencer row, in the ACTION column, select EDIT.
  3. In the Maj Hojski row, in the ACTION column, select EDIT
  4. On the toolbar, select Apply.
  5. In the Apply Pending dialog box, select Yes; note the COMPLETE status in the ACTION column indicating successful writes.
  6. Switch to File Explorer, and in the C:\Deployment Tools\IdFix folder, double-click Verbose <date> <time>.txt to view the updated transactions in the transaction log.
  7. Switch back to the IdFix tool.
  8. On the toolbar, select Query.
  9. In the UPDATE column, select the Logan Boyle error, and replace the string with [email protected], and then in the ACTION column, select EDIT.
  10. In the UPDATE column, select the Maj Hojski error, and replace the string with [email protected], and then in the ACTION column, select EDIT.
  11. On the toolbar, select Apply.
  12. In the Apply Pending box, select Yes.
  13. On the toolbar, select Query and verify that errors are corrected.

Note: Where there are format and duplicate errors for distinguished names, the UPDATE column either contains the same string as the VALUE column, or the UPDATE column entry is blank; in either case, this means that IdFix cannot suggest a remediation for the error. You can either fix these errors outside IdFix, or manually remediate them within IdFix. You can also export the results and use Windows PowerShell to remediate a large number of errors.

Result: After completing this exercise, you will have resolved issues in AD DS identified by the IdFix tool.

Exercise 2: Configuring directory synchronization

Task 1: Download and install Azure AD Connect

  1. Sign in to the LON-DS1 as ADATUM\Administrator with a password of Pa55w.rd. If the Networks pane appears, select Yes.
  2. On the Start menu, select Server Manager, then select Local Server.
  3. Beside the text IE Enhanced Security Configuration, select on the hyperlink On.

If the hyperlink text is Off, go to step 5.

  1. In Internet Explorer Enhanced Security Configuration, below Administrators, select Off and select OK.
  2. Start Internet Explorer from the taskbar.
  3. If a Windows Internet Explorer 10 dialog box appears, select Use recommended security and compatibility settings, and then select OK.
  4. In the Address box, type https://www.microsoft.com/en-us/download/details.aspx?id=47594, and then press Enter.
  5. On the Microsoft Azure Active Directory Connect download page, select Download.
  6. In the Internet Explorer notification bar, select Save as, browse to C:\Labfiles, and then select Save. If the LabFiles folder does not exist, create it.
  7. When the download has completed, in the Internet Explorer notification bar, select Open folder.
  8. In File Explorer, right-click AzureADConnect.msi, and then select Install.
  9. In the Security Warning dialog, select Run.
  10. In the Welcome to the Microsoft Azure AD Connect Setup Wizard page, select I agree to the license terms and privacy notice, and then select Continue.
  11. On the Express Settings page, select Customize.
  12. Leave the Microsoft Azure Active Directory Connect wizard open for the next task.

Task 2: Run the Azure AD Connect tool with custom settings

  1. On the Install required components page, leave all the checkboxes unchecked and select Install.
  2. On the User Sign-in page, select Password Hash Synchronization, and then select Next.
  3. On the Connect to Azure AD page, enter the following credentials, replacing yyxxxxx with your unique Adatum number, and then select Next:
  4. On the Connect your directories page, select Add Directory.
  5. In the AD Forest account dialog, select Create new account, enter the following credentials, and then select OK:
    • User name: ADATUM\Administrator
    • Password: Pa55w.rd
  6. Select Next.
  7. On the Azure AD sign-in configuration page, check the box next to Continue without matching all UPN suffixes to verified domains and select Next.
  8. On the Domain and OU filtering page, select Sync selected domains and OUs, expand Adatum.com, clear all check boxes for the child containers except for the IT checkbox, and then select Next.
  9. On the Uniquely identifying your users page, select Next.
  10. On the Filter users and devices page, verify that Synchronize all users and devices is selected, and then select Next.
  11. On the Optional features page, leave the default options, and then select Next.
  12. On the Ready to configure page, review the features that will be installed. Ensure that Start the synchronization process when configuration completes is selected, and then select Install.

Note: The installation process will take approximately 10 minutes to complete.

  1. Once the installation completes, on the Configuration complete page, select Exit.
  2. On the Start screen, sign out of LON-DS1, and then sign back in as Adatum\Administrator with password Pa55w.rd.

Note: Because Adatum\Administrator was used to install Azure AD Connect, it will be automatically added to the ADSyncAdmins group, and you need to sign out for the Kerberos token to be updated. Otherwise, if you use a different user account to install Azure AD Connect, you will need to manually add the Azure AD Connect admin to the local ADSyncAdmins group on LON-DS1.

