Updated on 28 August 2015
IMPORTANT: AAD Connect has replaced AADSync and DirSync. Reference: Azure Active Directory Sync
NOTE: On 16 April 2015, the latest version of AADSync was released and is available to download here.
NOTE: The server specs listed below are well below what AADSync will need to run efficiently in a production environment, but they are sufficient for a lab deployment.
Before proceeding with the installation of Azure Active Directory Synchronization Services (AADSync), review the requirements. I also ensured that Active Directory synchronization was enabled in Office 365, as well as created a second global admin in Office 365 and a domain user in AD (with no other assigned group memberships) that will be used for AADSync to read the Active Directory (AD) schema.
In my lab, I will be installing AADSync in an environment and on a server with the following specs…
- Office 365 E3 Trial Subscription
- AADSyncAdmin (Office 365 Global Admin)
- Domains Added: (e.g. d5.com)
- Windows 2012 R2 Domain
- No forest trusts
- Single forest, single domain
- Internal domain name of d5.local
- Routable UPN suffix (e.g. d5.com)
- AADSyncAdmin (domain user)
- Windows 2012 R2 Standard server (virtual machine)
- Domain-joined server
- 1536 MB of memory
- 60 GB of disk space
Installation and Configuration
NOTE: For this post, we will be performing a basic installation and configuration of AADSync that includes a configuration for Exchange Hybrid and password synchronization. I will not be enabling password write-back as I am not an Azure AD Premium customer.
First, log in to the server on which we will be installing AADSync as a user with local administrator privileges. Either the domain administrator or the AADSyncAdmin domain account we created should be sufficient.
Second, we will download Microsoft Azure Active Directory Sync Services (AADSync). The current version of AADSync is 1.0.0475.1202 (dated 16 December 2014). The name of the file is MicrosoftAzureADConnectionTool.exe with a size of 49.5 MB.
Third, double-click MicrosoftAzureADConnectionTool.exe to begin the installation.
- At the Welcome screen, agree to the license terms and click Install. After clicking install, the following are installed…
- Forefront Identity Manager Windows Azure Active Directory Connector
- Microsoft Azure AD Sync
- Microsoft Online Services Sign-in Assistant
- Microsoft SQL Server 2012 Command Line Utilities
- Microsoft SQL Server 2012 Express LocalDB
- Microsoft SQL Server 2012 Native Client
- Eventually, the configuration wizard will appear. Enter the credentials of our Office 365 global admin and click Next.
- This step will attempt to authenticate with our Office 365 account.
- Also, if Active Directory synchronization has not yet been activated in Office 365, this message will appear: “Directory Synchronization has not yet been enabled in Azure. Please go to the Management Portal and enable Directory Synchronization. Then try again.”
- After enabling, we can proceed to the next steps.
- Once we are able to proceed, the Azure Active Directory Connector is initialized.
- Now, I entered the credentials for the AD account I created previously.
- Enter forest name as NetBIOS or FQDN
- Enter username in the ‘domain\username’ format
- Enter password
- Click Add Forest
- If you receive the error “Unable to verify user principal name and password. Please try entering credentials in the domain\username format.”, you most likely entered just the username without the domain name in front of it (e.g. domain\username). After fixing it, click Add Forest.
- When the credentials are added successfully, a “Forests” field will display with verified forest credentials.
- Add additional forests as needed and click Next.
- The process will initialize the Active Directory Domain Services (AD DS) connector with the configured forests and gather schema information.
- For uniquely identifying our users, we will leave the default option as we only have a single forest and domain.
- The default “Matching across forests” option is “Your users are only represented once across all forests”. In our scenario, again, we only have one forest.
- If we had multiple forests, we could use the same option if only one account was present for each user.
- If we select “Match using”, we will be required to identify users by matching AD forest attributes with Azure AD (O365) attributes. Following the AADSync install guide, we will use the same attributes as noted in the guide.
- For example, select the ObjectSID and msExchangeMasterAccountSID attributes. This selection presumes we have multiple forests and Exchange organizations.
- For “Matching with Azure AD”, select objectGUID as the value for the ‘sourceAnchor’ attribute, and mail for the ‘userPrincipalName’ attribute.
- Again, we are maintaining the default options. Click Next.
- For Optional Features with version 1.0.0475.1202, I selected Exchange hybrid deployment and Password synchronization (by default none are selected). Click Next.
- Exchange Hybrid Deployment … Selected; To create rich coexistence with my Exchange 2013 environment.
- Password Synchronization … Selected; A new feature available with version 1.0.0470.1023, which was released in October 2014.
- Password Write-Back … Not selected; This feature became generally available on 11 December 2014 for Azure AD Premium customers.
- Azure AD App and Attribute Filtering … Not Selected; I have no interest currently in limiting what apps are available to my synched users or the number of attributes I want synched. Selecting this feature will present two additional option screens in the wizard.
- Now we are ready to configure. This screen will display a “pseudo” summary of what will be configured when we proceed to the next step. Click Configure.
- This task will connect both AD and Azure environments and create synchronization tasks in FIM 2010 R2.
- Lastly, we need to finish the configuration of AADSync.
- By default, the option to Synchronize Now is selected. However, if we want to configure filtering with AADSync we should uncheck the option, configure filtering and then sync.
- Click Finish.
- NOTE: The account used to install AADSync was added to a new local group, and we must sign out of Windows before we can sync. On that note, I signed out and also restarted the server, but syncing still did not start.
After logging out and back in, I opened the Synchronization Service application (aka miisclient.exe) to confirm that all Active Directory objects had been successfully synchronized. I also confirmed in O365 that the on-premises users, groups and contacts were present in the tenant. With AADSync, a scheduled task (Azure AD Sync Scheduler) is created that runs every 3 hours. However, syncing can be performed manually outside of this schedule.
Troubleshooting (as needed)
In a prior installation, after logging out of the server, restarting it, logging back in and waiting several minutes, I checked my O365 account to verify that AD objects had been synchronized, but to my surprise nothing had been synced.
To complete the AADSync process and to get it to sync with O365, I had to manually start the Microsoft Azure AD Sync service but that did not sync the AD objects. Additionally, I had to access Task Scheduler to manually start (run) the Azure AD Sync Scheduler scheduled task.
Finally, within a few minutes of running the scheduled task, all AD users and groups from my forest were populated in the O365 account. My next post will go through the steps to configure filtering with AADSync.
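The check above (service running, scheduled task present, a manual run kicked off from Task Scheduler) can be scripted. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes Windows Server 2012 R2 (PowerShell 4 with the ScheduledTasks module), an elevated session, and the service display name and task name exactly as they appear in this post.

```powershell
# Added example (not from the original post): verify the AADSync service and its
# scheduled task and, if needed, start them the way the troubleshooting steps describe.
# Assumes Windows Server 2012 R2 (PowerShell 4, ScheduledTasks module) and the
# display/task names shown in the post; run in an elevated PowerShell session.

$serviceDisplayName = 'Microsoft Azure AD Sync'
$taskName           = 'Azure AD Sync Scheduler'

# 1. Service: locate it by display name (the short service name is not shown in the post).
$svc = Get-Service | Where-Object { $_.DisplayName -eq $serviceDisplayName }
if (-not $svc) { throw "Service '$serviceDisplayName' not found; was AADSync installed on this server?" }
if ($svc.Status -ne 'Running') {
    Write-Host "Starting '$serviceDisplayName' (was $($svc.Status))"
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}
Write-Host "Service state: $($svc.Status)"

# 2. Scheduled task: report its state, last run time, last result and next run.
#    A task stuck in 'Disabled' or a non-zero last result explains "nothing synced".
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) { throw "Scheduled task '$taskName' not found" }
$info = $task | Get-ScheduledTaskInfo
Write-Host ("Task state: {0}; last run: {1}; last result: 0x{2:X}; next run: {3}" -f
    $task.State, $info.LastRunTime, $info.LastTaskResult, $info.NextRunTime)

# 3. Kick off a sync outside the 3-hour schedule, as the post did from Task Scheduler,
#    then poll until the task returns to Ready and report the result code.
if ($task.State -ne 'Running') {
    Start-ScheduledTask -InputObject $task
    do {
        Start-Sleep -Seconds 10
        $task = Get-ScheduledTask -TaskName $taskName
    } while ($task.State -eq 'Running')
    $info = $task | Get-ScheduledTaskInfo
    Write-Host ("Sync run finished with result 0x{0:X}" -f $info.LastTaskResult)
}
```

Running this after the post-install sign-out gives a single place to see whether the service or the scheduler task is the part that never started, instead of waiting several minutes and checking the tenant. A last result of 0 means the task ran to completion; object-level sync errors still need the Synchronization Service application (miisclient.exe) mentioned above.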
With the Password Synchronization feature selected during the configuration, I am able to sign in to the Office 365 portal with the username and password synced from on-premises.
I observed the following services created during the AADSync installation and configuration…
- Microsoft Azure AD Sync
- Microsoft Online Services Sign-in Assistant
Local Accounts and Groups Created
The following local accounts and groups were created on the server during the AADSync installation and configuration…
- Description: Service account for the Synchronization Service with installation identifier 93dff4b1-f77c-4400-9f4c-240bfac73b88 running on computer AADSYNC_SERVER.
- NOTE: The account name and service identifier will vary for each installation and environment.
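Because the installer creates a service account and local groups whose membership controls the directory sync, it is worth recording them once the install finishes. The following PowerShell is an added example, not code from the original post; it assumes Windows Server 2012 R2 (which lacks Get-LocalUser/Get-LocalGroup, so WMI and ADSI are used), matches the service account on the description text quoted above rather than on its per-installation name, and assumes the installer's local groups are named with an ADSync prefix (an assumption; adjust the pattern if your server shows different names).

```powershell
# Added example (not from the original post): audit the local service account and
# groups that the AADSync installer creates. Assumes Windows Server 2012 R2 (no
# Get-LocalUser/Get-LocalGroup there, so WMI and ADSI are used) and that the
# installer's groups are named ADSync* (an assumption; adjust the pattern if not).
$computer = $env:COMPUTERNAME

# 1. Service account: the post shows its description starting with
#    "Service account for the Synchronization Service"; match on that rather than
#    on the name, which embeds a per-installation identifier.
$svcAccounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.Description -like 'Service account for the Synchronization Service*' }
if (-not $svcAccounts) { Write-Warning "No AADSync service account found on $computer" }
foreach ($a in $svcAccounts) {
    Write-Host ("Service account: {0}  Disabled={1}  PasswordRequired={2}  Lockout={3}" -f
        $a.Name, $a.Disabled, $a.PasswordRequired, $a.Lockout)
}

# 2. Which local groups hold the sync account? Membership in Administrators would be
#    more privilege than the single-purpose setup in this post needs.
foreach ($a in $svcAccounts) {
    $user   = [ADSI]"WinNT://$computer/$($a.Name),user"
    $groups = $user.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    Write-Host ("  member of: {0}" -f ($groups -join ', '))
}

# 3. Installer-created groups and their members: review these the same way you would
#    review Domain Admins, since whoever is in them can change what is synced.
$syncGroups = Get-WmiObject Win32_Group -Filter "LocalAccount=True" |
    Where-Object { $_.Name -like 'ADSync*' }
if (-not $syncGroups) { Write-Warning "No ADSync* local groups found; check the name pattern" }
foreach ($g in $syncGroups) {
    $grp     = [ADSI]"WinNT://$computer/$($g.Name),group"
    $members = $grp.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    Write-Host ("Group {0} ({1}): {2}" -f $g.Name, $g.Description, ($members -join ', '))
}
```

The output also explains the sign-out requirement noted earlier: the installing user appears as a member of one of the new groups, and that membership is only picked up by a fresh logon token. Keep the listing with the build notes and compare it after each AADSync update so that unexpected group members stand out.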
NOTE: On 27 October 2014, AADSync version 1.0.0470.1023 included password synchronization (refer to AAD Sync Version Release History).
References
- Azure Active Directory Synchronization Services (AADSync)
- Requirements for AADSync
- Configure Filtering with AADSync
- Multi-Forest Deployment with AADSync
- Uninstalling AADSync
- Force Sync to Office 365 with AADSync
- AADSync Updates
- AADSync Version History
- Install the AADSync Service
- Microsoft Azure Active Directory Sync Services
- AADSync Frequently Asked Questions
- Deep Dive: Password Reset with On-Premise Sync in Azure AD Premium
- AAD Sync Version Release History
- AADSync: Forcing/Manual Syncs (by Henrik Walther)