It is possible to deploy a resource forest using Exchange and Lync in their Online version. For a similar scenario, there is a Forefront Identity Manager Connector for Windows Azure Active Directory (http://www.microsoft.com/en-us/download/details.aspx?id=41166). However, in the past few months, Microsoft has published a new tool, Azure Active Directory Synchronization Services (AAD Sync). Quoting the MSDN site http://msdn.microsoft.com/en-us/library/azure/dn790204.aspx, this new synchronization service allows the user to:
"Synchronize multi-forest Active Directory environments without needing the full blown features of Forefront Identity Manager 2010 R2".
Right now, this tool is in the general availability stage. In the How it works... section of this recipe, we will talk about the AAD Sync working logic. Now, we will see how to deploy it.
We need the installation files for AAD Sync, available at the Microsoft Azure Active Directory Sync Services page (http://www.microsoft.com/en-us/download/details.aspx?id=44225). The server that we will dedicate to AAD Sync must be joined to a domain that runs Windows Server 2008 SP2 or higher. It is necessary to deploy an Azure account with an Active Directory service, as shown in the following screenshot:
From a security point of view, it is a good practice to create a dedicated global administrator. The Directory Sync must be Activated on the user forest's Active Directory, as shown in the following screenshot:
Our scenario is based on a resource forest (Wonderland.lab) with Lync 2013 and Exchange 2013 deployed, a user forest (ForestB.lab), and an untrusted third forest (FIMDomain.lab). We will use the latter to install AAD Sync.
wonderland.lab) and the user forest (forest.lab). The configuration is the one we can see in the following screenshot. For every forest, we have to click on Add Forest to confirm the information.
msExchMasterAccountSID, while Azure AD will rely on ObjectGUID/userPrincipalName. The configuration is shown in the following screenshot:
Click on Next. The next page, Optional Features, does not require any modifications for our scenario. Click on Next.
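Before running the wizard, it is worth checking that the matching attributes the recipe relies on are consistent, otherwise AAD Sync will create duplicate or orphaned objects in the metaverse. The following PowerShell script is an added example, not part of the original recipe: it lists every linked mailbox user in the resource forest (via msExchMasterAccountSID), resolves that SID in the user forest, and reports whether the userPrincipalName values agree. The forest names, the credential parameter and the report format are assumptions for illustration.

```powershell
# Pre-flight consistency check for the AAD Sync resource-forest scenario (added example).
# Assumptions: ActiveDirectory module present on the AAD Sync server, network access
# to both forests, and a credential valid in the (untrusted) user forest.
param(
    [string]$ResourceForest = 'wonderland.lab',   # assumed resource forest FQDN
    [string]$UserForest     = 'forestb.lab',      # assumed user forest FQDN
    [pscredential]$UserForestCred = (Get-Credential -Message "Account in $UserForest")
)
Import-Module ActiveDirectory

# Linked mailbox users in the resource forest carry msExchMasterAccountSID.
$linked = Get-ADUser -Server $ResourceForest -LDAPFilter '(msExchMasterAccountSID=*)' `
    -Properties msExchMasterAccountSID, userPrincipalName

$report = foreach ($u in $linked) {
    # The attribute may come back as a SecurityIdentifier or as raw bytes; normalise it.
    $raw = $u.msExchMasterAccountSID
    $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
           else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }

    if ($sid.Value -eq 'S-1-5-10') {
        # SELF: a shared/resource mailbox, not linked to a user-forest account.
        [pscustomobject]@{ ResourceUser = $u.SamAccountName; MasterSid = $sid.Value
                           UserForestUpn = $null; Status = 'SharedMailbox (skip)' }
        continue
    }

    # Resolve the master account in the user forest; untrusted forest, so pass credentials.
    $master = Get-ADUser -Server $UserForest -Credential $UserForestCred -Identity $sid.Value `
        -Properties userPrincipalName -ErrorAction SilentlyContinue

    $status = if (-not $master)                        { 'OrphanedSid' }
              elseif (-not $master.Enabled)            { 'MasterDisabled' }
              elseif ($master.userPrincipalName -ne $u.userPrincipalName) { 'UpnMismatch' }
              else                                     { 'OK' }

    [pscustomobject]@{ ResourceUser = $u.SamAccountName; MasterSid = $sid.Value
                       UserForestUpn = $master.userPrincipalName; Status = $status }
}

$report | Sort-Object Status | Format-Table -AutoSize
# Anything other than OK should be fixed before the first synchronization run.
```

Rows reported as OrphanedSid or UpnMismatch are the ones that would not be joined correctly on ObjectGUID/userPrincipalName once the objects reach Azure AD.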
The concepts of metaverse and connector space that we have seen for FIM also apply to AAD Sync. There is no management agent in AAD Sync; all the data is gathered by the server using connectors (remote connections to the data sources). As we mentioned before, the flow of information can be inbound or outbound. We have a high-level overview in the following schema: