
I have Windows Server 2012 R2 Foundation which I want to be a DC named like office1.mycompany.org for the domain mycompany.org. All users in that domain should be named like username@mycompany.org and use those credentials to access the file server from their workstations in the same LAN as the DC. Joining workstations to the domain is not required.

The server does not have an external IP, but it has outbound internet access. The mycompany.org domain name is registered with AWS, so I can change DNS records as I need.

The next step I'm planning is to make mailboxes for them using Exchange Online (or is it Office 365 now?). The requirement is that they use the same address as their domain logins and the same password.

So I read tons of docs and questions, but I am still totally lost here about where to start and what to connect to what. Should I first create a new domain on my server and then synchronize it? If so, synchronize it to what? As I understand, creating a domain for mailboxes at Office 365 automatically creates a new Azure AD, so should I synchronize the on-premise AD with that directory?

Also I tried to create an Azure AD and then connect the server (while it still was not promoted to DC) to it using Azure AD Connect ('Use an existing service account' - 'Managed service account') using both the custom domain name mycompany.org and mycompany.onmicrosoft.com. Both options failed (cannot resolve LDAP DNS record, as I see it, and I can't find any information on what this SRV record should point to).

Also, my wish (but not a requirement) is to be able to manage users and groups both from the Azure portal and the server GUI.

  • This is a standard configuration and there are lots of documents from Microsoft on how to set up Office 365 and Azure AD Connect. The answer below is a good step by step, albeit far too brief to really understand the system - which is why you need to read the available documentation. You will not be able to manage users and groups solely from on-premise AD without an Azure AD Premium subscription. And even then it will require some scripting to assign licenses, etc. – Appleoddity Sep 04 '17 at 15:48

1 Answer


Here's how I have done it:

  1. Set up on-premise domain
  2. Create Office 365 account
  3. From Office 365 Admin page, provision Azure domain and verify ownership of domain
  4. Add recommended DNS settings to your public DNS.
  5. Create users on your on-premise domain controller
  6. If you use an FQDN like MyDomain.local, add your email domain suffix like MyDomain.com. For each user, change the UPN suffix to MyDomain.com.
  7. Install Azure AD Connect on the on-premise domain controller.
  8. Populate the ProxyAddresses user attribute with primary email address and all aliases. The primary address should be SMTP:User@email.com and all aliases should be smtp:UserAlias@email.com. SMTP capitalized indicates the primary email address.
  9. Force sync using PowerShell (`C:\program files\Microsoft Azure AD Sync> Start-ADSyncSyncCycle`). Not required, but I don't like to wait.
  10. Assign Office 365 licenses to users
  11. Log in to outlook.office365.com with a user account like Test@MyDomain.com and test email
Aaron D
  • Thank you. Turns out it's really much simpler than I thought. Can you explain what part 8 is for? – Wolfrevok Cats Sep 05 '17 at 11:54
  • I can't see where to populate the `ProxyAddresses` attribute. There is no field for that, neither in the "AD Users and Computers" snap-in nor in the `New-ADUser` cmdlet (with which I'm creating users). Is that attribute required if users have only one e-mail address which is the same as their logon name? – Wolfrevok Cats Sep 05 '17 at 22:13
  • Office 365 will automagically use the ProxyAddresses field to determine primary and other email addresses. I like this because you can control everything from Active Directory. To view the attribute for a single user, you need Advanced Features enabled in the View menu. If you use the Import-CSV cmdlet with a CSV file you can import the ProxyAddresses attribute. – Aaron D Sep 07 '17 at 01:23
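The UPN change from step 6 and the `ProxyAddresses` population from step 8 (the CSV approach mentioned in the last comment), as an added example that is not part of the answer or the comments. It assumes the ActiveDirectory module on the DC, that the mycompany.org UPN suffix has already been added in AD Domains and Trusts, and a constructed CSV (embedded inline) with the columns `SamAccountName`, `Primary` and `Aliases`; the `New-ProxyAddressList` function name is mine.

```powershell
# Added example (not the answer's own code). Builds ProxyAddresses so that there is
# exactly one upper-case "SMTP:" primary and lower-case "smtp:" aliases, then sets the
# UPN to the primary address so the on-premise login matches the Office 365 login.
Import-Module ActiveDirectory

# Constructed sample input; in practice this comes from Import-Csv -Path <file>.
$rows = @'
SamAccountName,Primary,Aliases
jdoe,jdoe@mycompany.org,john.doe@mycompany.org;sales@mycompany.org
asmith,asmith@mycompany.org,
'@ | ConvertFrom-Csv

function New-ProxyAddressList {
    param([string]$Primary, [string[]]$Aliases)
    # Loose sanity check on address shape; rejects blanks, spaces and missing '@'.
    $pattern = '^[^@\s]+@[^@\s]+\.[^@\s]+$'
    if ($Primary -notmatch $pattern) { throw "Invalid primary address: $Primary" }
    $list = @("SMTP:$Primary")                       # upper-case SMTP: marks the primary
    foreach ($a in ($Aliases | Where-Object { $_ -and $_.Trim() })) {
        $a = $a.Trim()
        if ($a -notmatch $pattern) { throw "Invalid alias: $a" }
        if ($a -ieq $Primary) { continue }           # never list the primary twice
        $list += "smtp:$a"                           # lower-case smtp: marks an alias
    }
    # Guard: zero or more than one SMTP: entry breaks the primary-address detection.
    if (@($list | Where-Object { $_ -clike 'SMTP:*' }).Count -ne 1) {
        throw "Exactly one SMTP: primary required for $Primary"
    }
    return $list
}

foreach ($row in $rows) {
    $aliases = if ($row.Aliases) { $row.Aliases -split ';' } else { @() }
    $proxy   = New-ProxyAddressList -Primary $row.Primary -Aliases $aliases
    $user    = Get-ADUser -Identity $row.SamAccountName -Properties ProxyAddresses

    # Step 6: UPN with the routable suffix (mycompany.org, not MyDomain.local).
    # Step 8: -Replace overwrites the multi-valued attribute with the validated list.
    Set-ADUser -Identity $user -UserPrincipalName $row.Primary `
               -Replace @{ ProxyAddresses = [string[]]$proxy }
    Write-Host "$($row.SamAccountName): UPN=$($row.Primary) ProxyAddresses=$($proxy -join ',')"
}

# Step 9: push the change to Azure AD without waiting for the scheduled cycle.
# Start-ADSyncSyncCycle -PolicyType Delta
```

Running it a second time is safe because `-Replace` rewrites the attribute rather than appending to it.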