Azure AD Connect Sync Staging Mode

Captions
In this video we review Azure AD Connect staging mode.

Hello everyone, I'm Travis and this is Ciraltos. Azure AD Connect sync only allows one installation of the application per Azure AD tenant. You can use SQL clustering on the back end, but that doesn't address high availability at the application. In this video we're going to cover what Azure AD Connect staging mode is and how to use it. Before that, please subscribe, share with a friend, and let me know what you think in the comments below. Also, if you'd like to learn more about Azure AD Connect and synchronizing identities from Windows AD to Azure AD, check out my course on hybrid identities at udemy.com; the link is below. Let's get started.

There are three use cases for staging mode: high availability, testing configuration changes, and migrating to a new server. Let's talk about high availability first. You can use the database that comes with the Azure AD Connect application, or you can use a SQL back end. The two reasons to use a SQL back end are for SQL clustering and to support more than 100,000 objects, but clustering the database doesn't address the single point of failure with the Azure AD Connect sync application. There is no cluster option for that.

Let's pause for a minute and consider the need for HA in Azure AD Connect sync. The synchronization process runs every 30 minutes by default. With that, it may be tempting to consider AD Connect as being able to withstand a short or even extended outage; after all, it's just changes that are synchronized. However, some settings, such as password changes for password hash synchronization and password writeback, happen more frequently, almost in real time. So an outage may not be that impactful, unless you're the user trying to change their password.

Staging mode allows us to create a second instance of the Azure AD Connect sync application. A staging mode instance of Azure AD Connect sync imports directory objects from the source; while in staging mode, however, it does not synchronize those objects to the destination Azure AD tenant. The point is, although we can't run AD Connect sync in active-active mode, we should have a hot standby to rapidly fail over if the primary becomes unavailable. That's what staging mode gives us.

Azure AD Connect sync staging is not limited to HA. As mentioned at the beginning, there are two other uses for staging mode. Staging mode processes the data from the source but doesn't complete the last step of synchronizing the changes to the destination. This makes it a safe location to test changes, such as advanced filters, before rolling them into production. You can make the synchronization changes on the staging server and use the CSExport analyzer tool to view the changes before putting them into production. Also, if you need to upgrade the server Azure AD Connect sync is running on, staging mode lets you pre-stage the application before flipping it into production. Using a staging server also provides a back-out plan if you run into problems: the primary can be re-enabled if the new instance of Azure AD Connect sync runs into problems.

There are a couple of things to keep in mind when using a staging server. You have to keep the primary and the staging server in sync with synchronization settings; a change to the primary Azure AD Connect sync server won't propagate to the staging server. A staging server will not run password sync or password writeback. You also want to keep staging mode servers in a different data center or Azure region if used for high availability, and the hardware for the production and staging server should match. It's still doing the same work of reading from the source and applying the synchronization rules; it's just not taking that last step of synchronizing those changes to Azure AD.

For the lab coming up, I have a new Windows Server VM for the staging instance. This is joined to the same Windows AD domain as the existing Azure AD Connect server. Let's get started with verifying our existing settings.

Let's start by reviewing our existing production server settings before installing Azure AD Connect in staging mode. Since the staging mode instance is the second Azure AD Connect installation, I'll assume you understand the requirements of Azure AD Connect sync because you already installed it once. You'll need to match the existing server specs. So, for example, if the current version of Azure AD Connect sync uses SQL because there's over a hundred thousand objects, you'll need SQL for the staging server as well. Make sure both the production and the staging server are on the same application version. Also, here I'm on the existing server, and I'll use the command Get-ADSyncGlobalSettings Parameters, and then I'll select the Name and Value and sort by Name. Let's see what version we're on; it's under Microsoft.Synchronize.ServerConfigurationVersion, and here it shows I'm on 2.0.28.0. I suggest upgrading to the latest version if not already, and I've already done that in this environment.

While we're on the existing production server, let's get the existing configuration. We'll need that to configure the staging server. So let's go and open up Azure AD Connect, and from here we'll go to Configure and then View or export current configuration, and Next. This lists your current configuration; at the top is the option to export settings. Let's do that. This exports a synchronization policy JSON file that includes the date it was generated in the name. The default save location is in ProgramData\AADConnect. You can leave it there or send it to a different location. Save it; we'll need the file shortly. Close Azure AD Connect, and let's go back and copy that file we just exported. We'll just copy that. Now let's go back to our new staging server, and I'll just drop it on the desktop for now.

Now we can install the new Azure AD Connect application in staging mode, but first we have to download and run the Azure AD Connect installer if you haven't done that already. Here we are at the download site for Azure AD Connect. Let's download, and once done, let's go into the download directory and run the install. So we'll start by agreeing to the terms, and Next. We're going to select Customize, select the option to import synchronization settings, and we'll browse to that file we copied over. I placed mine on the desktop; you may have placed yours elsewhere. Wherever you put it, select it and click Install. This will add the synchronization service to the computer. It may take a couple of minutes to finish; now may be a good time to pause and come back once it's done.

Welcome back. Now that it's finished, we can run through some of the options. There are not many available when you import the configuration. User sign-in is the same as the source; you can change that if needed. Let's go to Next. Here we have to sign into the Azure AD tenant with the global admin account. Next, we'll add the enterprise admin account. This step will set up a service account on the local forest. You can add your enterprise admin account and it'll create a new service account for you, or if you have an existing service account you can specify that here. Let's create a new one. We'll select our forest and go to Next. This last step is important. The second check box, Enable staging mode, is what we want for this server. This will import data from the source but not export it to Azure AD. That is, after all, what makes this a staging server. You don't want multiple Azure AD Connect sync servers exporting data to Azure AD; that could be bad. Don't do it. Once ready, and you've triple-checked that staging mode is enabled, click Install. This could take a few minutes; this is a good point to pause and resume once finished. Once finished, you should get the confirmation Complete message, and the third message indicates settings were successfully imported from the export file. That looks good. Now exit, and let's verify the configuration.

We'll use the Azure AD Connect configuration documenter to compare and verify the configuration. I'll have a link to this page below. Download the latest copy of the application and extract the zip file; I'll extract it to the Downloads folder. This application works by comparing two sets of configuration: the source, or production, and the staging, or pilot. If we go into the extracted file Data, there's an example for Contoso. Under that are Pilot and Production directories, and under each one of these directories is a set of configuration files. We need to create a similar file structure for our environment. So let's go back to Data, and under Data create a new directory for your company, Ciraltos for this example, and under that we'll add two new directories, one called Pilot and one called Production. Next, let's get the configuration from the staging server and put that into the Pilot folder. Open up PowerShell. We're going to run the command Get-ADSyncServerConfiguration and specify the path to the output folder, the Ciraltos Pilot folder for this example. That completed. Let's go back to that folder. Now under Pilot we have three folders with configuration settings from the staging server. We need to get the same data from our production server. Next, go back to the production server and go to PowerShell. We'll run the same command again, Get-ADSyncServerConfiguration, but this time I'll specify a path in the Documents folder. Let's go to the output directory. Now we have the three configuration folders. Let's copy them and move them to the staging server with the Azure AD Connect documenter application. So here we are back on our staging server, under the Azure AD Connect sync documenter, Data, Ciraltos, and let's go back to Production. We need to paste those three configuration folders in this location. Then, to be clear, all we're doing is taking the same configuration from two installs of Azure AD Connect, placing our staging configuration in the Pilot directory and the production configuration into the Production folder.

Now that we have the production and staging configuration in the documentation tool, next we need to update the command file that runs the comparison with our organization file path. So let's go back to the Azure AD Connect sync documenter directory and make a copy of the Azure AD Connect Sync Documenter Contoso .cmd file (you might have to go to View and turn on file extensions). So we'll copy this, paste it right back, and change the name to indicate your organization name. Right-click and Edit, and at the top it indicates the relative path where it's going to look for our Pilot and Production folders, so we'll just change this from Contoso to your organization name. Save that; you can close it. Next, let's open up a command prompt and navigate to the documenter directory. Once in the directory, run the command file we just updated. This will generate a report that will compare the production and staging environment. Once finished, we should have a new Report folder in the documenter directory. There it is. Open up the HTML file. We can scroll through and look for variations between the two; you'll see them in red. This is a great reference, but it's a fairly lengthy list of settings. To show only the differences between production and pilot, let's go back to the top and check the box to only show changes. This will show only differences between the two configurations. A lot of the items we're looking at now are things like dates and user accounts; even the staging mode setting is listed. Most of these make sense that they would be different. Review and update any settings on the staging server that should be the same as production. You'll need to re-export the config on the staging server and run the report again to verify the changes. That's great; now our staging server is configured with the same settings as the production server. If you make any changes to the production server, the same will need to be done on the staging server; they won't keep in sync with settings changes.

Now that our staging server is in sync, we can let it sit until it's needed. If there is a failure on the primary or we want to migrate servers, we can initiate a cutover once the production instance is offline. If it's a controlled failover, meaning the production version is up and running, start by going into Azure AD Connect on the production server. Here we are back on the production server. Go to Tasks and Configure staging mode. Walk through the steps to configure the production server as a staging server. Once finished, there'll be two staging servers and neither is synchronizing to Azure AD. Let's fix that by going back to the new staging server. We'll open up Azure AD Connect, go to Configure, we'll configure staging mode, sign in as a global admin, and uncheck Enable staging mode. Go to Next and follow the steps to disable staging mode on the new server. With that, we've created a staging server, verified synchronization settings match, and switched the active Azure AD Connect server to the new server. I hope this helps you deploy and configure an Azure AD Connect staging server. Please don't forget to like and subscribe, and thanks for watching.
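The video checks the version by hand and warns that two servers exporting to the same tenant "could be bad", but the cutover itself is done through the wizard with no scripted verification of either point. The following PowerShell is an added example, not code from the video or from Microsoft: it queries each sync server with the ADSync module cmdlets the video already uses (Get-ADSyncGlobalSettings for Microsoft.Synchronize.ServerConfigurationVersion, plus Get-ADSyncScheduler, which reports StagingModeEnabled), and fails if more than one server, or no server, is out of staging mode, or if the two are on different versions. The server names, the use of PowerShell Remoting, and the function names are assumptions for this example.

```powershell
# Added example (not from the video): a pre/post-cutover check that exactly one
# Azure AD Connect sync server is exporting to the tenant and that the standby
# matches it. Assumptions: the ADSync module is installed on each server, the
# caller is a member of the local ADSyncAdmins group on each server, PowerShell
# Remoting to the servers is allowed, and the server names below are placeholders.
$servers = @('AADC-PROD', 'AADC-STAGE')   # assumption: your two sync servers

function Get-ADSyncRoleSummary {
    # Runs locally on a sync server and returns the facts that matter for a cutover.
    Import-Module ADSync -ErrorAction Stop
    $sched  = Get-ADSyncScheduler
    $params = (Get-ADSyncGlobalSettings).Parameters
    $version = ($params |
        Where-Object Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion').Value
    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        ConfigVersion      = $version
        StagingModeEnabled = [bool]$sched.StagingModeEnabled   # $true = import only, no export
        SyncCycleEnabled   = [bool]$sched.SyncCycleEnabled
        SchedulerSuspended = [bool]$sched.SchedulerSuspended
        NextSyncCycleUTC   = $sched.NextSyncCycleStartTimeInUTC
    }
}

function Test-ADSyncCutoverReady {
    # Takes the summaries from all servers and reports anything that must be
    # fixed before (or right after) flipping staging mode.
    param([Parameter(Mandatory)][object[]]$Summaries)
    $problems = @()

    # Exactly one server may export to Azure AD; zero means nothing is syncing.
    $active = @($Summaries | Where-Object { -not $_.StagingModeEnabled })
    if ($active.Count -gt 1) {
        $problems += "More than one server is exporting to Azure AD: $($active.Server -join ', ')"
    } elseif ($active.Count -eq 0) {
        $problems += 'No server is exporting to Azure AD (all are in staging mode)'
    }

    # Production and standby must run the same configuration version.
    $versions = @($Summaries.ConfigVersion | Sort-Object -Unique)
    if ($versions.Count -gt 1) {
        $problems += "Servers are on different versions: $($versions -join ', ')"
    }

    # A standby whose scheduler is stopped is not a hot standby.
    foreach ($s in $Summaries) {
        if (-not $s.SyncCycleEnabled) { $problems += "$($s.Server): sync cycle is disabled" }
        if ($s.SchedulerSuspended)    { $problems += "$($s.Server): scheduler is suspended" }
    }

    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Collect from every server with the caller's credentials and evaluate.
$summaries = Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-ADSyncRoleSummary}
$summaries | Format-Table Server, ConfigVersion, StagingModeEnabled, SyncCycleEnabled, NextSyncCycleUTC

$result = Test-ADSyncCutoverReady -Summaries $summaries
if (-not $result.Ready) {
    $result.Problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'OK: exactly one active sync server, and all servers are on the same version'
```

Run it once before the controlled failover (expect the production server active and the new server in staging mode) and again after both wizard runs (expect the roles swapped). The window the video describes, where both servers are in staging mode, shows up as the "No server is exporting" warning, and the condition the video tells you never to create, two exporters, shows up as the first one. Get-ADSyncScheduler only reports staging mode; changing it still goes through the wizard as the video shows.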
Info
Channel: Travis Roberts
Views: 1,381
Keywords: Staging mode, Staging Server, Azure AD Connect Staging, AD Connect Staging, Azure AD, AD Connect, AD Connect Sync, Azure AD Connect, Azure Active Directory Connect, Cloud Sync, Azure Active Directory, Identity Management, Hybrid Identity, Access Management, ID Synchronization, User Account Synchronization to Azure, Azure Certification, Hybrid Azure AD, Azure AD Connect Health, Azure AD Connect Configuration Documenter, configuration documenter
Id: gPLOz1C78As
Length: 16min 28sec (988 seconds)
Published: Mon Oct 18 2021