Channel: Azure Active Directory forum

Non-Hybrid, AD and AAD Joined Device

I am curious as to what would happen if the .ppkg for bulk enrollment is run on an AD-Joined device? Would the resulting AAD node be Azure-Joined or Hybrid Joined? If it depends on Azure AD Connect, what happens when devices are and aren't synced?

Migrate our local ERP server into Azure which is connected with Local AD


Hi,

We have a local domain controller which is Windows 2012 R2, and we have two servers loaded with our company ERP application which are already joined to the above domain controller. Our client machines which use our ERP application are also joined to our domain controller. Now I would like to move our two ERP servers to Azure; our users (client machines) will also be connected to our local AD and at the same time they will use our ERP in Azure after migration. But our ERP servers will work under the domain only. In this case, how can I set up the local AD and local machines so that the ERP will be in Azure with domain connectivity, which is mandatory? Can anyone help with this?

http://accesscontrol.windows.net is down


We have a few namespaces live on http://accesscontrol.windows.net for authentication. This entire domain seems to be removed from the DNS servers / is seemingly down already while it is supposed to be going down in November 2018.

You can see an example when you visit https://start.mijnhva.nl and click the login with Microsoft or login with Google button.

Please fix this!


I need help deleting an AD B2C directory

I can't delete it. I have tried everything but it is still there. It tells me to delete the application registrations, but that can't be done.

Azure B2B collaboration with partners who do not have Azure AD


Hi,

I know it's possible to collaborate using Azure B2B with partners who do not have an Azure AD, as Azure simply fires up an Azure tenant and AD domain in the background, transparently to the user. What I'm not sure about is how control of this tenant is achieved, for example:

I own "SmallTownToys" and I have 10 staff and I want to partner with SupplierX. SupplierX sends 10 guest email invitations to my staff using their email addresses "@SmallTownToys.com". We don't have ADFS in place and we haven't registered our domain name in Azure.

1. Is there a single Azure AD for @SmallTownToys.com containing my 10 staff or are there multiple Azure ADs?

2. As the owner of @SmallTownToys.com, if I want to control or add/remove accounts from the Azure AD, how do I go about managing it? By default, in this model, I don't think I'll have access to modify the Azure AD.

Thanks 

Azure AD Sync won't install or run - Logs attached


We originally had Azure AD Connect working just fine, just a couple weeks ago things were humming along just fine. Over the last week things have gotten progressively worse starting with the service refusing to start due to login issues. After uninstalling and reinstalling the system worked again for a couple days, then it failed again. Reinstalling again gave us another 24 hours. Now we have no capability to sync and the service won't install or run.

Also tried manually uninstalling and reinstalling but found the same result. It even appears that SQL 2012 is being skipped by the installer.

Server 2016 running in a virtual environment. Server is a domain controller. Installing user is a domain administrator.

