Synchronizing On-premises Active Directory with Azure Active Directory

Posted by Anand Pandey

Azure Active Directory (AD) is a great way of managing identity in the cloud, enhancing security and providing simple access to different apps. Synchronizing on-premises users with Azure AD makes it easy for them to access resources in both the on-premises and cloud environments using a single set of credentials.

Azure AD Connect is the Microsoft tool designed to accomplish hybrid identity goals. It provides two-way synchronization when the password write-back feature is enabled.

Prerequisites to synchronize the directories

  1. Azure Subscription
  2. Azure AD Connect tool
  3. On-premises forest functional level 2008 or higher (a 2003 forest level also works, but some functionality is lost, such as password write-back, because password changes made in the cloud do not replicate to on-premises.)
  4. A verified domain name in Azure AD. Azure AD Connect only synchronizes users to domains that are verified in Azure AD. The domain should be a valid Internet domain (for example, .com, .org, .net, .us, etc.). If the on-premises Active Directory only uses a non-routable domain (for example, .local), it won’t match the verified domain in Azure AD. The fix is either to change the primary domain in on-premises Active Directory or to add one or more UPN suffixes. (We can sync up to 50,000 objects without verifying the domain.)
  5. A domain-joined server running Server 2008 SP2 or higher on which to install Azure AD Connect, with the following requirements:
    • .net framework 4.5.1
    • PowerShell 3.0 or higher
    • SQL Server 2012 Express (installed by default with Azure AD Connect; supports up to 100,000 objects. For more objects, SQL 2008 or higher with the latest SP may be required.)
    • Hardware requirements:

      Objects in AD          CPU       Memory   Drive space
      Fewer than 10,000      1.6 GHz   4 GB     70 GB
      10,000 to 50,000       1.6 GHz   4 GB     70 GB
      50,000 to 100,000      1.6 GHz   16 GB    100 GB
      100,000 to 300,000     1.6 GHz   32 GB    300 GB
      300,000 to 600,000     1.6 GHz   32 GB    450 GB
      Greater than 600,000   1.6 GHz   32 GB    500 GB

    • Open the following ports from Azure AD Connect to on-premises AD:
      • DNS: TCP/UDP Port 53
      • Kerberos: TCP/UDP Port 88
      • RPC: TCP Port 135
      • LDAP: TCP/UDP Port 389
      • SSL: TCP Port 443
      • SMB: TCP Port 445

Below are the steps to synchronize on-premises AD with Azure AD.

  1. Preparing on-premises Active Directory for synchronization
  2. Installing and configuring the Azure AD Connect tool
  3. Monitoring, troubleshooting and validating

Let us discuss all these steps in detail.

Preparing on-premises Active Directory for synchronization

While preparing for synchronization, we need to ensure that we are not synchronizing garbage. We must either clean up the directory or enforce some restrictions. The following restrictions help with cleanup:

  1. A UPN suffix is required, and it should contain only valid characters: letters, numbers, dashes and underscores
  2. No duplicate UPNs or proxy address attributes
  3. The groups being synchronized must have the following attributes:
    • Members
    • Alias
    • Display Names

We can also use the following tools to clean up and change the properties and attributes of AD objects.

  1. ADModify.NET: a free open-source tool from Microsoft (CodePlex) that allows you to modify attributes of multiple Active Directory objects at once
  2. IdFix: identifies errors such as duplicates and formatting problems in the directory and attempts to repair the affected objects to prepare them for synchronization

In addition to the cleanup and changes above, we should select a small number of users to synchronize first. Ordinary users should be selected before service accounts, which are more critical.

Installing and configuring the Azure AD Connect tool

We can download the Azure AD Connect tool from the following source:

Download Azure AD Connect and save it to the domain-joined server. Make sure the server meets all the prerequisites mentioned above.

Double-click on the AzureADConnect file to initiate the installation process.

After installing the package, the Azure AD Connect icon will appear on the desktop.

There are two ways to install Azure AD Connect: Express and Customize.

Express: generally suited for a single forest; all the default server settings are applied automatically.

Customize: lets you choose the installation location, SQL Server, service account and other settings.

‘Express Settings’ is the by default option one gets on launching the tool; however, we can customize the installation by selecting the ‘Required Components’ tab.

Express Settings is the preferred option of the two; therefore, we proceed with it.

After installing the required components, the wizard will prompt you to connect to Azure AD.

Enter the username and password of a global administrator for Azure AD, and then connect to the on-premises AD DS using enterprise admin credentials.

After connecting, we are redirected to the ‘Ready to configure’ window, where we can check the options to

  • Start the synchronization process when configuration completes
  • Exchange hybrid deployment

If the option to start the synchronization process is checked, clicking the Install button will begin synchronizing on-premises AD to Azure AD.

We can skip starting the synchronization process during installation and start it later with the following PowerShell command:

We can customize the synchronization interval time using the following PowerShell command:

We use the Get-ADSyncScheduler cmdlet to check the synchronization scheduler settings:
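As an added example (not code from the original post), the following script, run in an elevated PowerShell session on the Azure AD Connect server, starts the initial sync cycle only if none is already running, customizes the interval, and reads back the scheduler settings. The one-hour interval is a constructed value chosen for the example.

```powershell
# Added example: start the first sync, customize the interval and verify
# the scheduler settings on the Azure AD Connect server.
Import-Module ADSync

# Check the current scheduler state before changing anything.
$before = Get-ADSyncScheduler
"Sync cycle enabled : $($before.SyncCycleEnabled)"
"Cycle in progress  : $($before.SyncCycleInProgress)"
"Effective interval : $($before.CurrentlyEffectiveSyncCycleInterval)"

# Start the first (full) synchronization unless a cycle is already running;
# starting a second cycle while one is in progress fails with an error.
if (-not $before.SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Initial
} else {
    Write-Warning "A sync cycle is already running; not starting another."
}

# Customize the interval. The effective interval is never shorter than
# AllowedSyncCycleInterval (30 minutes by default), so a smaller value is
# clamped here instead of silently being ignored by the scheduler.
$desired = [TimeSpan]::FromHours(1)   # constructed value for this example
if ($desired -lt $before.AllowedSyncCycleInterval) {
    Write-Warning "Requested interval is below the allowed minimum; using the minimum."
    $desired = $before.AllowedSyncCycleInterval
}
Set-ADSyncScheduler -CustomizedSyncCycleInterval $desired

# Confirm the change took effect and when the next cycle is due.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CustomizedSyncCycleInterval,
                  CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
```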

Monitoring, troubleshooting and validating

The Synchronization Service Manager console helps us monitor and manage the synchronization process. It is part of the Azure AD Connect tool and is installed with the bundle. We can launch the console from the Start menu of the server on which Azure AD Connect is installed.

We can monitor the synchronization progress under the Operations tab of the Synchronization Service Manager console.

We can also select the OUs and restrict the users we want to synchronize using the Synchronization Service Manager.

Before selecting the OUs and objects, ensure you have stopped the synchronization scheduler with the following PowerShell command:

To enable it again, use the following PowerShell command:

In the console, navigate to the Connectors tab >> Properties >> Configure Directory Partitions.

It will prompt for enterprise admin credentials, and once we enter the credentials, it will open up the OU tree for selection.
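As an added example (not code from the original post), this script wraps the OU-filtering change described above: it pauses the scheduler, waits for any in-flight cycle to finish before the connector is edited in the console, then re-enables the scheduler and runs a full cycle so the new filter is applied. The 30-minute wait limit is a constructed value for the example.

```powershell
# Added example: safely pause and resume the scheduler around an
# OU-filtering change made in Synchronization Service Manager.
Import-Module ADSync

# 1. Disable the scheduler so no new cycle starts while the connector is edited.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Disabling does not abort a cycle that is already running, so wait for it
#    to finish before touching the connector (poll every 30 s, 30 min limit).
$deadline = (Get-Date).AddMinutes(30)   # constructed timeout for this example
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    if ((Get-Date) -gt $deadline) {
        throw "A sync cycle is still running after 30 minutes; not proceeding."
    }
    Start-Sleep -Seconds 30
}
$state = Get-ADSyncScheduler
if ($state.SyncCycleEnabled) { throw "Scheduler is still enabled; aborting." }
"Scheduler paused. Change OU filtering in the console now:"
"  Connectors >> (on-premises AD connector) >> Properties >> Configure Directory Partitions"
Read-Host "Press Enter once the OU filtering change has been saved"

# 3. Re-enable the scheduler and run a full (Initial) cycle, since a delta
#    cycle would not re-evaluate objects in newly included or excluded OUs.
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

# 4. Confirm the scheduler is back on and a cycle has been queued.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
```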

To validate that the AD objects synchronized, open Azure AD in the Azure portal and check the Source field of any user in the list of synchronized users.

That completes the process of synchronizing on-premises Active Directory with Azure Active Directory. Preparing on-premises Active Directory for synchronization, installing and configuring the Azure AD Connect tool, and monitoring, troubleshooting and validating are the three steps needed to complete the synchronization.

We hope the details in this blog post prove useful when you synchronize on-premises AD to Azure AD.

Let us know your thoughts below in the comments section.

That’s it from us, until next time!
