Here we are with a new series of posts dedicated to Azure Active Directory Connect. Since the information and details cover different areas including installation, configuration and tuning I have decided to cover them with separate articles.
The purpose of this post is to provide a short overview of what Azure Active Directory Connect tool is (AAD Connect from now on 🙂 ) and also show the steps for a first installation into a test environment. The next articles will cover the configuration, troubleshooting and a little bit of testing!
So what is it the AAD Connect? It is a tool that by mean of a synchronization service integrates the information and details like identities between the Local Active Directory and Azure AD instances. This means that the end user experience will be much more simplified as there would be less impact on remembering or using different account names and/or passwords when accessing services and applications hosted in Office 365. This means end-users will have a seamless access regardless the app is on premise or online.
Historically the same purpose has been accomplished by other tools with some some limitations now addressed by the AAD Connect tool. Namely these are the DirSync and Active Directory Sync (AADSync). At the time of writing AAD Connect Tool is the latest release of the synchronization mechanism between the AD on premise and online.
Now what can AAD Connect tool can effectively do for me?
This one is responsible for creating users/groups/devices and keep them in sync between the local and online instance of Active Directory
This one is needed only when setting up complex environments where the scenario is including an hybrid deployment leveraging the local AD infrastructure to enforce policies with regards to SSO and other 3rd parties mechanisms of authentication
When using complex deployements (for example integrating AD FS) then this component it is essential to include all the info and details you need in one place on the Azure Portal.
So what is it needed to install the AAD Connect tool? Here you are the shopping list:
An Administrator Account for Active Directory used for syncronization from on-premise to on-line
A Global Admin Account for Azure AD
Local SQL Express Edition if less than 100,000 AD objects
Dedicated SQL Server and 100Gb disk space if AD objects on premise are more than 100,000
A test user/group/device object to test the syncronization! 🙂
At this point we are ready to start with the setup!
In my case I have two machines in my lab. One acting as a Domain Controller and the other as the machine where the AAD Connect tool will be installed. Also please note that upon the launch of the wizard the name of the Forest and Domain have already been identified. When launching the setup there are two options for a standard or custom installation. In this case we’ll explore the custom one to visit some settings as per screenshots below.
For example a custom installation gives us the ability to locate all the components (AAD binaries and Local SQL install) onto e dedicated directory. Also it is possible to use a specific account that will run the syncronization process from AD on premise to the Azure AD. Personally I prefer to use a custom Admin account with specific permissions rather than let the application create a new one. Depending on which feature we want to enable during the synchronization specific permissions need to be granted to this account. This will be covered in a different topic. For now an account that belongs to Domain Administrators already has all the required permissions.
At this point we can choose the Single Sign On method. For our purpose we select the Password Synchronization. This way will be easier for the users to access the applications on both premise and online. Please note that even if same users can have the same password on both premise and online this does not constitute a SSO environment as there’s no token that can be verified. In this case we can rather talk of Same Sign On as opposed to Single Sign On available through Federation with AD FS.
We now configure the account with Global Admin rights to access the Azure AD environment
From here it is possible to specify multiple domains within the same forest
Since in this example I’m using a single domain the defualt options are a good fit
Ideally in this phase would be better to enter the name of a small group of objects to synchronize. I want to leave the default option and then configure the Directory Partitions later on to point the AAD Connect tool to specific OUs
From here we can select which services should be enabled during the synchronization. Should we select for example the option for Password writeback this means that password changes made in Azure AD will be reflected to the AD instance on premise. I want to dedicate a separate post for these options.
The wizard is now ready to configure the synchronization engine and rules based on our selection. As shown in the screenshot below I have deselected the option to “Start the synchronization process as soon as the configuration completes”. Since I have not selected any AD group for synchronization I do not want the engine to import everthing but only specific portions of AD or better Organizational Units. Also because synchronization is disabled we need to re-enable this process also by adding a custom schedule. By default the sync schedule is every 3 hours.
The Configuration is now complete.
On the desktop a new icon will be added to review or change the current configuration. Very useful for troubleshooting and testing scenarios. It is worth mentioning that “Staging Mode” prevents the Export function from Local AD to Azure AD. The Staging mode not only is very useful when evaluating the changes (from Import and Sync operations in the Metaverse Search) before pushing them but also when coexisiting with previous releases of synchronization tools like DirSync and AAD Sync or even with High Availability scenarios. Only one AAD Connect tool in staging mode per AD is supported.
As a last point before wrapping up this post it is also worth mentioning other binaries that are installed from the wizard which include:
Azure AD Connect
Syncrhronization Service Key Management
Synchronization Rule Editor
The Azure AD Connect icon is the one that gives us the opportunity to revisit and change the installation.
The Synchronization Service Key Management allows to export and backup the keys used to encrypt data in Azure AD to a file.
The Synchronization Service and Rule Editor will be covered in my next posts about AAD Connect tool.