Azure AD Premium Implementation

It has been a while since I last blogged about anything.  Well, you know there is work, life, family, and etc.  The habit of writing about your project experience is the last thing on your mind when you go through above throughout the day, weeks, months, and an entire year in my case.  However, I have been working on Microsoft Cloud based identify management solution called Azure Active Directory Premium and have been tasked to implement this in my company.  It is quite intriguing and fascinating which is leading me to open up my dusty notebook and write up some more about my experience working on implementing this innovative solution.

Incase you don’t know what Azure AD Premium is; it is a part of the Microsoft Enterprise Mobility (EMS).  The Azure AD Premium feature set was developed to support four scenarios: Your directory in the cloud, centrally managed identities and access, monitoring and protect access to cloud applications, and empower end users.  Let’s get into the weeds of what this solution will deliver for us.

OVERVIEW:

Like many other companies out there, we are also exploring the possibilities of getting into the cloud business.  We host majority of our environment on premise but it doesn’t hurt to explore some features of Office 365 Cloud and where better to start then to implement Azure AD Premium.  The three key objects we are trying to accomplish from this are:

• Self-Service Password Reset Portal
• Multi-factor Authentication (MFA)
• Single Sign On (SSO)

Now, no one is talking about moving everything to the cloud, but instead we are building a foundation to move to the cloud in the future and there is indeed an IF and WHEN.  Overall, it will be a Hybrid Azure AD Premium build out and will serve the purpose for both on premise and cloud accounts, access, authentication, and applications.

ARCHITECTURE:

From architecture standpoint, it is VERY important to understand what is the business driven driver here.  You can start off with speaking with the stake holders and obtain their perspective on how they would utilize this solution.  This will help you determine the final architecture of the solution before you present it back to the stake holders and upper management.  In our case,  we will be presenting a hybrid model where both on premise and cloud will be in coexistence with one another.  The architecture would similar to this:

 

Hybrid Environment

 

Final Architecture

 

IMPLEMENTATION:

Since I will not be covering a lot of operational steps such as getting the right licenses in place or identifying pilot users and such, I will mention some of the these steps during implementation stage because we will be needing proper licenses to implement anything related to Premium environment.  See some of the keys stages of implementation:

• Upgrade your existing DirSync (Directory Sync) to Azure AD Connect.  Make sure password write back policy is enabled during the upgrade process
  • https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-dirsync-upgrade-get-started/
• Have your licenses in order in Office 365 portal.  In our case, we purchased EMS (Enterprise Mobility Suite) which will provide us capabilities of Azure AD Premium, MFA, and Rights Management Services for future Exchange Online mailboxes
• Have the designated administrator be part of Global Admin group in Office 365 portal
• Access Azure AD Portal through https://manage.windowsazure.com with your global admin account
• Customize the Azure AD Premium application login page.  See the link for great instruction from MS on how to do it
  • https://azure.microsoft.com/en-us/documentation/articles/active-directory-add-company-branding/
  • One point I would make is that if you have ADFS in your environment and you are federating your primary domain such companyxyz.com with ADFS then you will need to customize your ADFS login page with that of Azure AD Premium customization
• Build Self-Service Password Reset portal
  • Follow this post by Microsoft to get this step accomplished.  it isn’t just turning on the feature but a lot of decision making that needs to go into place before this feature and its subsets are enabled
  • https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords/
• Configure Multi-Factor Authentication
  • MFA is designed to provide that added layer of security for the applications that are moving to the cloud for Single Sign On purpose.  You can utilize MFA to generate a second layer of authentication.  To see the methods of authentications, please read this article
  • https://support.office.com/en-us/article/Plan-for-multi-factor-authentication-for-Office-365-Deployments-043807b2-21db-4d5c-b430-c8a6dee0e6ba
• Azure Single Sign On
  • In my perspective, the thing that I’m most excited about is the implementation of a Single Sign On solution through cloud services
  • Our plan is to migrate our SSO capabilities for various applications from on premise ADFS farm / environment to Azure SSO
  • There is a lot of technical planning that goes behind it but from my experience architecting application move to Azure cloud is that you would want to confirm if your application support SAML 2.0
    • There are two types of initiation when it comes to SAML 2.0 (SP and IDP)
      • In IDP Initiated SSO (Unsolicited Web SSO) the Federation process is initiated by the IDP sending an unsolicited SAML Response to the SP
      • In SP-Initiated, the SP generates an AuthnRequest that is sent to the IDP as the first step in the Federation process and the IDP then responds with a SAML Response
  • https://azure.microsoft.com/en-us/documentation/videos/overview-of-single-sign-on/

