Plan Directory Synchronization (part 3)
Plan Azure AD Connect Topologies
- Evaluate consolidating your forests- Generally, more overhead is required to maintain multiple forests, but if your organization needs separate forests, you have to simplify your on-premises environment.
- Use only in your primary logon forest- You should deploy Microsoft 365 only in your primary loon forest for your initial roll out of Microsoft 365.
Although multi-forest hybrid deployment prerequisites are virtually identical to the hybrid deployment ones for a single-forest organization, they have following exceptions:
- Autodiscover- If you have shared domains across multiple Exchange forests, then, both mail routing as well as Autodiscover endpoints should be configured ad work properly between the Exchange forests before configuring your multi-forest hybrid deployment.
- Certificates- A digital certificate is needed by all hybrid deployments by trusted third-party Certificate Authority (CA) and as a single digital certificate cannot be used for multiple AD forests, each forest have to use a Globally trusted dedicated CA-issued certificate for secure mail transport to function correctly in a hybrid deployment. The certificate used for hybrid deployment must differ in at least one of the following properties:
- Common Name (CN)- It is a part of the certificate subject which must match the host being authenticated and is typically the external hostname for the Client Access Server in the AD forest (like mail.contoso.com). It is recommended that the CN should be used as the differentiating property between AD certificates used in multi-forest hybrid deployments.
- Issuer- It is the third-party CA that verifies the organization information and issued the certificate like VeriSign or Go Daddy i.e. one forest can have a certificate issued by VeriSign and the other one can have a certificate issued by Go Daddy. For this situation you have to ensure that you identify when the certs expire so that some of your services don't become untrusted.
Plan Azure AD Connect Pass-through Authentication
- Run the Azure AD Connect Setup Wizard
- On the User Sign-in page, select the Pass-through authentication option
You should also make sure that all the ports needed for Azure AD pass-through authentication are available as follows:
Port |
Description |
80 |
Enables
outbound HTTP traffic for security validation such as SSL certificate
revocation lists. |
443 |
Enables
user authentication against Azure AD. |
8080/443 |
Enables
the Connector bootstrap sequence and Connector automatic update. |
9090 |
Enables
Connector registration (required only for the Connector registration
process). |
9091 |
Enables
Connector trust certificate automatic renewal. |
9352, 5671 |
Enables
communication between the Connector and the Azure AD service for incoming
requests. |
9350 |
[Optional]
enables better performance for incoming requests. |
10100-10120 |
Enables
responses from the connector back to Azure AD. |
Plan Azure AD Connect Password Hash Synchronization
How password hash synchronization works?
First of all, Azure AD Connect sync extracts your password hash from the on-premises AD instance to synchronize your passwords that are generally synchronized on a per-user basis and in chronological order. The password hash synchronization process runs every 2 minutes and its frequency cannot be modified. Whenever a password is synchronized, it overwrites the existing cloud password.
If an on-premises password is changed, the updated password is synchronized in a matter of minutes and if an error occurs during synchronization, the error occurs in your event viewer. However, if a user is already signed in, then this synchronization have no impact on the user but when the cloud service requires you to authenticate again you will have to provide your new password.
A user have to enter their corporate credentials a second time to authenticate to Azure AD whether they are signed in to their corporate network or not; but if the user selects the Keep Me Signed In (KMSI) check box during sign-in, then a session cookie is set that bypasses authentication for 180 days. You can also reduce password prompts by turning on seamless SSO where users can be signed in automatically whenever they are on their corporate devices connected to your corporate network.
Comments
Post a Comment