[16:53:51.341] [  1] [INFO ]
[16:53:51.341] [  1] [INFO ] ================================================================================
[16:53:51.341] [  1] [INFO ] Application starting
[16:53:51.341] [  1] [INFO ] ================================================================================
[16:53:51.341] [  1] [INFO ] Start Time (Local): Wed, 05 Sep 2018 16:53:51 GMT
[16:53:51.341] [  1] [INFO ] Start Time (UTC): Wed, 05 Sep 2018 20:53:51 GMT
[16:53:51.356] [  1] [INFO ] Application Version: 1.1.880.0
[16:53:51.356] [  1] [INFO ] Application Build Date: 2018-07-20 22:37:14Z
[16:53:53.450] [  1] [INFO ] Telemetry session identifier: {c4b98cfa-ef9c-4d9b-bf3f-6865c64b53f9}
[16:53:53.450] [  1] [INFO ] Telemetry device identifier: os1qvPdGZhQumkjaRgIoH0TtrpCCAagQgbrn0FMQ/Fc=
[16:53:53.450] [  1] [INFO ] Application Build Identifier: AD-IAM-HybridSync master (3f67a493d)
[16:53:53.513] [  1] [INFO ] machine.config path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.
[16:53:53.513] [  1] [INFO ] Default Proxy [ProxyAddress]: <Unspecified>
[16:53:53.513] [  1] [INFO ] Default Proxy [UseSystemDefault]: Unspecified
[16:53:53.513] [  1] [INFO ] Default Proxy [BypassOnLocal]: Unspecified
[16:53:53.513] [  1] [INFO ] Default Proxy [Enabled]: True
[16:53:53.513] [  1] [INFO ] Default Proxy [AutoDetect]: Unspecified
[16:53:53.544] [  1] [VERB ] Scheduler wizard mutex wait timeout: 00:00:05
[16:53:53.544] [  1] [INFO ] AADConnect changes ALLOWED: Successfully acquired the configuration change mutex.
[16:53:53.591] [  1] [INFO ] RootPageViewModel.GetInitialPages: Beginning detection for creating initial pages.
[16:53:53.591] [  1] [INFO ] Checking if machine version is 6.1.7601 or higher
[16:53:53.622] [  1] [INFO ] The current operating system version is 10.0.14393, the requirement is 6.1.7601.
[16:53:53.622] [  1] [INFO ] Password Hash Sync supported: 'True'
[16:53:53.638] [  1] [INFO ] DetectInstalledComponents stage: The installed OS SKU is 7
[16:53:53.638] [  1] [INFO ] DetectInstalledComponents stage: Checking install context.
[16:53:53.638] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Visual C++ 2013 Redistributable Package
[16:53:53.653] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:53.653] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {20400cf0-de7c-327e-9ae4-f0f38d9085f8}: verified product code {a749d8e6-b613-3be3-8f5f-045c84eba29b}.
[16:53:53.653] [  1] [VERB ] Package=Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005, Version=12.0.21005, ProductCode=a749d8e6-b613-3be3-8f5f-045c84eba29b, UpgradeCode=20400cf0-de7c-327e-9ae4-f0f38d9085f8
[16:53:53.653] [  1] [INFO ] Determining installation action for Microsoft Visual C++ 2013 Redistributable Package (20400cf0-de7c-327e-9ae4-f0f38d9085f8)
[16:53:53.653] [  1] [INFO ] Product Microsoft Visual C++ 2013 Redistributable Package (version 12.0.21005) is installed.
[16:53:53.653] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Directory Sync Tool
[16:53:53.653] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:53.653] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[16:53:53.653] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[16:53:53.653] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: verified product code {7fc37298-c8d4-4d4c-9d9a-dbbdc8011c68}.
[16:53:53.653] [  1] [VERB ] Package=Microsoft Azure AD Connect synchronization services, Version=1.1.819.0, ProductCode=7fc37298-c8d4-4d4c-9d9a-dbbdc8011c68, UpgradeCode=545334d7-13cd-4bab-8da1-2775fa8cf7c2
[16:53:53.669] [  1] [INFO ] Determining installation action for Microsoft Directory Sync Tool UpgradeCodes {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}, {dc9e604e-37b0-4efc-b429-21721cf49d0d}
[16:53:53.669] [  1] [INFO ] DirectorySyncComponent: Product Microsoft Directory Sync Tool is not installed.
[16:53:53.669] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Sync Engine
