M17_O365_AADConnect_v1.4 (transcript)
Module 17: Office 365 Active Directory Synchronization
Presenter Name
Presenter Role
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Copyright and Trademarks © 2014 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in a written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at http://www.microsoft.com/about/legal/permissions/
Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Overview
This module covers the integration of an on-premises Active Directory with Azure Active Directory through the use of the Azure AD Connect tool, including:
• Purpose – What does it do?
• Requirements
• Permissions
• Understanding Synchronization
• Key Deployment Considerations
Objectives
This module will cover:
• Directory synchronization overview
• The Azure AD Connect tool
• Preparing on-premises Active Directory for directory synchronization
• Password synchronization
What is the Azure AD Connect Tool?
• Azure AD Connect is the single tool and experience for connecting and synchronizing your on-premises directories to Azure Active Directory
• Designed as a software-based appliance
• Set it and forget it
• Relies on Forefront Identity Manager 2010 R2 (aka FIM)
• Bundled with SQL Server 2012 Express LocalDB
• Enables a unified Global Address List (GAL) experience between your on-premises organization and Office 365, as well as:
• The ability to manage all Active Directory user accounts on-premises
• The ability to synchronize on-premises Active Directory password hashes
• All account changes replicate automatically to Office 365
• Required for single sign-on (ADFS)
• Required for Exchange Hybrid Deployment or Staged Migration
Synchronization Direction
• Directory synchronization is mostly one way, to Azure Active Directory
• Hybrid requires 7 attributes to be written back to the on-premises user objects for coexistence purposes
• Password write-back capability (requires Azure AD Premium license)
• On-premises AD is the authoritative source for all changes
• Delete a user on-premises and directory synchronization will delete the corresponding user in Office 365
Software Requirements
System requirements:
• Windows 2008, 2008 R2, 2012 and 2012 R2 supported
• Microsoft .NET Framework 4.5
• Windows PowerShell 3.0 or newer
Additional requirements:
• Standalone server, member server or a domain controller
• Local Administrator to install AADSync
• Azure AD account with the "Global Administrator" role
The following components are installed automatically:
• Forefront Identity Manager 2010 R2
• Microsoft SQL Server Express 2012 LocalDB (a light version of SQL Server Express)
• Microsoft Online Services Sign-in Assistant
Network Requirements
• Synchronization with Office 365 occurs securely over HTTPS (port 443)
• Internal network communication uses the typical Active Directory related ports
Hardware Recommendations and Directory Service Quota
• SQL Server Express has a 10 GB size limit, which enables you to manage approximately 100,000 objects

Number of objects in Active Directory | CPU     | Memory | Hard disk size
Fewer than 10,000                     | 1.6 GHz | 4 GB   | 70 GB
10,000–50,000                         | 1.6 GHz | 4 GB   | 70 GB
50,000–100,000                        | 1.6 GHz | 16 GB  | 100 GB
100,000–300,000                       | 1.6 GHz | 32 GB  | 300 GB
300,000–600,000                       | 1.6 GHz | 32 GB  | 450 GB
More than 600,000                     | 1.6 GHz | 32 GB  | 500 GB
Directory Service Object Quota
The default directory service quota is calculated according to the following guidelines:
• If you don't have any verified domains, the current directory service quota in Windows Azure AD is 50,000 objects
• If you have at least one verified domain, the default directory service quota in Windows Azure AD is 300,000 objects
What happens when the quota is exceeded? The following error is reported:
016: Synchronization has been stopped. This company has exceeded the number of objects that can be synchronized. Contact Microsoft Online Services Support.
Azure AD Connect credentials and permissions
• Express Setup: requires more privileges so that it can set up more easily, without requiring you to create users or configure permissions separately
• Custom setup: offers more choices and options, but has situations where you need to ensure you have the correct permissions yourself
• Credentials collected during Express Setup:

Wizard page         | Credentials collected                            | Permissions required                                           | Used for
Connect to Azure AD | Azure AD directory credentials                   | Global administrator role in Azure AD                          | Enabling sync in the Azure AD directory; creation of the Azure AD account that will be used for on-going sync operations in Azure AD
Connect to AD DS    | On-premises Active Directory credentials         | Member of the Enterprise Admins (EA) group in Active Directory | Used as the local AD Connector account, that is, the account that reads and writes the directory information for synchronization
N/A                 | Logon credentials of the user running the wizard | Administrator of the local server                              | The wizard creates the AD account that will be used as the sync service logon account on the local machine
Summary of the accounts that are created by Azure AD Connect

Account created                              | Permissions assigned                                                         | Used for
Azure AD account for sync                    | Dedicated Directory Synchronization role                                     | On-going sync operations (Azure AD MA account)
Express Settings: AD account used for sync   | Read/write permissions on the directory as required for sync + password sync | On-going sync operations (Azure AD MA account)
Express Settings: sync service logon account | Logon credentials of the user running the wizard                             | Sync service logon account
Custom Settings: sync service logon account  | N/A                                                                          | Sync service logon account
AD FS: gMSA account (aadcsvc$)               | Domain user                                                                  | FS service logon account
Objects that Synchronize
The Azure AD Connect tool synchronizes the following objects:
• All Active Directory users
• Synchronized as logon-enabled users, though with no license assigned
• Mailbox-enabled users are synchronized as mail-enabled users
• Mail-enabled contacts
• Mail-enabled groups
The Azure AD Connect tool does not synchronize:
• Built-in administrative user accounts
• Built-in administrative groups
• Exchange System Mailbox accounts
• Dynamic distribution groups
• Mail-enabled public folder objects
Objects that Do Not Synchronize
Contact objects:
• DisplayName contains "MSOL" AND msExchHideFromAddressLists = TRUE
• mailNickName starts with "CAS_" AND mailNickName contains "{"
SecurityEnabledGroup objects:
• isCriticalSystemObject = TRUE
• mail is present AND displayName is not present
• Group has more than 15,000 immediate members
MailEnabledGroup objects:
• DisplayName is empty
• (ProxyAddress doesn't have a primary SMTP address) AND (mail attribute isn't present/invalid, i.e. indexOf('@') <= 0)
• Group has more than 15,000 immediate members
Objects that Do Not Synchronize (continued)
• Object is a conflict object (DN contains \0CNF:)
User objects:
• mailNickName starts with "SystemMailbox{"
• mailNickName starts with "CAS_" AND mailNickName contains "{"
• sAMAccountName starts with "CAS_" AND sAMAccountName has "}"
• sAMAccountName equals "SUPPORT_388945a0"
• sAMAccountName equals "MSOL_AD_Sync"
• sAMAccountName is not present
• isCriticalSystemObject is not present
• msExchRecipientTypeDetails == 0x1000 OR 0x2000 OR 0x4000 OR 0x400000 OR 0x800000 OR 0x1000000 OR 0x20000000
Mandatory Attributes
• Objects must contain values in the following core attributes to be considered for synchronization to Office 365 by Azure AD Connect:
• cn
• member (applies only to groups)
• samAccountName (applies only to users)
• alias (applies only to groups and contacts)
• displayName (for groups with a mail or proxyAddresses attribute populated)
DirSync and Account Status

Active Directory         | DirSync action                      | Office 365
Mailbox-enabled account  | Create account                      | Creates a mail-enabled user. *Assigning a license will not create a mailbox, as the msExchMailboxGUID attribute is populated on-premises
Non-mail-enabled account | Create account                      | Creates a user. *Assigning a license will create a mailbox
Modify account           | Make changes to an existing account | Updates changes
Delete account           | Delete account                      | Account and mailbox deleted and license removed
Disabled account         | Disable account                     | Sign-in blocked, but still retains a license and mailbox
High Level Architecture Overview
[Diagram: on-premises identity sources (AD DS, HR, other apps, Identity Manager) connect through an identity bridge (AAD Sync, or AAD Connect, or DirSync, or FIM with connector, or MIM 2016) to the Microsoft cloud (Admin Web Service (AWS), Cloud Sync Fabric, tenant forests for EXO, LYO, SPO, etc., and Azure Active Directory (AAD)), which in turn syncs to SaaS apps (Google, Box, Salesforce, others).]
Core AAD Connect Concepts
UserPrincipalName:
• Used to sign in to the cloud services
• Recommended to be the same as the user's primary SMTP address
• Needs to use a domain suffix that is registered and verified in the tenant
• Critical for successful single sign-on using AD FS
• If missing, is constructed as: sAMAccountName + "@" + Microsoft Online Default Domain (i.e. [email protected])
SourceAnchor:
• Used as the immutable identifier for any given object that is synchronized between on-premises and Office 365
• Base64-encoded value generated from the AD object's on-premises ObjectGUID
• Provided the AD object is never deleted, the ObjectGUID will never change
• SourceAnchor is the DirSync term and ImmutableID is the ADFS term
Source of Authority
• Refers to the location where Active Directory objects are mastered (on-premises or Office 365)
• Activating directory synchronization and installing Azure AD Connect makes the on-premises Active Directory the source of authority
• Once enabled, changes to objects replicated to Office 365 can only be made on-premises
• Deactivating directory synchronization transfers the source of authority back to Azure AD
Hard Match vs. Soft Match
For attribute updates, the Admin Web Service must identify which Azure AD object to act upon:
• Hard match is attempted first:
• Checks whether an object already exists with the same SourceAnchor value (ObjectGUID) from the on-premises AD
• Soft match if no hard match is found:
• Authoritatively matches an object in Office 365 with the on-premises object through a matching ProxyAddresses value
• If a match exists, the ObjectGUID from on-premises is stamped as the base64-encoded SourceAnchor attribute in the Azure AD Connect database
• SourceAnchor flows into the Azure Active Directory object's ImmutableID, allowing source-of-authority transfer from Office 365 to on-premises
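The SourceAnchor derivation from "Core AAD Connect Concepts", the fallback UPN rule, and the hard-match-then-soft-match order described on this slide can all be shown in a few lines. The script below is an added example and not part of the module. It runs offline on constructed data: the $CloudUsers objects stand in for what Get-MsolUser returns (ImmutableId and ProxyAddresses are that cmdlet's property names), and the GUIDs, names and addresses are made up.

```powershell
# Added example, not from the module. All GUIDs, names and addresses below are constructed.

function ConvertTo-SourceAnchor {
    # Base64 of the 16 raw GUID bytes; this is the value AAD Connect writes as ImmutableID
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-SourceAnchor {
    # Reverse direction, e.g. to turn an anchor seen in an event log back into an ObjectGUID
    param([Parameter(Mandatory)] [string] $SourceAnchor)
    New-Object -TypeName System.Guid -ArgumentList (,[byte[]][Convert]::FromBase64String($SourceAnchor))
}

function Get-EffectiveUpn {
    # Slide rule: a missing UPN becomes sAMAccountName + "@" + the Microsoft Online default domain
    param([Parameter(Mandatory)] $User, [string] $DefaultDomain = 'contoso.onmicrosoft.com')
    if ([string]::IsNullOrEmpty($User.userPrincipalName)) { return '{0}@{1}' -f $User.sAMAccountName, $DefaultDomain }
    $User.userPrincipalName
}

function Find-CloudMatch {
    param([Parameter(Mandatory)] $OnPremUser, [Parameter(Mandatory)] [object[]] $CloudUsers)
    $anchor = ConvertTo-SourceAnchor -ObjectGuid $OnPremUser.objectGUID

    # 1. Hard match: a cloud object already carries this SourceAnchor as its ImmutableId
    $hard = $CloudUsers | Where-Object { $_.ImmutableId -eq $anchor } | Select-Object -First 1
    if ($hard) { return [PSCustomObject]@{ Match = 'Hard'; CloudUser = $hard.UserPrincipalName; SourceAnchor = $anchor } }

    # 2. Soft match: a cloud-mastered object (no ImmutableId yet) shares a proxyAddresses value.
    #    The SMTP:/smtp: prefix is dropped and the comparison is case-insensitive.
    $onPremAddrs = @($OnPremUser.proxyAddresses | ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() })
    foreach ($c in $CloudUsers) {
        if ($c.ImmutableId) { continue }
        $cloudAddrs = @($c.ProxyAddresses | ForEach-Object { ($_ -replace '^smtp:', '').ToLowerInvariant() })
        $shared = @($onPremAddrs | Where-Object { $cloudAddrs -contains $_ })
        if ($shared.Count -gt 0) {
            # After a soft match the anchor is stamped as ImmutableId; done here on the stand-in object
            $c.ImmutableId = $anchor
            return [PSCustomObject]@{ Match = "Soft ($($shared[0]))"; CloudUser = $c.UserPrincipalName; SourceAnchor = $anchor }
        }
    }
    [PSCustomObject]@{ Match = 'None (new cloud object)'; CloudUser = $null; SourceAnchor = $anchor }
}

# Constructed on-premises users
$guid1 = [guid]'1f05a927-0001-0002-0003-000000000004'
$OnPrem = @(
    [PSCustomObject]@{ sAMAccountName = 'vhanson'; userPrincipalName = 'vhanson@contoso.com'; objectGUID = $guid1
                       proxyAddresses = @('SMTP:viola.hanson@contoso.com', 'smtp:vhanson@contoso.com') }
    [PSCustomObject]@{ sAMAccountName = 'jdoe'; userPrincipalName = $null; objectGUID = [guid]'2a6b3c4d-0005-0006-0007-000000000008'
                       proxyAddresses = @('SMTP:jdoe@contoso.com') }
    [PSCustomObject]@{ sAMAccountName = 'newhire'; userPrincipalName = 'newhire@contoso.com'; objectGUID = [guid]'3b7c4d5e-0009-000a-000b-00000000000c'
                       proxyAddresses = @('SMTP:newhire@contoso.com') }
)
# Constructed cloud users: one already hard-matched, one cloud-mastered with a matching address
$CloudUsers = @(
    [PSCustomObject]@{ UserPrincipalName = 'vhanson@contoso.com'; ImmutableId = (ConvertTo-SourceAnchor $guid1); ProxyAddresses = @('SMTP:viola.hanson@contoso.com') }
    [PSCustomObject]@{ UserPrincipalName = 'jdoe@contoso.onmicrosoft.com'; ImmutableId = $null; ProxyAddresses = @('SMTP:jdoe@contoso.com', 'smtp:jdoe@contoso.onmicrosoft.com') }
)

foreach ($u in $OnPrem) {
    $m = Find-CloudMatch -OnPremUser $u -CloudUsers $CloudUsers
    '{0,-8} UPN={1,-26} {2,-34} {3}' -f $u.sAMAccountName, (Get-EffectiveUpn $u), $m.Match, $m.CloudUser
}
# Round trip: the anchor decodes back to the original ObjectGUID
(ConvertFrom-SourceAnchor (ConvertTo-SourceAnchor $guid1)) -eq $guid1
```

The three on-premises users exercise the three outcomes: vhanson hard-matches, jdoe soft-matches on the shared SMTP address (and gets the fallback UPN because none is set on-premises), and newhire matches nothing and would be created. The round-trip at the end is the check to run when an event log shows only an anchor and you need to know which AD object it refers to.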
Sync Overview: On-Premises
AAD Connect uses two management agents:
• "Active Directory Connector" management agent
• "Azure Active Directory" management agent
AAD Connect stores information in two places:
• Connector Space
• Metaverse
Connector Space:
• Replica of the managed objects in the Active Directory
• Each management agent or connector has its own connector space
Metaverse:
• Aggregate information about a managed object (i.e. user, group, etc.)
Synchronization data flow:
• User is imported from AD into the Active Directory Connector connector space
• User is projected to the Metaverse
• User is provisioned to the Azure Active Directory Connector space
• User is exported to the Office 365 Admin Web Service
Sync Overview: On-Premises (continued)
Synchronization data flow:
[Diagram: AD DS → Connector → Connector Space → Inbound Sync Rule → Metaverse → Outbound Sync Rule → Connector Space → Connector → Azure AD. Run profiles and steps: Full Import, Delta Import, Full Synchronization, Delta Synchronization, Export.]
Sync Overview: Office 365
The Office 365 Admin Web Service receives the object data from AAD Connect:
• Import from AAD Connect:
• Only specific attributes defined in FIM are synchronized for each object
• Validates that changed data is not corrupted at the attribute level:
• Data is normalized using "_" for UPN and SamAccountName
• Otherwise, when an update is invalid for an attribute, a rejection email is sent to the tenant contact
• If an update is a user account creation event:
• Admin Web Service attempts to create an account for the user
• Failure causes a reject email to be sent to the tenant contact
Sync Overview: Office 365 (continued)
• If an update is an attribute change event:
• Hard-match process verifies the object already exists in Azure AD
• Hard-match failure causes a reject email to the AAD Connect administrator
• Ships data to Azure Active Directory:
• Object creations and hard-matched object updates are pushed at the attribute level
Forward and Back Sync
Forward-sync from Azure Active Directory to individual services:
• Each online application in Office 365 has its own directory service
• Once an object is changed in Azure AD, synchronization daemons that are constantly running parse the relevant changes and ship them to these services' directory partitions
• Can cause delay in applications becoming available to newly commissioned accounts/users
Forward and Back Sync (continued)
Back-Sync/Write-Back:
• There are certain attributes for the Exchange Online (ExO) service that require reverse propagation to the on-premises environment for Exchange coexistence features to work
• Back-sync: Data is changed in the ExO partition and then synced back to Azure AD using daemons similar to those used for forward-sync
• Write-back: Data is shipped from Azure AD, back through the Admin Web Service, to the AAD Connect service using bi-directional FIM functionality
• AAD Connect updates the local AD objects with these updated attributes
Write Back Attributes
Attributes that are written back to the on-premises Active Directory from Azure Active Directory in an Exchange Hybrid deployment scenario:

Write-back attribute                                                      | Exchange "full fidelity" feature
msExchArchiveStatus                                                       | Online Archive: Enables customers to archive mail.
msExchUCVoiceMailSettings                                                 | Enable Unified Messaging (UM) Online voice mail: This attribute is used only for UM-Microsoft Lync Server integration, to indicate to Lync Server on-premises that the user has voice mail in online services.
msExchUserHoldPolicies                                                    | Litigation Hold: Enables cloud services to determine which users are under Litigation Hold.
ProxyAddresses (LegacyExchangeDN as X500)                                 | Enable Mailbox: Offboards an online mailbox back to on-premises Exchange.
msExchSafeSendersHash, msExchBlockedSendersHash, msExchSafeRecipientsHash | Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients.
Microsoft Online Default Routing Domain
The Microsoft Online Default Routing Domain is constructed from the tenant name (contoso.onmicrosoft.com):
• All Office 365 users receive this domain as an email address in a non-hybrid scenario
• This special email address is inextricably linked to each Exchange Online recipient
• The domain cannot be managed, changed, or deleted
• The email address can be overridden as the primary SMTP address by using the attributes in the on-premises Active Directory user object, but will always remain as a user's secondary SMTP address
AAD Connect and SMTP Addresses

Active Directory attribute | Active Directory value                        | Office 365 value
proxyAddresses             | SMTP:[email protected]                        | SMTP:[email protected]:[email protected]
proxyAddresses             | smtp:[email protected]                        | SMTP:[email protected]:[email protected]
proxyAddresses             | SMTP:[email protected]:[email protected]       | SMTP:[email protected]:[email protected]:[email protected]
mail                       | [email protected]                             | SMTP:[email protected]:[email protected]
UserPrincipalName          | [email protected]                             | SMTP:[email protected]:[email protected]
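The precedence the table above shows (a primary SMTP: entry in proxyAddresses wins, a lowercase smtp: entry is promoted when no primary exists, then the mail attribute, then the UPN, with the default routing domain address always added as a secondary address) can be reproduced as a function and checked against each row. This is an added example, not code from the module. The e-mail values are constructed, and using mailNickName (or, when it is absent, the local part of the primary address) as the local part of the routing address is an assumption the table does not state.

```powershell
# Added example, not from the module. Addresses are constructed; the alias rule for the
# routing address is an assumption.
function Get-O365ProxyAddresses {
    param([Parameter(Mandatory)] $User, [string] $RoutingDomain = 'contoso.onmicrosoft.com')

    # Only SMTP-type entries take part; X500 and other address types are left alone here
    $smtp = @($User.proxyAddresses | Where-Object { $_ -match '^smtp:' })

    $primary = $smtp | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1          # rows 1 and 3: uppercase SMTP: is primary
    if (-not $primary -and $smtp.Count -gt 0) { $primary = 'SMTP:' + $smtp[0].Substring(5) }  # row 2: promote the smtp: entry
    if (-not $primary -and $User.mail) { $primary = 'SMTP:' + $User.mail }                    # row 4: mail attribute
    if (-not $primary) { $primary = 'SMTP:' + $User.userPrincipalName }                      # row 5: UPN

    $primaryAddr = $primary.Substring(5)
    $secondary = @($smtp | ForEach-Object { $_.Substring(5) } | Where-Object { $_ -ne $primaryAddr } | ForEach-Object { 'smtp:' + $_ })

    # The default routing domain address is always present as a secondary address
    # (assumption: its local part is mailNickName, or the primary address's local part when absent)
    $alias = if ($User.mailNickName) { $User.mailNickName } else { $primaryAddr.Split('@')[0] }
    $routingAddr = "$alias@$RoutingDomain"
    $existing = @($primaryAddr) + @($secondary | ForEach-Object { $_.Substring(5) })
    if ($existing -notcontains $routingAddr) { $secondary += 'smtp:' + $routingAddr }

    @($primary) + $secondary
}

# One constructed object per row of the table
$cases = [ordered]@{
    'proxyAddresses SMTP' = [PSCustomObject]@{ proxyAddresses = @('SMTP:viola.hanson@contoso.com'); mailNickName = 'vhanson' }
    'proxyAddresses smtp' = [PSCustomObject]@{ proxyAddresses = @('smtp:viola.hanson@contoso.com'); mailNickName = 'vhanson' }
    'primary + secondary' = [PSCustomObject]@{ proxyAddresses = @('SMTP:viola.hanson@contoso.com', 'smtp:vhanson@contoso.com'); mailNickName = 'vhanson' }
    'mail only'           = [PSCustomObject]@{ mail = 'viola.hanson@contoso.com' }
    'UPN only'            = [PSCustomObject]@{ userPrincipalName = 'vhanson@contoso.com' }
}
foreach ($name in $cases.Keys) {
    '{0,-20} -> {1}' -f $name, ((Get-O365ProxyAddresses -User $cases[$name]) -join ' ')
}
```

Run against a real user with Get-ADUser -Properties proxyAddresses,mail,mailNickName,userPrincipalName to predict the address set before the object is exported, which is the cheapest way to catch a lowercase smtp: entry that is about to become someone's primary address.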
AAD Connect Process
1. Prepare the on-premises Active Directory
• Account and attribute clean-up (IdFix)
• UPN of users matches the federated domain (if using ADFS)
2. Create and verify your custom domain(s)
3. Set up identity federation (if applicable)
4. Enable directory synchronization in the portal or via PowerShell: Set-MSOLDirSyncEnabled -EnableDirSync $True
5. Download and run Directory Synchronization
6. Verify the synchronization was successful
7. Activate users by assigning them a license in the portal or via PowerShell
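The PowerShell side of steps 4, 6 and 7 above, as an added example that is not part of the module. It uses the MSOnline (MSOL) cmdlets the slide names and assumes the MSOnline module is installed, that a Global Administrator signs in at the prompt, that the tenant has an ENTERPRISEPACK (E3) SKU, and that users are located in the US; change those last two values for your tenant.

```powershell
# Added example, not from the module. SKU name and usage location are assumptions.
Import-Module MSOnline
Connect-MsolService                                   # interactive Global Administrator sign-in

# Step 4: enable directory synchronization for the tenant and wait for the flag to show up
Set-MsolDirSyncEnabled -EnableDirSync $true -Force
do {
    Start-Sleep -Seconds 30
    $company = Get-MsolCompanyInformation
} until ($company.DirectorySynchronizationEnabled)
"Directory synchronization enabled for $($company.DisplayName)"

# Step 6 (after step 5, installing and running Azure AD Connect): the tenant records the last sync
$company = Get-MsolCompanyInformation
if (-not $company.LastDirSyncTime) { throw 'No directory sync has reached the tenant yet' }
"Last directory sync reached the tenant at $($company.LastDirSyncTime) (UTC)"

# Step 7: activate synchronized users by licensing them (a UsageLocation is required first)
$sku = (Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId
if (-not $sku) { throw 'No ENTERPRISEPACK SKU in this tenant; pick another AccountSkuId' }
Get-MsolUser -All -Synchronized -UnlicensedUsersOnly | ForEach-Object {
    Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation 'US'
    Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $sku
    "Licensed $($_.UserPrincipalName)"
}
```

The -Synchronized and -UnlicensedUsersOnly switches keep the licensing pass away from cloud-only accounts and from users who already hold a license, so the script can be re-run after each sync cycle.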
Estimating Synchronization Time
*Actual times may vary depending on activity and environmental factors such as available bandwidth, object count and throttling by the service
Password Sync Overview
• Password synchronization is the process of copying a customer's on-premises password hash to Azure Active Directory
• Allows the customer to use their on-premises password to log into Office 365
• Password synchronization does not replace identity federation
• Changes to on-premises passwords are synced to the cloud in minutes
• If a user is currently logged into a cloud service with their old password and then changes their password in the on-premises AD, their current cloud service session will continue uninterrupted
Are Passwords safe?
• The Password Sync tool, Azure AD, and all associated services never see or store the on-premises user's plain text password
• A digest of the Windows Active Directory Password Hash is used for transmission between the on-premises AD and Azure Active Directory
• To authenticate a user, the password presented by the user is hashed and compared with the stored hash
• The digest of the Password Hash cannot be used to access resources in the customer's on-premises environment.
Password Sync Limitations
Password sync and federated identities:
• Customers cannot have both password synchronization and federated authentication configured for the same domain (namespace)
• The password sync feature will not synchronize passwords for users with federated identities
• Customers must manually remove/disable federation from individual accounts, making them managed accounts, before they can utilize password synchronization
Password complexity policy:
• Password synchronization requires all on-premises synchronized users to follow the on-premises Active Directory password policy
• Users managed in the cloud remain with cloud-defined password policies
• Password synchronization sets the cloud password for all on-premises synchronized users to "Never Expire"
How does Password Hash Sync work?
• Azure AD Connect monitors the pwdLastSet user attribute to identify password change events, such as resets
• It then extracts the user's password hash from the on-premises Active Directory, hashes it, and sends the result to Azure AD
• The synchronization process is similar to that of objects, with the difference that passwords are synchronized in minutes, rather than the default three (3) hours for objects
• Password hashes are synced in batches of up to 50 users per batch
• Passwords are never sent to Azure AD nor stored in AAD in clear text
• Password hash sync can be used together with password write-back to enable self-service password reset (Azure AD Premium license needed)
Enable Password Hash Synchronization
• Select "Enable Password Synchronization" in the configuration wizard of AAD Connect
Password Hash Sync versus SSO
Password write back
Monitoring Password Synchronization using the event logs

Event ID | Description | Cause
650 | Provision credentials batch start. Count: 1 | Password synchronization starts retrieving updated passwords from the on-premises AD DS.
651 | Provision credentials batch end. Count: 1 | Password synchronization finishes retrieving updated passwords from the on-premises AD DS.
653 | Provision credentials ping start. | Password synchronization starts informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords have been updated in the on-premises AD DS.
654 | Provision credentials ping end. | Password synchronization finishes informing Azure AD that there are no passwords to be synced. This occurs every 30 minutes if no passwords were updated in the on-premises AD DS.
656 | Password Change Request - Anchor : H552hI9GwEykZwof74JeOQ==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Change Date : 05/01/2013 16:34:08 | Password synchronization indicates that a password change was detected and tries to sync it to Azure AD. This identifies the user or users whose password changed and will be synced. Each batch contains at least one user and at most 50 users.
657 | Password Change Result - Anchor: eX5b50Rf+UizRIMe2CA/tg==, Dn : CN=Viola Hanson,OU=Cloud Objects,DC=contoso,DC=local, Result : Success. | User or users whose password was successfully synced.
Forcing Full Password Sync
To trigger a full password sync to re-synchronize all user passwords:
• Import the PowerShell module by running Import-Module ADSync
• Run Get-ADSyncConnector | FL Name to get the connector names
• Disable password sync by running the cmdlet:
  Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $false
• Re-enable password sync by running the cmdlet:
  Set-ADSyncAADPasswordSyncConfiguration -SourceConnector <OnPremADDomain> -TargetConnector <AzureADDomain> -Enable $true
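The full password sync procedure above and the event IDs from "Monitoring Password Synchronization using the event logs" fit together in one script: force the sync, then watch for the 650/651/656/657 events and parse the anchor, DN and result out of them. This is an added example, not code from the module. It runs in an elevated PowerShell session on the Azure AD Connect server; connector names are read from Get-ADSyncConnector instead of being typed, and the "*AAD" pattern assumes the default name the wizard gives the Azure AD connector. Nothing here needs the MSOnline module.

```powershell
# Added example, not from the module. Assumes the Azure AD connector's name ends in "AAD".
Import-Module ADSync

$connectors = Get-ADSyncConnector
$target = @($connectors | Where-Object { $_.Name -like '*AAD' }).Name | Select-Object -First 1
$source = @($connectors | Where-Object { $_.Name -notlike '*AAD' }).Name | Select-Object -First 1
if (-not $target -or -not $source) { throw "Could not identify both connectors among: $($connectors.Name -join ', ')" }
"Source (AD) connector : $source"
"Target (AAD) connector: $target"

$since = Get-Date

# Turning password sync off and back on marks every user for a full password hash sync
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $source -TargetConnector $target -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $source -TargetConnector $target -Enable $true

# Wait for the first password sync events raised after the re-enable (up to 15 minutes)
$ids = 650, 651, 656, 657
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue
} until ($events -or (Get-Date) -gt $deadline)
if (-not $events) { throw "No password sync events (IDs $($ids -join ', ')) logged since $since" }

# 656 = change request per user, 657 = result; pull the Anchor, Dn and Result fields out of the message text
foreach ($e in ($events | Sort-Object TimeCreated)) {
    switch ($e.Id) {
        650 { "[$($e.TimeCreated)] batch start" }
        651 { "[$($e.TimeCreated)] batch end" }
        656 { if ($e.Message -match 'Anchor\s*:\s*(?<anchor>[^,]+),\s*Dn\s*:\s*(?<dn>.+?),\s*Change Date') {
                  "[$($e.TimeCreated)] request  $($Matches.dn) (anchor $($Matches.anchor))" } }
        657 { if ($e.Message -match 'Dn\s*:\s*(?<dn>.+?),\s*Result\s*:\s*(?<result>\w+)') {
                  "[$($e.TimeCreated)] result   $($Matches.dn): $($Matches.result)" } }
    }
}
$failed = @($events | Where-Object { $_.Id -eq 657 -and $_.Message -notmatch 'Result\s*:\s*Success' })
"$(@($events | Where-Object Id -eq 657).Count) results logged, $($failed.Count) not successful"
```

The anchor printed for each 656 event is the base64 SourceAnchor, so a failed 657 can be tied back to an AD object by decoding it to an ObjectGUID. A run that produces no 656 events at all usually means the source connector name was wrong or password sync was never enabled in the wizard.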
Forcing Delta Objects Sync
DirSync is scheduled to perform delta syncs once every three hours:
• You can force an immediate synchronization rather than wait 3 hours
• For example, for employee terminations, or bulk attribute changes
To force object synchronization:
• Open the Command Prompt
• Navigate to the folder C:\Program Files\Microsoft Azure AD Sync\Bin
• Then run DirectorySyncClientCmd.exe Delta to trigger a delta DirSync
Verifying and Monitoring DirSync
You can verify whether DirSync has performed a successful sync by:
• Looking for Event ID 104 in the Application event log
• Running Get-MSOLCompanyInformation and checking the LastDirSyncTime value
• Checking the emails sent to the technical contact of the tenant
• Using miisclient.exe to view the status of the last sync cycle
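Forcing a delta sync (previous slide) and verifying it (this slide) are normally done together, for example after a termination. The script below is an added example, not code from the module: it runs DirectorySyncClientCmd.exe Delta from the path the slide gives, waits for Event ID 104 in the Application log, and then cross-checks LastDirSyncTime from the tenant. The module does not name the provider that logs event 104, so the filter is on the event ID and start time only; the tenant check needs the MSOnline module and a Global Administrator sign-in.

```powershell
# Added example, not from the module. Path is the one the slide gives; event 104 is matched by ID only.
$syncBin = 'C:\Program Files\Microsoft Azure AD Sync\Bin'
$exe = Join-Path $syncBin 'DirectorySyncClientCmd.exe'
if (-not (Test-Path $exe)) { throw "DirectorySyncClientCmd.exe not found under $syncBin" }

$started = Get-Date
& $exe Delta
if ($LASTEXITCODE -ne 0) { Write-Warning "DirectorySyncClientCmd.exe exited with code $LASTEXITCODE" }

# 1) Event ID 104 in the Application log marks a successful sync cycle
$done = $null
$deadline = $started.AddMinutes(30)
do {
    Start-Sleep -Seconds 20
    $done = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 104; StartTime = $started } -ErrorAction SilentlyContinue |
            Select-Object -First 1
} until ($done -or (Get-Date) -gt $deadline)

if ($done) { "Sync completed: event 104 at $($done.TimeCreated)" } else { Write-Warning 'No event 104 within 30 minutes; check miisclient.exe for export errors' }

# 2) Cross-check from the tenant side
Import-Module MSOnline
Connect-MsolService
$last = (Get-MsolCompanyInformation).LastDirSyncTime
if ($last -gt $started.ToUniversalTime()) { "Tenant confirms a sync at $last UTC" } else { Write-Warning "LastDirSyncTime ($last UTC) predates this run" }
```

LastDirSyncTime is reported in UTC, which is why the local start time is converted before the comparison; forgetting that is the usual reason a sync that clearly ran appears not to have reached the tenant.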
Throttling Sync
• Throughput shared across tenants at Admin Web Service layer (throttled per directory partition)
• DirSync client automatically handles throttling and retries again
• Error Code 81 – Server Busy gets logged in the event logs when DirSync has been throttled
• Throttling can lead to variable sync times especially for a first full sync cycle after installation
DirSync and Deletes
• Objects owned by DirSync cannot be edited directly in the portal, but they can be deleted via PowerShell directly in the Office 365 tenant
• Remove-MSOLUser/Contact/Group will allow you to delete an object that is owned by DirSync
• Deleted objects get moved to a Recycle Bin in the tenant
• To view the contents, run Get-MSOLUser -ReturnDeletedUsers
• Purge the Recycle Bin using Remove-MSOLUser -RemoveFromRecycleBin
• If the object still exists on-premises, it will be recreated on the next sync cycle
• If deleted on-premises, the object needs to be restored from on-premises
• Use the AD Recycle Bin (requires W2K8 R2 forest functional level)
• Or an AD authoritative restore of the deleted object(s)
Accidental Deletes
Scenario:
• On-premises AD admin accidentally deletes a user object in AD (oops)
• DirSync propagates the delete to the cloud
• User object is deleted in the cloud (mailbox lost)
What do you do now?
Accidental Deletes (continued)
Manual recovery:
• Admin identifies the object to be recovered on-premises and uses the Recycle Bin feature or an authoritative restore of the object
Via AAD Connect:
• When the admin restores the user object in AD, the object is automatically recovered by AAD Connect, the mailbox is also recovered, etc.
• Recovery is dependent on keeping the same SourceAnchor value
• A new SourceAnchor value with the same attribute values will not recover the user object in Office 365 and instead will create a new user
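The recovery path on this slide and the Recycle Bin behaviour on "DirSync and Deletes" come down to one condition: the restored AD object must keep its ObjectGUID, so that its SourceAnchor still equals the ImmutableId of the user sitting in the tenant Recycle Bin. The script below is an added example, not code from the module. It locates the tombstoned user in the AD Recycle Bin, compares anchors with the deleted cloud user before restoring, and then restores the on-premises object so the next sync cycle recovers the cloud user. It assumes the ActiveDirectory and MSOnline modules, an enabled AD Recycle Bin, a Global Administrator sign-in, and the UPN in $Upn.

```powershell
# Added example, not from the module. $Upn is an assumed input.
$Upn = 'vhanson@contoso.com'

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

# 1. Find the deleted object in the AD Recycle Bin; it keeps its ObjectGUID there
$deleted = Get-ADObject -Filter { userPrincipalName -eq $Upn -and isDeleted -eq $true } `
                        -IncludeDeletedObjects -Properties userPrincipalName, lastKnownParent
if (-not $deleted) { throw "No deleted object with UPN $Upn found in the AD Recycle Bin" }
$anchor = [Convert]::ToBase64String($deleted.ObjectGUID.ToByteArray())
"Deleted object $($deleted.DistinguishedName) has SourceAnchor $anchor"

# 2. The cloud user should still be in the tenant Recycle Bin with the same ImmutableId
$cloud = Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.UserPrincipalName -eq $Upn }
if (-not $cloud) {
    Write-Warning 'No deleted cloud user with that UPN; if it was purged, a new cloud user will be created on restore'
} elseif ($cloud.ImmutableId -ne $anchor) {
    throw "Cloud ImmutableId $($cloud.ImmutableId) differs from the on-premises anchor; restoring this object would create a new user, not recover the old one"
}

# 3. Restore on-premises into its last known parent OU; AAD Connect recovers the cloud user on the next sync
Restore-ADObject -Identity $deleted.ObjectGUID
$restored = Get-ADUser -Identity $deleted.ObjectGUID
"Restored $($restored.DistinguishedName); ObjectGUID unchanged: $($restored.ObjectGUID -eq $deleted.ObjectGUID)"
"Run a delta sync (DirectorySyncClientCmd.exe Delta) or wait for the next cycle to recover the cloud object"
```

The anchor comparison in step 2 is the check that tells a Recycle Bin restore apart from a recreate-by-hand: a recreated user gets a fresh ObjectGUID, and the slide's warning about a new SourceAnchor creating a second cloud user applies.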
Filtering What Objects Sync
DirSync filtering is now supported; tread carefully.
• You can filter what syncs based on:
• Domain
• OU
• Attributes
• Useful for filtering out service accounts and protected objects
• Incorrect filtering can mass-delete objects (and their mailboxes) from Azure Active Directory
• Filtering configuration is lost if you reinstall or upgrade the DirSync tool
Configure filtering for directory synchronization: http://technet.microsoft.com/en-us/library/jj710171.aspx
Attribute-based Filtering
Follow-along example of attribute-based filtering:
1) Open the Synchronization Rules Editor
2) Under Rule Types, select Inbound, then select "In from AD – User Join"
3) Click Edit
4) Go to Scoping Filter
5) Any users that match the query will sync
Troubleshooting
• Use the MIISClient UI to monitor export errors and track down objects
• Use the DirSync error mail notifications from Office 365
• Search for duplicate proxyAddresses against Exchange Online by running Get-Recipient <allegedduplicateaddress>
• Use the IdFix tool to identify and fix problem objects or attributes in the on-premises Active Directory
• The best approach is to make sure the AD objects are as clean as possible before implementing Azure AD Connect
Key Deployment Considerations
• Complete Active Directory cleanup work before implementing DirSync
• Understand how "soft match" works
• Consider Exchange schema extensions for non-Exchange AD environments
• Verify on-premises user objects have a value (not null) for the UPN suffix and that it is correct
• The default routing domain (e.g. contoso.onmicrosoft.com) is used for the Office 365 UPN suffix if the on-premises UPN suffix does not contain a publicly routable DNS domain (i.e. cannot use *.local)
Verified domains:
• Add all SMTP domains as verified domains before synchronizing
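Two of the considerations above, and the duplicate-proxyAddresses search from "Troubleshooting", can be checked on-premises before anything is synchronized: users whose UPN suffix is empty or is not one of the tenant's verified domains (those users would fall back to the default routing domain), and SMTP addresses that appear on more than one object (a soft match on such an address cannot be resolved). The script below is an added example, not code from the module and not a replacement for IdFix. It needs the ActiveDirectory module; the verified-domain list is an assumed input and can be taken from (Get-MsolDomain).Name when the MSOnline module is connected.

```powershell
# Added example, not from the module. $VerifiedDomains is an assumed input.
Import-Module ActiveDirectory
$VerifiedDomains = @('contoso.com')

$users = Get-ADUser -Filter * -Properties userPrincipalName, mail, proxyAddresses

# Check 1: UPN present, and its suffix is a verified (publicly routable) domain
$upnIssues = foreach ($u in $users) {
    if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
        [PSCustomObject]@{ sAMAccountName = $u.SamAccountName; Issue = 'UPN is empty' }
        continue
    }
    $suffix = $u.UserPrincipalName.Split('@')[-1]
    if ($VerifiedDomains -notcontains $suffix) {
        [PSCustomObject]@{ sAMAccountName = $u.SamAccountName; Issue = "UPN suffix '$suffix' is not a verified domain; the Office 365 UPN would use the default routing domain" }
    }
}

# Check 2: SMTP addresses (proxyAddresses entries and the mail attribute) used by more than one object
$objects = @($users) + @(Get-ADObject -Filter { objectClass -eq 'contact' -or objectClass -eq 'group' } -Properties mail, proxyAddresses)
$addresses = foreach ($o in $objects) {
    $list = @()
    if ($o.mail) { $list += $o.mail }
    $list += @($o.proxyAddresses | Where-Object { $_ -match '^smtp:' } | ForEach-Object { $_.Substring(5) })
    foreach ($a in $list) { [PSCustomObject]@{ Address = $a.ToLowerInvariant(); Owner = $o.DistinguishedName } }
}
$duplicates = $addresses | Group-Object Address | Where-Object { @($_.Group.Owner | Select-Object -Unique).Count -gt 1 }

"UPN issues: $(@($upnIssues).Count)"
$upnIssues | Format-Table -AutoSize -Wrap
"Duplicate SMTP addresses: $(@($duplicates).Count)"
foreach ($d in $duplicates) {
    "$($d.Name) is used by:`n  " + (($d.Group.Owner | Select-Object -Unique) -join "`n  ")
}
```

Each duplicate found here is one that would otherwise surface as a rejected export or a mis-targeted soft match, and each unverified UPN suffix is a user who will sign in as someone@contoso.onmicrosoft.com until the suffix is fixed.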
Lab: Activate, Install and Configure Azure AD Connect Tool
Module Review
• What objects does the Azure AD Connect tool synchronize?
• What port does Azure AD Connect use to synchronize with Office 365?
• How can you force directory synchronization to run?
Module Review (Answers)
• What objects does the Azure AD Connect tool synchronize?
Answer: Users, contacts, and groups
• What port does Azure AD Connect use to synchronize with Office 365?
Answer: HTTPS 443
• How can you force directory synchronization to run?
Answer 1: Run DirectorySyncClientCmd.exe Delta from the Command Prompt. OR Answer 2: Open Task Scheduler, right-click and run the Azure AD Sync scheduled task
Module Summary
In this lesson, you learned:
• The on-premises requirements and preparation required to run directory synchronization
• How the Azure AD Connect tool synchronizes objects and simplifies user provisioning and administration of objects
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION