Configure & Manage Synchronized Identities (part 1 of 4)
Configure Azure AD Connect Prerequisites
If you want to install Azure AD Connect, you will require the following:
Azure AD
- An Azure AD tenant is available with an Azure free trial and you can use either The Azure Portal or The Office Portal to manage Azure AD Connect.
- You have to add and verify the domain you want to use in Azure AD.
- By default, an Azure AD tenant allows 50k objects, and when you verify your domain the limit is automatically increased to 300k objects. However, if you require more than 500k objects, then you must possess a license such as Office 365, Azure AD Basic, Azure AD Premium, or Enterprise Mobility and Security.
On-premises AD
- The AD schema version and forest functional level must be Windows Server 2003 or later; as long as those requirements are met, domain controllers can run any version.
- If you are using password writeback feature, then the Domain Controllers should be on Windows Server 2008 R2 or later.
- The domain controller used by Azure AD must be writable: an RODC (Read-Only Domain Controller) is not supported, and Azure AD Connect does not follow any write redirects.
- Use of on-premises forests/domains having "dotted" NetBios names is not supported.
- It is recommended to enable the AD Recycle Bin.
Azure AD Connect Server
It must be treated as a Tier 0 component, and because it contains critical identity data, you must ensure that administrative access to this server is properly secured.
SQL Server used by Azure AD Connect
- Azure AD Connect requires a SQL Server database to store identity data. By default it installs SQL Server 2012 Express LocalDB, which has a 10 GB size limit and allows you to manage approximately 100,000 objects. If you want to manage a higher volume of directory objects, you have to point the installation wizard to a different installation of SQL Server.
- If you are using a different installation of SQL Server, then you have to fulfill the following requirements:
- Although Azure AD Connect supports all versions of Microsoft SQL Server from 2012 to SQL Server 2019, it does not support Microsoft Azure SQL Database as a database.
- A case-insensitive SQL collation (identified by CI in its name) must be used; case-sensitive collations (identified by CS) are not supported.
- You can only have one sync engine per SQL instance, and sharing a SQL instance with FIM/MIM Sync, DirSync, or Azure AD Sync is not supported.
Accounts
- The Azure AD Administrator account for the Azure AD tenant you want to integrate with must be a school or organization account; it cannot be a Microsoft account.
- If you want to use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises AD.
- The custom settings installation path offers you more options.
Connectivity
- The Azure AD Connect server requires DNS resolution for both intranet and internet names, so that it can resolve both your on-premises AD and the Azure AD endpoints.
- If you have firewalls on your intranet and need to open ports between the Azure AD Connect servers and your domain controllers, refer to the Azure AD Connect ports documentation for more information.
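The following pre-flight script is an added example (not from this article or from Microsoft) that checks the on-premises AD and connectivity prerequisites above from the prospective Azure AD Connect server. It assumes the RSAT ActiveDirectory and DnsClient modules are installed, and `$AzureAdEndpoint` is a placeholder you must replace with the endpoint your tenant uses.

```powershell
# Added example (not from the article or from Microsoft): pre-flight checks for the
# on-premises AD and connectivity prerequisites. Assumes the RSAT ActiveDirectory and
# DnsClient modules are installed on the prospective Azure AD Connect server.
Import-Module ActiveDirectory
Import-Module DnsClient

# Placeholder only: substitute the Azure AD endpoint your tenant authenticates against.
$AzureAdEndpoint = 'azure-ad-endpoint.placeholder.invalid'

$results = New-Object 'System.Collections.Generic.List[object]'
function Add-Check ([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Schema version and forest functional level must be Windows Server 2003 or later.
$forest = Get-ADForest
$tooOld = @('Windows2000Forest', 'Windows2003InterimForest')
Add-Check 'Forest functional level >= 2003' ("$($forest.ForestMode)" -notin $tooOld) "$($forest.ForestMode)"

# Forests/domains with "dotted" NetBIOS names are not supported; check every domain.
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    Add-Check "NetBIOS name not dotted ($domainName)" (-not $domain.NetBIOSName.Contains('.')) $domain.NetBIOSName
}

# The AD Recycle Bin is recommended; EnabledScopes stays empty until it is turned on.
$recycleBin = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
Add-Check 'AD Recycle Bin enabled' (@($recycleBin.EnabledScopes).Count -gt 0) "$(@($recycleBin.EnabledScopes).Count) scope(s)"

# A writable domain controller is required; RODCs are not supported.
$writableDc = Get-ADDomainController -Discover -Writable -ErrorAction SilentlyContinue
Add-Check 'Writable DC discoverable' ($null -ne $writableDc) "$($writableDc.HostName)"

# Password writeback needs DCs on Windows Server 2008 R2 or later; flag plain 2003/2008.
$oldDcs = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -match 'Server (2003|2008)(?! R2)' }
Add-Check 'All DCs >= 2008 R2 (password writeback)' (@($oldDcs).Count -eq 0) (($oldDcs.HostName | Sort-Object) -join ', ')

# The server must resolve both on-premises AD names and the Azure AD endpoint.
foreach ($name in @($forest.RootDomain, $AzureAdEndpoint)) {
    $resolved = Resolve-DnsName -Name $name -ErrorAction SilentlyContinue
    Add-Check "DNS resolves $name" ($null -ne $resolved) (($resolved.IPAddress | Select-Object -First 3) -join ', ')
}

$results | Format-Table -AutoSize
```

Run it in an elevated session with an account that can read the forest; any row with Passed = False points at a prerequisite to fix before starting the installation wizard.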
To read part 2, please click here
To read part 3, please click here
To read part 4, please click here