Installing and Running Azure Active Directory Sync AADSync Beta 3

Created by Aaron Whittaker.  Not to be reproduced without prior permission.

Ingredients Required: AADSync MicrosoftAzureActiveDirectoryConnect.msi installer from the BETA program (using version 3.7.1224), Domain Controller, Office 365 subscription, Azure, 2 Windows 2012 R2 domain joined servers, Public trusted certificate and a valid domain.

Time: A few hours.

My deployment is not complete and requires further work or your input.  I will mention that my virtual machines are running in another Azure subscription (which is a supported configuration see my TechNet article on the topic here).  I will investigate if something is blocking here (endpoints inbound and outbound.) 

The first time I tried this exercise I did not have a public trusted certificate.  I tried a Self Signed certificate but it did not work (Azure documentation says that it should).  So I purchased a domain, so I could a valid public certificate.

My existing environment consisted of a DC and a DirSync server.  I simply turned off the DirSync server and created a new server called AADSync and a WebAppProxy.  This normally leaves the sync’ed users populated in your Azure AD.  This was not an issue for me as the new DirSync server will take over, or I could have manually removed the now ‘In Cloud’ users.  I installed DirSync just via running the new AADSync DirectorySyncTool.exe installer (just using the default SQLExpress) and just configured and installed DirSync.  This was because I didnt have the certificate.

I ran the MicrosoftAzureActiveDirectoryConnect.msi installer on my server named AADSync.  The installer is only 976kb so it downloading all files as required.

Installing DirSync

1

The installer now installs the pre-requirements if required which is a nice feature!

  • .NET 3.5
  • SQL Express LocalDB
  • Azure Active Directory Sync Services
  • Sign-in Assistant
  • AAD Connector
  • Azure Active Directory module for Windows PowerShell

2 3

After going away and making an Azure subscription for my Office 365 tenant, here I entered my Office 365 public domain verified administrator account adminuser@brisbanecloud.net

4

Here I chose Customize.

5

I selected single AD forest.

6

I selected Single Sign On.

7

Entered my local Domain Admin credentials.

8.1

Error: Here is where I ran into my first issue.  I only had a .cer file, once I made a self signed .pxf I still could not proceed.  

I pressed back several times and proceeded with Express settings.

9 10 express 11 12

After this new Installer I was able to go in and configure DirSync as described in my previous post here.  The DirSync configuration wizard ran as normal and as expected.  The location to administer dirsync changes is in the location shown below.  This is still no DirSync app showing on the desktop or under programs.

21 22

 Installing SSO

Here are the steps for SSO configuration.

I went away and purchased brisbanecloud.net, then created a free public trusted certificate.  Then I re-ran the Azure AD Connect Preview shortcut located on my desktop for a second time.  Here you can see that my Office 365 credentials (now also Azure creds) were required.  If you go into the installer and press back a few times as you can see it saves your settings (only for that install session).  I selected Continue, entered my Active Directory credentials, next.

4223

Here I browse and select my Public Trusted certificate.  It must be in PFX format.  I enter my password.  From the drop down I select the URL.

Error: Subject name must have www.  I went and renamed my pfx file and reloaded it to fix this issue.

I selected next, then I added my AADSync server which will become my ADFS federation server, next

34 after pfx password  36

Then I selected my Web Application Proxy server,

Error: Here I had to enable PSRemoting on the WebAppPrxy server via PowerShell.

Then I selected next.

373839

Then I entered my same Domain Admin credentials (Enterprise admin was required), next.  Then I selected Create a group Managed Service Account for me and next.

40 41

Then from the drop down I had this error.

Error:  The domain needed www. in it.

I went to Azure as it mentions ‘Azure’ in the error and verified http://www.brisbanecloud.net under domains in Active Directory (WAAD) as shown below.

43 44

Back on the installer there was no update to my latest change.  I went and removed the domain from Azure and then added http://www.brisbanecloud.net within Office 365 domains.  Immediately after a press of previous and then next on the installer, I was able to see the correct address of www.brisbanecloud.net.

45

After reviewing the options I also selected Configure password hash.  The installer started and things looked good.

46 47

Then I received another error.

Error: Can’t remotely install Active Directory PowerShell.

After getting the same error a few times, I ran the following on WebAppProxy, DC, and AADSync servers.

Administrative PowerShell: set-WSManQuickConfig

Administrative PowerShell: winrm QuickConfig

Administrative PowerShell: enable-psremoting -force 

48 error 49 powershell commands

Then I selected retry to attempt the install again.

Error:  An error occurred while executing the ‘Convert-MsolDomainToFederated’ command. Microsoft.Online.Administration.Automation.DomainNotRootException —> Microsoft.Online.Identity.Federation.Powershell.FederationException  ……  The task ‘Create AAD Trust’ has failed.

So them I though I will just run this command manually with an Administrative PowerShell.

PS C:\> Convert-MsolDomainFederated -DomainName brisbanecloud.net

50 51

Then I got a new error

Error: This was a credential issue since the user account is now syncing.  I needed to change the credentials so I closed it and went to re-run the installer again (as there was no back button).

52

So I re-ran the Azure AD Connect (Preview)

Error: An error occurred while executing the ‘Update-MsolFederatedDomain’

I thought I should try to manually run this command in PowerShell.

PS C:\> Update-MsolFederatedDomain -domainname:brisbanecloud.net

Successfully updated ‘brisbanecloud.net’ domain.

As you can see below I am still getting an issue.  I have not had another chance to try a different workaround as yet 95% completed…

62

 

Thoughts and Comments

Thanks

@AaronW2003

Advertisements

Can’t attach existing VHD to a new Virtual Machine?

Can’t attach existing generation 1 VHD to a new Virtual Machine? Hyper-v 2012 R2 will not let you add a W2k8r2 vhd to a generation 2 Virtual Machine.  It must still be a generation 1 Virtual Machine.

If your existing generation 1 VHD is Windows 2012 it will let you create a VM that is generation 2.  When you go to turn it on it will power on, but not boot correctly.

Hyper-V 2012 R2 can not be tricked and this will not work..

Aaron

Missed TechEd? Get the best content condensed from the Virtualization Stream.

At TechEd last week there were 4 sessions on Hyper-V 2012 R2.  This jam packed User Group session will condense these into 1 session.  Giving you the best parts in the shortest time. This weeks session will demo the great new features in R2 and also 3 different migration scenarios and strategies.    We will also talk about zero downtime upgrades, HA considerations, and utilize the copy clusters feature.  There will be prizes on offer.

Register here

August Session~ Hyper-V 2012 R and SCCM 2012 R2 Preview Release

Chris Crampton Infrastructure SME from Technology Effect will be providing an overview and discussion on the new features and enhancements in the Windows Server 2012 R2 Hyper-V and System Center 2012 R2 Preview Release. The presentation will include demos showing off the new Hyper-V 2012 R2 features.

There will be prizes/giveaways and pizza.
The lifts close at 6:00 pm so please call Aaron on 0490074501, if you are late.

Register here