You possibly don't want your client computer joined to a domain, nor any messing around with its DNS settings. So here are the three commands you need to run in an elevated command prompt on your client computer.
reg add "HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ClientDns" /v SkipAutoDnsConfig /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery" /v SkipAutoDNSServerDetection /t REG_SZ /d true
reg add "HKLM\SOFTWARE\Microsoft\Windows Server\ClientDeployment" /v SkipDomainJoin /t REG_DWORD /d 1
Simple, you would think, but there are a few more steps than you might first expect to get SSO through Windows Azure Active Directory working.
Next you need to install Active Directory Federation Services. You do this through Server Manager -> Roles on your WSE box. Then go to the flag in Server Manager and select the post-deployment configuration task. Follow the wizard, creating a new managed service account and the KDS root key as instructed.
Install the Windows Azure Active Directory Module. You will also need the Microsoft Online Services Sign-In Assistant for IT Professionals BETA. Install .NET 3.5 through Roles and Features.
In my case I had an already confirmed domain but I needed to convert this to federated for SSO. Use Connect-MsolService with the organizational account for your domain and then Convert-MsolDomainToFederated -DomainName "domain.tld"
In Windows Azure you should confirm that the domain name is now marked as verified and is configured for SSO.
Log off and log back on again – actually I did a restart to install updates.
Then download DirSync and install it on your local WSE.
After running it everything should be in sync. If you change the identities used for the sync then you'll need to run the tool again.
Renaming a domain can break things and generally is unsupported. One reason you may wish to do this is to keep an old domain server around but want to reuse the NetBIOS name when installing a new domain. My requirements were for experimentation and should not be used in production. Proceed at your own risk and it’s possible you will stop functions that rely on AD, user, certificate and computer authentication from working. If you are just trying to make room then all may be well.
1. Check you are working with the right domain controller (in this scenario we assume there is only one).
2. Open DNS Manager and add a New Zone under Forward Lookup Zones. Select Primary and replicate to all DNS servers running on domain controllers in this domain. Enter the new domain name. Then select Dynamic Update, click Allow only secure dynamic updates (recommended for Active Directory) and finish the wizard. You should now see the new domain name listed in DNS Manager.
3. Open a Command Prompt as Administrator and run:
- rendom /list
- notepad Domainlist.xml
- change all occurrences of DNSname to match your new domain – do the same with the NetBiosName for the ForestRoot – then save and close
- rendom /showforest
- rendom /upload
- rendom /prepare
- rendom /execute – and wait to be signed off
4. Log in to the new domain (beware the login will default to the old domain for now, as it was the last one used) and check that all is well in Computer Properties.
5. Open Command Prompt again as Administrator and run (replace the OLD_ and NEW_ placeholders with your domains):
- gpfixup /olddns:<OLD_DOMAIN> /newdns:<NEW_DOMAIN>
- gpfixup /oldnb:<OLD_NETBIOS> /newnb:<NEW_NETBIOS>
- rendom /clean
- rendom /end
6. Rejoin old domain computers to this renamed DC or whatever you were wanting to do before.
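The hand edit of Domainlist.xml in step 3 is the easiest place to slip up (a missed DomainDnsZones entry or a NetBIOS name left on the old value). As an added example, not from the original post or from the rendom tool, here is a PowerShell script that performs that edit and checks its own result. It assumes the <Forest><Domain><DNSname/><NetBiosName/> layout that rendom /list writes, and the old.local / new.local / NEW names are placeholders for your OLD_DOMAIN, NEW_DOMAIN and NEW_NETBIOS.

```powershell
# Added example (not from the original post): rewrite the Domainlist.xml produced by
# "rendom /list" so every DNSname under the old domain points at the new domain and the
# forest root entry receives the new NetBIOS name. Domain names are placeholders.
param(
    [string]$Path       = '.\Domainlist.xml',
    [string]$OldDns     = 'old.local',   # placeholder for <OLD_DOMAIN>
    [string]$NewDns     = 'new.local',   # placeholder for <NEW_DOMAIN>
    [string]$NewNetBios = 'NEW'          # placeholder for <NEW_NETBIOS>
)

# NetBIOS names are limited to 15 characters; catch that before rendom /upload does.
if ($NewNetBios.Length -gt 15) { throw "NetBIOS name '$NewNetBios' exceeds 15 characters." }

# Keep the untouched rendom output so it can be compared against or restored.
Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force

[xml]$doc = Get-Content -LiteralPath $Path -Raw
$renamed = 0
foreach ($domain in @($doc.Forest.Domain)) {
    $dns = [string]$domain.DNSname
    if ($dns -ieq $OldDns) {
        # Forest root: exact match on the old DNS name and the only entry carrying a NetBIOS name.
        $domain.DNSname     = $NewDns
        $domain.NetBiosName = $NewNetBios
        $renamed++
    } elseif ($dns -ilike "*.$OldDns") {
        # Application partitions (DomainDnsZones.<old>, ForestDnsZones.<old>): keep the prefix, swap the suffix.
        $domain.DNSname = $dns.Substring(0, $dns.Length - $OldDns.Length) + $NewDns
        $renamed++
    }
}

if ($renamed -eq 0) { throw "No <DNSname> entries matched '$OldDns'; check the file and the old name." }

# Verification: no entry may still end in the old domain after the rewrite.
$stale = @($doc.Forest.Domain | Where-Object { ([string]$_.DNSname) -ilike "*$OldDns" })
if ($stale.Count -gt 0) { throw "Entries still reference '$OldDns' after rewrite." }

$doc.Save((Resolve-Path -LiteralPath $Path).Path)
Write-Output "Rewrote $renamed domain entries in $Path; review with 'rendom /showforest' before 'rendom /upload'."
```

Run it from the directory where rendom /list wrote Domainlist.xml, then continue with rendom /showforest as in step 3.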