
Nerdio Fundamentals: Domains

June 08, 2019, Videos

Joseph Landes
In this session, we are going to talk about how Nerdio for Azure handles the topic of domains. This includes things like adding a domain, managed versus federated domains, and public versus internal domains. Enjoy the session.

Joseph Landes
The first thing that we’re going to look at is domains. I know it’s kind of an obscure thing to start with, but it is a concept that comes into play in the users module quite a bit and in all the other modules, like groups and shared mailboxes, so I figured we’d start there. Domains in Nerdio are available through the onboarding module domain screen right here. We’d spend a long time on domain trust, so we’re not going to talk about that at all. What we are going to look at is this section right here that says domains. There is a timestamp at the top, which means it is a cached list. You can refresh it easily from here, and you can add new domains.

Joseph Landes
Here’s how this works. When a Nerdio for Azure environment is provisioned, there is a default domain that starts with the account ID, accountID.nerdio.net, that gets added into the account. This makes it so that, out of the box, the environment can be used. It’s got email addresses. It’s got integration with Office 365, so it’s a fully usable environment. This domain kind of stays there. It’s mandatory. It cannot be removed. It’s analogous to the onmicrosoft.com domain that Office 365 provides you when you sign up.

Joseph Landes
In addition to this domain that’s there by default, whenever NFA is provisioned, when you plug in the credentials for Office 365 on the provisioning screen, you will go into that environment and enumerate all the domains that are there. As long as they are verified, which means that somebody who added that domain has actually confirmed with a DNS record that they own that domain, the domain is also going to be brought into this view. It’s going to be added to DC01, to the nerdio.int Active Directory, as a UPN. That domain can also be used right out of the box.

Joseph Landes
But none of the address objects that will get created by default will have that domain. They will all have the 5009 (or whatever the account ID is).nerdio.net, so that nothing can possibly conflict with any of the existing objects. Okay? That’s how domains come into play when an environment is provisioned. You can also add additional domains. Imagine, you know, your Office 365 environment doesn’t yet have any verified domains. You’re starting out fresh. Now, you want to actually add an email domain and start migrating users’ email or mailboxes, et cetera. What you can do is click the Add Domain button, and you have two types of domains. There is a public domain and an internal domain. The public domain creates a configuration in multiple places. It adds a UPN to Active Directory and it also submits a request to Office 365 for the domain creation record.

Joseph Landes
Let’s go ahead and create a domain called vadim.com. We’re going to make it a public domain, which means it’s going to be the UPN and it’s going to be created in Office 365. Obviously, I don’t own that domain, so Office 365 has to verify that I’m an owner of that domain. What it will do is return a randomly generated DNS TXT record that has to be added to that particular domain that I just added into this view. If I go into DNS and I own that domain, I’ll be able to add this record. Then, I’d be able to click the Done button right here. Click OK. This will go in and try to validate that that record exists. If it does, it will change from “waiting for verification” to “setup complete.” That just means the domain is now fully usable in the environment.

Joseph Landes
Before it’s setup complete, it may be listed on this screen. But it’s sort of in this temporary state where it cannot be used in the app, because it hasn’t been verified yet. Okay. Obviously, what’s going to happen now is, you know, this domain is being added. It’s going to come in with the verification record. I won’t be able to verify it, so I’m going to go ahead and delete it. Then, this domain that I’m verifying right now should fail with a message that says, you know, “We couldn’t find the TXT record,” as would be expected.

Joseph Landes
Okay. Now, the other type of domain that you can add is an internal domain. Let’s say you want to add an internal domain. There aren’t too many use cases for this, but sometimes you just want, you know, another sign-in that’s not dependent on a publicly available domain. We can do something like internal.local. Click Save. This will not do anything in Office 365. This will simply add it as a UPN to the environment. It will become available right away, but it cannot be used as an email address. It can only be used as a username. Then, the next thing that you’ll notice is that each domain that’s a public domain has a status in parentheses next to it. Either it’s managed or it’s federated. Okay?

Joseph Landes
We spoke about this in the past, but the difference between managed and federated is where the authentication happens. For managed domains, the authentication happens in the Microsoft cloud. For federated domains, authentication gets sent back to the ADFS server or whatever the federation provider is. In this case, we have the 5009.nerdio.net, which was created by default when the environment was provisioned. It was created as a federated domain. But the one domain that we pulled in, maybe during provisioning or maybe added later on, the way I’m adding vadim.com right now — assuming it gets validated — will always start out as a managed domain. Let’s see what the user experience looks like.

Joseph Landes
If I go to portal.office.com … Now, I’m already logged in, so let me go into incognito mode. Go to portal.office.com. I log in as, you know, test@5009.nerdio.net. As expected, I’m going to be redirected to the ADFS sign-in screen, right? Okay. Now, the ADFS proxy is probably off, so that’s why I can’t log in. But basically, that would be the expectation. Now, if I go to this domain, test5009.nerdio.net, which is a managed domain, which means authentication happens on … it happens on the Microsoft side … you can see I’m no longer being redirected. I’m being prompted for my password right there. That’s the difference.

Joseph Landes
Now, how can you get from one to the other? We had a whole discussion on what the advantages are and why you would want to use one versus the other, so I’m not going to rehash that. I just want to show you that if you have a managed domain, you can easily convert it to federated by clicking this button right here. You can come in. You can click Convert to Federated. It will take it from managed to federated. Okay. What else can you do? You can obviously delete a domain, like this one I just added. I will not be able to validate it, so I’m going to go ahead and just delete it, which will remove the UPN or anything else that it has done. That’s going to clean things up.

Joseph Landes
You can also set a domain as managed when you click on Set as Managed. What that will do is, when you add a new user or group object, the email address that gets selected by default from the dropdown list of domains will be whatever the default domain is. The default domain is designated with a little star. If I set this as default and click Confirm without checking this box, it’s going to move the star from here to here. This check box allows for a really easy, clean way of reassigning email addresses while retaining the old one.

Joseph Landes
Imagine a company’s name is Adar and its email address is adarIT.com. You decide to change your name to Nerdio. The email address is now getnerdio.com. Both of them are in the system. We decide that we want everybody to have a nerdio.com address, but we don’t want to use the adarIT.com addresses. We could come in here, click on getnerdio.com, Set as Default, and check this box. It would go through all of the objects, add a getnerdio.com email address, and set it as the primary reply-to address. But it would also retain all of the adarIT.com addresses as aliases on those accounts. Okay? That’s what this is for. It’s a one-time thing. You generally don’t check this box for multiple domains. The Confirm button is available even with the box unchecked, so that’s how that works.

Joseph Landes
There is our error message that we expected. We don’t have the CNAME or the TXT record in place, so this domain failed. The validation of the domain failed. Let’s go ahead and delete it. Now, both of these are going to get deleted within a minute. Okay. Remember that little “i” I was telling you about yesterday? You can mouse over it. It will show you exactly what the error message is. You go into Management Logs, Management Tasks. You can see this error, and there is the actual command that generated the error. Here is the more precise wording that this provided.
