Step by Step Azure Active Directory (Azure AD) Connect Cloud Provisioning

Recently a new option for AD sync is in preview Azure AD Connect cloud provisioning, Azure AD Connect Cloud Provisioning can run in a tenant already using Azure AD Connect Sync, Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment. This is currently not possible with AD connect. and many organizations are struggling with this.

Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud.

• Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.

The common scenarios include merger & acquisition, where the acquired company’s AD forests are isolated from the parent company’s AD forests and companies that have historically had multiple AD forests.

Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.

Here I have a sample of 3 the same used accounts but different domain, now with the Azure Active Directory (Azure AD) Connect Cloud Provisioning they are synced into a single AAD.

If there is a firewall between your servers and Azure AD, configure the following items:

Ensure that agents can make outbound requests to Azure AD over the following ports:

Port number and How it’s used

• 80  Downloads the certificate revocation lists (CRLs) while validating the SSL certificate
• 443 Handles all outbound communication with the service
• 8080(optional) Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure AD portal.

Also the Following URL’s need to be unblocked.

• exception for:
  • *.msappproxy.net
  • *.servicebus.windows.net
  • login.windows.net
  • login.microsoftonline.com
  • mscrl.microsoft.com
  • crl.microsoft.com
  • ocsp.msocsp.com
  • http://www.microsoft.com
  • or if you can’t manage URL you need to allow the Azure IP address (see https://www.microsoft.com/download/details.aspx?id=41653) But this could be a big list.

You can test access using the test portal  https://aadap-portcheck.connectorporttest.msappproxy.net/

Now that I know that all the ports are open we can start with the deployment.

Go to the Azure portal and open the Active directory Blade.

https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect

When clicking the Provisioning link the new window opens with the download Agent in the ribbon.

Now that we have downloaded the Agent we can start the installation, Keep in mind if you don’t have installed the latest .NET version you need to install this and it will take a kernel reboot.

A quick setup and our next step is the Configuration.

Us a service account for the Sync, and keep in mind that your domain settings are correct else all the accounts got synced with the *.onmicrosoft.com

My local Active directory domain.

In this demo I use the Administrator but don’t use this account in you production site. Create a proper account for this.

Now that the AD is connected we can kick off the sync and move on to the next steps/

The Agent is creating two services on the sync server.

In the Azure portal you can see the sync status. I did already do a couple of installs so no panic if your layout is different.

Now we are checking if the Agent is running and use review all agents as default there is an extra step to take

 

In previews you can always give feedback so when the product is GA there is a good chance that the menu’s will change.

As you can see it is active, If it is not active check the Services on the on-premises server where you installed the Agent

You can also your external public IP

You can also check the services state:

• Microsoft Azure AD Connect Agent Updater (in charge of updating to the latest agent version)
• Microsoft Azure AD Connect Provisioning Agent (in charge of the synchronization)

Our next step is configuring the Azure AD Connect cloud provisioning, using password hash and setup a notification email.

Now that the configuration is complete we are ready for production

we save this config and check the agent health status.

For testing you can use the Cloud applications portal. https://myapps.microsoft.com

When logging in you will see the apps that are assigned to that user.

Configuration changes are synced every 2 minutes while the provisioning interval is every 40 minutes.

All agent activities are logged into the Applications and Services Logs\Microsoft\AzureADConnect\ProvisioningAgent\Admin

AgentUpdater for any agent updated activities (you will see there if there has been an update) or ProvisioningAgent for any provisioning activities.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Ready For Microsoft Ignite #RDmi #Azure #Fun #Cloud #Sessions #MSIgnite #MVPBuzz #Linkedin

Ignite is almost there. The benefit of being an MVP is that whole week We already had pre-ignite sessions and warmed up for Ignite. these are exiting times a lot of new content will be there and when Microsoft is showing the products we can blog about this with out breaking our NDA.

Already some teasers Windows Admin Center would be named a lot. As this is the webbased tool to manage your servers. In Azure or on prem.

Storage is also a big Thing. and migration to Azure and or from of moving your old servers to Azure. this is also a big topic.

As moving to the cloud is nice and easy ( well not always) the client is there also Intune – Autopilot – Rdmi – The modern workplace

As last year Microsoft announced the new RDmi and at Inspire there where also some sessions about RDmi .

https://robertsmit.wordpress.com/2018/01/17/part2-ultimate-step-to-remote-desktop-services-html5-quickstart-deployment-rds-vdi-rdp-rdmi/

Above are some examples of the HTML5 Client that you already can use in the current RDS environment.