[16:53:53.669] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:53.669] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {545334d7-13cd-4bab-8da1-2775fa8cf7c2}: verified product code {7fc37298-c8d4-4d4c-9d9a-dbbdc8011c68}.
[16:53:53.669] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {dc9e604e-37b0-4efc-b429-21721cf49d0d}: no registered products found.
[16:53:53.669] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {bef7e7d9-2ac2-44b9-abfc-3335222b92a7}: no registered products found.
[16:53:53.669] [  1] [VERB ] Package=Microsoft Azure AD Connect synchronization services, Version=1.1.819.0, ProductCode=7fc37298-c8d4-4d4c-9d9a-dbbdc8011c68, UpgradeCode=545334d7-13cd-4bab-8da1-2775fa8cf7c2
[16:53:53.669] [  1] [INFO ] Determining installation action for Azure AD Sync Engine (545334d7-13cd-4bab-8da1-2775fa8cf7c2)
[16:53:54.028] [  1] [VERB ] Check product code installed: {4e67cad2-d71b-4f06-a7ae-bb49c566bb93}
[16:53:54.028] [  1] [INFO ] GetProductInfoProperty({4e67cad2-d71b-4f06-a7ae-bb49c566bb93}, VersionString): unknown product
[16:53:54.028] [  1] [INFO ] AzureADSyncEngineComponent: Product Azure AD Sync Engine (version 1.1.819.0) is installed, needs to be upgraded to version 1.1.880.0.
[16:53:54.028] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Synchronization Agent
[16:53:54.028] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.028] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {3cd653e3-5195-4ff2-9d6c-db3dacc82c25}: no registered products found.
[16:53:54.028] [  1] [INFO ] Determining installation action for Azure AD Connect Synchronization Agent (3cd653e3-5195-4ff2-9d6c-db3dacc82c25)
[16:53:54.028] [  1] [INFO ] Product Azure AD Connect Synchronization Agent is not installed.
[16:53:54.028] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure AD Connect Health agent for sync
[16:53:54.028] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.028] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {114fb294-8aa6-43db-9e5c-4ede5e32886f}: no registered products found.
[16:53:54.028] [  1] [INFO ] Determining installation action for Azure AD Connect Health agent for sync (114fb294-8aa6-43db-9e5c-4ede5e32886f)
[16:53:54.028] [  1] [INFO ] Product Azure AD Connect Health agent for sync is not installed.
[16:53:54.028] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[16:53:54.028] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.028] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {0c06f9df-c56b-42c4-a41b-f5f64d01a35c}: no registered products found.
[16:53:54.028] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (0c06f9df-c56b-42c4-a41b-f5f64d01a35c)
[16:53:54.028] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[16:53:54.028] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Command Line Utilities
[16:53:54.028] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.028] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {52446750-c08e-49ef-8c2e-1e0662791e7b}: no registered products found.
[16:53:54.028] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Command Line Utilities (52446750-c08e-49ef-8c2e-1e0662791e7b)
[16:53:54.028] [  1] [INFO ] Product Microsoft SQL Server 2012 Command Line Utilities is not installed.
[16:53:54.028] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Express LocalDB
[16:53:54.028] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.028] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {c3593f78-0f11-4d8d-8d82-55460308e261}: no registered products found.
[16:53:54.028] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Express LocalDB (c3593f78-0f11-4d8d-8d82-55460308e261)
[16:53:54.028] [  1] [INFO ] Product Microsoft SQL Server 2012 Express LocalDB is not installed.
[16:53:54.028] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft SQL Server 2012 Native Client
[16:53:54.028] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.028] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {1d2d1fa0-e158-4798-98c6-a296f55414f9}: no registered products found.
