Hybrid Azure AD Join Devices | Managed Domains

Captions
Hi everyone, welcome back to our series on Azure Active Directory. In this video I'm going to talk about hybrid Azure AD joined devices for a managed domain. In the last video I discussed Azure AD joined devices, and the agenda of this video is to know how you should configure or apply different settings if you want to enable the hybrid Azure AD join feature for your environment, what changes you have to make on Azure AD Connect, and then we'll talk about the task which is already created on a Windows 10 machine, and when it gets enabled, how it gets the device registered to Azure Active Directory, and what logs you can refer to in order to troubleshoot if a particular machine is not getting hybrid Azure AD joined.

So let's start by knowing what a hybrid Azure AD joined machine is. In a nutshell, if a machine is joined to your on-prem AD as well as Azure AD, that machine is called hybrid Azure AD joined, and there will be a device object referencing this particular machine created in your local AD as well as in Azure AD. That means when you domain join a machine, a device object is created in your on-prem AD in the Computers container, which you should move to different OUs so that you can apply different policies; in a similar way, whenever a machine gets joined or registered to Azure Active Directory, a device object is created in Azure Active Directory as well. Now the fundamental behind hybrid Azure AD joined devices for a managed domain is that your on-prem object should be synced to Azure Active Directory, and since your object will hold the status of hybrid Azure AD joined, you can implement conditional access policies; as I said before, this is the first fundamental behind device-based conditional access. Now, whatever I have said in this slide, don't worry, do watch the entire video and you'll come to know everything: how it works and what the relation is between the device object which is there on-prem and the device object that exists in Azure Active Directory.

Moving on to what is required for a managed domain: the very first thing you should have is either pass-through authentication or password hash sync with seamless SSO. This is the very first prerequisite which you have to make sure is implemented in your environment. The second most important thing is that your Active Directory forest functional level or domain functional level must be at least 2008 R2. Now, hybrid Azure AD joined devices are categorized into two types: the first is Windows current devices, which is Windows 10, 2016 and 2019, and Windows down-level devices, which are the older versions of Windows. The difference between these two types of devices is that Windows current devices get registered in machine context, whereas Windows down-level devices get registered in user context. What do I mean by this? When I show you the task which is created on a Windows 10 machine, I'll show you an option where it says "run with highest privileges"; that actually means the task on a Windows 10 machine runs with NT service privilege.

Now let's talk about more details which are required for a managed domain to implement the hybrid Azure AD join feature. The very first thing is that your Azure AD Connect should be at least version 1.1.819. This is the first prerequisite from a setup perspective, and the reason behind this is that the console itself will give you the option to configure hybrid Azure AD join. Initially it was a manual process where you were creating the SCP (service connection point) in the configuration partition of your AD, and Microsoft was also providing you a script that you could run which would get the SCP registered for you, but now all that process has been embedded in the Azure AD Connect console itself, which I will be showing you in the lab demo. The second thing, which is the most important and without which hybrid Azure AD join will not work, is that all the machines which are on-prem must be able to contact these four endpoints so that the hybrid Azure AD join process gets completed. If any of these endpoints is not available you'll get error 304, and this is a use case which I will be showing in the lab as well. The third and most important thing is that all the computer objects, meaning all the OUs in your on-prem environment where you have placed computer objects, should be in sync scope. Whenever we enable this hybrid Azure AD join feature through Azure AD Connect, as I said before, in a nutshell, under the hood it creates an SCP which will be used by all the client machines to know which tenant they have to contact to get the device registered.

Now let's move on with the lab part. I'll switch to my machine where I have Azure AD Connect installed, and there I will configure the settings which are required from the Azure AD Connect setup, and I'll also show you the group policy object that I have created so that all four URLs are available in the trusted sites zone for the computer. Now, if you read the Microsoft articles, for seamless SSO they will ask you to add them in the user context in the local intranet zone, but if you read the Windows down-level device configuration it will show you some different information. What I have done is directly added all these four URLs in my Default Domain Policy under Computer Configuration, but I would recommend that if you are doing this in your production or test environment, you create a new group policy object and don't change the Default Domain Policy.

So now I'm going to switch to my machine where I have Azure AD Connect installed and initiate the configuration wizard. The very first thing we will do is click on Configure and then select the option Configure device options. Once this option is selected I'm going to click Next, and as you can see I'm getting two options: the first is Hybrid Azure AD join and the other is device writeback. That means from this console itself you can enable both the device writeback feature and hybrid Azure AD join. I'm just going to click Next and it is asking me to enter my global admin credentials; I've entered them, and as of now it's just verifying whether I am a global admin of this particular directory or not. Once it has verified, it will give us the option to configure hybrid Azure AD join, and as you can see the very first option is already selected. I'll click Next and keep both options selected, because I'm going to enable this for Windows 10 as well as down-level devices. Now I'm going to click Next, and as you can see here it is clearly mentioned what the purpose of the service connection point is: the service connection point is used by your devices to discover your Azure AD tenant information. That's the actual purpose of the SCP. My forest is conceptswork.com, but as you can see it is asking me for my enterprise admin credentials; the reason behind this is that since the SCP is getting added in the configuration partition, it requires an enterprise admin credential. Now I'm going to click Next, and then again I'll get one more prompt where I'll click Configure. This process has been embedded in Azure AD Connect; initially it was a manual process, and the article is on docs.microsoft.com, and I will be sharing that article link in the description section. So as of now we have completed the configuration that is required from the Azure AD Connect perspective, but as I said before, all four links must be accessible, and for your Windows down-level devices they should be available in the local intranet zone, so I'll quickly show you the location where I have made that change, and now it is available for all the machines.

So this is my Default Domain Policy; I'll click Edit, go to Policies under Computer Configuration, then Administrative Templates, and from here select Windows Components, then Internet Explorer, then Internet Control Panel, Security Page, and as you can see there is an option "Site to Zone Assignment List". The moment I click Show, all four URLs are listed with value 1; if you give value 2 here, all these URLs will be available in the trusted sites zone instead of the local intranet zone. One more thing I'd quickly like to show you is how you can go ahead and check the SCP. For that, just connect to the configuration partition of your AD, go to the Services container, and there will be a container named Device Registration Configuration. This is the actual SCP which will let the client know which tenant they have to contact to get the device registered.

Now we have covered almost everything when it comes to configuring Azure AD Connect and getting the GPO applied. As I said before, you have to make sure those four endpoints are accessible; you have to take care of the network configuration. I'll show you, over and above everything, what is done from a client perspective, how the client responds to that particular task which is already created, and what process happens under the hood whenever a device tries to get registered to Azure Active Directory. The next thing I'm going to talk about is the client itself. On a Windows 10 machine there is a task already created, which is available under Microsoft > Windows, and the task is named Workplace Join. What it actually does is run dsregcmd.exe in SYSTEM context so that the machine can get itself registered. This is something which is there by default, but the moment you domain join a machine this task will get enabled on that particular machine. For that, I'll switch to my machine, which as of now is not domain joined, but if I go to Task Scheduler and go to Microsoft, then Windows, you can see there is a task named Workplace Join which is showing as disabled. The hostname of this machine is CORE, and as of now it is not joined to any domain. While we proceed with showing you how exactly everything works, first we'll domain join this machine and then let you know what other processes happen under the hood. The next thing you have to make sure of is to review the logs which are available in Event Viewer; for that you have to go to Microsoft > Windows > User Device Registration. So if I go back to my client machine and go to Event Viewer, as you can see I'm getting this Microsoft option; I'll go to Windows and navigate to a folder named User Device Registration, and as you can see this is that folder. There are certain logs already created here because this machine has been restarted multiple times, but I'll clear all of these and then show you everything from scratch.

Now let's come back to our deck and understand what exactly will happen when you domain join a machine and this task gets enabled: what the process will be and how everything is related to one another. If your machine is not domain joined, as I've shown before, this task is disabled by default, but the moment you domain join your machine, and if your machine has access to these endpoints, what actually happens is that apart from getting domain joined, your machine creates a certificate, and that certificate is saved in the userCertificate attribute of the computer object. In cases where these endpoints are not accessible, this certificate will not be created and the userCertificate attribute will not be populated for your computer object. Now the question comes: why am I focusing or emphasizing so much on this userCertificate attribute? Because if this userCertificate attribute is not populated, your computer object will not be synced to Azure Active Directory; that means you're failing at the prerequisite part itself. Now the question comes: why exactly does all this happen? Because if you navigate to the Synchronization Rules Editor on your Azure AD Connect and check the rule named "In from AD - Computer Join", you'll find a condition there that says cloudFiltered has to be set to true if the userCertificate value is null. What this means is that device objects that don't have the userCertificate attribute populated will not be synced to Azure Active Directory.

As I said before, this is the first use case which I will be showing you guys. For that I'm going to switch to my client machine, which as of now is not connected to the internet. Why am I saying this? Because I have disabled the internet connection on it, but the fact is that this machine can contact my domain controller. That means if I try to domain join this machine, I will be able to, but the moment this machine is domain joined, this task gets enabled and you can see a different set of logs in Event Viewer. The expected behaviour here will be that I get event ID 304, which says device registration has failed, without even restarting the machine. So now I'm going to domain join this machine, but before I do that, what I'd like to show you is something on my AD: if I open Users and Computers, as you can see there is no computer object listed here. The expected behaviour is that the moment I join this machine to my local domain there will be a computer object created here, but it should not have a userCertificate populated. So I'm going to join this machine to my domain and then we'll check whether the userCertificate attribute is populated or not. But let's wait to get a prompt here, so that I can show you that the moment this machine is domain joined, this task gets enabled by default. As you can see my machine is now domain joined; I'm going to click OK, and again click OK. I'll go back to Task Scheduler and just refresh this, and as you can see it's already enabled and it's ready. One more thing I'd like to show you, which I was referring to in the deck as well, is that this task will always be initiated in SYSTEM context, which is "run with highest privileges". Now if we go back to Event Viewer and I refresh, as you can see it is giving me error messages, and let me check if I can show you the event IDs: I'm getting 304, which means the device registration service was not accessible as of now. There is a particular endpoint which responds with some set of information to the client machine, on the basis of which your client machine generates the certificate and saves that certificate in the userCertificate attribute. Now if I switch to my AD and refresh, what I'll see in the Attribute Editor is that userCertificate is not populated. That means if I run a sync cycle right now, this object will get imported but it will not be synced to Azure Active Directory. And why will it be like this? Let me just show you that rule in the console as well: if I run the Synchronization Rules Editor and select object type device, connector should be local AD, attribute should be cloudFiltered, and as you can see this is the rule which says the same information I have already shown you guys: that if the userCertificate attribute is not populated then that machine should not be sent to Azure Active Directory. This was the condition which I showed you in the deck.

Now the last thing I'd like to cover here: what we'll do is make internet available on that particular client machine, remove it from the domain, domain join it again, and see whether the userCertificate is getting populated or not. So I'll pause this video, remove the machine from the domain, make sure that the internet and all those endpoints are available, and then resume the video. OK, so now my machine has been restarted. I have changed the hostname so that there is no stale entry, and an internet connection is also available on the same machine. The next step is to domain join this machine and then see whether the userCertificate attribute is getting populated in my AD or not. If the userCertificate attribute gets populated, we'll run a full sync, or a sync in short, so that this object can be synced to Azure Active Directory, and then we'll restart this device just to see whether it is getting hybrid Azure AD joined or not. As of now the computer name is HybridAAD. Now I'm going to switch to my AD, refresh, and see whether the userCertificate attribute is populated or not. As you can see, the userCertificate attribute is populated on this particular machine.

Now there is one more thing I'd like to show you guys: if I copy this value and save it to Notepad as, let's say, a file named file.hex, and save it, then go back to my C drive just to see whether that file is saved or not, as you can see this is the file I have just created. Now there is a command you can run, and that is certutil -decodehex. So I'll open a command prompt with admin privileges, navigate to this particular location, copy this command, select the file, which is file.hex, and I want this converted to certificate.cert. I'll hit Enter, and as you can see a .cert file is created, but sorry, it should be .cer. If I go back now, this is the file which has just been converted, and as you can see it's a self-signed certificate which was created by the device object itself; it was created by itself and issued to the same device ID. Now why am I saying device ID here? Because the moment this particular object is synced to Azure Active Directory, I will log in to portal.azure.com, navigate to this particular computer object, and show you that the device ID will be the same as what is mentioned in this particular certificate.

So now without any delay let's just run a sync cycle so that this object gets synced to Azure Active Directory. But before that, let me switch to the portal as well and see if there is any object created with this name or not, and as you can see there is no entry here which says hybrid; that means this object is still not synced to Azure Active Directory. Now I'm going to initiate a sync cycle, and there is a reason I'm doing this from PowerShell: I don't have to manually go to every connector and run the respective process. I've just initiated a delta sync on my Azure AD Connect server. The moment this sync cycle finishes, a device object will be sent to Azure Active Directory with hybrid Azure AD joined status. But now the question comes: how is this device communicating with the device object that exists in Azure Active Directory? There is a logic behind that, which I'll be showing you on the portal itself: all the machines which are hybrid Azure AD joined are actually the same object type, but there is one more attribute that gets populated on them, and that particular attribute is named last logon activity, or activity, whatever you want to call it. So now I'll go back to my machine and restart it, but before that let's verify if that object has been synced to Azure Active Directory or not. If that object is already synced then we won't face any issues, because the moment we restart our machine it will get hybrid Azure AD joined by default. As you can see, this object has been synced to Azure Active Directory. Now if I go back to the portal and refresh, a new object is listed here as hybrid Azure AD joined, and the activity time is not populated because the machine which we have hybrid Azure AD joined is not restarted yet. So I'll restart this machine and resume the video.

Now, as you can see, my machine is domain joined and I'm getting the option to sign in with another user. I'm going to sign in with my on-prem account so that the PRT is available on my machine, which is something we will check in the output of the command dsregcmd /status. So now I'm signed in to my machine and I'll open a command prompt just to check whether I have got the PRT or not, and then things will be in place, because that proves the machine is hybrid Azure AD joined from the client perspective as well, and we'll also quickly check the logs which are generated for this particular request. As you can see, I'm getting an Azure AD PRT, and you can see this machine is now hybrid Azure AD joined. Now let's go back to Event Viewer on the same machine and see whether we are getting any 304 or any errors or not, because as I said before, 304 will only come when the discovery itself fails. What I'm going to show you now is which endpoints are accessed by a particular machine to get it registered in Azure Active Directory. For that I'll go back to the same User Device Registration folder and click on Admin, and as you can see this was the last attempt, where it failed because of network connectivity, but now if I open any other log apart from this, let's see what happens: as you can see, with the restart the automatic registration was triggered, and then I'll quickly show you the discovery response which a particular client machine receives. This is something I have shown you, I think, in the Azure AD join video as well. The fundamental here is that the endpoints are the same, but the way the machine is getting joined to Azure Active Directory is what defines the status of that particular machine.

There was one more thing I had promised, which was showing you guys that the device ID should match the certificate which is saved in the userCertificate attribute on-prem. So I've just refreshed the portal and I'll show you the device ID, which is exactly the same as what we are getting in the certificate for our computer object. The portal is refreshed now, and as you can see it is now showing me the activity as well, which was initially N/A, and if I click on my device you see it starts with 23B and ends with C355. Now if I go back to my AD and check that certificate, as you can see it is 23B ... 355. So this is the entire process that happens when you configure hybrid Azure AD join. I have covered Windows 10; you can configure this for Windows 7 as well, and since this was a lengthy video I'm sure you guys will have multiple questions; please feel free to ask them in the comment section.

Now a quick summary of what we have discussed: we have discussed all the settings you have to configure for hybrid Azure AD join if you are using a managed domain; we have discussed the task which is created and which gets enabled the moment your machine is domain joined; we have discussed the generic error which comes when your machine is not able to contact any of these endpoints; and the last thing I discussed is the logs themselves that you can refer to, which will give you more insight into why a particular machine has not been able to join to Azure Active Directory with hybrid Azure AD joined state. In the next video I'm going to talk about hybrid Azure AD joined machines where you have a federated domain. If you guys have learned something new, please feel free to subscribe, and if you have any feedback or suggestions, feel free to reach me at learn concepts work at gmail.com. Thank you so much, thanks for your time.
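The checks the video performs by hand (look up the SCP, inspect userCertificate in the Attribute Editor, decode it with certutil, compare the subject CN with the portal's device ID, confirm the Workplace Join task is enabled, run dsregcmd /status, look for event 304, and verify the four endpoints and their GPO zone) can be scripted into one read-only client-side health check. The script below is an added example and is not code from the video or its author. It assumes the endpoint host names, the task path, and the registry key written by the Site to Zone Assignment List policy as documented by Microsoft; the video refers to "the four endpoints" without naming them, so verify those against current documentation for your tenant.

```powershell
# Added example (not from the video): read-only checks covering the prerequisites the
# video walks through, run from an elevated PowerShell prompt on a domain-joined
# Windows 10 client. The endpoint names, the registry key the Site to Zone Assignment
# GPO writes to, and the task path are assumptions taken from Microsoft documentation.

function Test-HybridJoinClient {
    $report = [ordered]@{}

    # 1. SCP published by Azure AD Connect in the configuration partition. Its
    #    'keywords' attribute holds azureADName:<domain> and azureADId:<tenant id>.
    try {
        $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        $scpBase  = [ADSI]"LDAP://CN=Device Registration Configuration,CN=Services,$configNc"
        $report.Scp = @($scpBase.Children | ForEach-Object { [string[]]$_.keywords }) -join '; '
    } catch {
        $report.Scp = "NOT FOUND: $($_.Exception.Message)"
    }

    # 2. userCertificate on this computer object. If it is empty, the sync rule
    #    'In from AD - Computer Join' sets cloudFiltered and the object never syncs.
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $null     = $searcher.PropertiesToLoad.Add('userCertificate')
    $result   = $searcher.FindOne()
    $subjects = @()
    if ($result -and $result.Properties.Contains('usercertificate')) {
        foreach ($blob in $result.Properties['usercertificate']) {
            # Decode in memory instead of certutil -decodehex; the certificate is
            # self-signed and its subject CN is the Azure AD device ID.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
            $subjects += $cert.Subject
        }
    }
    $report.UserCertificateSubjects = $subjects -join '; '

    # 3. Client side: the task under \Microsoft\Windows\Workplace Join that runs
    #    dsregcmd as SYSTEM, and what dsregcmd itself reports.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -ErrorAction SilentlyContinue
    $report.WorkplaceJoinTasks = @($tasks | ForEach-Object { "$($_.TaskName)=$($_.State)" }) -join ', '

    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(DeviceId|DomainJoined|AzureAdJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $report.DsregStatus = ($status.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '

    # Portal device ID == subject CN of the userCertificate == DeviceId from dsregcmd.
    $deviceId = $status['DeviceId']
    $report.DeviceIdMatchesCertificate = [bool]$deviceId -and
        (@($subjects) -match "CN=$([regex]::Escape($deviceId))").Count -gt 0

    # 4. Registration endpoints (TCP 443) and the zone the GPO put them in:
    #    1 = Local intranet (needed for down-level devices), 2 = Trusted sites.
    $endpoints = 'enterpriseregistration.windows.net', 'login.microsoftonline.com',
                 'device.login.microsoftonline.com', 'autologon.microsoftazuread-sso.com'
    $zoneKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $zoneMap = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    $report.Endpoints = foreach ($h in $endpoints) {
        $tcp  = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
        $zone = ($zoneMap.PSObject.Properties | Where-Object { $_.Name -like "*$h*" } | Select-Object -First 1).Value
        [pscustomobject]@{ Host = $h; Tcp443 = $tcp; Zone = $zone }
    }

    # 5. Event ID 304 in User Device Registration/Admin: the failure the video
    #    reproduces by domain joining with the endpoints unreachable.
    $report.RecentEvent304 = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 304
    } -MaxEvents 3 -ErrorAction SilentlyContinue | ForEach-Object { "$($_.TimeCreated): $($_.Message)" }

    [pscustomobject]$report
}

Test-HybridJoinClient | Format-List
```

Read the output in the order the video establishes the dependencies: an empty Scp or an empty UserCertificateSubjects explains a cloudFiltered object on the Azure AD Connect side before any client-side troubleshooting is useful; an Endpoints row with Tcp443 false or a missing Zone explains a fresh 304; and DeviceIdMatchesCertificate false on a machine that reports AzureAdJoined=YES points at a stale computer object (the reason the video renames the host before re-joining).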
Info
Channel: Concepts Work
Views: 47,577
Keywords: Azure Active Directory, Azure Active Directory Devices, Hybrid Azure AD Joined Devices, Device Management
Id: 2uwSSIxoEnU
Length: 30min 23sec (1823 seconds)
Published: Sun Aug 18 2019