Task 3: Configure synchronization service filtering for organizational units

  1. On LON-DS1, select Start, open Azure AD Connect folder, and then select Synchronization Service.
  2. In Synchronization Service Manager, select the Connectors tab.
  3. In the Connectors tab, double-click Adatum.com.
  4. In the Properties dialog box, select Configure Directory Partitions.
  5. Select Containers.
  6. In the Credentials dialog box, enter the following credentials, and then select OK:
    • User name: Administrator
    • Password: Pa55w.rd
    • Domain: Adatum.com

Note: While this account is not the one used for directory synchronization, you use the account credentials temporarily to access AD DS for configuring filtering.

  1. In the Select Containers dialog box, select the Research checkbox, verify that IT is selected, and then select OK.
  2. Select OK to close the Properties dialog window.

Task 4: Configure synchronization service filtering for object attribute

On LON-DS1, open the Start screen, open Azure AD Connect folder, and then select Synchronization Rules Editor.

In Synchronization Rules Editor, select Add new rule.

On the Create inbound synchronization rule dialog window, in the Name box, type In from AD – User DoNotSyncFilter

For Connected System, select Adatum.com.

For Connected System Object Type, select user.

For Metaverse Object Type, select person.

For Link Type, select Join.

For Precedence, enter 50.

Select Next.

In the Create inbound synchronization rule dialog box, on the Scoping filter tab, select Add group, and then select Add clause.

In Add scoping filters:

For Attribute, select msDS-cloudExtensionAttribute15.

For Operator, select EQUAL.

For Value, type NoSync,

Select Next.

On the Add join rules, select Next.

On the Add transformations page, select Add transformation.

For FlowType, select Constant.

For Target Attribute, select cloudFiltered.

In the Source text box, type True.

To save the rule, select Add, and then close Synchronization Rules Editor window.

Open Windows PowerShell from the Start menu. In Windows PowerShell, type the following command, and then press Enter. The initial synchronization can take several minutes to complete. Leave the Windows PowerShell window open.

Start-ADSyncSyncCycle -PolicyType Initial

Task 5: Verify that synchronization was successful

Ensure that you are signed in to the LON-DS1 as ADATUM\Administrator with a password of Pa55w.rd.

On the Start screen, open Azure AD Connect folder, and then select Synchronization Service.

In Synchronization Service Manager on LON-DS1, select Operations.

In the Connector Operations list, select the line at the top of the list, and then review the Start TimeEnd Time, and the Status.

Verify the connector has a Start Time and End Time that aligns with the last time synchronization was initiated in the previous task.

On the taskbar, right-click Windows PowerShell, and then select Run as Administrator.

At the Windows PowerShell prompt, type the following command, then press Enter:

Install-Module MSOnline

For each of the prompts in Windows PowerShell, enter Yes.

At the Windows PowerShell prompt, type the following commands, and then press Enter after each one:

Import-Module MSOnline
Connect-MsolService

In the Enter Credentials dialog box, enter the following credentials, replacing yyxxxxx with your unique Adatum number, and then select OK:

User name: [email protected]

Password: The password you created in Module 1

At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolCompanyInformation | fl LastDirSyncTime

Verify the LastDirSyncTime aligns with the last time synchronization was initiated in the previous task.

On the Start screen, open Internet Explorer, and then type https://portal.office.com/admin/default.aspx in the address bar.

On the Sign-in page, sign in by using the following credentials, replacing yyxxxxx with your unique Adatum number:

User name: [email protected]

Password: The password you created in Module 1

On the Microsoft 365 admin center page, in the left navigation menu, expand Health, then select Directory Sync Status.

On the Directory Sync Status page, verify that the Last directory sync was less than one hour ago.

On the left navigation menu, expand Users then select Active users.

In the Active users list, note that your on-premises accounts from the selected OUs now have a status of Synced with Active Directory.

Result: After completing this exercise, you will have installed Azure AD Connect with customized settings. Upon completion of the installation, you will have started directory synchronization to Office 365 and have verified that synchronization was successful.

