Install the Azure Active Directory Sync Service
Updated: July 22, 2015
Important
This topic will be archived soon.
There is a new product called “Azure Active Directory Connect” that replaces AAD Sync and DirSync.
Azure AD Connect incorporates the components and functionality previously released as DirSync and AAD Sync.
At some point in the future, support for DirSync and AAD Sync will end.
These tools are no longer being updated individually with feature improvements; all future improvements will be included in updates to Azure AD Connect.
The objective of this topic is to provide you with all the information you need to successfully install Azure AD Sync in your environment.
Installation Requirements
The objective of this section is to list the requirements that need to be fulfilled to install Azure AD Sync in your environment.
Azure AD Sync enables you to integrate your on-premises Active Directory Domain Services (AD DS) with your Azure AD directory.
As a consequence, you need access to your on-premises AD DS as well as access to a valid Azure subscription that has an Azure AD directory associated with it.
To install Azure AD Sync, you need a computer running the Windows Server operating system.
The following versions are supported:
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Your computer can be stand-alone, a member server or a domain controller.
The following components need to be installed:
.NET Framework 4.5.1
Windows PowerShell 3.0 or later
You need an account with local administrator privileges on your computer to install Azure AD Sync.
Azure AD Sync requires a SQL Server database to store identity data. By default, a SQL Server Express LocalDB instance (a light version of SQL Server Express) is installed, and the service account for the synchronization service is created on the local machine.
SQL Server Express has a 10 GB database size limit, which is sufficient to manage approximately 100,000 directory objects.
If you need to manage a higher volume of directory objects, you need to point the installation process to a different edition of SQL Server (see the command-line parameters in Installing and configuring Azure AD Sync below).
AAD Sync supports all editions of Microsoft SQL Server from SQL Server 2008 to SQL Server 2014.
Before You Begin
You must have the following steps completed before you can install Azure AD Sync:
Create an AD account to connect to AD DS
Create an account to connect to Azure AD
The following sections provide the related steps.
Create an AD account to connect to AD DS
When you configure Azure AD Sync, you need to provide the credentials of an account that Azure AD Sync uses to connect to your AD DS.
For a basic synchronization a regular user account is sufficient, because the account only needs the default read permissions. Each of the optional features described in the following sections (password synchronization, Exchange hybrid write-back and password write-back) requires additional permissions on this account, so grant only the permissions for the features you actually enable.
The following sections provide more details about the permissions required by the AD DS account and the attributes it needs access to.
Permissions for password synchronization
If you want to enable password synchronization between your on-premises AD DS and your Azure Active Directory, you need to grant the following permissions to the account that Azure AD Sync uses to connect to your AD DS:
Replicating Directory Changes
Replicating Directory Changes All
Both permissions are required to enable the account to read password hashes from your on-premises AD DS. Together they allow the holder to replicate any attribute of any object in the domain, including every account's password hashes, so protect this account's credentials as you would those of a domain administrator and keep the list of principals that hold these rights as short as possible.
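The following script is an added example and is not part of the original topic or the Azure AD Sync tool. It grants the two replication rights described above to the AD DS connector account on the domain root and then lists every principal that holds either right, so that you can confirm the grant and review who else can read password hashes from the domain. It assumes the ActiveDirectory PowerShell module is available, that the connector account is the hypothetical svc-aadsync in the local domain, and that it is run with Domain Admin rights. The two GUIDs are the schema-defined identifiers of the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights.

```powershell
# Added example (not from the original topic): grant the replication rights that password
# synchronization needs, then audit every holder of those rights on the domain root.
# Assumptions: ActiveDirectory module present, connector account 'svc-aadsync' (hypothetical),
# run as a Domain Admin against the domain the computer is joined to.
Import-Module ActiveDirectory

# Control access right GUIDs from the AD schema (Extended-Rights container).
$ReplicationRights = @{
    'DS-Replication-Get-Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
    'DS-Replication-Get-Changes-All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All
}
# Reverse lookup (GUID string -> right name) used when reporting.
$RightNames = @{}
foreach ($kv in $ReplicationRights.GetEnumerator()) { $RightNames[$kv.Value.ToString()] = $kv.Key }

function Grant-ReplicationRights {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $sid = (Get-ADUser -Identity $SamAccountName).SID
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($name in $ReplicationRights.Keys) {
        # One ExtendedRight ACE per replication right, on the domain object itself (no inheritance).
        $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $ReplicationRights[$name],
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        )
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$DomainDN" -AclObject $acl
}

function Get-ReplicationRightHolders {
    # Returns every Allow ACE on the domain root that carries one of the two replication rights.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $RightNames.ContainsKey($_.ObjectType.ToString())
        } |
        Select-Object IdentityReference,
                      @{ Name = 'Right'; Expression = { $RightNames[$_.ObjectType.ToString()] } },
                      IsInherited
}

Grant-ReplicationRights -SamAccountName 'svc-aadsync'
Get-ReplicationRightHolders | Sort-Object IdentityReference, Right | Format-Table -AutoSize
```

The audit output normally contains the built-in Administrators, Domain Admins, Enterprise Domain Controllers and Domain Controllers principals in addition to the connector account; any other entry is worth investigating, since it can also extract password hashes from the domain.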
Office 365 Exchange Hybrid AAD Sync write-back attributes and permissions
If you want to enable rich co-existence between your on-premises Exchange infrastructure and Office 365 (Exchange Hybrid), select the Exchange hybrid deployment optional feature. When you select this feature, AAD Sync writes a set of attributes back to your on-premises environment, which requires write access to those attributes.
The following table lists the attributes, per object type, that require write-back:
Object Type | Data source Attribute
Contact | proxyAddresses
Group | proxyAddresses
User/InetOrgPerson | msExchArchiveStatus
User/InetOrgPerson | msExchBlockedSendersHash
User/InetOrgPerson | msExchSafeRecipientsHash
User/InetOrgPerson | msExchSafeSendersHash
User/InetOrgPerson | msExchUCVoiceMailSettings
User/InetOrgPerson | msExchUserHoldPolicies
User/InetOrgPerson | proxyAddresses
The account you configure in the Connect to Active Directory Domain Services dialog page needs write permissions on the attributes above.
The following table lists the minimum set of permissions required for this account, using DSACLS nomenclature:
Object Type | Data source Attribute | Permission / Access Right | Inheritance
Contact | proxyAddresses | Write | The child objects only
Group | proxyAddresses | Write | The child objects only
User/InetOrgPerson | msExchArchiveStatus | Write | The child objects only
User/InetOrgPerson | msExchBlockedSendersHash | Write | The child objects only
User/InetOrgPerson | msExchSafeRecipientsHash | Write | The child objects only
User/InetOrgPerson | msExchSafeSendersHash | Write | The child objects only
User/InetOrgPerson | msExchUCVoiceMailSettings | Write | The child objects only
User/InetOrgPerson | msExchUserHoldPolicies | Write | The child objects only
User/InetOrgPerson | proxyAddresses | Write | The child objects only
Password write-back and change password permissions
The password write-back feature provides your users with a convenient method to reset their on-premises passwords from the cloud. During the configuration of Azure AD Sync, you can activate password write-back as an optional feature.
For each forest you have configured in Azure AD Sync, the account you specified for that forest in the wizard must be given the “Reset Password” and “Change Password” extended rights on the root object of each domain in the forest. The rights must be marked as inherited by all descendant user objects.
Use the following procedure to set up these permissions for each of the accounts you have configured.
How to configure the “Reset Password” and “Change Password” extended rights
Open Active Directory Users and Computers
At the top, under View make sure that Advanced Features are turned on.
On the left, right-click the root domain and select Properties.
Select the Security tab and click Advanced.
On the Permissions tab, click Add.
Click Select a Principal and select the account that was specified during setup.
In the drop-down, select Descendant User objects.
In the Permissions section select Reset Password and Change Password.
Click Ok. Click Apply. Click Ok.
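The following script is an added example and is not part of the original topic or the Azure AD Sync tool. It covers both preceding sections: it grants the connector account the Write permission on every write-back attribute from the Exchange hybrid table, and the Reset Password and Change Password extended rights for descendant user objects, using dsacls.exe with the “child objects only” inheritance flag (/I:S) that the table specifies. The domain contoso.com and the account CONTOSO\svc-aadsync are assumed placeholders; run it as a Domain Admin on a computer that has the AD DS administration tools installed, once per domain in each forest.

```powershell
# Added example (not from the original topic): grant the Exchange hybrid write-back attribute
# permissions and the password write-back extended rights with dsacls.exe.
# Assumptions: domain DC=contoso,DC=com and account CONTOSO\svc-aadsync are placeholders;
# dsacls.exe is available (AD DS tools); the caller is a Domain Admin.
$DomainDN = 'DC=contoso,DC=com'
$Account  = 'CONTOSO\svc-aadsync'

# Attributes from the write-back table; user and inetOrgPerson share the same list.
$UserAttributes = @(
    'msExchArchiveStatus', 'msExchBlockedSendersHash', 'msExchSafeRecipientsHash',
    'msExchSafeSendersHash', 'msExchUCVoiceMailSettings', 'msExchUserHoldPolicies', 'proxyAddresses'
)
$WriteBackAttributes = @{
    'contact'       = @('proxyAddresses')
    'group'         = @('proxyAddresses')
    'user'          = $UserAttributes
    'inetOrgPerson' = $UserAttributes
}

function Invoke-Dsacls {
    # Runs dsacls.exe and fails loudly, so a rejected grant is not silently skipped.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dsacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# WP = Write Property on one attribute of one object class; /I:S = child objects only.
foreach ($objectType in $WriteBackAttributes.Keys) {
    foreach ($attribute in $WriteBackAttributes[$objectType]) {
        Invoke-Dsacls -Arguments @($DomainDN, '/I:S', '/G', "${Account}:WP;${attribute};${objectType}")
    }
}

# CA = Control Access (extended right), inherited by descendant user objects only.
foreach ($right in @('Reset Password', 'Change Password')) {
    Invoke-Dsacls -Arguments @($DomainDN, '/I:S', '/G', "${Account}:CA;${right};user")
}

# Print the ACEs that now mention the account so the result can be checked against the tables.
& dsacls.exe $DomainDN | Select-String -Pattern ([regex]::Escape($Account))
```

Passing the arguments as an array lets PowerShell quote the values that contain spaces (such as “Reset Password”) correctly for dsacls.exe. Because the script only adds entries, rerunning it is harmless; dsacls reports duplicate ACEs without error.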
Create an account to connect to Azure AD
When you configure Azure AD Sync, you need to provide the credentials of an account that is used by Azure AD Sync to connect to your Azure AD.
You should apply the following best practices to this account:
Create a separate account that is used only by Azure AD Sync.
Configure the account with a strong password that is 16 characters long.
Set the “Password never expires” flag on the account, so that an expired password does not silently stop synchronization.
To set the flag, you can use the following Windows PowerShell command from the MSOnline module:
Set-MsolUser -UserPrincipalName syncaccount@contoso.com -PasswordNeverExpires $True
The account must have Global Administrator selected as its organizational role.
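The following script is an added example and is not part of the original topic. It creates the dedicated Azure AD account with the MSOnline module according to the best practices above: a random 16-character password drawn from a cryptographic random number generator, the “Password never expires” flag set, and the Global Administrator role (named “Company Administrator” in the MSOnline module) assigned. It assumes the MSOnline module is installed and that you sign in as a Global Administrator when prompted; the user principal name syncaccount@contoso.com is the topic's own example value.

```powershell
# Added example (not from the original topic): create the Azure AD Sync cloud account.
# Assumptions: MSOnline module installed; you sign in as a Global Administrator;
# the UPN syncaccount@contoso.com is the example value used in this topic.
Import-Module MSOnline
Connect-MsolService

function New-StrongPassword {
    # Random password from a CSPRNG. Rejection sampling avoids modulo bias; the outer loop
    # guarantees all four character classes so the Azure AD complexity rules are met.
    param([int]$Length = 16)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer   = New-Object byte[] 1
    $limit    = 256 - (256 % $alphabet.Length)
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $limit) { $chars.Add($alphabet[$buffer[0] % $alphabet.Length]) }
        }
        $password = -join $chars
    } until ($password -cmatch '[A-Z]' -and $password -cmatch '[a-z]' -and
             $password -match '[0-9]'  -and $password -match '[^A-Za-z0-9]')
    $password
}

$Upn      = 'syncaccount@contoso.com'
$Password = New-StrongPassword -Length 16

# Dedicated account, password never expires, no forced change at first sign-in.
New-MsolUser -UserPrincipalName $Upn -DisplayName 'Azure AD Sync service account' `
             -Password $Password -ForceChangePassword $false -PasswordNeverExpires $true | Out-Null

# Global Administrator is exposed as "Company Administrator" by the MSOnline cmdlets.
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $Upn

# Verify the two settings the wizard depends on.
Get-MsolUser -UserPrincipalName $Upn | Select-Object UserPrincipalName, PasswordNeverExpires, BlockCredential
$roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
Get-MsolRoleMember -RoleObjectId $roleId | Where-Object { $_.EmailAddress -eq $Upn }

# Record $Password in your password vault before closing this session; it is needed once, in the wizard.
```

The generated password is never written to the console by the script; copy it from the $Password variable into your vault, because the account is used only by the synchronization wizard and must not be used for interactive sign-in.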
Installing and configuring Azure AD Sync
You can download the most recent version of Azure AD Sync using the following link: https://go.microsoft.com/fwlink/?LinkId=511690
To start the installation process, launch the executable called MicrosoftAzureADConnectionTool.exe.
This self-extracting executable puts all required files on the local drive and starts the installation process.
If you cancel the installation procedure, a shortcut is created in the Start menu and on the desktop.
If you need to use a full SQL Server instance, or a domain account as the service account, you need to cancel the wizard at this point. Up to this point, the installation process has already created a local folder that contains the Azure AD Sync files. You need the content of this folder to rerun the installation process with parameters.
To rerun the installation process, perform the following steps:
Open a command prompt, and then go to C:\Program Files\Microsoft Azure AD Connection Tool.
Start the wizard again with the following parameters (the values in angle brackets are placeholders for your environment):
DirectorySyncTool.exe /sqlserver localhost /sqlserverinstance <InstanceName> /serviceAccountDomain <Domain> /serviceAccountName <ServiceAccountName> /serviceAccountPassword <Password>
Note
If you want to use the default SQL Server instance, omit the /sqlserverinstance parameter. The service account password passed on the command line is visible in the console's command history and in the process's command line while the wizard runs, so run this command from a console you close afterwards rather than from a saved script.
At this point, you are ready to complete the dialog pages that are associated with the installation process.
To install the Azure AD Sync tool, you need to complete the following dialog pages:
Install
Connect to Azure Active Directory
Connect to Active Directory Domain Services
Configure User Matching
Optional features
Azure AD Apps
Azure AD attributes
Ready to configure
Finished
Install
As a first step of the installation process, you need to agree to the license terms and conditions and specify the installation location for Azure AD Sync.
Connect to Azure Active Directory
To connect to your Azure AD directory, the Azure AD Sync tool needs the credentials of an account with sufficient permissions.
For more details, see Create an account to connect to Azure AD.
Connect to Active Directory Domain Services
To connect to your Active Directory Domain Service, the Azure AD Sync tool needs the credentials of an account with sufficient permissions.
For more details, see Create an AD account to connect to AD DS.
Configure User Matching
On this page, you need to configure the following:
Matching across forests
Matching with Azure AD
Matching across forests
The Matching across forests feature allows you to define how users from your AD DS forests are represented in Azure AD.
A user might either be represented only once across all forests, or have a combination of enabled and disabled accounts in different forests.
Setting | Description
My users are only represented once across all forests | All users are created as individual objects in Azure AD. The objects are not joined in the metaverse.
Mail attribute | This option joins users and contacts if the mail attribute has the same value in different forests. It is recommended to use this option when your contacts have been created using GALSync.
ObjectSID and msExchangeMasterAccountSID | This option joins an enabled user in an account forest with a disabled user in an Exchange resource forest. This is also known as a linked mailbox in Exchange.
sAMAccountName and MailNickName | This option joins on attributes where the login ID for the user is expected to be found.
My own attribute | This option allows you to select your own attribute. Limitation in CTP: make sure to pick an attribute that already exists in the metaverse. If you pick a custom attribute, the wizard will not be able to complete.
Matching with Azure AD
Use this option to specify the attribute that Azure AD Sync uses as the sourceAnchor, the identifier that also serves as the user's immutable ID in identity federation. The sourceAnchor attribute must not change during the lifetime of a user object. In single-forest environments where accounts are never moved between forests, objectGUID is a good candidate. If users are moved between forests or domains, an alternative attribute must be selected.
The userPrincipalName attribute is the user's login ID in Azure AD. By default, the userPrincipalName attribute in AD DS is used. If this attribute is not routable or not suitable as the login ID, a different attribute, such as mail, can be selected in the wizard.
Optional features
If you have an Exchange hybrid deployment, select the Exchange hybrid deployment checkbox. This writes some attributes back from Exchange Online to the on-premises Active Directory, using the write-back permissions described earlier in this topic.
Password write-back is an Azure Active Directory Premium feature. For more information on how to configure it, see https://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx.
If you want to review or limit the attributes that are synchronized with Azure AD, select Azure AD app and attribute filtering. You will then get two additional pages in the wizard.
For more information about password synchronization, see Implement password synchronization with Azure Active Directory Sync.
Azure AD Apps
If you want to limit which attributes are synchronized to Azure AD, start by selecting which services you are using. If you configure this page, any new service you adopt later has to be selected explicitly by re-running the installation wizard.
Azure AD attributes
Based on the services selected in the previous step, this page shows all attributes that will be synchronized. The list is a combination of the attributes of all object types being synchronized. If there are particular attributes you need to keep out of Azure AD, unselect them; for example, if extensionAttributes and homePhone are unselected, they will not be synchronized to Azure AD.
Ready to configure
This page provides you with summary of your configuration. You should carefully review this summary before you proceed with the next page.
If this step fails with an “Unable to communicate with the Windows Azure Active Directory service” error and you have a proxy server configured, you should add proxy settings to the “machine.config” file of your Azure AD Sync computer, so that the .NET Framework components used by the wizard route their HTTPS connections through the proxy.
For more details, see <proxy> Element (Network Settings).
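The following script is an added example and is not part of the original topic. It writes the <system.net><defaultProxy><proxy …/></defaultProxy></system.net> section into the 64-bit .NET Framework 4 machine.config, after taking a timestamped backup, and prints the resulting section so that it can be compared with the <proxy> element documentation. The proxy address http://proxy.contoso.com:8080 is an assumed placeholder, and the script assumes the proxy accepts the Windows credentials of the account running the wizard (useDefaultCredentials). Run it from an elevated PowerShell session on the Azure AD Sync computer.

```powershell
# Added example (not from the original topic): add a defaultProxy section to machine.config.
# Assumptions: 64-bit .NET Framework 4 machine.config; proxy http://proxy.contoso.com:8080 is a
# placeholder; the proxy accepts the caller's Windows credentials; the session is elevated.
$machineConfig = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
$proxyAddress  = 'http://proxy.contoso.com:8080'

# Keep a copy of the file before touching a machine-wide setting.
$backup = "$machineConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $machineConfig -Destination $backup

[xml]$config = Get-Content -Path $machineConfig -Raw

# Ensure <configuration><system.net> exists.
$systemNet = $config.configuration.SelectSingleNode('system.net')
if (-not $systemNet) {
    $systemNet = $config.configuration.AppendChild($config.CreateElement('system.net'))
}

# Replace any existing <defaultProxy> so the file ends up with exactly one, well-formed section.
$existing = $systemNet.SelectSingleNode('defaultProxy')
if ($existing) { [void]$systemNet.RemoveChild($existing) }

$defaultProxy = $systemNet.AppendChild($config.CreateElement('defaultProxy'))
$defaultProxy.SetAttribute('enabled', 'true')
$defaultProxy.SetAttribute('useDefaultCredentials', 'true')   # authenticate to the proxy as the calling Windows identity

$proxy = $defaultProxy.AppendChild($config.CreateElement('proxy'))
$proxy.SetAttribute('usesystemdefault', 'true')
$proxy.SetAttribute('proxyaddress', $proxyAddress)
$proxy.SetAttribute('bypassonlocal', 'true')

$config.Save($machineConfig)

# Show the section that was written, plus where the backup went.
$config.configuration.SelectSingleNode('system.net').OuterXml
"Backup written to $backup"
```

Because machine.config applies to every .NET Framework 4 application on the computer, keep the change on the dedicated Azure AD Sync server only, and restore the backup if other software on the machine starts failing to reach local resources through the proxy.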
Finished
A default configuration has now been created and if you are ready to start synchronizing, then click Finish.
If you need to make some additional configuration before you start synchronization, then unselect the Synchronize now checkbox before you click Finish. This will create a disabled task in task scheduler. When you are done with your configuration, start the periodic synchronization by enabling this task.
See Also
Concepts
Azure Active Directory Sync
Azure Active Directory Sync Version Release History
Implement password synchronization with Azure Active Directory Sync