How to Install and Setup AAD Sync Tool


Let's look at the Azure AD Sync installation and at how it improves on DirSync, even though it is only in preview. It is the designated replacement for DirSync.

Microsoft is really pushing cloud computing, as IaaS or SaaS, but we do not live in a cloud-only world yet. Everyone knows that, Microsoft included, which is why it keeps improving the integration between cloud and on-premises collaboration.

Source: http://tinyurl.com/kz5gruu
TechNet Wiki AADSync

As mentioned in the source, the tool is only in preview at the moment, so register and get a download link from the Microsoft team developing it.

Filename: MicrosoftAzureADConnectionTool.exe
Filesize: 47.5 MB (48,637 KB on disk)

Prereqs:
Server: Windows Server 2012 R2 recommended (2008 R2 or later)
.NET Framework 3.5 with all updates

1. Run the self-extracting package; it launches the setup afterwards.


Choose the installation directory and agree to the license terms.


Remember .NET Framework 3.5 with all updates, or you will end up googling error code 1603, which by itself tells you nothing: it is the generic "fatal error during installation" code that Windows Installer returns for any failed setup.
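The checks below are an added example, not part of the original post: they verify the prerequisites and the downloaded installer before the wizard runs, so a missing .NET 3.5 or a tampered download is caught here instead of surfacing as error 1603. They assume Windows Server 2012 R2 with PowerShell 4.0 (for Get-WindowsFeature, Install-WindowsFeature and Get-FileHash); the installer path and the install-media drive letter are placeholders.

```powershell
# Added example, not from the original post: check the AAD Sync prerequisites
# and the installer itself before launching MicrosoftAzureADConnectionTool.exe.
# Assumptions: Server 2012 R2 / PowerShell 4.0, the installer path below and
# the drive letter of the install media.
$installer = 'C:\Install\MicrosoftAzureADConnectionTool.exe'
$sxsSource = 'D:\sources\sxs'     # install media; needed for an offline .NET 3.5 install

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"OS: $($os.Caption) (version $($os.Version))"
if ([version]$os.Version -lt [version]'6.1') {
    throw 'Windows Server 2008 R2 (NT 6.1) or later is required.'
}

# .NET Framework 3.5 is a feature on demand on Server 2012/2012 R2 and its
# payload is not on the box by default; a setup that trips over this is the
# classic cause of error 1603.
Import-Module ServerManager
$net35 = Get-WindowsFeature -Name NET-Framework-Core
if (-not $net35.Installed) {
    Write-Warning '.NET Framework 3.5 is missing; installing it from media.'
    Install-WindowsFeature -Name NET-Framework-Core -Source $sxsSource
}

# "All updates" is the other half of the prerequisite: see when the server
# last took patches before trusting the .NET build on it.
Get-HotFix | Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 5 -Property HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# The preview arrives as an e-mailed download link, so verify what you got:
# the Authenticode signature must be valid and belong to Microsoft, and the
# size should match the 48,637 KB quoted above. Keep the hash in your change record.
$fi  = Get-Item -Path $installer
$sig = Get-AuthenticodeSignature -FilePath $installer
'Size on disk: {0:N0} KB' -f [math]::Round($fi.Length / 1KB)
'Signature: {0}, signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw 'Installer signature is missing, invalid or not from Microsoft; do not run it.'
}
Get-FileHash -Path $installer -Algorithm SHA256 | Select-Object -Property Hash
```

On a 2008 R2 host the feature cmdlets are Add-WindowsFeature and the Installed property is the same, but Get-FileHash is not available before PowerShell 4.0; the signature check works on both.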


2. Next we connect to our Azure AD with a Global Administrator account. The wizard uses this account to configure synchronization in the tenant, so use a dedicated administrator account rather than a shared one, and enter it interactively instead of storing it anywhere:


But directory synchronization must be activated in your tenant first:
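The script below is an added example, not code from the original post: it confirms the tenant is ready for step 2 before the wizard asks for credentials. It uses the MSOnline module (the Azure Active Directory Module for Windows PowerShell that the 2014 tooling relied on); the interactive prompt is where the Global Administrator signs in.

```powershell
# Added example, not from the original post: confirm directory synchronization
# is activated in the tenant and see which Global Administrator accounts exist
# before handing one of them to the AAD Sync wizard. Assumes the MSOnline module.
Import-Module MSOnline
Connect-MsolService                      # sign in with the Global Administrator

# Activation is asynchronous, so poll instead of assuming it took effect.
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning "DirSync is not enabled for '$($company.DisplayName)'; enabling it."
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    do {
        Start-Sleep -Seconds 60
        $company = Get-MsolCompanyInformation
    } until ($company.DirectorySynchronizationEnabled)
}
'DirSync enabled : {0}' -f $company.DirectorySynchronizationEnabled
'Last sync       : {0}' -f $company.LastDirSyncTime

# The wizard wants a Global Administrator; the MSOnline cmdlets call that role
# "Company Administrator". Listing its members shows which account you are
# about to use and how many such accounts the tenant has.
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId
'Global Administrators: {0}' -f @($admins).Count
$admins | Select-Object -Property DisplayName, EmailAddress | Format-Table -AutoSize

# Verified domains matter for the identity step later: a user's UPN suffix must
# be one of these, or the cloud account is created with an onmicrosoft.com UPN.
Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -Property Name, Authentication | Format-Table -AutoSize
```

If the Global Administrator list is longer than the handful of people who actually need it, trim it before starting a synchronization project; every one of those accounts can change what the sync writes into the tenant.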


3. Connect to your local Active Directory Domain Services with an Enterprise Admin account, once for each forest you want to synchronize. This is the most privileged credential the wizard ever sees, so run the installation from a trusted host and type it in interactively.


This is where the Azure AD Sync tool beats DirSync: it supports multiple forests with a trust between them.


4. Synchronization Options


Account join: if your users are represented in several of the forests you intend to synchronize to AAD, you can choose an attribute that determines whether two objects are the same user and should be joined into one cloud account.

Identity federation: choose which attribute is your federated identity. The source anchor must be an immutable ID, one that never changes for the lifetime of the object; if it changes later, the on-premises object no longer matches its cloud account. For the sign-in name we will mostly use the userPrincipalName, as this is the user name Office 365 users sign in with.
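The script below is an added example, not part of the original post: before committing to an account-join attribute and to the UPN as sign-in name, it checks that both are populated and unique across the forests you are about to connect. The forest names and the join attribute (mail) are assumptions; replace them with your own.

```powershell
# Added example, not from the original post: sanity-check the account-join
# attribute and the UPN across several forests before the first sync.
# Assumptions: the forest names and the choice of 'mail' as join attribute.
Import-Module ActiveDirectory
$forests  = 'corp.example.com', 'subsidiary.example.net'
$joinAttr = 'mail'

# Query each forest's global catalog (port 3268) so every domain in the forest
# is covered by one call; mail and userPrincipalName are in the GC's partial
# attribute set.
$users = foreach ($f in $forests) {
    Get-ADUser -Server "${f}:3268" -Filter * -Properties $joinAttr, userPrincipalName |
        Select-Object -Property @{ n = 'Forest'; e = { $f } },
                                DistinguishedName, UserPrincipalName, ObjectGUID,
                                @{ n = 'JoinValue'; e = { $_.$joinAttr } }
}
'Users read: {0}' -f @($users).Count

# 1. Objects with no join value can never be matched to their twin in the other
#    forest and would end up as two separate cloud users.
$noJoin = $users | Where-Object { [string]::IsNullOrEmpty($_.JoinValue) }
'Missing {0}: {1}' -f $joinAttr, @($noJoin).Count
$noJoin | Select-Object -Property Forest, DistinguishedName | Format-Table -AutoSize

# 2. The same join value on two objects inside ONE forest makes the join
#    ambiguous; the same value in different forests is the intended case.
$users | Where-Object { $_.JoinValue } |
    Group-Object -Property Forest, JoinValue |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Ambiguous join in $($_.Group[0].Forest): $($_.Group[0].JoinValue)" }

# 3. userPrincipalName becomes the cloud sign-in name and must be unique in the
#    tenant, so the same UPN on objects that do NOT share a join value is a
#    collision rather than a join.
$users | Where-Object { $_.UserPrincipalName } |
    Group-Object -Property UserPrincipalName |
    Where-Object {
        $_.Count -gt 1 -and
        @($_.Group | Select-Object -ExpandProperty JoinValue -Unique).Count -gt 1
    } |
    ForEach-Object { "UPN collision: $($_.Name)" }

# objectGUID (the default source anchor) never changes for the life of the
# object, which is exactly the property the anchor needs; a business attribute
# that someone can edit is the wrong choice for it.
```

Run this from a host that can reach a global catalog in every forest; the collision list is what you fix in AD before the first sync, because once the objects exist in the tenant under the wrong identity the cleanup is considerably more work.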

5. Enable Exchange Hybrid Deployment


Exchange Hybrid needs certain attributes written back to on-premises Active Directory objects when mailboxes are moved to Exchange Online; ticking this box allows AAD Sync to do so. Note that this is a write path from the cloud back into your directory, not just an export from it.

6. Summary before installation


7. Finished :)


Tick the box to start synchronization now, or leave it unticked if you want to change settings before the first sync. That can save you one manual full sync.

8. Synchronizing status


Just a new graphical status view for the synchronization process.

9. Changes from DirSync

Support for Multiple Forests.

Support for different federation ID attributes, although AAD does not yet support anything other than the UPN as the user name. I tried specifying the mail attribute, but it still chose the UPN as the user name in AAD/Office 365.

Exchange Hybrid is NOT supported in the AAD Sync tool beta.

Licensing a user in Office 365 will delete the usageLocation attribute. To avoid this, follow these steps:

  1. Create a new inbound synchronization rule for the AAD connector.
  2. Set it to "Join" with precedence 4000.
  3. Leave the scope empty (apply to all) and, on join, use "sourceAnchor to sourceAnchor".
  4. Add an inbound attribute flow from usageLocation to usageLocation.

This rule makes the AAD connector contribute the usageLocation attribute to the metaverse (MV) and prevents the attribute from being deleted.
If the issue has already occurred in your environment:

  1. Delete the contents of the AAD connector space.
  2. Run an import and a sync.
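The script below is an added example, not part of the original post: it finds synchronized users whose usageLocation has already been lost and writes the value back in the cloud, so licensing works while you add the rule above and re-import the AAD connector space. It uses the MSOnline module; the country code and the CSV path are assumptions.

```powershell
# Added example, not from the original post: audit and restore usageLocation
# on synchronized users after the preview bug described above has cleared it.
# Assumptions: MSOnline module, the default country code and the backup path.
Import-Module MSOnline
Connect-MsolService

$defaultLocation = 'NO'                      # ISO 3166-1 alpha-2 code, assumption
$backup          = 'C:\Temp\usageLocation-before.csv'

# Only synchronized users (LastDirSyncTime set) are affected by the connector
# rule; cloud-only users are left alone.
$synced  = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime }
$missing = $synced | Where-Object { [string]::IsNullOrEmpty($_.UsageLocation) }
'Synced users: {0}, without usageLocation: {1}' -f @($synced).Count, @($missing).Count

# Licensed users without a usageLocation are the visible symptom; show them first.
$missing | Where-Object { $_.IsLicensed } |
    Select-Object -Property UserPrincipalName, ImmutableId, IsLicensed |
    Format-Table -AutoSize

# Keep a record before changing anything, then restore the attribute. The value
# is written in the cloud; once the inbound rule is in place it flows into the
# metaverse and survives later sync cycles instead of being cleared again.
$missing | Select-Object -Property UserPrincipalName, ImmutableId, UsageLocation |
    Export-Csv -Path $backup -NoTypeInformation
foreach ($u in $missing) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $defaultLocation
}

# Verify the write took effect.
$still = Get-MsolUser -All |
    Where-Object { $_.LastDirSyncTime -and [string]::IsNullOrEmpty($_.UsageLocation) }
'Still missing usageLocation: {0}' -f @($still).Count
```

A single default country is only right for a single-country tenant; in a multi-country deployment derive the value from an on-premises attribute instead of hard-coding it, since usageLocation decides which services a user may legally be licensed for.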

Scheduled synchronization through Task Scheduler does not work as intended, but it can be achieved with a workaround: a VBS script run from Task Scheduler.
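As an added example, not from the original post, the same workaround can be registered with the ScheduledTasks module on Server 2012 R2 rather than a VBS wrapper. It assumes that the command-line sync client lives at the path below and accepts a 'delta' argument (true for the released AAD Sync build; check the Bin folder of the preview) and uses a three-hour cadence like DirSync's default.

```powershell
# Added example, not from the original post: register the periodic delta sync as
# a scheduled task. Assumptions: the client path, the 'delta' argument and the
# three-hour interval.
$exe = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'
if (-not (Test-Path -Path $exe)) { throw "Sync client not found at $exe" }

$action  = New-ScheduledTaskAction -Execute $exe -Argument 'delta'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
               -RepetitionInterval (New-TimeSpan -Hours 3) `
               -RepetitionDuration ([TimeSpan]::MaxValue)

# Run as LocalSystem: no domain credential is stored in the task, and the
# client only has to talk to the local sync service. Never put the Enterprise
# Admin or Global Administrator account used during setup in here.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Skip a new run while the previous one is still going, and cap the run time so
# a hung sync cannot block every later cycle.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
                -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

Register-ScheduledTask -TaskName 'Azure AD Sync delta' `
    -Description 'Periodic delta synchronization to Azure AD' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null

# Confirm it registered; after the first run LastTaskResult should be 0.
Get-ScheduledTask -TaskName 'Azure AD Sync delta' | Get-ScheduledTaskInfo |
    Select-Object -Property TaskName, LastRunTime, LastTaskResult, NextRunTime
```

Whatever wrapper you end up with, keep the credential out of it: a script that logs in with a stored admin password to kick off a sync is a bigger exposure than the missing scheduler it works around.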

Password writeback is not available with the Azure AD Sync tool.

Password synchronization is not available either.

See also: Technet Social Wiki Article 24057
