Azure AD Connect 1.1.524.0 brings a ton of new functionality to Hybrid Identity

Microsoft released a new version of its Azure AD Connect tool earlier this week (May 15) dubbed the May 2017 release.

This is the big release, a lot of us have been hoping for, because it brings a ton of new functionality. Personally, this release solves one of my ten biggest pains with Azure AD Connect in one fell swoop!

Also, since the last version, the accompanying text for the releases is more human readable. I provided feedback on the brevity of these texts a couple of times and it’s refreshing to see someone describing issues and functionality this clearly!

 

What’s New

Azure AD Connect sync

  • Sync Rule Changes
    The following sync rule changes have been implemented:

    • Updated the default sync rule set to not export attributes userCertificate and userSMIMECertificate if these attributes have more than 15 values.
    • AD attributes employeeID and msExchBypassModerationLink are now included in the default sync rule set.
    • AD attribute photo has been removed from the default sync rule set.
    • Added preferredDataLocation to the Metaverse schema and Azure AD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so.
    • Added userType to the Metaverse schema and AAD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so.
    • Azure AD Connect now automatically enables the use of the ConsistencyGuid attribute as the Source Anchor attribute for on-premises Active Directory objects
      Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it is empty.

Note:
This latter feature is applicable to new deployment only.

  • New PowerShell troubleshooting functionality
    New troubleshooting Windows PowerShell Cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash Synchronization related issues.
  • Support for synchronizing Public Folders
    Azure AD Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Azure AD. You can enable the feature using the Azure AD Connect wizard under Optional Features.
  • Automatic creation of Service Accounts with Custom Settings
    Azure AD Connect requires AD DS accounts to synchronize from on-premises AD.
    Previously, if you install Azure AD Connect using Express mode, you can provide the credential of an Enterprise Admin account in Azure AD Connect and leave it to Azure AD Connect to create the AD DS account required. However, for custom installations and adding forests to existing deployments, you must provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during custom installation and let Azure AD Connect create the AD DS account required.
  • Azure AD Connect now supports SQL Always On Availability (AOA).
    However, you must configure the SQL Server infrastructure before installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication.

Tip!
When setting up the Availability Group Listener, it is recommended that you set the RegisterAllProvidersIP property to 0. This is because Azure AD Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property.

  • New Database cleanup PowerShell functionality
    If you are using LocalDB as the database for your Azure AD Connect server (as with Express Settings) and it has reached its 10-GB size limit, the Synchronization Service would no longer start. Previously, you needed to perform a ShrinkDatabase operation on the LocalDB to reclaim enough database space for the Synchronization Service to start, after which, you could use the Synchronization Service Manager to delete run history to reclaim more database space.
    Now, you can use the Start-ADSyncPurgeRunHistory PowerShell Cmdlet to purge run history data from LocalDB to reclaim database space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) that can be used when the Synchronization Service is not running.

Note:
The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB.

  • Automatic compression of sync error details
    To reduce the amount of storage space required, Azure AD Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Azure AD Connect to this version, Azure AD Connect performs a one-time compression on existing sync error details.
  • Improved Full import triggering
    Previously, after updating OU filtering configuration, you must manually run Full import to ensure existing objects are properly included/excluded from directory synchronization. Now, Azure AD Connect automatically triggers Full import during the next sync cycle. Further, Full import is only be applied to the AD connectors affected by the update.

Note:
This improvement is applicable to OU filtering updates made using the Azure AD Connect wizard, only. It is not applicable to OU filtering updates made using the Synchronization Service Manager.

  • Group-based filtering support for computer objects
    Previously, Group-based filtering supported Users, Groups, and Contact objects only. Now, Group-based filtering also supports Computer objects.
  • Improved Connector Space data deletion logic
    Previously, you could delete Connector Space data without disabling the Azure AD Connect sync scheduler. Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform you about potential data loss if the Connector space data is deleted.
  • Partial PowerShell transcription requirement resolved
    Previously, you had to disable PowerShell transcription for the Azure AD Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using Azure AD Connect wizard to manage the synchronization configuration. You must disable PowerShell transcription if you are using the Azure AD Connect wizard to manage an AD FS configuration.

