A second look at Azure AD Connect Public Preview 2

Before viewing this post please refer back to my following articles if you require a base understanding of Microsoft Azure ADConnect and the features available.

  • I first posted on AADConnect and AADSync back in August last year.
  • I also presented on Cloud Identities at TechEd Melbourne and Sydney last year here.

This post will focus on what is new and what has changed.

As posted by Alex Simons (Azure AD Director) the Microsoft Azure ADConnect preview 2 was released earlier this year. I downloaded Azure AD Connect Public Preview Download from here. I started the installer and was presented with the screen to install the services. Note: I could have specified a SQL server if my Domain was large enough to warrant this (Microsoft recommends this for over 50,000 + users). I could specift a Service Account if that was a company requirement. I could also select import settings if I had a previous configuration that I wanted to apply to this ADSync server.  I left all options unselected and selected install.

1

The next option was to specifiy what I wanted to install, ADSync or SSO. I selected ADSync.

2

I then entered my Azure Global Admin credentials. The installer now creates and assigns a service account within Azure AD with the minimum permissions that it requires, which is a great improvement. I then entered my On-Premises credentials (this also creates a service account).

3

The following option allows for Group Based filtering.  I noted that you can only specify 1 group here which may suit some customers who do not wish to use OU based filtering. Microsoft added this option with the intention of pilot and evaluations of Azure AD and Office 365.  I selected ‘Synchronise all users and devices’.

4.1

Here I specify that a user is represented only once across all directories.

5

Here you can change your user attribute mappings.  This may be required if you are using for example Shibboleth for SSO or if you have some other customised requirements.

6

Optional features can be modified later, so don’t be overwhelmed by the amount of options.  You can re-run the wizard to make changes later if you need.

  • Exchange Hybrid- For an Exchange Hybrid migration to Office 365.
  • Azure AD attributes- if you only want to sync a smaller set of user attributes.
  • Password writeback- change a password in Azure AD and it writes back to On-Premises and verifies the On-Premises password policy.
  • User writeback- A user created in Azure AD is created in On-Premises AD.
  • Group writeback- Groups in Office 365 will be written back to your On-Premises Exchange forest.
  • Device Sync- Allows for Windows 10 computers enrolled with Intune or directly with Azure AD to sync to On-Premises AD. (we are seeing the start of managing a Windows-as-a-Service subscription model). This is called ‘Cloud registered Devices’. NOTE: This requires a 2012 R2 schema.
  • Directory extension- Use this if you want to sync a unique attribute to Azure AD, eg. a custom Linux attribute, or an Employee ID (currently limitations apply to certian values and characters).

7

The screenshot below is for Azure AD attributes.  So in my example I will not be using CRM so I remove the syncing of these attributes.

8

Below we have the option to remove attributes from being Synced.  Eg. An organisation may have extended their schema and used “extensionAttribute’s”. Perhaps these contain sensitive information, the administrator can simply uncheck these attributes so they are not synced.

9

Here we confirm which On-Premise destination we want to use for User writeback. Select the Users OU. Note: you can add/merge many domains to the one Azure AD subscription, so Write-Back destination is required. 

2

Here I ticked the box to start a sync after install.

11

Here you can see I have run the miisclient and can see that 60 objects have been synced automatically.

12

Here was can easily see errors. My user account had an error because AD and AAD had the exact same display name of aaron.whittaker. For this test environment I will ignore this error.

13

Next in Azure AD I create a new user called CloudUser1

14

Back on my Sync server I selected connectors at the top, then selected my Azure AD and run a ‘Full Synchronization’.

18

Below you can see the event for the CloudUser1 being synced to On-Premises.

16

Here we can verify that the user has been synced.  You can see I have applied an On-Premises group membership permission to a Cloud User.

3

To view my post on upgrading to AADConnect GA from Beta see my post here.

