Thursday 19 March 2015

Installing the Azure Active Directory Sync Service (AAD Sync)

EMS Landing page

Meet DirSync's big brother - Microsoft Azure Active Directory Sync Service. The official documentation can be found here

https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx

Azure AD Sync is the new synchronization service that will allow customers to do the following:
  • Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2010 R2.
  • Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
  • Configuring multiple on-premises Exchange organizations to map to a single AAD tenant
A full feature comparison of DirSync and AAD Sync can be found here

https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx



You see that AAD Sync is essential when managing multi-forest environments. DirSync can still be used for single-forest. However note that DirSync does not support write-back of passwords from self-service password resets.

Also see FAQ:


https://msdn.microsoft.com/en-us/library/azure/dn783460.aspx

Some points of note for AAD Sync:
  • Can be installed on a Domain Controller
  • Supports SQL Express for all but very large organisations (100,000 objects)
  • Uninstalling DirSync and then installing AAD Sync on the same server seems to be troublesome

See here for installing the service:

https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx

The following Operating System versions are supported:
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
Your computer can be stand-alone, a member server or a domain controller.
The following components need to be installed:

  • .Net 4.5
  • PowerShell (PS3 or better is required)
This document also provides assistance on the account permissions required to install and maintain the service. For the purposes of demonstration in my lab I will use the Domain Admin account (this is not best practice in production).

Martyn Coupland has written a good blog about this here

http://www.martyncoupland.co.uk/2015/03/permissions-used-in-aadsync.html 


Download AAD Sync from here

http://www.microsoft.com/en-ie/download/details.aspx?id=44225


Extract and launch the tool.


The Microsoft Azure Active Directory Sync Services installation wizard starts. Agree to the terms and click "Install".


 The AAD Sign-In client is installed.


 SQL Express is installed.


 The Synchronization Service is installed. The tool now restarts and can take a little while to be available again. Don't be alarmed.


Enter your Azure AD credentials (Global Administrator).


The Azure AD Connector is initialized.


Enter your local AD details (in the format domain\username) and select "Add Forest".


 See that you can repeat for multiple forests - lovely. Click "Next".


The installer gathers forest/domain schema information.


See the previous links for official documentation to give you guidance here. I chose the defaults which is to use UPNs to match local users with Azure AD. Click "Next". 


You can choose optional additional features here. I have chosen "Password Synchronization" and "Password write-back". 


See what happens when I choose "Azure AD app and attribute filtering". More configuration items become available.


 We can filter by Apps.


 We can filter by attributes.


Click "Configure" to continue.


The selected options are configured.


Initial configuration has been completed. Uncheck the "Synchronize now" box (unless you want your entire AD synchronized with Azure). I want to carry out further configuration to select a specific OU.

Sign out of Windows at this stage and log back in.


Locate and launch the Azure AD Sync Synchronization Service.


Open the Connectors tab. See the AD Domain Services connector. Double click to see the properties.


Navigate to "Configure Directory Partition". Select "Containers".


Enter your credentials.


Now you can choose your OUs. Select OK to close the dialog boxes.


Select Run.


Choose "Full Import".


See successful import to Azure. However, this is not immediate and it will take some time for the users to be available in Azure (I am impatient so thankfully there is a way to force the sync).

Previously with DirSync we used "start-onlinecoexistencesync". This has now been replaced in AAD Sync with "DirectorySyncClientCmd.exe".


 Navigate to C:\Program Files\Microsoft Azure AD Sync\Bin and launch DirectorySyncClientCmd.exe


Users from my selected OU are available in Azure AD within a few minutes (almost immediately).






3 comments:

  1. Nice! Is there any reason to use DirSync instead of AAD Sync? Also there is Azure Active Directory Connect (current version is public preview not meant for production use) that is going to replace DirSync and AAD Sync if I have understood correctly.

    ReplyDelete
    Replies
    1. Thanks. Yes, that's right. Azure AD Connect will be the way to go in the future. Azure Active Directory Connect encompasses functionality that was previously released as DirSync and AAD Sync. These tools will no longer be released individually. Future improvements and the latest functionality will be included in updates to the Azure Active Directory Connect.

      Currently there is one situation where you require DirSync rather than AAD Sync. AAD Sync does not yet support the write-back of devices. See here

      https://msdn.microsoft.com/en-us/library/azure/dn757582.aspx

      Delete
  2. Thanks, Gerry.


    Todd
    https://oddytee.wordpress.com/?s=aadsync

    ReplyDelete