CONCLUSION:

In closing, if your company is planning on doing Azure AD Premium Implementation with all of the capabilities I mentioned above, you will really like the results and best part about it is that there is so much more you can integrate with it and explore as Microsoft is always releasing latest and greatest updates to improve their platform.

Advertisement

University Project / Virtualization / SAN Implementation

Welcome back!  I’m hoping that you enjoyed my previous post about the VMware project I did for the SMB.  This new post will be somewhat similar but with the addition of scale computing SAN.

OVERVIEW:

This project belonged to a university in St. Paul, MN.  I was hired to provide consulting and Infrastructure support.  Little that you know, the consulting company working on the project needed my assistance to design the new virtual architecture from legacy system.  After performing initial assessment, and approval from IT steering committee, we started working on the project.  Once again, this project also has a backup and DR part to it which I will not discuss since I had no part in it.  My initial approach would have been Veeam for backup and DR, but they decided to go with an enterprise solution.

This architecture included the cluster consists of following physical devices and the final configuration and will be running VMware vSphere (See the Visio Below):

• (2) Fujitsu RX200S6 – Dual Quad Core 24GB RAM, 2x146GB SAS 15K Drives 6x1GBe NICs, Dual Power Supply
• (2) Cisco 3750 Catalyst switches
• (5) S1 Scale Nodes (1TB each), 4 x 1GBe Connectivity, 4 x 1GBe SAN MGMT Snapshots, Thin Provisioning, Remote Replication
• VMware vSphere Essential Plus with vCenter Plus, and licensing for 3 vSphere 5 Hosts

Illustrated below is the original rack layout. All items are utilizing UPS power redundant power systems and are racked accordingly

ARCHITECTURE:

In this architecture, I used (2) Fujitsu RX200S6 as the primary and secondary host to built the base of the environment.  Since we are dealing with a larger environment than my previous post on SMB client, I made sure that our licensing feature for the Hypervisor provided us with high availability for the virtual machines hence not all my eggs in one basket.  Once the ESXi hosts were up and configured, I implemented the switches and most importantly the SAN infrastructure to allocate the current VM’s and the future growth.  I decided to go with Scale Computing SAN.  I originally suggested Fujitsu SAN but the client already had purchased scale product to accommodate their already existing 2 scale nodes.  I decided to work with what they had instead of purchasing a new product.  We purchased 3 more nodes for future growth.

The LUN’s and Volumes carved out of the SAN were allocated for their current VM structure.  The client was provided proper documentation on allocating more space on their scale device for future purpose including adding more nodes.  They say that a picture is worth a thousand word.  I have my infrastructure Visio’s listed below with step by step process.

VMware vSphere 5 ESXi Host Settings:

 

VMware vSphere 5 ESXi to Switch Configuration:

GRANULAR ENVIRONMENT INFRASTRUCTURE:

CONCLUSION:

In closing, after wrapping up my part of the project, we successfully replaced and converted their older hardware infrastructure consists of 18 physical servers down to 2 physical hosts and 12 guest VM’s.  With the addition of VMware Essentials Plus licensing model, I was able to setup proper high availability (HA), vMotion, and DRS.  We also added refurbished Cisco managed switches, and added 3 more scale nodes.

If you haven’t worked with scale computing and KVM hypervisor, please let me know and I can describe the process in writing.  Feel free to reach out to me with any questions.  In the meantime, I will work on updating the site with more projects that I have worked on.  I have a feeling that maybe it’s time I can go over a backup and DR project.  Maybe in the next post!!

http://www.scalecomputing.com/

Thank you for visiting the site again.

