Azure Active Directory: Sync local Active Directory

Azure Active Directory is the new way to provide cloud services such as applications, Office 365, Rights Management Services and much more. When you create a new Office 365 subscription, behind the scenes you are using AAD to create and manage users and groups. In an era with billions of mobile devices, where every user has many passwords, it is very important to find a solution that reduces business risk and simplifies the user experience.

With Azure Active Directory Connect it is possible to keep your local Active Directory synchronized with Azure. The most important benefit is Single Sign-On, which allows users to work with a single set of credentials.

AAD Connect is the new version of Azure DirSync and is currently available as a preview from the Microsoft Connect website.

We will see how to configure a new Azure directory in order to sync your local AD.

First of all, create a new directory in Azure, as shown in figure 1.

Figure 1 – New Directory

After creation (by default the directory gets the .onmicrosoft.com suffix), I suggest creating a new account with Global Administrator permissions. This account will be used to manage future integrations, such as Office 365, and also for AAD Connect. Once that is done, add your public domain, as shown in figure 2. This step is required if you want to use Single Sign-On for your users.

Figure 2 – Public Domain

Security is a priority, so before a new public domain can be used it must be validated, as shown in figure 3; in this way Microsoft confirms that you are the owner of the domain. Create the requested TXT or MX record at your DNS provider and after a few minutes you will be able to validate the domain.

Figure 3 – Domain Validation

Now it is possible to activate the integration with the local Active Directory, as shown in figure 4.

Figure 4 – Integration with Local AD

To sync AD, the requirements are:

  • Windows Server 2008 or later domain controllers
  • Windows Server 2008 R2, 2012 or 2012 R2 for the AADC server
  • Local Active Directory enterprise administrator credentials
  • Azure Active Directory global administrator account

Azure Active Directory Connect can be installed on a Domain Controller, but I prefer to use a separate machine to avoid problems (for example an unexpected restart). Run the setup, as shown in figure 5. The prerequisite components are installed during the wizard.

Figure 5 – AADC Setup

Once all the components are installed, the setup asks what kind of deployment you want: Express or Custom (figure 6). The Express setup is perfect for the classic scenario of synchronizing a single forest with password sync. The Custom setup is recommended when you want to synchronize one or more forests, when you want to deploy Active Directory Federation Services, or when there are different requirements, such as configuring Exchange Hybrid Mode.

Figure 6 – Custom Configuration

In this case I closed the wizard without starting the sync at the end (figure 7), because I want to filter which OUs are synchronized. Like DirSync, AADC uses Forefront Identity Manager 2010 R2 to synchronize the objects. By default the entire domain is merged with Azure, but I don't like that, because all users and groups would be synced to Azure, including service accounts and security groups.

Figure 7 – Configuration Complete

Run the Synchronization Service Manager from the Start Menu and open the properties of your local domain, as shown in figure 8.

Figure 8 – Synchronization Service Manager

Select which OUs you want to sync and close FIM. Now there is a new problem: if your local domain name is different from the public domain, you need to add a new UPN suffix to enable SSO; this is possible from Active Directory Domains and Trusts, as shown in figure 9.

Figure 9 – New UPN

Now it is time to run the first Directory Sync; to do so, run DirectorySyncClientCmd.exe from C:\Program Files\Microsoft Azure AD Sync\Bin\. After a few minutes all the users and groups will be available in the Azure AD web portal, as shown in figure 10. If the infrastructure is complex, the sync could take hours.
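As an added example (not code from the original post), this PowerShell pre-sync check covers the OU filtering and UPN suffix steps above: it confirms the public domain is registered as a UPN suffix in the forest and lists the users in the synced OUs whose UPN still carries the local suffix, so they can be corrected before the first run of DirectorySyncClientCmd.exe. The domain name and OU paths are placeholders, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example: verify UPN suffixes before the first Directory Sync.
# Placeholders: contoso.com is your verified public domain; the OUs are the
# ones selected in the Synchronization Service Manager.
Import-Module ActiveDirectory

$PublicDomain = 'contoso.com'
$SyncedOUs    = @('OU=Users,DC=corp,DC=local',
                  'OU=Groups,DC=corp,DC=local')

# 1. The suffix must exist in the forest (added via Active Directory Domains and Trusts).
$forestSuffixes = (Get-ADForest).UPNSuffixes
if ($PublicDomain -notin $forestSuffixes) {
    Write-Warning "UPN suffix '$PublicDomain' is not registered in the forest; add it first."
}

# 2. Find users in the synced OUs whose UPN does not end with the public domain
#    (users with an empty UPN are reported as well).
$mismatched = foreach ($ou in $SyncedOUs) {
    Get-ADUser -SearchBase $ou -Filter * -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -notlike "*@$PublicDomain" }
}

# 3. Report: these users would reach Azure AD with an unverified suffix and be
#    assigned the .onmicrosoft.com domain instead, so SSO would not work for them.
$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 4. Optional fix (review the list first): keep the UPN prefix, swap the suffix.
#    Uncomment to apply.
# $mismatched | ForEach-Object {
#     $prefix = if ($_.UserPrincipalName) { ($_.UserPrincipalName -split '@')[0] }
#               else { $_.SamAccountName }
#     Set-ADUser $_ -UserPrincipalName "$prefix@$PublicDomain"
# }

# 5. Run the first sync only once the list above is empty.
# & 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'
```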

Figure 10 – Users synced

Finished! Very easy, right? Now you can enable new services such as Applications, Password Reset, Multi-Factor Authentication and much more.