There will be a lot off content passing this week. Thanks for reading my blog and following me on twitter.

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Step by Step Azure File Sync – on-premises file servers to #Azure Files Storage Sync Service #AFS #Cloud #MSIgnite

Finally Azure File Sync is there in public preview, for the last months I had the pleasure to work with the Azure File Sync team and tested the product and thought about some great ideas where Azure File Sync (AFS) could be useful. And I guess you all have Ideas where you could use AFS. Placing your File server somewhere and get your files to the cloud.  Our use a Azure Data Box ADB https://azure.microsoft.com/nl-nl/updates/azure-data-box-preview/

With Azure File Sync (preview), shares can be replicated on-premises or in Azure and accessed through SMB or NFS shares on Windows Server. Azure File Sync is useful for scenarios in which data needs to be accessed and modified far away from an Azure datacenter, such as in a branch office scenario. Data may be replicated between multiple Windows Server endpoints, such as between multiple branch offices.

Azure File Sync is a multi-master sync solution, it makes it easy to solve global access problems introduced by having a single point of access on-premises, or in Azure by replicating data between Azure File shares and servers anywhere in the world. With Azure File Sync, we’ve introduced a very simple concept, the Sync Group, to help you manage the locations that should be kept in sync with each other. Every Sync Group has one cloud endpoint, which represents an Azure File share, and one or more server endpoints, which represents a path on a Windows Server. That’s it! Everything within a Sync Group will be automatically kept in sync!

Azure File Sync enables organizations to:
• Centralize file services in Azure storage
• Cache data in multiple locations for fast, local performance
• Eliminate local backup and DR

The Azure File Sync agent is supported on Windows Server 2016 and Windows Server 2012 R2 and consists of three main components:

• FileSyncSvc.exe: The background Windows service responsible for monitoring changes on Server Endpoints and initiating sync sessions to Azure.
• StorageSync.sys: The Azure File Sync file system filter, responsible for tiering cold files to Azure Files (when cloud tiering is enabled).
• PowerShell management cmdlets: PowerShell cmdlets for interacting with the Microsoft.StorageSync Azure Resource Provider. The cmdlets can be found at the following locations (by default):

• %ProgramFiles%\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll
• %ProgramFiles%\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll

The Azure File Sync agent also includes a preview version of the Work Folders server feature which has been updated to support Azure File Sync. This preview version of Work Folders does not have a UI and must be managed via PowerShell: https://docs.microsoft.com/en-us/powershell/module/syncshare/?view=win10-ps

To learn more about Work Folders, please refer to the overview: https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview
To learn more about Azure File Sync, please refer to the planning guide: https://docs.microsoft.com/azure/storage/files/storage-sync-files-planning

But In the Preview I’m a bit Confused, what is the name of the product this Azure File Sync Or Storage Sync Service So looking it up in the Azure Store and in the quick list the name is not the Same.

So when created the Azure File Sync <> you need to look under Storage Sync Services

Now that said how to built a Replica to Azure and back to my other Data Center ?

 

 

So what do we need for this scenario, We need two File servers and a storage account in Azure.

I created on a file server mvpafs01 with an extra disk that is hosted my onprem files. on the other server MVPAFS02 the share is in a different location.

Azure File Sync extends on premises files servers into Azure providing cloud benefits while maintaining performance and compatibility.

Azure File Sync provides:

• Multi-site access – provide write access to the same data across Windows Servers and Azure Files
• Cloud Tiering – store only recently accessed data on local servers
• Integrates with Azure backup – no need to back up your data on premises
• Rapid DR – restore file metadata immediately and recall data as needed

Open your Azure subscription and look into the store for Azure File Sync.

 

Create the Azure File Sync components

First we make a New Storage Account, this storage account will hold the on premise files

When the Storage account is created we create a file share on this storage account.

Currently the share has a maximum of 5TB !

Max size of a file share  5 TB

Max size of a file in a file share 1 TB

Max number of files in a file share Only limit is the 5 TB total capacity of the file share

Max IOPS per share 1000

Max number of files in a file share Only limit is the 5 TB total capacity of the file share

In this a limit of 4TB is more than enough to hold my files.

Now that the Azure File Sync is created we can configure the Azure File Sync.

First we create a sync group in this group we can sync the files from one to many.

If you didn’t create the Storage account and the File share you will need to create this first.

