Azure File Share and On-Premises Active Directory

Подписаться 750

Просмотров 36 тыс.

50% 1

This tutorial goes over the steps required to create an Azure File Share and connect it to an existing on-premises Active Directory. 😉
You can also connect your Azure File Share to Azure Active Directory as well. 😎
Get the benefits of resilience, backup and recovery along with replacing aging on-prem servers with this cloud service. 🦊
Are you a non-profit needing tech advice on your cloud strategy?
techhelpfornonprofits.org
References:
Get an Azure Account:
azure.microsoft.com/en-us/free/
Azure Storage Account Review
docs.microsoft.com/en-us/azur...
Azure Storage Account Redundancy
docs.microsoft.com/en-us/azur...
Azure Routing vs Internet Routing
docs.microsoft.com/en-us/azur...
Comparison between Azure Storage Tiers
docs.microsoft.com/en-us/azur...
Connecting Azure Storage Account to On-Prem AD
docs.microsoft.com/en-us/azur...
Mount Azure File Share locally
docs.microsoft.com/en-us/azur...

Хобби

Опубликовано:

1 сен 2021

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 71

@myolds_1david952 Год назад

Wow, this is by far the best explanation on the subject. Thank you and keep up the good work.

@rahulsingh-iq4gd Год назад

That’s what I was looking for a long time .. tired of Microsoft documents that always bounce of my head I really appreciate your work bro .. again thank you.

@maksimkovalenko752 2 года назад

Thanks a lot ! Great video with really simple describing of all actions

@liriasawsomeimovies4714 Год назад

How do Microsoft get it so horrendously wrong and send people (me at least) into a downward spiral of deep confusion ..and then you find this ! WOW simply excellent !! really really (& really again) appreciate this proper detailed lead by example video ...

@joyan0001 Год назад

Great video. Exactly what I was looking for. Thanks!

@seeingyou3050 Год назад

Simplest explanation i've seen regarding this topic. Thank you for the great work!

@techhelpfornonprofits Год назад

Thank you

@joeblow5213 2 года назад

This is by far this best video for this process I have watched. You went into some detail that others skipped - thank you so much, this helped me get past some of the road blocks I was running into.

@techhelpfornonprofits 2 года назад

Glad it helped!

@SA-zx8zj Год назад

@@techhelpfornonprofits showed the script was copy-pasted to client's PowerShell to create Z: drive. Is their an easier way? I have 600+ client (most companies have 1000s of employees) and do I need to repeat 600 times?. Thanks.

@techhelpfornonprofits Год назад

@@SA-zx8zj You could do this in a number of ways. If you have Active Directory you could push this out using Group Policy or you could use a third party app like www.fasttrackscript.com/

@jeebsnabil6472 2 года назад

Thank you kindly, this was really helpful and saved me a lot of frustration - particularly when joining the storage account to on premises Active Directory. I don't understand why this published script has commands that don't work but your guide got me through it successfully.

@techhelpfornonprofits 2 года назад

Glad this video helped you!

@pro818 Год назад

This is exactly what i trying to get my IT folks to do for me ...

@ramkey55www 2 года назад

thanks a lot

@msolvedtech 5 месяцев назад

That's great

@aeekhout 2 года назад

Hi, excellent video, thank you, which system operative do you use in the video?

@techhelpfornonprofits 2 года назад

Thank you Alexander. I'm using Windows 10 to access the Azure portal.

@TiteufMela Год назад

Hello, Thank you for this amazing videos. Question : what are the prerequisites needed to migrate azure files precisely, what are privilieges needed in the Local AD and what are privileges needed in Azure in order to create a resource group, storage account, fileshare,...? Thank you

@techhelpfornonprofits Год назад

Thanks Taofik. I would start by looking at roles for storage in AZ. learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

@camundson3 Год назад

Thank you so much for making sense out of Microsoft babble!!!!

@techhelpfornonprofits Год назад

@camundson3 Thanks for the comment.

@aizat27 2 года назад

Good video. I have a couple of questions. Can the access permission be applied to the each folder inside the storage account instead of applying the permission for the whole storage account? Secondly, if the permission is applied at storage account level to a user, and the role is contributor, I suppose the user would be able to modify the storage account? I will be testing these scenarios. Just asking here first, if you happen to know the answers :)

@techhelpfornonprofits 2 года назад

aizat27 - great questions. There is an option to add a directory, but I haven't messed with changing permissions at that level (ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-0ZQVjhp8g4s.html.) As for contributor permissions, yes the user would be able to modify the storage account. Here is the list of RBAC roles and their permissions (docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)

@stephanerobert6541 6 месяцев назад

Did you know if a MFP device can scan with SMB on a Windows Logged has AZURE? Azure seems overwritten all policies and local account created for SMB doesnt work anymore when a user is joint a AZURE account. Did you have a procedure how to configure a MFP device?

