Hybrid Azure Active Directory join for managed domains towards a classic Active Directory setup.

Many companies have all kinds of dependencies towards their on-prem environment but also want to take a step closer to the cloud to get all of the possibilities the cloud has to offer.

Microsoft makes this possible through Azure Active Directory Connect (Azure AD Connect); this tool can create a mixed infrastructure called a hybrid setup.

In this test lab we use the hybrid setup to get our Windows 10 1903 devices activated. This environment doesn't have any KMS server or MAK keys for activation, so a user with a Microsoft 365 E5 license will handle the activation of Windows 10.

Note: The activation will work on both Windows 10 Pro and Enterprise versions. This activation is possible through an online service via the subscription. Deploying Windows 10 in your organization can now be accomplished with no keys and no reboots.

The Windows 10 Pro/Enterprise 1903 devices in this scenario are deployed and installed from Microsoft Deployment Toolkit (MDT) with Windows Deployment Services (WDS), and the computer objects are domain joined to an on-prem Active Directory. All the servers and clients are hosted on Oracle VirtualBox with a NAT network setup.

But first things first: we need to download Azure AD Connect from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=47594 and install it on a Windows tool or management server.

  • Let's start the configuration of the Hybrid Azure AD join. Double-click on Azure AD Connect and click Configure.
  • Click on Configure device options and click Next:
  • Click on Hybrid Azure AD join and click Next:
  • Now log on with a global Azure AD administrator to connect to Azure AD:
  • Choose Configure Hybrid Azure AD join and click Next:
  • Choose Windows 10 or later domain-joined devices and click Next:

Note: In this lab there is no legacy operating system like Windows 7 or 8.1 that needs to be synced, so therefore Supported Windows downlevel domain-joined devices is not selected.

  • Select the on-prem domain forest that needs to be connected to Azure AD for the hybrid setup, add an Enterprise Administrator account for accessing the on-prem domain and click Next:
  • Now click Next:
  • Now the configuration is done:

Note: As mentioned in the completion text, there are some other steps to be carried out before the configuration follows Microsoft best practice. Click Learn more to see the other recommendations from Microsoft.

Note: In this test lab Password Hash Synchronization (PHS) and Single Sign-On (SSO) are also part of this configuration. Password hash synchronization lets the domain users use their on-prem domain password in Azure AD services like Office 365. Single sign-on is used to limit how often users are prompted for credentials when accessing cloud services from the corporate network.

  • To configure PHS and SSO, start Azure AD Connect again and now select Change user sign-in:
  • Now log on with a global Azure AD administrator to connect to Azure AD:
  • Select Password Hash Synchronization and Enable single sign-on and click Next:
  • Now the configuration of PHS and SSO is done. Check that the configuration is running without errors under the Azure AD Connect tab in Azure Active Directory:
  • Also check that the Windows 10 devices are synced from your on-prem AD to your Azure Active Directory and are marked Hybrid Azure AD joined:

Note: Directly from the client you can also verify that it is Azure AD joined, and see many more details like device, user, SSO and tenant state, by running dsregcmd /Status from a PowerShell or CMD prompt. See the picture below.

  • The last step is to check that the Windows 10 cloud license activates itself at user login. Log on to your Windows 10 on-prem domain-joined client:
  • Click Start and search for the Activation setting to see that your copy of Windows is active.

This scenario requires a custom domain name in the cloud tenant that matches the on-prem UPN for a successful sync of identities.

Note: If not, the UPNs will by default be user@domain.onmicrosoft.com in Azure Active Directory, regardless of whether the user synced from on-prem AD comes with a custom UPN (domain name).

Windows 10 will not activate itself through the user's cloud license until the UPNs match on both on-prem AD and Azure AD.

If it is only for test purposes and you don't have a custom domain name that you can use in the cloud, you can change your users' local UPN to domain.onmicrosoft.com and then run a delta sync.

  • To create a new UPN suffix, log in to your domain controller, start Active Directory Domains and Trusts, right-click on Active Directory Domains and Trusts and hit Properties:
  • Now type in the domain.onmicrosoft.com address and click Add:
  • Now change the user's UPN to the domain.onmicrosoft.com suffix:

Note: For changing many users, a PowerShell script can be used to change a bundle of users quickly.

Note: It is important to remember to set all the needed AD attributes before the sync. See https://docs.microsoft.com/en-us/office365/enterprise/prepare-for-directory-synchronization for how to configure the required attributes.

  • Now run an AD/Azure AD sync with a PowerShell script or command:
  • Start Synchronization Service Manager and check that the synchronization completed with no errors:
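The bulk UPN change and the delta sync from the two notes above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, the ADSync module on the Azure AD Connect server, and placeholder values for the old suffix, the OU and the tenant domain; the new suffix must already be registered in Active Directory Domains and Trusts.

```powershell
# Added example, not from the original post. Assumed values below are placeholders.
Import-Module ActiveDirectory

$OldSuffix  = 'corp.local'                     # assumption: current on-prem UPN suffix
$NewSuffix  = 'domain.onmicrosoft.com'         # assumption: your tenant's default domain
$SearchBase = 'OU=LabUsers,DC=corp,DC=local'   # assumption: OU holding the test users
$DryRun     = $true                            # set to $false after reviewing the output

# Refuse to continue if the suffix was never added in AD Domains and Trusts;
# Set-ADUser would otherwise write a UPN the forest does not recognise.
if (-not ((Get-ADForest).UPNSuffixes -contains $NewSuffix)) {
    throw "UPN suffix '$NewSuffix' is not registered in the forest. Add it first."
}

# Only touch users whose UPN currently ends with the old suffix; leave the rest alone.
$Users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase

foreach ($User in $Users) {
    $Pattern = '@' + [regex]::Escape($OldSuffix) + '$'
    $NewUpn  = $User.UserPrincipalName -replace $Pattern, "@$NewSuffix"
    Write-Host ("{0} -> {1}" -f $User.UserPrincipalName, $NewUpn)
    # -WhatIf:$DryRun prints the planned change without writing it while $DryRun is $true
    Set-ADUser -Identity $User -UserPrincipalName $NewUpn -WhatIf:$DryRun
}

# Once the UPNs are written, push the change to Azure AD with a delta sync
# (run on the Azure AD Connect server) and show the scheduler state afterwards.
if (-not $DryRun) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
}
```

Run it once with $DryRun left at $true and compare the printed old/new pairs against Synchronization Service Manager's expectations before flipping it to $false.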

Note: The cloud activation of Windows 10 will now work with the domain.onmicrosoft.com UPN. Notice that users who are logged on to a Windows 10 client that had activation problems before the UPN change must log in again for this step to complete.

Happy deployment 🙂