Create a sync Group

A Sync Group contains a list of endpoints that define where a set of files sync to. Servers and Azure File Shares can participate in syncing the same set of files when they are listed in the same Sync Group.

At the moment only one Azure File Share can participate in a Sync Group and it must be in the same region as this Storage Sync Service. Below you can create the Sync Group and its first and only Cloud Endpoint in one step. In the future you will be able to add more Cloud Endpoints. You can add Server Endpoints after this step completes.

After creating this Sync Group and its first Cloud Endpoint, the next step is adding one or more Server Endpoints to the Sync Group.

 

Next step is preparing the on premise file server and install the Agent and add the Azure PowerShell modules.

To register a server:

• Download the Azure Storage Sync agent and install it on all servers you want to sync.
• After finishing the agent install, use the server registration utility that opens to register the server to this Storage Sync Service.

 

 

When finishing the download of the right files we start the installation of the Agent.

1. Download and run the StorageSyncAgent.msi.
2. Follow the instructions to complete the installation.
3. At the conclusion of the Azure File Sync agent installation, the Server Registration UI will auto-start.
4. Follow the instructions to register the server with your Storage Sync Service.

Before we start the Agent we need to disable the enhanced security ( for admins only)

 

The installation of the Agent is simple and Quick unless the Azure Modules are not on the Server.

 

Now that the Agent is installed we can register this server in Azure File Sync (AFS)

I did not have the Azure PowerShell modules on this server So I need to install the modules first

https://go.microsoft.com/fwlink/?linkid=856959

You can check the version with the Powershell command lets

Get-Module PowerShellGet -list | Select-Object Name,Version,Path

# Install the Azure Resource Manager modules from the PowerShell Gallery

Install-Module AzureRM

This can take sometime but you don’t need a reboot for this.

just login to your azure subscription where the Azure File Sync (AFS) is installed

Pick the right subscription and Resource Group with the Storage Sync Service.

The next step after the registration of the server is creating an endpoint this End point is linking the File share to the Sync service

 

Creating an Endpoint is the final step but remember as soon as this is in place the Sync services on the on premise server starts the initial sync!

Creating the Azure File Sync (AFS) Endpoint

A Server Endpoint integrates a subfolder of a volume from a Registered Server as a location to sync. The following considerations apply:

• Servers must be registered to the Storage Sync Service that contains this Sync Group before you can add a location on them here.
• A specific location on the server can only sync with one Sync Group. Syncing the same location or even a part of it – with a different Sync Group doesn’t work.
• Make sure that the path you specify for this server is correct and not the root of a volume before hitting Create.

• Cloud Tiering: A switch to enable or disable cloud tiering, which enables infrequently used or accessed files to be tiered to Azure Files.
• Volume Free Space: the amount of free space to reserve on the volume on which the Server Endpoint resides. For example, if the Volume Free Space is set to 50% on a volume with a single Server Endpoint, roughly half the amount of data will be tiered to Azure Files. Note that regardless of whether cloud tiering is enabled, your Azure File share always has a complete copy of the data in the Sync Group.

Data traffic on the File server in this case it is just with one CPU. The upload speed is around the 300Mbps with almost 100% CPU

After checking the same upload with 4 Cores and the upload is more than doubled so keep this in mind when uploading the files. Unless your line is the throttle neck

Perfect the files are synced and ready for cloud usage.

But I also want these files in my other datacenter, I could just copy those files and in a few days I run robocopy with the delta’s but I can also use a second endpoint in Azure File Sync (AFS) and keep all files in sync.

The first step is the same as any server to register install the Azure File Sync (AFS)  Agent with the Powershell Modules

 

Connect with the same Azure subscription

As you can see the server is online and registered.

 

As this server doesn’t have a second disk I place all the files on a different share

But after filling in the share name and applied it the server gets very busy but there are no files in the folder.

Check this : all the files are cached in the System volume information folder under HFS. After the caching it placed all the files in the right folder.

Just keep in mind that this is the process and your Monitoring agents could alarm you for this. 

After the initial sync I have two file servers and a Azure Storage account with the same files. I can Edit files on 3 point and still it got synced.

The synced files on the Second server and as you can see that the System files are gone and placed in the share.

Hope this blog gives you the start on using the Azure File Sync (AFS) it is very useful as you could sync file between subscriptions or regions or just between your data centers.

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Http://nl.linkedin.com/in/robertsmit

Google Me : https://www.google.nl

Bing Me : http://tinyurl.com/j6ny39w

LMGTFY : http://lmgtfy.com/?q=robert+smit+mvp+blog