Deploying Azure AD Connect with AD FS farm and Web Application Proxy server

Before installing Azure AD Connect, the following things were needed to complete this deployment:

  • An Office 365 E3 trial subscription.
  • Two domain names, azureoffice365.com and lyncpro.org, added and verified in the Office 365 portal.
  • An Office 365 account with global administrator permission.
  • An on-premises user account with Enterprise Administrator permission.
  • An AD FS service account.
  • An SSL certificate from a public CA (a SAN certificate) that matches the federation service name.
  • Internal DNS records for the AD FS federation service name (fs.azureoffice365.com).
  • An external DNS record for the AD FS federation service name (fs.azureoffice365.com).
  • One public IP address.
  • A domain-joined computer running Windows Server 2012 R2 for the Azure AD Connect server.
  • Two domain-joined computers running Windows Server 2012 R2 to form the AD FS farm.
  • A non-domain-joined computer running Windows Server 2012 R2, located in the DMZ.
  • One Windows Server 2008 R2 domain controller in the azure.loc domain.
  • One Exchange 2010 server with the Hub Transport and CAS roles installed.
  • One Exchange 2010 mailbox server.
  • One Kemp load balancer.
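The certificate is the prerequisite that most often fails silently later in the wizard, so as an added check (not part of the original post) the following PowerShell snippet verifies, before Azure AD Connect is run, that the .pfx file covers the federation service name, still carries its private key and is within its validity period. The path C:\certs\fs.pfx is an assumed export location; fs.azureoffice365.com is the federation service name from the prerequisites above.

```powershell
# Added example, not from the original post. Run on the future Azure AD Connect server.
# Assumed: the SAN certificate was exported with its private key to C:\certs\fs.pfx.
$pfxPath        = 'C:\certs\fs.pfx'
$federationName = 'fs.azureoffice365.com'

# Get-PfxCertificate prompts for the PFX password and loads the certificate with its key
$cert = Get-PfxCertificate -FilePath $pfxPath

# Names the certificate is valid for: the subject CN plus every DNS entry in the SAN extension
$names = @($cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$names += @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$names = $names | Sort-Object -Unique

$problems = @()
if ($names -notcontains $federationName) {
    $problems += "certificate names [$($names -join ', ')] do not include $federationName"
}
if (-not $cert.HasPrivateKey)       { $problems += 'PFX does not contain the private key' }
if ($cert.NotAfter  -lt (Get-Date)) { $problems += "certificate expired on $($cert.NotAfter)" }
if ($cert.NotBefore -gt (Get-Date)) { $problems += "certificate is not valid before $($cert.NotBefore)" }

# The issuing chain should also be trusted on this machine, otherwise clients will not trust it either
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += ('chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
}

if ($problems.Count -eq 0) {
    "OK: $pfxPath is usable for the AD FS farm ($federationName, expires $($cert.NotAfter))"
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it once on the Azure AD Connect server; if it reports a name mismatch the wizard's "subject" drop-down will not offer the federation service name, and a missing private key means the file is a certificate export (.cer) rather than a real PFX.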

Steps followed to deploy Azure AD Connect with an AD FS farm and a Web Application Proxy server:

Download the Azure AD Connect software from https://www.microsoft.com/en-us/download/details.aspx?id=47594.

Double click AzureADConnect.msi and click Install.

Click Run.

Wait for the installation to complete.

After Microsoft Azure AD Connect is installed, accept the license agreement on the welcome page and click Continue.

On the Express Settings page, click Customize.

Click Install on the Install required components page

Wait for the required components to install.

Choose Federation with AD FS in the User sign-in section.

Click Next.

Enter the Office 365 global administrator credentials on the Connect to Azure AD page and click Next.

Enter the on-premises enterprise administrator credentials on the Connect your directories page.

Click Add Directory.

Click Next.

Ensure that the UPN suffixes of the user names match one of the verified custom domains in Azure AD.

In our case the lyncpro.org and azureoffice365.com UPN suffixes are verified.

Click Next.

Choose Sync all domains and OUs on the Domain and OU filtering page.

Click Next.

Leave the default options on the Uniquely identifying your users page and click Next.

Leave the default option on the next page and click Next.

Select Exchange hybrid deployment on the Optional features page.

Click Next.

Select Configure a new Windows Server 2012 R2 AD FS farm in the AD FS farm page

Specify the location of the .pfx file (the SSL certificate with its private key).

Select the subject name of the AD FS service.

Click Next.

Add the AD FS servers

Click Next

Click Next on the Web Application Proxy servers page without specifying any servers (we will add them later).

Enter Domain Administrator credentials to perform installation of federation services

Click Next

Enter the AD FS service account on the AD FS service account page.

Click Next.

On the Azure AD Domain page, select the domain from the drop-down list.

In this scenario azureoffice365.com is selected.

Click Next

The selected domain will be converted into a federated domain.

Click Next.

Click Install on the Ready to configure page.

Wait for the configuration to complete

Wait for the configuration to complete.

The installation is now complete.

Click Verify to check the intranet DNS records required for the AD FS farm.

The federation service name is now verified.

Connect to Office 365 using the Microsoft Azure Active Directory Module for Windows PowerShell.

Execute Convert-MsolDomainToFederated -DomainName AzureADDomain (replacing AzureADDomain with the domain name) to convert the other domains to federated domains.

In this scenario lyncpro.org was also converted to a federated domain with the Convert-MsolDomainToFederated command.

Type Get-MsolDomain to list the domains and confirm which ones are federated.
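The conversion of the second domain, written out as a script (an added example, not code from the original post). It runs in the Azure Active Directory Module for Windows PowerShell and assumes the AD FS server name ADFS01.azure.loc, which is a placeholder: Convert-MsolDomainToFederated has to talk to the AD FS farm as well as to Azure AD, so when it is not run on an AD FS server itself it needs Set-MsolADFSContext first. The -SupportMultipleDomain switch is added here because more than one domain is being federated with the same farm, which requires a distinct IssuerUri per domain. The script skips domains that are unverified or already federated, then lists what Azure AD holds for each federated domain, including the expiry of the token-signing certificate it received.

```powershell
# Added example, not from the original post. Run in the Azure AD module for PowerShell on a
# machine that can reach the AD FS farm; ADFS01.azure.loc is an assumed AD FS server name.
Import-Module MSOnline
Connect-MsolService                       # prompts for the Office 365 global administrator credentials

# Convert-MsolDomainToFederated configures AD FS as well as Azure AD. When it is not run on an
# AD FS server itself, point it at one first.
Set-MsolADFSContext -Computer 'ADFS01.azure.loc'

$domainsToFederate = @('lyncpro.org')     # azureoffice365.com was already federated by the wizard

foreach ($domain in $domainsToFederate) {
    $current = Get-MsolDomain -DomainName $domain
    if ($current.Status -ne 'Verified') {
        "SKIP: $domain is not verified in Office 365 (status $($current.Status))"; continue
    }
    if ($current.Authentication -eq 'Federated') {
        "SKIP: $domain is already federated"; continue
    }
    # -SupportMultipleDomain gives each domain its own IssuerUri so several domains can share one farm
    Convert-MsolDomainToFederated -DomainName $domain -SupportMultipleDomain
}

# Both domains should now show Authentication = Federated
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize

# What Azure AD now holds for each federated domain: issuer, passive sign-in endpoint and the
# expiry of the token-signing certificate (an expired one breaks every sign-in for that domain)
Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' } | ForEach-Object {
    $settings = Get-MsolDomainFederationSettings -DomainName $_.Name
    $signing  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    , [Convert]::FromBase64String($settings.SigningCertificate))
    [pscustomobject]@{
        Domain          = $_.Name
        IssuerUri       = $settings.IssuerUri
        PassiveLogOnUri = $settings.PassiveLogOnUri
        SigningExpires  = $signing.NotAfter
    }
} | Format-Table -AutoSize
```

The PassiveLogOnUri column should point at https://fs.azureoffice365.com/adfs/ls/ for both domains, and the two IssuerUri values must differ; if they are identical the second conversion ran without -SupportMultipleDomain.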


Deploy the Web Application Proxy server using the Azure AD Connect wizard.

To deploy the WAP server, double-click the Azure AD Connect wizard.

Click Configure

Select Deploy Web Application Proxy (currently none configured).

Click Next.

Enter the Office 365 global administrator credentials.

Click Next.

Enter the password of the .pfx file in the prompt box.

Click OK.

Click Next.

Before proceeding to the next step:

  • Ensure the WinRM (Windows Remote Management / WS-Management) service is running on the target WAP server.
  • Execute Enable-PSRemoting -Force on the Azure AD Connect server.
  • Execute Set-Item WSMan:\localhost\Client\TrustedHosts -Value ind-chn-wap101.azure.loc -Force -Concatenate on the Azure AD Connect server.
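The three preparation steps as one script, with a connectivity test at the end (an added example, not code from the original post). It uses the WAP name from the list above and assumes the wizard is run as a local administrator on the Azure AD Connect server. The TrustedHosts entry matters from a security point of view: the WAP is not domain-joined, so WinRM cannot authenticate it with Kerberos, and every host in TrustedHosts receives the credentials typed into the wizard without the client verifying the server's identity. The script therefore adds only the single host name, never a wildcard, and appends rather than overwrites the existing list.

```powershell
# Added example, not from the original post. Run as administrator on the Azure AD Connect server
# before the wizard deploys the WAP. The WAP name is the one used in the post.
$wapServer = 'ind-chn-wap101.azure.loc'

# 1. Enable remoting locally (starts WinRM, creates the HTTP listener and the firewall rule)
Enable-PSRemoting -Force

# 2. The WAP is not domain-joined, so there is no Kerberos mutual authentication for it;
#    list it explicitly in TrustedHosts. -Concatenate appends instead of replacing the list.
#    Keep the entry to this one host name: a wildcard would make this client hand its
#    credentials to any machine that answers on the name it was given.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (($trusted -split ',') -notcontains $wapServer) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $wapServer -Force -Concatenate
}
'TrustedHosts now: ' + (Get-Item WSMan:\localhost\Client\TrustedHosts).Value

# 3. Confirm the WinRM service on the WAP answers (the identify request needs no credentials)
try {
    $id = Test-WSMan -ComputerName $wapServer -ErrorAction Stop
    "WinRM on $wapServer answers: $($id.ProductVersion)"
} catch {
    "WinRM on $wapServer is not reachable: $($_.Exception.Message)"; return
}

# 4. Authenticated check with the WAP local administrator account, as the wizard will do;
#    also report whether the Web Application Proxy role service is already present
$cred = Get-Credential -Message "Local administrator on $wapServer"
Invoke-Command -ComputerName $wapServer -Credential $cred -ScriptBlock {
    Get-Service WinRM | Select-Object MachineName, Status
    'Web-Application-Proxy feature: ' + (Get-WindowsFeature Web-Application-Proxy).InstallState
}
```

If step 3 fails, the usual causes are the WinRM service being stopped on the WAP, a firewall between the internal network and the DMZ blocking TCP 5985, or the name not resolving from the Azure AD Connect server; the wizard will fail at the same point with a less specific message.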

Enter the Web Application Proxy server name now.

Click Next

Enter the domain administrator credentials.

Click Next.

Verify that the WAP server is added.

Click Next.

Enter the AD FS administrator credentials to configure the proxy trust.

Click Next.

Wait for the component check to finish.

Click Configure on the next page.

The installation is now complete.

Click Verify to check the federation service intranet and extranet DNS records.

The intranet configuration is verified.

I had missed creating the CNAME record for extranet name resolution, so I received an error message.

I then created a CNAME record for fs.azureoffice365.com in the public DNS portal.

The AD FS extranet configuration is now successfully verified.

In a browser, open https://fs.azureoffice365.com/adfs/ls/idpinitiatedsignon.aspx to access the AD FS sign-in page.

Sign in to the AD FS page with an organizational account.

We have now successfully signed in to the AD FS web portal.
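The wizard's Verify button and the manual browser test above can be reproduced from the command line; the following script is an added example, not code from the original post. It checks the DNS split that the two Verify runs exercise (internal clients must resolve fs.azureoffice365.com to the AD FS farm behind the load balancer, external clients to the public IP of the WAP), fetches the IdP-initiated sign-on page and the standard AD FS federation metadata document over HTTPS, and prints the certificate actually served on port 443 so it can be compared with the .pfx handed to the wizard. The internal DNS address 10.0.0.10 and the public resolver 8.8.8.8 are assumptions.

```powershell
# Added example, not from the original post. Assumed: 10.0.0.10 is the azure.loc domain
# controller acting as internal DNS; 8.8.8.8 is any public recursive resolver.
$fsName      = 'fs.azureoffice365.com'
$internalDns = '10.0.0.10'
$publicDns   = '8.8.8.8'

function Get-AddressesFor($name, $server) {
    # Ask the given server directly (no cache, no hosts file), follow CNAMEs, return IPv4 addresses
    Resolve-DnsName -Name $name -Server $server -Type A -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
}

$intranet = @(Get-AddressesFor $fsName $internalDns)
$extranet = @(Get-AddressesFor $fsName $publicDns)
"Intranet ($internalDns): $($intranet -join ', ')"
"Extranet ($publicDns):  $($extranet -join ', ')"

# Internal clients must land on the AD FS farm (load balancer VIP), external ones on the WAP
# public IP. If the two sets overlap, one side is pointing at the wrong tier.
if ($intranet.Count -eq 0 -or $extranet.Count -eq 0) {
    'PROBLEM: the federation service name does not resolve on one side'
} elseif ($intranet | Where-Object { $extranet -contains $_ }) {
    'PROBLEM: intranet and extranet resolve to the same address'
} else {
    'OK: internal and external name resolution point at different tiers'
}

# Fetch the IdP-initiated sign-on page and the federation metadata document over HTTPS
foreach ($path in '/adfs/ls/idpinitiatedsignon.aspx', '/FederationMetadata/2007-06/FederationMetadata.xml') {
    $url = "https://$fsName$path"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        "$url -> HTTP $($r.StatusCode)"
    } catch {
        "$url -> $($_.Exception.Message)"
    }
}

# Show the certificate presented on 443 so it can be compared with the one given to the wizard
$tcp = New-Object System.Net.Sockets.TcpClient($fsName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($fsName)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Served certificate: $($served.Subject), thumbprint $($served.Thumbprint), expires $($served.NotAfter)"
$ssl.Dispose(); $tcp.Close()
```

Run it once from an internal machine and once from outside the network: inside, the HTTPS calls should hit the AD FS farm directly; outside, the same URLs must be answered by the WAP with the same public certificate.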


Assign Office 365 licences to the synced user objects

Here I have assigned licences to the users test6@azureoffice365.com, Test7@lyncpro.org and Test9@lyncpro.org.
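The same licence assignment done from the Azure Active Directory Module for Windows PowerShell instead of the portal (an added example, not code from the original post). The E3 SKU is looked up by its part number ENTERPRISEPACK rather than hard-coded; the usage location IN is an assumption, since Office 365 refuses to licence a user with no usage location set. The final query lists only synced users (those with an ImmutableId) that carry a licence, which is the population this walkthrough is about.

```powershell
# Added example, not from the original post. Assumed: usage location IN for the test users.
Import-Module MSOnline
Connect-MsolService                  # prompts for the Office 365 global administrator credentials

$users         = 'test6@azureoffice365.com', 'Test7@lyncpro.org', 'Test9@lyncpro.org'
$usageLocation = 'IN'

# Find the E3 SKU (part number ENTERPRISEPACK) and make sure seats are available
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }
if (-not $sku) { throw 'No E3 (ENTERPRISEPACK) SKU found in this tenant' }
"$($sku.AccountSkuId): $($sku.ActiveUnits - $sku.ConsumedUnits) of $($sku.ActiveUnits) seats free"

foreach ($upn in $users) {
    $u = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
    if (-not $u.UsageLocation) {
        # A licence cannot be added until the user has a usage location
        Set-MsolUser -UserPrincipalName $upn -UsageLocation $usageLocation
    }
    if ($u.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
        "$upn already holds $($sku.AccountSkuId)"; continue
    }
    Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $sku.AccountSkuId
    "$upn licensed with $($sku.AccountSkuId)"
}

# Verify: synced (ImmutableId present, i.e. not cloud-only) users that carry a licence
Get-MsolUser -All | Where-Object { $_.ImmutableId -and $_.IsLicensed } |
    Select-Object UserPrincipalName, @{ n = 'Skus'; e = { $_.Licenses.AccountSkuId -join ',' } } |
    Format-Table -AutoSize
```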


Sign in to the Office 365 portal at https://portal.office.com.

Type the email address of an Office 365 user. Here the account test6@azureoffice365.com is used.

Place the cursor in the password field. We will be redirected to our organization's AD FS web portal.

In the AD FS web portal, type the on-premises user account and password.

Click Sign in.

We are now redirected back to the Office 365 portal and can view our subscribed features. Please refer to the picture below.

Thanks for reading.
