Azure Files SMB Access with Windows AD

76,811 views

Travis Roberts

1 day ago

Comments: 122
@jonathanvasquez8364 4 years ago
Man, I am starting my journey in IT and I just started in July this year with Azure, so I have a lot to learn. I want to thank you and encourage you to keep up this awesome job, because it's very valuable to some of us.
@Ciraltos 4 years ago
Thank you, glad to help!
@aksharderi 4 years ago
My company has just started using Azure and I have gone through some of your videos. I can't thank you enough for making these videos. They are the best, very helpful and very educational.
@Ciraltos 4 years ago
Glad you like them!
@jamesho4219 1 year ago
About 17:09 - Configure NTFS access: what is the purpose of adding role assignments through Access Control (IAM) if you can apply NTFS permissions from a Windows computer?
@fbifido2 1 year ago
Can you do a 2023 version of this video?
@terryseddon8781 1 year ago
Hey, when I do this, I get: Assert-IsNativeAD : The cmdlet is stopped due to the storage account '' having the DirectoryServiceOptions value: 'None'. The DirectoryServiceOptions for the account needs to be 'AD' in order to run the cmdlet. What could be going wrong here?
@johnoutdoorvideos 3 years ago
The net use command at the end fails. It would also help people to know they need to update PowerShell and have .NET 4.7.2 or newer as prerequisites.
@Ciraltos 3 years ago
Thanks for passing that along.
@grandmarkai 4 years ago
Great video Travis, very well done. Your cadence and thoughtful presentations make configuring these services a snap.
@Ciraltos 4 years ago
Glad it was helpful!
@MohammadSameerA 2 years ago
Can you mount a file share to a non-domain computer using Active Directory (not using the access key)? Or at least by entering the file share UNC on the non-domain computer and supplying a username and password?
@michaelbode9744 4 years ago
I'm trying to figure out how to implement this for a client that wants to completely do away with their on-premises AD domain. Absolutely nothing in it is of use anymore except the data. They do not currently use Azure AD DS, just Azure AD (Office 365). ALL laptops are Azure AD domain joined (when they login to the PC, they use their full email address). My goal is to move their files from their server into an Azure File Share and have them map a drive to this File Share using what they currently have in place, a laptop that is Azure AD joined and logging in with their Azure AD account (their email address). Do we have to leave their on-premises AD domain in place? Do I have to implement Azure AD DS too? Again, they have local AD domain, which we just want to throw in the trash. They have Azure AD (Office 365) in place for several years now. They do not have Azure AD DS. Creating the File Share and mapping it as the Super User is really easy. Assigning the proper account that can modify the permissions to that folder, not so much. And to add the ability for a normal user to open any files/add any files in it, even harder.
@Ciraltos 4 years ago
The solution requires Kerberos authentication and the computers need to be domain joined. Based on your description, you may want to consider moving files to SharePoint and OneDrive that support cloud-only accounts instead of a file share.
@martinimpellam 2 years ago
My scenario was a bit different to this one: we already have AD DS set up on VMs in Azure, so we can't have hybrid accounts (neither would we want to, because it would clutter our Azure users up with AD users). The alternate method was to apply share-level access for everyone, which is again done with yet more PowerShell script.
@stephanerobert6541 10 months ago
Do you have a procedure for configuring an MFP device to scan to SMB on an Azure share folder?
@HatanoHaruhiko 3 years ago
This is an excellent walkthrough to get an Azure Storage Account joined to a domain and use it as an SMB file share. Thank you very much.
@Ciraltos 3 years ago
You are welcome!
@anshaaa320 5 months ago
Can you do this if your device is AD registered and not hybrid/AD joined?
@myyutube4me 4 years ago
Great video! Thanks a lot Travis. However, I have followed your steps but finally got stuck when logging in with an AD user and trying to mount the storage as a mapped drive letter. The NET USE command always prompts for the username and password. But in your video I don't see you enter any credentials (minute 22:46). Can you advise on this?
@Ciraltos 4 years ago
Once NTFS permissions are set on the share, it should use the credentials of the logged-on user just as any other SMB share. Be sure to be logged into a domain-joined workstation with connectivity to the DC, and that the user has permissions to the share.
@redesseguridad934 3 years ago
Thanks @Ciraltos. I have the same problem, minute 22:46. When I try to map the share for the on-premises AD users, it doesn't recognize the permissions. In the on-premises AD I have created the groups AZfileReader, AZfileContributor, AZfileElevatedContributor, and in the Azure file share they are added. What else could I validate?
@Beltechsa 3 years ago
Thanks. Do you have a video on what would be the best way to set up a file server on Azure for sensitive information, like a lawyer's office or broker?
@drlorafrancis 2 years ago
Well, can you use Group Policy to map for users instead of NET USE? Can you not add a drive letter and assign the path, similar to how we do regular file shares?
@MattEOKC 3 years ago
This was very helpful, but some things I found making this work after 20 hours:
1) You have to disable Azure AD DS, which means your on-prem users can access the data but your cloud users can't.
2) I had to do this on an on-prem server, not a cloud server.
