To prepare your AD environment, you can use the IdFix tool, which you can download from http://bit.ly/1VnsvVn. It discovers and remediates identity objects and their attributes in an on-premises AD environment in preparation for synchronization to Azure AD. IdFix is provided for AD administrators who plan to use Azure AD Connect with the Azure AD/Office 365 services. You can use the tool in every synchronization scenario.
To test the IdFix utility, we'll create some deliberately incorrect test users with the following script (each user carries one attribute defect that IdFix should report):
# Requires the ActiveDirectory module; run as a user allowed to create objects in the target OU.
# Defect: the UPN suffix "local" is not a routable, verified domain.
New-ADUser -Name "James Meyers" -GivenName J. -Surname Meyers -SamAccountName jmeyers -UserPrincipalName james.meyers@local -path "OU=Users,OU=Managed Business Objects,DC=inovitlabs,DC=ch" -AccountPassword (ConvertTo-SecureString "Pass@word1" -AsPlainText -Force) -Enabled $True
# Defect: a space inside the UPN, before the "@".
New-ADUser -Name "Adrian Gilbert" -GivenName Adrian -Surname Gilbert -SamAccountName adrian.gilbert -UserPrincipalName "adrian.gilbert @inovitlabs.ch" -path "OU=Users,OU=Managed Business Objects,DC=inovitlabs,DC=ch" -AccountPassword (ConvertTo-SecureString "Pass@word1" -AsPlainText -Force) -Enabled $True
# Defect: an invalid character (the degree sign) inside the UPN.
New-ADUser -Name "Wilma Chavez" -GivenName Wilma -Surname Chavez -SamAccountName wilma.chavez -UserPrincipalName "wilma.chavez°@inovitlabs.ch" -path "OU=Users,OU=Managed Business Objects,DC=inovitlabs,DC=ch" -AccountPassword (ConvertTo-SecureString "Pass@word1" -AsPlainText -Force) -Enabled $True
The following screenshot shows the expected result:
Now we can run the IdFix tool to check the local AD for users whose attributes would cause errors during synchronization:
After you test the IdFix tool, delete the created test user accounts.
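Before running IdFix, it helps to see what kind of UPN defects it is looking for. The following PowerShell function is an added example (not IdFix's own code and not from the book): it flags the three defects the test users above were built to trigger, namely whitespace, characters outside the set Azure AD accepts in a UPN, and a suffix that is not a verified tenant domain. The verified suffix inovitlabs.ch and the sample objects at the bottom are assumptions so that the script also runs offline; against a live domain, pipe Get-ADUser output into it instead.

```powershell
# Added example: pre-sync UPN check in the spirit of IdFix (not IdFix itself).
function Test-UpnForSync {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        # Assumption: the domains verified in the Azure AD tenant
        [string[]]$VerifiedSuffixes = @('inovitlabs.ch')
    )
    process {
        $upn      = [string]$User.UserPrincipalName
        $problems = @()
        if ([string]::IsNullOrWhiteSpace($upn)) {
            $problems += 'UPN is empty'
        }
        else {
            # Any whitespace breaks the UPN (the "adrian.gilbert @..." case)
            if ($upn -match '\s') { $problems += 'contains whitespace' }
            # Azure AD allows only A-Z, a-z, 0-9 and ' . - _ ! # ^ ~ before the @
            if ($upn -notmatch '^[A-Za-z0-9''._\-!#^~]+@[A-Za-z0-9.-]+$') {
                $problems += 'contains an invalid character'
            }
            # The suffix must be a verified domain, so "local" is rejected
            $suffix = ($upn -split '@', 2)[1]
            if ($suffix -and $VerifiedSuffixes -notcontains $suffix) {
                $problems += "suffix '$suffix' is not a verified domain"
            }
        }
        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            UserPrincipalName = $upn
            Problems          = ($problems -join '; ')
        }
    }
}

# Constructed sample mirroring the three test users plus one clean account.
# Live domain: Get-ADUser -Filter * -Properties UserPrincipalName | Test-UpnForSync
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jmeyers';        UserPrincipalName = 'james.meyers@local' }
    [pscustomobject]@{ SamAccountName = 'adrian.gilbert'; UserPrincipalName = 'adrian.gilbert @inovitlabs.ch' }
    [pscustomobject]@{ SamAccountName = 'wilma.chavez';   UserPrincipalName = 'wilma.chavez°@inovitlabs.ch' }
    [pscustomobject]@{ SamAccountName = 'good.user';      UserPrincipalName = 'good.user@inovitlabs.ch' }
)
$sample | Test-UpnForSync | Where-Object { $_.Problems } | Format-Table -AutoSize
```

Only the first three accounts are listed in the output; the clean account passes every check. Running this first tells you which findings to expect from IdFix and lets you remediate in bulk rather than one object at a time.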
In the next steps, we'll install the Azure AD Connect tool:
- Run the Azure AD Connect installation. Download the current version of the tool from https://www.microsoft.com/en-us/download/details.aspx?id=47594 and start the installation with the Domain Administrator credentials.
- Choose the custom installation option so that we can view all the essential configuration steps. I always use the custom option and not the Express option.
- Use the gMSA created in the previous steps to configure the Azure AD Connect service:
- At this time, we don't set any User sign-in option:
In the next section, we'll discuss the source anchor decision process, so click Next and wait for the next lab part.