It’s been about six months since “Azure AD Sync” (often called “AADSync”) was made generally available with the intended purpose of replacing the previous DirSync tool. In addition to an overhaul under the hood, AADSync brought with it new features such as support for multiple Active Directory forests.
If you’re configuring Directory Synchronization for the first time, it is recommended to use AADSync instead of DirSync. If you have an existing DirSync environment, you might find that AADSync fills some requirements that DirSync does not.
Below are 10 quick little tidbits you might not have known about Azure AD Sync.
What’s in a Name?
Aside from “Azure AD Sync / AADSync” being a tongue-twister for consultants, I’ve found that it’s not uncommon for there to be confusion about what AADSync is. While it has “Azure” in the name, it’s still a locally installed product running on a server in your environment. It’s not a cloud service; it’s an updated version of the DirSync product you’re probably familiar with. Yes, that server could technically be running in Azure IaaS, but now we’re just playing word games.
Upgrading from DirSync / FIM
Running DirSync or FIM with the Office 365 MA today? There is a migration process for you, although it’s basically just installing the new AADSync product and disabling the old sync product. You can technically install them on the same server, but given it’s probably on a virtual server, I prefer to install side-by-side on another virtual machine. If you’re feeling really cautious, create a new service account in the tenant and disable the old one at the time of cutover. Microsoft has a little guidance on the migration process: Moving from DirSync or FIM to Azure Active Directory Sync
Forcing a Synchronization
If you’ve been running DirSync for any length of time, your fingers are well trained at typing the command “Start-OnlineCoexistenceSync”. In some odd decision that seems to be a step backwards, you force a sync in AADSync using a command-line utility and not PowerShell. Yes, a command-line utility.
To force a sync, navigate to “C:\Program Files\Microsoft Azure AD Sync\Bin” and run:
“DirectorySyncClientCmd.exe delta” for a delta sync and…
“DirectorySyncClientCmd.exe initial” for a full sync
Not sure of the logic here, hopefully this is changed at some point and this is moved back into PowerShell.
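Since you end up calling the utility from PowerShell anyway, here is a small wrapper, added as an example and not part of the original post or of the AADSync product, that validates the sync type, checks the install path from the post, and returns the exit code as an object you can log. It assumes the default install path and that the utility returns a zero exit code on success (an assumption; check it in your environment).

```powershell
# Added example (not from the original post): wraps DirectorySyncClientCmd.exe so the
# sync type is validated and the exit code is surfaced instead of being lost in the console.
function Start-AADSyncCycle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('delta', 'initial')]
        [string]$SyncType,

        # Default install path from the post; override if AADSync lives elsewhere.
        [string]$BinPath = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
    )

    $exe = Join-Path $BinPath 'DirectorySyncClientCmd.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "DirectorySyncClientCmd.exe not found at '$exe'. Check the AADSync install path."
    }

    # An 'initial' run re-imports everything; warn so nobody kicks it off by accident
    # against a large directory when a delta was all that was needed.
    if ($SyncType -eq 'initial') {
        Write-Warning 'Running a full (initial) sync; on a large directory this can take a long time.'
    }

    Write-Verbose "Running: $exe $SyncType"
    $started = Get-Date
    & $exe $SyncType
    $exitCode = $LASTEXITCODE

    # Assumption: a zero exit code means the run was accepted; non-zero is surfaced for the caller.
    [pscustomobject]@{
        SyncType  = $SyncType
        Started   = $started
        Duration  = (Get-Date) - $started
        ExitCode  = $exitCode
        Succeeded = ($exitCode -eq 0)
    }
}

# Usage: a delta sync, returning an object you can pipe to a log or check in a script.
# Start-AADSyncCycle -SyncType delta -Verbose
```

Returning an object rather than relying on console output makes it easy to drop the call into a scheduled job and alert on a non-zero exit code, which is where most “the sync silently didn’t run” tickets come from.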
Undocumented PowerShell Module
Despite the requirement to use the command-line to force a sync, there is in fact a PowerShell module for AADSync; the name of the module is “ADSync” (yes, one “A”). There appear to be 61 commands in the module; unfortunately, there is almost no documentation on the syntax. You can gain insight into the syntax for some of the commands by exporting your sync rules when configuring filtering.
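With no help topics to read, the next best thing is to have PowerShell itself tell you what the module exposes. The following is an added example, not from the original post or from Microsoft, that imports the ADSync module, writes the parameter syntax of every command to a text file, and returns the commands grouped by verb so you can separate the read-only Get-* commands from the ones that change state. It assumes the module is importable on the sync server and that the output path is writable.

```powershell
# Added example (not from the original post): build a syntax reference for the undocumented ADSync module.
function Export-ADSyncCommandReference {
    [CmdletBinding()]
    param(
        # Where to write the syntax dump; defaults to the user's temp folder.
        [string]$OutFile = (Join-Path $env:TEMP 'ADSync-commands.txt')
    )

    # Fails loudly if the module is not present (e.g. you are not on the AADSync server).
    Import-Module ADSync -ErrorAction Stop

    $commands = Get-Command -Module ADSync | Sort-Object Name
    Write-Verbose ("Found {0} commands in the ADSync module" -f $commands.Count)

    $lines = foreach ($cmd in $commands) {
        # Get-Command -Syntax prints the parameter sets even when no help topic exists,
        # which is all you have to work with for an undocumented module.
        $syntax = (Get-Command $cmd.Name -Syntax) -join [Environment]::NewLine
        '== {0} ({1}) ==' -f $cmd.Name, $cmd.CommandType
        $syntax
        ''
    }

    $lines | Set-Content -LiteralPath $OutFile -Encoding UTF8
    Write-Verbose "Syntax reference written to $OutFile"

    # Group by verb so the read-only commands (Get-*) stand apart from Set-/Add-/Remove-* style ones.
    $commands | Group-Object Verb | Sort-Object Name |
        Select-Object @{ n = 'Verb'; e = { $_.Name } },
                      Count,
                      @{ n = 'Commands'; e = { $_.Group.Name -join ', ' } }
}

# Usage:
# Export-ADSyncCommandReference -Verbose | Format-Table -AutoSize
```

Reading the syntax file alongside an exported sync rule is usually enough to work out what a given command expects, and knowing which verbs exist tells you which commands are safe to run on a production sync server just to look.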
Forcing a Password Sync
Like DirSync, the Password Sync process happens out-of-band from the general sync process. While the article “How to Use PowerShell to Trigger a Full Password Sync in Azure AD Sync” sounds encouraging, you’re currently presented with these detailed instructions:
You can sync password by using the PowerShell module and these instructions: How to Use PowerShell to Trigger a Full Password Sync in Azure AD Sync
Sync Rules Editor
Hidden in “C:\Program Files\Microsoft Azure AD Sync\UIShell” is “SyncRulesEditor.exe”, which allows you to customize the synchronization rules. The interface is a bit “Resource Kit like”, but it’s very powerful and mandatory in any type of complex multi-forest environment.
When to Use Full SQL
With DirSync, the guidance was always to use SQL when you had more than 50,000 objects in your Active Directory. With AADSync, this number is now 100,000 objects, although that is an estimate; the true limitation is the 10 GB database size limit of the embedded SQL Server Express. SQL Server 2008 through SQL Server 2014 are supported if you exceed the object limit.
Skipping the Initial Sync
Almost never do I select the option to kick off a sync during the initial configuration. I usually want to work on creating some filters and such to test out the process before I’m creating thousands and thousands of objects. If you skip the initial sync, you should be aware that the scheduled sync process (running as a task in the Windows Task Scheduler) will be disabled. So if you want the 3-hour scheduled sync to occur, you’ll need to go enable the task called “Azure AD Sync Scheduler”.
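Forgetting that task is an easy way to end up with a directory that quietly stops syncing, so it is worth checking it from a script rather than clicking through Task Scheduler. This is an added example, not part of the original post, that reports the task’s state and enables it if it is disabled, using the ScheduledTasks cmdlets where they exist (Windows Server 2012 and later) and falling back to schtasks.exe on older servers. The task name comes from the post; the CSV column names used in the fallback are as schtasks.exe emits them on the systems I have used, and are an assumption for yours.

```powershell
# Added example (not from the original post): check and enable the AADSync scheduler task
# that is left disabled when you skip the initial sync during setup.
function Enable-AADSyncSchedulerTask {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Task name as created by the AADSync installer (from the post).
        [string]$TaskName = 'Azure AD Sync Scheduler'
    )

    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        # Windows Server 2012+ path: ScheduledTasks module.
        $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
        if (-not $task) { throw "Scheduled task '$TaskName' was not found on this server." }

        Write-Verbose ("Task '{0}' is currently {1}" -f $TaskName, $task.State)
        if ($task.State -eq 'Disabled' -and $PSCmdlet.ShouldProcess($TaskName, 'Enable scheduled task')) {
            Enable-ScheduledTask -TaskName $TaskName | Out-Null
        }

        $task = Get-ScheduledTask -TaskName $TaskName
        $info = $task | Get-ScheduledTaskInfo
        return [pscustomobject]@{
            TaskName    = $TaskName
            State       = $task.State
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
        }
    }

    # Fallback for servers without the ScheduledTasks module: query schtasks.exe as CSV.
    # Assumption: the verbose CSV output includes the 'Scheduled Task State', 'Last Run Time'
    # and 'Next Run Time' columns.
    $row = schtasks.exe /Query /TN $TaskName /FO CSV /V | ConvertFrom-Csv | Select-Object -First 1
    if (-not $row) { throw "Scheduled task '$TaskName' was not found on this server." }

    Write-Verbose ("Task '{0}' is currently {1}" -f $TaskName, $row.'Scheduled Task State')
    if ($row.'Scheduled Task State' -eq 'Disabled' -and $PSCmdlet.ShouldProcess($TaskName, 'Enable scheduled task')) {
        schtasks.exe /Change /TN $TaskName /ENABLE | Out-Null
        $row = schtasks.exe /Query /TN $TaskName /FO CSV /V | ConvertFrom-Csv | Select-Object -First 1
    }

    [pscustomobject]@{
        TaskName    = $TaskName
        State       = $row.'Scheduled Task State'
        LastRunTime = $row.'Last Run Time'
        NextRunTime = $row.'Next Run Time'
    }
}

# Usage: see what would happen first, then do it.
# Enable-AADSyncSchedulerTask -WhatIf
# Enable-AADSyncSchedulerTask -Verbose
```

Because the function supports -WhatIf, you can run it as a read-only health check across your sync servers and only enable the task once you have finished building and testing your filters.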
Service Account Permissions
If you install AADSync with the intention of using “Password Sync”, “Password Writeback” or “Exchange Hybrid”, you should be aware that the necessary permissions are not assigned in Active Directory. Those permissions are called out in the installation instructions: Install the AADSync Service.
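Once you have granted whatever the installation instructions call for, it helps to be able to see exactly what the service account holds, both to confirm the feature will work and to make sure it did not pick up more than it needs. The following is an added example, not from the original post, that lists the access control entries granted to a given account on the domain root (the naming context head, which is where directory-wide rights such as the replication rights used by password sync are typically granted) and resolves extended-right GUIDs to their display names. It assumes the ActiveDirectory module is available and uses a placeholder account name.

```powershell
# Added example (not from the original post): audit the ACEs a service account holds on the domain root.
function Get-AADSyncAccountRights {
    [CmdletBinding()]
    param(
        # Placeholder; use your own sync service account in DOMAIN\name form.
        [Parameter(Mandatory)]
        [string]$AccountName,

        # Domain to inspect; defaults to the domain of the machine running the script.
        [string]$Domain
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $adDomain = if ($Domain) { Get-ADDomain -Identity $Domain } else { Get-ADDomain }
    $domainDN = $adDomain.DistinguishedName

    # Build a GUID -> name map for extended rights from the configuration partition,
    # so ObjectType GUIDs in the ACL become readable names.
    $configNC = (Get-ADRootDSE).ConfigurationNamingContext
    $rightsMap = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties rightsGuid, displayName |
        ForEach-Object { $rightsMap[[string]$_.rightsGuid] = $_.displayName }

    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$domainDN"

    $acl.Access |
        Where-Object { $_.IdentityReference.Value -ieq $AccountName } |
        ForEach-Object {
            $guid = [string]$_.ObjectType
            $rightName = if ($guid -eq '00000000-0000-0000-0000-000000000000') { '(all)' }
                         elseif ($rightsMap.ContainsKey($guid)) { $rightsMap[$guid] }
                         else { $guid }   # attribute/class GUID, not an extended right
            [pscustomobject]@{
                Account       = $_.IdentityReference.Value
                Type          = $_.AccessControlType
                Rights        = $_.ActiveDirectoryRights
                ObjectType    = $rightName
                Inherited     = $_.IsInherited
                AppliesTo     = $_.InheritanceType
            }
        }
}

# Usage (placeholder account name):
# Get-AADSyncAccountRights -AccountName 'CONTOSO\svc-aadsync' | Format-Table -AutoSize
```

Run it before and after following the install guidance and diff the output; anything granted beyond what the feature you enabled requires is a candidate for removal, and an empty result on the domain root is a quick explanation for a password sync that never starts.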
Azure Active Directory Connect
…and after all this, Microsoft has a new tool coming for Directory Synchronization. I see it as more of a wizard of sorts, but the idea is to make installing AADSync and AD FS easier for organizations to deploy. The plan appears to be for the new tool, “Azure AD Connect”, to actually replace AADSync, although I suspect AADSync is just bundled in the install. I’m not really excited about this product just yet; what we have today seems to work. Trying to use a wizard-based application to remotely install AD FS on servers via WinRM (including machines in a DMZ) seems like we’re trying to make it too simplified and ultimately less flexible. I envision spending more time troubleshooting WinRM and firewall rules than it would normally take me to deploy an AD FS farm. Time will tell; this product is currently in preview with release expected later this year.
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.