3) I had to make the user account performing the operation an owner of the entire cloud subscription.
4) I had to use ServiceLogonAccount and not ComputerAccount.
5) I had to use the full distinguished OU name.
6) There is a 15 character limit on the name of your Storage Account.
Bottom line, if you want both on-prem and Azure cloud users to have access to your Storage Account data, this is not the way to do it. I'm told I have to make an Azure File Sync server. So, maybe that will work for you.
@saifahm1 1 year ago
Travis, you are a legend. It can't be explained in any better way.
@estlmachine2021 3 years ago
How can I use the old folder-level security from on-premises AD on the new Azure file share folders?
@RicardoJosue 1 year ago
How do I connect with physical devices outside the domain? When I try this I get error 86, network password. Can you help me? Greetings from Mexico.
@jhonatanhrz 3 years ago
What would happen if I need a service account to connect to that Azure file share?
@Tonyluo2001 2 years ago
Hi, thanks for the video. I'm currently trying to implement Azure File Share as a file server within our on-prem AD. I can successfully mount the share as a network drive like you did in this video, but what we are trying to do is map different folders from the file share as mapped drives automatically through Group Policy Objects, so different departments will see their own 'work drives' mounted on their laptop/workstation automatically. Can you advise what the proper way to do so is? Thanks.
@NeoZod19 3 years ago
Can we sync between a Windows Server workgroup and Azure? Thx
@1981sunilkashyap 4 years ago
I'm trying to configure the file share from scratch. We don't have any on-premises AD; we installed only AD DS in Azure. Travis, can you help me out with this? Please send me a step-by-step guide or video that helps. It would be a very grateful help, as I'm new to Azure.
@Real4D33L 3 years ago
Does the machine have to be joined to a domain? Or can we simply have line of sight to a domain controller? Or neither? We have a mix of Azure AD-only and hybrid Azure AD machines...
@Ciraltos 3 years ago
I haven't tried, but the documentation indicates that it may work if the machine is not domain joined and has line of sight to the DC. docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable#prerequisites
@MuhammadSalman-qr2fg 4 years ago
Thank you for the great video, but I am facing an issue with the join domain command. After I run it, I receive the following error: ensure-kerb key exists : caught exception: an operation is currently performing on this storage account that requires exclusive access. Can you help?
@richardfl 3 years ago
So the only account that requires AD sync is the service account for the replication? Do the end users all have to be AD synced from AD DS to Azure AD?
@Ciraltos 3 years ago
All users accessing the share need to be synchronized. The share-level permissions are granted with an RBAC role through Azure AD.
@marcomav4131 4 years ago
If you have a hybrid setup, can you set up AADDS for a specific domain and use the SMB file share the way you would with a "cloud only" setup, and sort of ignore the fact that you have a hybrid setup? I ask because the users accessing WVD would be AAD-created users, not synced from AD Connect.... Thanks in advance.
@SebGedge 2 years ago
Can this be achieved without Azure AD DS?
@Minerva___ 3 years ago
Great video and thanks for sharing, but one thing that I feel a lot of videos, if not all videos, overlook is mounting this for any user that connects to the VM. How can I have it so the drive is mapped for all users? I don't want to manually mount the drive per user.
@mikeplowden1099 2 years ago
Travis, one thing I don't quite get: consider my on-prem file server. I have a structure of folders to which I granted permissions for many users and groups. Inside one of those folders I create a new folder called "Private", on which I block inheritance and only grant permissions to 3 manager users (for example). How would this work in Azure Files, since the permissions are set on the share in Azure RBAC? Hope this makes sense... :/
@Ciraltos 2 years ago
NTFS-style permissions will work with this solution; I cover it at about 18:44.
@andersjuuljensen9160 4 years ago
Oh my, thanks... I've been looking at Microsoft articles for a looong time, but this made great sense and worked like a charm. Thanks.
@enzo3771 1 year ago
Great video. I have a question for you: can a synchronized user on an Azure AD joined device access an Azure file share?
@lumilipadgaming5455 3 years ago
Hi Travis! I just followed your instructions. One thing I noticed is that the administrator can't set/edit permissions past the 2nd level of folders. Any thoughts on how to fix this?
@ehababumoailish6574 1 year ago
Great video. A question about SMB perms: can I assign perms to an Azure AD user (not synced from on-prem AD DS)?
@Ciraltos 1 year ago
It's possible to set share-level permissions; that's controlled by RBAC roles. NTFS requires the user to get a Kerberos ticket, and that's generated at login to Windows AD or Azure AD DS. As of today, the user account has to be sourced from AD DS.
@ehababumoailish6574 1 year ago
I meant, if I give access to an Azure AD (cloud) user, does he need to be synced with AD DS or hybrid to get Kerberos and be able to access? Is this right? @Ciraltos
@v2g2019 2 months ago
I have multiple domains and my systems are added to Intune. Will this work? I added Azure AD Connect to replicate users.
@Ciraltos 2 months ago
It should. Here is a doc with more information. learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-multiple-forests
@SecurityMadeSimple 3 years ago
