Sep 15, 2022
AD FS – Planning Identity Synchronization
If you are using the Azure AD Connect installation wizard to configure AD FS, there are additional requirements that must be met:
- If you are using Azure AD Connect to configure AD FS, the federation and web application proxy (WAP) servers must already have TLS/SSL certificates installed and the servers must be accessible via WinRM.
- AD FS server hosts must be Windows Server 2012 R2 or later.
- The AD FS farm servers must be domain-joined. The AD FS web application proxy servers must not be domain-joined.
- AD FS also has specific name resolution requirements. The internal DNS domain must use A records for the federation server farm (external DNS can use A records or CNAME records).
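The four requirements above can be checked before the Azure AD Connect wizard is run. The following PowerShell is an added example, not code from the original post or from Microsoft: it tests WinRM reachability, the operating system version, domain membership (farm servers joined, WAP servers not), the presence of a TLS/SSL certificate with a private key for the farm name, and that internal DNS answers the farm name with A records rather than a CNAME. The server names, the farm name and the version floor are assumptions.

```powershell
# Added example, not from the original post. Server names, farm name and the
# minimum OS version below are assumptions for illustration.
$FarmServers  = @('adfs01.corp.contoso.com', 'adfs02.corp.contoso.com')  # assumed farm members
$WapServers   = @('wap01.contoso.com', 'wap02.contoso.com')              # assumed WAP servers
$FarmName     = 'sts.contoso.com'                                        # assumed federation service name
$MinOsVersion = [Version]'6.3'   # Windows Server 2012 R2 reports kernel version 6.3

function Test-AdfsHostPrereq {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][bool]$ShouldBeDomainJoined
    )
    # WinRM must answer: Azure AD Connect configures these hosts remotely over it.
    $winrm = [bool](Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    if (-not $winrm) {
        return [pscustomobject]@{ ComputerName = $ComputerName; WinRM = $false
                                  OsOk = $null; DomainJoinOk = $null; CertOk = $null }
    }
    $remote = Invoke-Command -ComputerName $ComputerName -ArgumentList $FarmName -ScriptBlock {
        param($FarmName)
        $os = Get-CimInstance Win32_OperatingSystem
        $cs = Get-CimInstance Win32_ComputerSystem
        # A machine certificate with a private key whose subject or SAN covers the farm name.
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.HasPrivateKey -and
            ($_.Subject -like "*CN=$FarmName*" -or $_.DnsNameList.Unicode -contains $FarmName)
        }
        [pscustomobject]@{
            OsVersion    = [Version]$os.Version
            PartOfDomain = $cs.PartOfDomain
            HasCert      = [bool]$cert
        }
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        WinRM        = $true
        OsOk         = $remote.OsVersion -ge $MinOsVersion
        DomainJoinOk = $remote.PartOfDomain -eq $ShouldBeDomainJoined
        CertOk       = $remote.HasCert
    }
}

# Farm members must be domain-joined; WAP servers must not be.
$report = @(
    foreach ($s in $FarmServers) { Test-AdfsHostPrereq -ComputerName $s -ShouldBeDomainJoined $true }
    foreach ($s in $WapServers)  { Test-AdfsHostPrereq -ComputerName $s -ShouldBeDomainJoined $false }
)
$report | Format-Table -AutoSize

# Internal DNS must publish the farm name as A records, not as a CNAME.
# -DnsOnly bypasses the hosts file and cache so the answer reflects the DNS zone.
$answers = Resolve-DnsName -Name $FarmName -Type A -DnsOnly -ErrorAction SilentlyContinue
[pscustomobject]@{
    FarmName  = $FarmName
    ARecords  = (($answers | Where-Object QueryType -eq 'A').IPAddress -join ', ')
    UsesCname = [bool]($answers | Where-Object QueryType -eq 'CNAME')
} | Format-List
```

Because the WAP servers are workgroup members, `Test-WSMan` and `Invoke-Command` against them generally need an explicit `-Credential` and a TrustedHosts entry on the machine running the checks; the script reports `WinRM = $false` for any host it cannot reach, which is itself one of the wizard's prerequisites failing.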
Further information
While it is not covered by the MS-100 exam, per se, it’s important to note that externally, DNS will point to the AD FS WAP servers using the name deployed on the SSL/TLS certificate (such as sts.contoso.com or adfs.contoso.com). However, the AD FS WAP servers need to resolve the AD FS farm name to the internal farm servers, not to themselves. This is frequently accomplished by adding entries to the hosts file on each AD FS WAP server.
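The hosts-file approach described above, as an added example that is not part of the original post: run on a WAP server, it writes the farm name against the internal farm members idempotently, flushes the resolver cache, and then confirms the name resolves to the farm and not to one of the WAP's own addresses. The farm name and the internal addresses are assumptions.

```powershell
# Added example, not from the original post. Farm name and internal addresses are assumed.
$FarmName    = 'sts.contoso.com'              # name on the SSL/TLS certificate (assumed)
$FarmMembers = @('10.0.1.11', '10.0.1.12')    # internal AD FS farm servers (assumed)
$HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts"

function Set-FarmHostsEntry {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Addresses,
        [Parameter(Mandatory)][string]$Path
    )
    $lines = @(Get-Content -Path $Path -ErrorAction SilentlyContinue)
    # Drop any existing lines for this name so re-running the script does not duplicate them.
    $pattern = "^\s*\S+\s+$([regex]::Escape($Name))(\s|$)"
    $kept = $lines | Where-Object { $_ -notmatch $pattern }
    $new  = $Addresses | ForEach-Object { "$_`t$Name`t# AD FS farm (internal), pinned on WAP" }
    Set-Content -Path $Path -Value (@($kept) + @($new)) -Encoding ASCII
    Clear-DnsClientCache   # make the resolver pick up the change immediately
}

function Test-FarmNameResolution {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Expected
    )
    # Resolve through the system resolver (hosts file included), exactly as the WAP will.
    $resolved = @([System.Net.Dns]::GetHostAddresses($Name) |
        Where-Object AddressFamily -eq 'InterNetwork' |
        ForEach-Object IPAddressToString)
    $local = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
    $matchesFarm = ($resolved.Count -eq $Expected.Count) -and
                   -not ($Expected | Where-Object { $_ -notin $resolved })
    [pscustomobject]@{
        Name         = $Name
        ResolvesTo   = ($resolved -join ', ')
        MatchesFarm  = $matchesFarm
        PointsAtSelf = [bool]($resolved | Where-Object { $_ -in $local })   # must be $false
    }
}

Set-FarmHostsEntry -Name $FarmName -Addresses $FarmMembers -Path $HostsPath
Test-FarmNameResolution -Name $FarmName -Expected $FarmMembers
```

`PointsAtSelf` is the condition to watch: if it is `$true`, the WAP would proxy requests back to itself, which is the loop the hosts-file entries are meant to prevent. Writing to the hosts file requires an elevated session.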
Accounts and security
To successfully configure Azure AD Connect, you must have access to privileged accounts:
- You must have either an Azure AD Global Administrator or Hybrid Identity Administrator account to configure synchronization. These credentials are used to create a service account in Azure AD that’s used to provision and synchronize objects.
- If you use the Express setup option or upgrade from the legacy DirSync product, the installation account must be a member of Enterprise Admins in the local Active Directory.
- If you are configuring Azure AD Connect with a service account, the account must have the following permissions delegated:
  - Write permissions to Active Directory (if any hybrid writeback features are enabled, such as Exchange hybrid writeback, password writeback, group writeback, or device writeback)
  - If password hash synchronization is deployed, the service account must be delegated the special permissions called Replicating Directory Changes and Replicating Directory Changes All to read the password data from Active Directory
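Because Replicating Directory Changes and Replicating Directory Changes All let a principal read every attribute in the domain, including password hashes, it is worth knowing exactly which accounts hold them. The following PowerShell is an added example, not from the original post: it reads the domain's ACL, lists every principal allowed either extended right, and confirms the connector account has both. The account name is a placeholder, and the two extended-right GUIDs are the well-known ones for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example, not from the original post. The connector account name is a placeholder.
Import-Module ActiveDirectory
$ConnectorAccount = 'CONTOSO\MSOL_PLACEHOLDER'   # assumed; substitute the real AD DS Connector account
$DomainDn = (Get-ADDomain).DistinguishedName

# Extended-right GUIDs for the two replication permissions password hash sync requires.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The rights are granted on the domain naming context itself, so read that object's ACL.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $ReplRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Right    = $ReplRights[$_.ObjectType.ToString()]
            }
        }
}

$holders = Get-ReplicationRightHolders -DistinguishedName $DomainDn
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# The connector account needs both rights; any other identity in the list that is not a
# built-in administrative group or the domain controllers group should be reviewed.
$granted = @(($holders | Where-Object Identity -eq $ConnectorAccount).Right)
$missing = @($ReplRights.Values | Where-Object { $_ -notin $granted })
if ($missing.Count -gt 0) {
    "$ConnectorAccount is missing: $($missing -join ', ')"
} else {
    "$ConnectorAccount holds both replication rights"
}
```

Run this as part of a periodic review of the domain ACL, not only at deployment time: the connector account is the one principal outside the directory's own administrators that legitimately holds these rights, and the list should not grow quietly.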
Connectivity
Azure AD Connect needs to be able to communicate with both on-premises directories as well as Azure AD:
- Azure AD Connect must be able to resolve DNS for both internet and intranet locations.
- Azure AD Connect must be able to communicate with the root domain of all configured forests.
- If your network requires a proxy to connect to the internet, you must update the .NET Framework’s machine.config file with the appropriate proxy server address and port. If your proxy server requires authentication, you must use a custom installation and specify a domain-member service account.
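The three connectivity requirements above, as an added example that is not part of the original post: run on the server that will host Azure AD Connect, it resolves one intranet and one internet name, locates a domain controller for each forest root domain through its `_ldap._tcp.dc._msdcs` SRV record and tests LDAP reachability, and reads back whatever proxy is declared in the .NET Framework machine.config. The names, the forest root and the machine.config path (the 64-bit .NET Framework 4.x location) are assumptions.

```powershell
# Added example, not from the original post. Names, forest roots and the machine.config
# path are assumptions for illustration.
$IntranetNames = @('corp.contoso.com')             # assumed on-premises name
$InternetNames = @('login.microsoftonline.com')    # assumed Azure AD endpoint
$ForestRoots   = @('corp.contoso.com')             # root domain of each configured forest (assumed)

function Test-NameResolution {
    param([Parameter(Mandatory)][string[]]$Names)
    foreach ($n in $Names) {
        $r = Resolve-DnsName -Name $n -Type A -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $n
            Resolves  = [bool]$r
            Addresses = (($r | Where-Object QueryType -eq 'A').IPAddress -join ', ')
        }
    }
}

function Test-RootDomainReachability {
    param([Parameter(Mandatory)][string[]]$Domains)
    foreach ($d in $Domains) {
        # Locate a DC for the root domain via its SRV record, then test TCP 389 (LDAP).
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object QueryType -eq 'SRV' | Select-Object -First 1
        $dc  = $srv.NameTarget
        $ok  = if ($dc) {
            (Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
        } else { $false }
        [pscustomobject]@{ Domain = $d; DomainController = $dc; Ldap389 = $ok }
    }
}

function Get-DotNetProxySetting {
    # machine.config for 64-bit .NET Framework 4.x (assumed path for illustration)
    $path = "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config"
    [xml]$cfg = Get-Content -Path $path -Raw
    $proxy = $cfg.configuration.'system.net'.defaultProxy.proxy
    [pscustomobject]@{
        ConfigPath       = $path
        ProxyAddress     = $proxy.proxyaddress       # e.g. http://proxy:port when configured
        UseSystemDefault = $proxy.usesystemdefault
        ProxyConfigured  = [bool]$proxy.proxyaddress
    }
}

Test-NameResolution -Names ($IntranetNames + $InternetNames) | Format-Table -AutoSize
Test-RootDomainReachability -Domains $ForestRoots | Format-Table -AutoSize
Get-DotNetProxySetting | Format-List
```

If `ProxyConfigured` is `$false` on a network that requires a proxy, the installer's outbound calls to Azure AD will fail even though the internet name resolves; and if the proxy demands authentication, the last bullet above applies and a custom installation with a domain-member service account is required.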
If your environment meets the minimum requirements for deploying Azure AD Connect, you can download the components and begin the installation. You can download the most recent version of Azure AD Connect from https://aka.ms/aadconnect.