[MUSIC]
Corissa Koopmans: Welcome to the Azure AD Architecture
Deep Dive Series. I’m Corissa Koopmans and I’m a Program
Manager on the Azure AD Engineering team at Microsoft.
Ramiro Calderon: Hello, everybody. My name’s Ramiro
Calderon. I’m also a Program Manager in the Azure AD
Engineering team.
In this video today, we’re going to cover how Azure AD
Connect keeps Active Directory and Azure Active Directory
in sync.
Here on the left, we have an on-premises Active Directory forest.
On the right side, we have Azure AD. For this flow, we will
refer to both AD and Azure AD as data sources. Then we
have Azure AD Connect here in the middle. As we saw before,
Connect is a brand of multiple components. And today, we’re
going to focus on the sync engine component of Azure AD
Connect.
So, you see here in the edges that there is a connector for
each data source. In the first step, there is an import process,
where the connector reads from the data source into a
working area that we call the connector space. Under the
covers, all of this is using SQL Server. The AD connector
uses LDAP to talk to Active Directory. The query targets
specific containers in AD that are in scope, which is helpful
to filter out objects that we don’t need to be synchronizing
to the cloud. It also uses a differential query to only get
the changes on the forest since the last import happened.
If there are multiple forests in the environment, you can
configure another connector, which creates a corresponding
connector space. The connector needs network connectivity
to the target forest.
The import steps run in sequence. So, we did AD first. Now,
the import is the same for Azure AD, and the cloud object changes
are then also stored in the Azure Active Directory connector
space.
The second step is a sync process, which takes objects from
all the connector spaces and then runs the rules to
calculate which objects need to be provisioned or
deprovisioned from where, and also the attributes and group
memberships, etc. Those calculations are stored in a working
area that we call the metaverse, which is also stored in a
SQL database data layer.
And finally, we have the export stage updating the connected
systems per the metaverse. This is where the objects in
Azure AD and AD on-premises are updated. For example,
if an Office 365 group was created in the cloud, then we
will write that group back to Active Directory as a distribution
group. If there is a new account of a new employee on
Active Directory, then Azure AD Connector will create the
user object in the cloud.
So, again, the export is happening in sequence. You
can configure another instance of the sync engine in
staging mode in another machine, and that does exactly
the same cycle that we just saw, but it does not execute
the export phase in the data sources. And this completes
the synchronization flow.
Corissa: Thanks, Ramiro.
I will wrap up with some recommendations. The specific
flow we covered is called Delta Sync. The cycle runs on a
schedule to capture changes on a regular basis. By default,
it executes every 30 minutes. There is also a full sync when
we need to read everything from the data source and not
just the changes. This needs to happen in specific cases,
for example, when the machine is configured for the very first
time, if there are new domains, new containers, or new
attributes that we need to read. We also still see customers
doing full syncs preemptively. And this is not necessary, so
please don’t do it.
As Ramiro said, this cycle is using SQL Server, so having a
high-performance infrastructure is critical for large directories
so that it can complete the cycle on time. The nature of the
sync cycle benefits from a fast disk and enough memory.
We also recommend that you have a failover strategy for
the sync engine. You can use staging mode to have a
hot standby machine that allows you to resume export
in case the production machine is down. For this, it is
critical to have consistent configuration across both machines.
Thank you for listening and we hope you tune in for more
videos in the Azure AD Architecture Series.
Ramiro: Thank you very much.
[MUSIC]