Exercise 3: Managing Active Directory users and groups

Task 1: Create a new user and group account

  1. On LON-DC1, in Server Manager, select Tools, and then select Active Directory Users and Computers.
  2. In the console tree, expand Adatum.com, right-click Research, select New, and then select User.
  3. In the First name box, type Perry.
  4. In the Lastname box, type Brill.
  5. In the User logon name box, type Perry, select your lab domain UPN (Adatumyyxxxxx.hostdomain.com, where yyxxxxx is your unique Adatum number, not Adatum.com), and then select Next.
  6. In the Password and Confirm password boxes, type the password you created in Module 1, clear the User must change password at next logon checkbox, select Next, and then select Finish.
  7. In the Research OU user list, double-click the Perry Brill user.
  8. In the Properties dialog box, in the E-mail box, type [email protected], replacing yyxxxxx with your unique Adatum number, and then select OK.
  9. In the console tree, right-click the Research OU, select New, and then select Group.
  10. In the New Object – Group window, in the Group name: box, type Project Team, select Universal, select Distribution, and then select OK.
  11. In the Research OU, double-click the Project Team group.
  12. In the Properties dialog window, in the E-mail box, type [email protected], replacing yyxxxxx with your unique Adatum number.
  13. On the Members tab, select Add.
  14. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select, type the following names, and then select Check Names:
    • Arturs Priede
    • August Towle
    • Cai Chu
  15. Select OK twice.

Task 2: Move a user out of the scope of synchronization

Switch to LON-DS1.

On LON-DS1, at the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolUser -Search Vera

Verify that the user Vera Pace is listed in Office 365.

On LON-DC1, in Active Directory Users and Computers, move Vera Pace from the Research OU to the Sales OU, by right-clicking Vera Pace in the Research OU user list, and then clicking Move and selecting Sales OU. Select OK.

Task 3: Move a user into the scope of synchronization

  1. On LON-DC1, ensure that the Active Directory Users and Computers is opened.
  2. In the console tree, if needed expand Adatum.com, and then select Marketing.
  3. Right-click Ada Russell, and select Move.
  4. In the Move dialog box, expand Adatum.com, select Research, and then select OK.

Task 4: Change group membership

In the console tree of Active Directory Users and Computers, select Research.

In the right pane, double-click Research.

In the Research Properties dialog box, select the Members tab.

Select the following three users, and then select Remove. In the confirmation dialog box, select Yes.

Claire Roberson

Connie Vaughn

Esther Wiggins

Select OK.

Task 5: Force synchronization

On LON-DS1, from the taskbar, right-click the Windows PowerShell shortcut, and then select Run as administrator.

Note: If a User Account Control dialog box appears, select Yes.

At the Windows PowerShell prompt, type the following, and then press Enter:

Start-ADSyncSyncCycle -PolicyType Delta

Note: The Delta switch is used here so that only the updates are synchronized.

Wait until synchronization has completed before proceeding to the next task.

Task 6: Validate the results of directory synchronization

To verify the new user you created, on LON-CL1, open the Office 365 Admin Center in Microsoft Edge by typing https://portal.office.com/adminportal/home in the address bar.

Sign in using the following credentials, replacing yyxxxxx with your unique Adatum number:

User name: [email protected]

Password: The password you created in Module 1

In the Office 365 Admin Center, in the left navigation, select Users, and then select Active users.

In the Active Users list, select Perry Brill.

Next to Contact information select Edit.

Verify that the message This user is synchronized with your local Active Directory appears and close the dialog.

Next to Product licenses section, select Edit.

On the Product licenses page, in the Location drop-down menu, select United Kingdom, and then select on the icon next to Office 365 E5.

Select Save, and then select Close twice.

Repeat the steps 4-9 to assign Office 365 license for user Ada Russell.

To verify that you have created the new group, in Office 365 admin center, in the left navigation, select Groups, and then select Groups.

In the Groups list, verify that the Project Team appears.

Note: You might need to wait up to 10 minutes before the group appears. Refresh the list until you see the object.

In the Groups list, select the Project Team group.

Note: In the right pane, notice that Edit Members is unavailable. This is because group membership is maintained by Active Directory. To view the membership, you can also use Windows PowerShell.

On LON-DS1, in Windows PowerShell, type the following command, and then press Enter:

Get-MsolGroup

Verify that you see Research and Project Team groups. Copy the ObjectID value for these two groups.

To verify that you updated the group membership in AD DS, type the following command at the Windows PowerShell prompt, and then press Enter:

Get-MsolGroupMember -GroupObjectId <ObjectID for Research group>

Verify the membership of the group does not contain the users removed in AD DS. The users who were removed from the group are:

Claire Roberson

Connie Vaughn

Esther Wiggins

To verify that you have moved the user, Vera Pace, out of the scope of synchronization, type the following command at the Windows PowerShell prompt, and then press Enter:

Get-MsolUser -Search Vera

At the Windows PowerShell prompt, type the following command, and then press Enter:

Get-MsolAccountSku

Note: The number of Consumed Units is now less than before.

Leave the virtual machines running for the next lab.

Result: After completing this exercise, you will have identified how managing user and group accounts has changed with directory synchronization.

5 1 vote
Article Rating
Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Administrator
Admin
2 years ago
Article Rating :
     

Microsoft 365 | Planning and configuring directory synchronization