In a world that is becoming more and more mobile, it’s important to keep up with the technology and empower the users with the tools and services they need. For the past year or so, Microsoft has stepped up its game when it comes to mobile devices and released a bunch of cool services and tools for us administrators. Microsoft Intune as we all have heard about as of now (I hope), can be integrated with ConfigMgr 2012 in order to provide a single pane of glass management solution for on-premise and mobile devices. This scenario is called a hybrid scenario, which leverages all of the capabilities that ConfigMgr 2012 brings as an on-premise management solution together with Microsoft Intune as an endpoint for the mobile devices.
As for the topic in this blog post, we’ll be dealing with one of the main pillars for the hybrid setup, the synchronization of on-premise Active Directory user accounts to the Microsoft Intune (Azure Active Directory tenant really) with Azure Active Directory Synchronization tool (AADSync). Lately I’ve been reading some articles and blog posts regarding how to install the configure AADSync, which in fact are great articles, although I’ve not come across an article that describes the complete process. Since this is a new technology that not many are familiar with yet, I decided that I’d put together a blog post on how to install and configure AADSync, from start to finish.
Overview
Here’s a brief overview of what this blog post contains:
- What is AADSync
- Installation requirements
- Installation scenario
- Service accounts
- SQL Server configuration
- Install AADSync
- Synchronize accounts
What is AADSync
Azure Active Directory Synchronization (AADSync) is a tool that enables you to integrate your on-premises Active Directory Domain Service with your Azure AD directory. It will allow you to perform the following tasks:
- Synchronize multi-forest Active Directory environments without needing the complete feature set of Forefront Identity Manager 2010 R2
- Advanced provisioning, mapping and filtering rules for objects and attributes, including support for syncing a very minimal (7) set of user attributes
- Configuring multiple on-premises Exchange organizations to map to a single Azure Active Directory tenant
With AADSync you’ll get the following features:
- Password Synchronization
- Password Write-Back
- Exchange Hybrid Deployment
- Azure AD app and attribute filtering
Installation requirements
As for the installation requirements, AADSync can be installed on the following version of Windows Server:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
It’s possible to install AADSync on a workgroup server, a domain member server or directly on a domain controller (the last option should be thought through carefully). When managing environments with more than 100.000 users, a full version of SQL Server is required; SQL Server Express and SQL Server LocalDB are not sufficient in those scenarios.
In order to complete some of the steps in this blog post, you’ll also need to download and install the following components:
- Microsoft Online Services Sign-in Assistant for IT Professionals
- Azure Active Directory Module for Windows PowerShell (64-bit)
Installation scenario
In this scenario I’m going to install all of the required components, including AADSync, on a dedicated server running Windows Server 2012 R2. It’s supported to install AADSync on a domain controller, but to be honest I don’t think that’s a good idea. In my opinion you’d not want any extra load on your domain controllers.
If you’ve read any of the other blog posts about AADSync, or the documentation on TechNet, there’s barely any mention of how to install and configure AADSync with an existing SQL Server (or a new installation of SQL Server Express). If you install AADSync out of the box, by downloading the setup file, running it and clicking your way through the wizard, what you’ll get is AADSync running with SQL Server LocalDB (a developer version of SQL Server Express). Instead, I’ll show you how to install AADSync in a more advanced scenario where I install and configure SQL Server 2014 Express first. I’m doing this to give you an idea of how the process differs from the normal setup, which is basically clicking Next a few times (great setup wizard Microsoft!). By doing this, we also get control over the service account that AADSync will be running under, instead of the one that the wizard automatically creates.
Service accounts
Before we go ahead and install any software, we need to create some service accounts: a service account for SQL Server, a service account in your Azure Active Directory tenant and a service account in your on-premise Active Directory.
SQL Server service account
Since we’re going to install SQL Server 2014 Express, we need to create a domain user account that we make use of during the installation. For this post I’ve created a domain user account called AADSync_SQL.
Azure Active Directory tenant service account
This service account is used by AADSync to connect to your Azure Active Directory tenant and it has to be a Global Administrator. In my Intune tenant I’ve created a Global Administrator account with login name of [email protected].
On-premise Active Directory service account
The on-premise Active Directory service account is used by AADSync to connect to your on-premise Active Directory, and it should be a regular user account. In my lab environment, and for demonstration purposes in this post, I’ve created a domain user account called AADSync_SA with no further permissions as of yet. If you wish to enable any of the features mentioned above, like Password Synchronization for instance, you’ll have to give the service account some special permissions. For your convenience, I’ve previously created a PowerShell script that simplifies this process for you. You can download the script here. For detailed instructions on how to use the script to delegate the required permissions for each feature, see the corresponding section below.
Password Synchronization
1. Download the Set-AADSyncPermissions.ps1 script from the link above, and put it in e.g. C:\Scripts on any of your domain controllers.
2. Run the following command:
.\Set-AADSyncPermissions.ps1 -Feature PasswordSynchronization -IdentityName AADSync_SA -Inheritance All -Verbose
Password Write-Back
1. Download the Set-AADSyncPermissions.ps1 script from the link above, and put it in e.g. C:\Scripts on any of your domain controllers.
2. Run the following command:
.\Set-AADSyncPermissions.ps1 -Feature PasswordWriteBack -IdentityName AADSync_SA -Inheritance All -Verbose
Exchange Hybrid Deployment
1. Download the Set-AADSyncPermissions.ps1 script from the link above, and put it in e.g. C:\Scripts on any of your domain controllers.
2. Run the following command:
.\Set-AADSyncPermissions.ps1 -Feature ExchangeHybrid -IdentityName AADSync_SA -Inheritance All -Verbose
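Whichever feature you delegate permissions for, it is worth confirming afterwards that the service account received only the rights you intended. The following PowerShell is an added example and is not the Set-AADSyncPermissions.ps1 script (which is not reproduced here): it lists every ACE on the domain root that names the AADSync_SA account and resolves the extended-right and attribute GUIDs to readable names. It assumes the ActiveDirectory module (RSAT) is available on a domain-joined machine; the account name is the one used in this post, so adjust $AccountName to your environment. For Password Synchronization you should expect to see the Replicating Directory Changes and Replicating Directory Changes All extended rights, and nothing broader than what the feature needs.

```powershell
# Added example: audit the ACEs granted to the AADSync on-premise service account on the domain root.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$AccountName = "AADSync_SA"   # service account name from the post; adjust to your environment

function Get-AADSyncServiceAccountAces {
    param([string]$SamAccountName = $AccountName)

    $Domain   = Get-ADDomain
    $Identity = "$($Domain.NetBIOSName)\$SamAccountName"
    $RootDSE  = Get-ADRootDSE

    # Build a GUID -> name map from the extended rights (configuration partition)
    # and the schema attributes/classes (schema partition), so ObjectType is readable
    $GuidMap = @{}
    Get-ADObject -SearchBase $RootDSE.configurationNamingContext `
                 -LDAPFilter "(objectClass=controlAccessRight)" `
                 -Properties rightsGuid, displayName |
        ForEach-Object { $GuidMap[[guid]$_.rightsGuid] = $_.displayName }
    Get-ADObject -SearchBase $RootDSE.schemaNamingContext `
                 -LDAPFilter "(schemaIDGUID=*)" `
                 -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $GuidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    # Read the domain root ACL and keep only the ACEs that name the service account
    $Acl = Get-Acl -Path "AD:\$($Domain.DistinguishedName)"
    $Acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity } | ForEach-Object {
        $ObjectName = if ($_.ObjectType -eq [guid]::Empty) { "(all)" }
                      elseif ($GuidMap.ContainsKey($_.ObjectType)) { $GuidMap[$_.ObjectType] }
                      else { $_.ObjectType.ToString() }
        [pscustomobject]@{
            Rights      = $_.ActiveDirectoryRights
            AccessType  = $_.AccessControlType
            Object      = $ObjectName
            Inheritance = $_.InheritanceType
        }
    }
}

Get-AADSyncServiceAccountAces | Format-Table -AutoSize
```

Run it from an elevated PowerShell console on a domain controller or any machine with RSAT after each delegation; an empty result means the script did not touch the domain root, and an unexpected GenericAll or WriteDacl entry is something to remove before going further.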
SQL Server configuration
Before we go ahead and install SQL Server 2014 Express, we need to grab the correct installation file. Browse to:
https://www.microsoft.com/en-us/download/details.aspx?id=42299
1. Click on Download and select the following file:
ExpressAndTools 64BIT\SQLEXPRWT_x64_ENU.exe
2. Once you have downloaded the installation file, execute it to continue.
3. Click OK in the popup labeled Choose Directory For Extracted Files.
4. Click on New SQL Server stand-alone installation or add features to an existing installation.
5. Accept the license terms and click Next.
6. On the Microsoft Update page, click to check for updates on Microsoft Update and click Next.
7. On the Feature Selection page, you have the option to select which features to install. We’re going to use the defaults, including the directories at the bottom. If you wish to split your installation of SQL Server 2014 Express across different directories, you can do so now, but that will not be covered in this post. Click Next.
8. On the Instance Configuration page, leave the default Instance name as SQLEXPRESS unless you’d like to name it otherwise. It’s important that you take a note of the Instance name if you change it from the default, since we’ll be referencing it at a later stage. Click Next.
9. On the Server Configuration page, we need to specify the service account and password for the Database Engine. We don’t need to select any specific Collation, so when you’ve entered the correct service account user name and password, click Next.
10. On the Database Engine Configuration page, click Add and browse for the On-premise Active Directory service account (in my lab environment that’d be AADSync_SA), not the SQL Server Service account. When you’ve added the account, click Next and the installation will automatically begin.
11. Once the installation has completed, click Close.
The installation and configuration of SQL Server 2014 Express is now complete, and we move on with installing AADSync.
Install AADSync
1. Download AADSync from the following link:
https://www.microsoft.com/en-us/download/details.aspx?id=44225&
2. Once you’ve downloaded MicrosoftAzureADConnectionTool.exe, launch it and wait for it to extract. When you see the wizard page shown in the picture below, close the installation wizard. We’re not going to install AADSync just yet.
3. Open an elevated Command Prompt and browse to the following destination:
C:\Program Files\Microsoft Azure AD Connection Tool
4. Run the following command:
DirectorySyncTool.exe /SQLServer localhost /SQLServerInstance SQLEXPRESS /ServiceAccountDomain CONTOSO /ServiceAccountName AADSync_SA /ServiceAccountPassword YOURPASSWORD
The command above launches the AADSync installation wizard and instructs the software to use the specified service account and domain information. It also tells it which SQL Server and Instance to use. We need to do this in order for AADSync to use the SQL Server 2014 Express installation that we set up previously. Remember to change the values to reflect your environment.
5. On the Welcome page, accept the license terms and specify an alternative installation path if you wish. I’ll use the default one for this demonstration. Click Install.
6. Once the wizard has successfully installed the Synchronization service and verified the connection to the SQL Server, it will show you the Azure AD Credentials page. Enter the credentials for your Global Administrator account. Click Next.
7. On the AD DS Credentials page, enter your forest root domain FQDN (in my lab environment that’s contoso.com) and specify the credentials for the On-premise Active Directory service account (AADSync_SA). When you’ve specified the credentials, click on Add Forest.
8. Click Next once the forest has been added.
9. On the User Mapping page, you have the option to specify how the user mapping between Azure Active Directory and your On-premise Active Directory will be configured. For this demonstration, I’ll choose the default options since my lab environment is not an advanced setup where you’d need to find matching attributes, for instance. I’d suggest that you read up on the following article on MSDN if you’re not sure what to go with:
https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_AccountJoin
Once you’ve figured out what is a suitable configuration for your environment and made the configuration accordingly, click Next.
10. Depending on what features you’d like to enable, select those on the Optional Features page and click Next. I need to point out that if you choose to enable any of the features, make sure that you’ve given your On-premise Active Directory service account the proper permissions by using the PowerShell script that we’ve talked about earlier in this post.
As an additional note, if you were to enable the Azure AD app and filtering feature, the wizard will add two pages where you’d have to provide additional configuration options. That’s not the scope of this post, but you can read more about the different features on the following link:
https://msdn.microsoft.com/en-us/library/azure/dn757602.aspx#BKMK_OptionalFeatures
When ready, click Next.
11. On the Configure page, click Configure.
12. Once the configuration has been completed, make sure that you un-check the Synchronize now check box. If you were to run the synchronization right now, your entire On-premise Active Directory would be synced to your Azure Active Directory tenant, and that’s perhaps not the desired outcome.
You might also want to sign out and back in, if told so by the wizard.
Configure password policy for Azure Active Directory service account
Now that we’ve installed SQL Server 2014 Express and AADSync, we need to make sure that the password policy for the Azure Active Directory account is set so that the password doesn’t expire. First, we need to install some tools to help us accomplish that, download and install the following two tools:
- Microsoft Online Services Sign-In Assistant
- Windows Azure Active Directory Module for Windows PowerShell
Once both tools have been installed, save the following PowerShell script as Set-AADSyncSvcAccountPasswordNeverExpires.ps1 to e.g. C:\Scripts:
# Import MSOnline module
Import-Module MsOnline

# Credentials for Microsoft Online Service
$Credentials = Get-Credential -Message "Enter the username and password for a Microsoft Online Service"

# Connect to Microsoft Online Service
Connect-MsolService -Credential $Credentials

# Set Azure Active Directory Sync service account password never expires setting to True
Set-MsolUser -UserPrincipalName [email protected] -PasswordNeverExpires $True

# Verify that the configuration change was set
Get-MsolUser -UserPrincipalName [email protected] | Select-Object -Property PasswordNeverExpires
Make sure that you amend the script to reflect your Azure Active Directory Global Administrator service account for AADSync for the UserPrincipalName parameter.
1. Open an elevated PowerShell console and browse to C:\Scripts.
2. Run the Set-AADSyncSvcAccountPasswordNeverExpires.ps1 script.
3. When prompted, enter your credentials for the Global Administrator account and click OK.
4. Once the script has successfully executed, it will output the current value of the PasswordNeverExpires property.
We’ve now taken care of a vital thing that could cause problems in the future.
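Since the AADSync tenant account is a Global Administrator whose password now never expires, it is useful to see it alongside every other Global Administrator in the tenant and their password state. The following PowerShell is an added example, not part of the original post: it uses the same MSOnline module as the script above (where the Global Administrator role is named "Company Administrator") to list each user holding that role with PasswordNeverExpires, the last password change and whether sign-in is blocked. It assumes the MSOnline module is installed and that you run it with Global Administrator credentials.

```powershell
# Added example: audit Global Administrators in the tenant and their password-expiry state.
# Assumes the Azure Active Directory Module for Windows PowerShell (MSOnline) is installed.
Import-Module MsOnline

function Get-GlobalAdminPasswordState {
    # Connect-MsolService must already have been called in this session
    # "Company Administrator" is the MSOnline name of the Global Administrator role
    $Role = Get-MsolRole -RoleName "Company Administrator"

    Get-MsolRoleMember -RoleObjectId $Role.ObjectId |
        Where-Object { $_.RoleMemberType -eq "User" } |
        ForEach-Object {
            # Look the member up by ObjectId so the UPN and password properties come from the user object itself
            $User = Get-MsolUser -ObjectId $_.ObjectId
            [pscustomobject]@{
                UserPrincipalName    = $User.UserPrincipalName
                PasswordNeverExpires = $User.PasswordNeverExpires
                LastPasswordChange   = $User.LastPasswordChangeTimestamp
                SignInBlocked        = $User.BlockCredential
            }
        }
}

$Credentials = Get-Credential -Message "Enter your Global Administrator credentials"
Connect-MsolService -Credential $Credentials

# Never-expiring passwords first, so the AADSync service account (and any unexpected ones) stand out
Get-GlobalAdminPasswordState | Sort-Object PasswordNeverExpires -Descending | Format-Table -AutoSize
```

The AADSync service account should be the only entry you expect to see with PasswordNeverExpires set to True; any other Global Administrator in that state is worth a second look, because the setting exempts the account from the tenant password policy.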
Synchronize accounts
Remember that we chose not to synchronize before? I wanted to show you how to be more granular with what to synchronize. In my lab environment, I have a particular OU where I’ve put all of the user accounts that I want to synchronize to my Azure Active Directory tenant. In order to do that, we have to make a slight adjustment to AADSync.
Granular synchronization configuration
1. Go to Start and launch Synchronization Service.
2. Click on Connectors.
3. Right-click on the connector representing your On-Premise Active Directory, it’s by default named after your forest, and select Properties.
4. Select Configure Directory Partitions and then click on Containers.
5. When prompted, enter the password for the service account already populated. Click OK.
6. Click on the top level of your directory to de-select everything, then select the OUs you wish to synchronize. Click OK.
7. Click OK in the Properties window.
Start the synchronization
Now you’ve limited the synchronization to a more granular part of your On-Premise Active Directory, so that you won’t synchronize just about everything. In order to start the synchronization, we have to enable a scheduled task that AADSync creates.
1. Open Task Scheduler and select the root folder (Task Scheduler Library).
2. Right-click on the Azure AD Sync Scheduler task and select Enable.
The scheduled task essentially executes a tool called DirectorySyncClientCmd.exe that you could manually execute at any time, in order to perform a synchronization. The tool is available in the following location:
C:\Program Files\Microsoft Azure AD Sync\Bin
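The two steps above and the manual run can be done from PowerShell as well. The following is an added example, not part of the original post or of AADSync: it enables the scheduled task if it is disabled, runs DirectorySyncClientCmd.exe on demand, and reads back the most recent synchronization events from the Application log. It assumes the default installation path used in this post; the delta/initial arguments to DirectorySyncClientCmd.exe and the "Directory Synchronization" event provider name are assumptions, so check them against your installation.

```powershell
# Added example: enable the AADSync scheduled task, trigger a sync on demand and review recent events.
# Assumes the default AADSync installation path; the delta/initial arguments and the
# event provider name are assumptions about this version of AADSync.
$TaskName = "Azure AD Sync Scheduler"
$SyncCmd  = "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"

function Enable-AADSyncSchedule {
    # Enable the task only when it is disabled, then return its current state
    $Task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
    if ($Task.State -eq "Disabled") {
        Enable-ScheduledTask -TaskName $TaskName | Out-Null
    }
    (Get-ScheduledTask -TaskName $TaskName).State
}

function Invoke-AADSyncCycle {
    # "delta" syncs changes since the last run; "initial" performs a full sync (assumed arguments)
    param([ValidateSet("delta", "initial")][string]$Mode = "delta")
    if (-not (Test-Path -Path $SyncCmd)) { throw "DirectorySyncClientCmd.exe not found at $SyncCmd" }
    $Process = Start-Process -FilePath $SyncCmd -ArgumentList $Mode -Wait -PassThru -NoNewWindow
    $Process.ExitCode
}

function Get-AADSyncRecentEvents {
    # First line of each recent event from the assumed "Directory Synchronization" provider
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = "Application"; ProviderName = "Directory Synchronization" } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ Name = "Message"; Expression = { ($_.Message -split "`n")[0] } }
}

"Task state: $(Enable-AADSyncSchedule)"
"Sync exit code: $(Invoke-AADSyncCycle -Mode delta)"
Get-AADSyncRecentEvents | Format-Table -AutoSize
```

Run it from an elevated PowerShell console on the AADSync server. A non-zero exit code or Error-level events point at the connector configuration (typically the credentials or the OU selection made above) rather than at the scheduled task itself.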
That wraps it up. We’ve now installed and configured SQL Server 2014 Express and AADSync, and configured a more granular sync of resources. I hope this guide has helped you and provided useful information. If you have any questions, write a comment below.
Another great post I’ll be adding to my OneNotes. I have one question. Is this an alternative to setting up ADFS\DirSync? I assume if a client is not interested in O365 then setting up AAAD to allow WI to be integrated into SCCM is the way to go.
So far my SCCM\WI projects were O365 clients.
Thanks!!
Hi Rasheedah,
This is a general setup for any Microsoft Online Services that uses an Azure Active Directory tenant. There might be other specific steps that you’d need to take for usage with other services, but in general the steps are the same.
Regards,
Nickolaj