A few weeks ago, Microsoft released a new version of DirSync. For those of you who don’t know, DirSync is a tool that lets you easily sync your Active Directory users and changes to Azure Active Directory.
The biggest change we saw in this new version is password synchronization. With the newest version of the DirSync software installed, you are now able to sync password hashes from your local Active Directory to the cloud, which lets users log in with their corporate (local domain) credentials without the need for an ADFS server. The best part is that if you have already installed and set up DirSync, there is just one more box to tick to enable password synchronization.
The password synchronization feature works by sending a hashed value of each password from your local domain out to the Azure Active Directory environment. A couple of key notes about this new feature:
- Plain text passwords are NOT synchronized
- Reversible-encryption is NOT required in your local active directory
- No schema changes are required in your local active directory.
What does this mean? It means this is very secure.
The benefits of this new solution from Microsoft are twofold:
- Smaller companies that run a few servers are able to run the Dirsync application anywhere in their environment, EXCLUDING the domain controller. This eliminates the associated costs of a separate Active Directory Federated Services (ADFS) server.
- There are cost and time savings for your IT department, which no longer has to patch, maintain, and troubleshoot an ADFS server.
We tested and successfully implemented the solution. In the test, we used two Windows Azure virtual machines running Windows Server 2012 – one domain controller and one server to run DirSync – and a new Office 365 trial account.
DirSync’s standard sync interval is three hours, but you can run manual syncs or even change the sync interval.
Change sync interval:
C:\Program Files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config
Edit the tag <add key="SyncTimeInterval" value="3:0:0" />
The values in this tag follow the format hours : minutes : seconds. Also note that the synchronization process can take some time depending on how much information needs to be synced.
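As an added example (this is not from the original post or from Microsoft), the interval change described above can be scripted rather than edited by hand, which also lets you validate the hours:minutes:seconds value and keep a backup before the file is touched. The config path is the one given above; the new interval value and the script itself are assumptions for illustration.

```powershell
# Added example, not part of the original post: change DirSync's SyncTimeInterval
# in the scheduler config with validation and a backup. Run from an elevated prompt,
# since the file lives under Program Files.
param(
    [string]$ConfigPath = 'C:\Program Files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config',
    [string]$NewInterval = '1:0:0'   # constructed sample value: sync every hour
)

# Refuse anything that is not hours:minutes:seconds with sane minute/second ranges,
# so a typo cannot leave the scheduler with an unparseable interval.
if ($NewInterval -notmatch '^\d{1,2}:[0-5]?\d:[0-5]?\d$') {
    throw "SyncTimeInterval must be hours:minutes:seconds, got '$NewInterval'"
}

# Keep a timestamped copy so the change can be rolled back.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

# Load the file as XML rather than doing string replacement, so only the one
# <add key="SyncTimeInterval"> element under <appSettings> is modified.
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$node = $config.configuration.appSettings.add | Where-Object { $_.key -eq 'SyncTimeInterval' }
if (-not $node) {
    throw "No <add key='SyncTimeInterval'> element found in $ConfigPath"
}

Write-Host "Changing SyncTimeInterval from $($node.value) to $NewInterval (backup: $backup)"
$node.value = $NewInterval
$config.Save($ConfigPath)

# Assumption (not stated in the post): the scheduler picks up the new value only
# after its service is restarted, so plan a restart in a maintenance window.
```

The regular expression deliberately accepts only two-digit hours and 0-59 minutes and seconds; if you need a different shape (for example a day component), widen the pattern rather than removing the check.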
When passwords are changed in the local Active Directory, we were able to use the new password to log in to Office 365 within 30-60 seconds.
We also explored what happens when accounts are deleted. After DirSync is enabled, any account that is deleted within Active Directory will be deleted in the Online Service Portal after the next directory synchronization. If you then re-create the account in Active Directory, a new account is created in Office 365, and it will not be mapped back to the old account in the cloud. Accounts created within AD cannot be deleted on the cloud side, but you still assign and remove licensing from the online dashboard.
Looking for more nitty-gritty details on this solution? Check out this recently published TechNet article:
Still have questions? See if they are answered in this wiki:
Need help configuring DirSync? Just give a call and we’ll be glad to help.