Thanks for your interest in Quest On Demand Group Management, your go-to software as a service solution for tackling group management challenges in a hybrid world. I'm Matthew Vinton, Senior Systems Consultant at Quest, and today I'm going to take you on a short tour of how to connect your on-premises environment to On Demand Group Management.
On Demand Group Management needs to be able to manage both hybrid groups (those are groups that are synchronized from an on-premises Active Directory environment into Azure Active Directory using Azure AD Connect) as well as standalone groups (these are groups that aren't synchronized at all; they may be excluded from the Azure AD Connect scope).
But in order for On Demand Group Management to be able to manage these, we need to set up an on-premises agent. This on-premises agent will exist on a server and will communicate and form the liaison, if you will, between the on-premises Active Directory environment and the Quest On Demand software as a service.
To begin with, the first thing you should do is define a service account. The on-premises agent doesn't run under a service account, but it does use a service account in order to both communicate with on-premises Active Directory, as well as, if required, to communicate with an on-premises Exchange environment.
You can see here that I have an on-premises service account called SVC-ODGM for On Demand Group Management. Now I have gone through the process of doing a least privilege delegation for this account. That is, I know all the groups that I want On Demand Group Management to be able to manage are within this OU structure here. So I use the delegation wizard to allow this account the rights to be able to manage the membership of groups within there.
If you also need to manage hybrid distribution groups or mail-enabled security groups, then you'll need to make certain that this account is also a member of the Recipient Management role in your on-premises Exchange environment.
Once we have this account defined, then our next step is to install the agent. We can find the agent by going to QuestOnDemand.com. And rather than going into Group Management, instead here in the dashboard, we're going to go to Settings, and Agents.
From here, we need to download two things. The first thing we're going to do is download the agent itself. So download a ZIP file and we'll be extracting the agent from there.
And secondly, we need to generate an installation key. This installation key is how the on-premises agent authenticates the Quest On Demand Service. This will generate and download a file that has the extension of OPA key.
One important step (it's a little technical, but some versions of Windows, when you download a ZIP file from the internet, will block the contents of that file): just to double check, right-click on the newly downloaded ZIP file and choose Properties. If you see something here that says "Security: This file came from another computer", choose Unblock and click OK. And now we'll unzip the contents of this file into a new directory where we don't mind the service running from.
Go back to Downloads, and now copy your OPA key file into the same location. Double-click on setup.exe. That's going to ask several questions: yes, we do wish to install the on-premises agent. You can accept the default for the agent name. And now it's going to register the service against the software as a service On Demand platform. In a moment we'll see the agent registered in here. And there's another step that we need to complete.
Now that the agent has registered in On Demand Group Management, we can see it here to the left. Click on the agent. You'll see some information about the kind of server it's coming from and when it last checked in. But the important thing that we need to work on is down a little bit lower.
We scroll down. We need to add the local domain to the domains that the agent is responsible for. Now that the domain has been added, we configure that domain. In here is where we enter information about the service account we created earlier.
If we needed to manage exchange on-premises, which I do not in this environment, we would enter the EWS or Exchange Web Services URL here. And then either use these same credentials, which is what I would probably recommend, or you could use alternate credentials in order to manage the Exchange environment, which is safe.
And now at this point, when the On Demand Group Management service next checks in, it will grab this information and begin to synchronize the on-premises environment into On Demand Group Management to enable the management of hybrid groups, as well as on-premises groups.
Thank you.
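The walkthrough above leans on three prerequisites that are easy to get wrong: the service account's delegation should be limited to group membership on one OU, Exchange management needs Recipient Management membership, and the downloaded ZIP must be unblocked before extraction. The following PowerShell is an added example, not Quest's code or anything from the video; it checks those three points, and `SVC-ODGM`, the OU distinguished name and the ZIP file name are placeholders you would replace with your own values (the ActiveDirectory module is assumed to be installed).

```powershell
# Added example (not from Quest or the video): verify the prerequisites described in the walkthrough.
param(
    [string]$ServiceAccount = 'SVC-ODGM',                                # account name from the video
    [string]$GroupsOU       = 'OU=Groups,DC=example,DC=com',             # placeholder OU
    [string]$ZipPath        = "$env:USERPROFILE\Downloads\OnPremAgent.zip"  # placeholder file name
)
Import-Module ActiveDirectory

# --- 1. Least-privilege check on the delegated OU ---------------------------------------
# "Modify the membership of a group" from the delegation wizard shows up as WriteProperty on
# the 'member' attribute (well-known schema GUID). Any ACE for this account that is not scoped
# to that attribute is broader than the video's intent and worth a second look.
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$acl  = Get-Acl -Path "AD:\$GroupsOU"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$ServiceAccount" }
if (-not $aces) { Write-Warning "$ServiceAccount has no explicit rights on $GroupsOU" }
foreach ($ace in $aces) {
    $scoped = ($ace.ObjectType -eq $memberAttrGuid)
    $label  = if ($scoped) { 'OK   ' } else { 'WIDE ' }
    '{0}{1,-6} {2}' -f $label, $ace.AccessControlType, $ace.ActiveDirectoryRights
}

# --- 2. Exchange role membership (only meaningful in an Exchange Management Shell) ---------
if (Get-Command Get-RoleGroupMember -ErrorAction SilentlyContinue) {
    $members = Get-RoleGroupMember -Identity 'Recipient Management' | Select-Object -ExpandProperty Name
    if ($members -contains $ServiceAccount) { "OK    $ServiceAccount is in Recipient Management" }
    else { Write-Warning "$ServiceAccount is NOT in Recipient Management (needed for mail-enabled groups)" }
} else {
    'SKIP  Exchange cmdlets not loaded; Recipient Management check not run'
}

# --- 3. Mark-of-the-Web on the downloaded agent ZIP -------------------------------------
# The "this file came from another computer" prompt is the Zone.Identifier alternate data stream.
if (Test-Path $ZipPath) {
    if (Get-Item -Path $ZipPath -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        Unblock-File -Path $ZipPath          # same effect as Properties -> Unblock
        "FIXED blocked ZIP unblocked: $ZipPath"
    } else {
        "OK    ZIP was not blocked: $ZipPath"
    }
} else {
    Write-Warning "ZIP not found at $ZipPath"
}
```

Run it as a user who can read the OU's security descriptor; the ACE listing is informational, so review any line marked WIDE rather than assuming it is wrong.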