The windows azure active directory sync tool , has a new feature. ‘Password Synchronization‘
This is a really neat feature and will meet the needs of most businesses that need to synchronize identities to office365. Setting up ADFS farms is often overkill for small businesses as to do it properly you need a minimum of 4 servers. Two adfs proxy servers and Two adfs lan servers each in a different site for redundancy and high availability.
Now with password synchronization you only need one server or can install the dirsync service onto an existing server.So how do we configure password synchronization.
- Create a dirsync service account and add the account to the ‘FIMSyncAdmins‘ group on the server where you plan installing the service.
- Create this shorcut on the desktop ‘”C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe“
- Then as per the image below , right click on ‘Active directory Connector‘, ‘Configure Directory Partitions‘ and then ‘Containers‘ and select the OU’s that you want to synchronize.
- Create an OU and add the DirSync Server into that OU.
- Add the DirSync Server to that OU.
- IN GPO Management , Block Inheritance on the OU.
- Create a group policy object as follows. Navigate to ‘Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment‘
- Located “Login as a Service” and add the service account for the synchronization engine which could be typically ‘AAD_95a9bb5e2ba4‘
- Link the GPO to the OU prevously created and enforce the policy
- Logon to the DirSync server, GPUPDATE/FORCE
- Log off
- Log on
- Start the service
- Or you could simply use gpedit.msc and edit the local policy on the machine.