In Part 1 of this series, we discussed the concept of Azure active directory and how you can as an IT admin or IT decision maker to offer a single sign on feature for around 2400+ cloud services (SAAS), also we discussed many great features that we can take advantage of it if we decide to using azure active directory such as Multi-factor authentication.
Also as we discussed and mentioned in Part 1, the first thing you recommend to do is to sync your users and passwords from local active directory to Azure active directory.
Syncing users and groups from local domain to Azure is optional, but if you didn’t synchronize you should recreate all users and group manual in azure AD, in addition the user will have multiple passwords, he will have the local password and Azure password since there is no syncing between both directories, if you do the sync the user’s will have single user account and single password in both directories and this is make scene.
Now the question is how IT Admins can sync their users, groups and passwords to cloud, in other word how they can be able to push all these identities to Azure AD.
Microsoft offer many tools to automate this process as we discussed in part 1, in this part we will discuss two sync tools offered by Microsoft, and in next part we will use one of them as a technical demo.
The first tool offered by Microsoft for syncing called DirSync, you can install this tool in any joined machine and even in the DC itself and start syncing the identities to cloud.
The second one is Azure AD Connect, this tool is the new version of DirSyn, you can upgrade from DirSync to Azure AD connect or install it directly and start syncing to cloud.
Now, lets talk a little bit about how the sync tools work ( In next part we will discuss deeply the technical part).
it’s a very simple process, you need to install the tool and provide administrative credential within setup wizard, then the tool will discover all identities in you local domain and start sync these info to the cloud, yes it’s simple as that, below is a very simple diagram for DirSync tool:
Now, i think as a reader you have two question you need to ask, the first question is how my identities will not overlap with other customers identities ! the second question how Microsoft will be sure that i am the owner of the domain i am trying to sync, in other word can i sync my users with any domain name !
It’s a very great and important question, the answer for first question is very easy, each customer will have it’s own tenant (Cloud space), when you try to sync your identities, the wizard will ask you for a tenant global admin credential, which means the wizard will ask Microsoft database: please let me know this credential refer to which tenant ?! then the identities will be synced to the appropriate tenant, so don’t worry your data will not and will never overlap with other customers, again each customer will have it’s own tenant.
Regarding the second question, you can’t sync the users with your domain name until you prove for Microsoft that you are the real owner of the domain, and this is very simple, Microsoft will provide you to Add a TXT record in you global DNS to be sure that you are the owner of the domain, Once you added they will allow you to use the domain name in the syncing process, we will come for this deeply later in this series.
So the question now, what is the general requirements to be able to sync your local identities to Microsoft Cloud.
lets summarize the general requirements as below:
1- you should have a local Active Directory with at least forest functional level 2003 or higher.
2- The domain controller operating system can be 32 bit or 64 bit, for windows 2003 it should be SP1 at least, It’s supported to be windows server 2008 or 2008 R2 in addition to windows 2012 and windows 2012 R2.
3- There is a limit for number of object to be created in your tenant, when you initially created the tenant you can create up to 50,000 objects, if you verify your domain the limit will be increase automatically to 300,000 objects, in anyway if you need to synchronize more even if you didn’t have any domain to verify you can contact Microsoft support and they will increase the limit for you.
4- The machine you need to run the sync tool on it must meet the following requirements:
It must run Windows Server as operating system. The following versions of the Windows Server operating system are supported:
64-bit edition of Windows Server 2008 Standard, Enterprise, or Datacenter edition with SP1 or later
Windows Server 2008 R2 Standard, Enterprise, or Datacenter edition with SP1 or later
Windows Server 2012 Standard or Datacenter
Windows Server 2012 R2 Standard or Datacenter
It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. For the rich co-existence scenario, this is a requirement because the DirSync server explicitly enumerates and reaches out to all domain controllers in the forest in order to set permissions for write-back. This is not the case if you do not have Hybrid Deployment enabled.
The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.
It must run the Microsoft .NET Framework 3.5 SP1 and the Microsoft .NET Framework 4.5.1 If you are running Windows Server 2008, the .NET Framework will already be installed; if not, you can download it from the following locations: Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4.5.1
It must run Windows PowerShell: If you are running Windows Server 2003, you need to download Windows PowerShell. If you are running Windows Server 2008, you need to enable Windows PowerShell. For more information, see Install Windows PowerShell on the directory sync computer.
It must be located in an access-controlled environment. Access to the computer that is running the Directory Sync tool should be limited to those users who have access to your Active Directory domain controllers and other sensitive network components. Only users or administrators that have the necessary permissions to make changes to domain controllers in Active Directory should have access to this computer.
It’s very important to note that till now there is no high available solution for Sync Tools, which means you should install the Sync tool one time only.
5- you should have an administrative privilege in your local AD in addition to the Azure tenant.
6- The hardware spec’s need to be met in the machine running the Sync tool, the below table summarize it as mention in Microsoft article:
This is a general requirements to run the directory sync tools, don’t worry usually all these requirements founded in customers site by default, some times you need to reconfigure or upgrade the environment, In Next part we will discuss the technical side more deeply.
If you already have an office 365 tenant and you already sync the users to office 365, you will have by default an Azure Active Directory account and no need to run the sync again since you will find all your identities appear in Azure AD, by the way office 365 use the Azure AD to authenticate the users in the cloud.
The last thing to discuss in this part, what is the major differences between DirSync and Azure AD Connect !
These days, Microsoft recommend to use Azure AD connect instead of DirSync, The major difference that Azure Ad Connect can synchronize multiple forest if you have since DirSync cannot do this, in addition to this there is some cloud services will not work with DirSync, Since both tools is very easy to setup we recommend to use Azure AD Connect now.
In Next Part we will start the technical part of how to implement this tool in deeply manner, so stay tuned 🙂
Ahmad Yasin in a Microsoft Cloud Engineer and the publisher of
AzureDummies blog. He also hold many certificates in office 365
and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions
and MCSA office 365.