Sunday, June 2, 2013

Windows Azure Active Directory Sync Tool


The windows azure active directory sync tool , has a new feature. 'Password Synchronization'

This is a really neat feature and will meet the needs of most businesses that need to synchronize identities to office365. Setting up ADFS farms is often overkill for small businesses as to do it properly you need a minimum of 4 servers. Two adfs proxy servers and Two adfs lan servers each in a  different site for redundancy and high availability.

Now with password synchronization you only need one server or can install the dirsync service onto an existing server.So how do we configure password synchronization.


  1. Create a dirsync service account and add the account to the 'FIMSyncAdmins' group on the server where you plan installing the service.
  2. Create this shorcut on the desktop '"C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe"
  3. Then as per the image below , right click on 'Active directory Connector', 'Configure Directory Partitions' and then 'Containers' and select the OU's that you want to synchronize.

So that is how to set up password synchronization.You need an adfs farm if you want Single Sign on, But single sign on is only for web services like 

OutlookWebApp
Sharepoint 
portal.microsoftonline.com

So if a customer is going with only exchange online then this can be setup very quickly and passwords will be synced.

Now one more thing , after you reboot the 'Forefront Identity Manager Synchronization Service'wont start! So how you get around this is as follows. 

  1. Create an OU and add the DirSync Server into that OU. 
  2. Add the DirSync Server to that OU.
  3. IN GPO Management , Block Inheritance on the OU.
  4. Create a group policy object as follows. Navigate to 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment'
  5. Located "Login as a Service" and add  the service account for the synchronization engine which could be typically 'AAD_95a9bb5e2ba4'
  6. Link the GPO to the OU prevously created and enforce the policy
  7. Logon to the DirSync server, GPUPDATE/FORCE
  8. Log off
  9. Log on 
  10. Start the service
  11. Or you could simply use gpedit.msc and edit the local policy on the machine.

At the time of writing this post , the version of windows azure directory sync tool was Forefront Identity manager 2010 R2 Version: 4.1.3451.0






3 comments:

  1. If you enable the password sync can you roll this out by user bases or it will roll out across the whole environment?

    ReplyDelete
  2. Since this is a single server, I would imagine adding the fim sync service account directly to machine's local "log on as a service" policy would do the trick. Since most of us virtualize these days, no real benefit in going through the overhead of an OU and GPO.

    ReplyDelete
  3. i agree with Anonymous nr2.
    i wonder what will be on multi server



    that small active direcory tool

    ReplyDelete