
Module: Azure AD Connect Essentials

1. INTRODUCTION TO AZURE AD CONNECT (AD CONNECT)


Azure AD Connect is a Microsoft tool that facilitates the synchronization of on-premises Active
Directory (AD) with Azure Active Directory (Azure AD). It ensures seamless user and group
synchronization, enabling single sign-on (SSO) and other identity-related features across hybrid
environments.
[Figure: Sample interface of AD Connect]

Download Here - https://www.microsoft.com/en-us/download/details.aspx?id=47594

2. WHAT IS IDFIX TOOL?


IdFix (Identity Fix) is a tool used alongside Azure AD Connect that helps identify and resolve issues with user
objects before synchronization. It scans your on-premises AD for inconsistencies in object attributes and
provides remediation recommendations so that the objects can be corrected before they are synced to Azure AD.

[Figure: Interface of IdFix]

Download here - https://microsoft.github.io/idfix/Step%202%20-%20Install%20IdFix/


3. EXPRESS VS. CUSTOMIZED SYNC
Express Settings:
Quick and straightforward setup that automatically configures synchronization rules suitable for most
organizations.
Customized Settings:
Allows fine-grained control over synchronization. Enables customization, filtering, attribute mapping,
and transformation rules. Useful for complex scenarios or specific requirements.

4. OU FILTERING AND ATTRIBUTE FILTERING


OU Filtering – Selectively sync specific organizational units (OUs) from on-premises AD to Azure AD,
which helps reduce unnecessary synchronization overhead.
Attribute Filtering – Choose which attributes (e.g., phone number, department) to synchronize. This is
used to exclude sensitive or irrelevant attributes and can be customized to organizational needs.

[Figure: Interface for filtering]


5. SYNCHRONIZATION SERVICE APP AS A MONITORING TOOL

The Synchronization Service App, also known as Microsoft Entra Connect, is an application that
facilitates synchronization between your on-premises Active Directory Domain Services (AD DS) and the
Microsoft Entra tenant associated with your Microsoft 365 subscription.
As a monitoring tool, it is part of the Azure AD Connect installation and provides real-time monitoring and
troubleshooting: you can view sync cycle status, connector space and metaverse data, and use it to diagnose
synchronization errors and conflicts.
It includes:
• Azure AD Connect Health, a monitoring tool designed specifically for Azure AD Connect. It serves two
primary purposes:
  • Monitoring ADFS infrastructure: it keeps track of the status of your Active Directory Federation
  Services (ADFS) infrastructure.
  • Monitoring the sync engine: it also monitors the synchronization engine of Azure AD Connect.
• Synchronization Service Manager: to manage and monitor directory synchronization, you can use the
Synchronization Service Manager console.
Organizations that already use DirSync or Azure AD Sync can benefit from Azure AD Connect Health by
migrating to it or performing an in-place upgrade from supported configurations.
Azure AD Connect Health helps you monitor the status of this sync engine, ensuring smooth
synchronization between your on-premises identity infrastructure and Azure AD. It provides insights into
any issues or errors related to synchronization, allowing you to take proactive measures.

[Figure: Synchronization settings]
6. PowerShell Commands to Force Sync in Azure AD Connect

To force an immediate synchronization:


Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

This triggers a delta sync, updating changes since the last sync cycle.
To modify the synchronization schedule:

Set-ADSyncScheduler -SyncCycleEnabled $true -CustomizedSyncCycleInterval <interval>

Replace <interval> with your desired sync frequency as a TimeSpan in d.HH:mm:ss form (e.g., 00:30:00 for
every 30 minutes). The parameter is -CustomizedSyncCycleInterval; the scheduler will not run more often
than the AllowedSyncCycleInterval reported by Get-ADSyncScheduler.
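As an added example (not part of the module), a script built on the same ADSync cmdlets that forces a delta cycle safely: it refuses to start while another cycle is running (Start-ADSyncSyncCycle fails in that case), waits for the cycle to finish, and reports any connector still running afterwards. The 600-second timeout is an assumed default.

```powershell
# Added example, not from the module: force a delta sync and wait for it to finish.
Import-Module ADSync -ErrorAction Stop

function Invoke-DeltaSyncAndWait {
    param([int]$TimeoutSeconds = 600)   # assumed default; adjust to the size of the directory

    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        Write-Warning "Scheduler is disabled: this forced cycle runs, but no automatic cycles follow."
    }
    if ($sched.SyncCycleInProgress) {
        throw "A sync cycle is already running; Start-ADSyncSyncCycle would fail."
    }
    Write-Host ("Next scheduled cycle: {0} at {1} UTC" -f
        $sched.NextSyncCyclePolicyType, $sched.NextSyncCycleStartTimeInUTC)

    # Delta = only changes since the last cycle, same as the one-liner above.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # Poll the scheduler until the cycle flag clears or we give up.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)

    if ($inProgress) {
        throw "Delta sync still running after $TimeoutSeconds seconds; inspect it in Synchronization Service Manager."
    }

    # Any connector still reporting a run here points at a stuck run profile.
    $active = Get-ADSyncConnectorRunStatus
    if ($active) {
        $active | Format-Table -AutoSize
        throw "A connector run is still active after the cycle finished."
    }
    Write-Host "Delta sync completed."
}

Invoke-DeltaSyncAndWait
```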
7. COMMON ISSUES IN AD CONNECT
1. Connection to Azure AD:

Indication:
• New user accounts added in on-premises Active Directory do not appear in Azure AD, or take an
unusually long time to appear (more than 30 minutes).
• After an on-premises user changes their password, they can't authenticate to Azure AD.
• If the password-writeback feature is used, password resets in Azure AD do not work for on-premises
users.
• Synchronization errors are visible under Azure AD Connect Health.
• Directory administrators receive email notifications from Azure AD regarding sync issues.

Common Causes:
• Connection to Azure AD: Ensure that the Azure AD Connect server has a stable connection to the
necessary URLs, IP addresses, and port numbers (TCP 80 and 443) listed in the Microsoft documentation.
You can verify connectivity using Telnet.
• Proxy Configuration: If Azure AD Connect communicates with Azure AD via a proxy, ensure that the
proxy configuration is correctly set in
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.

Resolution:
• Verify network connectivity to Azure AD.
• Check proxy settings if applicable.

2. Connection to On-premises Domain Controllers:

Indication:
• Users won't synchronize, and changes won't flow between on-premises and Azure AD.
Common Causes:
• Firewall rules blocking necessary ports (e.g., 80, 443, 53, 88, 389, 445, 636).
• DNS resolution issues.
• Network segmentation preventing communication.
Resolution:
• Review firewall rules and allow necessary traffic.
• Ensure proper DNS resolution.
• Adjust network segmentation if needed.
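An added example (not from the module) that checks the preconditions named under issues 1 and 2 from the Azure AD Connect server itself: the proxy element in the machine.config path given above, TCP 80/443 to the cloud endpoints, and the listed ports on every domain controller discovered from the joined domain. The hostnames passed to Test-CloudEndpoints are placeholders; substitute the endpoints from Microsoft's documentation.

```powershell
# Added example, not from the module: verify proxy config and network reachability.
function Get-MachineConfigProxy {
    # The sync engine is a .NET application, so this file decides which proxy it uses.
    $path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
    [xml]$cfg = Get-Content -Path $path -Raw
    $proxy = $cfg.configuration.'system.net'.defaultProxy
    if (-not $proxy) { return 'No <defaultProxy> element in machine.config: direct connection assumed.' }
    return $proxy.OuterXml
}

function Test-TcpPorts {
    param([string[]]$Targets, [int[]]$Ports)
    foreach ($t in $Targets) {
        foreach ($p in $Ports) {
            # Test-NetConnection replaces the Telnet check and needs no extra feature installed.
            $r = Test-NetConnection -ComputerName $t -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $t; Port = $p; Reachable = $r.TcpTestSucceeded }
        }
    }
}

function Test-CloudEndpoints {
    param([string[]]$Hosts)
    Test-TcpPorts -Targets $Hosts -Ports 80, 443          # TCP 80 and 443 as listed above
}

function Test-DomainControllerPorts {
    # Discover DCs through .NET so the RSAT ActiveDirectory module is not required.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dcs = $domain.DomainControllers | ForEach-Object { $_.Name }
    Test-TcpPorts -Targets $dcs -Ports 53, 88, 389, 445, 636   # ports named under issue 2
}

Get-MachineConfigProxy
# PLACEHOLDER hostnames: replace with the endpoints from Microsoft's documentation.
Test-CloudEndpoints -Hosts 'ENDPOINT-1.example', 'ENDPOINT-2.example' | Format-Table -AutoSize
# Show only the DC ports that failed, so a blocked port stands out.
Test-DomainControllerPorts | Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```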

3. Installation and Configuration Issues


Indication:
• The sync engine is unable to authenticate with your on-premises Active Directory.
• If the Azure AD Connect server cannot communicate with Azure AD or your on-premises domain
controllers, synchronization won't work.
Common Causes:
• Credentials do not match: if you provide incorrect credentials during installation (such as service
account credentials), synchronization fails.
Resolution:
• Double-check the credentials you provide during installation.
• Ensure that the service account has the necessary permissions in both Azure AD and your
on-premises AD.
