Meet DirSync's big brother - Microsoft Azure Active Directory Sync Service. The official documentation can be found here
Azure AD Sync is the new synchronization service that will allow customers to do the following:
- Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2010 R2.
- Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal set of user attributes (only 7!)
- Configuring multiple on-premises Exchange organizations to map to a single AAD tenant
You see that AAD Sync is essential when managing multi-forest environments. DirSync can still be used for single-forest. However note that DirSync does not support write-back of passwords from self-service password resets.
Also see FAQ:
Some points of note for AAD Sync:
- Can be installed on a Domain Controller
- Supports SQL Express for all but very large organisations (100,000 objects)
- Uninstalling DirSync and then installing AAD Sync on the same server seems to be troublesome
See here for installing the service:
The following Operating System versions are supported:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
The following components need to be installed:
- .Net 4.5
- PowerShell (PS3 or better is required)
Martyn Coupland has written a good blog about this here
Download AAD Sync from here
Extract and launch the tool.
The Microsoft Azure Active Directory Sync Services installation wizard starts. Agree to the terms and click "Install".
The AAD Sign-In client is installed.
SQL Express is installed.
The Synchronization Service is installed. The tool now restarts and can take a little while to be available again. Don't be alarmed.
Enter your Azure AD credentials (Global Administrator).
The Azure AD Connector is initialized.
Enter your local AD details (in the format domain\username) and select "Add Forest".
See that you can repeat for multiple forests - lovely. Click "Next".
The installer gathers forest/domain schema information.
See the previous links for official documentation to give you guidance here. I chose the defaults which is to use UPNs to match local users with Azure AD. Click "Next".
You can choose optional additional features here. I have chosen "Password Synchronization" and "Password write-back".
See what happens when I choose "Azure AD app and attribute filtering". More configuration items become available.
We can filter by Apps.
We can filter by attributes.
Click "Configure" to continue.
The selected options are configured.
Initial configuration has been completed. Uncheck the "Synchronize now" box (unless you want your entire AD synchronized with Azure). I want to carry out further configuration to select a specific OU.
Sign out of Windows at this stage and log back in.
Locate and launch the Azure AD Sync Synchronization Service.
Open the Connectors tab. See the AD Domain Services connector. Double click to see the properties.
Navigate to "Configure Directory Partition". Select "Containers".
Enter your credentials.
Now you can choose your OUs. Select OK to close the dialog boxes.
Choose "Full Import".
See successful import to Azure. However, this is not immediate and it will take some time for the users to be available in Azure (I am impatient so thankfully there is a way to force the sync).
Previously with DirSync we used "start-onlinecoexistencesync". This has now been replaced in AAD Sync with "DirectorySyncClientCmd.exe".
Navigate to C:\Program Files\Microsoft Azure AD Sync\Bin and launch DirectorySyncClientCmd.exe
Users from my selected OU are available in Azure AD within a few minutes (almost immediately).