This is awesome Travis, thank you so much. Just a quick one: can we have DFS Management pointing to the storage location directly? Or, to use DFS, will we need to use File Server Sync?
@mikewillodea 2 years ago
Thanks Travis. Does this setup work as well for Azure AD connected users who aren't sitting in the VNet?
@belessblind 3 years ago
Travis, is it possible to enable file locks? The behavior I'm seeing is:
Test User 1 with Contributor: opens file, makes edits.
Test User 2 with Contributor: opens file right after Test User 1, also makes edits.
Test User 1: finishes edits, saves file.
Test User 2: finishes editing after Test User 1, saves file.
The modifications from Test User 2 now overwrite any changes Test User 1 made. Is this behavior expected or do I have a configuration issue?
@Ciraltos 3 years ago
Interesting, the link below indicates that file locks are fully supported (second to last bullet point): docs.microsoft.com/en-us/azure/storage/files/storage-files-faq#general
@belessblind 3 years ago
@Ciraltos I thought so too. I've read that article and several others, and it does seem that it's supported, but I'm not seeing it in my environment. I will keep looking and update you if I find anything out. Thanks for replying back!
@Ciraltos 3 years ago
Your issue reminded me of the same problem with Azure File Sync. Not sure if this helps any, but the problem seems similar. feedback.azure.com/forums/217298-storage/suggestions/32091997-global-file-locking-for-azure-file-sync
@belessblind 3 years ago
@Ciraltos We opened a ticket with Microsoft on this and heard back today that file lock is not supported in this scenario, so it's unfortunately a deal breaker. I really thought this would be a basic feature, but it turned out to be one of those things that you assume, get 99% of the way there, and then get burned. Hopefully they are able to implement it soon and we can look at doing this again. I could really see driving a lot more business towards Azure if they can get this right.
@pronabdey2091 4 years ago
Hi, can you tell me: at the server, are files/data kept encrypted at rest?
@pronabdey2091 4 years ago
Can I configure these settings in an intranet domain?
@rafiurrahman4270 4 years ago
Hi Travis, I am getting this error! Please, I need some help to figure it out: System error 5 has occurred. Access is denied.
@Ciraltos 4 years ago
Have you tried the steps in this link? docs.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#error-5-when-you-mount-an-azure-file-share
@TheCdron 3 years ago
Hi Travis, great video. I just have a question. In the part where you run the command $StorageAccount.AzureFilesIdentityBasedAuth.DirectoryServiceOption, the result you get is "AD". When I run it I don't get AD, just empty. I am pretty sure I did everything by the book. Where do I have to look? Best regards, Ron
@TheCdron 3 years ago
Sorry. I copied your command and now the result is AD :) Sorry about that!
@akbarkarimi7562 3 years ago
Travis, that was awesome. How can we map the file share on the clients' workstations via Group Policy?
@lmb25315 2 years ago
Have always loved your videos, my man. First time posting a question here. What is a solution in Azure or Windows to auto-deploy an Azure File Share to Windows VMs as a drive letter? I have tried using the PowerShell connect script to run on startup via GPO but have been unsuccessful. Thanks!
@AhmadAbdi 2 years ago
Thanks Travis. Does the DC need to be on the same Azure VNet, or will it work if left on premises?
@Ciraltos 2 years ago
It will work if the DC is on premises, provided there is connectivity to the VNet over VPN or ExpressRoute.
@AhmadAbdi 2 years ago
Thanks for confirming Travis!
@nidi2234 4 years ago
Hey Travis. How does this work with mounting via P2S VPN?
@miguelmonteiro7898 4 years ago
Hello Travis, I am a beginner in Azure, and I have a big question. I need to enable Azure Files or Storage Sync with AD authentication (on premises), but I need to limit access to the administrators of my domain on premises. Is it possible to do that?
@Ciraltos 4 years ago
Yes, once the share has been set up, give the admin NTFS permissions just as you would on an on-premises file server.
@t3fLoN77 4 years ago
Does it work over AT&T UVerse?
@danielcortez7431 3 years ago
Spectacular video, thank you very much again, Travis.
@Ciraltos 3 years ago
Thanks!
@muggzytp 3 years ago
Great video. Has anyone experienced issues with NTFS permissions? When I set Owner permissions at the top level and enable inheritance, the owner permissions get overwritten each time a user creates a file or folder.
@michaelbode9744 4 years ago
Would you recommend using a file share over an attached VHD? Price is no object. Speed is. So, I guess, which is fastest? Just to delve a tad deeper, would either be good enough for housing a database file that is constantly in use, such as QuickBooks? Or would that type of DB file be better off on the same VHD as the OS on the VM? Great videos, by the way! Mostly interested in Azure.
@TiteufMela 2 years ago
Hi, thank you for this amazing video! And what if I want to decommission my file server after doing these steps? Is it possible? Will the users that access the file server on premises still be able to access the Azure file share?
@TiteufMela 2 years ago
Also, I don't see whether the on-premises permissions are migrated to the Azure file share or not.
@Ciraltos 2 years ago
It would be possible to decom a file server, but it may not work well in some situations. I would suggest using private endpoints to keep access to SMB shares off the internet. That will require ExpressRoute or a VPN. SMB has a history of poor performance over WAN connections; it doesn't do well with latency. My suggestion is to use Azure File Sync to keep a cached copy of the files local to the user.
