Microsoft Syncing On-premises and Cloud Active Directory Services

Despite multiple options for syncing Active Directory (AD) accounts, Microsoft knows it needs to make syncing between on-premises and cloud servers as seamless as possible in order to keep growing market and mind share for its cloud platform, Microsoft Azure.

Thus the company has launched another preview of its Azure AD Connect solution to let enterprises conduct "in-place upgrades" from the older Microsoft Directory Synchronization (DirSync) or Azure AD Synchronization Service tools, if they're in current use. The Redmond software giant also improved Azure AD Connect by letting IT staffers connect only segments of their AD user base to the Azure AD service, so a pilot group can be synced and tested before sync is rolled out to the whole directory.

One reason to sync to the Azure AD service is that it enables end users to use their on-premises passwords to access their local apps as well as services delivered from the cloud (password sync copies a hash derived from the on-premises password hash, not the password itself). Microsoft actually has four tools with AD sync capabilities: DirSync, Azure AD Sync, Azure AD Connect and Forefront Identity Manager 2010 R2. Microsoft is gradually rolling up most of the sync capabilities into its Azure AD Connect solution. Azure AD Connect is basically a wizard that executes complex configurations involving Active Directory Federation Services (AD FS, a Windows Server role), the sync service and the Azure AD PowerShell module.
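The following PowerShell script is an added example, not code from the article or from Microsoft's tooling. It uses the Azure AD PowerShell module (MSOnline) and the ActiveDirectory RSAT module to do the two checks an administrator running a filtered pilot sync would want: confirm that sync is enabled and ran recently, and confirm that the set of synced users in Azure AD matches the pilot OU on premises. The OU path and domain names are placeholders; the comparison relies on Azure AD's ImmutableId being the Base64 encoding of the on-premises objectGUID, which is the default source anchor.

```powershell
# Added example: verify directory sync state and pilot-OU identity mapping.
# Assumes the MSOnline (Azure AD PowerShell) module and the ActiveDirectory
# RSAT module are installed; the OU path and domain below are placeholders.
Import-Module MSOnline
Import-Module ActiveDirectory

Connect-MsolService   # prompts for an Azure AD global administrator credential

# 1. Confirm sync is enabled and when the last cycle ran. A stale
#    LastDirSyncTime means on-premises disablements and password changes
#    are no longer reaching the cloud.
$info = Get-MsolCompanyInformation
$info | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                      PasswordSynchronizationEnabled, LastPasswordSyncTime

# 2. Build the expected cloud anchor (ImmutableId) for each pilot-OU user.
#    The default anchor is the Base64 form of the on-premises objectGUID.
$pilotOU  = 'OU=PilotUsers,DC=corp,DC=example,DC=com'   # placeholder
$expected = @{}
Get-ADUser -SearchBase $pilotOU -Filter * | ForEach-Object {
    $anchor = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
    $expected[$anchor] = $_.UserPrincipalName
}

# 3. Pull every synced (not cloud-only) user from Azure AD and compare.
$synced = Get-MsolUser -All | Where-Object { $_.ImmutableId }

$unexpected = $synced | Where-Object { -not $expected.ContainsKey($_.ImmutableId) }
$missing    = $expected.Keys | Where-Object { $_ -notin $synced.ImmutableId }

"Synced users outside the pilot OU (filtering gap): $($unexpected.Count)"
$unexpected | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
"Pilot users not yet present in Azure AD: $($missing.Count)"
$missing | ForEach-Object { $expected[$_] }
```

Users that appear in the "outside the pilot OU" list indicate that the OU or attribute filter is wider than intended, which is worth catching before the pilot grows; an account that was created cloud-only and later matched to an on-premises object shows up with the objectGUID-based anchor once sync has taken it over, so it is counted as synced here.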

The DirSync tool is subject to deprecation, meaning that Microsoft isn't planning to actively develop that tool in the future, but it still may be the tool of choice for some organizations' needs. Currently, Microsoft recommends using Azure AD Sync as the main tool for carrying out sync tasks. However, Azure AD Connect, currently in preview, is where Microsoft seems to be heading.

As for Forefront Identity Manager 2010 R2, Microsoft has previously indicated that it will be superseded by a new Microsoft Identity Manager product, which is expected to arrive sometime in the first half of this year.

Still, which tool an organization chooses depends on which features it wants supported when syncing up to the Azure AD service. IT pros can check the status of feature support for a given sync tool by referencing Microsoft's Directory Integration Tools page.

In a Web presentation, "Extend Your Existing Active Directory to the Cloud," Adam Bresson, a senior product marketing manager at Microsoft, said that organizations should "use Azure AD Sync now" as their main sync tool. Here's Microsoft's advice, as explained by Bresson:

Most important here is that we began with DirSync. DirSync plus ADFS will be supported for the next year. But we urge you to move IT pros to Azure Active Directory Sync. With Azure Active Directory connected … for the next several months and generally available, it will upgrade the version of Azure Active Directory Sync. So, by installing Azure Active Directory Sync today, you are future proofing the installation and the sync configuration. The goal here is Azure Active Directory Connect, which combines all of the features of Azure Active Directory Sync plus the additional installation options in Azure Active Directory Connect.

Bresson presented a slide showing that Azure AD Connect will have all of the features of Azure AD Sync, and more, with a product rollout expected in the first half of this year (see Figure 1).

Figure 1. The three Microsoft Active Directory sync tools and their capabilities. Source: Microsoft Web presentation.

Organizations currently using DirSync should consider upgrading to Azure AD Sync in the next six months, according to Bresson. His presentation, which shows how to set up the Azure AD Sync solution, is now available on demand.

One of the current big limitations of the older DirSync tool is that it can't connect multiple on-premises forests to the Azure AD service. In such cases, organizations can use the Azure AD Sync tool or Forefront Identity Manager 2010 R2 right now. Alternatively, they can take their chances with using the Azure AD Connect Preview, although that's not recommended for production environments.

Quite a lot of the features in the Azure AD Connect Preview are still at the Preview stage, even with this second Preview release. For instance, features such as password writeback, user writeback, group writeback, device writeback, device sync and directory extension attribute sync are all considered to be at the "Preview" stage of development with this release. The writeback features deserve particular care, since they let changes made in the cloud modify on-premises AD objects, rather than only reading from the on-premises directory.

For organizations trying to configure Azure AD Sync behind a proxy server, Microsoft has specific instructions about having certain ports open, as described in this blog post. Additional links for troubleshooting such setups can be found in this post.
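The script below is an added example, not part of the article or of Microsoft's instructions, for pre-checking outbound connectivity from a sync server that sits behind a proxy. The proxy address and the host/port list are placeholders to be replaced with the authoritative list from Microsoft's instructions; the list is only there to show the shape of the check. It probes each endpoint twice: a direct TCP probe, and an HTTP request sent through the explicit proxy the way the sync service would send it.

```powershell
# Added example: outbound connectivity pre-flight for a sync server behind
# a proxy. The proxy URL and endpoint list are placeholders; take the
# authoritative host/port list from Microsoft's documentation.
$proxy = 'http://proxy.corp.example.com:8080'   # placeholder

# Placeholder endpoints: Azure AD sign-in and provisioning endpoints on
# TCP 443, plus a CRL distribution point on TCP 80 for certificate checks.
$endpoints = @(
    @{ Host = 'login.microsoftonline.com';           Port = 443 },
    @{ Host = 'provisioningapi.microsoftonline.com'; Port = 443 },
    @{ Host = 'crl.microsoft.com';                   Port = 80  }
)

# 1. Direct TCP probe (meaningful where the proxy is transparent or bypassed).
foreach ($e in $endpoints) {
    $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,-40} {1,4} {2}' -f $e.Host, $e.Port, $state
}

# 2. HTTPS probe through the explicit proxy. Any HTTP status from the
#    endpoint (even 4xx) proves the path is open; a proxy 407 or a timeout
#    means the proxy needs authentication or an allow-list entry.
foreach ($e in $endpoints | Where-Object { $_.Port -eq 443 }) {
    try {
        $resp = Invoke-WebRequest -Uri ('https://{0}/' -f $e.Host) -Proxy $proxy `
                                  -UseBasicParsing -TimeoutSec 15
        '{0,-40} HTTP {1}' -f $e.Host, $resp.StatusCode
    } catch {
        '{0,-40} {1}' -f $e.Host, $_.Exception.Message
    }
}
```

Run it as the account the sync service uses, not as an interactive administrator: the service does not inherit a user's browser proxy settings, so a probe that succeeds under the admin's profile can still fail for the service if the machine-wide proxy configuration is missing.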

Microsoft also offers a more user-friendly description about setting up these tools in its book, "Exam Ref 70-533 Implementing Microsoft Azure Infrastructure Solutions." The book is available through the Microsoft Press Store, but Microsoft posted some of the chapters for free in a recent blog post. Some of the info is dated, though, due to the recent Microsoft tool updates.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.