[16:53:54.028] [  1] [INFO ] Determining installation action for Microsoft SQL Server 2012 Native Client (1d2d1fa0-e158-4798-98c6-a296f55414f9)
[16:53:54.028] [  1] [INFO ] Product Microsoft SQL Server 2012 Native Client is not installed.
[16:53:54.028] [  1] [INFO ] Performing direct lookup of upgrade codes for: Microsoft Azure AD Connect Authentication Agent
[16:53:54.028] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.028] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {fb3feca7-5190-43e7-8d4b-5eec88ed9455}: no registered products found.
[16:53:54.028] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connect Authentication Agent (fb3feca7-5190-43e7-8d4b-5eec88ed9455)
[16:53:54.028] [  1] [INFO ] Product Microsoft Azure AD Connect Authentication Agent is not installed.
[16:53:54.028] [  1] [INFO ] Determining installation action for Microsoft Azure AD Connection Tool.
[16:53:54.044] [  1] [WARN ] Failed to read DisplayName registry key: An error occurred while executing the 'Get-ItemProperty' command. Cannot find path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftAzureADConnectionTool' because it does not exist.
[16:53:54.044] [  1] [INFO ] Product Microsoft Azure AD Connection Tool is not installed.
[16:53:54.044] [  1] [INFO ] Performing direct lookup of upgrade codes for: Azure Active Directory Connect
[16:53:54.044] [  1] [VERB ] Getting list of installed packages by upgrade code
[16:53:54.044] [  1] [INFO ] GetInstalledPackagesByUpgradeCode {d61eb959-f2d1-4170-be64-4dc367f451ea}: verified product code {e369ca42-bb0d-4776-84f1-4618da3c3ce1}.
[16:53:54.044] [  1] [VERB ] Package=Microsoft Azure AD Connect, Version=1.1.880.0, ProductCode=e369ca42-bb0d-4776-84f1-4618da3c3ce1, UpgradeCode=d61eb959-f2d1-4170-be64-4dc367f451ea
[16:53:54.044] [  1] [INFO ] Determining installation action for Azure Active Directory Connect (d61eb959-f2d1-4170-be64-4dc367f451ea)
[16:53:54.044] [  1] [INFO ] Product Azure Active Directory Connect (version 1.1.880.0) is installed.
[16:53:54.356] [  1] [INFO ] ServiceControllerProvider: GetServiceStartMode(seclogon) is 'Manual'.
[16:53:54.356] [  1] [INFO ] ServiceControllerProvider: verifying EventLog is in state (Running)
[16:53:54.372] [  1] [INFO ] ServiceControllerProvider: current service status: Running
[16:53:54.372] [  1] [INFO ] DetectInstalledComponents stage: Sync engine upgrade required.
[16:53:54.372] [  1] [WARN ] MicrosoftOnlinePersistedStateProvider.Backup: unable to locate the persisted state file for backup.  Path: C:\ProgramData\AADConnect\PersistedState.xml
[16:53:54.403] [  1] [INFO ] CallExportSyncConfig: launching ExportSyncConfig.exe.
[16:53:54.888] [  1] [INFO ] ServiceControllerProvider: verifying ADSync is in state (Running)
[16:53:54.888] [  1] [ERROR] Caught an exception while creating the initial page set on the root page.
Exception Data (Raw): System.InvalidOperationException: Service ADSync was not found on computer '.'. ---> System.ComponentModel.Win32Exception: The specified service does not exist as an installed service
   --- End of inner exception stack trace ---
   at System.ServiceProcess.ServiceController.GenerateNames()
   at System.ServiceProcess.ServiceController.get_ServiceName()
   at System.ServiceProcess.ServiceController.GenerateStatus()
   at System.ServiceProcess.ServiceController.get_Status()
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.IsServiceInState(String serviceName, ServiceControllerStatus desiredStatus)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.DetectInstalledComponents.Execute(String& message, GlobalContext globalWizardContext, Boolean& isPasswordSyncSupported)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPagesCore()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPages()
[16:57:45.833] [  1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20180905-165351.log

