How to configure Cloud sync

  • Published on 6 Oct 2024
  • Just wondering what the simplest way to get started with Entra Cloud sync is?
    In this “no-BS” video Michael Mardahl jumps right into the demo and shows you how.

Comments • 23

  • @amualla, 1 year ago, +1

    Can I use both cloud sync and AD connect?

    • @knoxpuffer, 1 year ago, +2

      Yes, they can co-exist side by side, just make sure they are configured appropriately so they don't sync the same objects.

    • @Hichken, 1 year ago

      Personally, I created a new server to start with a fresh infrastructure.

    • @MSEndpointMgr, 1 year ago

      I would also advise to start with two new servers for this. phone if it is just PoC, and yes, don't have overlapping OUs sync between the old and new sync types (Connect sync / Cloud sync)
      /Michael
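
The non-overlap advice in the replies above can be checked mechanically before a Cloud sync configuration is enabled. This is an added example, not part of the video or of any comment; it assumes the in-scope OU distinguished names of each sync type have been collected into two lists, and the function names and the contoso.example sample DNs are constructed for illustration.

```python
import re

# One RDN = a run of escaped characters (\x) or characters that are neither ',' nor '\'.
_RDN = re.compile(r"(?:\\.|[^,\\])+")

def _normalize_rdn(rdn):
    """Lower-case one RDN and trim spaces around '=' (AD compares DNs case-insensitively)."""
    key, sep, value = rdn.partition("=")
    if not sep:
        return rdn.strip().lower()
    return f"{key.strip().lower()}={value.strip().lower()}"

def split_dn(dn):
    """Split a DN into normalized RDNs; a backslash-escaped comma stays inside its value."""
    return [_normalize_rdn(r) for r in _RDN.findall(dn) if r.strip()]

def is_within(container, candidate):
    """True if candidate is the container itself or sits anywhere beneath it."""
    outer, inner = split_dn(container), split_dn(candidate)
    return bool(outer) and len(outer) <= len(inner) and inner[len(inner) - len(outer):] == outer

def find_overlaps(connect_ous, cloud_ous):
    """Return (connect_ou, cloud_ou, relation) for every pair whose scopes share objects."""
    hits = []
    for a in connect_ous:
        for b in cloud_ous:
            down, up = is_within(a, b), is_within(b, a)
            if down and up:
                hits.append((a, b, "same container"))
            elif down:
                hits.append((a, b, "cloud scope inside connect scope"))
            elif up:
                hits.append((a, b, "connect scope inside cloud scope"))
    return hits

# Constructed sample scopes for a fictional contoso.example forest (assumption, not real data).
CONNECT_SYNC_OUS = [
    "OU=Users,OU=Corp,DC=contoso,DC=example",
    "OU=Groups,OU=Corp,DC=contoso,DC=example",
]
CLOUD_SYNC_OUS = [
    "ou=pilot, ou=users, ou=corp, dc=contoso, dc=example",  # differs only in case and spacing
    "OU=Groups,OU=Corp,DC=contoso,DC=example",
    "OU=Acquired\\, Inc,DC=contoso,DC=example",             # escaped comma in the OU name
]

if __name__ == "__main__":
    for a, b, why in find_overlaps(CONNECT_SYNC_OUS, CLOUD_SYNC_OUS):
        print(f"OVERLAP ({why}): {a!r} <-> {b!r}")
```

An empty result means no container is in scope for both sync types; any hit should be resolved by narrowing one of the two scopes before the configuration is enabled.
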

  • @AbdullahOllivierreIT, 10 months ago, +1

    1. Initial Setup and Choices: The video begins with an explanation of downloading and installing the Cloud sync installer on a domain controller, recommending a separate server for production environments. The presenter discusses the choice between HR-driven provisioning and on-premises application provisioning, emphasizing the benefits of HR-driven provisioning, which includes Azure AD Connect Cloud sync.
    2. Authentication and Service Account Creation: The user must authenticate (preferably with a Global admin or hybrid admin account) to proceed with the setup. The video highlights the creation of a Group Managed Service Account (gMSA) for secure and efficient operation, advising against custom account creation unless necessary due to complex organizational structures.
    3. Domain and High Availability Considerations: The presenter advises that the installation can be done in disjoint domains without needing trusts, recommending the installation of multiple agents in each domain to ensure high availability.
    4. Cloud Configuration and Agent Monitoring: Once the on-premises setup is complete, the video shifts to cloud configuration in the Entra portal. Here, the presenter demonstrates how to monitor the installed agents and set up the Cloud sync configuration, including choosing domains and enabling password hash synchronization.
    5. Scoping, Attribute Mapping, and Synchronization: The final part involves setting up a scoping filter using organizational units or distinguished names for targeted synchronization. The video guides through attribute mapping customization and concludes with enabling the configuration, explaining how synchronization occurs every 10 minutes and can also be triggered on-demand for specific users.

    • @MSEndpointMgr, 9 months ago

      Thanks for adding in these highlights.

  • @mistyhallow, 1 year ago, +1

    Thanks very much for your video. I resolved my problem with one of my domains syncing to my M365 domain.

    • @MSEndpointMgr, 1 year ago

      We are happy to hear that. Thanks for watching :)

    • @MrHollowman23, 11 months ago

      I’m getting cloud sync configuration error when I’m in the portal. Any suggestions?

  • @Hichken, 1 year ago, +1

    Very good video, thank you for the effort, I appreciate it 😀😀😀😀😀

  • @hennibadger5120, 1 year ago, +1

    Nice. Thanks.
    But I don't get the big picture. In a trustless disconnected forest and single AAD tenant setup: How would I handle devices (for Compliance / CA)?
    I mean I won't be able to join them (right away) as those will still need a lot of on prem services in their respective domain. And I guess I certainly don't want them as registered devices in my tenant for the time being?
    Thanks

    • @MSEndpointMgr, 1 year ago

      Your devices should live only in Entra ID. The sync engine here is for the identity and groups.

    • @MSEndpointMgr, 11 months ago

      To elaborate further on your question - on-prem access is not an issue with your devices fully joined to Entra ID.
      If you have issues, you need to solve those specifically - in general, there are little to no known blockers for on-prem access.
      For password sign-ins it "just works" and for Windows Hello for Business you can take a look at the Cloud Kerberos trust model for WHfB.

  • @shepconsulting, 3 months ago

    I have applied a scoping filter for the single OU that I need to sync for two AD security groups. This all saves properly. However, when I go to enable the configuration, I get an overview of what changes will occur and the scoping filters section at the bottom shows clearly "All Users" even though my configuration has defined scoping filters set up. In your demo, I can see that your configuration review shows the scope filters you applied using your custom OU. Is this a known bug? I am using the latest agent version installed on my on-prem DC. Thanks for any suggestions.

    • @MSEndpointMgr, 3 months ago

      Sorry Shep, I have never seen that.
      I would make a support request.

  • @syncj838, 9 months ago, +1

    Hey, how do you add the custom domain to on prem before you do the sync?

    • @MSEndpointMgr, 9 months ago

      Hi there. You can see this guide on the topic. lazyadmin.nl/it/add-a-domain-to-the-active-directory/

  • @nikstay9428, 11 months ago

    They say this can be installed directly on DCs as a "Supported" method, but in your experience, what is the best practice?

    • @MSEndpointMgr, 11 months ago

      The best practice is using dedicated servers, but as always - it depends 😉
      Hopefully, they will support Server core in the future, so we have lightweight management on-prem, and all the heavy lifting in the cloud. 😎

    • @FrankGarufiJr, 8 months ago

      @MSEndpointMgr You said that the best practice is "dedicated servers". What needs to be installed on the dedicated servers for it to work? Do they also need to be Domain Controllers?

  • @ChibuzorOnu-ll9ow, 5 months ago

    So I have users already existing in my Azure AD, then I set up a new on-prem AD, then went ahead to install and configure cloud sync, but when I try to provision, I get the azuredirectoryserviceattributevaluemustbeunique error. This is because of the proxyaddress and objectid. How do I resolve this serious

    • @MSEndpointMgr, 4 months ago

      Attribute matching can be tricky. You need to learn about hard and soft matching when you are trying to do what you are doing.
      Please watch this video to learn about the concepts. th-cam.com/video/ome8-oVLDfc/w-d-xo.html