Showing posts with label Microsoft Azure. Show all posts

Wednesday, 18 March 2015

Creating and Configuring a Microsoft Azure Website with a Custom Domain

Microsoft Azure offers a full PaaS (Platform as a Service) for web sites and applications. This should not be confused with Virtual Machines hosted in Azure, running the Internet Information Services (IIS) role to host websites. Microsoft Azure Websites are fully managed instances.
To create a new Azure Website instance you can use the Management Portal or PowerShell from the Azure SDK.
When you create an Azure Website you must specify the region where the instance should be provisioned and give it a globally unique name.
This command lists all the regions available to the subscription.
Get-AzureWebsiteLocation


This command checks whether the proposed name of your website is globally unique across Azure.

Test-AzureName -Website "Website"


The following Azure PowerShell command creates a website instance. The first two lines set the variables that the command uses.
$wsLocation = "West Europe"
$wsName = "MyNewWebsite01316698339"
New-AzureWebsite -Location $wsLocation -Name $wsName



When you return to the Management Portal and click on Websites, you should see the newly created website instance. To configure a Custom Domain you would normally click on Manage Domains, but it may be greyed out for you.

This is because Custom Domains are not supported on the Free Trial website instances, so you must change the Web Hosting Plan Mode to either Basic or Standard. You can do this by clicking on the website and then clicking on Scale. From here, choose one of the options under Web Hosting Plan Mode. Remember to save the configuration using the Save icon.


When you return to the Websites pane and highlight the website, the Manage Domains button should now be highlighted.


Click Manage Domains. This is where you find out which IPv4 address your new website instance is using; in this example it is 104.40.210.25. You need this address when reconfiguring your public DNS.

You must create a couple of DNS records on your public DNS. The first can be an (A) record, which directs clients connecting to your site to the Azure website; this is like a traditional website DNS name mapped to the corresponding hosting IP.
The second is a CNAME record, which Azure uses to verify that you are the rightful owner of the domain you are configuring.
Your external DNS should have records configured as follows:
Domain name (ryanbetts.co.uk, for example) (A) record > 104.40.210.25 (your Azure public IP)
awverify.domain.co.uk (CNAME) record > awverify.websiteinstancename.azurewebsites.net
Once the external DNS records are in place, return to Manage Custom Domains and enter your domain under Domain Names. Azure will look up DNS and verify that the CNAME is in place to authenticate you, and will then associate the external domain with the Azure website.
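
The two records can be checked before the domain is entered under Manage Custom Domains. The following is an added example, not part of the original post: Test-AzureWebsiteDnsRecord is a hypothetical helper, the sample records are constructed, and domain.co.uk and websiteinstancename are the placeholders from the record layout above.

```powershell
# Added example. Test-AzureWebsiteDnsRecord is a hypothetical helper, not an Azure cmdlet.
function Test-AzureWebsiteDnsRecord {
    param(
        [Parameter(Mandatory)] [string]   $Domain,       # custom domain, e.g. domain.co.uk
        [Parameter(Mandatory)] [string]   $WebsiteName,  # Azure website instance name
        [Parameter(Mandatory)] [string]   $AzureIp,      # IPv4 address shown under Manage Domains
        [Parameter(Mandatory)] [object[]] $Records       # objects with Name, Type, IPAddress / NameHost
    )

    # DNS names are case-insensitive and may be returned with a trailing dot.
    $norm = { param($n) ([string]$n).TrimEnd('.').ToLowerInvariant() }

    $apex          = & $norm $Domain
    $verifyName    = & $norm "awverify.$Domain"
    $expectedCname = & $norm "awverify.$WebsiteName.azurewebsites.net"

    $aRecords = @($Records | Where-Object { $_.Type -eq 'A'     -and (& $norm $_.Name) -eq $apex })
    $cnames   = @($Records | Where-Object { $_.Type -eq 'CNAME' -and (& $norm $_.Name) -eq $verifyName })

    # Any A record for the domain that does not point at the Azure IP is reported.
    $stray = @($aRecords | Where-Object { $_.IPAddress -ne $AzureIp } | ForEach-Object { $_.IPAddress })

    [pscustomobject]@{
        Domain        = $apex
        ARecordOk     = ($aRecords.Count -gt 0) -and ($stray.Count -eq 0)
        CnameOk       = ($cnames.Count -eq 1) -and ((& $norm $cnames[0].NameHost) -eq $expectedCname)
        ExpectedCname = $expectedCname
        StrayARecords = $stray
    }
}

# Constructed sample records, shaped like Resolve-DnsName output. The CNAME
# deliberately points at a different website name, so CnameOk comes back False.
$sample = @(
    [pscustomobject]@{ Name = 'domain.co.uk';           Type = 'A';     IPAddress = '104.40.210.25' }
    [pscustomobject]@{ Name = 'awverify.domain.co.uk.'; Type = 'CNAME'; NameHost  = 'awverify.othersite.azurewebsites.net' }
)
Test-AzureWebsiteDnsRecord -Domain 'domain.co.uk' -WebsiteName 'websiteinstancename' `
    -AzureIp '104.40.210.25' -Records $sample

# Live lookup instead of the sample (uses the DnsClient module's Resolve-DnsName):
# $records = @(Resolve-DnsName 'domain.co.uk' -Type A) +
#            @(Resolve-DnsName 'awverify.domain.co.uk' -Type CNAME)
```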

Now if you browse to the website using the external FQDN and the alias, you should see an Azure Web Sites page. As nothing has been uploaded, it will show an Error 404 on screen.

Thursday, 19 February 2015

Azure Active Directory Sync Tool “A constraint violation occurred.” during Active Directory Sync with Office 365

When you try to run the first sync of your on-premise Active Directory to the Office 365 Azure AD instance you are halted by the error “A constraint violation occurred”, and you can either Cancel the sync or Retry. Performing a Retry does not resolve the issue.

As the Azure Active Directory Sync Tool is actually Forefront Identity Manager 2010 under the covers, I thought I would look to see if that was operating correctly. The miisclient.exe is the interface you can use to see and edit the FIM 2010 configurations; it can be found at C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronisation Service\UIShell.

When I tried to launch miisclient.exe the following error appeared: “Unable to connect to the Synchronisation Service”. It was noted this could be related to a service or group membership. As I had seen this issue before with a traditional instance of Forefront Identity Manager, I knew this was because the user account I was using was not a member of the FIMSyncAdmins group.

I opened up ADUC and checked the FIMSyncAdmins group and my user account was in there, so I logged out and then in again and reran the sync job and it worked perfectly.

Thursday, 6 November 2014

Configuring DirSync for Synchronization Between Azure Active Directory and Traditional On-Premise Active Directory

The purpose of the Azure Active Directory DirSync tool is to allow your on-premise users the ability to take advantage of Single Sign On (SSO) when using cloud-based applications in Microsoft Azure. Microsoft Azure Active Directory is different from a traditional Active Directory as it is a service offered by Microsoft.


Do not confuse Azure Active Directory with having Domain Controller VMs running in Azure that are configured to replicate with your on-premise domain. Azure AD is a managed cloud service from Microsoft.
The first step is to download and install the Azure Active Directory DirSync tool from the TechNet website; the following link will take you to the correct place: http://technet.microsoft.com/en-us/library/jj151800.aspx. Please note that the DirSync tool should be installed on a member server within the on-premise Active Directory and not on a Domain Controller.


The installation is straightforward; click Next.

Accept the EULA and click Next.

Choose an installation folder and click Next.

The installation can take up to 10 minutes to complete.

While the DirSync tool is being installed, return to the Azure Management Console, click Active Directory and then double-click the Azure Active Directory you want to configure DirSync for.

Click Users and then Add to create a new user within the Azure Active Directory.

Configure this user with a username and use the arrow button to continue.

Populate the user profile fields with the corresponding information. The important part here is that the Role must be set to Global Administrator; this is required to configure DirSync.

The wizard will output a temporary password that will need to be reset.

Take note of the temporary password, as you will need it to reset the password before the account will work with DirSync.

Go over to the Azure Active Directory login website and use the e-mail address and temporary password to login. 

You will be prompted to reset the temporary password. If you miss this step, the Global Administrator account you configured will not work with the DirSync tool.

The next step is to ensure that Integration with Local Active Directory is activated on the Azure AD instance. You can do this by going to the Properties of the Azure AD and selecting the Directory Integration tab. From here select the Active button and ensure you Save the changes.

Accept the prompt about the impact of enabling activation by clicking the arrow.

The next step is to configure the Azure Active Directory DirSync tool. By default the configuration wizard launches after installation completes on the member server.

Click Next.

Now you must specify the Global Administrator account that was created previously. Click Next to continue.

You will next be prompted for an Active Directory Enterprise Administrator credential set; this is for the on-premise Active Directory. Click Next.

At this stage I have not enabled the Hybrid Deployment; click Next.

Ensure the Password Sync box is ticked and click Next.

The DirSync tool will configure all the required components.


On completion you will be asked if you want to perform the first directory sync. By default the sync runs every 3 hours.

To ensure the DirSync tool is working correctly, return to the Azure Active Directory screen and click on Users. This should now be populated with all the users you currently have in the on-premise domain.