Microsoft originally released the DirSync tool to synchronize on-premises AD users to Office 365, and later updated it to support password synchronization. In February 2015, however, Microsoft released a completely different service: Microsoft Azure Active Directory Sync Services (AADSync). Azure Active Directory Sync lets you onboard to Azure Active Directory and Office 365 from a single-forest or multi-forest on-premises Active Directory.
Caution:
- The tool needs an instance of SQL Server to store identity data. By default a SQL Express LocalDB is installed, and the service account for the service is created on the local machine during the install.
- SQL Express has a 10GB size limit, which allows you to manage approximately 100,000 objects. If you anticipate managing a higher volume of directory objects, point the installation process to a different version of SQL Server.
Steps:
- Install the WAAD Sync tool on the new server
- Uninstall DirSync on the old server
- Additional configuration of WAAD – OU filtering
- Run a full synchronization
Step1. Get your new Directory Sync Server ready and install the new WAAD Sync tool
Download AADSync: https://www.microsoft.com/en-us/download/details.aspx?id=47594
Installation of WAAD Sync Service
- If you wish, you can add multiple forests here, or just continue with configuring the sync service after the first forest is added.
- The Matching across forests feature allows you to define how users from your ADDS forests are represented in Azure AD. A user might either be represented only once across all forests or have a combination of enabled and disabled accounts.
You can use the Matching with Azure AD option to specify the attribute you want to use for identity federation. The source anchor attribute is an attribute that does not change during the lifetime of a user object. In single-forest environments where accounts are never moved between forests, objectGUID is a good candidate. If users are moved between forests or domains, an alternative attribute must be selected.
The userPrincipalName attribute is the user's login ID in Azure AD. By default the userPrincipalName attribute in ADDS is used. If this attribute is not routable or not suitable as the login ID, a different attribute, such as mail, can be selected.
- Select the appropriate features needed as per your organizational requirements
- At this point, log off and log in again.
- Following are the applications installed with the AADSync service
- Export the Azure AD Sync Encryption Key by opening the Utility from the installed programs.
We will come back and perform the full synchronization once the old DirSync tool is uninstalled.
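Before selecting OUs and choosing the login ID attribute, it helps to check the scope you are about to sync against the two constraints the post mentions: the approximate 100,000-object SQL Express guidance and the requirement that the userPrincipalName suffix be routable. The following PowerShell is an added example, not part of the original post or the AADSync tool; it assumes the RSAT ActiveDirectory module is installed, and the OU list and the list of domains verified in Office 365 are placeholders you replace with your own.

```powershell
# Added pre-migration check (not from the original post). Assumes the RSAT
# ActiveDirectory module; the OU and verified-domain lists are placeholders.
Import-Module ActiveDirectory

$SyncedOUs       = @('OU=Users,DC=corp,DC=example')   # OUs you plan to select in Step 3 (placeholder)
$VerifiedDomains = @('example.com')                   # domains verified in Office 365 (placeholder)
$ExpressLimit    = 100000                             # approximate object ceiling for SQL Express LocalDB

# Collect every user object in the OUs that will be in scope for synchronization.
$users = foreach ($ou in $SyncedOUs) {
    Get-ADUser -SearchBase $ou -Filter * -Properties userPrincipalName, mail
}

# 1. Size check: does the synced scope fit the default LocalDB instance?
$objectCount = ($users | Measure-Object).Count
if ($objectCount -ge $ExpressLimit) {
    Write-Warning "$objectCount user objects in scope: point the install at a full SQL Server instance."
} else {
    Write-Output "$objectCount user objects in scope (within the SQL Express guidance)."
}

# 2. Login ID check: a UPN whose suffix is not a verified domain is not routable,
#    so those users need either a UPN fix or the mail attribute as the login ID.
$nonRoutable = $users | Where-Object {
    -not $_.userPrincipalName -or
    ($VerifiedDomains -notcontains ($_.userPrincipalName -split '@')[-1])
}
if ($nonRoutable) {
    Write-Warning "$(($nonRoutable | Measure-Object).Count) users have a non-routable or missing UPN:"
    $nonRoutable | Select-Object SamAccountName, userPrincipalName, mail | Format-Table -AutoSize
} else {
    Write-Output "All in-scope users have a UPN in a verified domain."
}
```

Run it on the new sync server (or any domain-joined host with RSAT) before you pick the OUs in Step 3, so that the size and login ID decisions are made on real numbers.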
Step2. Uninstall dirsync tool from the old Dirsync Server
- Locate the DirSync tool in Windows Control Panel > Programs and Features and select Uninstall
- Should you face any issue with the complete uninstallation/cleanup of this tool, you can refer to my blog post on Error Installing Directory Sync Tool.
Step3. Additional Configuration of WAAD Sync tool – OU Filtering
- Launch the Azure AD Sync Synchronization Service
- Open the Connectors tab and select the local AD connector's properties
- Select Container from the Configure Directory Partition Tab
- Select the OU that needs to be synced to office 365
Step4. Run Full Synchronization
- Launch the Azure AD Sync Synchronization Service once again
- Select the connector of type Active Directory Domain Services and select Run from the Actions pane
- Select the Full Import run profile.
Conclusion:
It is important to upgrade this key tool from time to time to take advantage of the latest features for integrating on-premises AD with Office 365. There are further reasons for organizations that use Hybrid Exchange, since the WAAD tool allows AD write-back, the most useful feature we have all been waiting for.
You can also perform an in-place upgrade of the DirSync tool, but it is not recommended as it is known to cause issues. For further reference please refer here.