Microsoft recently released the latest version of its directory synchronisation tool: Azure Active Directory Synchronisation Services (AADSync). The “one sync to rule them all” is likely to be your first choice for synchronising identities to the Microsoft cloud.
Installing and configuring the tool is relatively straightforward for the majority of deployments, and the process is well documented at the Microsoft Azure Documentation Centre. If your organisation has a large number of identities (100,000+), Microsoft recommends deploying AADSync with a full installation of SQL Server rather than the bundled database. That process, including the backup and restoration of AADSync, is not so well documented and is what I am going to cover in this post.
Installing AADSync with full SQL
Prerequisites
1. A Windows Server for AADSync. Windows 2008 to 2012 R2 is supported. PowerShell 3+ and .Net 4.5 are required.
2. A SQL Server. SQL Server 2008 through SQL Server 2012 is supported (there is no “SQL 2012 R2” release).
3. An Office 365 account with Global Administrator permissions. Use a dedicated account for the sync service rather than a person’s admin account, and set its password to never expire via PowerShell:
Set-MsolUser -UserPrincipalName aadsync@contoso.onmicrosoft.com -PasswordNeverExpires $true
4. An Active Directory user account to act as a service account. It doesn’t require any special permissions up front, but you should set the password to never expire. In my demo this account is contoso\aadsync.
5. An Active Directory user account for the installation. This account should be a member of the local Administrators group on the AADSync server and requires sysadmin privileges on the target SQL instance.
6. The AADSync Installation Media
Installing AADSync
1. Log on to the AADSync server with the installation account and launch the AADSync installation executable you downloaded earlier (MicrosoftAzureADConnectionTool.exe). Close the installation screen when it opens.
At this point setup has already extracted the AADSync files to ‘C:\Program Files\Microsoft Azure AD Connection Tool’ and created a ‘DirectorySyncTool’ shortcut in the Start menu and on the desktop.
2. Open a command prompt (run as administrator) and execute the following command to install against a full SQL database:
DirectorySyncTool.exe /sqlserver <SQL Server> /sqlserverinstance <Instance Name> /serviceAccountDomain <Domain Name> /serviceAccountName <Service Account> /serviceAccountPassword <Password>
The /sqlserverinstance and /serviceAccount* parameters are all optional. If you don’t specify a SQL instance name, the default instance is used. If you don’t specify the serviceAccount details, setup creates a service account with a random password to run the AADSync service. I highly recommend specifying the serviceAccount parameters so that you know the credentials; they are required later for the backup and restore process.
In my demo I decided to use the aadsync account and install to the default instance, so my installation command looks like:
“C:\Program Files\Microsoft Azure AD Connection Tool\DirectorySyncTool.exe” /sqlserver sqlserver.contoso.com /serviceAccountDomain contoso /serviceAccountName aadsync /serviceAccountPassword P@ssw0rd
Note that the service account password is passed in clear text on the command line, so it is visible in the command history and to anyone who can read the process’s command line while setup runs. Use a strong, unique password and clear the command history afterwards.
3. At this point the installation wizard opens and you can run through the configuration as normal; that part of the process is well documented by Microsoft. Once the installation has completed, a database called ‘ADSync’ will have been provisioned on the target SQL instance.
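The installation steps above, wrapped in a script with the checks I would want before handing setup the service account password. This is an added example, not code from the original post or from Microsoft: the server name, instance name, service account and install path are assumptions for a lab, and the only thing the script asks of DirectorySyncTool.exe is the command line documented above.

```powershell
# Added example: command-line install of AADSync against a full SQL instance,
# with prerequisite checks before and a sanity check after.
# Assumptions: sqlserver.contoso.com, the default instance, contoso\aadsync as the
# service account, and the default extraction path of the AADSync installer.
$SqlServer     = 'sqlserver.contoso.com'   # assumption
$SqlInstance   = ''                        # '' = default instance, e.g. 'AADSYNC' for a named one
$SvcDomain     = 'contoso'
$SvcName       = 'aadsync'
$InstallerPath = 'C:\Program Files\Microsoft Azure AD Connection Tool\DirectorySyncTool.exe'

# Setup must run elevated; check this before doing anything else.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# 1. Server prerequisites: PowerShell 3+ and .NET 4.5+ (Release 378389 is 4.5 RTM).
if ($PSVersionTable.PSVersion.Major -lt 3) { throw 'PowerShell 3 or later is required.' }
$netRelease = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
if (-not $netRelease -or $netRelease -lt 378389) { throw '.NET Framework 4.5 or later is required.' }

# 2. The installing account must be sysadmin on the target instance, and there must
#    not already be an ADSync database there (that is a restore, not an install).
$dataSource = if ($SqlInstance) { "$SqlServer\$SqlInstance" } else { $SqlServer }
function Invoke-Scalar([string]$Query) {
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$dataSource;Database=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        return $cmd.ExecuteScalar()
    } finally { $conn.Dispose() }
}
if ((Invoke-Scalar "SELECT IS_SRVROLEMEMBER('sysadmin')") -ne 1) {
    throw "$env:USERDOMAIN\$env:USERNAME is not sysadmin on $dataSource."
}
if ((Invoke-Scalar "SELECT COUNT(*) FROM sys.databases WHERE name = 'ADSync'") -ne 0) {
    throw "An ADSync database already exists on $dataSource; use the restore procedure instead."
}

# 3. Prompt for the service account password rather than hard-coding it in the script.
#    DirectorySyncTool.exe only accepts it on the command line, so it is still visible
#    to anyone who can read this process's command line while setup runs.
$secure = Read-Host "Password for $SvcDomain\$SvcName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$setupArgs = @('/sqlserver', $SqlServer)
if ($SqlInstance) { $setupArgs += @('/sqlserverinstance', $SqlInstance) }
$setupArgs += @('/serviceAccountDomain', $SvcDomain, '/serviceAccountName', $SvcName,
                '/serviceAccountPassword', "`"$plain`"")   # quoted in case it contains spaces

# 4. Run setup; the wizard opens for the remaining configuration, so wait for it to exit.
#    A non-zero exit code is treated as a failed install (assumption about the tool).
$proc  = Start-Process -FilePath $InstallerPath -ArgumentList $setupArgs -Wait -PassThru
$plain = $null
if ($proc.ExitCode -ne 0) { throw "DirectorySyncTool.exe exited with code $($proc.ExitCode)." }

# 5. Confirm the ADSync database was provisioned and record which login owns it.
$owner = Invoke-Scalar "SELECT SUSER_SNAME(owner_sid) FROM sys.databases WHERE name = 'ADSync'"
if (-not $owner) { throw 'The ADSync database was not created; check the installer log.' }
"ADSync database provisioned on $dataSource (owner: $owner)."
```

The sysadmin and existing-database checks are the two things that most often go wrong on the first run against a shared SQL instance, and both are cheaper to find before the wizard than after it.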
Backup the AADSync Service
There is no need to back up the AADSync server itself, only the database. Any standard SQL backup process will do, but on its own the backup is useless: to restore the database and attach a replacement AADSync server you also need the encryption keys, without which the new server cannot read the configuration and credentials stored in the database. To create a backup of the encryption keys:
1. Disable the ‘Azure AD Sync’ scheduled task and ensure all synchronisation jobs have completed.
2. Disable the ‘Microsoft Azure AD Sync’ service.
3. Start ‘Synchronization Service Key Management’ from the Start menu. Make sure you ‘Run as administrator’.
4. Select ‘Export key set’ and click ‘Next’.
5. Enter the credentials of the AADSync service account (this is why we specified the credentials during the installation).
6. Specify a location for the encryption key backup file and click ‘Next’ and ‘Finish’.
The wizard will have generated a .bin file in the location you specified. Store it somewhere that will still be reachable when you need to connect a replacement AADSync server to the database (i.e. not on the current AADSync server), and treat it as sensitive: together with a copy of the database backup and the service account credentials, it is everything needed to stand up a working copy of your sync service.
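The backup procedure above as a script. This is an added example, not code from the original post: it quiesces the server, takes a checksummed SQL backup of ADSync, then launches the same Key Management wizard (miiskmu.exe in the AADSync Bin folder) for the key-set export, because the export in this walkthrough is done through the wizard. The backup share, server name, scheduled task name and the use of the ADSync PowerShell module’s Get-ADSyncConnectorRunStatus to detect an in-progress run are assumptions.

```powershell
# Added example: prepare a running AADSync server for backup, back up the ADSync
# database, export the key set via the wizard, and record hashes of the pair.
# Assumptions: sqlserver.contoso.com hosts ADSync, \\backup01\aadsync$ is a share
# that is NOT on the AADSync server, and the ADSync module exposes
# Get-ADSyncConnectorRunStatus (wrapped in try/catch in case it does not).
$SqlServer  = 'sqlserver.contoso.com'   # assumption
$BackupDir  = '\\backup01\aadsync$'     # assumption; must also be writable by the SQL Server service account
$SyncBin    = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
$TaskName   = 'Azure AD Sync'
$SvcDisplay = 'Microsoft Azure AD Sync'
$stamp      = Get-Date -Format 'yyyyMMdd-HHmm'

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# 1. Stop new sync cycles from starting. schtasks.exe also works on Windows 2008 R2,
#    where the Disable-ScheduledTask cmdlet is not available.
& schtasks.exe /Change /TN $TaskName /Disable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not disable scheduled task '$TaskName'." }

# 2. Wait for any in-progress run to finish before stopping the service.
try {
    Import-Module ADSync -ErrorAction Stop                       # assumption: module name
    while (Get-ADSyncConnectorRunStatus) {                       # assumption: returns nothing when idle
        Write-Host 'Sync run in progress, waiting...'; Start-Sleep -Seconds 30
    }
} catch {
    Write-Warning "Cannot query run status ($_); sleeping 5 minutes instead."
    Start-Sleep -Seconds 300
}

# 3. Stop the sync service so nothing writes to the database during the backup.
$svc = Get-Service -DisplayName $SvcDisplay
Stop-Service -Name $svc.Name -Force
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 4. Full backup of ADSync. CHECKSUM makes a corrupt page fail the backup now rather
#    than the restore later; VERIFYONLY confirms the file SQL Server just wrote is readable.
#    The file is written by the SQL Server service, so the path is from its point of view.
$backupFile = Join-Path $BackupDir "ADSync-$stamp.bak"
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=master;Integrated Security=SSPI"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandTimeout = 0
    $cmd.CommandText = 'BACKUP DATABASE [ADSync] TO DISK = @path WITH INIT, CHECKSUM; ' +
                       'RESTORE VERIFYONLY FROM DISK = @path WITH CHECKSUM;'
    [void]$cmd.Parameters.AddWithValue('@path', $backupFile)
    [void]$cmd.ExecuteNonQuery()
} finally { $conn.Dispose() }

# 5. Export the key set through the wizard, exactly as in the steps above.
$keyFile = Join-Path $BackupDir "AADSyncKey-$stamp.bin"
Write-Host "In the wizard choose 'Export key set', enter the service account credentials and save to: $keyFile"
Start-Process -FilePath (Join-Path $SyncBin 'miiskmu.exe') -Wait
if (-not (Test-Path $keyFile)) {
    throw "Key file $keyFile was not created; the database backup alone is not restorable."
}

# 6. Record SHA-256 of both files so a restore can prove it has the matching pair.
#    (Get-FileHash needs PowerShell 4; this works on PowerShell 3.)
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' } finally { $fs.Dispose() }
}
foreach ($f in $backupFile, $keyFile) { "$(Get-Sha256 $f)  $f" } |
    Out-File -FilePath (Join-Path $BackupDir "ADSync-$stamp.sha256") -Encoding ASCII

# 7. Bring the service back and resume the schedule.
Start-Service -Name $svc.Name
& schtasks.exe /Change /TN $TaskName /Enable | Out-Null
```

The hash manifest is the part people skip: a key file from a different export will activate a server without complaint but will not decrypt what is in the database, so being able to prove that the .bak and .bin were taken together is worth the two extra lines.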
Restore the AADSync Service
1. Restore your AADSync SQL database from backup.
2. On your new AADSync server, install the AADSync service following the same steps you used for the initial install, specifying the remote SQL server and the service account details. Setup will run through as usual and then fail with an ‘Unable to retrieve configuration settings..’ error, because the restored database was encrypted with the original server’s keys.
The Event Viewer explains the issue in more detail.
At this point I logged off and on again so that my installation account picked up its new membership of the AADSyncAdmins security group, which setup had just added it to.
3. Open a command prompt (run as administrator) and execute the following command to restore the encryption keys:
miisactivate.exe <encryption key file> <AADSync service account> <password>
In my lab, I executed: “C:\Program Files\Microsoft Azure AD Sync\Bin\miisactivate.exe” C:\Temp\AADSyncKey.bin contoso\aadsync *
4. A warning is displayed explaining that activating this server while the original is still running may cause data corruption. Our original server is no longer online, so we can say ‘Yes’.
5. Enter the password for the AADSync service account. The * in step 3 makes miisactivate prompt for the password instead of taking it from the command line.
6. You receive a notification that the operation completed successfully. You will also see an event that shows the AADSync service is now up and running.
7. At this point you will need to re-enable the ‘Azure AD Sync’ scheduled task to resume normal operations.
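The restore procedure above as a script, in two phases to match the order of the steps: Restore is run (from any box with sysadmin on the instance) before you install AADSync on the new server, and Activate is run on the new server after setup has reported the ‘Unable to retrieve configuration settings’ error. This is an added example, not code from the original post; the share, server name and the hash manifest format (one “HASH  path” line per file) are assumptions, and miisactivate.exe is called with the same arguments shown in step 3, with * so the password is prompted for rather than written into the script.

```powershell
# Added example: restore the ADSync database, verify the key file belongs to that
# backup, then activate the new server with miisactivate.exe.
# Usage:  .\Restore-AADSync.ps1 -Phase Restore    (before installing on the new server)
#         .\Restore-AADSync.ps1 -Phase Activate   (on the new server, after setup)
param(
    [Parameter(Mandatory = $true)][ValidateSet('Restore', 'Activate')][string]$Phase,
    [string]$Stamp = '20141101-0200'          # which backup set to use (assumption)
)
$SqlServer  = 'sqlserver.contoso.com'         # assumption
$BackupDir  = '\\backup01\aadsync$'           # assumption
$SvcAccount = 'contoso\aadsync'
$SyncBin    = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
$TaskName   = 'Azure AD Sync'
$SvcDisplay = 'Microsoft Azure AD Sync'

$backupFile = Join-Path $BackupDir "ADSync-$Stamp.bak"
$keyFile    = Join-Path $BackupDir "AADSyncKey-$Stamp.bin"
$manifest   = Join-Path $BackupDir "ADSync-$Stamp.sha256"

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Both phases first prove the file they are about to use matches the recorded hash,
# so a .bak and .bin from different backup sets are never combined.
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' } finally { $fs.Dispose() }
}
function Assert-Recorded([string]$Path) {
    $hash = Get-Sha256 $Path
    if (-not (Select-String -Path $manifest -Pattern $hash -SimpleMatch -Quiet)) {
        throw "$Path does not match the hash recorded in $manifest."
    }
}

switch ($Phase) {
    'Restore' {
        Assert-Recorded $backupFile
        # Step 1: restore over any existing ADSync database. If the new SQL server's data
        # and log paths differ from the original, add WITH MOVE clauses for the files.
        $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=master;Integrated Security=SSPI"
        try {
            $conn.Open()
            $cmd = $conn.CreateCommand()
            $cmd.CommandTimeout = 0
            $cmd.CommandText = "IF DB_ID('ADSync') IS NOT NULL ALTER DATABASE [ADSync] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; " +
                               'RESTORE DATABASE [ADSync] FROM DISK = @path WITH REPLACE, CHECKSUM; ' +
                               'ALTER DATABASE [ADSync] SET MULTI_USER;'
            [void]$cmd.Parameters.AddWithValue('@path', $backupFile)
            [void]$cmd.ExecuteNonQuery()
        } finally { $conn.Dispose() }
        'ADSync restored. Now install AADSync on the new server against this SQL server, then run -Phase Activate there.'
    }
    'Activate' {
        Assert-Recorded $keyFile
        # Step 3: import the key set and activate this server. miisactivate prompts for the
        # service account password (the *) and shows the data-corruption warning from step 4;
        # only answer Yes if the original server is really offline.
        & (Join-Path $SyncBin 'miisactivate.exe') $keyFile $SvcAccount '*'
        if ($LASTEXITCODE -ne 0) {                                # assumption: non-zero means failure
            throw "miisactivate.exe returned $LASTEXITCODE; the server has not been activated."
        }
        # Step 6: the service should now be running; start it if activation did not.
        $svc = Get-Service -DisplayName $SvcDisplay
        if ($svc.Status -ne 'Running') {
            Start-Service -Name $svc.Name
            $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
        }
        # Step 7: resume the sync schedule.
        & schtasks.exe /Change /TN $TaskName /Enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not enable scheduled task '$TaskName'." }
        "AADSync activated on $env:COMPUTERNAME; service '$($svc.DisplayName)' is $($svc.Status)."
    }
}
```

The scheduled task is enabled only after the service is confirmed running, so a half-finished activation cannot silently leave a server that looks scheduled but never syncs.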
nice job
Installed on a DC, when I try to export the key I get the following… A required privilege is not held by the client. The service account is a member of the groups mentioned above. I think it’s looking for the local admin rights, which are not available on a DC.
Nice article David. I have a particular issue, I have a regular install of DirSync without full SQL and I am getting errors about truncating the logs. I tried to connect to the database using the SQL tool on a separate SQL server, but it couldn’t find a database. I am at a loss as to how I can resolve the issue. Any ideas?