
Azure AD Connect

Summary

Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals.

Plan

Cost

Prerequisite

Add custom domain name to Azure AD

Required Account

  • Active Directory Domain Service Enterprise Administrator Account
  • Azure AD Global Administrator

Build

Download Azure AD Connect

Express installation of Azure AD Connect

Accounts

AD DS Connector account

If you use express settings, then an account is created in Active Directory that is used for synchronization. The created account is located in the forest root domain in the Users container and has its name prefixed with MSOL_. The account is created with a long complex password that does not expire. If you have a password policy in your domain, make sure long and complex passwords would be allowed for this account.
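The MSOL_ account (and the AAD_ account when Azure AD Connect runs on a domain controller) holds directory-wide replication rights, so it is worth auditing regularly: its password should be set to never expire, it should carry no group memberships beyond what the wizard gave it, and the effective password policy must allow the long password the wizard generated. The following script is an added example, not part of the original post or of Azure AD Connect itself; it assumes the ActiveDirectory RSAT module is installed and that the caller can read the forest root domain.

```powershell
# Added example (not from the original post): audit the sync accounts that
# Azure AD Connect created in the forest root Users container.
# Assumption: ActiveDirectory RSAT module is available on this host.
Import-Module ActiveDirectory

$rootDomain     = (Get-ADForest).RootDomain
$usersContainer = "CN=Users," + (Get-ADDomain -Identity $rootDomain).DistinguishedName

# MSOL_* is the express-settings AD DS Connector account; AAD_* is the sync
# service account when Azure AD Connect was installed on a domain controller.
$syncAccounts = Get-ADUser -Server $rootDomain -SearchBase $usersContainer `
    -Filter 'Name -like "MSOL_*" -or Name -like "AAD_*"' `
    -Properties Description, PasswordNeverExpires, PasswordLastSet, Enabled, LastLogonDate, MemberOf

if (-not $syncAccounts) {
    Write-Warning "No MSOL_/AAD_ accounts found in $usersContainer; custom settings may be in use."
}

$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy -Server $rootDomain).MaxPasswordAge

foreach ($acct in $syncAccounts) {
    # A fine-grained password policy, if one applies, overrides the domain default;
    # this is where a too-short MaxPasswordAge or length cap would show up.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $acct -Server $rootDomain

    [pscustomobject]@{
        Name                 = $acct.Name
        Enabled              = $acct.Enabled
        PasswordNeverExpires = $acct.PasswordNeverExpires   # expected: True
        PasswordLastSet      = $acct.PasswordLastSet
        LastLogonDate        = $acct.LastLogonDate          # never logged on = stale candidate
        ExtraGroupCount      = @($acct.MemberOf).Count      # expected: 0 beyond the primary group
        MaxPasswordAge       = if ($fgpp) { $fgpp.MaxPasswordAge } else { $defaultMaxAge }
        PolicySource         = if ($fgpp) { $fgpp.Name } else { "Domain default" }
        Description          = $acct.Description
    }
}
```

An account that has never logged on usually belongs to a server that has since been decommissioned and should be removed; one with unexpected group memberships or a recently changed password that nobody on the team can explain should be investigated before anything else.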

AD account

If you use custom settings, then you are responsible for creating the account before you start the installation. See Create the AD DS Connector account.

User account

A local service account is created by the installation wizard (unless you specify the account to use in custom settings). The account is prefixed AAD_ and used for the actual sync service to run as. If you install Azure AD Connect on a Domain Controller, the account is created in the domain. The AAD_ service account must be located in the domain if:

  • you use a remote server running SQL server
  • you use a proxy that requires authentication

Sync Service Account

The account is created with a long complex password that does not expire.

This account is used to store the passwords for the other accounts in a secure way. These other accounts passwords are stored encrypted in the database. The private keys for the encryption keys are protected with the cryptographic services secret-key encryption using Windows Data Protection API (DPAPI).

Virtual service account

A virtual service account is a special type of account that does not have a password and is managed by Windows.

The VSA is intended for scenarios where the sync engine and SQL are on the same server. If you use remote SQL, then we recommend using a Group Managed Service Account instead.

Azure AD Connector account

An account in Azure AD is created for the sync service’s use. This account can be identified by its display name.

The name of the server the account is used on can be identified in the second part of the user name. In the example, the server name is DC1. If you have staging servers, each server has its own account.

The account is created with a long complex password that does not expire. It is granted a special role Directory Synchronization Accounts that has only permissions to perform directory synchronization tasks. This special built-in role cannot be granted outside of the Azure AD Connect wizard. The Azure portal shows this account with the role User.

There is a limit of 20 sync service accounts in Azure AD. To get the list of existing Azure AD service accounts in your Azure AD, run the following Azure AD PowerShell cmdlet:

Get-AzureADDirectoryRole | where {$_.DisplayName -eq "Directory Synchronization Accounts"} | Get-AzureADDirectoryRoleMember

To remove unused Azure AD service accounts, run the following Azure AD PowerShell cmdlet:

Remove-AzureADUser -ObjectId <ObjectId-of-the-account-you-wish-to-remove>

Note: Before you can use the PowerShell commands above, you will need to install the Azure Active Directory PowerShell for Graph module and connect to your instance of Azure AD using Connect-AzureAD.
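The two cmdlets above are usually combined into a review step: list every member of the Directory Synchronization Accounts role, map each one back to a server using the second part of the user name, and remove only the accounts that belong to no current sync server. The script below is an added example and is not from the original post or from Microsoft; it assumes the AzureAD module is installed, that the caller can read directory roles and delete users, and that $knownServers is filled in with the hostnames of your own active and staging Azure AD Connect servers (the values shown are constructed). The Sync_<server>_<id>@tenant UPN layout used for parsing is an assumption drawn from the post's statement that the server name is the second part of the user name.

```powershell
# Added example (not from the original post): review and prune Azure AD
# Connector accounts. Assumes the AzureAD module and Connect-AzureAD rights.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Assumption: hostnames of your current Azure AD Connect servers (constructed values).
$knownServers = @("DC1", "AADC-STAGING")
# Report only by default; set to $false after the report has been reviewed.
$dryRun = $true

$role = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq "Directory Synchronization Accounts" }
if (-not $role) { throw "Directory Synchronization Accounts role is not present in this tenant." }

$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectType -eq "User" }

# Server name is the second underscore-separated part of the user name
# (assumed layout: Sync_<server>_<id>@<tenant>).
$report = foreach ($m in $members) {
    $server = ($m.UserPrincipalName -split "_")[1]
    [pscustomobject]@{
        DisplayName       = $m.DisplayName
        UserPrincipalName = $m.UserPrincipalName
        ObjectId          = $m.ObjectId
        Server            = $server
        KnownServer       = $knownServers -contains $server
    }
}

$report | Format-Table -AutoSize
"{0} of the 20 allowed sync service accounts are in use." -f @($members).Count

# Removing an account that an active server still uses breaks synchronization
# for that server, so only accounts mapped to no known server are candidates.
foreach ($entry in ($report | Where-Object { -not $_.KnownServer })) {
    if ($dryRun) {
        "Would remove {0} ({1})" -f $entry.UserPrincipalName, $entry.ObjectId
    } else {
        Remove-AzureADUser -ObjectId $entry.ObjectId
        "Removed {0}" -f $entry.UserPrincipalName
    }
}
```

Keep $dryRun set until the printed report matches your inventory of sync servers; the 20-account limit in the post is the reason stale entries accumulate when servers are rebuilt without their old account being cleaned up.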

For additional information on how to manage or reset the password for the Azure AD Connector account, see Manage the Azure AD Connect account.

Validate

#Check Sync Schedule
Import-Module ADSync
Get-ADSyncScheduler
#Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta
#Full Sync
Start-ADSyncSyncCycle -PolicyType Initial
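Start-ADSyncSyncCycle fails if a cycle is already running, and a sync kicked off on a server in staging mode imports but never exports, so a validation step normally reads the scheduler state first and then waits for the cycle to finish before declaring success. The function below is an added example, not part of the original post or of the ADSync module; it assumes it runs on the Azure AD Connect server itself where Import-Module ADSync succeeds.

```powershell
# Added example (not from the original post): run a sync cycle only when the
# scheduler is idle, wait for it to complete, then report connector status.
# Assumption: executed on the Azure AD Connect server with the ADSync module.
Import-Module ADSync

function Start-SafeSyncCycle {
    param(
        [ValidateSet("Delta", "Initial")] [string] $PolicyType = "Delta",
        [int] $TimeoutSeconds = 600
    )

    $sched = Get-ADSyncScheduler
    if ($sched.SyncCycleInProgress) {
        throw "A sync cycle is already running; not starting another."
    }
    if ($sched.StagingModeEnabled) {
        Write-Warning "Server is in staging mode: changes are imported but not exported."
    }
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning "Scheduled sync is disabled (SyncCycleEnabled = False); only this manual run will occur."
    }

    $result = Start-ADSyncSyncCycle -PolicyType $PolicyType
    "Start result: {0}" -f $result.Result

    # Poll the scheduler until the cycle finishes or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)

    if ($inProgress) {
        throw "Sync cycle did not finish within $TimeoutSeconds seconds."
    }

    # Lists connectors that are still running; empty output here means every
    # connector returned to idle. Details of any errors are in the
    # Synchronization Service Manager operations view.
    Get-ADSyncConnectorRunStatus
}

Start-SafeSyncCycle -PolicyType Delta
```

Use -PolicyType Initial only when you intend a full import and sync of every connector space; on a large directory that run can take far longer than the default timeout above, so raise -TimeoutSeconds accordingly.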

Uninstall

Uninstall Azure AD Connect
