Set up Active Directory synchronization for Microsoft 365
Syncing on-premises AD and Office 365 through Azure AD Connect
This post walks through the steps to synchronize on-premises AD DS with Office 365 (Microsoft 365) using Azure AD Connect.
On-premises AD DS
The "Cloud User" OU containing the users we want to sync to Office 365
Steps:
Log in to your Office 365 subscription (admin center).
Below link:
Download Microsoft Azure Active Directory Connect
Install Azure AD Connect on an on-premises Windows Server (Microsoft recommends a domain-joined member server rather than a domain controller).
Office 365 administrator user:
Installation starts.
Accept the license terms and continue.
Here I select the customized installation.
The required components are installed next.
Click Install.
Installation in progress.
Selected password hash synchronization as the sign-in method.
With password hash synchronization the clear-text password never leaves the domain. Azure AD Connect reads the user's NT password hash from the domain controller, re-hashes it with a per-user salt (PBKDF2 with SHA256) and synchronizes only that derived hash to Azure AD. The derived hash cannot be reversed to recover the password and cannot be used to sign in to the on-premises domain.
Click Next.
Enter the Azure AD global administrator username and password and click Next.
The admin credentials are requested again.
Verification.
Select the forest and click Add Directory.
Enter the on-premises enterprise administrator username and password.
Active Directory added; click Next.
Now we need to add a UPN suffix that matches the domain verified in Office 365.
What is a User Principal Name (UPN)? In Active Directory a UPN is a username and domain in e-mail address format: the username, the separator "@", and a UPN suffix (by default the DNS name of the AD domain, but additional suffixes can be registered at forest level). An example UPN is shariq@querypanel.co.
Open Server Manager.
Go to Tools and open Active Directory Domains and Trusts.
Right-click "Active Directory Domains and Trusts" at the top of the tree and choose Properties.
On the UPN Suffixes tab enter the domain, click Add, then Apply.
After adding the UPN suffix, the suffix drop-down on user accounts lists multiple domains.
Select the domain suffix.
Here you can check that the Office 365 domain shows as verified.
Select the "Cloud User" OU for sync filtering and click Next.
Uniquely identifying your users: click Next.
Optional features: click Next.
Click Install.
Configuration complete.
Click Exit and check the synchronization status.
Synchronization status in Office 365.
Synchronization status page.
Open Synchronization Service Manager.
Start PowerShell to force a sync from on-premises to Office 365; otherwise the scheduler runs a delta sync automatically every 30 minutes.
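The UPN suffix step and the forced sync above, done from PowerShell, as an added example that is not part of the original post. It assumes the forest vre.local (the domain used later in this post), the suffix querypanel.co from the UPN example, and an OU named "Cloud User"; run it on the Azure AD Connect server as an Enterprise Admin.

```powershell
# Added example (not from the original post): add a routable UPN suffix,
# rewrite users' UPNs in the sync OU, and force an Azure AD Connect delta sync.
# Assumed names: forest vre.local, suffix querypanel.co, OU "Cloud User".
Import-Module ActiveDirectory
Import-Module ADSync   # installed with Azure AD Connect; run on the AD Connect server

$Suffix = 'querypanel.co'
$SyncOU = 'OU=Cloud User,DC=vre,DC=local'

# 1. Register the UPN suffix at forest level (same as the Domains and Trusts GUI step).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
}

# 2. Users still carrying the non-routable vre.local suffix would be synced as
#    user@tenant.onmicrosoft.com, so switch them to the verified suffix.
Get-ADUser -SearchBase $SyncOU -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$Suffix" } |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $Suffix
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn
        Write-Host "UPN changed: $($_.UserPrincipalName) -> $newUpn"
    }

# 3. Force a delta sync instead of waiting for the 30-minute scheduler.
$sched = Get-ADSyncScheduler
if ($sched.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already running; wait for it to finish.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. Show the scheduler state so you can confirm the next cycle and interval.
Get-ADSyncScheduler |
    Select-Object AllowedSyncCycleInterval, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC, SyncCycleEnabled
```

Run the UPN rewrite before the first sync where possible: for users that are already synchronized, Azure AD only accepts a UPN change from sync if the tenant's SynchronizeUpnForManagedUsers feature is enabled.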
FSMO roles: Flexible Single Master Operation (FSMO) roles are a feature of Active Directory.
Active Directory uses multi-master replication: any writable domain controller can accept changes. A few operations would be unsafe if two DCs performed them at the same time, so each of those is given to a single role holder; that is what FSMO roles are.
FSMO roles were introduced with Active Directory in Windows 2000. They replaced the NT 4 model, in which only the Primary Domain Controller could accept changes: if the PDC was down, no changes could be made until it came back up.
When the first domain controller in a forest is promoted it holds all five roles automatically; they can be transferred to other DCs afterwards.
Losing a role holder does not stop logons, but the operation that role owns (schema changes, creating domains, handing out new RID pools, and so on) is blocked until the role is transferred or seized.
FSMO has 5 roles:
1: Schema Master
2: Domain Naming Master
3: PDC Emulator
4: RID Master
5: Infrastructure Master
Note: before starting, you need to understand replication.
Replication types:
a. Intrasite replication
b. Intersite replication
a. Intrasite replication: replication between domain controllers in the same AD site. It is notification-based and runs continuously: a DC notifies its partners about 15 seconds after a change and they pull it, so changes converge within seconds. This is what the page calls "live" replication.
b. Intersite replication: replication between DCs in different sites over a site link. It runs on a schedule rather than on notification; the default site link interval is 180 minutes and the minimum is 15 minutes, and the traffic is compressed. With default settings a change can therefore take up to 180 minutes to reach another site.
FSMO roles are divided into two categories:
1. Forest-wide FSMO roles (one holder per forest)
a) Schema Master: holds the only writable copy of the Active Directory schema, the definition of every object class and attribute. Schema extensions (for example preparing the forest for Exchange, or adding a custom attribute) are written on this DC and replicated to every other DC as read-only.
Example: if two administrators could add an attribute with the same name on two different DCs at the same time, the schema would be left inconsistent; routing all schema writes through one DC prevents that conflict.
b) Domain Naming Master: makes sure no two domains in the forest get the same name; it authorizes the creation, renaming and deletion of domains and child domains.
2. Domain-wide FSMO roles (one holder per domain)
a) PDC Emulator: a password change made on any DC is replicated urgently to the PDC Emulator, and a DC that rejects a password retries it against the PDC Emulator before failing the logon, so a user whose password was just changed is not locked out by replication lag. It is also the domain's authoritative time source and the default DC for editing Group Policy.
b) RID Master: hands out pools of relative IDs to each DC so that newly created security principals get unique SIDs.
c) Infrastructure Master: updates references to objects in other domains (for example users from another domain in a local group) so they display as names rather than raw SIDs.
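The role holders and the two replication types described above, queried from PowerShell, as an added example that is not part of the original post. It assumes the forest vre.local with DCs pdc.vre.local and bdc.vre.local (the names used in the seizure section later in this post) and needs the RSAT ActiveDirectory module and repadmin.

```powershell
# Added example (not from the original post): list FSMO role holders and
# check replication for the forest described above.
# Assumed names: forest/domain vre.local, DCs pdc.vre.local and bdc.vre.local.
Import-Module ActiveDirectory

$Dcs = 'pdc.vre.local', 'bdc.vre.local'

# Forest-wide roles live on the forest object, domain-wide roles on the domain object.
$forest = Get-ADForest -Identity 'vre.local'
$domain = Get-ADDomain -Identity 'vre.local'
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Intersite schedule: the site link interval in minutes (180 is the default, 15 the minimum).
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, ReplicationFrequencyInMinutes, @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } }

# Per-partner replication health: when each partition last replicated successfully
# and how many times in a row it has failed.
Get-ADReplicationPartnerMetadata -Target $Dcs -Partition * |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Sort-Object Server, Partition

# Anything that failed recently, with the error that caused it.
$failures = Get-ADReplicationFailure -Target $Dcs
if ($failures) {
    $failures | Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
} else {
    'No replication failures reported.'
}

# Push all partitions to all partners now instead of waiting for the site link
# schedule (the command-line equivalent of "Replicate Now" on every connection):
# A = all partitions, d = show DNs, e = cross-site, P = push.
repadmin /syncall /AdeP
```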
DFS (Distributed File System) is a Windows Server feature for presenting shared folders from many file servers under one namespace and for keeping copies of those folders consistent across servers.
DFS in a Windows Server Infrastructure & DFS Replication
Users cannot be expected to remember every file server name in the infrastructure, so Microsoft implemented DFS Namespaces.
DFS lets you manage shares from many servers as a single tree. The namespace only holds referrals: when a client opens a folder it is redirected to the folder target on the server where the data actually lives.
Distributed File System (DFS) is a Windows Server feature which allows system administrators to create a single namespace (DFS Namespaces) and to replicate folders between servers (DFS Replication) across the network.
Here I am going to explain how to install DFS in your infrastructure.
Select which Windows server you want to become the primary file server.
Go to the Windows server.
Open Server Manager.
Click Add Roles and Features.
Choose Role-based or feature-based installation.
Steps:
Install Distributed File System from Server Manager
Start DFS Management from Tools
Create a new namespace
Add a second namespace server to the namespace you created
Create a new folder inside the namespace
Add folder targets and create the replication job

Select DFS Namespaces and DFS Replication.
Once selected, click Next.
DFS is a role-based installation.
Add the roles and keep the default options.
(The DFS roles must be installed on every file server that will be associated with the main file server.
For example: I have a primary server, and with DFS I associate all my other file servers with it. The files stay in their original location on each server, but to users they appear to be hosted under the primary server's namespace.)
Check the features, leave them at their defaults and click Next.
Click Install.
Once the installation is done, go to Tools.
Close the wizard after the installation completes.
Click Tools and select DFS Management.
Once DFS Management opens, right-click Namespaces and choose New Namespace.
Enter the namespace server; here the primary server will host it, so browse to the primary server.
Once the server is selected, click Next.
Enter the namespace name and edit the share permissions: click Custom permissions, add the users and apply.
Select Domain-based namespace.
Click Create to create the namespace.
Once done, close the wizard.
Now add the second file server to the namespace just created.
Right-click the created namespace and choose Add Namespace Server.
Browse to the file server, assign permissions and click OK.
Click OK in the wizard.
The namespace now has two namespace servers.
Next, add the target folder: right-click the namespace and choose New Folder.
File server directory.
Right-click the folder and select Add Folder Target.
Browse to the target folder and select it.
Once selected, click OK.
When asked whether to create a replication group for the folder targets, click Yes.
In the replication wizard, change the replication group name or leave the default.
Click Next.
Primary member: the server whose content is authoritative for the initial replication (files that exist only on the other member are moved aside, not merged).
Topology.
Click Next.
Click Create to create the replication job.
Created successfully.
Replication from one server to the other.
Now I set up the share through the secondary server (because I don't want to expose my primary server's name to infrastructure users).
Here all the data lives on the primary server; the secondary server is used to replicate it and to hide the primary server's details from users.
Start DFS Management on the secondary server.
Assign user permissions.
Domain-based namespace.
Click Create.
Namespace created; close the wizard.
Right-click the created namespace and add a namespace server.
Browse for the server.
Here the new namespace server is created on the BDC server.
Namespace server status.
Namespace servers.
Now create the folder.
Browse to the shared folder and select it.
Selected folder.
Click OK.
Created folders.
Select the folder and add the replication target.
Select the folder target.
Click OK.
The replication job will now be created.
Once the replication wizard starts, configure it.
Click Next again.
Select the primary server.
Select Full mesh.
Schedule and bandwidth.
Create the replication job.
Replication job created.
Directory structure.
A domain-based namespace also helps from a security standpoint: users open \\domain\namespace rather than a server name, so the physical directory structure and server names are hidden. This is obscurity, not access control: anyone who can read the namespace can list the folder targets (for example with dfsutil), so the share and NTFS permissions on every target folder still have to be set correctly, and access-based enumeration should be enabled on the namespace if users should only see the folders they are allowed to open.
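The whole DFS procedure above (namespace on two servers, one folder with two targets, full-mesh replication, and the permissions the last paragraph insists on) done from PowerShell, as an added example that is not part of the original post. It assumes the domain vre.local, servers named PDC and BDC, a local folder D:\Projects on each, a group VRE\FileUsers, and WinRM access to both servers; run it as a Domain Admin.

```powershell
# Added example (not from the original post): build the DFS setup described above:
# a domain-based namespace hosted by two servers, one folder with a target on each,
# a full-mesh replication group, and access-based enumeration so users only see
# folders they may open. Assumed names: domain vre.local, servers PDC and BDC,
# folder D:\Projects, group VRE\FileUsers.
Import-Module DFSN
Import-Module DFSR

$Domain    = 'vre.local'
$Primary   = 'PDC'
$Secondary = 'BDC'
$Root      = "\\$Domain\Files"
$Group     = 'Projects'

# 1. Create and share the folders on both servers. The share ACL is kept simple;
#    the effective restriction is NTFS, so inheritance is cut and set explicitly.
foreach ($srv in $Primary, $Secondary) {
    Invoke-Command -ComputerName $srv -ScriptBlock {
        New-Item -Path 'D:\Projects'       -ItemType Directory -Force | Out-Null
        New-Item -Path 'D:\DFSRoots\Files' -ItemType Directory -Force | Out-Null   # namespace root share
        New-SmbShare -Name 'Files'    -Path 'D:\DFSRoots\Files' -ReadAccess 'NT AUTHORITY\Authenticated Users' -ErrorAction SilentlyContinue | Out-Null
        New-SmbShare -Name 'Projects' -Path 'D:\Projects' -ChangeAccess 'VRE\FileUsers' -FullAccess 'VRE\Domain Admins' -ErrorAction SilentlyContinue | Out-Null
        $acl = Get-Acl 'D:\Projects'
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting Everyone/Users from D:\
        foreach ($rule in @(
            [System.Security.AccessControl.FileSystemAccessRule]::new('VRE\Domain Admins',   'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
            [System.Security.AccessControl.FileSystemAccessRule]::new('VRE\FileUsers',       'Modify',      'ContainerInherit,ObjectInherit', 'None', 'Allow'),
            [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        )) { $acl.AddAccessRule($rule) }
        Set-Acl -Path 'D:\Projects' -AclObject $acl
    }
}

# 2. Domain-based namespace (DomainV2 = Windows Server 2008 mode) with two root targets,
#    so \\vre.local\Files keeps working when either server is down. ABE hides folders
#    the caller cannot open.
New-DfsnRoot -Path $Root -TargetPath "\\$Primary\Files" -Type DomainV2 -EnableAccessBasedEnumeration $true | Out-Null
New-DfsnRootTarget -Path $Root -TargetPath "\\$Secondary\Files" | Out-Null

# 3. One folder, two targets. Clients get a referral to a target; they never need a server name.
New-DfsnFolder       -Path "$Root\Projects" -TargetPath "\\$Primary\Projects"   | Out-Null
New-DfsnFolderTarget -Path "$Root\Projects" -TargetPath "\\$Secondary\Projects" | Out-Null
Grant-DfsnAccess     -Path "$Root\Projects" -AccountName 'VRE\FileUsers'         | Out-Null

# 4. Full-mesh replication. PDC is the primary member: its content wins the initial sync,
#    so run this before users write to BDC, or BDC-only files end up in PreExisting.
New-DfsReplicationGroup -GroupName $Group | Out-Null
Add-DfsrMember          -GroupName $Group -ComputerName $Primary, $Secondary | Out-Null
New-DfsReplicatedFolder -GroupName $Group -FolderName 'Projects' -DfsnPath "$Root\Projects" | Out-Null
Add-DfsrConnection      -GroupName $Group -SourceComputerName $Primary -DestinationComputerName $Secondary | Out-Null   # both directions by default
Set-DfsrMembership -GroupName $Group -FolderName 'Projects' -ComputerName $Primary   -ContentPath 'D:\Projects' -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName $Group -FolderName 'Projects' -ComputerName $Secondary -ContentPath 'D:\Projects' -Force | Out-Null
Update-DfsrConfigurationFromAD -ComputerName $Primary, $Secondary

# 5. Verify: both folder targets online, and the replication backlog between the members.
Get-DfsnFolderTarget -Path "$Root\Projects" | Select-Object TargetPath, State
Get-DfsrBacklog -GroupName $Group -FolderName 'Projects' -SourceComputerName $Primary -DestinationComputerName $Secondary
```

The share permissions are deliberately looser than the NTFS permissions: DFS referrals do not add any access control of their own, so the NTFS ACL on each target is what actually decides who can read or change the data, and it has to be identical on every target or users will get different answers depending on which server they are referred to.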
Domain: a domain is a group of resources identified by a name. In Active Directory it is the unit of administration: a named boundary of users, computers and policies managed by domain controllers, and its name is a DNS name that resolves to the IP addresses of those controllers.
The same word is used for DNS domains, the addresses of websites such as hotmail.com or gmail.com: a DNS domain is a name associated with IP addresses, and by itself it is not an administrative boundary.
Kinds of domain: public domains are resolvable by everyone on the Internet, for example google.com or facebook.com.
Private (internal) domains such as querypanel.local or abc.local are used only inside the organization by authorized users. A .local name cannot be verified as a public domain in Office 365, which is why the UPN suffix step earlier in this post is needed.
Workgroup: a workgroup is a way to arrange self-contained computers on a network. A workgroup is not joined to any server: each PC is outside centralized management and has no centrally enforced security policies.
A workgroup is a collection of self-contained computers using a peer-to-peer architecture, in which each computer keeps its own user accounts and permissions. The security of such systems is hard to guarantee because every machine is configured independently.
There is no centralized control over the devices in a workgroup.
Domain: a domain is a way to manage PCs and servers centrally. A domain controller manages all PCs and servers joined to the domain.
There is centralized control over all devices in the domain.
Difference between a workgroup and a domain:
Workgroup: all systems (PCs and servers) are peers; there is no centralized management.
A workgroup is also known as individual management or a self-controlled system.
Example: in a workgroup, policies have to be assigned on every PC or server individually, so a workgroup infrastructure is less secure and harder to keep consistent.
Domain: in a domain, a central server (the domain controller) manages all connected devices such as servers, PCs, printers and switches. A domain can set centralized policies and security settings and assign roles according to each profile and requirement.
Example: if the domain admin grants access to a resource it can be used; otherwise users do not have access.
Most office infrastructures use domain authentication because policies can be applied centrally according to the IT standards.
Antivirus: antivirus is software that protects a computer from unwanted threats.
Antivirus is protection at the individual-host level, and it protects you only as well as it is configured. Antivirus software detects malware and removes or quarantines it.
Antivirus protects a single PC; the quality of protection depends on the product and its features. Kinds of antivirus protection: real-time file scanning, safe browsing and web protection, and blocking of unwanted or malicious software.
Firewall: a network security control that protects against unauthorized access: only authorized, filtered traffic is allowed through. Firewalls typically work at the network and transport layers; some are also capable of working as high as the application layer.
A firewall is the defense system of a network: it keeps hackers and unauthorized access out, from both inside and outside.
A firewall inspects network activity against its rules. Next-generation firewalls and IPS modules also compare traffic against a catalog of known threat signatures and can flag abnormal activity that may signal an attack.
A firewall is two-way protection: it filters inbound traffic against external threats and outbound traffic against internal ones.
Types of firewall protection: hardware devices and software. A hardware firewall acts as the gatekeeper of your network. It sits between the Internet router and the internal network and is configured to analyze incoming traffic, filtering out specific threats as they cross the device.
How well a hardware firewall protects the network depends on how you configure it and which security policies you apply.
Example: I use a pfSense firewall (a FreeBSD-based firewall distribution), configured according to the infrastructure: allow the traffic that is needed and block the rest. Good firewalls can also protect the IT infrastructure by running a proxy server.
A firewall is the gatekeeper of any network: it filters incoming and outgoing network traffic and protects the entire network behind it.
Firewall: a firewall protects your internal network from unwanted threats from outside; it is a two-way protection method.
A hardware firewall protects the entire network; it is implemented at the perimeter (router level).
A firewall only allows legitimate traffic and blocks unwanted traffic.
What can a firewall do? It enforces security decisions: it stops hackers entering your network and PC, it controls which programs can access the Internet, and access is governed by firewall rules.
Every operating system has a built-in software firewall. Example: when you surf the Internet and visit many sites, the host firewall blocks unsolicited inbound connections from those sites; it does not stop malware you download yourself, which is what antivirus is for.
In simple terms, a firewall is the protector of your workplace infrastructure, and every PC has the default Windows firewall.
One more example: if one PC in the infrastructure is infected, the firewall can contain that internal threat by blocking its traffic to other hosts; that is why a firewall is a two-way protector.
Types of firewall:
Hardware: in a workplace or home network with a hardware firewall enabled, the firewall tracks every connected host by its address (address assignment itself is DHCP, which most firewall appliances also provide) and checks its traffic against the rules.
Software firewall: a software firewall protects an individual computer.
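The host (software) firewall side of the section above, as an added example that is not part of the original post: Windows Firewall rules on one of the DFS file servers from this post, with the weak configuration shown beside the hardened one. It assumes a management subnet 10.10.0.0/24 and an elevated PowerShell; the NetSecurity cmdlets are built into Windows.

```powershell
# Added example (not from the original post): host firewall rules on a domain-joined
# file server, weak configuration beside the hardened one.
# Assumed: management subnet 10.10.0.0/24; run elevated (NetSecurity module is built in).

# --- Weak (what a hurried install often ends up with) ---
# Remote management open to the world, and the Domain profile switched off
# "because it was blocking something". Shown commented out; do not run.
# New-NetFirewallRule -DisplayName 'RDP any'   -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow
# New-NetFirewallRule -DisplayName 'WinRM any' -Direction Inbound -Protocol TCP -LocalPort 5985 -Action Allow
# Set-NetFirewallProfile -Profile Domain -Enabled False

# --- Hardened ---
# 1. Default posture on all three profiles: block inbound, allow outbound, log drops.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384

# 2. Remove the wide-open rules from the weak setup if they exist.
Get-NetFirewallRule -DisplayName 'RDP any', 'WinRM any' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Management protocols only from the admin subnet, and only on the Domain profile.
$mgmt = '10.10.0.0/24'
New-NetFirewallRule -DisplayName 'RDP from mgmt'   -Direction Inbound -Protocol TCP -LocalPort 3389       -RemoteAddress $mgmt -Profile Domain -Action Allow
New-NetFirewallRule -DisplayName 'WinRM from mgmt' -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $mgmt -Profile Domain -Action Allow

# 4. The service this host exists for (SMB for the DFS shares): allowed from the local
#    subnet on Domain/Private, explicitly blocked on Public. Block rules beat allow rules.
New-NetFirewallRule -DisplayName 'SMB from LAN'     -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress LocalSubnet -Profile Domain, Private -Action Allow
New-NetFirewallRule -DisplayName 'SMB block Public' -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block

# 5. Outbound: the "which program may reach the Internet" control from the text.
#    A file server has no reason to let PowerShell talk to the Internet; LAN traffic
#    (including remoting to other servers) is unaffected by the Internet keyword.
New-NetFirewallRule -DisplayName 'Block PowerShell to Internet' -Direction Outbound `
    -Program '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe' -RemoteAddress Internet -Action Block

# 6. Verify the profiles and list every enabled inbound allow rule with a specific port.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallPortFilter | Where-Object LocalPort -ne 'Any' |
    Select-Object @{ n = 'Rule'; e = { ($_ | Get-NetFirewallRule).DisplayName } }, Protocol, LocalPort
```

The last query is the check worth keeping: on a server that only serves files, every inbound allow rule it prints should be one you can name a reason for.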
Microsoft split the responsibilities of a DC into 5 separate roles that together make a full AD system.
FSMO stands for Flexible Single Master Operations. Microsoft Active Directory is by far the most widely used domain authentication service across the globe since its release with Windows 2000 Server. Over the decades Microsoft has made many advancements to Active Directory to turn it into the system we use today.
Before that, Windows NT used a single-master model: only one domain controller (the PDC) could make changes in a domain, while the other DCs (BDCs) only answered authentication requests.
This model created a single point of failure: if the primary domain controller went down, there was no way to make changes to the domain until it was back up.
To remedy this, Microsoft made the directory multi-master and kept only a handful of single-master responsibilities, separated into roles. Administrators can place these roles on different domain controllers, and if a role holder goes down an administrator transfers the role to another DC, or seizes it if the holder is permanently lost. The roles do not move by themselves.
This concept is named Flexible Single Master Operation, or FSMO for short, and the roles are known as FSMO roles.
Authentication does not depend on the role holders being up, so a domain keeps performing its primary function of authenticating users and permissions while a role is down (with the standard caveats, such as the network staying up); FSMO ensures that the few single-master operations are unambiguous and can be moved when a DC fails.
Schema Master: the Schema Master holds the read-write copy of your Active Directory schema. The AD schema defines all the attributes (employee ID, phone number, email address, login name and so on) that can be applied to an object in your AD database.
Domain Naming Master: the Domain Naming Master makes sure that you don't create a second domain in the same forest with the same name as another. It is the master of your domain names. Creating new domains isn't something that happens often, so of all the roles this one is the most likely to live on the same DC as another role.
RID Master: the Relative ID Master assigns blocks of relative IDs to the DCs, which they use for newly created objects. Each security principal in AD has a SID; the final component of the SID is the relative portion. To keep multiple objects from having the same SID, the RID Master grants each DC its own pool of RIDs to assign.
PDC Emulator: the DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. Password changes replicate to it first, failed logons on other DCs are retried against it, it is the default DC for editing Group Policy Objects, and it is the domain's time source. It's good to be the PDC.
Infrastructure Master: the Infrastructure Master keeps cross-domain references up to date, translating Globally Unique Identifiers (GUID), SIDs and Distinguished Names (DN) of objects from other domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If it doesn't do its job correctly you will see SIDs in place of resolved names in your Access Control Lists (ACL). Do not put this role on a global catalog server unless every DC in the domain is a global catalog; otherwise it never updates anything.
Flexible Single Master Operation (also known as FSMO or FSMO Roles).
FSMO roles on the primary server:
netdom query fsmo
Run from the secondary server, netdom query fsmo reports the same role holders: it reads the role owners out of the directory, and the secondary (BDC) does not hold any role itself.
If the primary server has failed for good, the roles have to be seized so that the backup DC takes over the full authority.
To simulate this, I power off the primary server.
Primary DC is not active (server down).
Now run the query again in PowerShell.
All 5 FSMO roles are still reported, even though the holder is down.
On the secondary server I still get all 5 roles pointing at the primary: the query only reads the stored role-owner attributes, it does not check that the holder is reachable.
Type, on the backup DC:
ntdsutil
PS C:\Users\administrator.VRE> ntdsutil
At the ntdsutil prompt type roles and press Enter (this enters fsmo maintenance).
Type connections.
Connect to the backup domain controller:
connect to server bdc.vre.local
Type q and press Enter to leave the connections prompt.
Now seize all FSMO roles from the primary server.
The primary server is not running but the roles are still registered to it, so they have to be seized and allocated to the secondary server. Each seize command first attempts a normal transfer and only seizes when the current holder does not answer, and each one asks for confirmation.
netdom query fsmo
fsmo maintenance: seize infrastructure master
Press Yes to confirm.
fsmo maintenance: seize naming master
fsmo maintenance: seize pdc
fsmo maintenance: seize rid master
fsmo maintenance: seize schema master
Type quit to leave fsmo maintenance, and quit again to exit ntdsutil.
After seizing all 5 roles from the primary DC they are assigned to the secondary DC.
Never bring the old primary back onto the network after a seizure: it still believes it holds the roles, and duplicate RID pools or conflicting schema changes would corrupt the domain. Remove its metadata (ntdsutil metadata cleanup, or delete its server object in Active Directory Sites and Services) and rebuild it from scratch.
Check after seizing all roles:
The backup DC now holds all FSMO roles.
netdom query fsmo
To confirm in the GUI, go to Active Directory Users and Computers, right-click the domain and choose Operations Masters.
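The same seizure done with the ActiveDirectory module instead of ntdsutil, as an added example that is not part of the original post, with the checks an administrator wants before and after: it transfers gracefully if the old holder still answers, seizes only if it does not, verifies every role, and cleans up the dead DC's metadata. It assumes the domain vre.local with the failed holder pdc.vre.local and the survivor bdc.vre.local, and must be run on the survivor as an Enterprise Admin (Schema Admins membership is needed for the Schema Master).

```powershell
# Added example (not from the original post): seize the five FSMO roles with the
# ActiveDirectory module. Assumed names: domain vre.local, failed holder pdc.vre.local,
# survivor bdc.vre.local. Run on the survivor as Enterprise Admin + Schema Admin.
Import-Module ActiveDirectory

$Domain = 'vre.local'
$OldDc  = 'pdc.vre.local'
$NewDc  = 'bdc.vre.local'
$Roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Read the role owners as recorded in the directory; a dead holder is still listed.
    $f = Get-ADForest -Identity $Domain -Server $NewDc
    $d = Get-ADDomain -Identity $Domain -Server $NewDc
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

'Role holders before:'
Get-FsmoHolders | Format-Table -AutoSize

# 1. Is the holder really gone? Seizure is a last resort: if LDAP still answers,
#    a normal transfer is safe and keeps the old DC usable.
$alive = Test-NetConnection -ComputerName $OldDc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue

if ($alive) {
    "$OldDc still answers on LDAP; transferring instead of seizing."
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $Roles -Confirm:$false
} else {
    # 2. -Force tries a transfer first and seizes only when the holder does not respond,
    #    the same behaviour as ntdsutil's seize commands.
    "$OldDc is unreachable; seizing."
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $Roles -Force -Confirm:$false
}

# 3. Verify every role now points at the survivor before touching anything else.
$after = Get-FsmoHolders
'Role holders after:'
$after | Format-Table -AutoSize
$wrong = $after.GetEnumerator() | Where-Object { $_.Value -ne $NewDc }
if ($wrong) { throw "Roles not on ${NewDc}: $($wrong.Key -join ', ')" }

# 4. After a seizure the old DC must never come back: it still thinks it owns the roles.
#    Remove its server object (metadata cleanup) so it cannot replicate in again,
#    then rebuild it from scratch if the hardware is reused.
if (-not $alive) {
    $srvDn = (Get-ADDomainController -Identity $OldDc -Server $NewDc).ServerObjectDN
    ntdsutil 'metadata cleanup' "remove selected server $srvDn" quit quit
    # Also clear stale DNS records for the dead DC so clients stop locating it:
    # Get-DnsServerResourceRecord -ZoneName $Domain | Where-Object { $_.RecordData.IPv4Address -or $_.RecordData.HostNameAlias } ...
}
```

After the seizure also check that the survivor is a global catalog (Get-ADDomainController -Identity $NewDc).IsGlobalCatalog: with a single remaining DC it must be, and with more than one the Infrastructure Master should not sit on a GC unless all DCs are GCs.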