Upgrading Dirsync to Azure Active Directory Connect Public Preview – March 2015 update

In this blog post I am going to review the upgrade process of Dirsync to the new AAD-Connect. The March 2015 preview now makes it possible to perform an in-place upgrade from Dirsync to AAD-Connect. This entire process took 30 minutes for me in my lab environment, but your performance and time may vary because I am running a small environment on SSD hard disks =).

Important: You must read the “Azure AD Connect Public Preview 2 Readme” file – there are too many requirements and prerequisites in that Readme file to summarize in this blog post, so please do not skip that reading.

I also recommend reading the “New Sync features in Azure AD Connect Public Preview 2.docx”

You can download the AAD-Connect March Preview, Readme file, and the New Sync Features document from the Connect site here:
https://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=53949

image

image

After the prerequisites are installed, AAD-Connect detects Dirsync and will now upgrade it in-place:

image

Next, I am prompted to enter my Azure AD Administrator Credentials

image

Lastly, I am ready to click Install. I recommend unchecking the box to start synchronizing after install. You can always start it manually later when you are ready.

image

This part of the wizard took about 10 minutes to uninstall Dirsync and install AAD-Connect.

image

Next, I clicked on the icon on the desktop “Azure AD Connect”

image

I then signed in.

image

image

I then type in an Enterprise Admin account

image

If I want to connect to an additional forest, I can do that here:

image

Next, I select that I want to enable password writeback. You will notice that user, group and device writeback are greyed out and not selectable. This is because we have not yet run the AD preparation steps necessary to enable those features. See the bottom of this blog post for details on enabling those features.

image

And one last confirmation by clicking Install

image

And one last confirmation that the installation was successful

image

Enabling User, Group and Device Writeback

In the readme file, it describes the powershell commands to run that will enable this enhanced functionality.

For group writeback, your on-prem Exchange server must be running Exchange 2013 CU8. Also, the default Sync Rules will not add the address book attribute. Find the value from your Exchange server and add this as a custom attribute flow.

The Initialize-ADSyncDomainJoinedComputerSync Function will initialize your Active Directory forest to sync Windows 10 domain joined computers to Azure AD. This function will need to be run on each forest to allow Windows 10 computers to authenticate against ADRS.

image

The Initialize-ADSyncDeviceWriteBack Function will initialize your Active Directory forest for write-back of device objects from Azure AD to your Active Directory. It will also set up the necessary permissions on the AD Connector account. This only needs to be run on one forest even if AzureADConnect is being installed on multiple forests.

Note: I received errors when running this command.
image

The Initialize-ADSyncGroupWriteBack Function will initialize your Active Directory forest for write-back of group objects from Azure AD to your Active Directory. It will grant permissions to an AD Connector account for modifying objects in a pre-existing group WirteBack container. Please use this same container for Group WriteBack when you run the wizard. This function only needs to be run in one forest.

I created a new organizational unit for these objects called “CloudUsersAndGroups”

image

Initialize-ADSyncGroupWriteBack -GroupWriteBackContainerDN “OU=CloudUsersAndGroups,DC=thecloudtechnologist,DC=com”

image

The Initialize-ADSyncUserWriteBack Function will initialize your Active Directory forest for write-back of user objects from Azure AD to your Active Directory. The users will be created with a random password so you have to reset the password in ADDS for the user to actually be able to login.

Initialize-ADSyncUserWriteBack –UserWriteBackContainerDN “OU=CloudUsersAndGroups,DC=thecloudtechnologist,DC=com”

image

Note: The Azure AD Premium feature password writeback does not work for users configured for user writeback. In other words, if you have a cloud identity, and that user is synced to the on-premises AD, then the password writeback feature will not update the newly created on-prem AD account version of the cloud identity user. I assume it would still reset the cloud identity portion.

After running these commands, I went back to the wizard but the options were still greyed out. This may be because my AD Schema is not running Exchange 2013 CU8, so I will update my schema and then update this blog post after that is done.

image

Next, read how to configure Azure AD Password Write-back on MSDN (I recommend reading all seven (7) articles under ‘Password Management’
https://msdn.microsoft.com/en-us/library/azure/dn510386.aspx 

image

In the Azure AD Tenant, I enabled the toggle “USERS ENABLED FOR PASSWORD RESET”

image

And when I scroll down, I now see that Password write back service status is ‘Configured’

image

What does the user experience look like for self service password reset?

Typically, the user will click on the “Can’t access your account” link below the Office 365 sign-in page at http://portal.office.com

image

Otherwise, they can also bookmark directly to the self-service password reset page:
https://passwordreset.microsoftonline.com

SNAGHTMLa144c75

They will be prompted to authenticate with text message, email or phone call. You can configure which of these options you want the user to enter. The user can also register for self service password reset and populate this contact information in advance, or an administrator can pre-populate it (again, please read the MSDN articles above for more details).

image

The user can then select the new password which must conform to the on-premises password policy.

image

Leave a Reply