ConfigMgr 2012 / SCCM 2012 SP1 Step by Step Guide Part 22: Mobile Device Management - Domain Registration and User Sync in Intune
Part 22 describes how to add a domain to your Intune registration and then to synchronise your Config Mgr users with Intune.
The process has three sections:
1. Add and verify a domain in Intune (it is assumed that you already have an Intune subscription or trial)
2. Add UPN to your Active Directory and create test user
3. Synchronise Users
1. Add and verify a domain in Intune (it is assumed that you already have an Intune subscription or trial). You can apply for a trial here:
http://www.microsoft.com/en-us/windows/windowsintune/try.aspx
You will be asked to choose a new Intune domain name in the format: MyIntune@onmicrosoft.com
Log into Intune
https://account.manage.microsoft.com
See your default domain. However, this domain cannot be used to integrate with Config Mgr: you must use a domain that your on-premise Config Mgr can recognise. Therefore we need to add a public domain that you can verify you own (e.g. mydomain.com). We will add this domain as an additional UPN suffix in Active Directory in Step 2.
Select "Add a Domain"
Enter the name of your domain
You are presented with instructions to verify that you control this domain name. The easiest way is to create a DNS A record as requested. This record can take up to 24 hours to propagate (normally it is available within a couple of hours).
After a couple of hours log into Intune and select "Click to verify domain"
Too soon: the check fails if the DNS record has not yet propagated
Domain is verified on the second attempt
2. Add UPN to your Active Directory and create test user
Open Active Directory Domains and Trusts.
In the Active Directory Domains and Trusts snap-in, right-click Active Directory Domains and Trusts and click Properties.
Type the alternate UPN suffix to match the domain registered in Intune (e.g. mydomain.com)
We are carrying out a test deployment and do not want to synchronise the entire domain. Therefore we created a test OU and user.
Navigate to the properties of the new user and use the drop-down arrow of the "User logon name" field to change the UPN suffix to mydomain.com
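The same Step 2 changes (UPN suffix, test OU and test user), scripted so they can be repeated and checked. This is an added example and not part of the original guide; it assumes the RSAT ActiveDirectory module is installed, that mydomain.com is the domain verified in Intune, and the OU and account names are placeholders.

```powershell
# Added example (not from the original guide): scripted version of Step 2.
# Assumes the RSAT ActiveDirectory module is available and that the domain
# verified in Intune is mydomain.com (placeholder from the guide).
Import-Module ActiveDirectory

$UpnSuffix  = 'mydomain.com'   # must match the domain verified in Intune
$TestOuName = 'IntuneTest'     # assumed OU name for the pilot
$DomainDn   = (Get-ADDomain).DistinguishedName
$TestOuDn   = "OU=$TestOuName,$DomainDn"

# 1. Register the alternate UPN suffix on the forest (same result as the
#    Active Directory Domains and Trusts > Properties dialog).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $UpnSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $UpnSuffix }
}

# 2. Create a dedicated OU so DirSync can later be scoped to it with the
#    Containers button of the SourceAD management agent, instead of
#    synchronising every account in the domain.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$TestOuName'" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $TestOuName -Path $DomainDn `
                             -ProtectedFromAccidentalDeletion $true
}

# 3. Create the test user with the public UPN suffix. The password is
#    prompted for rather than written into the script.
$sam      = 'intunetest01'   # assumed account name
$password = Read-Host -AsSecureString -Prompt "Initial password for $sam"
New-ADUser -Name 'Intune Test User' `
           -SamAccountName $sam `
           -UserPrincipalName "$sam@$UpnSuffix" `
           -Path $TestOuDn `
           -AccountPassword $password `
           -ChangePasswordAtLogon $true `
           -Enabled $true

# 4. Verify: the UPN shown here is the identity Intune will see after the sync,
#    so it must end in the verified domain, not the internal AD DNS name.
Get-ADUser -Identity $sam -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, DistinguishedName
```

Run it once as a domain administrator before installing DirSync; if the UPN in the final output still shows the internal forest suffix, the account will not match the Intune domain and the sync will not give the expected result.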
3. Synchronise Users
Log into Intune
Click Users and select Set Up Active Directory Synchronisation. Select Activate
Activate
See confirmation that Active Directory synchronisation is activated
Click to download the Directory Synchronisation Tool (DirSync)
Run installation of DirSync as Administrator
Enter your Intune credentials
Enter AD Enterprise Admin credentials
Do NOT select Synchronise now (this will synchronise all user accounts)
Browse to the DirSync folder and launch miisclient.exe as Administrator to open FIM
Select Management Agents and double-click SourceAD
Select "Configure Directory Partitions". Select Alternate Credentials and enter the AD Enterprise Admin account details
Select the Containers button and choose the previously created Intune test OU
Select SourceAD, right-click and select Run
Choose "Full Import Full Sync"
See successful Sync
Three hours later the synchronised user can be seen in Intune. Select the new user and Activate
You can now reset the password
Note that this is a straightforward method to sync users between Config Mgr and Intune. However, it has the disadvantage that two passwords have to be maintained. To implement single sign-on you must deploy Active Directory Federation Services (AD FS).