To get started refer to the following articles:

Post by Alex Simons

And follow these twitter handles:

@askariel  @Alex_A_Simons

To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription.  If you don’t have a Microsoft Azure subscription you can take a trial here.

Aaron Whittaker
@AaronW2003

profile pic

Advertisements

Azure Active Directory and Windows 10: Microsoft’s Hybrid Vision

Azure Active Directory and Windows 10: Microsoft’s Hybrid Vision

As more and more companies make the transition from On-Premise to the Cloud, Microsoft believes that there will be a phase where companies run both data centers in parallel.  Microsoft believes that this Hybrid state will last for approximately 10 years.  Beyond these years most workloads will be in the cloud.

How can organisations manage users and devices from a single source of truth?  Microsoft has assisted with this Hybrid state allowing companies to administer cloud users, all with the assistance of Azure ADConnect. Today we are in a Cloud First era, if Cloud is not supported why not?

The days of imaging devices and adding them domains maybe coming to an end.  Companies will soon be able to manage Windows 10 (slated for first update) by simply joining them to Azure AD, with Azure AD Join.

This will be compatible with Microsoft Intune. Users will get a single sign on experience from their on premise applications, device and their cloud applications. This will be the start of large organisational process changes and is important as companies look to manage the plethora of mobile devices.  If your next device refresh is the same as your last one, it may be an outdated solution.

Let’s go for a test!  I installed Windows 10 build 10074 with Hyper-V on my laptop with 1.5 gig ram allocated (works, but definently needs resources), after installing I was presented with this screen

1

Here you can click Express or Custom, this just changes your Feedback and other experience related settings, then I got a loading screen

2

Then I selected “This Device Belongs to my Company”

4

I clicked continue make sure you read this screen first

5

Then I typed in my username and password

6

I got my password wrong first time, but this error gave me something interesting, my Azure AD branding that I configured at TechEd Australia last year came through.

8

Then I got this screen, after 10 minutes watching the circle I went got a coffee then played with my phone.

9

Then I got this log in screen

11

Logging in

10

Then this error.  Not sure if it was a VM, network or ram issue.

13

I selected Try Again and it worked immediately.  Please note the default PIN complexity requirements.  This pin may now automatically work across several different devices.

1415

But what does this mean and what has happen to my machine?  It is not on a domain, but if you check the sysinfo it says my logon server is \\AzureAD.

Edit:  I tested SSO for Office 365 and Azure as suggested by Alex Simons.  I could only get Azure SSO to work.  With Office 365 each time I tried to enter the URL it would redirect back to Office 365 login page.

I am sure in the coming months we will see more features and capabilities added.  Keep a look out for more on this topic at this year TechEd’s, Ignite and Build events around the world.

16

The key benefits and capabilities of Azure Active Directory and Windows 10:

  • Consistent user experience.
  • Single Sign on
  • Automatic Enrollment
  • Support modern form factors – devices that don’t have domain join functions.

This feature has huge potential so it is good to start planning any organisational transformations before Windows 10 goes GA.

Look at the following comment from Deniz regarding this new feature”Works great, well done, already started planning to decommission all onprem servers including ADs and work with AzureAD only with a fileserver vm in Azure.”

To get started refer to the following article:

Post by Alex Simons and Ariel Gordon

And follow these twitter handles

@aaronw2003  @Alex_A_Simons @askariel

To start planning for your business transformation you can deploy and test these features all from within your Microsoft Azure subscription and a VM.  If you don’t have an Microsoft Azure subscription you can take a trial here.

Aaron Whittaker @AaronW2003

profile pic

User Group Session next month

Next months User Group session will be on Microsoft’s HDInsight in Azure, presented by Microsoft.  If you are currently interested in Big Data, then this is the session for you.

Dates to be confirmed.  The technical level of this session will be 300.

Please add comments for any items that you wish you have covered in this session.

eg. Power BI for Office 365, data analytics, migration, DataZen, Hadoop.

