Following the announcement of a new AAD Connect preview build (the March 2015 build), here are some details on the installation and configuration steps for this build. I may not have covered everything here yet and will write a new post if needed.
As a quick reminder, if you already had the previous build installed, you have to uninstall it and restart your server, as there is NO upgrade path to the new build. There is a migration path from DirSync, with one limitation: any attribute filtering you have configured will NOT be migrated. That said, I would not recommend performing such an upgrade, especially with this build, since it is still a beta version.
If you have to uninstall the previous build, follow these steps:
- open a command prompt using Run as administrator
- go to the C:\Program Files\Microsoft Azure Active Directory Connect folder
- run the following command: dirsynctool.exe /uninstall
- follow the wizard to uninstall the tool
- complete the uninstallation by opening Control Panel > Add/Remove Programs and uninstalling Azure AD Connect from there
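As an added example (not part of the original post), here is the same uninstall sequence as a PowerShell script, so it can be repeated on several servers and verified rather than clicked through. It assumes the install folder and the dirsynctool.exe /uninstall switch named above, and it assumes the Control Panel entry's DisplayName contains "Azure AD Connect"; both are assumptions about this preview build, not something the post confirms.

```powershell
# Added example, not from the original post. Assumptions: the previous build lives under
# "C:\Program Files\Microsoft Azure Active Directory Connect" and ships dirsynctool.exe with a
# /uninstall switch; the Add/Remove Programs entry's DisplayName contains "Azure AD Connect".

# 1. Refuse to continue unless the shell is elevated ("Run as administrator").
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Open this shell with 'Run as administrator' first."
}

# 2. Run the tool's own uninstaller from its install folder and wait for the wizard to finish.
$installDir = Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect'
$tool       = Join-Path $installDir 'dirsynctool.exe'
if (-not (Test-Path $tool)) { throw "Not found: $tool (is the previous build actually installed?)" }
Start-Process -FilePath $tool -ArgumentList '/uninstall' -WorkingDirectory $installDir -Wait

# 3. Finish in Add/Remove Programs: locate the remaining entry in the registry instead of the GUI.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Azure AD Connect*' }
if (-not $entries) { "No Azure AD Connect entry left in Add/Remove Programs." }
foreach ($e in $entries) {
    "{0}  version {1}" -f $e.DisplayName, $e.DisplayVersion
    if ($e.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
        # MSI-based entry: uninstall by product code, silently, and keep a verbose log for review.
        $log = Join-Path $env:TEMP 'aadconnect-uninstall.log'
        Start-Process msiexec.exe -ArgumentList "/x $($e.PSChildName) /qn /l*v `"$log`"" -Wait
    } else {
        "Non-MSI entry; uninstall it from Control Panel or run: $($e.UninstallString)"
    }
}

# 4. The post requires a restart before installing the new build:
# Restart-Computer
```

The elevation check matters because both dirsynctool.exe and msiexec will silently fail or prompt when run from a non-elevated shell; the registry lookup is what lets you confirm the Control Panel entry is really gone before the restart.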
Quite a few improvements since the previous beta build; you can now:
- specify a SQL Server instance
- specify the service account
- set permissions (the local groups used by the tool)
- import previous settings
Let's look at each of these new configuration settings.
Installation Options
SQL Server Name
If you check this box, you will be asked for the SQL Server\instance to use to host the database used by the synchronization tool. This is the same installation option as DirSync's /fullsql switch (see https://msdn.microsoft.com/en-us/library/azure/dn441161.aspx).
Service Account
This option lets you define the service account used to run the synchronization tool.
This service account no longer needs any specific permission at the AD level (as it did with DirSync), BUT it needs the following user right on the local server where the tool is installed:
- Allow log on locally (if you plan to install the tool on a domain controller, you have to grant this right through the domain controllers GPO, because the default domain controller policy does not grant it to ordinary domain accounts)
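As an added example (not from the original post), the following PowerShell check verifies, before you run the wizard, that the account you intend to use holds "Allow log on locally" (SeInteractiveLogonRight) on the server and is not explicitly denied it, and flags the domain-controller case. The account name is a placeholder; the secedit export, the WinNT provider lookup and the DomainRole test are standard Windows mechanisms, not part of the AAD Connect build itself.

```powershell
# Added example, not from the original post. Checks the "Allow log on locally" user right for the
# service account the wizard will use. $serviceAccount is a placeholder; replace it with your own.
$serviceAccount = 'CONTOSO\svc-aadsync'

# Export the effective local security policy; user rights appear under [Privilege Rights] as lines
# such as "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545" (SIDs prefixed with '*').
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run this from an elevated shell." }

function Get-RightHolders([string]$Right) {
    # Returns the resolved account names that hold the given right, or @() if nobody does.
    $line = Select-String -Path $inf -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $line) { return @() }
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try { (New-Object Security.Principal.SecurityIdentifier($sid)).Translate([Security.Principal.NTAccount]).Value }
        catch { $sid }   # orphaned or unknown SIDs are reported as raw SIDs
    }
}

# Principals that count for the account: itself, its direct domain groups (via the WinNT provider),
# plus the two identities every domain account carries on a member server: Authenticated Users and,
# through it, the local Users group (which holds this right by default on member servers, not on DCs).
$domain, $user = $serviceAccount -split '\\', 2
$principals = @($serviceAccount, 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
try {
    $adsiUser = [ADSI]"WinNT://$domain/$user,user"
    $principals += $adsiUser.Groups() | ForEach-Object {
        "$domain\" + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
} catch { Write-Warning "Could not enumerate groups for $serviceAccount; checking well-known identities only." }

$allowed = Get-RightHolders 'SeInteractiveLogonRight'
$denied  = Get-RightHolders 'SeDenyInteractiveLogonRight'
"Allow log on locally : $($allowed -join ', ')"
"Deny log on locally  : $($denied -join ', ')"

$hit   = $principals | Where-Object { $allowed -contains $_ }
$block = $principals | Where-Object { $denied  -contains $_ }
if ($block) {
    Write-Warning "$serviceAccount is DENIED local logon via: $($block -join ', ') (deny always wins over allow)."
} elseif ($hit) {
    "$serviceAccount can log on locally via: $($hit -join ', ')"
} else {
    Write-Warning "$serviceAccount is not granted local logon; the tool will not run under it until it is."
}

# On a domain controller the default policy grants this right only to admin/operator groups, and the
# Default Domain Controllers Policy GPO overrides local policy, so the fix must be made in that GPO.
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
if ((Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4) {
    "This server is a domain controller: grant the right in the Default Domain Controllers Policy GPO, not locally."
}
```

The check reads the deny right as well as the allow right because a "Deny log on locally" entry (common in hardening baselines for service accounts) overrides any allow, and a missing right only shows up later as a service that refuses to start.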
Permissions
This setting lets you define your own group names for the synchronization tool. As a reminder, this tool (like the "old" DirSync) is based on Forefront Identity Manager, which uses its own local groups to grant access to parts of its configuration. If you leave this option unchecked (and the name fields blank), the tool uses the default names (FIMAdministrator….). Whatever names you choose, membership of these groups amounts to administrative control of the sync engine and of the data it pushes to the tenant, so keep them as tightly managed as the local Administrators group.
Import Settings
This last option lets you import connection settings from a previous installation. This is very helpful when you have a lot of filtering settings defined (attribute-based or OU-based); you will not have to reconfigure them each time you install a new instance.
Configuration
Once you have defined the installation/configuration options, the next steps are the same as for the previous build:
- choose either the Express or the Customized configuration
The Express configuration just sets up password synchronization for a single AD forest. If you want to set up federation and/or multi-forest synchronization, you have to choose the Customized configuration.
As with the previous synchronization tool (DirSync) and the previous build, the Office 365 credentials must be those of a Global administrator, and if directory synchronization has not yet been enabled on the tenant, the tool will enable it for you.
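As an added example (not from the original post), this PowerShell pre-flight uses the Azure AD (MSOnline) module to confirm the two tenant-side conditions above before the wizard is run: that the account really is a Global administrator (the role is named "Company Administrator" in the API) and whether directory synchronization is already enabled. The MSOnline module is assumed to be installed; the credentials are prompted for.

```powershell
# Added example, not from the original post. Pre-flight check of the Office 365 account the wizard
# will use, with the MSOnline (Azure AD) PowerShell module, which is assumed to be installed.
Import-Module MSOnline
$cred = Get-Credential -Message 'Office 365 account the AAD Connect wizard will use'
Connect-MsolService -Credential $cred

# 1. Global administrator check. The directory role behind "Global administrator" is "Company Administrator".
$gaRole  = Get-MsolRole -RoleName 'Company Administrator'
$members = Get-MsolRoleMember -RoleObjectId $gaRole.ObjectId
$isGA    = $members | Where-Object { $_.EmailAddress -eq $cred.UserName }   # -eq is case-insensitive
if (-not $isGA) {
    throw "$($cred.UserName) is not a Global administrator; the wizard will fail at the Office 365 credentials step."
}
"$($cred.UserName) is a Global administrator."

# 2. Directory synchronization state. The wizard enables it if needed; knowing beforehand tells you
#    whether a DirSync/previous-build instance has already been talking to this tenant.
$company = Get-MsolCompanyInformation
if ($company.DirectorySynchronizationEnabled) {
    "Directory synchronization is already enabled; last sync: $($company.LastDirSyncTime)"
} else {
    "Directory synchronization is not enabled yet; the wizard will enable it (equivalent to Set-MsolDirSyncEnabled -EnableDirSync `$true)."
}
```

A practical caveat that follows from this check: use a cloud-only (onmicrosoft.com) Global administrator for the wizard rather than a synchronized account, so the credentials the tool depends on do not themselves depend on the synchronization it is configuring.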
Customized Configuration
This build has been improved at this step: you can now choose to set up just password synchronization, set up federation, or not configure the single sign-on experience at all.
The "do not configure" option lets you keep your existing federation in place (meaning you do not have to deploy a new federation server in your existing ADFS environment, as was the case with the previous build if you wanted to use federated authentication).
You can then choose to synchronize all users and devices, or just a subset of them using a group; this can be helpful for a pilot implementation.
As almost all the configuration steps are the same as for the previous build, I am going directly to the last step, which has a lot of new features; you can now enable the following features: