Today I decided to ease myself into my next steps and build out a member server to run the AD sync from. I reused some previous PowerShell to deploy a member server and join it to my domain. It is possible to run the sync services on an existing domain controller, but as a best practice I don't like to install one-off applications on my domain controllers. I like to keep them identical, hence the need for a separate member server to perform the sync role.
I had previously uploaded the Microsoft Azure AD Sync Services (aka AADSync) application to my Azure file share, but you can find it at http://aka.ms/azureadsync. You will want to install and run the Microsoft Azure AD Connection Tool.
Please note that Microsoft Azure AD Sync Services is DIFFERENT from Windows Azure Active Directory Sync (aka DirSync).
Once the sync server is built, you will want to kick off the installation of the application, but not before you've made some adjustments to your Azure directory. In the Portal, I went to my directory and created a new user account to be my Azure AD administrator (newuser@imperfectlab.com) and made it a Global Administrator. You will also need to go through the sign-in process for that account to set a non-temporary password.
Once you have this account, you simply need to throw the switch under "Directory Integration -> Directory Sync" from Inactive to Active. Once the setting is saved, the "Last Sync" field will say "never synced". Now go over to your sync server and run that connection tool.
You'll need the account and credentials you created for the new Azure AD admin and some information about your domain. For the addition of the forest, you'll need your domain name and the username and password of an enterprise domain admin from your local domain. This will be different from the account you created directly in Azure AD.
Leave the User Matching page at the defaults but select "Password Synchronization" from the Optional Features. Finally, review your configuration screen, verify that "Synchronize Now" is checked and click Finish. At this point, your users should sync into Azure AD and after a few minutes you'll see a list of them in the portal.
If you want to make any changes to the settings of your AD Sync, like adding in a feature, simply rerun the tool after disabling the Azure AD Sync task in Task Scheduler. The task will be re-enabled automatically when you finish the wizard again.
If you want to force a sync for Azure AD Sync Services for any reason, the default location of the command line tool is:
c:\program files\microsoft azure ad sync\bin\directorysyncclientcmd [initial|delta]
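As an added example (my own code, not part of the original post or the AADSync product), here is a small PowerShell helper that wraps the two manual steps above: it disables the sync scheduled task before you rerun the wizard, and it forces a sync with the command-line tool while checking that the executable exists and exited cleanly. The task name pattern 'Azure AD Sync*', the use of a zero exit code as the success signal, and the refusal to force a sync while the task is disabled are my assumptions, not behaviour documented on the page.

```powershell
# Default install location from the post; override $AadSyncBin if you installed elsewhere.
$AadSyncBin = Join-Path $env:ProgramFiles 'Microsoft Azure AD Sync\Bin'

function Get-AadSyncTask {
    # Assumption: the scheduled task created by the installer is named like 'Azure AD Sync*'.
    Get-ScheduledTask | Where-Object { $_.TaskName -like 'Azure AD Sync*' }
}

function Disable-AadSyncTask {
    # Run this before rerunning the connection tool; the wizard re-enables the task on finish.
    $tasks = Get-AadSyncTask
    if (-not $tasks) { throw "No scheduled task matching 'Azure AD Sync*' was found." }
    foreach ($t in $tasks) {
        Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
        Write-Host "Disabled '$($t.TaskName)'. Rerun the wizard now; it re-enables the task when you finish."
    }
}

function Invoke-AadSync {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('initial', 'delta')]   # only the two modes the tool accepts
        [string]$Mode
    )
    $exe = Join-Path $AadSyncBin 'DirectorySyncClientCmd.exe'
    if (-not (Test-Path $exe)) { throw "Sync client not found at $exe" }

    # Safety check (assumption): a disabled task means someone is mid-reconfiguration,
    # so do not kick off a sync underneath the wizard.
    $disabled = Get-AadSyncTask | Where-Object { "$($_.State)" -eq 'Disabled' }
    if ($disabled) { throw "The sync scheduled task is disabled; finish the wizard before forcing a sync." }

    $proc = Start-Process -FilePath $exe -ArgumentList $Mode -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "DirectorySyncClientCmd $Mode failed with exit code $($proc.ExitCode)"
    }
    Write-Host "DirectorySyncClientCmd $Mode completed (exit code 0)."
}

# Usage, run in an elevated PowerShell on the sync server:
# Disable-AadSyncTask      # then rerun the Azure AD Connection Tool
# Invoke-AadSync -Mode delta
```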
Happy Syncing!
How is Microsoft Azure AD Sync Services different from Windows Azure Active Directory Sync (aka DirSync)? Where can I find guidelines on when to use each product over the other?
Azure AD Sync Services ultimately replaces DirSync and you would want to use AAD Sync Services going forward. Rod Trent sums it up quickly here - http://windowsitpro.com/azure/azure-ad-sync-service-released-makes-dirsync-and-fim-obsolete and I found this post helpful for figuring out some of the differences between versions, particularly when needing to force a sync - http://blogs.technet.com/b/rmilne/archive/2014/10/01/how-to-run-manual-dirsync-_2f00_-azure-active-directory-sync-updates.aspx