Design 49: Hybrid Identity (AD Connect)

Summary

This design implements Hybrid Identity: On-Premises Active Directory users (and a derivative of their password hashes) are synchronized to Microsoft Entra ID (formerly Azure AD), so one set of credentials works in both places.

Topology: The AD Connect Server runs in the Hub VNet (or On-Prem). It needs outbound HTTPS (TCP 443) to Entra ID and line of sight to a Domain Controller; it needs no inbound connectivity from the Internet.

1. Key Design Decisions (ADR)

ADR-01: Sync Method

  • Decision: Password Hash Sync (PHS).
  • Rationale: Simplest and most robust of the three options (PHS, Pass-through Authentication, Federation). Entra ID validates the password itself from the synced hash, so users can still log in to Azure if On-Prem (or the VPN) is down.
  • Caveat: A derivative of every synced user's password hash lives in Entra ID, and the sync server reads the hashes from AD through replication. Treat the server, its service accounts and anyone who can log on to it as Tier 0 (Domain Controller equivalent).

ADR-02: Server Placement

  • Decision: Hub VNet.
  • Rationale: Close to the Domain Controllers in the Hub (Design 34).

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  On-Prem     |           |        HUB VNet          |           |  Azure       |
|  AD DS       |           |      (Sync Engine)       |           |  Entra ID    |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (HTTPS)                        |
+------+-------+           +------------+-------------+           +------+-------+
|  VPN Tunnel  |           |  AD Connect              |           |  User DB     |
|              |---------->|  Server                  |---------->|  (Cloud)     |
+--------------+           +--------------------------+           +--------------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Domain Controller     |                                           |
|   +-----------------------+                                           |
|   | AD Connect Server     |                                           |
|   | (VM)                  |                                           |
|   | -> Outbound 443       |                                           |
|   +-----------------------+                                           |
+---------------|-------------------------------------------------------+
                |
                | (Staging Mode)
                v
+-----------------------------------------------------------------------+
| SECONDARY REGION (West US) - DR Site                                  |
|                                                                       |
|   +-----------------------+                                           |
|   | AD Connect (Staging)  |                                           |
|   | (Standby)             |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • AD Connect: The bridge. It reads AD, writes to Entra ID.

5. Strategy: High Availability (HA)

  • Staging Server: You can run a second server in "Staging Mode". It imports from AD and Entra ID and runs the sync rules, so its metaverse stays current, but it does not export to either directory, does not run password hash sync and does not do writeback. Only one server per tenant may be active (exporting) at a time; failover is a manual flip: take the old primary out of service (or put it in staging mode), then turn staging mode off on the standby. Never let two servers export to the same tenant.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Staging Server in DR Region.
  • Process: If East US fails, promote the West US Staging server: confirm the old primary is down or in staging mode, run csexport/CSExportAnalyzer on the standby to review what it would export (a large list of deletes means its view of AD is stale or its OU filtering differs from the primary: stop and investigate), then disable staging mode and let the scheduler run.
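The promotion described in Sections 5 and 6, as an added PowerShell runbook that is not part of the original design page. It assumes the ADSync module on both servers at the default install path, an Entra connector named "contoso.onmicrosoft.com - AAD" (check yours with Get-ADSyncConnector), and PowerShell Remoting from the standby to vm-adc-01; the connector name and hostname are assumptions.

```powershell
# Run on the STAGING server (vm-adc-02). Steps are ordered so that two servers can never
# export to the same tenant at once.
$OldPrimary     = 'vm-adc-01'                                   # assumption
$EntraConnector = 'contoso.onmicrosoft.com - AAD'               # assumption; see Get-ADSyncConnector
$Bin            = 'C:\Program Files\Microsoft Azure AD Sync\Bin' # default install path

# 1. If the old primary is still reachable, stop its scheduler and put it in staging mode
#    so it can never export again, even if it comes back later.
try {
    Invoke-Command -ComputerName $OldPrimary -ErrorAction Stop -ScriptBlock {
        Import-Module ADSync
        Set-ADSyncScheduler -SyncCycleEnabled $false
        Set-ADSyncScheduler -StagingMode $true
    }
} catch {
    Write-Warning "Old primary unreachable ($_). Confirm it is powered off or isolated before continuing."
}

# 2. Refresh the standby's view of both directories, then inspect what it WOULD export.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }

$pendingXml = Join-Path $env:TEMP 'pending-export.xml'
$pendingCsv = Join-Path $env:TEMP 'pending-export.csv'
& "$Bin\csexport.exe" $EntraConnector $pendingXml /f:x          # /f:x = pending exports only
& "$Bin\CSExportAnalyzer.exe" $pendingXml | Out-File $pendingCsv
Write-Host "Review $pendingCsv before continuing. Mass deletes or unexpected changes mean STOP."
Read-Host 'Press Enter to promote this server, or Ctrl+C to abort'

# 3. Leave staging mode and start the scheduler. From here on this server is the active one.
Set-ADSyncScheduler -StagingMode $false
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Get-ADSyncScheduler | Select-Object StagingModeEnabled, SyncCycleEnabled, NextSyncCycleStartTimeInUTC
```

Step 2 is the part people skip: a staging server whose OU filtering drifted from the primary will happily export thousands of deletions the moment it goes active, and the CSV from CSExportAnalyzer is the only cheap way to see that before it happens. When the old primary is recovered, reinstall it or leave it in staging mode as the new standby.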

7. Strategy: Backup

  • Config: Export the AD Connect configuration (JSON) from the wizard ("View or export current configuration") after every change and store it off-box; AD Connect also writes an automatic export under %ProgramData%\AADConnect\Exported-ServerConfiguration-* whenever its configuration changes. The JSON contains sync rules, OU filtering and feature settings but no credentials, and it can be imported when building the staging server so both servers match. Still back up the VM itself if you have custom sync rules you cannot easily rebuild.

8. Strategy: Security

  • Account: The AD DS Connector account (Express creates one named MSOL_<hex>) holds "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain, because PHS reads password hashes via replication. That is DCSync rights over every account, so there is no genuinely low-privilege version of it. Least privilege here means granting it nothing else, regularly auditing who holds those replication rights (the list should be Domain Controllers, Administrators and this one account), and locking down the sync server: no extra members in the local Administrators group, no browsing or email from the box, no other workloads on it. On the Entra side, use the privileged installation account only for the wizard; ongoing sync runs under the service account the wizard creates (named Sync_<servername>_<random>), which you should not repurpose.
  • Filtering: Only sync necessary OUs. Exclude Service Accounts and, above all, privileged on-prem accounts (Domain Admins, Enterprise Admins). Entra admin roles should be held by cloud-only accounts, so an on-prem compromise cannot pivot into the tenant and a tenant compromise cannot pivot back.
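The replication-rights audit that the Account bullet calls for, as an added PowerShell example that is not part of the original page. It assumes the RSAT ActiveDirectory module and a domain-joined session; the list of expected principals is an assumption for a default domain and should be edited for your environment.

```powershell
# Who can DCSync this domain? The AD DS Connector account must be on this list; anything
# else you do not recognise is a finding.
Import-Module ActiveDirectory

# Extended-right GUIDs from the AD schema
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Principals that hold these rights in a default domain (assumption; edit for your forest)
$ExpectedExact   = @('BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS')
$ExpectedPattern = '(\\Domain Controllers|\\MSOL_[0-9a-f]{12})$'   # DC group, AD Connect connector account

function Get-DcSyncHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
            $ReplicationRights.ContainsKey($guid)) {

            $who = $ace.IdentityReference.Value
            [pscustomobject]@{
                Identity = $who
                Right    = $ReplicationRights[$guid]
                Expected = ($ExpectedExact -contains $who) -or ($who -match $ExpectedPattern)
            }
        }
    }
}

# Unexpected holders sort to the top (Expected = False first)
Get-DcSyncHolders | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Run it after the Express install: you should see exactly one MSOL_ account added to the default set. Run it again on a schedule; a second MSOL_ account (a forgotten lab install, or an attacker copying the naming convention) or any user account with Get-Changes-All is the kind of thing this design makes easy to miss, because the legitimate entry already looks like "just the sync account".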

9. Well-Architected Framework Analysis

  • Reliability: High with a staging server. A single sync server is a single point of failure for provisioning and password changes only; existing users keep signing in to the cloud from the hashes already there.
  • Security: High, provided the server is operated as Tier 0 (Section 8).
  • Cost Optimization: High. Free tool. You pay for the VM(s), and for a full SQL Server only if you exceed the bundled LocalDB limit of about 100,000 objects.
  • Operational Excellence: High. Scheduler, staging flips and configuration export are all scriptable from the ADSync PowerShell module.
  • Performance Efficiency: N/A.

10. Detailed Traffic Flow

1. Change: Admin creates user "Alice" on-prem (or Alice changes her password).

2. Cycle: The AD Connect scheduler runs a delta sync every 30 minutes by default (Get-ADSyncScheduler shows the effective interval). Password hash sync runs on its own timer, about every 2 minutes, so password changes reach the cloud well before the next object sync.

3. Read: The sync engine reads Alice's attributes from AD. For the password it uses the directory replication protocol (the same calls a Domain Controller uses), which is why its connector account needs "Replicating Directory Changes" rights.

4. Hash: The NT (MD4) hash never leaves on-prem as-is. The agent adds a per-user salt and runs PBKDF2-HMAC-SHA256 for 1,000 iterations over it. The cleartext password is never read, and a leaked cloud value cannot be used for pass-the-hash against on-prem AD.

5. Push: Pushes Alice's attributes, the derived hash and its salt to Entra ID over HTTPS (outbound only).

6. Login: Alice logs in to the Azure Portal. Entra ID runs the password she typed through the same derivation and compares the result; the sign-in never touches on-prem AD.
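The transform in step 4, as an added PowerShell illustration that is not part of the original page. It uses the parameters Microsoft documents for PHS (NT hash expanded to a 32-character hex string encoded as UTF-16LE, a 10-byte per-user salt, PBKDF2-HMAC-SHA256 with 1,000 iterations, 32-byte output); the hex case is an assumption, and the NT hash below is a constructed value, not a real credential. It needs .NET Framework 4.7.2 or later (Windows Server 2019/2022 qualify) or PowerShell 7.

```powershell
function ConvertTo-PhsHash {
    param(
        [Parameter(Mandatory)][byte[]]$NtHash,   # 16 bytes, as the agent reads it from AD via replication
        [Parameter(Mandatory)][byte[]]$Salt      # 10 random bytes, generated per user on each sync
    )
    if ($NtHash.Length -ne 16) { throw 'NT hash must be 16 bytes' }
    if ($Salt.Length -ne 10)   { throw 'Salt must be 10 bytes' }

    # 1. Expand 16 bytes -> 32 hex chars -> 64 bytes of UTF-16LE (hex case is an assumption)
    $hex      = -join ($NtHash | ForEach-Object { $_.ToString('x2') })
    $expanded = [System.Text.Encoding]::Unicode.GetBytes($hex)

    # 2. PBKDF2-HMAC-SHA256, 1000 iterations, 32-byte result: this is what is uploaded
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $expanded, $Salt, 1000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return $kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function New-PhsSalt {
    $salt = [byte[]]::new(10)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    return $salt
}

# Constructed sample NT hash (NOT a real user's hash): 00 11 22 ... ff
$ntHash = [byte[]](0..15 | ForEach-Object { $_ * 17 })

$salt1 = New-PhsSalt
$salt2 = New-PhsSalt
$h1 = ConvertTo-PhsHash -NtHash $ntHash -Salt $salt1
$h2 = ConvertTo-PhsHash -NtHash $ntHash -Salt $salt2

"NT hash (stays on-prem): $(-join ($ntHash | ForEach-Object { $_.ToString('x2') }))"
"Uploaded with salt 1   : $([Convert]::ToBase64String($h1))"
"Uploaded with salt 2   : $([Convert]::ToBase64String($h2))"

# Same password, two syncs, two different cloud values, and neither is the NT hash.
# Entra ID stores (salt, hash) per user and at sign-in recomputes ConvertTo-PhsHash from the
# NT hash of the typed password, then compares.
```

The practical consequence for threat modeling: an attacker who dumps the Entra-side store gets salted PBKDF2 output and has to brute-force it, whereas an attacker who dumps the sync server's connector-space or reads the MSOL_ account's replication stream gets the raw NT hashes. The cloud store is the lesser of the two targets; the sync server is the bigger one.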

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Deploy AD Connect Server

1. Deploy VM: Windows Server 2019/2022 in vnet-hub.

* Name: vm-adc-01.

* Size: Standard_D2s_v3.

2. Join Domain: Join this VM to your On-Prem AD Domain (via VPN/ExpressRoute).

3. Login: Log in with an account that is a local Administrator on the VM. Domain Admin membership is not needed to run the installer (the wizard prompts separately for the privileged credentials it needs), and privileged accounts should not be left logged on to this box.

Phase 2: Install Azure AD Connect

1. Download: Get AzureADConnect.msi from the Microsoft Download Center (search "Microsoft Entra Connect"; the Entra admin center also links to it under Microsoft Entra Connect). In a lab you can do this from Edge on the VM; in production download it on an admin workstation, check the Microsoft signature (Get-AuthenticodeSignature) and copy it over, since the sync server should not browse the web.

2. Run Installer.

3. Welcome: Agree to license -> Continue.

4. Express Settings: Click Use express settings (simplest; fine for a lab). Express syncs every OU, creates the MSOL_ connector account itself and turns on PHS. For production choose Customize instead, so you can supply a pre-created connector account, import the JSON exported from an existing server, and set OU filtering before the first export (filtering can also be changed later in the Synchronization Service Manager).

5. Connect to Azure AD:

* Enter Global Administrator credentials for your Azure Tenant (e.g., admin@contoso.onmicrosoft.com); on current versions the Hybrid Identity Administrator role is sufficient. These credentials are used only by the wizard and are not stored; the wizard creates its own Entra service account for ongoing sync.

6. Connect to AD DS:

* Enter Enterprise Administrator credentials for your On-Prem Domain (e.g., CONTOSO\admin). Express needs EA only to create the MSOL_ connector account and grant it the replication rights PHS requires; the EA credentials themselves are not stored on the server.

7. Azure AD Sign-in configuration:

* The tool will verify domains. If you don't have a custom domain verified (like contoso.com), it will warn you. For labs, ignore and continue (users will be user@contoso.onmicrosoft.com).

8. Configure:

* Ensure Start the synchronization process when configuration completes is checked.

* *Note: Password Hash Synchronization is enabled by default in Express.*

9. Install.

Phase 3: Verify Sync

1. Wait 5-10 minutes.

2. Go to Azure Portal -> Microsoft Entra ID -> Users.

3. Filter: Look for users where On-premises sync enabled is Yes.

4. Test Login:

* Open a private (InPrivate/Incognito) window so the cached admin session is not reused.

* Log in to portal.azure.com as one of the synced users.

* Use the *same password* as On-Prem.

* It should work.
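A scripted version of the Phase 3 checks, as an added PowerShell example that is not part of the original page. The sync-engine half runs on vm-adc-01 with the ADSync module; the cloud half assumes the Microsoft.Graph PowerShell module and an account able to read users and the organization. The user principal name is an assumption.

```powershell
# --- On the sync server: is the scheduler healthy, and force a cycle instead of waiting ---
Import-Module ADSync
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) { Write-Warning 'Scheduler is disabled; nothing will sync' }
if ($sched.StagingModeEnabled)    { Write-Warning 'This server is in STAGING mode; it will not export' }
"Next scheduled cycle: $($sched.NextSyncCycleStartTimeInUTC) UTC ($($sched.NextSyncCyclePolicyType))"

Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 5 }

# --- Cloud side: tenant-level sync timestamps and the synced user's attributes ---
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All'

$org = Get-MgOrganization
"Last object sync  : $($org.OnPremisesLastSyncDateTime)"
"Last password sync: $($org.OnPremisesLastPasswordSyncDateTime)"

# Object sync succeeding while password sync stalls is the classic PHS failure signature
# (usually the connector account lost its replication rights). Flag a gap over ~2 hours.
$gap = $org.OnPremisesLastSyncDateTime - $org.OnPremisesLastPasswordSyncDateTime
if ($gap -gt [TimeSpan]::FromHours(2)) {
    Write-Warning "Password hash sync is lagging object sync by $gap; check the connector account's replication rights"
}

$upn  = 'alice@contoso.onmicrosoft.com'   # assumption
$user = Get-MgUser -UserId $upn -Property userPrincipalName, onPremisesSyncEnabled,
                                          onPremisesLastSyncDateTime, onPremisesSecurityIdentifier
$user | Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesSecurityIdentifier
```

OnPremisesSecurityIdentifier on the user is the on-prem SID; it being populated is what tells you the cloud object was matched to (rather than merely named like) the AD account. The Portal filter in step 3 shows only the OnPremisesSyncEnabled flag, which a soft-matched duplicate can also carry.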

Phase 4: Configure Staging (DR) - Optional

1. Deploy a second VM vm-adc-02 in West US (or same region).

2. Run Installer.

3. Select Staging Mode during configuration (under Customize, or afterwards via Configure -> Configure staging mode). If you import the JSON exported from vm-adc-01, both servers will have identical sync rules and OU filtering, which is what makes the later flip safe.

4. This server will read AD and Entra ID but *not* export to either, and it runs neither password hash sync nor writeback while staged. It is a hot standby; Section 5 describes the flip and Section 6 the pending-export check to run before it.