@milkminer6006 Год назад

Hey man. I love how you were thorough and detailed with this. I will be using this video to implement a project for a customer. Couple of question though... Does the identites need to synced to azure ad for this to work? Where do you perform the task of the unzipping the azure hybrid module, and running the commands? Is that sopposed to be on the domain controller?

@techhelpfornonprofits Год назад

@milminer6006 thanks for the comment. You will need your local AD to sync to Azure AD to use the azure modules. As long as you're running the commands from a domain joined computer with proper permissions you should be good. No need to run from a DC. (requirements at 11:43 in video)

@milkminer6006 Год назад

@@techhelpfornonprofits Thanks man. I appreciate your response. I didn't have a domain join machine, so I ran it on the DC and got it to work. The storage account now says 'configured' for active directory. My problem is connecting to the file share with a hybrid identity from a windows computer using a point to site VPN. Do you have any content that shows how to do that? MSFT documentations are not very clear.

@techhelpfornonprofits Год назад

@@milkminer6006 your P2S VPN connection should already be using your AD credentials to authenticate. Are you not able to use those creds to access the file share?

@milkminer6006 Год назад

@@techhelpfornonprofits Thanks for your response. No, when I authenticate with the Azure AD hybrid identity and try to map the drive that would've been attached to a private endpoint it doesn't work. I am yet to find a video that does everything right through for the active directory configured approach.

@Marcel-dt5du 3 месяца назад

Awesome, thank you. Would the steps be identical if using a private endpoint to connect to the file share? I guess the AD registration would have be slightly changed, right?

@techhelpfornonprofits 3 месяца назад

@Marcel-dt5du If using a private endpoint you would still need a way to sync your AD to Azure.

@Marcel-dt5du 3 месяца назад

@@techhelpfornonprofits thanks. And what a coincidence, today I was working with our admin getting this done. We are getting network credentials errors when trying to mount the drive. I was thinking that maybe we should use the internal IP instead of the hostname when registering the storage account in the AD? Public connectivity is disabled for that storage account

@techhelpfornonprofits 3 месяца назад

@@Marcel-dt5du That shouldn't make a difference, but who knows. Did it work?

@Marcel-dt5du 3 месяца назад

@@techhelpfornonprofits I can only try again next week. Will post an update to it

@phil8894 10 месяцев назад

This video helped me already alot, thanks! One question: When connecting I am prompted to enter username/password. If I do so, it's working. But it should work without any authentication. Any idea why is that? Thanks!

@techhelpfornonprofits 10 месяцев назад

@phil8894 If you're getting prompted for a username/password that makes me think your Active Directory is not syncing to Azure AD. You'll need to make sure that's working first.

@dpeluzzo 3 месяца назад

Do you need active directory ports open from onpremise to join a storage account to the domain? Thanks!

@techhelpfornonprofits 3 месяца назад

@dpeluzzo it's assumed that you already have active directory syncing to Azure so no you won't need to open ports on active directory server if you have that setup.

@mahavirsaroj4136 2 года назад

what did you mentioned under the domain in the script.. You grayed out most of the line in powershell script

@techhelpfornonprofits 2 года назад

Mahavir - Can you tell me where on the timeline you're referring to?

@HARPzC 2 года назад

Hi there. Just set this up today and it's worked, thanks so much. However I've come across a stumbling block. At 22.41 in the video, I tried adding my account to give full control but get “Failed to Enumerate Objects in the Container” Error Can you advise? All role assignments have been added and I've done exactly what you've done In your video. Thanks 🙂

@itcomputeguru Год назад

Hey Chris, I found same issue on a post. Hope it helps. docs.microsoft.com/en-us/answers/questions/782818/azure-storage-file-access-security-issue-on-ad-joi.html

@techhelpfornonprofits Год назад

How about this docs.microsoft.com/en-us/answers/questions/782818/azure-storage-file-access-security-issue-on-ad-joi.html

@HoundDogZA 2 года назад

The PC you're on has to be domain joined and also signed into the relevant AD account, correct? i.e. you can't just use any PC and map a drive "using different credentials"?

