AADConnect, AADSync, and DirSync. Oh, my.

Note: The information in this post is relative to the time that I am writing it. As products evolve, I will try to update this post so that the information here stays as correct as possible.

This year we are in a transition from an older sync tool (DirSync) to a new set of sync technologies, AAD Sync + AAD Connect (which will become one integrated tool before they GA). In addition, we have Forefront Identity Manager, which is great for managing complex on-premises identity workflows. So we get a lot of questions around which technology to use for which purpose.  In this post I will walk you through the different options here and what they do.  This isn’t going to be an extensive comparison between the product but rather a high-level overview. I will include links to external sites with more information where applicable.

 

Directory Sync

When it comes to synchronizing an on-premise directory with Azure (more specifically, an Azure AD tenant), the most commonly-known product is the Directory Sync tool (aka DirSync). If you have an Office 365 subscriptions, this is most likely the product that you are familiar with, since it is the one offered to you from the Office 365 portal when you are setting up synchronization, which looks like this:

 

 

DirSync is also available through the Azure Management Portal. When configuring synchronization between an Azure domain and your on-premise AD, the portal will offer the DirSync download in step 3, which looks like this:

 

In either case, you will be offered the currently available version of DirSync, which is version 1.0.x. The DirSync team makes regular updates to the version of DirSync that is available, so the version number here is approximate.

 

Forefront Identity Manager

When it comes to the actual synchronization of data (copying of users and attributes), DirSync relies on Forefront Identity Manager (aka FIM). If you have DirSync installed and examine the list of installed application, you will see both DirSync and FIM in that list:

 

FIM itself is highly adaptable platform for synchronizing data from one place to another, with the ability to synchronization with SQL databases, Active Directory, Azure Active Directory, LDAP, and other data stores. However, the setup and configuration of FIM can be tedious for less-experienced users. For users wanting to synchronize their on-prem AD with AAD, the setup process is almost always the same. To simplify thing, DirSync was create the streamline the process.

It's still possible to setup FIM to synchronize on-prem AD with AAD, but most users opt to install DirSync given its ease of deployment.

 

Azure Active Directory Synchronization Service

The eventual successor to DirSync is the Azure Active Directory Synchronization Service, also known as AADSync. As discussed on the overview page, AADSync provides new features that DirSync does not have, though at the same time lacks a few features currently in DirSync. A comprehensive comparison between DirSync and AADSync can be found here: Directory Integration Tools Feature Comparison. As of this writing, the comparison page was updated less than a week ago, so I believe the information is correct.

AADSync has both a simplified deployment experience (in following with DirSync), but is also a "next generation" synchronization server (to supersede FIM). The main selling point of AADSync is that is has the capability to synchronize from multiple Active Directory forests to a single AAD tenant - a feature that is not present in DirSync.

 

Azure Active Directory Connect

Today customers have the option between DirSync and AADSync to use as a synchronization technology. Both have their pros and cons, though at some point in the future AADSync will be the single choice.

However, a growing number of customers are interested in not just identity synchronization, but also federation. Federation (as described in a previous post) is where an on-premise service is utilized to authenticate users, typically Active Directory Federation Services (AD FS). For customer interested in federation, selecting a synchronization technology (DirSync or AADSync) is only the first part of deployment, after which servers need to be deployed and configured, and the Azure AD configuration updated accordingly.

This is where Azure Active Directory Connect (aka AADConnect) come in. As first mentioned on the AD Team Blog, AADConnect is a deployment solution for all of your DirSync/AADSync/AD FS needs. In the same way that DirSync simplifies the installation and configuration of FIM, AADConnect will simplify the deployment and configuration of your end-to-end identity setup. AADConnect isn't a synchronization engine like FIM or AADSync - simply installing AADConnect won't cause identities to magically begin synchronizing with AAD. What is does do however is provide an easy-to-understand experience  for deploying whatever technologies are required, based on your needed.

As an example (and I will cover this is more detail in a future post), instead of asking "Do you want DirSync or AD FS?", AADConnect asks "Do you want Password Sync or Single Sign-On?".

 

Distinctions like this are how we plan to simplify the process of installing and configuring an identity solution based on what you need, not what you know.

 

Wrap Up

With any luck, this post has shed a bit of light on the confusion among the various technologies mentioned above. Still confused? As a question below and I will expand the post as needed.