Azure Active Directory Connect (AADC) Part 1 — Password Hash Synchronization (PHS)

It has been a while since I last set up a test environment to try out the features Azure AD Connect offers. Since I am preparing for the Microsoft SC-300 Identity and Access Administrator Associate exam, I want to note down the whole learning journey from beginning to end. If you or your company wants to start using AAD for hybrid-identity convenience, or you are simply interested in how each AAD authentication model works, please keep reading this series of articles.

“Active Directory Domain Services stores passwords in the form of a hash value representation of the actual user password. A hash value is a result of a one-way mathematical function (the hashing algorithm). There is no method to revert the result of a one-way function to the plain text version of a password.”

— Quoted from Implement and manage password hash synchronization (PHS) — Learn | Microsoft Docs

First things first: there are several prerequisite steps to complete before we can get to the AADC PHS configuration wizard.

Prerequisite Steps

** If you are using Azure VMs for both the Domain Controller and the AADC server, please check this site for how to create Azure VMs from scratch.

Windows Server 2016/2019 as Domain Controller

  • Create a Windows Server 2016/2019 VM (at least 2 vCPU and 4 GB of memory is recommended) and promote it to a Domain Controller. For more information on how to do this, please check this site.
  • Create at least one Windows AD user that is a member of the Domain Admins and Enterprise Admins groups. If possible, create another Windows AD user that is only a member of Domain Users, just to test the synchronization later.
  • Add a custom domain name you own as an alternative UPN suffix in Active Directory Domains and Trusts, then change the users’ UPNs accordingly. The UPN suffix must match a domain you can verify in AAD; users left on a non-routable suffix such as .local cannot be matched. To learn more about changing the UPN suffix in Windows AD, please check this site.
  • Note down the private IP address of the Domain Controller, as the other VMs will need it for DNS resolution.
  • In Azure, open the virtual network the Domain Controller lives in and find the DNS servers setting. Select “Custom” and enter the private IP address you noted down in the previous step.
  • Once the DNS servers are set, every VM in the virtual network needs to be restarted; otherwise they keep their old DHCP-assigned DNS settings and will not be able to resolve the domain.

Windows Server 2016/2019 as AADC Agent

  • Create a Windows Server 2016/2019 VM (at least 2 vCPU and 4 GB of memory is recommended).
  • Join it to the domain you just created on the other Windows Server. For detailed steps, please check this site.
  • Download and install AADC on it.

Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center
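The prerequisite steps above can also be scripted. The following is an added example written for this article, not code from the original post or from Microsoft; every name in it is an assumption for a lab (forest corp.example.local, public UPN suffix example.com, DC private IP 10.0.0.4, resource group rg-aadc-lab, VNet vnet-aadc-lab, lab users labadmin and testuser). The first part runs on the future Domain Controller, the middle part in an Az PowerShell session, and the last part on the future AADC server.

```powershell
# Added example, not from the original post. All names below are assumptions.

#--- On the future Domain Controller ---------------------------------------
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote to a new forest. The DSRM password is prompted for rather than hard-coded.
Install-ADDSForest -DomainName "corp.example.local" -DomainNetbiosName "CORP" `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -InstallDns -Force
# The server reboots here; continue once it is back as a DC.

Import-Module ActiveDirectory

# 1. Register the public domain you own as an alternative UPN suffix
#    (the same thing the Domains and Trusts GUI does).
Get-ADForest | Set-ADForest -UPNSuffixes @{ Add = "example.com" }

# 2. One admin account (Domain Admins + Enterprise Admins) and one plain test user,
#    both created directly with the public UPN suffix so they match a verified AAD domain.
$pw = Read-Host -AsSecureString "Initial password for lab users"
New-ADUser -Name "Lab Admin" -SamAccountName labadmin `
    -UserPrincipalName "labadmin@example.com" -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity "Domain Admins"     -Members labadmin
Add-ADGroupMember -Identity "Enterprise Admins" -Members labadmin

New-ADUser -Name "Test User" -SamAccountName testuser `
    -UserPrincipalName "testuser@example.com" -AccountPassword $pw -Enabled $true

# 3. Move any remaining user off the non-routable suffix, which AAD cannot verify.
Get-ADUser -Filter 'UserPrincipalName -like "*@corp.example.local"' |
    ForEach-Object {
        Set-ADUser $_ -UserPrincipalName ("{0}@example.com" -f $_.SamAccountName)
    }

# 4. Note the DC's private (DHCP-assigned) IP for the VNet DNS setting.
Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -eq 'Dhcp' |
    Select-Object InterfaceAlias, IPAddress

#--- From an Az PowerShell session (Connect-AzAccount first) ---------------
$vnet = Get-AzVirtualNetwork -Name "vnet-aadc-lab" -ResourceGroupName "rg-aadc-lab"
$vnet.DhcpOptions.DnsServers = @("10.0.0.4")      # the DC's private IP from step 4
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Every VM in the VNet must restart to pick up the new DNS server.
Get-AzVM -ResourceGroupName "rg-aadc-lab" |
    ForEach-Object { Restart-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name }

#--- On the future AADC server (after its restart) --------------------------
# Prove the VM now resolves the domain through the DC before trying to join it.
Resolve-DnsName -Name "corp.example.local" -Type A
Add-Computer -DomainName "corp.example.local" `
    -Credential (Get-Credential -UserName "CORP\labadmin" -Message "Domain join") -Restart
```

If Resolve-DnsName fails on the AADC VM, the VNet DNS change has not reached it yet; fix that before the domain join, since AADC will later need to reach the DC by name as well.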

Create an AAD and an AAD Global Administrator

  • Follow the steps after this section and this section of the article and at the end, you should be seeing at least one user with the role of AAD Global Administrator in your newly created AAD tenant.

Associate Custom Domain Name with the Newly Created AAD Tenant

Configure AADC to Synchronize Windows AD to AAD via PHS

  • Once you accept the terms on the first page of the AADC installation wizard, select “Use express settings”. Express settings installs PHS as the sign-in method.
  • Enter the AAD Global Administrator credential.
  • Enter the Windows AD Enterprise Administrator credential.
  • Check “Continue without matching all UPN suffixes to verified domains”, because our internal forest name is not verified in AAD and should not be. Users whose UPN suffix matches a verified domain keep that UPN in AAD; the rest fall back to the tenant’s onmicrosoft.com domain.
  • Start the synchronization process.
  • Once the initial sync has finished, test signing in to AAD with a synchronized Windows AD user’s credential from an InPrivate browser window.
  • You should now see all Windows AD users in the selected scope synchronized to AAD. You will also see two service accounts that the express installation created: an account named MSOL_<id> in Windows AD (the AD DS connector account, which is granted the directory-replication rights PHS needs to read password hashes) and “On-Premises Directory Synchronization Service Account” in AAD (the Azure AD connector account). These accounts perform the synchronization actions in their respective environments, so treat the AADC server and both accounts as highly privileged.
  • In the Azure AD portal, under Azure AD Connect, “Password Hash Sync” should show “Enabled”.

That should cover a very basic scenario for AADC with PHS! If anything goes south or does not work as expected, we can use the ADSync and AAD PowerShell commands for general troubleshooting. Please refer to this site for a better idea of how to do that.
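The checks below go one step beyond the “Password Hash Sync: Enabled” tile. They are an added example written for this article, not code from the original post or from Microsoft, and they assume the lab above (forest corp.example.local, test user testuser@example.com, the ADSync module that ships on the AADC server, and the MSOnline module installed for the tenant-side queries). The last part runs on the DC and answers a question every practitioner should ask after enabling PHS: which principals can now replicate password hashes out of the directory?

```powershell
# Added example, not from the original post. All names below are assumptions.

#--- On the AADC server ------------------------------------------------------
Import-Module ADSync

# Scheduler state: is the sync cycle on, and when is the next delta run?
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# PHS as the sync engine sees it: the tenant-level feature flag (should be True)
# and the password sync configuration of the on-premises connector.
(Get-ADSyncAADCompanyFeature).PasswordHashSync
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector "corp.example.local"

# Don't wait up to 30 minutes for the scheduler: run a delta cycle now.
Start-ADSyncSyncCycle -PolicyType Delta

#--- From an MSOnline session (Install-Module MSOnline, then connect) ---------
Connect-MsolService
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, PasswordSynchronizationEnabled,
                  LastDirSyncTime, LastPasswordSyncTime

# Per-user evidence that the hash arrived: change testuser's password on-prem,
# run a delta cycle, and LastPasswordChangeTimestamp should move.
Get-MsolUser -UserPrincipalName "testuser@example.com" |
    Select-Object UserPrincipalName, LastDirSyncTime, LastPasswordChangeTimestamp

#--- On the DC: who can read password hashes out of the directory? -----------
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Express settings creates the AD DS connector account as MSOL_<hex id>.
Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description |
    Select-Object Name, Description

# PHS works by letting that account replicate password hashes, so it holds the two
# replication extended rights. They are exactly the rights a DCSync attack needs,
# so this list should contain only DCs, built-in admin groups and MSOL_*.
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ObjectType -in @($getChanges, $getChangesAll) } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = { if ($_.ObjectType -eq $getChangesAll) { 'Get-Changes-All' } else { 'Get-Changes' } } } |
    Sort-Object IdentityReference, Right
```

Any identity in that last listing other than the domain controllers, the built-in administrator groups and the MSOL_* account deserves an explanation, and the MSOL_* account itself (together with the AADC server that holds its credential) should be protected like a domain controller.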

Jonathan

Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!