Deploying Azure Active Directory Synchronization services (AAD Sync) in a Lync resource forest

It is possible to deploy a resource forest using Exchange and Lync in their Online version. For a similar scenario, there is a Forefront Identity Manager Connector for Windows Azure Active Directory (http://www.microsoft.com/en-us/download/details.aspx?id=41166). However, in the past few months, Microsoft has published a new tool, Azure Active Directory Synchronization Services (AAD Sync). Quoting the MSDN site http://msdn.microsoft.com/en-us/library/azure/dn790204.aspx, this new synchronization service allows the user to:

"Synchronize multi-forest Active Directory environments without needing the full blown features of Forefront Identity Manager 2010 R2".

Right now, this tool is in the general availability stage. In the How it works... section of this recipe, we will talk about the AAD Sync working logic. Now, we will see how to deploy it.

Getting ready

We need the installation files for AAD Sync, available at the Microsoft Azure Active Directory Sync Services page (http://www.microsoft.com/en-us/download/details.aspx?id=44225). The server that we will dedicate to AAD Sync must be joined to a domain that runs Windows Server 2008 SP2 or higher. It is necessary to deploy an Azure account with an Active Directory service, as shown in the following screenshot:


From a security point of view, it is a good practice to create a dedicated global administrator. The Directory Sync must be Activated on the user forest's Active Directory, as shown in the following screenshot:

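The tenant preparation described above can also be done from PowerShell. The following is an added example, not code from the book: it creates the dedicated global administrator the text recommends and activates Directory Sync on the tenant with the MSOnline module. The tenant name and the administrator's UPN are placeholders; the account you connect with must already be a global administrator.

```powershell
# Added example (not from the recipe): prepare the Azure AD tenant for AAD Sync.
# Requires the MSOnline module; 'contoso.onmicrosoft.com' is a placeholder tenant.
Import-Module MSOnline
Connect-MsolService   # prompts for an existing global administrator

$syncAdminUpn = 'aadsync-admin@contoso.onmicrosoft.com'   # placeholder UPN

# Create the dedicated account. With no -Password given, MSOnline generates one and
# returns it once in the output object ($syncAdmin.Password); store it in your vault.
$syncAdmin = New-MsolUser -UserPrincipalName $syncAdminUpn `
                          -DisplayName 'AAD Sync setup administrator' `
                          -StrongPasswordRequired $true

# Grant the Global administrator role; MSOnline still calls it "Company Administrator".
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $syncAdminUpn

# Activate Directory Sync on the tenant (the same switch as "Activated" in the portal).
Set-MsolDirSyncEnabled -EnableDirSync $true -Force

# Verification: the flag is set and the new account holds the role.
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled
$roleId = (Get-MsolRole -RoleName 'Company Administrator').ObjectId
Get-MsolRoleMember -RoleObjectId $roleId | Where-Object EmailAddress -eq $syncAdminUpn
```

The wizard uses this global administrator only during setup; it creates its own service account in the tenant for the ongoing sync, so the dedicated administrator's password does not need to be exempt from expiry.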

Our scenario is based on a resource forest (Wonderland.lab) with Lync 2013 and Exchange 2013 deployed, a user forest (ForestB.lab), and an untrusted third forest (FIMDomain.lab). We will use the latter to install AAD Sync.

How to do it...

  1. Launching the installer opens the Welcome screen, which requires the user to enter the installation path and to accept the license agreement, as shown in the following screenshot:
  2. Click on Install. In the next screen (Connect to Azure AD), the username and password of a global administrator for our Active Directory service in Azure are required. Insert the information and then click on Next. The screen is the one shown in the following screenshot:
  3. The setup process will now require credentials (the domain name, the username in domain or account format, and the password) to connect to our domains. In our example, we have the resource forest (wonderland.lab) and the user forest (ForestB.lab). The configuration is the one we can see in the following screenshot. For every forest, we have to click on Add Forest to confirm the information.
  4. Once a forest is added, AAD Sync will create an initial default configuration based on the services that the forest contains, such as Exchange and Lync.
  5. Click on Next when there are no more forests to add. The Uniquely identifying your users screen requires the user to select the attribute used to match the same user across the different forests, and the attribute that will identify users in Azure Active Directory. With Exchange deployed in our resource forest, we will match on ObjectSID and msExchMasterAccountSID, while Azure AD will rely on ObjectGUID/userPrincipalName. The configuration is shown in the following screenshot:

     Click on Next. The next page, Optional Features, does not require any modifications for our scenario. Click on Next.

  6. The next screen, Ready to configure, will show a list of the domains and AD services we are going to connect. Click on Configure, as shown in the following screenshot:
  7. The last step is the Finished screen. By default, the Synchronize now flag will be selected. To manage the sync service, it is required to log off and log on again so that the ADSyncAdmins group membership applies. Click on Finish.
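The matching chosen in step 5 only works if every linked mailbox user in the resource forest actually points, through msExchMasterAccountSID, to an existing account in the user forest; otherwise the first sync cycle produces resource-forest objects with no owning identity. The following check is an added example, not code from the book. It assumes the ActiveDirectory module is available on the AAD Sync server, that the forest names from the recipe resolve to a domain controller, and that the account running it has read access to both forests.

```powershell
# Added example (not from the recipe): verify the ObjectSID / msExchMasterAccountSID
# matching before the first synchronization cycle. Forest names come from the recipe.
Import-Module ActiveDirectory

# msExchMasterAccountSID may come back as a SecurityIdentifier, a byte array or a string
# depending on the module version; normalise it to a SecurityIdentifier.
function ConvertTo-Sid {
    param($Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($Value, 0) }
    return [System.Security.Principal.SecurityIdentifier]$Value   # string form, "S-1-5-21-..."
}

function Test-LinkedMailboxOwners {
    param(
        [string]$ResourceForest = 'wonderland.lab',   # resource forest from the recipe
        [string]$UserForest     = 'ForestB.lab'       # user forest from the recipe
    )
    $selfSid = 'S-1-5-10'   # SELF: shared/resource mailboxes, not linked to a user-forest account

    # Linked mailbox users: account disabled (userAccountControl bit 2) with a master SID set.
    $filter = '(&(msExchMasterAccountSID=*)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    $linked = Get-ADUser -Server $ResourceForest -LDAPFilter $filter `
                         -Properties msExchMasterAccountSID, mail, userPrincipalName

    foreach ($u in $linked) {
        $masterSid = ConvertTo-Sid $u.msExchMasterAccountSID
        if ($masterSid.Value -eq $selfSid) { continue }   # nothing to match for SELF

        $owner = $null
        try {
            # Get-ADUser accepts a SID string as -Identity; resolve it in the user forest.
            $owner = Get-ADUser -Server $UserForest -Identity $masterSid.Value `
                                -Properties userPrincipalName -ErrorAction Stop
        } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # No account behind this SID: the sync would create an unowned object.
        }

        $ownerUpn = if ($owner) { $owner.UserPrincipalName } else { $null }
        $status   = if ($owner) { 'OK' } else { 'ORPHANED' }

        [pscustomobject]@{
            ResourceAccount = $u.SamAccountName
            Mail            = $u.mail
            MasterSid       = $masterSid.Value
            UserForestUpn   = $ownerUpn   # this UPN is what Azure AD will see for the user
            Status          = $status
        }
    }
}

# List only the problems; clean these up in AD before the first sync cycle runs.
Test-LinkedMailboxOwners | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Connectivity errors (an unreachable domain controller, missing read rights) are deliberately left to surface, since only the not-found case means an orphaned linked mailbox. Drop the `Where-Object` filter to see the full mapping, including the user-forest UPN each mailbox will be associated with in Azure AD.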

How it works...

The concepts of metaverse and connector space that we have seen for FIM also apply to AAD Sync. There is no management agent in AAD Sync; all the data is gathered by the server using connectors (remote connections to the data sources). As we mentioned before, the flow of information can be inbound or outbound. We have a high-level overview in the following schema:
