Happy Friday. Hopefully like most of us here in the Identity Division at Microsoft, you are finishing up and getting ready for a nice holiday break!
Mark is back to finish out the year with another Azure AD Mailbag post. This time he’s covering Azure AD Connect and setting up sync between Windows Server AD and Azure AD.
Have a great holiday season and we’ll look forward to hearing from you in 2016!
Alex Simons (@Alex_A_Simons)
Director of Program Management
Microsoft Identity Products and Services
Hey y’all, Mark Morowczynski here again with another post in our Azure Active Directory Mailbag series. If you’ve missed any of the previous mailbags, you can see all of them under the mailbag tag. Today we are going to focus on one of the most fundamental things you’ll need to do to leverage Azure Active Directory, and that’s the sync engine. Many people are familiar with this from Office 365. If you have Office 365 you already have an Azure Active Directory tenant underneath that. So if you have Office 365, you have Azure Active Directory! Now let’s dig in on all your sync related questions.
Question: I have a multi-forest environment and the network between the two forests is using NAT (Network Address Translation). Is using Azure AD Connect between these two forests supported?
Answer: Using Azure AD Connect over a NAT is not supported.
Question: I have multiple Azure AD tenants, am I able to update all of them with one Azure AD Connect?
Answer: No you cannot. The supported topologies are all documented at https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-topologies/
Question: Does Azure AD Connect support using a preferred domain controller? Can I use a specific domain controller to do the initial sync?
Answer: Yes you can pick a specific domain controller after the initial sync. On the connector, right click properties, then select configure directory partitions. The check box for only use preferred domain controllers.
Few things to keep in mind. We will still need to connect with a PDC if we are using password reset feature. The initial sync we rely on the DC Locator to find a DC so make sure your subnets are defined properly.
Question: I edited the rules in the Sync Rules Editor. How do I export the rules to save my configuration?
Answer: First, editing the out-of-box rules is not supported, as an upgrade will overwrite any changes to these rules. This goes for deleting the out-of-box rules as well. The best practice is to create your own rules and give them higher precedence (i.e. lower precedence number). If you absolutely need to change an out-of-box rule, make a copy of it and disable the original rule. You can find out more information about best practice for changing the default configuration here.
Now, once you’ve created your custom rules, or you’ve tweaked everything just the way you like it, you can export your rules in the Synchronization Rules Editor, selecting either Inbound or Outbound rules, then using CTRL or Shift to select multiple rules. Finish it off by clicking on Export and saving to the filename of your choosing 🙂
We hope you’ve found this post and this series to be helpful. For any questions you can reach us at AskAzureADBlog@microsoft.com, the Microsoft Forums, and on Twitter with @AzureAD, @MarkMorow and @Alex_A_Simons