Upgrade An Azure-Hosted Service By Moving A VIP To A New Cloud Service

Last Friday I talked about how you could reserve and manipulate cloud service VIPs. In this post I’m going to show you how to “upgrade” a service by moving to a new installation of that service running in a new cloud service – this can be done by moving the VIP of the original cloud service to the new cloud service.

Have you wondered how you will upgrade your WS2012 R2 VMs to WS2016 in Azure? The answer is that you won’t. You will have to migrate services to new VMs. Here’s a way to do that migration. This process will keep the original installation running while the new service is being built. Once ready, the VIP (the public IP of the original service) is migrated to the newer cloud service. If all goes well, you remove the old cloud service. If all sucks, you migrate the VIP back to the original cloud service.

In my lab I have two cloud services:

  • OldWeb: This runs a WS2012 R2 VM with IIS
  • NewWeb2016: This runs a WS2016 VM with IIS


Let’s say I have a site called www.joeelway.com. The A records for joeelway.com and www.joeelway.com point to the VIP of the OldWeb cloud service; this is what allows a browser to connect to that site. If I don’t have a reserved VIP then I can create one easily enough with:

New-AzureReservedIP -ReservedIPName "WebsiteVIP" -Location "North Europe" -ServiceName "OldWeb"

This reserves the IPv4 address that OldWeb is already using and fixes it to that cloud service. It is a non-disruptive change: I can continue to browse to the website using the same VIP as when it was dynamic.


Now I can build up a new web application using the NewWeb2016 cloud service. This has zero impact on the OldWeb cloud service, running side-by-side but using a different (probably dynamic) VIP:


The A records for the joeelway.com domain continue to point at the reserved VIP for OldWeb, so users are still going to the old service.

And then we plan a switchover, with all of the necessary data copy/replication/synchronisation, change controls, reviews, communications, etc. How do I make the change? It’s simple; we run two cmdlets to change the reserved IP association.

The first cmdlet will remove the association of the reserved VIP from the OldWeb cloud service. This forces the old service to get a new dynamic VIP:

Remove-AzureReservedIPAssociation -ReservedIPName "WebsiteVIP" -ServiceName "OldWeb"

This cmdlet takes a few minutes to run so plan for the associated outage that will be caused. The A records for the joeelway.com domain continue to point at the reserved VIP, which is no longer associated with a service. If you browse to the VIP the connection will time out:


We want to avoid such a time out experience for the site’s users so we will very quickly associate the VIP with the new cloud service to minimise downtime (scripting is perfect for this!):

Set-AzureReservedIPAssociation -ReservedIPName "WebsiteVIP" -ServiceName "NewWeb2016"

The A records continue to resolve to the reserved VIP, and now the VIP is associated to the new cloud service:


If all goes well, you can decommission the old cloud service (VMs, etc), but you can leave them running for a little while as a rollback plan:

  1. Remove the VIP association from the new cloud service
  2. Set the VIP association with the old cloud service

You have to admit that, even if you are a PowerShell hater, this is a nice way to switch clients to a new version of a service.

How to Reserve The VIP Of An Azure Cloud Service

Microsoft announced earlier this year that we would have the ability to reserve the public IP address (virtual IP or VIP) of a cloud service in Azure. I’d love that:

  • VIPs are non-reserved by default, so if your cloud service is suspended (maybe all VMs are shut down and deallocated) then you get a different VIP afterwards. That causes mayhem with traditional DNS.
  • I’ve been using CNAMEs to resolve my domain name to the cloud service’s domain name, to abstract the dynamic nature of VIPs. Unfortunately, a compliant DNS implementation does not allow a CNAME at the zone apex, e.g. aidanfinn.com, so the bare domain still needs an A record pointing at a fixed address.

What I needed was a reserved VIP. Every now and then I looked for the way to implement this new feature, but I only just found it now.

Fire up Azure PowerShell (make sure it’s up to date) and then log into your subscription using Add-AzureAccount.

Find your service name using Get-AzureService.

Then run the following cmdlet, substituting your choice of label for the VIP, region, and service name:

New-AzureReservedIP -ReservedIPName "MyVIP01" -Location "North Europe" -ServiceName "MyCloudService"

This cmdlet won’t change the VIP of the cloud service; instead it reserves the existing VIP on your cloud service, which is a non-disruptive action. You can query the results in the GUI or by running Get-AzureReservedIP:


To test, I shut down all the VMs in the cloud service; this puts the cloud service into a suspended state. Normally the VIP is released when a cloud service is suspended. But when I started up the cloud service (starting 1 VM) the same VIP returned. Yay!

Keep in mind that there is a price plan for reserved VIP addresses. You get the first 5 reserved VIPs for free (subject to change). There is a charge for additional VIPs. And if you don’t use a reserved VIP (you reserve it and leave the cloud service suspended) then there’s a charge for the VIP.

Which leads us to the obvious follow-up question: how do I remove a reserved VIP? It’s not quite a logical undo. First you need to undo the association of the VIP reservation with the cloud service. Note that the following is not Remove-AzureReservedIP (that cost me 10 minutes):

Remove-AzureReservedIPAssociation -ReservedIPName "MyVIP01" -ServiceName "MyCloudService"

Note: I’ve noticed that this cmdlet takes a couple of minutes to run.

If you have the Azure portal open you might see it refresh and change the VIP of your cloud service – what you’ve done is remove the association of the VIP with that cloud service; the VIP is still reserved.

That opens up an interesting scenario. Let’s say I have an application called App1 running in CloudService1, and I’d like to build a new version of the application in CloudService2 and switch users over without them noticing.

  1. Reserve the VIP on CloudService1
  2. Set up DNS records for App1 to the reserved VIP
  3. Time passes by … until we want to migrate users …
  4. Remove the VIP association from CloudService1; the VIP is still reserved, but now unused
  5. Set the VIP association with CloudService2

And all of a sudden, people start using App1 on CloudService2 without changing DNS records … nice!

When you want to completely remove a VIP reservation, first make sure that you remove any cloud association with Remove-AzureReservedIPAssociation, and then run:

Remove-AzureReservedIP -ReservedIPName "MyVIP01"
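The switchover described in the first post above and the five-step scenario in this one are the same operation, so here is the whole flow in one script. This is an added example of mine, not a script from the posts: it uses the classic Azure Service Management cmdlets the posts use, the lab names from the posts (WebsiteVIP, OldWeb, NewWeb2016, North Europe), and helper function names of my own. It assumes Add-AzureAccount has already been run and the right subscription selected.

```powershell
# Added example (not from the posts): reserve a cloud service VIP, move it to a second
# cloud service with pre-flight checks, and fall back to the original if the move fails.
# Classic Azure Service Management cmdlets; names are the lab names from the posts.
# Assumes Add-AzureAccount / Select-AzureSubscription have already been run.
$VipName    = "WebsiteVIP"
$Location   = "North Europe"
$OldService = "OldWeb"
$NewService = "NewWeb2016"

function Assert-ServiceExists {
    param([string]$ServiceName)
    if (-not (Get-AzureService -ServiceName $ServiceName -ErrorAction SilentlyContinue)) {
        throw "Cloud service '$ServiceName' not found in the selected subscription"
    }
}

function Get-ProductionVip {
    # Public address of the production slot; empty while the service is suspended
    param([string]$ServiceName)
    $dep = Get-AzureDeployment -ServiceName $ServiceName -Slot Production -ErrorAction SilentlyContinue
    if ($dep -and $dep.VirtualIPs) { return $dep.VirtualIPs[0].Address }
    return $null
}

function Initialize-ReservedVip {
    # Reserve the address the old service already has (non-disruptive) unless it already exists
    param([string]$Name, [string]$Loc, [string]$ServiceName)
    $rip = Get-AzureReservedIP -ReservedIPName $Name -ErrorAction SilentlyContinue
    if ($rip) { return $rip }
    New-AzureReservedIP -ReservedIPName $Name -Location $Loc -ServiceName $ServiceName | Out-Null
    return Get-AzureReservedIP -ReservedIPName $Name
}

function Move-ReservedVip {
    param([string]$Name, [string]$From, [string]$To)
    $rip = Get-AzureReservedIP -ReservedIPName $Name
    if ($rip.ServiceName -ne $From) {
        throw "'$Name' is associated with '$($rip.ServiceName)', not '$From'; refusing to move it"
    }
    # The outage starts here: the address answers nothing until Set-... completes
    Remove-AzureReservedIPAssociation -ReservedIPName $Name -ServiceName $From -Force
    try {
        Set-AzureReservedIPAssociation -ReservedIPName $Name -ServiceName $To
    } catch {
        # Keep DNS pointing at something alive: re-attach to the original service
        Write-Warning "Attach to '$To' failed ($_); rolling back to '$From'"
        Set-AzureReservedIPAssociation -ReservedIPName $Name -ServiceName $From
        throw
    }
    # Verify the reservation really landed on the new service before declaring success
    $after = Get-AzureReservedIP -ReservedIPName $Name
    if ($after.ServiceName -ne $To -or (Get-ProductionVip $To) -ne $after.Address) {
        throw "Post-move check failed: '$Name' ($($after.Address)) is on '$($after.ServiceName)'"
    }
    return $after
}

function Test-VipHttp {
    # Smoke test: does the site answer on the given address at all?
    param([string]$Address)
    if (-not $Address) { return $false }
    try {
        $r = Invoke-WebRequest -Uri "http://$Address/" -UseBasicParsing -TimeoutSec 15
        return ($r.StatusCode -eq 200)
    } catch { return $false }
}

Assert-ServiceExists $OldService
Assert-ServiceExists $NewService
$vip = Initialize-ReservedVip -Name $VipName -Loc $Location -ServiceName $OldService
Write-Host "Reserved $($vip.Address) as '$VipName' on '$($vip.ServiceName)'"

# Don't move the VIP onto a service that is not serving yet (test it on its own dynamic VIP first)
if (-not (Test-VipHttp -Address (Get-ProductionVip $NewService))) {
    throw "'$NewService' does not answer on its own VIP yet; not switching"
}

$moved = Move-ReservedVip -Name $VipName -From $OldService -To $NewService
Write-Host "'$VipName' now serves '$($moved.ServiceName)' at $($moved.Address)"

# Rollback, when needed, is the same move in reverse:
# Move-ReservedVip -Name $VipName -From $NewService -To $OldService
```

Two checks worth doing before running this for real: the new cloud service must already carry the same endpoints (ports, endpoint ACLs) and the same TLS certificate as the old one, because clients arrive on the moved VIP using the old hostname and will not tolerate a certificate mismatch; and because Remove-AzureReservedIPAssociation takes minutes, the rollback is kept inside the same process rather than left to an operator retyping cmdlets under pressure.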

Microsoft GAs The Last Vital Piece For VM Hosting

Microsoft announced that Azure Backup for Azure IaaS virtual machines (VMs) was released to general availability yesterday. Personally, I think this removes a substantial roadblock from deploying VMs in Azure for most businesses (forget the legal stuff for a moment).

No Backup – Really?

I’ve mentioned many times that I once worked in the hosting business. My first job was as a senior engineer with what was then a large Irish-owned company. We ran three services:

  • Websites: for a few Euros a month, you could get a plan that allowed 10+ websites. We also offered SQL Server and MySQL databases.
  • Physical servers: Starting from a few hundred Euros, you got one or more physical servers
  • Virtual machines: I deployed the VMware (yeah, VMware) farm running on HP blades and EVA, and customers got their own VNET with one or more VMs

The official line on websites was that there was no backup of websites or databases. You lose it, you LOST it. In reality we retained 1 daily backup to cover our own butts. Physical servers were not backed up unless a customer paid extra for it, and they got an Ahsay agent and paid for storage used. The same went for VMware VMs – pay for the agent + storage and you could get a simple form of cloud backup.

Backup-less Azure

Until very recently there was no backup of Azure VMs. How could that be? This line says a lot about how Microsoft thinks:

Treat your servers like cattle, not pets

When Azure VMs originally launched in beta, the VMs were stateless, much like containers. If you rebooted the VM it reset itself. You were supposed to write your applications so that they used Azure storage accounts or Azure SQL databases. There was no DC or SQL Server VM in the cloud – that was silly because no one deploys or uses stateful machines anymore. Therefore you shouldn’t care if a VM dies, gets corrupted, or is accidentally removed – you just deploy a new one and carry on.

Except …

Almost no one deploys servers like that.

I can envision some companies, like an Ebay or an Amazon running stateless application or web servers. But in my years of working in large and small/medium businesses, I’ve never seen stateless machines, and I’ve never encountered anyone with a need for those style of applications – the web server/database server configuration still dominates AFAIK.

So this is why Azure never had a backup service for VMs. A few years ago, Microsoft changed Azure VMs to be stateful (Hyper-V) virtual machines that we are familiar with and started to push this as a viable alternative to traditional machine deployments. I asked the question: what happens if I accidentally delete a VM – and I got the old answer:

Prepare your CV/résumé.

Mark Minasi quoted me at TechEd North America in one of his cloud Q&As with Mark Russinovich 2 years ago – actually he messed up the question a little and Russinovich gave a non-answer. The point was: how could I possibly deploy a critical VM into Azure if I could not back it up?

Use DPM!

Yeah, Microsoft last year blogged that customers should use System Center Data Protection Manager to protect VMs in Azure. You’d install an agent into the guest OS (you have no access to Azure hosts and there is no backup API) and back up files, folders, and databases to DPM running in another VM. The only problem with this would be the cost:

  • You’d need to deploy an Azure VM for DPM.
  • You would have to use Page Blobs & Disks instead of Block Blobs, doubling the cost of Azure storage required.
  • The cost of System Center SMLs would have been horrific. A Datacenter SML ($3,607 on Open NL) would cover up to 8 Azure virtual machines.

Not to mention that you could not simply restore a VM:

  • Create a new VM
  • Install applications, e.g. SQL Server
  • Install the DPM agent
  • Restore files/folders/databases
  • Pray to your god and any others you can think of

Azure Backup

Azure has a backup service called Azure Backup. This was launched as a hybrid cloud service, enabling you to backup machines (PCs, servers) to the cloud using an agent (MARS). You can also install the MARS agent onto an on-premises DPM server to forward all/subset of your backup data to the cloud for off-site storage. Azure Backup uses Block Blob storage (LRS or GRS) so it’s really affordable.

Earlier this year, Microsoft launched a preview of Azure Backup for Azure IaaS VMs. With this service you can protect Azure VMs (Windows or Linux) using a very simple VM backup mechanism:

  1. Create a backup policy – when to backup and how long to retain data
  2. Register VMs – installs an extension to consistently back up running VMs
  3. Protect VMs: Associate registered VMs with a policy
  4. Monitor backups

The preview wasn’t perfect. In the first week or so, registration was hit and miss. Backup of large VMs was quite slow too. But the restore process worked – this blog exists today only because I was able to restore the Azure VM that it runs on from an Azure backup – every other restore method I had for the MySQL database failed.

Generally Available

Microsoft made Azure Backup for IaaS VMs generally available yesterday. This means that now you can, in a supported, simple, and reliable manner, backup your Windows/Linux VMs that are running in Azure, and if you lose one, you can easily restore it from backup.

A number of improvements were included in the GA release:

  • A set of PowerShell based cmdlets have been released – update your Azure PowerShell module!
  • You can restore a VM with an Azure VM configuration of your choice to a storage account of your choice.
  • The time required to register a VM or back it up has been reduced.
  • Azure Backup is in all regions that support Azure VMs.
  • There is improved logging for auditing purposes.
  • Notification emails can be sent to administrators or an email address of your choosing.
  • Errors include troubleshooting information and links to documentation.
  • A default policy is included in every backup vault
  • You can create simple or complex retention policies (similar to hybrid cloud backup in MARS agent) that can keep data up to 99 years.

Summary

With this release, Microsoft now has solved my biggest concern with running production workloads in Azure VMs – now we can backup and restore stateful machines that have huge value to the business.


Old School Thinking Wrecks A Company (@iDMobileIreland) Launch

You’d think that a start-up mobile telecoms company would understand the cloud, right? Today in Ireland, a new virtual mobile telecoms company, iD Ireland, launched their business, promising to give 4G as standard and to offer cheaper and more tailored plans to customers with generous data allocations. That sounds like the sort of thing that I’d want to check out, and it got coverage in every news outlet in Ireland.

So I, like many others, tried to browse their site. And 5 minutes later, the page actually loaded. I bet that most people thought “That’s sh1te” long before the page loaded, closed the browser tab and forgot about iD, thus ruining the potential of their launch. What a waste of great publicity and PR!

So what went wrong there? Old schoolers, that’s what. “Let’s put up 2 web servers and sure that’ll be grand. If we need more then we can build more servers”. You know the sort – you might even be that kind of person.

You know how I would have built such a web presence? I’d have deployed a set of load balanced web sites in Azure. And then I would have enabled auto-scaling. I’d have a minimum number of sites to keep the regular load operating nicely, and enough peak potential to meet the demand one would get after launching a mobile company and successfully getting coverage in every news outlet in the country. And the beauty is – I’d pay for just what is active.

But no; the IT old schoolers won out and the shareholders lost out. Isn’t that how it often happens?


MVP Whitepaper – Cloud Consistency with Azure Resource Manager

MVPs Kristian Nese and Flemming Riis have written a whitepaper on Azure resource groups. This white paper will prep you to use Azure Resource Manager (ARM) in Azure now, and in Azure Stack in the future.

I’ve recently started dipping my toe in these waters. Honestly, this is large scale stuff, but it’s interesting how much control it can give you.

The paper is a substantial piece of work (currently clocking in at 51 pages) and it looks like updates will come in the future. Thanks Flemming and Kristian!

Thinking About Or Using Azure? Then Give This A Vote

Microsoft has some of the dumbest boundaries between the licensing deployments of their cloud products. If you deploy direct-billing (MOSP, and this includes MSDN) Azure then you cannot switch your services to Open licensing. If you are in syndicated Office 365 then you cannot switch to volume licensing. Basically, the Microsoft imaginary cloud boundaries that I know of are as follows:

  • Syndicated
  • CSP
  • Open
  • Enterprise Agreement
  • MOSP/direct-billing

Whatever you deploy in one plan is stuck there. And that sucks, considering that:

  • Customers will develop something on direct-billing or MSDN, like it, and then want to go “production”, and then hit the Microsoft licensing barrier.
  • Customers do move up/down/across the various forms of Microsoft licensing.

What can be done? I’ve heard stories that if you bought a big enough EA, then you could open a support call with Microsoft billing to move all of your deployment to that agreement. I’ve also read that customers in direct-billing could do the same to move to volume licensing.

Do you, like me, think that this sucks? I sure do – this should be something that is easy, and not dependent on a “favour”. If you agree then vote here, like I just did.


Microsoft Modifies The Azure Backup Announcement

Yesterday I posted an “Aidan Smash” article about the messed up Azure Backup announcement, in which Microsoft described improvements that were coming to Azure Backup. Let’s remind ourselves what Microsoft originally said:

Why did I take a screenshot of the text instead of copying/pasting it? I’ve learned that when Microsoft makes a controversial announcement, or something that is just plain dumb, that text can change without any notice.

Controversy? Yes; Microsoft pretty much stated that the requested feature improvements in Azure Backup that would make the product marketable to the breadth market (that will actually use Azure Backup) were going to be restricted to System Center customers that paid extra for OMS Add-On for Azure (not the breadth market).

That sounded pretty stupid. I reached out for a correction but did not get one within the 24 hours before I posted my rant. So it seemed that someone had made yet another dumb packaging/pricing decision with a Microsoft online service.

24 hours later, the announcement was changed by Microsoft:


Note that the post does not say the following anymore:

… we are now announcing new Azure Backup services that are available today to OMS customers.

In fact, all mention of OMS in this section and the bullet points has been removed. Cue cautious celebration!

How do I read this (as a person that does not have access to OMS Add-On and cannot verify what OMS customers have access to)?

  • The new features will not be restricted to OMS Add-On customers
  • The new features are not available yet

This is much better. Now if only the author had bothered to communicate clearly in the first place – I’m guessing they were made to walk the plank.

[Update]

Microsoft confirmed that the improvements to Azure Backup will be coming to everyone. These features will be coming before the end of the calendar year. I look forward to trying them out, and hopefully selling them.

Cannot Verify A DNS Domain In Azure Because You Used .LOCAL or .INTERNAL

A lot of companies have used a non-public domain name for their Active Directory. This meant that they didn’t have to buy a public domain name (but they probably did eventually for email), they had company politics issues, or they wanted to separate public from private (making resolution of external services easier). But this causes a problem when you are trying to federate or sync with Azure Active Directory, and I’ll explain a way to solve that issue here.

The Issue

When we connect a legacy Windows Server AD (LAD) to AAD we need to have both domain names matching. So if the company has an AD called joeelway.internal then they cannot sync or federate that domain to an Azure AD called joeelway.com (the public DNS domain for the company) or joeelwayazure.onmicrosoft.com (a default domain name for an Azure subscription). This is because if we have a user, Barbara, then her UPNs would mismatch:

  • barbara@joeelway.internal VS barbara@joeelway.com OR
  • barbara@joeelway.internal VS barbara@joeelwayazure.onmicrosoft.com

Solution

Method one is extreme and disruptive:

  • Rename the domain and deal with any consequences (eek!)
  • Configure internal DNS to resolve names of company-owned external services
  • Re-educate people about their UPNs if they’ve been using UPN to log in

I think we can agree that method 1 is too disruptive. There is a softer approach that you can use:

  • Configure an additional DNS suffix for your domain
  • Change the UPN of users to use the new DNS suffix
  • Re-educate people about their UPNs if they’ve been using UPN to log in

Adding a suffix is easy:

  1. Launch AD Domains and Trusts
  2. Right-click on Active Directory Domains And Trusts (not the domain name) and select Properties
  3. Enter the desired domain name in Alternative UPN Suffixes and click Add


Next you’ll change the UPN of the users. You can do this in AD Users and Computers (very slowly, one user at a time) or with a few lines of PowerShell to do it near instantly at scale.
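The bulk version of that UPN change, as an added example of mine rather than a script from the post, using the ActiveDirectory module that ships with RSAT. The suffixes are the post’s joeelway.internal and joeelway.com; the OU path is a placeholder, and the function names are mine. It refuses to run unless the new suffix was actually registered in AD Domains and Trusts, skips any user whose new UPN would collide with an existing one, and supports -WhatIf so the first pass is a dry run.

```powershell
# Added example (not from the post): change the UPN suffix of every user under an OU
# from the non-routable AD name to a suffix that Azure AD can verify. Needs the
# ActiveDirectory RSAT module. OU path is a placeholder; suffixes are the post's example.
Import-Module ActiveDirectory

$OldSuffix  = "joeelway.internal"
$NewSuffix  = "joeelway.com"                      # must already be an alternative UPN suffix in the forest
$SearchBase = "OU=Staff,DC=joeelway,DC=internal"  # placeholder; scope deliberately narrow, not the whole domain

function Convert-UpnSuffix {
    # Pure string transform, kept separate so it can be checked without touching AD
    param([string]$Upn, [string]$Old, [string]$New)
    if ([string]::IsNullOrEmpty($Upn) -or $Upn -notlike "*@$Old") { return $null }
    return ($Upn -replace ('@' + [regex]::Escape($Old) + '$'), "@$New")
}

function Assert-UpnSuffixRegistered {
    # Refuse to run if the suffix was not added in AD Domains and Trusts (step 3 above)
    param([string]$Suffix)
    $registered = (Get-ADForest).UPNSuffixes
    if ($registered -notcontains $Suffix) {
        throw "'$Suffix' is not an alternative UPN suffix in this forest (have: $($registered -join ', '))"
    }
}

function Update-UserUpnSuffix {
    param([string]$SearchBase, [string]$Old, [string]$New, [switch]$WhatIf)
    Assert-UpnSuffixRegistered $New
    $log = @()
    Get-ADUser -Filter "UserPrincipalName -like '*@$Old'" -SearchBase $SearchBase -Properties UserPrincipalName, mail |
      ForEach-Object {
        $newUpn = Convert-UpnSuffix -Upn $_.UserPrincipalName -Old $Old -New $New
        if (-not $newUpn) { return }
        # UPNs must be unique in the forest; skip the user rather than fail the whole run
        if (Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue) {
            Write-Warning "$newUpn already exists; skipping $($_.SamAccountName)"
            return
        }
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf:$WhatIf
        $log += [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            OldUpn         = $_.UserPrincipalName
            NewUpn         = $newUpn
            MailMatches    = ($_.mail -eq $newUpn)   # flags users whose email will still differ from their UPN
        }
      }
    return $log
}

# Dry run first; review the table, then re-run without -WhatIf and keep the CSV as the change record
Update-UserUpnSuffix -SearchBase $SearchBase -Old $OldSuffix -New $NewSuffix -WhatIf | Format-Table -AutoSize
# Update-UserUpnSuffix -SearchBase $SearchBase -Old $OldSuffix -New $NewSuffix |
#     Export-Csv -Path .\upn-changes.csv -NoTypeInformation
```

Treat the UPN as the user’s login identity, not a cosmetic attribute: cached credentials and Office client sign-ins that used the old UPN will need re-entering, and if the accounts were already being synchronised before the change, confirm afterwards that the new UPN actually arrived in Azure AD rather than assuming it did.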


Users will now have a single UPN across LAD and AAD (Azure, Office 365, etc.), (hopefully) their email address, and any third-party SaaS if you federate your AAD.

A Demo Lab

I bought joeelway.com for my demo lab so I can show the real world solution in classes. If you’re just experimenting, learning, or doing a quick demo, then you can use the Azure default domain name. The default domain name is based on the name of your Azure subscription, for example joeelwayazure.onmicrosoft.com. Use this domain name as the additional suffix in your LAD, and set the UPNs to use this, e.g. barbara@joeelwayazure.onmicrosoft.com; use this UPN for logging into cloud services.


An Open Letter To Scott Guthrie About Azure Backup

Oh baby, it’s one of those posts where Aidan Smash! I think Azure Backup has amazing potential to OWN the online backup market, but thanks to the leadership of that group, Azure Backup is irrelevant. Read on to find out why.

[Update]

Microsoft modified the below announcement and details were confirmed to me. Read here to learn more.

What’s Online Backup and What is the Market?

We all know what on-premises backup is:

  • Something like DPM, Veeam, Altaro, Commvault, ArcServe, etc runs a job to backup files, folders, system state, VMs, or whatever
  • Data is sent to a disk and/or tape archive
  • We restore data from there when it’s corrupted or lost

An old saying in IT goes: you don’t have a backup if you don’t have 3 copies. In IT we know that we should keep off-site copies of data. In the old days, Iron Mountain would pick up a bag of tapes and courier them off to some place. If we needed to go back more than a week, then we’d have to call those tapes in (cost + delay) and that sucked. Plus tapes are fragile.

Some folks implemented site-to-site replication of backup (DPM, Veeam, etc) to counter this. Data is sent off to another location so the data is available no matter what happens to the primary site. But … there’s a cost to keeping an archive.

This is where online backup is meant to come into play. A hosting company can offer huge amounts of cheap storage. An agent is deployed to required machines (roaming user devices, servers, hosts, VMs) and does an online backup. Data might be proxied/stored locally with a short retention period, and stored in the cloud with a long retention period. There’s lots of variations in the offerings so don’t get caught up in the details here.

The Challenge with Online Backup

It’s simple: Price. The dominant service in Ireland (based on reseller-friendly Ahsay) costs anywhere from €0.30 to €1.00 per GB stored per month. So when Microsoft came along with Azure and offered a cheaper alternative you’d think that they’d wipe the floor with the competition, right?

What’s Wrong with Azure Online Backup?

I break up AB into three offerings, to try to clarify the mess that Azure Marketing/Branding has created:

  • Azure Backup for IaaS/VMs: Backs up VMs running in Azure to block blob storage
  • DPM + Azure Backup: DPM backs up Hyper-V, files/folders, SQL Server, SharePoint, Exchange, etc, and an AB agent on the DPM server forwards selected data to Azure block blob storage
  • Azure Backup: An agent (called MARS) is installed on each machine that will be backed up, and it can only support files and folders, only files and folders, and nothing but files and folders, and if you ask about anything other than files and folders then you are a complete moron that should walk onto the street and ask to be hit in the head with a baseball bat (it might improve your IQ)

The market for Azure Backup is not the large enterprise. It’s SMEs … as I said it was quite some time ago with Azure Site Recovery (the ASR team has since acknowledged that I was correct). When Azure first went on sale via Open licensing (SMEs) I talked to Microsoft partners about this. The price then was around €0.25 per GB, which then dropped to €0.149/GB and now sits at as little as €0.017/GB (approx – I’m too lazy to Google it) plus an “instance” charge. So Azure Backup completely took over the Irish market, right? Uh, not so fast, my friend! Anyone selling the incumbent is still selling the incumbent, and that’s because the AB leadership continues to ignore overwhelming feedback. Instead, they focus on scenarios for System Center customers, and although “sales” of System Center to SMEs might be green on the scorecard, that’s because of some “clever tricks” that various news sites have alluded to and the occasional large customer that refuses to buy Select/EA. In the real world, SMEs do not use System Center, so focusing on System Center customers is ignoring the huge breadth market that currently uses online backup solutions that cost much more than AB.

Note: Any Redmond-ites that think SMEs are just single-server companies are free to step off their ivory tower and visit the real world outside of their insulated and misinformed bubble.

What feature blockers are there to using AB?

  • Centralised management: There is no centralised management for AB. All management is done on a per-machine basis – which sucks. Customers hate this, and the resellers that are the IT department of those customers detest it because it’s unmanageable.
  • Backup support: AB only does files and folders. Customers always ask about SQL Server, Exchange, Hyper-V and more. The Microsoft answer is: Use DPM. However, SMEs cannot afford DPM because it’s hidden in System Center licensing.
  • Pricing complexity: Have you met instances? Go on – google the pricing for Azure Backup and see what you think. We’ve actually lost Azure deals because of this BS that was introduced on April Fool’s Day.

We kept hearing that the AB team was going to fix all of this. And then yesterday, I read a post about Operations Management Suite (OMS) Add-On for System Center. There you will find this piece of text:


Here’s what you need to know first: The OMS Add-On can only be bought by System Center customers: 1 Std Add-On for 1 Std SML, 1 DC Add-On for 1 DC SML. And the new features of AB are only available to OMS Add-On customers:

  • Adding DPM technology to the AB agent: I don’t have OMS and I tested the latest agent that I can download. I still can only backup files and folders. It appears that this new agent for AB to solve the issue that AB can only backup files and folders, is only available to customers with DPM licensing. Some genius thought that to solve the lack of DPM, you need to buy DPM, to use a backup agent that isn’t DPM. Friggin’ Einstein, right? Give that person a job running the economy for Greece or Zimbabwe!
  • Centralised management: Only available to DPM customers, the sort that don’t do much online backup, while ignoring the breadth market that will and does backup to the cloud with more expensive alternative vendors that do offer what those customers need.

It’s quite clear that the AB group either doesn’t understand the feedback and/or refuses to listen.

A Request for Scott Guthrie

Scott, I know you’re a smart man. Why, and how, can you tolerate this continued failure? I know you could sell a lot more Azure storage if you opened up Azure Backup to the SME market with improved backup support and centralised management. I could probably have half of the Irish market switched over by now if someone in Microsoft was actually acting on the feedback that they’ve been getting since last summer. Ireland is a tiny market in the grand scheme of things, but the nature of our market is the same across the entire EU and I doubt the USA is much different. That’s a lot of money you’re leaving on the table for the competition to take.

I know that someone in Microsoft (probably Dublin) will complain about “that loud MVP” again, and I’ll have the usual conversations. But I know I’m right and I’ve repeatedly given the feedback via forum, direct emails to relevant PMs, and Lync conversations. Give us the product we need, and we’ll sell the heck out of it to people that will use it. So, Scott, I’m imploring you to make the necessary changes. Stop focusing Azure Backup on System Center customers; it’s a waste of dev/test time. Focus on SMEs and resellers and you will take over the online backup market in a year with customers that are actually adopting or using Azure.

My Early Experiences with Azure AD Connect

I deployed the generally available release of AADConnect to synchronise our Active Directory with Azure AD (Office 365) 24 hours after it was made available. Here’s my early experience.

The download link for Azure AD Connect is quite hard to find! You can download AADConnect from here. The getting started guide/instructions are here.

What is Azure AD Connect?

AADConnect is the new unified way for setting up a connection between your on-premises (“legacy”) Active Directory with Azure AD. The tool is extremely easy to use. For most SMEs, you will:

  1. Create your domain in Azure AD and validate it (operation with your DNS registrar)
  2. Set up an in-cloud service account for Azure AD with global admin rights on the directory
  3. Create a service account in your on-premises AD with Enterprise Admin rights (both high-privilege credentials are used by the installer during setup to create its own lower-privileged sync accounts; they are not what the sync service runs as day to day)
  4. Install AAD Connect
  5. Run the Express Settings configuration, enter your domain details, and supply the required credentials when prompted

It’s not far from Next > Next > Next. That’s what I did at work to get a directory synchronization using AD Sync.

You can do a customized installation allowing you to:

  • Tweak the configuration
  • Deploy and configure ADFS


How I Set It Up At Work

The configuration is actually pretty simple. We have 2 AD sites in our single domain:

  • On-premises
  • In Azure

All the usual AD engineering was done with AD sites, including site links, etc.

The DCs in Azure are Basic machines in an availability set (keeping them in different fault/update domains in Azure). The first one is a Basic A1, which is more than enough for a normal DC. The second machine is where I have installed AADConnect; I have found this needs a bit more RAM so this machine is a Basic A2 (enough for our small company). This in-Azure DC is the one that synchronises with Azure AD.


My Experience

I actually set up AADConnect while it was still in preview (2nd release). I didn’t do the express installation – which was a mistake because I wasn’t really sure what I was doing! We had previously been using O365 in a limited way with accounts that were created in the cloud; these accounts were failing to synchronize.

I upgraded AADConnect from preview to GA and the issue persisted – the upgrade ran perfectly, though and I blame me for the sync issue. I then decided to uninstall AADConnect so I could completely reconfigure the synchronization. The uninstall worked perfectly (which did not happen with the first preview release) and I reinstalled and reconfigured it with the express installation. A few minutes later, every account, except one, was showing as “Synced with Active Directory”.


The remaining account was one of the original in-cloud users. It has a sync-generic-failure warning in Synchronization Service Manager (the AAD Sync GUI, C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe), which betrays some of its heritage. The stack trace shows an error of “The object located by DN is a phantom”. A metaverse search doesn’t find the user account … so AADSync doesn’t find the user in on-prem AD, but the user is in AAD. However, I can see the user in on-prem AD. Quite odd!

Anyway, other than that 1 user account, I think AADConnect is superb. It’s a huge step forward from DirSync, which is complex to set up, and I found it to be a house of cards. This product looks much better so far, offering an easy setup for most customers, and easy to access and detailed logs.

[Update]

That one account eventually did sort itself out over the weekend. I have no idea how – it just synchronised and I cannot complain about that! Password write-back is working fine too.
