DirSync, Azure AD Sync, Forefront Identity Manager and Azure AD Connect – so many ways to synchronize your identities to Microsoft's cloud identity repository. But only one of them will remain the effective and supported one, and this update has actually just landed in April.
Microsoft officially announced the end of support for DirSync & Azure AD Sync on April 13th, 2017. Azure AD Connect is becoming the tool that will officially support identity synchronization.
It doesn't mean that the previous tools stop working right now, but their support ends. Therefore, it is highly advisable, and quite prudent, to migrate to Azure AD Connect fast. The final deadline for this is the end of 2017.
This implies that beyond that date, DirSync and Azure AD Sync will stop working. Similarly, mainstream support for Microsoft Forefront Identity Manager 2010 R2 with Service Pack 1 ends on October 10th, 2017, while its extended support ends later, expected to be October 11th, 2022.
Farewell (other) sync tools!
The farewell calendar is as follows:
- On April 13th, 2016, Windows Azure Active Directory Sync ("DirSync") and Microsoft Azure Active Directory Sync ("Azure AD Sync") were announced as deprecated.
- On April 13th, 2017, support ended.
- As of December 31st, 2017, Azure AD no longer accepts communications from any other synchronization tools besides Azure AD Connect.
What exactly does "Support Ends" mean?
Support ending means that Microsoft will no longer support these tools. In short: if anything happens to your tool, Microsoft Cloud Support will tell you that a support case cannot be opened for it. Furthermore, Microsoft stops issuing patches, updates, and fixes. Quite stressful.
Why Azure AD Connect?
You may wonder, or have lots of questions, as to why Microsoft is phasing out such effective, working tools. If you want my opinion, it's time to focus!
Azure AD Connect is the result of the evolution of synchronization tools. To begin with, there were a couple of them, starting with DirSync, which was built as a solution on top of an existing product. It seems unlikely that Microsoft would let yet another tool mutate and grow to replace Azure AD Connect, which implies that it will most probably be the tool used in the future.
Azure AD Connect has been, so to speak, completely rewritten. It provides not only synchronization but also recently added functionality, including pass-through authentication. It acts as an identity bridge between your on-premises AD and Azure AD. Microsoft has put a lot of effort into the latest versions to significantly increase the usability of the tool and to integrate many features and technologies.
Some of these features include automatic upgrade, or the possibility to install an Active Directory Federation Services (AD FS) farm directly from the Azure AD Connect wizard. Oh, and BTW – AD FS can now be replaced in some scenarios by one of the Azure AD Connect features, Azure AD Pass-through. Haven't heard of it? Ask us!
Azure AD Connect is your bridge between the on-premises AD and your Azure AD. This allows the synchronization of identities and much more! Placed in your organization's infrastructure, it can bring many benefits.
What will you gain? Among others, the features include:
- Password synchronization and writeback – with this, you can take advantage of cloud-based password reset
- Device Writeback – this may not be an immediate benefit for everyone. However, you will really appreciate it in the future, as Mobile Device Management becomes a part of IT culture and a business requirement. With Device Writeback, you can have your devices registered in Azure (e.g. using Microsoft Intune) and use them for conditional access in AD FS.
- Prevent accidental deletes – this feature watches your synchronization operations and stops the sync when it detects suspicious activity.
- Automatic upgrade – from now on the tool updates itself, no need to remember about it! Awesome, isn't it?
- Azure AD Pass-through – an alternative to an AD FS deployment, which is only possible with Azure AD Connect (it does not work with DirSync or Azure AD Sync)
- !! NEW !! Using a group Managed Service Account (gMSA) – this makes it easier to pass security audits.
How to act?
With such critical software, acting as a bridge between the on-premises and Azure worlds, becoming deprecated, one can easily see the potential threats: service disruptions, no help when required and even the possibility of a data breach or loss, among others. So what are the available remedies?
Step #1 CHECK
Verify which tool you are using and whether any modifications have been made to the synchronization process.
To check whether DirSync is installed, run the following PowerShell command (GP is the alias of Get-ItemProperty):
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync").DisplayVersion
Another easy way to verify which tool is installed is to use "Uninstall a program" in Control Panel and look through the list of installed software. Of course, take care not to actually uninstall it; just check the version.
Please note: even if you have Azure AD Connect installed, if its version is below 1.1.x you should plan your migration to the latest version.
It is important to mention that versions starting with 1.1.x provide one crucial feature, automatic upgrade, as well as many improvements and fixes. A complete list of version changes can be found here: Azure AD Connect version history.
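As an added example (not code from the original post), the script below performs the check from Step #1 for all three tools at once and applies the 1.1.x caveat: it enumerates the Uninstall registry hives, reports which synchronization tool is present and flags an Azure AD Connect build older than 1.1. The DirSync key name is the one quoted above; the DisplayName patterns and the WOW6432Node path are assumptions, so adjust them to what "Uninstall a program" shows in your environment.

```powershell
# Added example, not from the original post: inventory the Uninstall registry
# hives for DirSync, Azure AD Sync and Azure AD Connect and report what to do.
# The DirSync key name is the one quoted in the post; the other patterns and
# the WOW6432Node path are assumptions, adjust them to your environment.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$toolPatterns = [ordered]@{
    'DirSync'          = 'Microsoft Online Directory Sync'   # exact key name from the post
    'Azure AD Sync'    = '*Azure Active Directory Sync*'     # assumed display name
    'Azure AD Connect' = '*Azure AD Connect*'                # assumed display name
}
$minimumConnect = [version]'1.1'   # builds below this lack automatic upgrade

$found = foreach ($path in $uninstallPaths) {
    if (-not (Test-Path $path)) { continue }
    Get-ChildItem $path | ForEach-Object {
        $item = Get-ItemProperty $_.PSPath
        foreach ($tool in $toolPatterns.Keys) {
            $pattern = $toolPatterns[$tool]
            # Match either the registry key name (DirSync) or the DisplayName value.
            if ($_.PSChildName -like $pattern -or $item.DisplayName -like $pattern) {
                [pscustomobject]@{
                    Tool    = $tool
                    Version = $item.DisplayVersion
                    Key     = $_.PSChildName
                }
            }
        }
    }
}
if (-not $found) {
    Write-Warning 'No DirSync, Azure AD Sync or Azure AD Connect entry found in the Uninstall hives.'
    return
}
foreach ($entry in $found) {
    $status = switch ($entry.Tool) {
        'Azure AD Connect' {
            $ver = $null
            if ([version]::TryParse($entry.Version, [ref]$ver) -and $ver -lt $minimumConnect) {
                "UPGRADE: below $minimumConnect, no automatic upgrade"
            } else { 'OK: supported tool' }
        }
        default { 'MIGRATE: deprecated, support ended 13 April 2017' }
    }
    '{0,-17} {1,-12} {2}' -f $entry.Tool, $entry.Version, $status
}
```

Run it in an elevated PowerShell session on the synchronization server; it only reads the registry and changes nothing.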
Step #2 PLAN
There are several things that you should consider. Highlighted below are some of the key factors.
- What options to configure – should your Device Writeback be configured? Or maybe password synchronization? Why? Why not?
- What attributes to synchronize – different Microsoft Azure services require a different set of attributes to be synchronized. Do you need them all, or maybe you can filter some of them out?
- How to plan for failover – in case one of your Azure AD Connect servers fails, you will surely need it.
- You can customize your rules right now – maybe you were limited by the previous tool, but now you can do this!
- Do you have multiple forests or a single Azure AD tenant? Now that's not a problem! Plan your multi-tenancy identity synchronization.
- Disaster recovery, operations, and backup procedures – every solution should be well documented: up-to-date architecture, operations and, in case they're needed, deployment guides. All for future reference and ease of maintaining the solution.
Step #3 DO!
If you need help with all of it, we have done it many times. In a way, it is like standard heart surgery: even if it is a routine procedure, it is better to at least consult someone skilled.
So what does the whole process look like at Predica?
- First, when we get the request, we set up a quick assessment call with a technical expert. During the call, we find out the current setup of the environment, the scope, the potential impact, which tool is to be deployed and what extra configuration has been applied. If the customer has up-to-date architecture documentation, that's even better, although in that case we also do a quick double check that it reflects the current deployment status.
- Then (in most cases offline) we share all the prerequisites and requirements that are needed to perform the upgrade before scheduling the upgrade session.
- During the upgrade session, we focus on what's critical for our customers – backup and disaster recovery, which we plan and perform before the upgrade.
- After the upgrade, we test and quickly verify that it has been successful and that there are no unexpected issues.
- At the last, optional stage, we work offline to prepare the updated architecture, backup and recovery, and operations documents (or we create them if they are not already in place).
To many people, this comes not only as a surprise but also as a daunting activity to undertake. However, with support from us at Predica, consider your problems sorted.
All you need to do is get in touch!