MD-101 Managing Modern Desktops Topic: Joining an On-Premise Active Directory Domain with AzureAD
December 16, 2022

1. Configuring Custom Domain Settings in Active Directory

Now that we’ve explored user identities and user profiles and have gotten an understanding of getting into Azure Active Directory, I want to begin moving us in the direction of connecting our on-premises Active Directory, AD DS (Active Directory Domain Services), with Azure AD. Okay. Now, in order to do that, there are some considerations. First off, we need to consider what our domain name is in Active Directory. In my little lab environment here, my domain name is examlabpractice.com. I can go into my domain controller and click Start, then Server Manager, then Tools, and then Active Directory Users and Computers. And you can clearly see what my domain name is here. I’ll zoom in on that for you. It’s examlabpractice.com. Okay. And I have a DNS database that would need to be accessible over the Internet in order to register that name in my Azure AD. So here’s the thing: when we connect our on-premises domain to our Azure account, we’re aiming for what’s known as “seamless SSO.” SSO stands for single sign-on, so seamless single sign-on. And the goal there is to make it so that when your users log on to the on-premises domain, they’re also going to automatically get logged on to the cloud, right? That’s what we’re trying to get at here. But in order to do that, we need to make sure that we have the right to use this name out in the cloud, okay? So in order to do that, first off, we have to have a DNS server that is accessible from the Internet. We’re going to say that my DNS server is here. I’m going to click Tools, and then I’m going to go to Group Policy, sorry, DNS, and then we’ll zoom in on that for you. Here’s my DNS server. And I have a database called Forward Lookup Zones. Okay? Now, if I had another DNS name here that I wanted to make available, I could create another DNS database, okay?
I’ll make another database, not to turn this into a server class and dive into the concepts of DNS right now, but to create a small database in which I can create DNS records. And I’m going to give this little database a name: abccorp.com, just a random company name. Click Next, Next, and then we’ll click Finish. We’ve now got a database called abccorp.com. But here’s the problem: currently, if you wanted any of your users to also be known as abccorp.com, you would have to tell Active Directory that, because right now Active Directory is only going to allow this one name, examlabpractice.com, to be associated with your users, okay? For example, if I go back to Active Directory Users and Computers and double-click on a user like Jane Doe, then go to the Account tab here, I’ll notice that Jane Doe’s name is Jane [email protected]. By the way, they call that a UPN, or user principal name, which is basically formatted like an email address, okay? If I drop that down, there is no way for me to put abccorp.com in there, even though I’ve created a DNS database for it. There’s no way for me to do that. So let me show you how to do that, actually. Okay, so I’m going to go back into Server Manager here. I’m going to go to Tools, and I’m going to open up this tool called Active Directory Domains and Trusts. So let’s open that tool up, and inside that tool I can actually specify additional domain names. So let’s zoom in on that. All right. I’ll right-click Active Directory Domains and Trusts at the top of the tree and go to Properties. And right here I can add an additional UPN suffix that Active Directory will allow my users to be associated with. So I could go right here and say abccorp.com. I can add that. I can close out of that by clicking OK. Let’s return to Active Directory Users and Computers. Let’s double-click on Jane Doe, go back to Account, and notice that now I can drop that down, and Jane Doe could be known as abccorp.com. Okay?
So I can have both of these names if I want. And if you start getting into Exchange Online, where you want to have all your email hosted in the Microsoft 365 services, which of course is part of the Office subscription, the great thing is that when I link my on-premises environment with my AD environment in the cloud, it will already be set up and ready to go. Okay? So this is what has to happen on the Active Directory side in order to have names registered, okay? Keep in mind that your DNS server is going to get checked from the cloud. So you do have to make sure that you have what we call an Internet-facing DNS server. That means a DNS server that the Microsoft 365 cloud is going to query to verify that you actually do own that name. Okay, which I’m going to talk more about in this next little lesson, which gives you an idea of what’s going to happen on the premises side in order to make all that work.

2. Configuring Custom Domain Settings in AzureAD

Okay, so here we are on admin.microsoft.com, also reachable as portal.microsoft.com, also known as the Microsoft 365 admin center. Okay, so this is where I’m going to go, and I’m going to add a custom domain. You saw me in the previous segment work on the AD DS side of things to get the DNS ready for my on-premises Active Directory. But now I’ve actually got to tell the cloud about it so that I can link all this together. Okay? In order to do that, I’m going to click “Show all,” drop down Settings, and click Domains, okay? From Domains, I’m going to add a new domain, and in order to add a domain, I’m going to type that new domain in. Okay? Now here’s the thing: if you own the name and you’re hosting it through somebody like GoDaddy, Microsoft has an agreement with GoDaddy. So you can actually put in a name like examlabpractice.com, which is hosted through GoDaddy, and all I have to do there is put my GoDaddy credentials in, and it will do everything I need. I didn’t have to do anything special in order to do that. However, if I were hosting my DNS on a Microsoft server like I showed you in the last lecture, then I could put the name here. We’ll call it abccorp.com. Now keep in mind I don’t really own that name, but we’re going to pretend like I do and that my server has been set up with DNS, and I want to show you what would have to happen in order to get this all to work. So I’m going to say “Use this domain.” It’s processing. It says, “Okay, here’s the deal: if you own the name, verify that you actually own the name.” So there are two ways that I can verify that I actually own a domain name. Okay? One way is to create what’s called a TXT record in my DNS server, which is just a generic record; you can put anything you want in a TXT record in the real world, and whoever queries that record gets back whatever you put there. If you wanted, you could put someone’s phone number in there.
Now in this case, though, what they’re doing is saying, “Hey, if you really own this name, abccorp.com, then create a TXT record with this value right here.” Okay? Now once you do that, when you click Verify down at the bottom, it’s going to query that DNS server for that name and check the records there. If the record is there, then it says, “Okay, you must really own the name, because you were able to create the record.” Okay? So it’s almost like one of those one-time passwords that they would text to your phone or send you via email. Now, alternatively, you could do this with an MX record as well. Okay? An MX record is a mail exchange record. So you can do the same thing: you could create an MX record on the DNS server with this value here, and then it would check that. It’s important, if you’re taking the exam, that you know those two main ways to verify that you own the domain. Keep in mind, though, that the third way is that Microsoft has partnered up with GoDaddy and companies like that, and you could then enter your credentials. If this were a GoDaddy-hosted domain, it would prompt me for that. Okay, what you want to remember for the exam is that you can create a TXT record or an MX record. Okay? So now what I’m going to do is go back and create this record in my DNS server. I’m back over here now on my DNS server, and I’m going to zoom in for you here. We’re looking at the abccorp.com zone right here. So all I would need to do is right-click this, then click Other New Records. I’m going to scroll down and find the TXT record right here. Okay, click Create Record. And you’re actually not going to put anything for the record name right here. You’re going to leave that blank and type in the code that they gave us. And the code they gave me was “MS” (lowercase ms) followed by 463-73-7721. So then I would click OK and Done, and I’ve completed this record, and that’s pretty much it on the server side.
As long as this is on a server that is Internet-facing, meaning it can be reached from the Internet, at that point it would be able to verify that name. So jumping back over to the Microsoft 365 portal, we can see here that this is the record that I created, and I could then click Verify, and it would be able to verify it. Okay, granted, again, I don’t really own that name. I do own the name examlabpractice.com, but that, of course, was already registered when I initially set up this cloud tenant. So I click Verify, and in a real setup it would verify, though here it is going to throw an error because, again, I don’t really own that name. But that gives you guys an idea of what you’ve got to do on the AD side, the on-premises side, and then what you’ve got to do on the cloud side in order to get your DNS names registered.
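The same steps from lessons 1 and 2 (UPN suffix, DNS zone, verification record, and the Internet-visibility check the admin center relies on) as one PowerShell run on the domain controller. This is an added example, not code from the course; it assumes the ActiveDirectory and DnsServer modules, the lab names used above, a hypothetical sAMAccountName `jdoe` for Jane Doe, and a PLACEHOLDER verification value that you copy from the “Verify domain” page.

```powershell
# Added example, not from the course. Assumes the ActiveDirectory and DnsServer
# modules on the DC, the lab names from the lecture, and a PLACEHOLDER token.
Import-Module ActiveDirectory
Import-Module DnsServer

$Suffix  = 'abccorp.com'        # extra domain name users may be known by
$MsToken = 'MS=msXXXXXXXX'      # PLACEHOLDER: value shown on the admin center's Verify page
$Sam     = 'jdoe'               # assumed sAMAccountName for Jane Doe

# 1. Register the UPN suffix at forest level (Domains and Trusts > Properties).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
}

# 2. Create the forward lookup zone once; re-running the script must not fail.
if (-not (Get-DnsServerZone -Name $Suffix -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Suffix -ReplicationScope 'Domain'
}

# 3. Proof-of-ownership record at the zone apex ('@' is the blank host name
#    from DNS Manager). TXT is used here; the MX form is the alternative.
Add-DnsServerResourceRecord -ZoneName $Suffix -Txt -Name '@' -DescriptiveText $MsToken
# Add-DnsServerResourceRecordMX -ZoneName $Suffix -Name '@' `
#     -MailExchange 'msXXXXXXXX.msv1.invalid' -Preference 32767   # PLACEHOLDER target

# 4. Re-home one user onto the new suffix, as done for Jane Doe in the GUI.
$Upn = '{0}@{1}' -f $Sam, $Suffix
Set-ADUser -Identity $Sam -UserPrincipalName $Upn
Get-ADUser -Identity $Sam | Select-Object SamAccountName, UserPrincipalName

# 5. The check that matters: ask a public resolver (8.8.8.8 here), not the DC
#    itself. No answer means the zone is not Internet-facing and Verify will fail.
$answer = Resolve-DnsName -Name $Suffix -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
          Where-Object { $_.Strings -contains $MsToken }
if ($answer) { 'TXT record is visible from the Internet; click Verify.' }
else         { 'TXT record not visible yet: check public delegation of the zone, or wait for the TTL.' }
```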

3. Performing an Active Directory Cleanup

Okay? So as we move closer to being able to connect our on-premises Active Directory to Azure AD, there are some things you need to understand. First off, Active Directory allows certain things that Azure AD does not allow. And if you’re going to synchronise user and group information out to the cloud so that you can do seamless SSO, you’ve got to fix some things. You’ve got to make sure things are clean. So what we’re going to do is I’m going to show you how to do an Active Directory cleanup to fix issues, okay? First, we must identify some issues. All right? So I’m going to go to Tools, Active Directory Users and Computers. We’ll pull that up, and we’ll zoom in on that. And I’m going to create a couple of users here whose names have spaces in them, okay? Now a space is an invalid character. You’ll notice that Jane Doe here has a space, but that’s not in her username. If you click on Jane Doe right here, you’ll notice that there is no space there. We’re going to create a couple of users that do have a space. We’re going to put them in the Atlanta OU. So we’re going to create a user. I’m going to call this user Jimmy Smith. Maybe this is John Smith’s brother. Okay. So his username is going to be “Jimmy Smith.” And notice I put a space there; that’s not allowed in Azure AD. They will not allow that. If you try to synchronise Azure AD with an account like this, it will just not synchronise that user. So we’re going to cause a problem. We’re going to create that user here; just give it a password, okay? And then notice that it was able to create it. If I click on the Account tab, you’ll notice that that tab will show that the user has a space in his name. You’ll notice my directory is moving a little slowly. This virtual machine doesn’t have a tonne of memory, so it goes a little bit slowly. But here it is, right here.
If I click on the Account tab, you’ll see the space there. So we’ve now got a user that would be a problem. It’s not going to stop all syncing in Azure AD, but it would stop this one user from synchronising. I’m now going to go and download a tool that’s going to scan Active Directory for these problems. Now granted, this is just one user. He’s easy enough to fix. But imagine if you had tens of thousands of users and there were all sorts of problems, maybe invalid characters and things like that, that Active Directory has allowed over the years and Azure AD will not permit. So Microsoft created a little tool that can help us. So here I am on Google. The tool is called the IdFix tool. So I’m going to search “download IdFix,” okay. And then here it is, right here. Actually, that’s just an article. This is the download page. We’re going to click the download page right here, and that’s going to bring us to this tool, where we can actually download it, and we’ll copy it across to that domain controller. Okay, so here it is. I’m going to click “download.” It’s going to give me the option to download the tool when it pops up, and then I’m going to save the tool. So we’ll just say Save As, and we’ll send it to our domain controller’s C$ share, \\NYCDC1\C$. We’re just going to save it right there on the C drive. And now it has been officially downloaded. We’re going to jump over to the domain controller now. All right? We’re going to open up File Explorer. We’ll go to our C drive. And then there is the tool right there, in a little zip file. We’re going to copy the exe file that’s inside the zip file. Let me zoom in for you. Copy that over to our desktop. Okay, so now the IdFix tool is on our desktop, and we can run that tool by double-clicking on it. Okay. It’s going to give you a little message here about Microsoft’s privacy statement. That’s fine. We’ll click OK to that. Okay. And this is what the tool looks like. It’s very basic.
Okay? Very, very basic. Zooming in on it. Okay, I’m going to tell it to do a query. It’s going to query Active Directory and look for problems. And hello there! Jimmy Smith, that user I just created, has a problem. He’s got an invalid character. So what I can do is go to Action and say “Edit.” And that’s going to allow us to edit that user and fix it. So we’re going to apply that change. Are you sure? Yes, it’s complete. And then I’m going to accept the change. Click Yes. And of course, guys, again, if I had tens of thousands of users, you’d see a lot more users here. You can go one at a time and just make sure it’s not going to break anything major. Right? Okay, so that’s been fixed. Now I’m going to close out of the tool, and we’ll go back into Active Directory Users and Computers and take a look. There’s Jimmy Smith. Notice that he still has his space in his display name. That’s not a problem. The display name is not a problem. It’s the account name that’s the problem. So let’s go to the Account tab and look there. It’s fixed. Okay, so this IdFix tool is a very handy tool. It can certainly clean things up in Active Directory and smooth out any kinks before you begin Azure AD Connect.
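A read-only scan for the kinds of problems IdFix reports, so you can see the extent of the cleanup before running the tool at scale. This is an added example, not the IdFix tool or code from the course; it assumes the ActiveDirectory module, the lab domain `examlabpractice.com`, and the attribute length caps shown as assumed values in the comments.

```powershell
# Added example, not the IdFix tool: a read-only scan for attribute problems
# that block a user from synchronising. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'DC=examlabpractice,DC=com'
# Characters Azure AD accepts in the UPN local part; a space is not among them.
$UpnLocalOk = '^[A-Za-z0-9''._\-!#^~]+$'
# Length caps for synced attributes (assumed values; confirm against current docs).
$Limits = @{ GivenName = 64; Surname = 64; DisplayName = 256; mail = 256; UserPrincipalName = 113 }

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
             -Properties DisplayName, mail, proxyAddresses

$findings = @(foreach ($u in $users) {
    $problems = @()

    # sAMAccountName: the attribute IdFix flagged for "Jimmy Smith".
    if ($u.SamAccountName -match '[\s"/\\\[\]:;|=,+*?<>]') {
        $problems += "sAMAccountName contains a space or other invalid character: '$($u.SamAccountName)'"
    }

    # userPrincipalName: the name the cloud account will be created under.
    if (-not $u.UserPrincipalName) {
        $problems += 'userPrincipalName is empty'
    } else {
        $local = $u.UserPrincipalName.Split('@')[0]
        if ($local -notmatch $UpnLocalOk) { $problems += "UPN has an invalid character: '$($u.UserPrincipalName)'" }
        if ($local -match '^\.|\.$')      { $problems += 'UPN local part starts or ends with a period' }
    }

    foreach ($attr in $Limits.Keys) {
        $val = $u.$attr
        if ($val -and $val.Length -gt $Limits[$attr]) { $problems += "$attr exceeds $($Limits[$attr]) characters" }
    }
    foreach ($p in $problems) { [pscustomobject]@{ User = $u.DistinguishedName; Problem = $p } }
})

# mail and proxyAddresses must be unique; a duplicate blocks the sync of both objects.
$addresses = @(foreach ($u in $users) {
    if ($u.mail) { [pscustomobject]@{ User = $u.DistinguishedName; Address = $u.mail.ToLower() } }
    foreach ($pa in $u.proxyAddresses) {
        # -replace is case-insensitive, so this strips SMTP: and smtp: alike
        [pscustomobject]@{ User = $u.DistinguishedName; Address = ($pa -replace '^smtp:', '').ToLower() }
    }
})
$findings += @($addresses | Group-Object Address | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{ User = ($_.Group.User -join '; '); Problem = "duplicate address '$($_.Name)'" }
})

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings: safe to start the pilot sync.' }
```

Nothing here writes to the directory; fix the reported objects with IdFix or Set-ADUser once you have reviewed the list.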

4. Performing Azure AD Connect

So now that we’ve got our custom domain set up and we’ve got Active Directory cleaned up, we are officially ready to start installing Azure AD Connect and synchronising our on-premises Active Directory with Azure AD. Okay, so here I am on my domain controller right now, and I’m opening up the Active Directory Users and Computers tool here.

Once we take a look at this tool, one thing that I want to look at here is this. Now, it is true that we could synchronise our entire domain. Perhaps we have thousands of users or something else we want to synchronise to the cloud. However, Microsoft recommends that you pilot this first. Now, when I say “pilot,” what I mean is you should move some users into the cloud and make sure everything works okay before you start moving your production over. Okay? So what I’m going to do is create an organisational unit called Pilot. These are going to be the accounts that are going to get moved into the cloud: users, groups, whatever. Okay? So I’m going to move some users; we’re going to move these users here: Jane Doe, Billy Williams, Alex Rogers, and Joe Norman. We’re going to test them out.

We’re going to move them into that Pilot OU. And we’ll have a group here as well. Maybe these are our IT people. Who better to pilot this than the IT people, right? Because your IT people are the ones who are probably going to have to fix problems if something goes wrong, right? So we’re just going to create a group. We’re going to put these people in the IT group, and then we’ll go from there. Okay, so here we go. We’re adding these users here into the group. Okay, those users, I believe that’s everyone, and we’ll click OK. Okay, so we have our group and our organisational unit. Even though the cloud does not have organisational units, it’s still going to store attribute information about them. And there’s a way to actually specify information based on OUs, but we’re not going to get into that right now.

The main thing is that when I go to install Azure AD Connect, which is going to synchronise my on-premises domain with the cloud, I’m going to need to specify exactly what I want to synchronise. And I don’t want to synchronise the entire domain right now. I’m just going to synchronise these users. Now keep in mind that later down the road, I can come back and synchronise everybody all at once. Okay? All right, so now what we’re going to do is jump right over and take a look at the Windows 10 computer. We’re going to download the tools we need on that Windows 10 computer. I’m not going to do it on this domain controller, because the domain controller has a lot of restrictions on it for downloading software. We’re going to do it on Windows 10. Then we’ll move it onto the domain controller. Okay? So we’re going to do that right now. Okay, so here I am on portal.azure.com, and I’ve logged on, all right? And I’m going to click on the little menu bar here. We’re going to go to Azure Active Directory.

Okay, so Azure Active Directory. And then I want to zoom in on something for you here. We’re going to zoom in on this, and we’re going to take a look at Azure AD Connect. So we’re going to click that blade. All right. Once we get in there, notice that it says we can download the tool. So right now, synchronisation has not started. We have not yet begun to synchronise with our on-premises directory. So right now, Azure AD and AD DS don’t know each other. They have no connection with each other whatsoever. But that’s all going to change once I get this tool installed. Okay? So we’re going to click to download the Azure AD Connect tool. Zoom out for a second there. While that’s loading, here’s the tool right here. I’m going to click to download it. It’s going to ask, and say, “Okay, it’s downloading.”

All right? It downloaded fairly quickly. It’s almost done. And we’re going to transfer that to that domain controller. We’re going to run Azure AD Connect. Now, keep in mind that you do not have to install Azure AD Connect on a domain controller. In fact, it is recommended in the real world that you install Azure AD Connect on a dedicated server, okay? If you wanted to install it on a domain controller, you could, but it’s recommended that it be installed on a dedicated server. I’m going to put it on my domain controller, though, because I don’t have a bunch of servers at my disposal in this little lab environment that I’ve got. But I’m going to copy this tool. Okay, let me zoom in. And we’re just going to connect over to our domain controller’s C$ share, \\NYCDC1\C$, which is the C drive over there. We’re just going to paste it right on the C drive so that I can get to it. Okay? So now that it’s over there, we’re going to jump back over to the domain controller, and we will go ahead and start to install it. Okay, so here we are. We’re on the domain controller. All right, I’m going to open up File Explorer, and there it is on the C drive where I copied it. Okay, so I’m going to go ahead and install that. So we’re going to click “Install.” All right? It says it’s installing Azure AD Connect now. All right, we’ll zoom out.

Okay, here’s the Azure AD Connect wizard. Okay, so let me zoom in on this. We’re going to go ahead and accept their licence agreement here, all right? And I’m going to hit “Continue.” Next it’s going to ask me if I would like to do an express install here. So I could choose to do an express install, and it would just synchronise everything. I don’t want to do an express install right now, so I’m going to choose Customize and then click Install, because that’s going to let me customise some of the settings, okay, which I’ll go through and explain to you here in just a second. Okay. I’m going to pause the video for a second while that is installing, because it is going to take a few minutes to download everything that it needs; it’s actually installing some files and pulling down components from Microsoft’s website before I can actually get the ball rolling on all this. Okay, so we’re going to pause, and we’ll start right back. Okay, so the wizard has finished installing here, and now we are officially at the section where we’re actually going to connect Azure AD and Active Directory together. Okay, let’s take a look at these options real quick. All right, so there are a few options we’ve got here.

We can do what’s called “password hash synchronization,” where it’s going to synchronise the password hashes, which are the hashed (one-way scrambled) forms of your passwords rather than the passwords themselves. And those will be sent to Microsoft’s cloud. And this is going to help us achieve seamless SSO, in that when somebody logs on on premises, it’s going to synchronise to the cloud. Another cool feature is that if someone is on the outside and wants to access the Microsoft 365 services, they can use the same password that we have on-prem. Another advantage of password hash synchronisation is that even if Active Directory on premises is not accessible from the outside world, they can still access all of their cloud services. Password hash synchronisation is the one that Microsoft recommends that everybody use.

Now of course, if you are in a situation where maybe it’s against compliance rules for you to synchronise on-premises password hashes with the cloud and let Microsoft have your password hashes, well then you would need to go with one of these other options, okay? Because this one is going to mean that Microsoft has a copy of your password hashes. And if that’s a compliance problem, then that’s a problem. I actually did some work with a hospital in Texas one time, and that was the situation they were in as they were moving into the cloud. For HIPAA compliance and all that, they couldn’t have their password hashes synchronised to the cloud. So you have a couple of other options. Pass-through authentication: this is going to install an agent on your server on premises, your Azure AD Connect server. And what will happen is that when people are on the inside trying to go out to the cloud, it’ll do seamless SSO, so they can log on on premises and be signed in to the cloud as well. They can immediately start accessing cloud resources: OneDrive, SharePoint Online, all that.

If they are on the outside and log into their account, the same account that they have on premises, the Azure AD service will talk to the pass-through authentication (PTA) agent and authenticate them on the inside. The disadvantage of this one is, and you’ll notice that this is the case with all of the remaining options, that if you lose connectivity with your on-premises environment, the person on the outside cannot log on. So if you had somebody who was trying to log on to their Microsoft 365 account from the outside to check email and all that, they wouldn’t be able to if for some reason the on-premises domain was down. That is not the case with password hash synchronisation, which is the one that will still let you sign in even if your on-premises domain is unavailable.

Okay, federation services. This is an older solution. PTA is newer; AD FS is older. You have to set up an Active Directory Federation Services server, and this is going to involve you having multiple servers. The disadvantage of this one is that it must be fault-tolerant. You’re going to need two on-premises AD FS servers (Active Directory Federation Services servers), and you’re going to have to have what are called proxies in your DMZ. This one’s got a lot of setup, but there’s a benefit. This one right here can support multifactor authentication and third-party multifactor authentication, whereas these others only support Microsoft multifactor authentication. However, the same rule applies. If you go this route, you set up these servers on premises. If somebody on the outside is trying to authenticate to the cloud and the domain is not accessible, they will not be able to authenticate; they will not be able to log on.

Ping Federate: we don’t talk about that in this class. It is a third-party solution. Basically, in a nutshell, Ping Federate is a third-party company that Microsoft has a deal with. You can have them host your federation services for you. Okay? But this isn’t something we get into, nor is it something you need to worry about test-wise, okay? Or you could just say not to configure any of this and move on with the wizard, and you could come back and configure this at a later time. One thing I’d like to emphasise is that nothing I do here is set in stone. I can run this wizard again if I want later down the road, okay? So if you don’t like something or didn’t choose the right setting, you can always run it again. You can always change your synchronisation options. I’m going to do password hash synchronisation. I’m also going to enable single sign-on, because I want it to auto-authenticate on-premises users with the outside world. Okay, now we’re going to click Next. At this point, it’s going to ask me for my global administrator in Azure. So I’m going to put that in. All right. It’s going to also verify that I put in the correct credentials.

As you can see, it is checking. Okay, it’s verified. Now it’s going to check everything on premises, make sure Active Directory on premises is set up properly, and make sure I have the privileges to do this. So I’m going to add a directory. It says, okay, you’re going to set up an account that’s going to synchronise on-premises with Azure AD. So it’s saying that, hey, I could create my own service account to do this, or I could let the wizard do it. It is recommended that you let the wizard do it, because the wizard will ensure that it only has the rights to synchronise. It has no other rights, whereas if I were to do it, I might give out too many privileges by making it an administrator. So it’s recommended that you let it create an account. Then you’ll enter your domain name and the administrator account that you want to use.

Okay, so I’ll put the administrator in here. All right, it’s verifying, and it says, “Okay, everything looks good.” Active Directory is verified. All right, so I’m going to click Next. It is inspecting the directory schema to ensure that everything is in order. Now it is going to tell me that, hey, it found that I don’t really own this domain, abccorp.com. So it’s just warning me that I cannot assign users to that. If you remember my previous lesson, I showed you custom domains. That’s fine. I’m not going to use that domain anyway, so I’m going to leave it alone. It’s going to use the user principal name as the username convention, which is the email-address-style name that we talked about earlier. Okay, so I’m going to say “Continue.” Then I’m going to click Next. Now it’s asking me if I want to synchronise everything. So I’m going to say no. I don’t want to synchronise everything. I just want to synchronise the Pilot OU. Remember those users.

So we’re just going to synchronise the Pilot OU. Okay. All right. From there, I could choose some other attributes. I don’t get into those. This course does not cover any of these attributes. But I’m going to go ahead and click Next. I’m just taking the defaults on that. And then from there, I can further filter by selecting specific groups that I would like to have synchronised. You can nest groups in Active Directory, but notice here that it says nested groups are not supported and will be ignored. In other words, if you have groups inside groups, it will not synchronise everything. Right here, I’m just basically saying, “Synchronise everybody that’s in that OU.” Now, if I were to hit “Synchronize selected,” then I could specify a group and just say, “Synchronise the people that are in this one group.” This is just another way to filter. But I don’t want to do that. I’m synchronising everybody that’s in the Pilot OU.
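A way to preview, before running the wizard, exactly which objects the OU filter and the group filter described above will pick up, including the nested-group members the wizard warns it will ignore. This is an added example, not code from the course; it assumes the ActiveDirectory module, the lab’s Pilot OU under `examlabpractice.com`, and a group named `IT`.

```powershell
# Added example, not from the course: preview the wizard's OU and group filters.
# Assumes the ActiveDirectory module, the lab's Pilot OU and an IT group.
Import-Module ActiveDirectory

$PilotOu   = 'OU=Pilot,DC=examlabpractice,DC=com'
$GroupName = 'IT'

# 1. OU filtering: every user and group under the Pilot OU is in scope.
$inScope = @(Get-ADUser  -Filter * -SearchBase $PilotOu -SearchScope Subtree) +
           @(Get-ADGroup -Filter * -SearchBase $PilotOu -SearchScope Subtree)
'Objects under the Pilot OU:'
$inScope | Select-Object ObjectClass, Name, DistinguishedName | Format-Table -AutoSize

# 2. Group filtering reads DIRECT members only. Accounts reachable only through a
#    nested group are exactly what the wizard says it will ignore.
$direct     = @(Get-ADGroupMember -Identity $GroupName)
$expanded   = @(Get-ADGroupMember -Identity $GroupName -Recursive)
$viaNesting = $expanded | Where-Object { $_.distinguishedName -notin $direct.distinguishedName }
"Direct members of ${GroupName}:"
$direct | Where-Object objectClass -eq 'user' | Select-Object Name, SamAccountName | Format-Table -AutoSize
if ($viaNesting) {
    'Members that group filtering would IGNORE (reachable only via a nested group):'
    $viaNesting | Select-Object Name, SamAccountName | Format-Table -AutoSize
}

# 3. Both filters apply together: a group member that lives outside the Pilot OU
#    stays out of scope while OU filtering is on. Flag those before the pilot.
$outsideOu = $direct | Where-Object { $_.objectClass -eq 'user' -and $_.distinguishedName -notlike "*,$PilotOu" }
if ($outsideOu) {
    "$GroupName members outside the Pilot OU (will not sync with OU filtering on):"
    $outsideOu | Select-Object Name, DistinguishedName | Format-Table -AutoSize
}
```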

So I’m going to go ahead and hit Next. Okay? At that point, if I were going to do an Exchange hybrid, where I was going to synchronise my Microsoft on-premises Exchange environment with the cloud, I would select to do these two things. I don’t have Exchange on premises in this environment, so I wouldn’t do that. You can filter Active Directory attributes that you would like to synchronise. I’ll enable password writeback. What that’s going to do is make it so that when I change my password in the cloud, it’s going to synchronise back down to on-prem. On-premises is going to synchronise with the cloud. You can also do group writeback, but that feature is not available at the moment, nor is device writeback just yet. So there are a few things that have to happen before I can set those up.

Okay, if I wanted to synchronise something else, there’s what are called directory extension attributes. These are additional attributes. Let’s say that we had a situation where we created some custom attributes, like an employee ID number or something, that were stored in all of our user accounts, and we wanted those to synchronise as well. We could select this and add those custom attributes. I’m not going to do that in this. I’m just going to click Next. And at that point, it’s checking a few things, and it says, “Okay, you’re going to enable single sign-on.” You’re going to need a domain account to support single sign-on. In other words, it’s got to have an account that can configure authentication with your domain controllers to make sure that when somebody logs on on premises, it can authenticate to the cloud automatically.

So I have to have an account that has the privileges to enable this feature. So I’m going to say, “Okay, that’s fine.” I’m going to enable it by using my own credentials. So that’s examlabpractice\administrator, and I’ll enter the password. And there we go. It says, “Okay, you’ve got the right credentials.” In other words, the account that I put in had enough power to turn this feature on for my domain. So I’m going to click Next. It says, “Okay, it’s checking for the components, making sure everything is in order.” And then, once this is done, I’m going to be ready to pull the trigger, and Active Directory is going to start synchronising. Okay? So here we go. And with that, it’s now officially synchronised. All right? So I’m going to let that synchronise. And as we get further into this, we’re going to be looking at how we can also check the health of synchronisation in our next little lesson. We’re going to look and make sure that things actually did synchronise.

5. Verifying Azure AD Connect Health

Okay, so if you watched the last lesson, you saw me run Azure AD Connect. And I’d like to show you guys now that my user accounts have been synchronised. As you can see, I’m here in portal.azure.com, under Azure AD, looking at my users. And there are the users who have been synchronised. Notice the “Source” column. It tells you that some of the users are Windows Server AD and some are Azure AD. So the ones that say Azure AD are cloud-only accounts, okay? They’re just out in the cloud.

But the ones that say Windows Server AD, obviously, are officially synchronising between the two environments, the on-prem AD and Azure AD. Okay? Now the next thing I want to show you is a little something called Azure AD Connect Health. This is a way for you to check your synchronisation and make sure that your on-premises environment is synchronising properly with the outside world. So I’ll go over here to this little menu bar here, and then back over here to Azure AD. And you’ll notice I can go to Azure AD Connect. So I’m going to click that, and I want you to notice that it says the sync status is now enabled. Now, if you remember from my previous lesson, I showed you that this was not turned on by default.

We actually had to download the tool and install it, which we did. And notice that it’s telling you that password hash synchronisation is being used. I’m not using federation right now. Okay? I do have seamless SSO going, but if I scroll down, what I want to show you is this right here, Health and Analytics. Okay, so let’s click on this. This is Azure AD Connect Health. Okay? So right here, first things first: we’ve got Azure AD Connect installed on our server. And when you install that on your server, you’re already monitoring synchronisation health. But if you would like a domain controller to report its health information, then you can install the AD DS agent right here on a domain controller. If you are using a federated server, an AD FS server, and you would like it to send its health analytics to the cloud, you can install this guy right here, which is the Azure AD Connect Health agent for AD FS, Active Directory Federation Services. Okay, I’m going to jump over now. We’ll check our sync errors to see if we have any. Hopefully, we don’t. Okay, perfect. This is what you want to see. You don’t want to see any errors.

If you did have errors, you could export those and try to troubleshoot. And then there are sync services. This is telling me if I’m healthy or not. As you can see, sync services are healthy. Okay, looking down here, there are AD FS services, if I had AD FS, and AD DS services. This is telling me if there are any problems with my Active Directory Domain Services and the health there. You have to install the health agent on the domain controller to get that, though. And then you’d have to install the health agent on the AD FS server to get the statistics for that. Okay, but all in all, as you’ve seen, I’m healthy, which is a good thing. And of course, you also have settings here if you want to configure some of the settings. You’ll notice that it says “Use Auto Update”: automatically update your installed Azure AD Connect Health agent when the latest version comes out.

So essentially, what will happen is that whenever there’s a new version, it’ll update to that new version for you. Okay. I’ve also got a troubleshooter down here where I could try to do some troubleshooting if I was having problems. But all in all, as you can see, Azure AD Connect Health is pretty straightforward. It will attempt to assist you in troubleshooting any synchronisation issues that may have occurred between on-premises and Azure AD.
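The command-line counterpart of the checks in this lesson: the scheduler state the portal reports as “sync status: enabled,” a delta sync that is only started when none is running, and the tenant-side “Source” view (synced accounts versus cloud-only). This is an added example, not code from the course; part 1 assumes it runs on the Azure AD Connect server, where the wizard installs the ADSync module, and part 2 assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read users.

```powershell
# Added example, not from the course. Part 1: the Azure AD Connect server
# (ADSync module installed by the wizard). Part 2: Microsoft.Graph SDK (assumed).
Import-Module ADSync

# 1. Scheduler state: what the portal shows as "sync status", plus timing details.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, CurrentlyEffectiveSyncCycleInterval,
                  NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# Run a delta cycle now instead of waiting for the interval, but only if nothing
# is already running; starting a second cycle just errors out.
if (Get-ADSyncConnectorRunStatus) {
    'A sync run is already in progress; not starting another.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 2. Tenant side: synced accounts carry onPremisesSyncEnabled = true and a last-sync
#    timestamp; cloud-only accounts ("Azure AD" under Source in the portal) do not.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$synced = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
              -Property @('displayName', 'userPrincipalName', 'onPremisesLastSyncDateTime', 'onPremisesSyncEnabled')

$synced | Select-Object DisplayName, UserPrincipalName, OnPremisesLastSyncDateTime | Format-Table -AutoSize

# The default cycle is every 30 minutes, so an account not refreshed in a few
# cycles deserves a look in the Sync Errors blade before users notice.
$cutoff = (Get-Date).ToUniversalTime().AddHours(-2)
$stale  = $synced | Where-Object { $_.OnPremisesLastSyncDateTime -and $_.OnPremisesLastSyncDateTime -lt $cutoff }
if ($stale) {
    'Accounts whose last sync is older than two hours:'
    $stale | Select-Object UserPrincipalName, OnPremisesLastSyncDateTime | Format-Table -AutoSize
}
```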
