Following the announcement of the availability of a new AAD Connect preview build (March 2015 build), here are some details regarding the installation and configuration steps for this build. I may not have covered everything here yet, but will write a new post if needed.
As a quick reminder, if you already had the previous build installed, you have to uninstall it and restart your server, as there is NO upgrade path to the new build. There is, however, a migration path from DirSync, with one limitation: the attribute filtering you have configured will NOT be migrated. That said, I would not recommend performing such an upgrade, especially for this build, as it is still a beta version.
If you have to uninstall the previous build, please follow these steps:
- open a command prompt using Run as administrator
- go to the c:\program files\microsoft azure active directory connect folder
- run the following command: dirsynctool.exe /uninstall
- follow the wizard to uninstall the tool
- complete the uninstallation by opening Control Panel\Add/Remove Programs and uninstalling Azure AD Connect from there
Quite a few improvements since the previous beta build; you can now:
- Choose a specific SQL instance to use
- Define the service account
- Set permissions
- Import previous settings
Let's look at each of these new configuration settings.
SQL Server Name
If you check this box, you will be asked to specify the SQL server\instance that will host the database used by the synchronization tool. This provides the same installation option as the /fullsql switch for DirSync (see https://msdn.microsoft.com/en-us/library/azure/dn441161.aspx).
This option allows you to define the service account used to run the synchronization tool.
This service account no longer needs any specific permission at the AD level (as was the case with DirSync), BUT it needs the following permission on the local server where the tool is being installed:
- Allow log on locally (if you plan to install it on a domain controller, you have to update the GPO applied to domain controllers)
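A quick way to verify that the chosen service account actually holds the "Allow log on locally" right on the target server before running the installer. This is an added example, not code from the original post or from the AAD Connect tooling; the account name is a placeholder and the session is assumed to be elevated.

```powershell
# Added example (not from the original post): checks whether an account holds the
# "Allow log on locally" right (SeInteractiveLogonRight) on this server, by exporting
# the effective local security policy with secedit and parsing the result.
function Test-AllowLogonLocally {
    param(
        [Parameter(Mandatory)][string]$Account   # placeholder, e.g. 'CONTOSO\svc-aadsync'
    )
    # Temporary .inf file that receives the exported policy
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights assignments; secedit writes UTF-16 text
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $cfg -Encoding Unicode |
                Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
                Select-Object -First 1
        if (-not $line) { return $false }   # right is granted to nobody at all
        # Right-hand side is a comma-separated list of *SID or account-name entries
        $holders = (([string]$line -split '=', 2)[1]) -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
        # Resolve the account to its SID so both notations can be compared
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
        # Caveat: only direct grants are detected; a right inherited through a group
        # (e.g. BUILTIN\Users) or one that a GPO will apply later is not resolved here
        return [bool]($holders | Where-Object { $_ -eq $sid -or $_ -eq $Account })
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Usage with the placeholder account name; prints True or False
Test-AllowLogonLocally -Account 'CONTOSO\svc-aadsync'
```

On a domain controller the result reflects the Default Domain Controllers Policy, so a False here means the GPO still needs updating, as mentioned above.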
This setting allows you to define your own group names for the synchronization tool. As a reminder, this tool (as well as the “old” DirSync) is based on Forefront Identity Manager, which uses its own local groups to grant access to parts of its configuration. If you leave this option unchecked (and so the name fields blank), the tool will use the default names (FIMAdministrator….)
This last option allows you to import connection settings from a previous installation. This is very helpful when you have a lot of filtering settings defined (attribute-based or OU-based filtering): you will not have to reconfigure them each time you install a new instance.
Once you have defined the installation/configuration options, the next steps are the same as for the previous build:
- choose either the Express or Customized configuration
The Express configuration just sets up password synchronization for a single AD forest. If you want to set up federation and/or multi-forest synchronization, you have to choose the Customized configuration.
As with the previous synchronization tool (DirSync) and the previous build, the Office 365 credentials must be those of a Global administrator; if directory synchronization has not been enabled yet, the tool will enable it for you.
This build has been improved at this step, as you can now choose to set up just password synchronization, federation, or not configure anything for the single sign-on experience.
The "do not configure" option allows you to keep your existing federation in place (meaning you don’t have to deploy a new federation server in your existing ADFS environment, as was the case with the previous build if you wanted to use federated authentication).
You can then choose to synchronize all users and devices, or just a subset of them using a group; this can be helpful for a pilot implementation.
As almost all the configuration steps are the same as for the previous build, I’m going directly to the last step, which has a lot of new features; you can now enable the following:
- Exchange Hybrid (ok, this one is not new)
- Azure AD app and attribute filtering (this one is the well-known attribute filtering from DirSync AND the application management from the Azure application portal)
- Password writeback (also this is not new)
- User writeback – this option allows user accounts created in Azure AD (or the Office 365 admin portal) to be created back in your Active Directory
- Group writeback – this option is similar to the previous one but for groups
- Device writeback – this option automatically configures the synchronization of the Registered Device container; with DirSync you had to add this manually (see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=623). My point of view at this stage is that the configuration looks much more complicated with this; I hope it will be a little simpler in GA
- Device sync
- Directory extension attribute sync – allows you to sync specific attributes between on-premises AD and Azure AD so they can be used in cloud-based applications
NOTE1: if you plan to implement Device Writeback, ensure you have done one of the following:
- either you have already configured your current DirSync instance for device synchronization (as explained here http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=609)
- or prepare the directory using the PowerShell module provided (Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1") and then follow the documentation provided with the preview build (honestly, at this stage this looks very complicated, while it was very simple with DirSync)
NOTE2: the writeback feature for users and groups requires administrators to define the OU to which Azure users/groups are written back in AD. I recommend using a dedicated OU for cloud users and groups synced back from Office 365
NOTE3: cloud users provisioned back in AD thanks to the writeback feature are still shown as Cloud after synchronization, and resetting the password on the AD “cloud” account does not reset the password of the Office 365 account, even if you have enabled password sync, of course
For each of the optional features enabled, additional configuration steps may be required, for example for Azure AD apps or Azure AD attributes
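Putting NOTE1 and NOTE2 together, here is how the directory preparation for the writeback features can be scripted. This is an added example, not code from the original post or from the AAD Connect preview; the domain, service account and OU names are placeholders, the AD DS RSAT module is assumed to be installed, and Initialize-ADSyncDeviceWriteBack is the cmdlet shipped with the AdSyncAdPrep module (its availability and signature in this preview build are an assumption).

```powershell
# Added example (not from the original post). Placeholders: $domain, $svcAccount, $ouName.
# Assumes an elevated session on a domain-joined server with the ActiveDirectory
# module, and that Initialize-ADSyncDeviceWriteBack exists in this build's AdPrep module.
Import-Module ActiveDirectory
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncAdPrep.psm1"

$domain     = 'contoso.local'            # placeholder: domain to prepare
$svcAccount = 'CONTOSO\svc-aadsync'      # placeholder: AD connector (service) account
$domainDN   = (Get-ADDomain -Identity $domain).DistinguishedName

# 1. Dedicated OU for objects written back from Azure AD (NOTE2): keeps
#    cloud-originated users/groups apart from on-premises accounts, so they are
#    easy to scope in sync filters, GPOs and audits.
$ouName = 'Cloud Writeback'
$ouDN   = "OU=$ouName,$domainDN"
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
Write-Host "Writeback OU for cloud users/groups: $ouDN"

# 2. Device writeback preparation (NOTE1): creates the RegisteredDevices
#    container and grants the connector account the rights it needs on it.
Initialize-ADSyncDeviceWriteBack -DomainName $domain -AdConnectorAccount $svcAccount

# 3. Verify the container now exists; it is expected directly under the domain root
$container = Get-ADObject -Filter "Name -eq 'RegisteredDevices'" `
                 -SearchBase $domainDN -SearchScope OneLevel
if ($container) {
    Write-Host "RegisteredDevices container present: $($container.DistinguishedName)"
} else {
    Write-Warning "RegisteredDevices container not found; check the AdPrep documentation"
}
```

Select the OU created in step 1 when the wizard asks where user and group writeback should land, so that the cloud-originated objects never end up among your regular on-premises accounts.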