Directory Sync isn’t everybody’s cup of tea, but if you are working with Office 365, it’s quite important. Before I explain what’s new about Azure AD Sync – let’s take a moment to quickly recap on what Directory Sync does, what your current options are and why Azure AD Sync is especially interesting.
If you plan on keeping Office 365 connected to your on-premises Active Directory, then you need something sitting in the middle to keep accounts in sync with Azure Active Directory, the cloud service used for identity management in Office 365. Azure AD isn’t like your normal on-premises AD as it’s a multi-tenant service run by Microsoft that requires software in the middle to create copies of your on-premises AD accounts in the cloud.
Typically the tool you will use to keep things in sync is the Windows Azure Active Directory Sync Tool, or DirSync to its friends. This monitors changes in the local AD, then connects via a web service to Office 365 and Azure AD to update the copies of those accounts. Select changes are written back from Azure AD to the local Active Directory in Hybrid environments, but for the most part it is a one-way relationship, and the user accounts synchronized to Office 365 and Azure AD become read-only in the cloud.
DirSync is effectively a software appliance installed on Windows, but under the hood it runs Microsoft’s premier identity management product, Forefront Identity Manager. This must be left mostly as is, apart from a few select changes to filter what is synchronized. It works well in single-forest environments and it’s the go-to choice for most environments, even some multi-forest environments.
If you have a more complicated environment, things can become a little more tricky. There are a range of options for multi-forest environments, ranging from using DirSync in one of the forests and migrating mailboxes from the other forests into that forest as a “bridge”, to using the full-fat, fully-licensed Forefront Identity Manager with the Azure AD Connector to synchronize multiple forests.
Whichever option you choose, it can be complicated, and usually my job is to help smooth over many of the creases that make migrations like this difficult. Right now, though, there is no perfect solution that makes complicated multi-forest scenarios easier. The introduction of Multi-Forest Hybrid support in Exchange 2013 Service Pack One means that multi-forest migrations direct to a single Office 365 tenant are easier from an Exchange perspective, but they still need solid directory sync to make it all work.
This is where Azure AD Sync comes in. The Azure AD Sync preview provides the next generation of directory synchronisation for multi-forest environments and makes setup and configuration much, much easier and, more importantly, easy to support and keep up to date. At the moment, in preview, Azure AD Sync doesn’t yet do Hybrid scenarios – though I would expect that to come before its release – but it does cover off many of the multi-forest scenarios, such as resource forests, multiple Exchange organizations, and the intricacies that can cause issues, such as allowing a suitable immutableID to be chosen for scenarios where cross-forest moves exist.
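To illustrate why choosing a suitable immutableID matters for cross-forest moves, here is a small simulation I have added for this post (it is not code from DirSync, Azure AD Sync or Microsoft). DirSync derives a user’s ImmutableId from the on-premises objectGUID, Base64-encoded in the byte order AD returns it. When a user is moved to another forest, the new object gets a new objectGUID, so the default anchor no longer matches the cloud account. The sample directory objects, GUIDs and the choice of extensionAttribute15 as a stable anchor are all constructed for the example; the stable attribute is a hypothetical choice, not a documented Azure AD Sync setting.

```python
import base64
import uuid


def immutable_id_from_guid(object_guid) -> str:
    """Encode an objectGUID the way DirSync builds an ImmutableId.

    AD returns the GUID as 16 raw bytes in mixed-endian layout, which is what
    .NET Guid.ToByteArray() and Python's UUID.bytes_le both produce.
    """
    if isinstance(object_guid, str):
        object_guid = uuid.UUID(object_guid)
    return base64.b64encode(object_guid.bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> uuid.UUID:
    """Reverse the encoding, rejecting anything that is not a 16-byte GUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to a 16-byte GUID")
    return uuid.UUID(bytes_le=raw)


def source_anchor(ad_object: dict, anchor_attribute: str = "objectGUID") -> str:
    """Compute the anchor value sync would present for an AD object."""
    value = ad_object[anchor_attribute]
    if isinstance(value, uuid.UUID):
        return immutable_id_from_guid(value)
    return value  # already-encoded stable anchor carried across the move


def anchors_match(cloud_user: dict, ad_object: dict,
                  anchor_attribute: str = "objectGUID") -> bool:
    """True if the on-premises object would be joined to the cloud account."""
    return cloud_user["ImmutableId"] == source_anchor(ad_object, anchor_attribute)


def simulate_cross_forest_move() -> dict:
    """Constructed scenario: a user is synced from forest A, then moved to forest B."""
    # Constructed sample objects; GUIDs are arbitrary, not real directory data.
    forest_a_user = {
        "sAMAccountName": "jdoe",
        "objectGUID": uuid.UUID("11111111-2222-3333-4444-555555555555"),
    }
    cloud_user = {
        "UserPrincipalName": "jdoe@example.com",
        "ImmutableId": source_anchor(forest_a_user),
    }
    # The migrated object in forest B is a new object with a new objectGUID.
    # extensionAttribute15 is a hypothetical place to carry the original anchor.
    forest_b_user = {
        "sAMAccountName": "jdoe",
        "objectGUID": uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
        "extensionAttribute15": cloud_user["ImmutableId"],
    }
    return {
        "default_anchor_matches": anchors_match(cloud_user, forest_b_user),
        "stable_anchor_matches": anchors_match(
            cloud_user, forest_b_user, "extensionAttribute15"),
    }


if __name__ == "__main__":
    print(simulate_cross_forest_move())
```

With the default objectGUID anchor the moved object does not join to the existing cloud account (which in practice means a duplicate or a failed sync), whereas an anchor carried across the move still matches. The decoder also shows the check a defender can run on a suspicious account: an ImmutableId that does not decode to a 16-byte GUID was not set by DirSync from an objectGUID.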
Right now, don’t deploy the preview in any production environment – but if you are thinking about a multi-forest Office 365 migration later this year, then it’s worth being aware of the preview and what it can and can’t do. Personally, I wouldn’t wait for the preview to turn into a production release before deploying, as you won’t know when that will be or what problems the initial release might have. However, if you are planning a long-term multi-forest Hybrid implementation, then the potential to upgrade from FIM or a custom solution should be an end goal.
AADSync Technical Overview