MSFT-Love_thumb

Look forward to seeing you then.

Aaron @AaronW2003

Veeam Backup and Replication with Cloud Connect into Azure #ToTheCloud

Non sponsored article.

There is one company that always impresses me.  Veeam has  simple UI’s, cheap and clear pricing models and products that just work on first install.  This week I found with Cloud Connect, Veeam is always three steps ahead of its competitors.

veeam

What is Veeam Cloud Connect?  Veeam Cloud Connect establishes a SSL tunnel over the internet to Cloud Storage with no VPN required.

Why would I need Cloud Connect?  Firstly are you a customer, or are you a Veeam partner?

  • Customers have the ability to send their existing backups offsite to cheaper cloud storage and to remove the need for tapes.
  • Partners can license Veeam Cloud Connect connection through the Veeam Cloud Provider (VCP) program.  They will be able to build their own remote repositories designed to be multi-tenant and scalable.

Where is the remote repository?  It could be in a Partners datacenter, or Public Clouds.  This post will focus on transferring backup data to Azure storage.

Let’s Kick the Tires.

I went to the new Azure Portal at https://portal.azure.com/ I selected New, Everything, Searched for Veeam, and deployed Veeam Cloud Connect for Service Providers.  **Unfortunatly this failed for me.  I am using a MSDN Azure subscription.  To deploy this Cloud Service you require a pay-as-you-go subscription.

1

I started following this deployment guide by Sam Boutros to manually deploy it (cost many extra hours 1-2 days with trial and error).

I deployed a VM in Azure (destination storage location), I also added a TCP endpoint of 6180.  I did not add any extra storage to my Azure VM for this test.  Then I installed Veeam Backup & Replication 8.

2

All required prerequisites are installed by the installer.

3

I then applied the latest patch which Veeam alerts you to install.  The first load after a reboot takes a few mintues.  The Veeam services are on a delayed start to allow for MSSQLExpress to start.

33

Then I obtained a free 1 month trial Cloud Connect license from my friendly local Veeam sales team in Sydney.  Once you apply this license you receive a new button down on the bottom left called Cloud Connect Infrastructure.

license

Then I generated a new self signed certificate as I received an error when I attempted to install my public trusted certificate (pfx).

7

3.5

I copied my certificate Thumbprint details to a text file (you will need them later on the source)

cert thumb

I then created a new Cloud Gateway and changed my public IP address, and my port.

4 - Copy

I then created 2 new users.  I set a quota to the resource that the users is able to access.

5 6

On my local source server (Windows 2012 R2) I then installed Veeam Backup & Replication 8.  Again I applied the latest Veeam patch.  I then applied the same licenses.  I went to Backup Infrastructure and right licked on Managed Servers to add my server.

11

I selected a Hyper-V host

44

I entered my local hosts address

13

I entered credentials and the ports were left as default.

I had lot’s of trouble with this, I tried to use Windows 8.1/10 Hyper-V host and unfortunately this is not supported, also I had some firewall wall issues.  Links you may need to refer to are below if you encounter similar issues.

Enable file and printer sharing           Disable UAC        Veeam Requirements

On your source host you can diagnose the logs here C:\ProgramData\Veeam\Backup\Setup and the source files that are uploaded to the host are here C:\Windows\Veeam\Backup\Upload.  There is only 1 suggestion I make to Veeam here, a simple port testing pool built-in would be handy.  The tool uses a pool range of ports not a specified port.  This is so each Host (source) can send its traffic on a separate dedicated port.

15

18

19

2

Then once this agent was installed and configured it alerted me that my Windows 2012 R2 Hyper-V host required some Microsoft patches.  I downloaded them and applied them.

3

You will now note in the Veeam console I now have an additional option on the top left Service Providers.

4

Then I went here and added my Veeam Cloud Connect host/service from Azure.

5

I entered my user account and my Thumbprint from the certificate (Azure Cloud Connection VM earlier).