@techhelpfornonprofits 2 года назад

Good question Jonnathan. Your PC/laptop doesn't have to be domain joined, but it does have to be able to talk to the domain controller. Using a domain joined computer does allow for single sign-on. Here is more info about requirements. docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable

@Tonyluo2001 Год назад

Thanks a lot for the video. I followed along and did add the file shares into AD. But I can't find a way to map it through Group Policy Object. Is it possible? We are trying to do it because every department shall be able to see their own folders (from the azure file share) as mapped drives based on the Drive Mapping GPO.

@techhelpfornonprofits Год назад

How about this activedirectorypro.com/map-network-drives-with-group-policy/

@Tonyluo2001 Год назад

@@techhelpfornonprofits Thank you, but what's the syntax for the path to the drive/folder in this case? The link you sent is to deal with a folder inside a local file server. The address of a Azure File Share has a syntax up to the file storage account, like: FileStorageAccountName.file.core.windows.net. And that doesn't point to the file share nor a folder inside a file share.

@kranthikumar1758 Год назад

What is the actual reason for this setup. I think no other service in azure has this kind of ALLOW mechanism. They are simply based on RBAC. Why we cant only set RBAC to the files.

@soukainabaida6916 2 года назад

is this solution available for cloud only method, i mean i wan decomission my on-premises server FileShare

@techhelpfornonprofits 2 года назад

Definitely Soukaina. Just skip the steps after testing from client. azure.microsoft.com/en-us/services/storage/files/#features

@abdalrahmannasser4884 7 месяцев назад

thank you for you video. However, I followed the same exact steps, but i fail when mounting with error "The password is invalid for " the AD Connect sync is working, the Storage account is public. i am using a domain admin account and running PowerShell as admin. Any ideas to fix?

@Glitch-Coder 4 месяца назад

i do facing the same issue, not where was the issue

@RicardoJosue Год назад

How connect with phisical devices out of domain? when i try this i get error 86 network password, can you help me? greetings from mexico

@techhelpfornonprofits Год назад

I don't believe that's possible since it needs AD permissions to allow access to the share in Azure.

@JamesWBurns Год назад

is there anyway you can map the drive using Group Policy? Running the script on hundreds of client machines is not feasible for us

@techhelpfornonprofits Год назад

@JamesWBurns take a look at this post jotelulu.com/en-gb/support/tutorials/deploy-powershell-script-using-gpo/

@JamesWBurns Год назад

@@techhelpfornonprofits thanks

@basa820 Год назад

Hello, is the PowerPoint available for download?

@techhelpfornonprofits Год назад

@BruceSa I didn't create a PowerPoint. If you're talking about the Powershell commands they are here for connecting to Azure learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable and they are autogenerated when you setup the file share for connecting to the share.

@MohammadSameerA Год назад

Where is the part where you use the command Join-AzStorageAccount?

@techhelpfornonprofits Год назад

You mean Join-AzStorageAccountforAuth? ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-0ZQVjhp8g4s.html

@TiteufMela Год назад

hello, thanks for the video, in order to test in my personal lab how could i do the on permis server?

@techhelpfornonprofits Год назад

You can create and active directory test environment using this Github repository github.com/pluralsight/PS-AutoLab-Env

@TiteufMela Год назад

is this solution available for migrating files from on prem to azure file share?

@techhelpfornonprofits Год назад

@@TiteufMela After you've mapped your azure file share locally you should be able to copy any on prem files to that share.

@TiteufMela Год назад

@@techhelpfornonprofits thank you, last question please , to copy the file and folders we should one of solution and if i am using robocopy how can i do that? thare are some consideration to take ? Can put me a link as a demo? thank you so much

@techhelpfornonprofits Год назад

@@TiteufMela Sorry so late in responding. Yes, I would suggest robocopy. There are a ton of posts on syntax. After you copy I would verify the permissions.

@user-ir8wh8mj7h Год назад

Hi I am getting an error at 17.56 when I use Join-AzStorageAccount ` -ResourceGroupName $ResourceGroupName ` -StorageAccountName $StorageAccountName ` -OrganizationalUnitDistinguishedName $OuDistinguishedName ` it throws an error + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException

@user-ir8wh8mj7h Год назад

Assert-IsDomainJoined : The cmdlet, script, or module must be run in a domain-joined environment.