AD FS with Azure AD Domain Services


Hello,

I'm trying to implement Azure AD Domain Services but I have two doubts:

- Is it possible to implement +1 Azure AD Domain Services in the same tenant?

- If I have AD Federation Services (on-premise), is it possible to implement Azure AD DS? Is it necessary to sync passwords?

thanks!


B2B Remote access and third-party app authentication


Hi - We've got people from an external organisation who we want to be able to use our service desk system to take incidents and requests. Our service desk system is a cloud system (Service-now) - we've invited the users with B2B access, and granted the groups that we'd normally grant to an internal user for access to the system. I can see in Service-now they have the right roles and groups. I'm not sure however that Service-now would be able to authenticate them properly - how will it know what password to use to authenticate them?


Small company on hosted server with E3 - advice?


Hi all,

Is there any scenario supported by Microsoft where a single 2016 server could provide RD services for 4-5 users and have their user credentials sync between it and 365?

Client has an E3 subscription (non-profit/charity).

Server is being provided by 3rd party with SPLA licensing.

I'm assuming installing AD services and running it as a domain controller isn't supported with an RDS role, and therefore we can't use Azure AD Connect, but is there a free Azure AD service with an E3 subscription that would allow joining the server to AAD and authenticate RDS users against 365?

The alternative is to run the server in workgroup mode with RDS and manage 2 sets of credentials.

Thanks,

David

AAD issue have only member user

Hello, I have an account with member rights and no other users in AAD. I got the account from VLSC when I bought a Windows Server license. How can I add an administrator in the AAD?

Register New User via Easy Auth and Azure AD, Support Limited Anonymous or Unregistered Access


I am trying to use Azure AD and openid in an AspNet Core website I'm building. The site is part of a larger project which will implement some Azure Functions to handle telemetry gathered from a smartphone while riding a motorcycle, as part of a crash monitoring application. Azure AD, open ID, etc., are new to me, so I'm not sure I'm even using the right terminology here, so bear with me.

What I'd like to do as a first step is to use Easy Auth to register new users on the site. The current VS 2017 (15.8) template implements Azure AD (at least) by default, and I've confirmed that it works: I can log into the site using my Microsoft Windows credentials.

Where I'm having a problem is understanding how that authentication fits into registering, and then authenticating, a user onto my site. In other words, I want the login process to check to see if a user is registered with my site (user info to be stored in a SqlServer database). In all the AspNet websites I've written heretofore, that's been implicitly done, because I've been authenticating users against the site database. Now that I'm authenticating against other sources (e.g., Microsoft, Google, Facebook), I'm unclear how to implement the site-specific stuff.

I've tried inserting site-specific authentication when the OpenID service is configured during startup (from Startup.cs):

 

    services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Instead of using the default validation (validating against a single issuer value, as we do in
            // line of business apps), we inject our own multitenant validation logic
            ValidateIssuer = false,

            // If the app is meant to be accessed by entire organizations, add your issuer validation logic here.
            //IssuerValidator = (issuer, securityToken, validationParameters) => {
            //    if (myIssuerValidationLogic(issuer)) return issuer;
            //}
        };

        options.Events = new OpenIdConnectEvents
        {
            OnTicketReceived = context =>
            {
                // If your authentication logic is based on users then add your logic here
                return Task.CompletedTask;
            },

            OnAuthenticationFailed = context =>
            {
                context.Response.Redirect("/Error");
                context.HandleResponse(); // Suppress the exception
                return Task.CompletedTask;
            },

            OnTokenValidated = context =>
            {
                // throwing an exception here when the user is not in the site database
                // just causes the authentication request to be repeated, endlessly

                // The handler has to return a Task for the lambda to compile
                return Task.CompletedTask;
            }
        };
    });


When a user is not registered locally, do I just return a redirect to a page that allows them to register?

Related to this, I'd also like to allow some level of anonymous access, directing anonymous users to a page describing the site, how to register, etc. I'm not sure how to do that, either. Is there a way to inject specific claims into the authorization, and then control access to controller actions based on claims?

Sorry about the vague questions here. But, as I mentioned, I'm new to Azure AD, open id, easy auth and, for that matter, AspNet Core 2.0 :)

- Mark

How to add Graph API Permissions in azure custom RBACs ?


Hi,

I need to add Graph API Permissions like "Directory.Read.All", "User.Read.All" in custom RBACs.

For more reference: https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference


How to stand up a backup domain controller in Azure


I have been asked to build a backup domain controller in an offsite location for the purposes of DR.  I'm wondering if there is a way to do this using Azure.  We currently use it for daily off site backups.

This is a 30 person company with one File/Print/DC server. I have both local backups and backups to Azure. But other than the local backup I have no bare metal backup nor do I have AD replication offsite. Can somebody point me toward the best way to accomplish this? I know you can do a bare metal backup to Azure; it is very confusing as to how you do it. I also think I can stand up a VM to use as a replication for AD, but I can't find a way to do it. Is there someone at Azure that I can arrange a pre-sales call to explain this?



