I have been spending a lot of time building Azure environments lately. I have found that it is a great way to provide some extra redundancy for client networks and when you use 3-Year reserved VMs, the redundancy is not cost prohibitive.
However, since I usually use the Azure portal to build the VMs instead of Powershell, I have found that the OS Disk, NICs and Data Disks usually get some funky names. I am a huge fan of a nice clean Azure install, so I prefer to change them to match the rest of the environment’s naming conventions. Usually this means I have to do some manual swapping etc.
Thanks to some scripts created by Charbel Nemnom (his blog is https://charbelnemnom.com), renaming some of the things created by Azure is a whole lot easier.
Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures pre-requisites and components required for the connection, including sync and sign-on. Azure AD Connect encompasses functionality that was previously released as Dirsync and AAD Sync. Here is a guide on how to synchronize your on-premises AD with Azure Active Directory using the Azure AD Connect tool, and how to use the built-in AAD Connect troubleshooting tool. Azure AD Connect uses 3 accounts in order to synchronize information from on-premises or Windows Server Active Directory to Azure Active Directory. These accounts are: AD DS Connector account used to read/write information to Windows Server Active Directory, and ADSync service account used to run the synchronization service and access the SQL database, and Azure AD Connector account used to write information to Azure AD.
Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features:
- Password hash synchronization: A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD.
- Pass-through authentication: A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.
- Federation integration: Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
- Synchronization: Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.
- Health Monitoring: Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
You may also encounter issues adding the directories with the service account. You can still add the on-premise environment (directory) even without having the right permission tied to the service account. But you may find in the “Synchronization Service Manager“, the following error “permission issues with error code 8344: insufficient access rights to perform the operation”.
To resolve this issue, please provide the necessary permission to the service account on the AD Connect Server by adding the service account into the Administrators Group (Built-in OU). It is recommended to let Azure AD Connect or you can specify a synchronization account with the correct permission. I pre-provisioned one and this is absolutely fine!
Most times, this isn’t sufficient, you will have to add the service account as a member of the Administrator’s group in Active Directory. – You cannot use your Enterprise or Domain administrator account for your AD Forest account.
This resolved my import issue. Please proceed to the Azure Synchronization Service Manager server and rerun the synchronization and check the Sync status whether it is completed without error.
Note: If you are using Password Hash Sync (PHS), you may want to use PowerShell script to configure the required permission or by enabling inheritance for the specific users. To resolve this issue, perform the following steps
- Run Active Directory Inheritance script to get a list of users on which inheritance is blocked. Once you’ve the list pls make sure that you allow inheritance on those users/groups.
- To allow inheritance, Make sure Advance Features are enabled in View then go to user properties –> Security –> Advanced –> Select the check box “to include inheritable permissions from this object’s parent”