Active Directory

Microsoft Improves Azure Active Directory Proxy Service and Adds Work Folders Support

Microsoft this week announced various Azure Active Directory improvements.

One of those improvements concerns Azure AD Application Proxy on-boarding enhancements. Microsoft made it easier for organizations to use the service to connect remote end users to company-hosted Web applications.

Organizations can use Azure AD Application Proxy as a cloud-based substitute for maintaining a demilitarized zone on premises when permitting single sign-on access to Web apps. The benefits of using Azure AD Application Proxy, according to Microsoft, are that it doesn’t require setting up inbound connections through a firewall and organizations get to use Azure-based security analytics tools. Azure AD Application Proxy is a feature that’s available with Azure Active Directory Premium subscriptions.

Proxy Improvements
The onboarding process for Azure AD Application Proxy has been improved so that only two outbound ports are required, namely Port 443 and Port 80. Microsoft also simplified matters by requiring outbound connections to only two domains, namely “*.msappproxy.net and *.servicebus.windows.net.” The latest connector update needs to be installed to get those benefits, according to Microsoft’s announcement.

Lastly, Microsoft added a new “Long” 180-second timeout option to the Azure AD Application Proxy service. The Long option can be used for those Web apps that take longer than the default 85-second period to respond.

Work Folders Integration
In a separate announcement this week, Microsoft said that the Windows Work Folders role now works with the Azure AD Application Proxy service. It gives end users a way to access their work files remotely via single sign-on without opening inbound connections through a firewall.

To use Work Folders with the Azure AD Application Proxy service, organizations need to be running Windows Server 2012 R2 or Windows Server 2016. In addition, local Active Directory accounts need to be synchronized to Azure Active Directory using Azure Active Directory Connect.

Windows 10 version 1703 clients can be used to access Work Folders under this scheme, as well as Android and iOS clients. Microsoft described a few of the client nuances in this announcement.

Workday Provisioning
Microsoft also announced this week that it has launched a preview of a new capability that will make it easier for organizations using Workday software-as-a-service (SaaS) applications to move the provisioning information over to Azure Active Directory or Windows Server Active Directory. Workday is a provider of SaaS applications for finance and human resource needs.

The preview is called “Workday Inbound Provisioning to Azure Active Directory” and is available for use by Azure AD Premium P1 subscribers. It uses a “new thin client that is deployed alongside Azure AD Connect” to synchronize the Workday information to Active Directory on premises or Azure Active Directory.


FSMO Roles

Active Directory is a multi-master database: changes can be made at any domain controller. That flexibility comes with added responsibility, because conflicting updates made at different domain controllers must be prevented.

This is made possible by the Flexible Single Master Operations (FSMO) roles. Vital updates such as schema changes and the addition of new domains can be performed only at one particular domain controller. There are five FSMO roles: three are domain-wide and two are forest-wide.

  • Schema master – Controls all schema updates and modifications. Changes made at this domain controller are then replicated to the other domain controllers. By default, the first domain controller in the forest holds the Schema master role (forest-wide).

  • Domain Naming master – Controls the addition and removal of domains in the forest. By default, the first domain controller in the forest holds the Domain Naming master role (forest-wide).

  • Infrastructure master – Responsible for updating cross-domain object references (the SIDs and distinguished names of objects that live in other domains). It does so by comparing its data against the Global Catalog data, which is always up to date. This role should not be placed on a global catalog server, unless every domain controller in the domain is also a global catalog.

  • Relative ID (RID) master – The security identifier for an object consists of a domain SID and a relative ID (RID). The RID is unique for each object inside a domain. The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain.

  • PDC Emulator – While migrating from NT4 domains to Windows 2000 domains, this domain controller behaves like an NT4 primary domain controller. It is also responsible for keeping time synchronized across all DCs.

So how does Active Directory confirm the identity of a user requesting access to a resource? How does a client query a server for a particular resource? The answer is through its support for standard interfaces and protocols such as the Domain Name System (DNS), Kerberos, and the Lightweight Directory Access Protocol (LDAP).

FSMO gives you confidence that your domain will be able to perform the primary function of authenticating users and permissions without interruption (with standard caveats, like the network staying up).
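The following PowerShell is an added example, not part of the original post: it lists the holder of each of the five FSMO roles described above and checks the Infrastructure master placement caveat (it should not be a Global Catalog unless every DC in the domain is one). It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the directory.

```powershell
# Added example: enumerate FSMO role holders and verify the
# Infrastructure master / Global Catalog placement rule.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
[PSCustomObject]@{
    SchemaMaster         = $forest.SchemaMaster          # forest-wide
    DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide
    PDCEmulator          = $domain.PDCEmulator           # domain-wide
    RIDMaster            = $domain.RIDMaster             # domain-wide
    InfrastructureMaster = $domain.InfrastructureMaster  # domain-wide
} | Format-List

# Placement check: an Infrastructure master that is also a GC will never see
# stale cross-domain references, so it never updates them. This is harmless
# only when every DC in the domain is a GC.
$dcs      = Get-ADDomainController -Filter * -Server $domain.DNSRoot
$imHolder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$allAreGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

if ($imHolder.IsGlobalCatalog -and -not $allAreGC) {
    $msg = "Infrastructure master {0} is a Global Catalog while other DCs are not; " +
           "cross-domain references will not be updated. Consider moving the role " +
           "with Move-ADDirectoryServerOperationMasterRole." -f $imHolder.HostName
    Write-Warning $msg
} else {
    Write-Output "Infrastructure master placement is fine."
}
```

Run it from an elevated PowerShell session on a management host; the same properties can be queried against another domain in the forest by passing `-Identity` to `Get-ADDomain`.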
