Office 365 – Azure Active Directory Connect Installation

Following my previous post about the upgrade process from DirSync to AAD Connect (which failed), I decided to go ahead and uninstall DirSync and do a fresh install of AAD Connect.

So let's start a fresh install by accepting the license agreement.


Then you have the choice between an Express configuration, which synchronizes identities, passwords and all attributes from the current directory (based on the domain membership of the server), and a Custom configuration, which lets you decide what to synchronize.


For the next steps, I chose to do a custom configuration.

With the custom configuration you can choose to use a SQL instance (instead of the SQL Express provided with the tool), define a custom installation location, and define your own FIM groups.

If you choose to define your own service account (the account used to start the service, not the one used to synchronize your directory; even if you can use the same account for both, it is always recommended to use a dedicated account for each task), you have to use the format domain\useraccount; the UPN format is not accepted.
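Because the wizard rejects the UPN form, it is handy to resolve the account you have in mind into the DOMAIN\sAMAccountName form before you start. The following PowerShell is an added example, not code from the original post or from the AAD Connect tool; it assumes the ActiveDirectory RSAT module is installed on the server, and the UPN used in the usage line is a constructed sample.

```powershell
# Added example: turn a service account given as a UPN into the DOMAIN\user
# form the AAD Connect wizard expects (assumes the ActiveDirectory module).
Import-Module ActiveDirectory

function ConvertTo-DomainAccountName {
    param(
        [Parameter(Mandatory)] [string] $Identity
    )

    # Already DOMAIN\user: hand it back unchanged.
    if ($Identity -match '^[^\\@]+\\[^\\@]+$') {
        return $Identity
    }
    if ($Identity -notmatch '^[^@\\]+@[^@\\]+$') {
        throw "'$Identity' is neither DOMAIN\user nor a UPN"
    }

    # Look the UPN up in the forest; -Filter takes a string expression.
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$Identity'" -Properties SamAccountName
    if (-not $user) {
        throw "No AD user found with UPN '$Identity'"
    }

    # The account may live in a different domain than the server, so derive
    # the DNS domain from the object's DN rather than from the local computer.
    $dnsDomain = ($user.DistinguishedName -split ',' |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
    $netbios = (Get-ADDomain -Identity $dnsDomain).NetBIOSName

    return "$netbios\$($user.SamAccountName)"
}

# Constructed sample input; returns e.g. CONTOSO\svc-adsync on a matching forest.
ConvertTo-DomainAccountName -Identity 'svc-adsync@contoso.local'
```

Run it on the server you are installing on; the returned string is exactly what you paste into the service account field.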

I chose to define my own service account (to run the synchronization service) and to use a SQL instance.


Then, when you start the installation, the wizard installs additional prerequisites like the Sign-in Assistant.

As I chose to use a SQL instance, it also creates the ADSync database on SQL and grants the appropriate permissions to the service account I defined.

NOTE: if you uninstall AAD Connect and were using a SQL instance, the ADSync database will also be deleted.


At the next step, you can define which authentication method you want to use: password synchronization, federation, or nothing (meaning you need to define the users' passwords on Azure AD/Office 365).


I chose Password Synchronization; I already have ADFS configured and in use, so I want to check what will happen there.

Then you have to enter your global administrator credentials; as always, it is recommended to have set up a dedicated account on your tenant with a complex password which never expires.


Then it connects to the tenant and validates the credentials and the account role.

At the next step you can select which on-premises AD forest you want to synchronize. If you have only one, that's easy; if you have more than one, you can add them here. Strangely, you have to manually enter the other AD forests in the FOREST field, while with the beta/preview version you were able to select them directly from the drop-down menu.

The account no longer needs to be Enterprise Admin, BUT it needs permission to manage user and group objects.


Then it checks your directory schema and validates that it meets the prerequisites for syncing with Azure Active Directory.

If you are going to synchronize multiple AD forests, you have to define the way to uniquely identify each identity across the directory services.


Then you can synchronize the entire directory or select filtering options based on AD groups; this option can be helpful if you are planning a pilot.

Do not forget that you will still be able to filter based on OU or attributes later using the FIM console.


Finally, you can choose to enable additional features like Exchange Hybrid configuration, password write-back…


In my case I enabled Exchange Hybrid, password write-back (which requires AAD Premium) and also the new (still in preview) user and group write-back (I will cover this later in this post).

Then, once you have selected (and configured) the additional features, you can check which AD attributes will be synchronized; you can review them using a CSV export.

You can even unselect some of them by ticking "I want to further limit the attributes exported to Azure AD" and then unchecking the attributes you do not want synchronized.

NOTE: you will not be able to uncheck mandatory attributes like userprincipalname, accountenabled…


That's it, you are ready to finalize the configuration. I would recommend unchecking Start synchronization if you want to configure OU-based filtering.

Unchecking this option disables the scheduled task. Don't forget to enable it again after having configured your OU-based filtering.
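A small script makes that last step harder to forget: check whether the sync scheduler is currently disabled and turn it back on only once filtering is in place. This is an added example, not code from the original post or from Microsoft's tool. It assumes the scheduled task is named "Azure AD Sync Scheduler", which is the name used by the AAD Connect release of this period (confirm with Get-ScheduledTask on your server), and it falls back to the ADSync module's built-in scheduler cmdlets (Get-ADSyncScheduler, Set-ADSyncScheduler, Start-ADSyncSyncCycle) for newer builds that no longer use a scheduled task.

```powershell
# Added example: inspect and re-enable the AAD Connect scheduler after
# configuring OU-based filtering. Task name is an assumption; verify locally.
$taskName = 'Azure AD Sync Scheduler'

function Get-SyncSchedulerState {
    # Older builds: a plain Windows scheduled task drives the sync cycle.
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task) {
        return [pscustomobject]@{
            Kind    = 'ScheduledTask'
            Enabled = ($task.State -ne 'Disabled')
        }
    }
    # Newer builds: the ADSync module carries its own scheduler.
    if (Get-Command Get-ADSyncScheduler -ErrorAction SilentlyContinue) {
        $s = Get-ADSyncScheduler
        return [pscustomobject]@{
            Kind    = 'ADSyncScheduler'
            Enabled = [bool]$s.SyncCycleEnabled
        }
    }
    throw 'No AAD Connect scheduler found on this server'
}

function Enable-SyncScheduler {
    $state = Get-SyncSchedulerState
    if ($state.Enabled) {
        Write-Host 'Scheduler already enabled; nothing to do'
        return
    }
    switch ($state.Kind) {
        'ScheduledTask'   { Enable-ScheduledTask -TaskName $taskName | Out-Null }
        'ADSyncScheduler' { Set-ADSyncScheduler -SyncCycleEnabled $true }
    }
    Write-Host "Enabled scheduler ($($state.Kind))"

    # A filter change needs a full import/sync; only available with the
    # ADSync module scheduler, so guard the call.
    if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
        Start-ADSyncSyncCycle -PolicyType Initial
    }
}

# Show the current state, then enable once your OU filtering is done.
Get-SyncSchedulerState
Enable-SyncScheduler
```

Run Get-SyncSchedulerState first while you still have the filtering to do; it should report Enabled = False, which is the state the unchecked wizard option leaves you in.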

