Microsoft Releases Azure Active Directory Connect Preview 2
Microsoft has issued a second preview of its solution for connecting on-premises Active Directory environments with the cloud-based Microsoft Azure Active Directory service.
Preview 2 of the Azure AD Connect wizard can now be downloaded from the Microsoft Connect site here. The preview apparently was released on March 20, but it got announced by Microsoft on Wednesday. Microsoft had rolled out the first preview version back in December. The company plans to release the final Azure AD Connect solution sometime in the first half of this year, possibly in May.
Preview 2 of Azure AD Connect now lets organizations perform "in-place upgrades" from Microsoft's older Directory Synchronization (DirSync) or Azure AD Synchronization Service tools, if those tools are presently in use. Microsoft also improved Azure AD Connect by letting IT pros connect just a portion of their AD users to the Azure AD service, so that a pilot can be tested before a general rollout.
One reason to sync to the Azure AD service is that it lets end users sign in with their on-premises passwords both to local apps and to services accessed from the Internet cloud. Right now, even this one detail is somewhat complicated, because Microsoft has multiple tools for the purpose, with varying capabilities.
Microsoft actually has four tools with AD sync capabilities: DirSync, Azure AD Sync, Azure AD Connect and Forefront Identity Manager 2012 R2. Microsoft is gradually rolling up most of the sync capabilities into its Azure AD Connect solution. Azure AD Connect is basically a wizard that executes complex configurations involving Active Directory Federation Services (part of Windows Server 2012), sync services and the Azure AD PowerShell module.
The DirSync tool is subject to deprecation, meaning that Microsoft isn't planning to actively develop it in the future, but it still may be the tool of choice for some organizations' needs. Currently, Microsoft recommends Azure AD Sync as the main tool for carrying out sync tasks. However, Azure AD Connect, currently in preview, is where Microsoft seems to be heading.
As for Forefront Identity Manager 2012 R2, Microsoft has previously indicated that it will be superseded by a new Microsoft Identity Manager product, which is expected to arrive sometime in the first half of this year.
Still, which tool an organization chooses depends on which features it needs supported when syncing up to the Azure AD service. IT pros can check the status of feature support for a given sync tool at this MSDN library article.
In a March 24 Microsoft Web presentation, "Extend Your Existing Active Directory to the Cloud," Adam Bresson, a senior product marketing manager at Microsoft, said that organizations should "use Azure AD Sync now" as their main sync tool. Azure AD Connect is Microsoft's next tool that's "coming tomorrow," he added. Here's Microsoft's advice, as related by Bresson:
Most important here is that we began with DirSync. DirSync plus ADFS will be supported for the next year. But we urge you to move IT pros to Azure Active Directory Sync. With Azure Active Directory connected … for the next several months and generally available, it will upgrade the version of Azure Active Directory Sync. So, by installing Azure Active Directory Sync today, you are future proofing the installation and the sync configuration. The goal here is Azure Active Directory Connect, which combines all of the features of Azure Active Directory Sync plus the additional installation options in Azure Active Directory Connect.
Bresson presented a slide showing that Azure AD Connect will have all of Azure AD Sync's features, and more, with a product rollout expected in the first half of this year.
Organizations that currently are using DirSync should consider upgrading to Azure AD Sync in the next six months, according to Bresson. His presentation, which shows how to set up the Azure AD Sync solution, is now available on demand and can be accessed here.
One of the big current limitations of the older DirSync tool is that it can't connect multiple on-premises forests to the Azure AD service. In such cases, organizations can use the Azure AD Sync tool or Forefront Identity Manager 2010 R2 right now. Alternatively, they can take their chances using the Azure AD Connect preview, although that's not recommended for production environments.
Many of the features in the Azure AD Connect preview are themselves still at the preview stage, even with this second preview release. For instance, password writeback, user writeback, group writeback, device writeback, device sync and directory extension attribute sync are all considered "preview" features in this release.
For organizations trying to configure Azure AD Sync behind a proxy server, Microsoft has specific instructions about which ports must be open, as described in this blog post. Additional links for troubleshooting such setups can be found in this post.
Microsoft also offers a more user-friendly description about setting up these tools in its book, "Exam Ref 70-533 Implementing Microsoft Azure Infrastructure Solutions." The book is available through the Microsoft Press Store, but Microsoft posted some of the chapters for free in this blog post. Some of the info is dated, though, due to Microsoft's recent tool updates.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.