@TiteufMela 2 years ago
@Ciraltos Do you have any topics talking about Azure File Sync migration?
@sergeserge478 4 years ago
Hello Travis, thank you for the very good video! Should the ServiceLogonAccount 'cirfiletest01' be synchronized with Azure AD? In short, does the service account need a hybrid identity, or Windows AD only? Thank you
@karthikexplorincity 3 years ago
Thank you. Your videos are great. I have been looking for this. Your video explains it very clearly.
@Ciraltos 3 years ago
Glad it was helpful!
@m12652 1 year ago
Great stuff... it would be great if you did a video on setting up Azure for collaboration without anything on-premises. I am currently trying to set up a VPN with AAD, Kerberos and a file share. Despite this being described in the documentation, in a step-by-step guide, as entirely possible (i.e. there is nothing in the prerequisites mentioning a VM or an on-site AD server etc.), Microsoft have been unable to deliver. So far I've been told it's possible, not possible, only possible if I use AADDS (that didn't work)... one "lead tech" told me the solution was to get all users connected with the admin connection, not recommended by Microsoft; another told me I had to set up on-site AD; another that we'd all need virtual machines (again, no mention of VMs in the prerequisites)... it's a nightmare, lol, the story changes every day. A well-produced independent video on setting up Azure for collaboration between associates, nothing on premises, simple VPN, no public access, VMs etc., and a properly manageable file share (i.e. full permissions functionality) would be brilliant.
@Ciraltos 1 year ago
It sounds like you want a modern Azure AD only deployment but want to keep some legacy technologies in the mix. Azure AD doesn't fully support Kerberos, it supports web authentication protocols such as OAuth, SAML and OpenID. If you want cloud only, use cloud only (modern auth) services. Give up the VPN and move files into OneDrive and SharePoint. If you need to use SMB with NTFS permissions and Azure AD joined VMs, the only way that will work (today) is by sourcing the users from Windows AD and replicating them to Azure AD. Azure AD can create Kerberos tickets, but setting up the file share requires line of sight to Windows AD. Users have to be sourced from Windows AD. learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#azure-ad-kerberos-for-hybrid-identities
@m12652 1 year ago
@Ciraltos thanks Travis... OneDrive is too slow and nobody wants SharePoint (thankfully 😉). All we need is some way to add users, a share we can control access to and assign permissions on, and most importantly one we can mount on any machine connected to the VPN (or whatever). It doesn't matter if it's Kerberos etc., that's just what I found in some documentation. We need low latency and security etc. Great videos by the way, love the no-nonsense approach 👍
@wowchannel01 4 years ago
Can we use this feature for non-federated domains?
@Ciraltos 4 years ago
The example I used was not federated. I used Password Hash Synchronization, and Pass-through Authentication will work as well.
@wowchannel01 4 years ago
@Ciraltos thanks a lot
@JohnQ85 4 years ago
@Ciraltos what if we use Okta for O365?
@Southpaw07 4 years ago
Cool stuff, but do NTFS-style permissions require an on-premises Windows DC in Azure?
@Ciraltos 4 years ago
No, a DC is not needed in Azure, but there does need to be connectivity to the DC from the VNet. That includes AD sites and DNS.
@michaelbode9744 4 years ago
@Ciraltos Do you have a video on VNets, with maybe a brief on AD Sites and DNS?
@TS-xr4eu 3 years ago
Awesome video Travis! This was super clear and straightforward and worked. This is helping me build out my test environment before I go live later this year! A++++
@Ciraltos 3 years ago
Glad it helped!
@lucianosma 4 years ago
Thank you very much. You saved me. Good job!!
@Ciraltos 4 years ago
Glad I could help!
@mixdupjoe 4 years ago
So, does this actually require your AD account to be synced to AAD? Suppose I have two AD domains with no trust relationship between them. Domain A is replicated to AAD, and is the AAD I use to log into the Azure portal. Domain B is running solely on VMs inside the Azure environment. Could I run this command on a VM in Domain B, logged into that VM as a domain admin of Domain B, but when I run Connect-AzAccount, log in with my global administrator for Domain A in AAD? Would that get everything connected appropriately? And a second question: how does the storage account talk to the domain controllers? You don't set a VNet for a storage account; is there some proxying going on via the machine you ran this command on?
@Ciraltos 4 years ago
The accounts used to connect do need to be replicated to Azure AD, and a trust relationship has to be set up if you are using multiple domains. The notes section of this article outlines the requirements. docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable
@mixdupjoe 4 years ago
@Ciraltos Ah, that's unfortunate. We use a separate domain in our Azure VMs for a bit of separation in our hosting environment (we provide some legacy software in a SaaS sales model) from our corporate accounts. This was so close to what we needed.
@Jmstr-p6h 2 years ago
Thx, great video!
@pedro9485 4 years ago
Amazing video, many thanks for sharing!
@Ciraltos 4 years ago
Many thanks!
@RaphA.OliveR 4 years ago
Thank you so much!!! That video helped a lot =)
@Ciraltos 4 years ago
Glad to hear that!
@archielaffan1249 3 years ago
Hi, I get the following at Join-AzStorage... Note I am using an on-prem DC linked to Azure via a S2S. No DC in the cloud yet.

PS C:\temp\AzFilesHybrid> Join-AzStorageAccountForAuth `
-ResourceGroupName $ResourceGroupName `
-Name $StorageAccountName `
-DomainAccountType "ServiceLogonAccount" `
-OrganizationalUnitDistinguishedName "OU=AzureFileShare,DC=****,DC=local"
WARNING: Parameter -DomainAccountType is 'ServiceLogonAccount', which will not be supported AES256 encryption for Kerberos tickets.
Get-AzResourceGroup : 17:08:27 - Provided resource group does not exist.
At C:\Users\administrator.****\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.3.0\AzFilesHybrid.psm1:2060 char:32
+ ... $resourceGroupObject = Get-AzResourceGroup -Name $ResourceGroupName
@archielaffan1249 3 years ago
Is it possibly a DNS issue in resolving the name?
@christianibiri 3 years ago
Great Video!
@Ciraltos 3 years ago
Thanks!
@rinku-blogadmin 1 year ago
Amazing
@ioannispapaioannou2778 4 years ago
Great video Travis. Thank you!!!!!!!! Maybe you or someone else can advise me on an error I get when I try to join one of my storage accounts to AD DS. The objective is to have storage accounts in a WVD environment that I am creating and be able to apply Group Policies to those users from my DC.
- My environment is in Azure.
- I have a VM and it is my DC as well.
- I run AD Connect on that VM and all the users are synced with my Azure Active Directory except the built-in user, which is an admin and is the same user (Administrator) that I had to create when I created that VM. So what I did is I created that user in my Azure AD manually, BUT it is not synced.

So, when I ran the script to join the storage account to the AD DS, everything went fine with only one failed check. Here is what I get:

Name Result
---- ------
CheckADObjectPasswordIsCorrect Passed
CheckADObject Passed
CheckDomainJoined Passed
CheckPort445Connectivity Passed
CheckSidHasAadUser Failed
CheckGetKerberosTicket Passed
CheckStorageAccountDomainJoined Passed
Skipped

Issues found:
---- CheckSidHasAadUser ----
No Azure Active Directory user exists with OnPremisesSecurityIdentifier of the currently logged on user's SID (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx). This means that the AD user object has not synced to the AAD corresponding to the storage account. Mounting to Azure Files using Active Directory authentication is not supported for AD users who have not been synced to AAD.

However, the storage account got connected to my VM domain controller and I see the storage account name as a computer under the OU, but I know that there is an issue. I also understand that the user that ran the script must be fully in sync with the DC. So, I created another user on my VM and I gave him admin rights, and that user was synced with my Azure AD.

I went ahead and ran the same script again under that new admin user account and I got this error now. Worse than before. Here it is:

Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
xxxxxx@yyyyyyyy.com Microsoft Azure xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx AzureCloud

Name : Microsoft Partner Network (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) - xxxxxxxxxxxxxxxxxxxxxxxxxxxx - xxxxxx@yyyyyyyy.com
Account : xxxxxx@yyyyyyyy.com
Environment : AzureCloud
Subscription : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Tenant : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TokenCache : Microsoft.Azure.Commands.Common.Authentication.Core.ProtectedFileTokenCache
VersionProfile :
ExtendedProperties : {}

New-ADAccountForStorageAccount : Unable to create AD object. Please check that you have permission to create an identity of type ComputerAccount in Active Directory location path 'OU=VASILIOSB,OU=CLIENTS,DC=AZUREWVD,DC=LOCAL' for the storage account 'vasiliossa'
At C:\Users\portaladmin\Documents\WindowsPowerShell\Modules\AzFilesHybrid\0.2.2.0\AzFilesHybrid.psm1:4266 char:37
+ ... eOverride = New-ADAccountForStorageAccount @newParams -ErrorAction St ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,New-ADAccountForStorageAccount
PS C:\Users\portaladmin\Desktop>

I will appreciate any help. Thank you, Ioannis
@Ciraltos 4 years ago
Hello, the account used to run the script has to be sourced from Windows AD and synchronized to Azure AD. Thanks
@eugenelipsky2660 3 years ago
Hi @Ciraltos, I'm running into the same issue with an on-prem AD account that is synced via AD Connect to AAD and then from there to AADDS. The password has been reset on the account and synced through, and I'm able to log in to AADDS-joined VMs via this account. The VM where I'm trying to join the storage account to AADDS from is AADDS-bound. Is using AADDS in this scenario not supported? Is the only option to join the storage account to AD DS?
@snehkataria4490 4 years ago
Hello, thanks for this video. I want to connect to an SMB file share with the access key using an API; is that possible? I have used the docs.microsoft.com/en-us/rest/api/storageservices/get-file API for getting files and folders on my SMB file share. I have done this using a shared access signature, but I want to do this using the access key. How can I call the API using the access key?
@James-sc1lz 3 years ago
Thanks Travis. Your t-shirt is far too big for you, mate.
@Ciraltos 3 years ago
Ha! I bought that during the homemade bread phase of the quarantine.