6

7

Now you can see that I have my Service Provider

final

Veeam even has De-duplication and a WAN accelerator built-in for free!

Let’s configure the WAN accelerator.  Select WAN Accelerators and Add, change any ports and streams if necessary.

wan

Select your WAN Cache.

wan2

Next.

wan3

Next.

wan4

Backup job– Let’s send backup data straight to the cloud.  Select Backup & Replication, Backup Job, Add your Virtual Server from your Host, Next.

back1

Change your Backup repository from the default to your newly connected Cloud Repository, I changed my Restore points to keep only 4 copies on disk, Next.

back2

Select your required schedule.

back3

Finish, and the job runs successfully.

back4

So we have added our Veeam Cloud Connect Service Provider.  We have installed Veeam Backup and Replication directly on my 1 Hyper-V host.  We can now send all backups directly to the cloud with transfer speed improvements up to 50 times faster with the WAN Accelerator.  Azure storage is cheaper than tapes.  We don’t have to worry about tapes, tape drives, tape libraries, tape schedules, and offsite storage facilities.  Data recovery will now be quicker.  So when someone asks you if you are in the cloud you can say “you are all in”.  A special thanks goes to Gnani Lavu from Veeam support in Sydney for his assistance.

I also expect more great news to come from the Veeam KickON in Russia this coming week so follow these on Twitter @Veeam_APAC @Veeam @VMDoug @Chas_clarke

Comments appreciated.

profile picAaron Whittaker @AaronW2003

January User Group: Empowering your People Everywhere with Enterprise Mobility

January Session Wednesday 28th- Empowering your People Everywhere with Enterprise Mobility

Enterprise Mobility is about connecting people with your resources, regardless of where they are, or what computing device they are using. Staff, contractors, suppliers and customers can all securely access the same enterprise mobility framework to gain access to only the information you intend for them.

Come along to learn more about how Enterprise Mobility can boost productivity, streamline processes and automate provisioning of information to your users. Experteq is a Microsoft partner specialising in Enterprise Mobility. Experteq has delivered many Enterprise Mobility solutions to Fortune 100 and Government organisations and utilizing Microsoft technology will demonstrate:

  • Enrolling a new user and managing the user lifecycle:
    • Automate the process of on-boarding and off-boarding Staff, Contractors, Suppliers and Customers
    • Automate the provisioning of services and resources to a user
    • Manage a user’s access privileges throughout their access to organisations
    • Provide self-service tools for users to reduce the load on IT support staff
  • Manage the proliferation of personal computing devices by:
    • Facilitating access to your business systems and data
    • Protecting the corporate information and data being consumed on these devices
    • Allow BYO computing device with little management overhead

Great prizes on offer!

Register Here

Presented by Experteq and Microsoft experteq

Intune Discovery: Kicking the Tires

The Intune cloud-based management service is a solution that helps you to manage your computers and mobile devices and to secure your company’s information.

With the proliferation of BYOD and BYOID’s, I wanted to “kick the tires” so here we go for a discovery.  Cooking time: 1 day.

My Microsoft ID’s had already been synced from On premise AD via AADSync.  See my previous post on this topic here.

I subscribed for a 30 Intune trial here which is for 30 days for 30 test licenses.

Then to utalise the Intune console I had to update my Silverlight version on my Microsoft Surface 3.  I logged in and I was presented with this console.  The Dashboard provides shortcuts to the initial tasks which are required.  I selected Add users.

1

I select several users and applied the Intune license as shown below.

2.1

Then I created a Group with all my licensed users.

6.2

Next we need to create a policy that we wish to push out to the users BYOD (Group).

3

4

I selected Computer Management, Windows Firewall Settings, Create and Deploy a Custom Policy.

38

It prompted me to deploy the policy.

7

Then I applied the Policy to a group

8

Then I downloaded my Client Software and attempted to apply it to my MSDN Windows 10 running in Azure.

