Getting Ready for Microsoft Cloud Identity - AAD Connect
The process to deploy AADConnect is a well-trodden path and there is lots of installation guidance out there. This post is going to go into to a little more detail on deployment considerations and the options you are presented with during the installation.
Build Number - AADConnect is regularly updated with new features. At the time of writing this post I am working with build 1.1.557.0. To see the latest version of AAD Connect look here.
Server Specs - The hardware requirements for the AADConnect server are documented here. AADConnect can be deployed on a virtual server (including Azure IaaS) providing the ability to re-size the VM should the need arise.
Database Choice - For a majority of customers this isn't relevant but is good to know as who knows what will happen in the future. AADConnect by default installs a free version of SQL (SQLExpress) and as long as the total number of AD Objects stays below 100,000 objects then you don't have anything to think about. But if your close too or exceed 100,000 AD objects then you will need to purchase and deploy a full SQL Server instance (or use an existing one). The AADConnect "custom" installation provides and option to "Use an existing SQL Server" which will allow you to use a full SQL instance.
The Installation of AADConnect is a simple one. You download the latest version from here, run it and now we'll walk through the key options.
User sign in - asks you to select an Authentication type. As you may remember I have a previous post that walks through the options and how they work.
- Password Synchronisation - Select this option to synchronise a "hash of hash" of users passwords to Azure AD (You can also select the "Enable single sign on" checkbox with this option).
- Pass-through Authentication - Select this option to authenticate users with your on-premises AD (You can also select the "Enable single sign on" checkbox with this option).
- Federation with AD FS - Select this option to authenticate users with your on-premises AD FS Farm (The wizard will assist with the set up the AD FS farm or utilise an existing one).
Azure AD Sign-in configuration - shows the Active Directory UPN domains and domains that you have registered in Azure AD. You are required to select an attribute to use as the username. I would personally recommend that you stick with UPN as it is the most user friendly option (as UPN can match email address in many cases). If you note from the diagram you will see that I have a domain that is showing as "Not Added". This is because I have used additional UPN suffixes to change what UPNs users will have (instead of using the implicit UPN of dudders.com)
Domain and OU filtering - This is where you configure what objects are in scope of synchronisation to Azure AD. As I have mentioned in a number of previous posts only do so if there is a clear security\policy reason to do so. Typically customers only filter things like service, disabled accounts as there is generally no value to having them in Azure AD.
Uniquely identifying your users - This page is trying to answer 2 questions.
- Do I have to deal with duplicate users across multiple directories, if so then how do I match them? (Avoiding issues/duplicates in Azure AD)
- What do you want the Source Anchor (the attribute that links the on-premises AD object to the Azure AD Object) to be?
Hopefully you don't have duplicate users across directories but if you do then select the attribute that will best allow a match to occur. On the Source Anchor attribute, unless you have a very specific reason for not doing so I would recommend that you remain with the Default option "Let Azure manage the source anchor for me" This is actually using an attribute called msDS-ConsistencyGuid which is the best future proof option. See my previous ramblings on source anchor (ImmutableID) considerations here.
Optional features - Please review these features as they contain workload specific features. So depending on what licensing you have and what services you are looking to use in the Microsoft Cloud you may need to enable features here. A common example being "Exchange Hybrid Deployment". AADConnect plays a pivotal part in all of these features.
That's the primary options covered. On the last page it provides a summary of the configuration and you can decide whether to start syncing straight away. Note the "enable staging mode" option. This is the checkbox you would enable if this server is the "staging server" which I covered briefly here.