Jim



How to pass the parameter for stored procedure through ADFv2


Hi,

I want to pass the pipeline trigger date for stored procedure through ADFv2. But I'm getting "Activity SP_RecordSplit failed: Procedure SP_RecordSplit has no parameters and arguments were supplied." error. Could anyone please help me to fix this issue? A variable @slicetime is passed in the stored procedure.

Attached below is the code I used in the ADF.

    "typeProperties": {
        "storedProcedureName": "[dbo].[SP_RecordSplit]",
        "storedProcedureParameters": {
            "Slicetime": {
                "value": {
                    "value": "@pipeline().TriggerTime",
                    "type": "Expression"
                },
                "type": "DateTime"
            }
        }
    },

Thanks.

Could not retrieve Azure application's logo using Azure AD Graph API

Hi,

I need help in retrieving Azure application's logo using Azure AD Graph API.

I have tried to retrieve the application's details from the following URLs; both didn't have logo information.

https://graph.windows.net/<TenantID>/applications?api-version=1.6 and 
https://graph.windows.net/<TenantID>/servicePrincipals?$filter=appId eq '<Application's appId>'&api-version=1.6

As per the documentation: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity, the response should have the mainLogo attribute. But this attribute is never included in the response. I have tried with an external client and also with Azure AD Graph explorer but this attribute is not included in the response.

However, the response includes logoUrl attribute which is not in the documentation. This attribute has logo URL only when the application has custom logo configured. Otherwise, it is always null.

Any suggestions on how to retrieve the application's logo that is seen in Azure portal?

Thanks,
Ishwar

AADSync Password Reset


Hi All!

I have been trying to configure the password reset using the password writeback but I haven't had any luck.

I have successfully synced two AD forests to my Azure tenant



I am using AR\aadsync as the service account to sync between Azure AD and AD on-prem

I have granted the proper permission to that service account

But when the user tries to change his password they get these errors:

By the way, I already have below permissions set at Domain level for AD MA account:

  • Reset Password
  • Change Password
  • Write lockoutTime
  • Write pwdLastSet

And the user that is trying to change his password does not have the option "password never expires" checked.

Any ideas? 

Thanks in advance.

Cheers,

Javier.


How to provide an application read permissions to all the data in AAD (including user, groups, assigned roles , all resources) using powershell script?

What I am able to do for now, using the PowerShell script, is create a new application and assign the role to read all resource data in a subscription. I am using Azure RM PowerShell 6.8.1 for this. I have read the "Select Package Azure Active Directory PowerShell 2.0" documents and found how to give administrative roles to a service principal, but I want to limit the role to read-only.

Error while creating user for AzureAD via Powershell

While trying to create new user, using the commands mentioned on the website
"https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureaduser?view=azureadps-2.0"
and providing the necessary parameters, I get the following issue:
Error while processing: CREATE for url: /azurescript/Users, Exit Value: 1, output: Connect-AzureAD : One or more errors occurred.: AADSTS50034: To sign into this \r\napplication the account must be added to the XXXX directory.\r\nTrace ID: 4e44e39f-76f3-4258-816a-4f8b1d7f5d00\r\nCorrelation ID: 8235f094-ec2d-43c3-8d94-2c4565b5909c\r\nTimestamp: 2018-09-04 09:26:52Z
How is this resolved?

Automatic Changes when upgrading to Azure AD Premium

My company is looking to upgrade from Azure AD Basic to Azure AD Premium P2 very soon, however, we wanted to know if there were any features or settings that would automatically go into effect when the change is made? Will anything be turned on or turned off automatically, or will the upgrade simply unlock the Premium features and allow us to manually enable or disable them?

Disable "Verify your identity with a phone"

Hello,

After an Azure AD join on a Windows 10 device, users are forced to verify their identity with a phone. How/where can I disable that or make it at least optional? I know that there seem to be options/tricks in the local group policies but I am searching for a global option in Azure AD itself. Especially for the free/basic version that comes with O365.

Thank you very much in advance
Cheers
-gladston4