Azure AD Sync: Difference between revisions

From SambaWiki
(Make notes on having this work in Samba)

Revision as of 14:34, 16 March 2023

Azure AD Connect cloud sync - Agent installation and configuration

Requirements:

  • samba4 AD-DC (tested with 4.12.11)
  • samba-tool domain functionalprep --function-level=2012_R2 run successfully
  • samba-tool domain schemaupgrade --schema=2012_R2 run successfully
  • Windows Server 2016 in English. If, for example, an attempt is made to install the agent on a German-language system, the process terminates when the services are started.
  • .NET Framework version 4.7.1
  • aad-connect user, a member of the Enterprise Admins group (the configuration wizard needs it to connect to the local Active Directory).

Install the Agent:

  • Sign in to the server you'll use with enterprise admin permissions
  • Sign in to the Azure portal, and then go to Azure Active Directory
  • In the left menu, select Azure AD Connect
  • Select Manage cloud sync > Review all agents
  • Download the Azure AD Connect provisioning agent from the Azure portal

With agent version 1.1.281.0 and later, the agent configuration wizard by default prompts you to set up a Group Managed Service Account (GMSA). In this scenario you can skip the GMSA setup:

  • Run the agent installer as Administrator to install the new agent binaries. Close the agent configuration wizard which opens up automatically after the installation is successful.
  • Use the 'Run' menu item to open the registry editor (regedit.exe)
  • Locate the key folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent
  • Right-click and select "New -> DWORD Value"
  • Provide the name: UseCredentials
  • Double-click on the Value Name and enter the value data as 1.

  • After this operation, start the configuration wizard and enter the Microsoft 365 credentials and the credentials for the connection to the local Active Directory (the aad-connect user).

Verify Agent Installation on Azure portal:

  • Sign in to the Azure portal
  • Select Azure Active Directory > Azure AD Connect. In the center, select Manage cloud sync.

  • Select Review all agents

On the On-premises provisioning agents screen, you see the agents you installed. Verify that the agent in question is listed and is marked 'active'.

Verify Agent Installation on the local server:

  • Open Services as Administrator by either navigating to it or by going to Start > Run > Services.msc.

Make sure Microsoft Azure AD Connect Agent Updater and Microsoft Azure AD Connect Provisioning Agent are there and their status is 'Running'.
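The regedit step above and this service check can be scripted so the result is verified rather than eyeballed. The following is an added example, not part of the SambaWiki page or of Microsoft's tooling; it uses the registry path, value name and service display names given in the steps above and must run in an elevated PowerShell session on the agent server.

```powershell
# Added example (not from the SambaWiki page): scripts the manual regedit step
# (UseCredentials = 1) and the local service verification. Run as Administrator.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent'

# The key is created by the agent installer; if it is missing, the binaries are not installed yet.
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Registry key not found: $keyPath - install the provisioning agent first."
}

# Create or overwrite the UseCredentials DWORD (1 = skip the GMSA setup in the wizard).
New-ItemProperty -LiteralPath $keyPath -Name 'UseCredentials' -Value 1 `
    -PropertyType DWord -Force | Out-Null

# Read the value back and confirm both its data and its type.
$item = Get-ItemProperty -LiteralPath $keyPath -Name 'UseCredentials'
if ($item.UseCredentials -ne 1) { throw 'UseCredentials was not set to 1.' }
$kind = (Get-Item -LiteralPath $keyPath).GetValueKind('UseCredentials')
if ($kind -ne 'DWord') { throw "UseCredentials has type $kind, expected DWord." }
Write-Host "UseCredentials = 1 (DWord) set under $keyPath"

# After the configuration wizard has been run: verify that both agent services
# exist and are running, using the display names shown in the Services console.
$expected = @(
    'Microsoft Azure AD Connect Agent Updater',
    'Microsoft Azure AD Connect Provisioning Agent'
)
foreach ($name in $expected) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found - was the wizard completed?"
        continue
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service '$name' is $($svc.Status), expected Running."
    } else {
        Write-Host "Service '$name' is Running."
    }
}
```

The registry part must be run before the configuration wizard and the service check after it; running the whole script twice is harmless because New-ItemProperty -Force simply rewrites the same value.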

After you install the Azure AD Connect provisioning agent, you need to log in to the Azure portal and configure it.

Supported Samba Versions for Password sync

Azure AD Connect cloud sync

See https://bugzilla.samba.org/show_bug.cgi?id=10635 for details of the Samba versions that support password hash sync with the "cloud sync" tool.

Blocking issues

At a technical level, the issue is that the tool requests the user's password via their GUID. This was not a method that other tools had used, nor was it used by normal operations in Active Directory, so it was unsupported.

Azure AD Connect

Azure AD Connect - Prerequisites for the installation

  • Azure AD Connect must be installed on a domain-joined machine running Windows Server 2016 or later - note that Windows Server 2022 is not yet supported. You can deploy Azure AD Connect on Windows Server 2016, but because Windows Server 2016 has extended support, a paid support program may be required if you need assistance with this configuration. It is recommended that you use a domain-joined computer running Windows Server 2019.
  • The minimum required version for .NET Framework is 4.6.2, and newer versions of .NET are also supported.
  • Azure AD Connect cannot be installed on Small Business Server or Windows Server Essentials prior to 2019 (Windows Server Essentials 2019 is supported). The server must be running Windows Server Standard or later.
  • A full GUI must be installed on the Azure AD Connect server. Installation of Azure AD Connect on Windows Server Core is not supported.

Component requirements

  • Azure AD Connect depends on Microsoft PowerShell 5.0 and .NET Framework 4.5.1, and the server must have this version or a later version installed.
  • Enabling TLS 1.2 for Azure AD Connect

Blocking issues

It appears that the primary blocking issue with this tool is that the user account is not an administrator, while currently released Samba versions require both GET_ALL_CHANGES rights and domain administrator privileges.