MSEndpointMgr

Install and Configure AADSync for a Hybrid setup with Intune and ConfigMgr 2012

In a world that is becoming more and more mobile, it’s important to keep up with the technology and empower users with the tools and services they need. For the past year or so, Microsoft has stepped up its game when it comes to mobile devices and released a bunch of cool services and tools for us administrators. Microsoft Intune, which we’ve all heard about by now (I hope), can be integrated with ConfigMgr 2012 in order to provide a single pane of glass management solution for on-premise and mobile devices. This scenario is called a hybrid scenario, which leverages all of the capabilities that ConfigMgr 2012 brings as an on-premise management solution together with Microsoft Intune as an endpoint for the mobile devices.
As for the topic of this blog post, we’ll be dealing with one of the main pillars of the hybrid setup: the synchronization of on-premise Active Directory user accounts to Microsoft Intune (really, the Azure Active Directory tenant) with the Azure Active Directory Synchronization tool (AADSync). Lately I’ve been reading some articles and blog posts on how to install and configure AADSync, which in fact are great articles, although I’ve not come across one that describes the complete process. Since this is a new technology that not many are familiar with yet, I decided to put together a blog post on how to install and configure AADSync, from start to finish.

Overview

Here’s a brief overview of what this blog post contains:

  • What is AADSync
  • Installation requirements
  • Installation scenario
  • Service accounts
  • SQL Server configuration
  • Install AADSync
  • Synchronize accounts

What is AADSync

Azure Active Directory Synchronization (AADSync) is a tool that enables you to integrate your on-premises Active Directory Domain Service with your Azure AD directory. It will allow you to perform the following tasks:

  • Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2010 R2
  • Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal (7) set of user attributes
  • Configuring multiple on-premises Exchange organizations to map to a single Azure Active Directory tenant

With AADSync you’ll get the following features:

  • Password Synchronization
  • Password Write-Back
  • Exchange Hybrid Deployment
  • Azure AD app and attribute filtering

Installation requirements

As for the installation requirements, AADSync can be installed on the following version of Windows Server:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

It’s possible to install AADSync on a workgroup server, a domain member server or directly on a domain controller (the last option should be thought through carefully). When managing environments with more than 100,000 users, a full version of SQL Server is required; SQL Server Express or SQL Server LocalDB is not sufficient in those scenarios.
In order to complete some of the steps in this blog post, you’ll also need to download and install the following components:

Installation scenario

In this scenario I’m going to install all of the required components, including AADSync, on a dedicated server running Windows Server 2012 R2. It’s supported to install AADSync on a domain controller, but to be honest I don’t think that’s a good idea. In my opinion you’d not want any extra load on your domain controllers.
If you’ve read any of the other blog posts about AADSync, or the documentation on TechNet, there’s barely any mention of how to install and configure AADSync with an existing SQL Server (or a new installation of SQL Server Express). If you install AADSync out of the box, by downloading the setup file, running it directly and clicking your way through the wizard, what you get is AADSync running on SQL Server LocalDB (a developer version of SQL Server Express). Instead, I’ll show you how to install AADSync in a more advanced scenario where I first install and configure SQL Server 2014 Express. I’m doing this to give you an idea of how the process differs from the normal setup, which basically is clicking Next a few times (great setup wizard, Microsoft!). By doing this, we’ll also get control over the service account that AADSync will be running under, instead of the one that the wizard automatically creates.

Service accounts

Before we go ahead and install any software, we need to create some service accounts. We need a service account in your Azure Active Directory tenant and a service account in your on-premise Active Directory.

SQL Server service account

Since we’re going to install SQL Server 2014 Express, we need to create a domain user account that we make use of during the installation. For this post I’ve created a domain user account called AADSync_SQL.

Azure Active Directory tenant service account

This service account is used by AADSync to connect to your Azure Active Directory tenant and it has to be a Global Administrator. In my Intune tenant I’ve created a Global Administrator account with login name of [email protected].

On-premise Active Directory service account

The on-premise Active Directory service account is used by AADSync to connect to your on-premise Active Directory, and it should be a regular user account. In my lab environment, and for demonstration purposes for this post I’ve created a domain user account called AADSync_SA with no further permissions as of yet. If you wish to enable any of the features mentioned above, like Password Synchronization for instance, you’ll have to give the service account some special permissions. For your convenience, I’ve previously created a PowerShell script that will simplify this process for you. You can download the script here. For detailed instructions on how to use the script to delegate the required permissions for each feature, see the corresponding section below.

Password Synchronization

1. Download the Set-AADSyncPermissions.ps1 script from the link above, and put it in e.g. C:\Scripts on any of your domain controllers.
2. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature PasswordSynchronization -IdentityName AADSync_SA -Inheritance All -Verbose
Password Write-Back

1. Download the Set-AADSyncPermissions.ps1 script from the link above, and put it in e.g. C:\Scripts on any of your domain controllers.
2. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature PasswordWriteBack -IdentityName AADSync_SA -Inheritance All -Verbose
Exchange Hybrid Deployment

1. Download the Set-AADSyncPermissions.ps1 script from the link above, and put it in e.g. C:\Scripts on any of your domain controllers.
2. Run the following command:

.\Set-AADSyncPermissions.ps1 -Feature ExchangeHybrid -IdentityName AADSync_SA -Inheritance All -Verbose
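Whichever feature you delegate, it is worth checking afterwards exactly which rights the on-premise service account ended up with, since the account is a standing target once Password Synchronization rights are on it. The following is an added example (it is not the Set-AADSyncPermissions.ps1 script and not code from this post); it reads the ACL of the domain naming context from the AD: drive and resolves the ObjectType GUIDs into extended-right and attribute names so the output is readable. The account name AADSync_SA is the one used in this post; everything else is constructed for the example.

```powershell
# Added example: list the ACEs held by the AADSync on-premise service account
# on the domain naming context, with GUIDs resolved to friendly names.
Import-Module ActiveDirectory

function Get-DelegatedRights {
    param(
        [Parameter(Mandatory)] [string] $IdentityName,                 # sAMAccountName, e.g. AADSync_SA
        [string] $Path = (Get-ADRootDSE).defaultNamingContext           # defaults to the domain root
    )

    $rootDSE = Get-ADRootDSE

    # Build a GUID -> name map from the Extended-Rights container (control access
    # rights such as "Replicating Directory Changes") and from the schema
    # (attribute and class GUIDs), so ObjectType values become readable.
    $guidMap = @{}
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.Name }
    Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    function Resolve-Guid([guid] $Guid, [string] $Default) {
        if ($Guid -eq [guid]::Empty) { return $Default }          # empty GUID means "all"
        if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
        return $Guid.ToString()
    }

    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$IdentityName" } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $Path
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                ObjectType  = Resolve-Guid $_.ObjectType 'All'
                AppliesTo   = Resolve-Guid $_.InheritedObjectType 'All objects'
                Inheritance = $_.InheritanceType
                Inherited   = $_.IsInherited
            }
        }
}

# Review what the on-premise service account has been granted at the domain root.
Get-DelegatedRights -IdentityName 'AADSync_SA' | Format-Table -AutoSize
```

Run it on a domain controller or any machine with the ActiveDirectory module after each delegation step. The example defaults to the domain root because the replication rights needed for Password Synchronization are granted there; pass -Path with an OU distinguished name to review rights that were delegated lower in the tree. Any right in the output that you did not expect from the feature you enabled is the one to investigate.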

SQL Server configuration

Before we go ahead and install SQL Server 2014 Express, we need to grab the correct installation file. Browse to:
https://www.microsoft.com/en-us/download/details.aspx?id=42299
1. Click on Download and select the following file:
ExpressAndTools 64BIT\SQLEXPRWT_x64_ENU.exe
2. Once you have downloaded the installation file, execute it to continue.
3. Click OK in the popup labeled Choose Directory For Extracted Files.
4. Click on New SQL Server stand-alone installation or add features to an existing installation.
5. Accept the license terms and click Next.
6. On the Microsoft Update page, click to check for updates on Microsoft Update and click Next.
7. On the Feature Selection page, you have the option to select what features to install. We’re going to use the defaults, including the directories at the bottom. If you wish to divide your installation of SQL Server 2014 Express across other directories, you can do so now, but that will not be covered in this post. Click Next.
8. On the Instance Configuration page, leave the default Instance name as SQLEXPRESS unless you’d like to name it otherwise. It’s important that you take note of the Instance name if you change it from the default, since we’ll be referencing it at a later stage. Click Next.
9. On the Server Configuration page, we need to specify the service account and password for the Database Engine. We don’t need to select any specific Collation, so when you’ve entered the correct service account user name and password, click Next.
10. On the Database Engine Configuration page, click Add and browse for the On-premise Active Directory service account (in my lab environment that’d be AADSync_SA), not the SQL Server service account. When you’ve added the account, click Next and the installation will automatically begin.
11. Once the installation has completed, click Close.
The installation and configuration of SQL Server 2014 Express is now complete, and we move on with installing AADSync.

Install AADSync

1. Download AADSync from the following link:
https://www.microsoft.com/en-us/download/details.aspx?id=44225&
2. Once you’ve downloaded MicrosoftAzureADConnectionTool.exe, launch it and wait for it to extract. When the installation wizard appears, close it. We’re not going to install AADSync as of yet.
3. Open an elevated Command Prompt and browse to the following destination:
C:\Program Files\Microsoft Azure AD Connection Tool
4. Run the following command:

DirectorySyncTool.exe /SQLServer localhost /SQLServerInstance SQLEXPRESS /ServiceAccountDomain CONTOSO /ServiceAccountName AADSync_SA /ServiceAccountPassword YOURPASSWORD

The command above launches the installation wizard of AADSync instructing the software to use the specified parameters with the service account and domain information. It also instructs what SQL Server and Instance to use. We need to do this in order for AADSync to use the SQL Server 2014 Express installation that we setup previously. Remember to change the values to reflect your environment.
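Before launching the wizard this way, two things are easy to get wrong: the instance name (the SQL Express named instance runs as the service MSSQL$SQLEXPRESS, so the service is a quick check that the name is right), and the password, which with the command above is typed in clear text into a console where it lands in the command history. The following added example (not part of this post or of the AADSync installer) checks the SQL instance, the service account and the extracted setup file, prompts for the password instead of echoing it, and then runs DirectorySyncTool.exe with the same parameters as the command above. The values CONTOSO, AADSync_SA and the paths are the ones from this post; change them to reflect your environment.

```powershell
# Added example: validated launch of the AADSync setup wizard against the
# SQL Server 2014 Express instance installed earlier. Assumes the parameter
# names of DirectorySyncTool.exe exactly as used in the command above.
$SqlServer      = 'localhost'
$SqlInstance    = 'SQLEXPRESS'
$Domain         = 'CONTOSO'
$ServiceAccount = 'AADSync_SA'
$SetupPath      = 'C:\Program Files\Microsoft Azure AD Connection Tool\DirectorySyncTool.exe'

function Test-AADSyncPrerequisites {
    # A SQL Express named instance runs as the Windows service MSSQL$<InstanceName>
    $svc = Get-Service -Name "MSSQL`$$SqlInstance" -ErrorAction SilentlyContinue
    if (-not $svc) { throw "SQL Server instance '$SqlInstance' is not installed on this server" }
    if ($svc.Status -ne 'Running') { throw "SQL Server instance '$SqlInstance' is not running" }

    # The on-premise service account must exist before the wizard tries to use it
    Import-Module ActiveDirectory
    if (-not (Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'")) {
        throw "Service account '$Domain\$ServiceAccount' was not found in Active Directory"
    }

    if (-not (Test-Path -Path $SetupPath)) {
        throw "DirectorySyncTool.exe was not found; run MicrosoftAzureADConnectionTool.exe to extract it first"
    }
    return $true
}

function Start-AADSyncSetup {
    Test-AADSyncPrerequisites | Out-Null

    # Prompt for the password rather than typing it into the command line, so it
    # is not kept in the console history or in a saved script. The installer still
    # receives it as a plain-text argument, so run this in an elevated console on
    # the AADSync server only and close the console when the wizard has finished.
    $secure = Read-Host -Prompt "Password for $Domain\$ServiceAccount" -AsSecureString
    $plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

    $arguments = @(
        '/SQLServer', $SqlServer
        '/SQLServerInstance', $SqlInstance
        '/ServiceAccountDomain', $Domain
        '/ServiceAccountName', $ServiceAccount
        '/ServiceAccountPassword', $plain
    )
    # Launches the same wizard as step 4; the script returns when the wizard closes
    Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait
}

Start-AADSyncSetup
```

If the service check fails with a different instance name than you expect, that is the name you noted on the Instance Configuration page earlier, and it is the value to use for /SQLServerInstance.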
5. On the Welcome page, accept the license terms and specify an alternative installation path if you wish. I’ll use the default one for this demonstration. Click Install.
6. Once the wizard has successfully installed the Synchronization service and made sure the connection to the SQL Server was successful, the wizard will show you the Azure AD Credentials page. Enter the credentials for your Global Administrator account. Click Next.
7. On the AD DS Credentials page, enter your forest root domain FQDN (in my lab environment that’s contoso.com) and specify the credentials for the On-premise Active Directory service account (AADSync_SA). When you’ve specified the credentials, click on Add Forest.
8. Click Next once the forest has been added.
9. On the User Mapping page, you have the option to specify how the user mapping between Azure Active Directory and your On-premise Active Directory will be configured. For this demonstration, I’ll choose the default options, since my lab environment isn’t really an advanced setup where you’d need to find matching attributes, for instance. I’d suggest that you read the following article on MSDN if you’re not sure what to go with:
https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_AccountJoin
Once you’ve figured out what is a suitable configuration for your environment and made the configuration accordingly, click Next.
10. Depending on what features you’d like to enable, select those on the Optional Features page and click Next. I need to point out that if you choose to enable any of the features, make sure that you’ve given your On-premise Active Directory service account the proper permissions by using the PowerShell script that we’ve talked about earlier in this post.
As an additional note, if you were to enable the Azure AD app and attribute filtering feature, the wizard would add two pages where you’d have to provide additional configuration options. That’s outside the scope of this post, but you can read more about the different features at the following link:
https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_OptionalFeatures
When ready, click Next.
11. On the Configure page, click Configure.
12. Once the configuration has been completed, make sure that you un-check the Synchronize now check box. If you were to run the synchronization right now, your entire On-premise Active Directory would be synced to your Azure Active Directory tenant, and that’s perhaps not the desired outcome.
You might also want to sign out and back in, if told so by the wizard.

Configure password policy for Azure Active Directory service account

Now that we’ve installed SQL Server 2014 Express and AADSync, we need to make sure that the password policy for the Azure Active Directory account is set so that the password doesn’t expire. First, we need to install some tools to help us accomplish that, download and install the following two tools:

Once both of the tools have been installed, save the following PowerShell script as Set-AADSyncSvcAccountPasswordNeverExpires.ps1 to e.g. C:\Scripts:

# Import the MSOnline module (installed with the Azure Active Directory Module for Windows PowerShell)
Import-Module MSOnline
# UPN of the Azure Active Directory service account used by AADSync; amend this to reflect your tenant
$ServiceAccountUPN = "[email protected]"
# Credentials for Microsoft Online Service (a Global Administrator account)
$Credentials = Get-Credential -Message "Enter the username and password for a Microsoft Online Service"
# Connect to Microsoft Online Service
Connect-MsolService -Credential $Credentials
# Set the AADSync service account password to never expire
Set-MsolUser -UserPrincipalName $ServiceAccountUPN -PasswordNeverExpires $true
# Verify that the configuration change was applied
Get-MsolUser -UserPrincipalName $ServiceAccountUPN | Select-Object -Property UserPrincipalName, PasswordNeverExpires

Make sure that you amend the script to reflect your Azure Active Directory Global Administrator service account for AADSync for the UserPrincipalName parameter.
1. Open an elevated PowerShell console and browse to C:\Scripts.
2. Run the Set-AADSyncSvcAccountPasswordNeverExpires.ps1 script.
3. When prompted, enter your credentials for the Global Administrator account and click OK.
4. Once the script has successfully executed, it will output the current value of the PasswordNeverExpires property.
We’ve now taken care of a vital thing that could cause problems in the future.

Synchronize accounts

Remember that we chose not to synchronize before? I wanted to show you how to be more granular with what to synchronize. In my lab environment, I have a particular OU where I’ve put all of the user accounts that I want to synchronize to my Azure Active Directory tenant. In order to do that, we have to make a slight adjustment to AADSync.

Granular synchronization configuration

1. Go to Start and launch Synchronization Service.
2. Click on Connectors.
3. Right-click on the connector representing your On-Premise Active Directory, it’s by default named after your forest, and select Properties.
4. Select Configure Directory Partitions and then click on Containers.
5. When prompted, enter the password for the service account already populated. Click OK.
6. Click on the top level of your directory to de-select all of the selections. Then select the OUs you wish to synchronize. Click OK.
7. Click OK in the Properties window.

Start the synchronization

Now you’ve configured a more granular part of your On-Premise Active Directory so that you won’t synchronize just about everything. In order to start the synchronization, we have to enable a scheduled task that AADSync creates.
1. Open Task Scheduler and select the root folder (Task Scheduler Library).
2. Right click on the Azure AD Sync Scheduler and select Enable.
The scheduled task essentially executes a tool called DirectorySyncClientCmd.exe that you could manually execute at any time, in order to perform a synchronization. The tool is available in the following location:
C:\Program Files\Microsoft Azure AD Sync\Bin
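The same two things, enabling the scheduled task and running DirectorySyncClientCmd.exe by hand, can be done and verified from PowerShell, which is handy on a server you administer remotely. The following is an added example, not code from this post. The task name and the Bin path are the ones shown above; the `delta` argument passed to DirectorySyncClientCmd.exe is assumed from the AADSync documentation and is not mentioned in this post.

```powershell
# Added example: enable the AADSync scheduled task, run a manual sync and
# read back the result of the last run. Assumes the task name and Bin path
# shown in the post; the 'delta' argument is assumed, not taken from the post.
$TaskName = 'Azure AD Sync Scheduler'
$SyncTool = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'

function Enable-AADSyncSchedule {
    # Equivalent of step 2 above; the task lives in the root of the Task Scheduler Library
    $task = Get-ScheduledTask -TaskPath '\' -TaskName $TaskName -ErrorAction Stop
    if ($task.State -eq 'Disabled') {
        Enable-ScheduledTask -TaskPath '\' -TaskName $TaskName | Out-Null
    }
    (Get-ScheduledTask -TaskPath '\' -TaskName $TaskName).State
}

function Start-AADSyncDelta {
    # Manual run, e.g. right after changing the OU selection, without waiting for the schedule
    if (-not (Test-Path -Path $SyncTool)) { throw "DirectorySyncClientCmd.exe was not found at $SyncTool" }
    $proc = Start-Process -FilePath $SyncTool -ArgumentList 'delta' -Wait -PassThru -NoNewWindow
    $proc.ExitCode   # 0 when the sync client exited cleanly
}

function Get-AADSyncScheduleStatus {
    # LastTaskResult is 0 when the last scheduled run exited cleanly; anything else
    # means the schedule is firing but the sync is failing and needs a look.
    Get-ScheduledTaskInfo -TaskPath '\' -TaskName $TaskName |
        Select-Object -Property TaskName, LastRunTime, LastTaskResult, NextRunTime
}

Enable-AADSyncSchedule
Start-AADSyncDelta
Get-AADSyncScheduleStatus | Format-List
```

Get-AADSyncScheduleStatus is the one to keep around: a task that shows as enabled but whose LastTaskResult is non-zero, or whose LastRunTime stops moving, is the earliest sign that accounts have silently stopped flowing to the tenant.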
That wraps it up. We’ve now installed and configured SQL Server 2014 Express and AADSync, and configured a more granular sync of resources. I hope this guide has helped you and provided useful information. If you have any questions, write a comment below.

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years, specializing in Enterprise Mobility and Security, Windows devices and deployments, including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd and ConfigMgr WebService, to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections, including Nordic user groups.

2 comments

  • Another great post I’ll be adding to my onenotes. I have one question. Is this an alternative to setting up ADFS\DirSync? I assume if a client is not interested in O365 then setting up AAAD to allow WI to be integrated into SCCM is the way to go.
    So far my SCCM\WI projects were O365 clients.
    Thanks!!

    • Hi Rasheedah,
      This is a general setup for any Microsoft Online Services that uses an Azure Active Directory tenant. There might be other specific steps that you’d need to take for usage with other services, but in general the steps are the same.
      Regards,
      Nickolaj
