Azure AD Connect — Dispel the Fear
People who are unfamiliar with Azure AD Connect (AADC) are often not sure which changes will be pushed to their Active Directory Domain Services (ADDS) or their Azure Active Directory (AAD) after installation or major configuration changes.
This post will give you an overview of how you can validate the changes AADC is going to export to your ADDS and AAD before they happen. I will refer to ADDS and AAD as “target system(s)”.
Making sure nothing happens
After every installation or configuration change you will be provided with a checkbox to decide if the synchronization process should be started. Simply uncheck it and you can be sure nothing will happen to your target systems.
You can also use PowerShell to determine whether the synchronization scheduler is enabled, and to turn it off and on. Going forward, make sure it is set to “False”.
Get-ADSyncScheduler                              # shows SyncCycleEnabled and the other scheduler settings
Set-ADSyncScheduler -SyncCycleEnabled $false     # stop automatic sync cycles
Set-ADSyncScheduler -SyncCycleEnabled $true      # re-enable them later
Azure AD Connect also offers a feature called “Staging Mode” to make sure no changes will be made to your target systems — after this post you should not need it anymore, or at least you will have a better understanding of what it does.
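As an added example (not code from the original post), the following PowerShell wraps the scheduler commands above so you can record the state you started from, disable automatic cycles, and confirm the change took effect. It assumes the ADSync module that ships with Azure AD Connect is present on the AADC server and that the session has local administrator rights; the function names are my own.

```powershell
# Added example, not part of the original post.
# Assumes the ADSync module (installed with Azure AD Connect) and admin rights on the AADC server.
Import-Module ADSync

function Get-AADCSafetyState {
    # Summarises the scheduler settings that decide whether AADC will
    # touch the target systems on its own.
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncCycleEnabled            = $s.SyncCycleEnabled             # $false = no automatic cycles
        StagingModeEnabled          = $s.StagingModeEnabled           # $true  = Import/Sync run, Export does not
        SyncCycleInProgress         = $s.SyncCycleInProgress          # a cycle is running right now
        NextSyncCycleStartTimeInUTC = $s.NextSyncCycleStartTimeInUTC
    }
}

function Disable-AADCSyncCycle {
    # Turns the scheduler off and returns the previous state so it can be restored.
    $before = Get-AADCSafetyState
    if ($before.SyncCycleInProgress) {
        Write-Warning "A sync cycle is running right now; its Export step may still complete."
    }
    Set-ADSyncScheduler -SyncCycleEnabled $false
    $after = Get-AADCSafetyState
    if ($after.SyncCycleEnabled) {
        throw "Scheduler is still enabled; check that you are running as an administrator on the AADC server."
    }
    Write-Host "Scheduler disabled (SyncCycleEnabled was $($before.SyncCycleEnabled))."
    return $before
}

# Usage: freeze the scheduler and show the resulting state.
$saved = Disable-AADCSyncCycle
Get-AADCSafetyState | Format-List

# Once you have validated the pending exports, restore whatever the scheduler was set to before:
# Set-ADSyncScheduler -SyncCycleEnabled $saved.SyncCycleEnabled
```

Keeping the returned `$saved` object is the point of the wrapper: when a colleague later asks why synchronization stopped, you know exactly what the scheduler looked like before you touched it, and you can put it back with one line.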
Validating changes
Open the Synchronization Service Manager
Usually a quick search does the trick, however you will find it here:
C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe
The synchronization service consists of four tabs:
“Operations” — A history of the AADC activities
“Connectors” — List and configuration of the connectors to ADDS and AAD
“Metaverse Designer” — not relevant for this post
“Metaverse Search” — Allows you to search for objects within AADC
Run profile basics
Every connector has “run profiles” which control their actions.
Import — Will import data from the target system into AADC
Synchronization — Will calculate the changes required on target systems
Export — Will export data to the target systems. This is the only run profile that will make changes to your ADDS or AAD.
Importing the latest data from AAD and ADDS
Now we are going to import the latest data from your AAD and ADDS into Azure AD Connect. The following actions will not make any changes to your target systems.
- Go to the operations tab
- Right-click the AAD connector (Usually the name includes your onmicrosoft.com address)
- Click run
- Select the run profile “Full Import”
- Click ok
- Watch the “State” of the connector; it will change from “Idle” to “Running”
- Once the AAD connector is back in “Idle” state repeat the same steps for the ADDS connector
When you are running the import you will be provided with statistics about the data that has been imported. You can also click on the statistics to get more details. The following video will show you the process; in this case no new data has been imported from AAD, but a few changes from ADDS.
Calculating the changes for the target systems
Next, Azure AD Connect needs to calculate the changes required on the target systems. We will do this by running a Full Synchronization on both connectors. The following actions will not make any changes to your target systems.
- Right-click the ADDS connector
- Click run
- Select the run profile “Full Synchronization”
- Click ok
- Wait for the synchronization to finish and repeat the same steps for the AAD connector
Once again you will be provided with statistics; this time they will tell you which changes are going to happen to your target systems. Further, you can always check the “Connector Space” of a connector to see which changes are going to happen with the next export run. You can also use the Metaverse Search to find a specific object and check its connectors. The following video shows the process.
Searching for pending exports of a connector:
- Right-click the connector
- Click “Search Connector Space”
- Set scope to “Pending Exports”
- Select Add, Modify and Delete
- Search
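The same Full Import and Full Synchronization sequence as the GUI steps above, driven from PowerShell, as an added example that is not code from the original post. It assumes the ADSync module is available, that Invoke-ADSyncRunProfile runs the named run profile on a connector and returns when it has finished, that Get-ADSyncConnectorRunStatus lists currently running connectors with a ConnectorName property, and, as the post describes, that the AAD connector's name contains your onmicrosoft.com address. Neither run profile writes to ADDS or AAD; the script refuses to start anything whose name contains “Export”.

```powershell
# Added example, not part of the original post.
# Assumes the ADSync module; Invoke-ADSyncRunProfile and Get-ADSyncConnectorRunStatus
# are used as described in the lead-in (assumption: ConnectorName property on run status).
Import-Module ADSync

function Get-AADCConnectorNames {
    # Returns @{ AAD = <name>; ADDS = <name> }, telling them apart by the
    # onmicrosoft.com address in the AAD connector's name (as in the post).
    $all  = Get-ADSyncConnector
    $aad  = @($all | Where-Object { $_.Name -like '*onmicrosoft.com*' })
    $adds = @($all | Where-Object { $_.Name -notlike '*onmicrosoft.com*' })
    if ($aad.Count -ne 1 -or $adds.Count -lt 1) {
        throw "Could not tell the connectors apart by name; pick them from Get-ADSyncConnector manually."
    }
    return @{ AAD = $aad[0].Name; ADDS = $adds[0].Name }
}

function Assert-NotExportProfile {
    param([string]$RunProfileName)
    # Export is the only run profile that changes target systems; never run it from here.
    if ($RunProfileName -match 'Export') {
        throw "Refusing to run '$RunProfileName': only Export changes ADDS or AAD, and that is a manual step."
    }
}

function Invoke-AADCReadOnlyRun {
    param([string[]]$ConnectorNames, [string]$RunProfileName)
    Assert-NotExportProfile $RunProfileName
    foreach ($name in $ConnectorNames) {
        # Mirrors "wait until the connector is back in Idle" from the GUI steps.
        $busy = Get-ADSyncConnectorRunStatus | Where-Object { $_.ConnectorName -eq $name }
        if ($busy) { throw "Connector '$name' is still running a profile; wait for it to become Idle." }
        Write-Host ("{0,-22} -> {1}" -f $RunProfileName, $name)
        $result = Invoke-ADSyncRunProfile -ConnectorName $name -RunProfileName $RunProfileName
        Write-Host "   result: $result"
    }
}

$c = Get-AADCConnectorNames
# Same order as the post: import AAD then ADDS, synchronize ADDS then AAD.
Invoke-AADCReadOnlyRun -ConnectorNames @($c.AAD, $c.ADDS) -RunProfileName 'Full Import'
Invoke-AADCReadOnlyRun -ConnectorNames @($c.ADDS, $c.AAD) -RunProfileName 'Full Synchronization'

Write-Host "Done. Review each connector's pending exports (Search Connector Space -> Pending Exports) before running Export."
```

The pending-export review itself stays in the Synchronization Service Manager: the Connector Space search with scope “Pending Exports” is where you confirm the Adds, Modifies and Deletes are the ones you expect before anything is exported.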
Everything looks good?
Then go ahead and run an “Export” run profile to make changes on your target systems. Alternatively you can simply re-enable the synchronization scheduler and start a sync cycle.
Set-ADSyncScheduler -SyncCycleEnabled $true      # re-enable automatic sync cycles
Start-ADSyncSyncCycle                            # run a cycle now instead of waiting for the scheduler
So when should I use “Staging Mode”?
If you enable staging mode for AADC it simply doesn’t run the Export run profiles for your connectors; it will continue to automatically run Imports and Synchronizations. It is up to you if you want to use it :)
Notes
The time required for Full Import and Full Synchronization depends heavily on the number of objects in your target systems.