Welcome back to the MS 365 Security Administration course. I'm your instructor, Jim Daniels. In this video we're going to continue on with module two, identity and access.
This lesson is on identity synchronization, but we're going to delve into the world of Azure AD Connect. I'm a big advocate of Azure AD Connect. I've been using it since it was DirSync. It is the best way, and the recommended way, to extend your on-premises identity and directory services. We're going to specifically learn tips for planning a synchronization with Azure Active Directory, we're gonna learn pass-through authentication (PTA) with Azure AD Connect, some of the different considerations and gotchas with Azure AD Connect, and monitoring Azure AD Connect Health.
One of the favorite phrases of my dad, my granddad, my teachers, my father-in-law was "do it right the first time." I even find myself repeatedly saying that to my children when I give them tasks and chores: do it right the first time. If you take the time to plan (measure twice, cut once), you're gonna have a much better result.
Directory synchronization into Azure AD is a long-term commitment. We have a synchronization checklist. First, Active Directory preparation. Second, we're gonna look at those UPN suffixes. Third, we're gonna do some Microsoft 365 readiness checks. And fourth, we're going to run the MS 365 IdFix tool.
Some of the questions that you're gonna want to ask yourself: well, what is your routine? You wanna have a good idea of how you want things to function in Azure AD. Also the Azure AD Connect server: what server are you installing that on? Failover: do you need two of them? Do you need a staging server? How are you gonna filter the stuff? Are you gonna sync all users? Not sync certain OUs? How is that gonna work? Configuration: are you gonna do any of the advanced config options? Finally, look at your domain. Do you have one forest? Multiple forests? Do you have multiple tenants? Do you have more than one Microsoft 365 domain? All of these questions come into play early on when you plan your journey into Azure Active Directory.
You will also look at how Azure AD Connect will configure authentication for your users. There are two main options. One is password hash. This is where hashes are synced from on-premises Active Directory to Azure AD. Users have the same password both on premises and in Azure AD. The password is never sent to Azure AD or stored in Azure AD in clear text; it's the hash. Authentication takes place in Azure AD. Pass-through, just like it sounds: accounts are copied and synced into Azure Active Directory, but password hashes are not present in Azure AD.
With pass-through authentication you can enforce on-premises user account states, such as logon hours. Authentication takes place at an on-premises software agent. So think of pass-through as a modern ADFS. As I said, you can do it with Azure AD Connect. You're not sending a hash of a password into Azure AD. Just like with ADFS, you put the objects there and the objects exist; however, authentication goes back to an on-premises agent.
For multi-forest scenarios within Azure AD Connect, all of the forests need to be reachable by the single Azure AD Connect server. The end goal is for each user to be represented one time in Azure AD. Azure AD Connect staging servers can be deployed for failover if you want.
Requirements for the actual Azure AD Connect: for your on-premises AD, you need to have a schema and forest functional level of 2003. You need to have a domain controller of 2008 R2+ if you want to use password writeback. A read-only domain controller is not supported as the source for Azure AD Connect. Azure AD Connect itself has to be installed on a domain-joined server. If you're going to use ADFS, you need to have Server 2012 R2+. It's not recommended to install on a domain controller; that should be for obvious reasons. SQL Server DB 2012+ or SQL Server 2012 Express: Express is a local database that supports up to 100,000 objects. So if you're near that 100,000 object threshold or over, you're gonna have to actually get a SQL Server 2012+ database, not Express. To set up and use Azure AD Connect, you're gonna need to be a global admin for the Azure AD tenant as well as an enterprise admin for on-premises AD. Domain admins do not have the right to set up Azure AD Connect; they need to be an enterprise admin. .NET Framework 4.5.1 and beyond, PowerShell 3 and beyond.
For user objects, as they go from your on-premises AD into Azure AD, when they're initially synced they're sent with a UPN. So your on-premises AD objects need a UPN value. This value, once synced into Azure AD, has to be manually updated in Azure AD. If you update it on premises, it will not automatically update the UPN value. Blank values: sometimes a required attribute is null. That usually won't upload; it won't synchronize into the cloud. It will catch duplicates. You can only have one user per display name: each display name has to be unique, each UPN has to be unique, each SMTP address has to be unique.
IdFix searches and remediates your on-premises Active Directory issues and gets your environment ready for Azure AD Connect. It's recommended to use that tool until you have no more issues that need to be fixed before you actually run Azure AD Connect. Save yourself the headache and the time and trouble. Use IdFix, then set up Azure AD Connect.
You have a couple of different options. You have express settings for a single AD forest and password hash authentication, and you have custom settings. If you're using multiple AD forests, you've got to use custom settings. If you're using custom sign-in options such as ADFS or other federation, if you're using a non-Microsoft identity provider, if you are using anything other than Active Directory Domain Services, you need to use custom settings. If you're using synchronization filtering, you've got to use custom settings. If you go with express settings, you won't have the ability to set which domains and OUs within Active Directory will sync or not sync into Azure AD.
Which Azure AD Connect authentication model has authentication take place in Azure Active Directory: password hash or pass-through? You probably already know this. Just think about what pass-through means. Whenever you see pass-through, on an exam or doing work with Microsoft, ask: where does authentication pass through to authenticate? So with that being said, the answer would be password hash. It takes the local on-premises AD password, not the password but a hash, and it compares the two, so it does the authentication in Azure Active Directory. If you have password hash and your on-premises Active Directory goes completely down, users can still authenticate to MS 365 services through Azure Active Directory.
Azure AD Connect Health is a great and simple monitoring tool that basically provides you health updates. It gives you a snapshot of your Azure AD environment. It's an Azure AD Premium feature. There's a health agent that's installed on your domain controllers or federation servers. A global admin account is required to install and configure Azure AD Connect Health, and you need to have TCP port 443 open on the firewall to allow communication from the health agent. So, to recap this lesson:
When you do Azure AD Connect, you need careful planning, and you need to remediate your on-premises directory issues prior to implementing and installing Azure AD Connect. Password hash and pass-through are two authentication options within Azure AD Connect. Azure AD Connect Health is a tool that monitors on-premises and Azure AD synchronization services and infrastructure. Thank you for joining me on this lesson about Azure AD Connect. I will be seeing you in the next video. Thank you.
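The following PowerShell script is an added example, not code from the course or from Microsoft's IdFix tool. It illustrates the pre-synchronization checks the lesson describes (blank UPNs, UPN suffixes that are not verified in the tenant, and duplicate UPN, mail, SMTP proxy address and display name values) against on-premises Active Directory. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the directory; the domain names in $VerifiedDomains and the OU in $SearchBase are constructed placeholders to replace with your own.

```powershell
# Added example (not part of the course): report on-premises AD objects that would
# fail or be rewritten when synchronized to Azure AD. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholders: the domains verified in your M365 tenant and the OU to scan.
$VerifiedDomains = @('contoso.com', 'corp.contoso.com')
$SearchBase      = 'OU=Users,DC=contoso,DC=com'

$props = 'userPrincipalName', 'mail', 'proxyAddresses', 'displayName', 'sAMAccountName'
$users = Get-ADUser -Filter 'enabled -eq $true' -SearchBase $SearchBase -Properties $props

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Sam, [string]$Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; sAMAccountName = $Sam; Value = $Value })
}

# 1. Blank UPNs: a required attribute that is null will not synchronize.
$users | Where-Object { [string]::IsNullOrWhiteSpace($_.userPrincipalName) } |
    ForEach-Object { Add-Finding 'BlankUPN' $_.sAMAccountName '' }

# 2. UPN suffixes not verified in the tenant (for example a .local suffix) are not
#    usable as cloud sign-in names and should be fixed before the first sync.
$users | Where-Object { $_.userPrincipalName } | ForEach-Object {
    $suffix = ($_.userPrincipalName -split '@')[-1].ToLower()
    if ($VerifiedDomains -notcontains $suffix) {
        Add-Finding 'UnverifiedUPNSuffix' $_.sAMAccountName $_.userPrincipalName
    }
}

# 3. Duplicates: UPN, mail, every SMTP proxy address and display name must be unique.
function Find-Duplicates([string]$Check, [scriptblock]$Selector) {
    $users | ForEach-Object {
        $u = $_
        & $Selector $u | Where-Object { $_ } |
            ForEach-Object { [pscustomobject]@{ Sam = $u.sAMAccountName; Key = $_.ToLower() } }
    } | Group-Object Key | Where-Object Count -gt 1 | ForEach-Object {
        foreach ($m in $_.Group) { Add-Finding $Check $m.Sam $_.Name }
    }
}
Find-Duplicates 'DuplicateUPN'         { param($u) $u.userPrincipalName }
Find-Duplicates 'DuplicateMail'        { param($u) $u.mail }
Find-Duplicates 'DuplicateDisplayName' { param($u) $u.displayName }
# proxyAddresses entries look like "SMTP:primary@domain" or "smtp:alias@domain";
# -like is case-insensitive, so both forms are compared after stripping the prefix.
Find-Duplicates 'DuplicateSMTP' {
    param($u)
    $u.proxyAddresses | Where-Object { $_ -like 'smtp:*' } | ForEach-Object { $_.Substring(5) }
}

# Review on screen and keep a CSV for the remediation pass.
$findings | Sort-Object Check, sAMAccountName | Format-Table -AutoSize
$findings | Export-Csv -Path .\presync-findings.csv -NoTypeInformation
```

Run it from a domain-joined management workstation before the first Azure AD Connect sync and again after each round of fixes; the goal, as the lesson says, is an empty findings list before you install Azure AD Connect.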