A second look at Azure AD Connect Public Preview 2

Before viewing this post please refer back to my following articles if you require a base understanding of Microsoft Azure ADConnect and the features available.

  • I first posted on AADConnect and AADSync back in August last year.
  • I also presented on Cloud Identities at TechEd Melbourne and Sydney last year here.

This post will focus on what is new and what has changed.

As posted by Alex Simons (Azure AD Director), Microsoft Azure ADConnect preview 2 was released earlier this year. I downloaded the Azure AD Connect Public Preview from here. I started the installer and was presented with the screen to install the services. Note: I could have specified a SQL server if my domain was large enough to warrant this (Microsoft recommends this for over 50,000 users). I could specify a service account if that was a company requirement. I could also select import settings if I had a previous configuration that I wanted to apply to this ADSync server. I left all options unselected and selected Install.

The next option was to specify what I wanted to install, ADSync or SSO. I selected ADSync.

I then entered my Azure Global Admin credentials. The installer now creates and assigns a service account within Azure AD with the minimum permissions that it requires, which is a great improvement. I then entered my On-Premises credentials (this also creates a service account).

The following option allows for group-based filtering. I noted that you can only specify one group here, which may suit some customers who do not wish to use OU-based filtering. Microsoft added this option with pilots and evaluations of Azure AD and Office 365 in mind. I selected ‘Synchronise all users and devices’.

Here I specify that a user is represented only once across all directories.

Here you can change your user attribute mappings. This may be required if you are using, for example, Shibboleth for SSO, or if you have some other customised requirements.

Optional features can be modified later, so don’t be overwhelmed by the number of options. You can re-run the wizard to make changes later if you need to.

  • Exchange Hybrid: for an Exchange Hybrid migration to Office 365.
  • Azure AD attributes: if you only want to sync a smaller set of user attributes.
  • Password writeback: change a password in Azure AD and it is written back to On-Premises AD, where the On-Premises password policy is verified.
  • User writeback: a user created in Azure AD is created in On-Premises AD.
  • Group writeback: groups in Office 365 are written back to your On-Premises Exchange forest.
  • Device Sync: allows Windows 10 computers enrolled with Intune or directly with Azure AD to sync to On-Premises AD (we are seeing the start of a Windows-as-a-Service subscription model). These are called ‘Cloud registered Devices’. NOTE: this requires a 2012 R2 schema.
  • Directory extension: use this if you want to sync a unique attribute to Azure AD, e.g. a custom Linux attribute or an Employee ID (limitations currently apply to certain values and characters).

The next screen covers Azure AD attributes. In my example I will not be using CRM, so I removed the syncing of those attributes.

Here we have the option to remove attributes from being synced. For example, an organisation may have extended its schema and used the extensionAttributes. If these contain sensitive information, the administrator can simply uncheck those attributes so they are not synced.
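The following is an added example, not from the original post, showing one way to find out which extensionAttribute values are actually populated in the On-Premises directory before deciding which ones to exclude from synchronisation. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine; the $SearchBase OU is a placeholder.

```powershell
# Added example (not from the original post): audit which of
# extensionAttribute1-15 carry values before deciding what to keep out of
# Azure AD Connect. Assumes the ActiveDirectory RSAT module; $SearchBase is a
# placeholder OU to replace with your own.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=local'   # placeholder
$attrs = 1..15 | ForEach-Object { "extensionAttribute$_" }

# Pull every user once with all fifteen attributes requested
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $attrs

# Count populated values per attribute and show a few sample values so the
# admin can judge whether the content is sensitive (employee IDs, etc.)
$report = foreach ($a in $attrs) {
    $populated = @($users | Where-Object { $_.$a })
    [pscustomobject]@{
        Attribute = $a
        Populated = $populated.Count
        Samples   = ($populated | Select-Object -First 3 | ForEach-Object { $_.$a }) -join '; '
    }
}

# Only attributes that are in use are worth a decision
$report | Where-Object { $_.Populated -gt 0 } | Format-Table -AutoSize
```

Run it before the wizard so the attribute list you uncheck is based on what the directory actually contains rather than on a guess; attributes that report zero populated values can be left alone.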

Here we confirm which On-Premises destination we want to use for user writeback. Select the Users OU. Note: you can add/merge many domains into the one Azure AD subscription, which is why a writeback destination is required.

Here I ticked the box to start a sync after install.

Here I have run miisclient.exe (the Synchronization Service Manager) and can see that 60 objects have been synced automatically.

Here we can easily see errors. My user account had an error because AD and AAD had the exact same display name of aaron.whittaker. For this test environment I will ignore this error.

Next, in Azure AD I created a new user called CloudUser1.

Back on my Sync server I selected Connectors at the top, then selected my Azure AD and ran a ‘Full Synchronization’.

Below you can see the event for the CloudUser1 being synced to On-Premises.

Here we can verify that the user has been synced.  You can see I have applied an On-Premises group membership permission to a Cloud User.

To view my post on upgrading to AADConnect GA from Beta see my post here.

To get started refer to the following articles:

Post by Alex Simons

And follow these twitter handles:

@askariel  @Alex_A_Simons

To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription.  If you don’t have a Microsoft Azure subscription you can take a trial here.

Aaron Whittaker
@AaronW2003

Azure Active Directory and Windows 10: Microsoft’s Hybrid Vision

As more and more companies make the transition from On-Premises to the Cloud, Microsoft believes there will be a phase where companies run both data centres in parallel. Microsoft believes this hybrid state will last for approximately 10 years; beyond that, most workloads will be in the cloud.

How can organisations manage users and devices from a single source of truth? Microsoft has assisted with this hybrid state by allowing companies to administer cloud users with the help of Azure ADConnect. Today we are in a Cloud First era: if the Cloud is not supported, why not?

The days of imaging devices and adding them to domains may be coming to an end. Companies will soon be able to manage Windows 10 (slated for the first update) by simply joining devices to Azure AD, with Azure AD Join.

This will be compatible with Microsoft Intune. Users will get a single sign-on experience across their on-premises applications, their device and their cloud applications. This will be the start of large organisational process changes and is important as companies look to manage the plethora of mobile devices. If your next device refresh is the same as your last one, it may be an outdated solution.

Let’s go for a test! I installed Windows 10 build 10074 in Hyper-V on my laptop with 1.5 GB of RAM allocated (it works, but definitely needs resources). After installing I was presented with this screen.

Here you can click Express or Custom; this just changes your feedback and other experience-related settings. Then I got a loading screen.

Then I selected “This Device Belongs to my Company”

I clicked Continue (make sure you read this screen first).

Then I typed in my username and password.

I got my password wrong first time, but this error gave me something interesting, my Azure AD branding that I configured at TechEd Australia last year came through.

Then I got this screen; after 10 minutes watching the circle I went and got a coffee, then played with my phone.

Then I got this login screen.

Logging in

Then this error.  Not sure if it was a VM, network or ram issue.

I selected Try Again and it worked immediately.  Please note the default PIN complexity requirements.  This pin may now automatically work across several different devices.

But what does this mean, and what has happened to my machine? It is not on a domain, but if you check the system information it says my logon server is \\AzureAD.

Edit:  I tested SSO for Office 365 and Azure as suggested by Alex Simons.  I could only get Azure SSO to work.  With Office 365 each time I tried to enter the URL it would redirect back to Office 365 login page.

I am sure in the coming months we will see more features and capabilities added. Keep a lookout for more on this topic at this year’s TechEd, Ignite and Build events around the world.

The key benefits and capabilities of Azure Active Directory and Windows 10:

  • Consistent user experience.
  • Single sign-on.
  • Automatic enrollment.
  • Support for modern form factors – devices that don’t have domain join functions.

This feature has huge potential so it is good to start planning any organisational transformations before Windows 10 goes GA.

Look at the following comment from Deniz regarding this new feature: ”Works great, well done, already started planning to decommission all onprem servers including ADs and work with AzureAD only with a fileserver vm in Azure.”

To get started refer to the following article:

Post by Alex Simons and Ariel Gordon

And follow these twitter handles

@aaronw2003  @Alex_A_Simons @askariel

To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription and a VM. If you don’t have a Microsoft Azure subscription you can take a trial here.

Aaron Whittaker @AaronW2003

User Group Session next month

Next month’s User Group session will be on Microsoft’s HDInsight in Azure, presented by Microsoft. If you are currently interested in Big Data, then this is the session for you.

Dates to be confirmed.  The technical level of this session will be 300.

Please add comments for any items that you wish to have covered in this session.

eg. Power BI for Office 365, data analytics, migration, DataZen, Hadoop.

Look forward to seeing you then.

Aaron @AaronW2003

Veeam Backup and Replication with Cloud Connect into Azure #ToTheCloud

Non sponsored article.

There is one company that always impresses me. Veeam has simple UIs, cheap and clear pricing models, and products that just work on first install. This week I found that with Cloud Connect, Veeam is again three steps ahead of its competitors.

What is Veeam Cloud Connect? Veeam Cloud Connect establishes an SSL tunnel over the internet to cloud storage, with no VPN required.

Why would I need Cloud Connect?  Firstly are you a customer, or are you a Veeam partner?

  • Customers have the ability to send their existing backups offsite to cheaper cloud storage and to remove the need for tapes.
  • Partners can license Veeam Cloud Connect connection through the Veeam Cloud Provider (VCP) program.  They will be able to build their own remote repositories designed to be multi-tenant and scalable.

Where is the remote repository? It could be in a partner’s datacenter or in a public cloud. This post will focus on transferring backup data to Azure storage.

Let’s Kick the Tires.

I went to the new Azure Portal at https://portal.azure.com/, selected New, Everything, searched for Veeam, and deployed Veeam Cloud Connect for Service Providers. Unfortunately this failed for me. I am using an MSDN Azure subscription; to deploy this Cloud Service you require a pay-as-you-go subscription.

I started following this deployment guide by Sam Boutros to manually deploy it (this cost many extra hours, 1-2 days of trial and error).

I deployed a VM in Azure (destination storage location), I also added a TCP endpoint of 6180.  I did not add any extra storage to my Azure VM for this test.  Then I installed Veeam Backup & Replication 8.

All required prerequisites are installed by the installer.

I then applied the latest patch, which Veeam alerts you to install. The first load after a reboot takes a few minutes; the Veeam services are on a delayed start to allow MSSQL Express to start.

Then I obtained a free one-month trial Cloud Connect license from my friendly local Veeam sales team in Sydney. Once you apply this license you receive a new button at the bottom left called Cloud Connect Infrastructure.

Then I generated a new self-signed certificate, as I received an error when I attempted to install my publicly trusted certificate (pfx).

I copied my certificate thumbprint details to a text file (you will need them later on the source).

I then created a new Cloud Gateway and changed my public IP address, and my port.

I then created two new users. I set a quota on the resources each user is able to access.

On my local source server (Windows 2012 R2) I then installed Veeam Backup & Replication 8. Again I applied the latest Veeam patch. I then applied the same licenses. I went to Backup Infrastructure and right-clicked on Managed Servers to add my server.

I selected a Hyper-V host.

I entered my local host’s address.

I entered credentials and the ports were left as default.

I had lots of trouble with this. I tried to use a Windows 8.1/10 Hyper-V host and unfortunately this is not supported; I also had some firewall issues. Links you may need to refer to are below if you encounter similar issues.

  • Enable file and printer sharing
  • Disable UAC
  • Veeam Requirements

On your source host you can diagnose the logs here: C:\ProgramData\Veeam\Backup\Setup, and the source files that are uploaded to the host are here: C:\Windows\Veeam\Backup\Upload. There is only one suggestion I would make to Veeam here: a simple built-in port testing tool would be handy. The tool uses a pool (range) of ports rather than a single specified port, so that each host (source) can send its traffic on a separate dedicated port.
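Since the post asks for a simple port test, here is an added example (not part of Veeam’s product or of the original post) that checks TCP reachability from the source backup server to the Cloud Gateway endpoint on port 6180 and to a port range on the Hyper-V host. The host names and the port range are placeholders; the exact range and direction depend on your Veeam transport settings, so treat $PortPool as an assumption to replace with the values shown in your own console.

```powershell
# Added example (not Veeam tooling, not from the original post): test TCP
# reachability before scheduling the backup job. 6180 is the Cloud Gateway
# endpoint opened on the Azure VM in the post; $Gateway, $HyperVHost and
# $PortPool are placeholders and the pool range is an assumption.
$Gateway    = 'cloudgateway.example.net'   # placeholder: Cloud Gateway DNS name or public IP
$HyperVHost = 'hv01.example.local'         # placeholder: the managed Hyper-V host
$PortPool   = 2500..2510                   # placeholder range; use the range in your Veeam settings

function Test-Port {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    # Raw TcpClient rather than Test-NetConnection so the timeout is short and
    # the check also runs on older Windows builds
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        return ($done -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @()
$results += [pscustomobject]@{ Target = $Gateway; Port = 6180; Open = (Test-Port $Gateway 6180) }
foreach ($p in $PortPool) {
    $results += [pscustomobject]@{ Target = $HyperVHost; Port = $p; Open = (Test-Port $HyperVHost $p) }
}
$results | Format-Table -AutoSize

# Summarise anything blocked so the firewall rules can be fixed first
$closed = $results | Where-Object { -not $_.Open }
if ($closed) {
    Write-Warning ('Blocked: ' + (($closed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
}
```

Run it on the source Veeam server after the firewall links above have been worked through; a blocked 6180 points at the Azure endpoint or a perimeter firewall, while blocked pool ports point at the host firewall between the Veeam server and the Hyper-V host.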

Then once this agent was installed and configured it alerted me that my Windows 2012 R2 Hyper-V host required some Microsoft patches.  I downloaded them and applied them.

You will now note that in the Veeam console I have an additional option at the top left, Service Providers.

Then I went here and added my Veeam Cloud Connect host/service from Azure.

I entered my user account and my Thumbprint from the certificate (Azure Cloud Connection VM earlier).

Now you can see that I have my Service Provider.

Veeam even has De-duplication and a WAN accelerator built-in for free!

Let’s configure the WAN accelerator.  Select WAN Accelerators and Add, change any ports and streams if necessary.

Select your WAN Cache.

Next.

Next.

Backup job: let’s send backup data straight to the cloud. Select Backup & Replication, Backup Job, add your virtual server from your host, Next.

Change your backup repository from the default to your newly connected Cloud Repository. I changed my restore points to keep only 4 copies on disk. Next.

Select your required schedule.

Finish, and the job runs successfully.

So we have added our Veeam Cloud Connect Service Provider. We have installed Veeam Backup and Replication directly on my one Hyper-V host. We can now send all backups directly to the cloud, with transfer speed improvements of up to 50 times with the WAN Accelerator. Azure storage is cheaper than tapes. We don’t have to worry about tapes, tape drives, tape libraries, tape schedules, or offsite storage facilities. Data recovery will now be quicker. So when someone asks you if you are in the cloud, you can say “you are all in”. A special thanks goes to Gnani Lavu from Veeam support in Sydney for his assistance.

I also expect more great news to come from the Veeam KickON in Russia this coming week, so follow these accounts on Twitter: @Veeam_APAC @Veeam @VMDoug @Chas_clarke

Comments appreciated.

Aaron Whittaker @AaronW2003

January User Group: Empowering your People Everywhere with Enterprise Mobility

January Session Wednesday 28th- Empowering your People Everywhere with Enterprise Mobility

Enterprise Mobility is about connecting people with your resources, regardless of where they are, or what computing device they are using. Staff, contractors, suppliers and customers can all securely access the same enterprise mobility framework to gain access to only the information you intend for them.

Come along to learn more about how Enterprise Mobility can boost productivity, streamline processes and automate provisioning of information to your users. Experteq is a Microsoft partner specialising in Enterprise Mobility. Experteq has delivered many Enterprise Mobility solutions to Fortune 100 and Government organisations and utilizing Microsoft technology will demonstrate:

  • Enrolling a new user and managing the user lifecycle:
    • Automate the process of on-boarding and off-boarding Staff, Contractors, Suppliers and Customers
    • Automate the provisioning of services and resources to a user
    • Manage a user’s access privileges throughout their time with the organisation
    • Provide self-service tools for users to reduce the load on IT support staff
  • Manage the proliferation of personal computing devices by:
    • Facilitating access to your business systems and data
    • Protecting the corporate information and data being consumed on these devices
    • Allow BYO computing device with little management overhead

Great prizes on offer!

Register Here

Presented by Experteq and Microsoft

Intune Discovery: Kicking the Tires

The Intune cloud-based management service is a solution that helps you to manage your computers and mobile devices and to secure your company’s information.

With the proliferation of BYOD and BYOIDs, I wanted to “kick the tires”, so here we go for a discovery. Cooking time: 1 day.

My Microsoft ID’s had already been synced from On premise AD via AADSync.  See my previous post on this topic here.

I subscribed to an Intune trial here, which runs for 30 days with 30 test licenses.

Then, to use the Intune console, I had to update the Silverlight version on my Microsoft Surface 3. I logged in and was presented with this console. The Dashboard provides shortcuts to the initial tasks that are required. I selected Add users.

I selected several users and applied the Intune license as shown below.

Then I created a Group with all my licensed users.

Next we need to create a policy that we wish to push out to the BYOD users (the group).

I selected Computer Management, Windows Firewall Settings, Create and Deploy a Custom Policy.

It prompted me to deploy the policy.

Then I applied the policy to a group.

Then I downloaded my Client Software and attempted to apply it to my MSDN Windows 10 running in Azure.

It appeared to install but unfortunately Intune is not compatible with Windows 10 yet.  I received an error in the console and the agent was not running on the OS.  See this compatibility list here.

After I successfully loaded the agent on a Windows 8.1 machine in Azure, I loaded my firewall to see my Policy changes had applied.

Then I decided to scan using the Intune Endpoint Protection.  All of the definitions are defined within my Intune portal.

Next I wanted to remotely push some software. I downloaded and ran the Intune Software Publisher plugin.

Then I ran the wizard.

I selected SpotifySetup.exe and also selected a Spotify Icon.

I left everything else as default.

Then I selected upload.

I then deployed the software to All Users.

Here is a summary of all my deployed software.

Back on the Windows 8.1 machine I opened the Intune Center tool from the right hand corner near the clock.

Then I selected Get Applications from the Company Portal. Here I had to authenticate (only the first time). It even allowed me to reset my expired password. Here you can see that my Azure Active Directory Premium portal customisations have loaded.

I selected Yes when asked whether I was the primary user of this computer.

Here you can see that Spotify was advertised on the main portal page.

If I select All Apps, Spotify is also advertised inside here and ready to install.

I selected Spotify and Install.

It now displays as installing.

Next I wanted to apply a minimum set of Microsoft patches to my non-domain devices. This would be useful for a company that wants to ensure that a minimum level of patching is in place on all machines that access its corporate data. I approved all patches for All Devices back in the Intune console under Groups.

Then back on the Windows 8.1 machine I was immediately prompted to install the newly approved patches.

Then I decided that I wanted to manage BYO mobile devices as well. So I went to Admin within the console and selected Set Mobile Device Management Authority.

Then I Added a Device Enrollment Manager.

This is where I stopped.  I did not have a spare mobile device that I wished to wipe.

The Administrators Console dashboard has great visibility into the fleet’s health.  You can see the 1 error, this is my failed Windows 10 installation.  Clicking on each alert takes you straight to the reported area.

So as you can see there are a lot of great management features within Intune.  It has certainly come a long way in the last few years.  There are many features and perhaps your company will find this tool suitable for only 1 or 2 specific tasks, rather than using every feature that is available.  This is a very feature rich tool which does everything except refill your coffee cup.

Aaron Whittaker @AaronW2003

Ignoring VM’s with Stop Start Automation tasks in Azure

Thanks for yesterday’s positive comments/questions and retweets. To follow up on yesterday’s post on creating automated tasks in Azure, we will modify the scripts and see what happens.

Firstly, to answer a question: yes, you can ignore certain servers if they need to remain on or off. The only issue I see is that if a new server is created that should also be ignored by this script, you will need to update the script each time another such server is added to your Azure subscription.

Can you just use group memberships? @Simonster

Let’s change my scripts so Win10Az remains on or off and must be stopped/started manually (as normal). So go back to Automation, open the stop script, select Author, then Draft, then Edit, and change this line from

Get-AzureVM | where { $_.Status -like 'Stopped*' } | Start-AzureVM

to

Get-AzureVM | where { $_.Status -like 'Stopped*' -and $_.Name -ne 'Win10Az' } | Start-AzureVM

This is highlighted in the screen grab below.

I ran the stop script and confirmed that only my BenWin10 server powered off.

I then added a similar line of code for my starting script, which you can see below.  I also selected the Start button on this screen.

Then once the start script had finished (90 seconds) I went back to my Virtual Machines view and, as below, could see that only BenWin10 was starting up. Win10Az was ignored when either script ran.

One last point: below is a screenshot of my scripts dashboard, from where you can easily see when the servers were on or off. This is a great view to ensure your script is working as expected.

Thanks

Aaron Whittaker @AaronW2003

Reducing your monthly Azure spend through Automation tasks

Azure has an automation engine that allows you to author and run automated tasks with little scripting experience required. These tasks live in a Runbook (PowerShell workflows). This allows you to talk to VMs at the infrastructure level and also inside the VMs’ operating systems, including Linux VMs. At the time of writing there were 119 templates to use.

Let’s get some extra value out of having VMs in Azure. Let’s automatically turn off our dev/test VMs at the end of each day. This will save money by having the servers powered off overnight.

Within the Runbook automation gallery, filter by VM lifecycle management.  Select Azure automation workflow to schedule stopping of all Azure Virtual Machines.

Select the tick button to Import.

Go and create credentials under assets.

Go and edit the imported task and select Author. Modify the credentials to the new credentials that you added, add your subscription name (find this under the VMs tab, or Subscriptions at the top), and change the script to not stop any VMs that need to remain on (this can be done through several types of filters).

Publish

Below you can see that the script has now appeared under published.  You can see that my customizations have been saved.

Now select Start and Yes. After 20-30 seconds (depending on how many servers you have), assuming your job runs successfully, go to the Virtual Machines tab and refresh your browser. You will see my BenWin10 VM has stopped.

Then I created a schedule for this to occur every night at 7:30 pm.  Select the task and then select schedule, “link to a new schedule”.  Be sure to adjust for time zones/daylight savings if necessary.

Now go and replicate the same steps to create a task to turn the servers back on each morning.  I utilised the “Azure Automation Workflow to Schedule starting of all Azure Virtual Machines” script.

Set the schedule.

Select Start to confirm that the Virtual Machines turn on as expected.

After 20-30 seconds, assuming your job runs successfully, go to the Virtual Machines tab and refresh your browser. You will see your servers have successfully turned back on.

If you want to confirm things are working as expected, just check on the dashboard.
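As an added example that serves both this post and the earlier post on this page about ignoring VMs (it is not the gallery runbook itself), below is a single Azure Automation workflow, written against the classic Azure PowerShell cmdlets the gallery runbooks use, that stops or starts every VM in the subscription except those in an exclusion list, so a server such as Win10Az is skipped by both the evening and the morning schedule. The credential asset name ‘AzureCred’ and the subscription name are placeholders.

```powershell
# Added example (not the gallery runbook from the post): one workflow for both
# schedules, with a single exclusion list so servers that must stay on or off
# are ignored by the stop and the start run alike. Assumes the classic Azure
# PowerShell module used by the gallery runbooks; 'AzureCred' and
# 'My Subscription' are placeholder asset/subscription names.
workflow Set-DevTestVMPower
{
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Stop', 'Start')]
        [string]$Action,

        # VMs that neither schedule may touch
        [string[]]$ExcludeVMs = @('Win10Az')
    )

    # Credential asset created under Automation > Assets (placeholder name)
    $cred = Get-AutomationPSCredential -Name 'AzureCred'
    Add-AzureAccount -Credential $cred | Out-Null
    Select-AzureSubscription -SubscriptionName 'My Subscription' | Out-Null   # placeholder

    # Classic VM status values: 'ReadyRole' when running,
    # 'StoppedDeallocated' / 'StoppedVM' when off
    $vms = Get-AzureVM

    foreach ($vm in $vms) {
        if ($ExcludeVMs -contains $vm.Name) {
            "Ignored $($vm.Name)"
        }
        elseif ($Action -eq 'Stop' -and $vm.Status -like 'Ready*') {
            # -Force deallocates even when this is the last VM in its cloud service
            Stop-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -Force | Out-Null
            "Stopped $($vm.Name)"
        }
        elseif ($Action -eq 'Start' -and $vm.Status -like 'Stopped*') {
            Start-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name | Out-Null
            "Started $($vm.Name)"
        }
        else {
            "Skipped $($vm.Name) (status $($vm.Status))"
        }
    }
}
```

Link two schedules to the one runbook, one with Action = Stop for the evening and one with Action = Start for the morning; the exclusion list then lives in one place, which is the maintenance point raised in the follow-up post. Note that Add-AzureAccount -Credential only works with an organisational (Azure AD) account, not a Microsoft account, so create the credential asset accordingly.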

Refer to this blog for updates HERE

Refer to this @MSAU #LevelUpAzure video to watch a recorded demo with Rick Claus @RicksterCDN, Joe Levy HERE

Aaron Whittaker @AaronW2003

@MSAU Azure Active Directory password Write-Back is GA.

Alex and the Azure AD team have been hard at work for the last year creating AADConnect.  AD password write-back is now GA which is great news.

Generally available (GA) as of today (11-12-14):

  • Password write-back in Azure AD Sync: Users can now change their passwords in the cloud and have the change flow all the way back to your on-premises AD.
  • The Azure AD App Proxy: This proxy makes it easy to give your employees secure access to on-premises applications like SharePoint and Exchange/OWA from the cloud without having to muck around with your DMZ.

http://blogs.technet.com/b/ad/archive/2014/12/11/wrapping-up-the-year-with-a-boat-load-of-azure-ad-news.aspx

Aaron @aaronw2003

Azure RemoteApp going GA next week

With Azure RemoteApp, you can enable your users to access corporate applications from anywhere and on a variety of devices, scale up or down to meet the dynamic business needs.  Azure RemoteApp will be generally available on December 11, 2014. Any Azure RemoteApp instances created during the current public preview period will continue to function as they do today. These instances will automatically transition to a 30-day free trial on December 11, 2014.

@aaronw2003 #tothecloud

Networking 101 for Disaster Recovery to @MSAU @Azure using Site Recovery

Definitely worth a read before implementing any DR to Microsoft Azure plan.

http://blogs.technet.com/b/virtualization/archive/2014/09/09/networking-101-for-disaster-recovery-to-microsoft-azure-using-site-recovery.aspx

http://azure.microsoft.com/blog/2014/09/04/networking-infrastructure-setup-for-microsoft-azure-as-a-disaster-recovery-site/

Installing and Running Azure Active Directory Sync AADSync Beta 3

Created by Aaron Whittaker.  Not to be reproduced without prior permission.

Ingredients Required: AADSync MicrosoftAzureActiveDirectoryConnect.msi installer from the BETA program (using version 3.7.1224), Domain Controller, Office 365 subscription, Azure, 2 Windows 2012 R2 domain joined servers, Public trusted certificate and a valid domain.

Time: A few hours.

My deployment is not complete and requires further work or your input. I will mention that my virtual machines are running in another Azure subscription (which is a supported configuration; see my TechNet article on the topic here). I will investigate if something is blocking here (endpoints inbound and outbound).

The first time I tried this exercise I did not have a publicly trusted certificate. I tried a self-signed certificate but it did not work (Azure documentation says that it should). So I purchased a domain, so that I could obtain a valid public certificate.

My existing environment consisted of a DC and a DirSync server. I simply turned off the DirSync server and created a new server called AADSync and a WebAppProxy. This normally leaves the synced users populated in your Azure AD. This was not an issue for me, as the new DirSync server will take over, or I could have manually removed the now ‘In Cloud’ users. I initially installed DirSync just by running the new AADSync DirectorySyncTool.exe installer (using the default SQL Express) and configured it; this was because I didn’t have the certificate.

I ran the MicrosoftAzureActiveDirectoryConnect.msi installer on my server named AADSync. The installer is only 976 KB, so it downloads all files as required.

Installing DirSync

The installer now installs the prerequisites if required, which is a nice feature!

  • .NET 3.5
  • SQL Express LocalDB
  • Azure Active Directory Sync Services
  • Sign-in Assistant
  • AAD Connector
  • Azure Active Directory module for Windows PowerShell

After going away and making an Azure subscription for my Office 365 tenant, here I entered my Office 365 public domain verified administrator account adminuser@brisbanecloud.net

Here I chose Customize.

I selected single AD forest.

I selected Single Sign On.

I entered my local Domain Admin credentials.

Error: Here is where I ran into my first issue. I only had a .cer file; once I made a self-signed .pfx I still could not proceed.

I pressed back several times and proceeded with Express settings.

After this new installer I was able to go in and configure DirSync as described in my previous post here. The DirSync configuration wizard ran as normal and as expected. The location to administer DirSync changes is shown below. There is still no DirSync app showing on the desktop or under programs.

Installing SSO

Here are the steps for SSO configuration.

I went away and purchased brisbanecloud.net, then created a free publicly trusted certificate. Then I re-ran the Azure AD Connect Preview shortcut located on my desktop for a second time. Here you can see that my Office 365 credentials (now also Azure credentials) were required. If you go into the installer and press back a few times, you can see it saves your settings (only for that install session). I selected Continue, entered my Active Directory credentials, Next.

Here I browse and select my Public Trusted certificate.  It must be in PFX format.  I enter my password.  From the drop down I select the URL.

Error: Subject name must have www.  I went and renamed my pfx file and reloaded it to fix this issue.

I selected Next, then I added my AADSync server, which will become my ADFS federation server. Next.

Then I selected my Web Application Proxy server,

Error: Here I had to enable PSRemoting on the WebAppProxy server via PowerShell.

Then I selected next.

Then I entered my same Domain Admin credentials (Enterprise admin was required), next.  Then I selected Create a group Managed Service Account for me and next.

Then from the drop down I had this error.

Error:  The domain needed www. in it.

I went to Azure as it mentions ‘Azure’ in the error and verified http://www.brisbanecloud.net under domains in Active Directory (WAAD) as shown below.

Back on the installer there was no update to my latest change.  I went and removed the domain from Azure and then added http://www.brisbanecloud.net within Office 365 domains.  Immediately after a press of previous and then next on the installer, I was able to see the correct address of www.brisbanecloud.net.

After reviewing the options I also selected Configure password hash.  The installer started and things looked good.

Then I received another error.

Error: Can’t remotely install Active Directory PowerShell.

After getting the same error a few times, I ran the following on WebAppProxy, DC, and AADSync servers.

Administrative PowerShell: Set-WSManQuickConfig

Administrative PowerShell: winrm quickconfig

Administrative PowerShell: Enable-PSRemoting -Force
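As an added check (not part of the original post), the script below can be run from the server on which the installer is launched, after the commands above have been run on each target, to confirm that WinRM answers and that the installer’s account can actually open a remote session on each of the three servers. The server names are placeholders standing in for the WebAppProxy, DC and AADSync machines.

```powershell
# Added example (not from the original post): verify WinRM and PowerShell
# remoting from the installer's server to each target before retrying the
# wizard. $Servers holds placeholder names; replace with your own hosts.
$Servers = @('WebAppProxy', 'DC', 'AADSync')   # placeholders
$Cred    = Get-Credential -Message 'Account the installer runs as (Enterprise Admin in the post)'

foreach ($s in $Servers) {
    $r = [ordered]@{ Server = $s; WinRM = $false; Remoting = $false; Detail = '' }
    try {
        # Test-WSMan sends an Identify request: proves the WinRM listener is up
        # and reachable through the firewall, independent of credentials
        Test-WSMan -ComputerName $s -ErrorAction Stop | Out-Null
        $r.WinRM = $true

        # A real session proves the account is allowed to run commands remotely,
        # which is what the installer needs for 'Create AAD Trust' style tasks
        $who = Invoke-Command -ComputerName $s -Credential $Cred -ErrorAction Stop -ScriptBlock {
            "$env:COMPUTERNAME as $env:USERDOMAIN\$env:USERNAME"
        }
        $r.Remoting = $true
        $r.Detail   = $who
    } catch {
        # Keep the failure reason so a listener problem can be told apart from
        # an access-denied or Kerberos/name resolution problem
        $r.Detail = $_.Exception.Message
    }
    [pscustomobject]$r
}
```

Enable-PSRemoting already runs Set-WSManQuickConfig internally, so of the three commands above it is the one that matters; a row with WinRM true but Remoting false points at the account or authentication rather than at the listener or firewall.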

Then I selected retry to attempt the install again.

Error:  An error occurred while executing the ‘Convert-MsolDomainToFederated’ command. Microsoft.Online.Administration.Automation.DomainNotRootException —> Microsoft.Online.Identity.Federation.Powershell.FederationException  ……  The task ‘Create AAD Trust’ has failed.

So then I thought I would just run this command manually from an Administrative PowerShell.

PS C:\> Convert-MsolDomainToFederated -DomainName brisbanecloud.net

Then I got a new error.

Error: This was a credential issue since the user account is now syncing.  I needed to change the credentials so I closed it and went to re-run the installer again (as there was no back button).

So I re-ran the Azure AD Connect (Preview).

Error: An error occurred while executing the ‘Update-MsolFederatedDomain’

I thought I should try to manually run this command in PowerShell.

PS C:\> Update-MsolFederatedDomain -DomainName brisbanecloud.net

Successfully updated ‘brisbanecloud.net’ domain.

As you can see below I am still getting an issue. I have not yet had another chance to try a different workaround; 95% completed…

Thoughts and Comments

Thanks

@AaronW2003

September Session- Cloud Security within Azure

September Thursday 4th- Cloud Security within Azure

See what can be achieved with cloud security in Azure, and how Deep Security can help customers address the security challenges of cloud adoption. Topics will include:

  • The latest news in cloud security
  • The shared security model and what you’re responsible for
  • How traditional security mechanisms fail to work in cloud environments
  • How Deep Security addresses cloud security while still maintaining the benefits of cloud
  • How to automate/scale security in the cloud.

There will be giveaways to include Trend Micro Titanium Internet Security NFR, USB chargers, and USB keys. Trend will also be sponsoring pizza.

Presented by TrendMicro

Register Here

Azure and Office 365- One big ecosystem

Here is my recent article “Azure and Office 365- One big ecosystem” published in the @MSAU Microsoft TechNet newsletter.

http://view.email.microsoftemail.com/?j=fe8e1679766605757d&m=fef71d77716705&ls=fe2a117774600d7d771677&l=febd1c787360037c&s=fe3213777462057d731570&jb=ff971371&ju=fe5f11797160047c7612&r=0

Thanks

Aaron

How to reset your Azure Windows local credentials without logging in.

I have only just come across this great feature. When creating Microsoft Azure VMs you now have the option to install a VM Agent. This agent allows you to reset your Remote Desktop settings and your local admin credentials should you forget them. For more details check here: http://msdn.microsoft.com/en-us/library/dn606311.aspx
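As an added example (not from the original post or the linked article), the snippet below performs the same local admin reset from the classic Azure PowerShell module by pushing the VMAccess extension that the VM Agent hosts. It assumes that module’s Set-AzureVMAccessExtension cmdlet; the service, VM and account names are placeholders.

```powershell
# Added example (not from the original post): reset a local administrator
# password on a classic Azure VM through the VM Agent's VMAccess extension.
# Assumes the classic Azure PowerShell module; all three names are placeholders.
$ServiceName = 'my-cloud-service'   # placeholder
$VMName      = 'my-vm'              # placeholder
$UserName    = 'localadmin'         # placeholder: existing local admin account

# Prompt for the new password rather than hard-coding it in a script
$secure = Read-Host -Prompt "New password for $UserName" -AsSecureString

# The extension parameter takes a plain string, so convert just long enough
# to pass it on and zero the buffer afterwards
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# Attach the VMAccess extension with the new credentials and push the update;
# the agent inside the guest applies it without anyone logging on
Get-AzureVM -ServiceName $ServiceName -Name $VMName |
    Set-AzureVMAccessExtension -UserName $UserName -Password $plain |
    Update-AzureVM

Remove-Variable plain
```

Because this is a subscription-level management call rather than a guest logon, it is recorded in the subscription’s operation logs, which is where to look if a reset appears that nobody on the team requested.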

Aaron