With the Azure Active Directory Connect product (AAD Connect) being announced as generally available to the market (more here, download here), there is a new feature that provides much faster recovery of the AAD Sync component. This feature was not available with the previous AAD Sync or DirSync tools and there is little information about it in the community, so hopefully this model can be considered for your synchronisation design.
Even though the AAD Sync component within the AAD Connect product is based on the Forefront Identity Manager (FIM) synchronisation service, it does not use the same recovery techniques as FIM. For AAD Sync, you prepare two servers (ideally in different data centres) and install AAD Connect on each. The primary server is configured to perform the main role of synchronising identities between your Active Directory and Azure Active Directory; the second server is installed in much the same way but with the setting ‘enable staging mode’ selected. Both servers are independent and do not share any components such as SQL Server, and the second server performs the same tasks as the primary except for the following:
- No exports occur to your on-premise Active Directory
- No exports occur to Azure Active Directory
- Password synchronisation and password writeback are disabled.
Should the primary server go offline for a long period of time or become unrecoverable, you can enable the second server by simply running the installation wizard again and disabling staging mode. When the task schedule next runs, it will perform a delta import and synchronisation and identify any differences between the state of the previous primary server and the current server.
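The pre-failover check described above, written as an added PowerShell example (not code from the original post or from the AAD Connect product). It assumes the ADSync PowerShell module that ships with AAD Connect and its Get-ADSyncScheduler, Get-ADSyncConnector and Get-ADSyncConnectorRunStatus cmdlets, which exist in builds with the built-in scheduler; the original post describes the earlier scheduled-task model, where the promotion step is simply re-running the installation wizard and clearing staging mode. The former primary's host name is a placeholder.

```powershell
# Added example: readiness check before promoting the staging-mode server.
# Run on the SECOND (staging) AAD Connect server.
param(
    # Hypothetical name of the server that was performing the primary role
    [string]$FormerPrimary = 'AADC-PRIMARY.corp.example'
)

Import-Module ADSync -ErrorAction Stop

$scheduler = Get-ADSyncScheduler

# Guard 1: this server must still be in staging mode. If it is not, it is already
# exporting, and there is nothing to promote (or two servers are exporting).
if (-not $scheduler.StagingModeEnabled) {
    throw "This server is not in staging mode; refusing to continue."
}

# Guard 2: do not create two writers against Azure AD. This is only a weak
# reachability test; confirm the former primary is really down by other means too.
if (Test-Connection -ComputerName $FormerPrimary -Count 2 -Quiet) {
    throw "$FormerPrimary still answers on the network; confirm it is really offline first."
}

# Guard 3: wait for any sync cycle that is currently in progress to finish,
# so the delta import after promotion starts from a consistent state.
if ($scheduler.SyncCycleInProgress) {
    throw "A sync cycle is in progress; wait for it to complete before promoting."
}

# Report how current the staging server is, so the operator can judge the
# size of the delta that will flow once exports are enabled.
[pscustomobject]@{
    StagingMode       = $scheduler.StagingModeEnabled
    SyncCycleEnabled  = $scheduler.SyncCycleEnabled
    EffectiveInterval = $scheduler.CurrentlyEffectiveSyncCycleInterval
    NextCycleStartUtc = $scheduler.NextSyncCycleStartTimeInUTC
    Connectors        = (Get-ADSyncConnector | Select-Object -ExpandProperty Name) -join '; '
    RunningConnectors = (Get-ADSyncConnectorRunStatus | Select-Object -ExpandProperty ConnectorName) -join '; '
} | Format-List

Write-Host "All guards passed. Promote by re-running the AAD Connect wizard and clearing staging mode;"
Write-Host "on builds with the built-in scheduler the equivalent is: Set-ADSyncScheduler -StagingModeEnabled `$false"
```

The three guards encode the failure modes that matter in this design: promoting a server that is not actually the passive one, ending up with two servers exporting to the same tenant, and cutting over mid-cycle. Only after they pass does the operator take the (deliberately manual) step of leaving staging mode.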
Some other items you might want to consider with this design:
- Configure the task schedule on the second server so that it runs soon after the primary server completes. By default the task schedule runs every 3 hours and launches at a time based on when it was installed, so the second server's task schedule can launch up to a few hours after the primary server runs. Based on the average amount of work the primary server takes, configure the task schedule on the second server to launch, say, 5-10 minutes later.
- AAD Sync includes a tool called CSExportAnalyzer which displays changes that are staged to be exported to Active Directory or Azure Active Directory. This tool is useful for reporting on pending exports while the server is in ‘staging mode’.
- Consider using ‘custom sync groups’ which are located in your Active Directory domain. The default installation of the AAD Sync component will create the following groups locally on the server: ADSyncAdmins, ADSyncOperators, ADSyncBrowse and ADSyncPasswordSet. With more than one AAD Sync server, these groups need to be managed on the servers and kept in sync manually. Having the groups in your Active Directory will simplify this administration.
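A pending-export report for a staging-mode server, as an added PowerShell example that is not part of the original post. It drives the csexport.exe and CSExportAnalyzer.exe tools from the AAD Sync Bin folder (the default install path shown is an assumption; adjust it if you installed elsewhere) and uses the ADSync module's Get-ADSyncConnector to enumerate connector names. The warning threshold is a constructed value, not a product default.

```powershell
# Added example: report what a staging-mode server WOULD export if promoted.
# A large or unexpected number of pending exports (for example mass deletes)
# is the thing to look at before taking the server out of staging mode.
param(
    [string]$Bin       = 'C:\Program Files\Microsoft Azure AD Sync\Bin',  # assumed default path
    [string]$OutDir    = (Join-Path $env:TEMP 'aadsync-pending-exports'),
    [int]$WarnAbove    = 500                                               # constructed threshold
)

Import-Module ADSync -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($connector in Get-ADSyncConnector) {
    # Connector names contain spaces and dots; make a safe file name from them
    $safe = $connector.Name -replace '[^\w\.-]', '_'
    $xml  = Join-Path $OutDir "$safe.xml"
    $csv  = Join-Path $OutDir "$safe.csv"

    # /f:x limits the export to connector space objects with pending exports
    & (Join-Path $Bin 'csexport.exe') $connector.Name $xml /f:x | Out-Null

    # CSExportAnalyzer converts the XML into a CSV, one row per pending change
    & (Join-Path $Bin 'CSExportAnalyzer.exe') $xml | Set-Content -Path $csv -Encoding ascii

    # Count data rows (first line is the CSV header)
    $rows = @(Get-Content -Path $csv)
    $pending = [math]::Max(0, $rows.Count - 1)

    $status = if ($pending -gt $WarnAbove) { 'REVIEW' } else { 'ok' }
    [pscustomobject]@{
        Connector      = $connector.Name
        PendingExports = $pending
        Status         = $status
        Report         = $csv
    }
}
```

Run it from the staging server shortly after its scheduled cycle completes; the CSV per connector is what you hand to the operator (or keep as evidence) before deciding to promote. A sudden jump in the pending count on the Azure AD connector is worth investigating before it is ever exported.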
NOTE: This feature is not yet working with the current AAD Connect download and this blog will be updated when working 100%.
The last two items will be detailed in future blogs.
Thanks a lot, very interesting as always.
David, is there a certain setting required for the AD custom sync groups? I’m trying to set these (with pre-created AD groups, of course) and keep getting an error in the event logs that the groups are not found.
Hi Andrew, you are doing nothing wrong, that function does not work (yet). I’ve been communicating with the product group and it appears to be a bug and waiting on confirmation and when it is likely to be fixed. I’ll update the blog when I know. Cheers.
Thanks for the response, David. I actually have a premier support case open right now with them and just received the same response from the engineer, who got that info from the product group. The only way to use AD groups is if you install AAD Connect on a domain controller, which we won’t be doing.
I wanted to update this so you knew the result. According to the product group, the ability to install on a member server and assign AD groups for the custom sync groups will be added in the next release.
I have an Azure free trial at the moment but have not received my Azure AD credentials. Is this because I am on a free trial? Or is it because I don’t have AADSync downloaded?
I’m trying to link my SQL Server Express to my Azure account but obviously cannot without credentials.
Thanks for the assistance.
The link below is what I found for the AADSync, however it directs me to the download for AD Connect. Any assistance would be greatly appreciated.
You can download the most recent version of Azure AD Sync using the following link: http://go.microsoft.com/fwlink/?LinkId=511690
Will the staging mode topic get the mentioned future blog post? I’m looking for the way to setup and configure this the correct way.