9

13

It appeared to install but unfortunately Intune is not compatible with Windows 10 yet.  I received an error in the console and the agent was not running on the OS.  See this compatibility list here.

14

15

After I successfully loaded the agent on a Windows 8.1 machine in Azure, I loaded my firewall to see my Policy changes had applied.

fw

Then I decided to scan using the Intune Endpoint Protection.  All of the definitions are defined within my Intune portal.

27

Next I wanted to remotely push some software.  I downloaded and run the Intune Software Publisher plugin.

16

Then I ran the wizard.

17

I selected SpotifySetup.exe and also selected a Spotify Icon.

18

19

I left everything else as default.

20

21

Then I selected upload.

22

I then applied the Software All Users.

31

Here is a summary of all my deployed software.

34

Back on the Windows 8.1 machine I opened the Intune Center tool from the right hand corner near the clock.

23 - Copy

Then I selected Get Applications from the Company Portal.  Here I had to authenicate (only the first time).  It even allowed me to reset my expired password.  Here you can see my Azure Active Directory Premium portal customisations have loaded.

2829

I selected YES to the primary user of this computer.

30

Here you can see that Spotify was advertised on the main portal page.

39

If I select All Apps, Spotify is also advertised inside here and ready to install.

40

I selected Spotify and Install.

41

It now displays as installing.

42

Next I wanted to apply a minimum in Microsoft patches to my non domain devices.  This would be useful for a company that wants to ensure that a minimum level of patches are running on all machines that access their corporate data.  I approved all patches to All Devices back in the Intune console under groups.

46

Then back on the Windows 8.1 machine I  immediately prompted to install the newly approved patches.

Then I decided that I wanted to manage BYO mobile devices as well.  So i went to admin within the console, I selected Set Mobile Device Management Authority.

47

48

Then I Added a Device Enrollment Manager.

49

This is where I stopped.  I did not have a spare mobile device that I wished to wipe.

The Administrators Console dashboard has great visibility into the fleet’s health.  You can see the 1 error, this is my failed Windows 10 installation.  Clicking on each alert takes you straight to the reported area.

50

So as you can see there are a lot of great management features within Intune.  It has certainly come a long way in the last few years.  There are many features and perhaps your company will find this tool suitable for only 1 or 2 specific tasks, rather than using every feature that is available.  This is a very feature rich tool which does everything except refill your coffee cup.

profile picAaron Whittaker @AaronW2003

Ignoring VM’s with Stop Start Automation tasks in Azure

Thanks for yesterdays positive comments/questions and retweets.  To follow up after yesterdays post on creating Automated tasks in Azure we will modify the scripts and see what has happened.

Firstly to answer a question, yes you can ignore certain servers if they need to remain on or off.  The only issue I see is if a server is created and to be ignored by this script you will need to update the script each time another server is added to your Azure subscription.

Can you just use group memberships? @Simonster

Let’s change my scripts so Win10Az remains on or off, and must be stopped/started manually (normally).  So go back to Automation, stop script, author, draft, edit, change this line from

Get-AzureVM | where{$_.status -like ‘Stopped*’ } | Start-AzureVM

to

Get-AzureVM | where{$_.status -like ‘Stopped*’ -and $_.Name -ne ‘Win10Az’} | Start-AzureVM

This is highlighted in the screen grab below.

11

I ran the stop script and confirmed that only my BenWin10 server powered off.

I then added a similar line of code for my starting script, which you can see below.  I also selected the Start button on this screen.

12

Then once the start script had finished (90 seconds) I went back to my Virtual Machines view and as below you could see that only BenWin10 was starting up.  Win10Az was ignored when either script ran.

13

 

One last point, below is a screen shot of my scripts dashboard, from here you can easily see when the servers were on or off.  This is a great view to ensure your script is working as excepted.

14

Thanks

profile pic Aaron Whittaker @AaronW2003