To be continue ……

Small Manufacturing Business / Server / Network Infrastructure Design

OVERVIEW:

Couple of months ago, I was brought in to work on a project for a manufacturing company, that was looking into refreshing their server and network infrastructure including backup & DR.  Upon assessing their environment, I realized that the company is running on legacy based Windows 2000 domain and forest.  Now if you are IT professional yourself, you can imagine that upgrading a non-supported legacy domain can be a tedious and time consuming process and not to forget a Project Management nightmare.  The term Project Milestones can be easily overlooked if the project isn’t assessed and scoped out properly.  The clients current environment consisted of mainly physical infrastructure.  I decided to virtualize the environment with the hybrid approach of building and configuring new Domain Controllers, File Servers, SQL Server, and P2V in-house proprietary legacy applications.

Since I’m a virtualization focused Infrastructure Engineer, my object was to minimize the hardware and maintenance cost for the client by suggesting top of the line VMware virtualization architecture.  I will be using VMware Essentials licensing model since the environment is quite simple and does not require advance features such as vMotion, HA, DRS, and Hot-Add.

This architecture included the following solutions in the final configuration and will be running VMware vSphere (See the Visio Below):

• (1) Dell PowerEdge R720 rack server including: 2 x E5-2630 (Six-core processors), dual power supplies, 8 x 8GB RAM (total 64GB), 4 x 1GB NIC, 2 x 400GB SSD (MCL) HDD, 6 x 300GB 15K RPM SAS HDD, DVD, PERC H710P Integrated RAID Controller, iDRAC7 Enterprise, running ESXi 5.5 U2
• (1) Dell PowerEdge R220 rack server including: Intel Xeon E3-1200 V3 Product Family, single power supplies, 4GB RAM (total 64GB), 2 x 1GB NIC, 2 x 500GB HDD, DVD, PERC H310 Integrated RAID Controller, iDRAC7 Enterprise, running Windows 2012 Standard
• (2) 3Com 3CR17571-91 4500 PWR Gigabit Switch
• (1) NetGear ProSafe Plus JGS524Ev2 – Switch – Unmanaged – 24 X 10/100/100
• (1) Quantum LTO-4 Half Height Model C Drive
• (1) Tripp-Lite Smart-Pro Rackmount AVR 120V USB DB9 SNMP 2URM  UPS
• (1) APC SMC1500-2U Smart-UPS C 1440VA Rackmount 2U with LCD

    ARCHITECTURE:

In this design, I used Dell PowerEdge 720 rack server as the main host server for the environment.  I don’t ever like putting all my eggs in one basket, but it is a smaller environment and a single powerful host can accommodate the need of the business with proper backup and DR solution in place.  I built out the Dell host server with the ESXi 5.5 U2 hypervisor.  Once the hypervisor configuration was finished, I allocated 3 new VM’s for DC, FS, SQL, and CAD server.  The company in-house propriety application is running on a physical server which I decided to not upgrade since it requires their application vendor participation.

The client also invested in a separate server for their onsite tape backup.  I built out the backup server with Backup Exec 2012 and configured it to backup file and CAD server data and not the VM’s.  In order to accommodate the backup of virtual data from physical server into Quantum tape drive, I allocate another vSwitch in my vCenter instance which will pass through the traffic properly between the VM’s and physical server without any latency (See the Visio below).

 CONCLUSION:

 This architecture was built out to refresh the software and hardware infrastructure of the manufacturing company.  It eliminated the baggage hardware, excess equipment, and minimized it to one host server solution with the guests VM’s providing the needs of the business.  All the servers are being managed by a single instance of vSphere client.  The backup solution is providing full and differential backups of their key data which can be accessed not only though the tape drives in case of a disaster, but also through extra storage carved out in the backup server itself for an instant restore.

As much as I would love to explain the software upgrade process from legacy Windows 2000 forest to the latest 2012 R2 forest, I’m keeping this post to a high level description of the infrastructure.  If there are any questions, please feel free to leave the comments.

I will be attending to my site with the latest and greatest project I’m currently in the middle of wrapping up.

To be continued ……