Fixes

Azure AD Connect sync

  • Improved Automatic Upgrade Logic
    Fixed an issue that causes Automatic Upgrade to occur on the Azure AD Connect server even if customer has disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrade periodically, but the downloaded installer honors the Automatic Upgrade configuration.
  • Improved DirSync Upgrade resiliency
    During DirSync in-place upgrade, Azure AD Connect creates an Azure AD service account to be used by the Azure AD connector for synchronizing with Azure AD. After the account is created, Azure AD Connect authenticates with Azure AD using the account. Sometimes, authentication fails because of transient issues, which in turn causes DirSync in-place upgrade to fail with error “An error has occurred executing Configure AAD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com directory.” To improve the resiliency of DirSync upgrade, Azure AD Connect now retries the authentication step.
  • Improved DirSync Upgrade logic
    There was an issue with version 1.1.443.0 that causes DirSync in-place upgrade to succeed but run profiles required for directory synchronization are not created. Healing logic is included in this build of Azure AD Connect. When you upgrade to version 1.1.524.0 or beyond, Azure AD Connect detects missing run profiles and creates them.
  • Improved DirSync Upgrade logic
    Fixed an issue that causes DirSync upgrade to fail with error “a deadlock occurred in sql server which trying to acquire an application lock” when the mailNickname attribute is found in the on-premises AD schema, but is not bounded to the AD User object class.
  • Improved Password Synchronization logic
    Fixed an issue that causes Password Synchronization process to fail to start with Event ID 6900 and error “An item with the same key has already been added”. This issue occurs if you update OU filtering configuration to include AD configuration partition. To fix this issue, Password Synchronization process now synchronizes password changes from AD domain partitions only. Non-domain partitions such as configuration partition are skipped.
  • Azure AD Connects on-premises Service account no longer has PASSWD_NOTRQ flag set
    During Express installation, Azure AD Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute and a random password is set on the account. Now, Azure AD Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account.
  • Improved Device Write-Back logic
    Fixed an issue that causes the Device Write-Back feature to automatically be disabled when an administrator is updating the Azure AD Connect synchronization configuration using the Azure AD Connect wizard. This issue is caused by the wizard performing pre-requisites checks for the existing Device Write-Back configuration in the on-premises Active Directory environment and the check fails. The fix is to skip the check if Device Write-Back was already enabled previously.
  • Improved OU Filtering logic
    To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service Manager. Previously, if you used the Azure AD Connect wizard to configure OU filtering, new OUs created afterwards were included for directory synchronization. If you do not want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using the Azure AD Connect wizard.
  • Improved Stored Procedure logic
    Fixed an issue that causes stored procedures required by Azure AD Connect to be created under the schema of the installing admin, instead of under the dbo schema.
  • Improved TrackingId resiliency
    Fixed an issue that causes the TrackingId attribute returned by Azure AD to be omitted in the Azure AD Connect Server Event Logs. The issue occurs if Azure AD Connect receives a redirection message from Azure AD and Azure AD Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting.
  • Improved large object logic
    When Azure AD Connect receives LargeObject error from Azure AD, Azure AD Connect generates an event with EventID 6941 and message “The provisioned object is too large. Trim the number of attribute values on this object.” At the same time, Azure AD Connect also generates a misleading event with EventID 6900 and message “Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service.” To minimize confusion, Azure AD Connect no longer generates the latter event when LargeObject error is received.
  • Improved Synchronization Service Manager responsiveness
    Fixed an issue that causes the Synchronization Service Manager to become unresponsive when trying to update the configuration for the Generic LDAP connector.

 

Important information on this release

There are schema and synchronization rule changes introduced in this build.
Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after you upgrade to this version. In some environments these steps may take several hours. During this timeframe other information is not synchronized.

 

Version information

This is version 1.1.524.0 of Azure AD Connect.
It was signed off on on May 15, 2017.

 

Download information

You can download Azure AD Connect here.
The download weighs 78,4 MB.

 

Concluding

To finally be able to use SQL Server Always-On Availability as the back-end database for Azure AD Connect implementations is a god send. Public Folder synchronization, as well as group filtering for device objects is also welcome, but not that important in the environments I manage.

With its many features, this is a good version to test your Azure AD Connect lifecycle management processes on.

Further reading

Ten things you should know about Azure AD Connect and Azure AD Sync
Azure AD Connect versions 1.1.484.0 and 1.1.486.0 offer great enhancements
Azure AD Connect v1.1.443.0 is here
Version 1.1.380.0 of Azure AD Connect fixes a bug in multi-domain scenarios
Azure AD Connect 1.1.371.0 offers PTA and S3O preview capabilities
Azure AD Connect version 1.1.343.0 with support for Windows and SQL Server 2016
Azure AD Connect version 1.1.281.0 has been released

7 Responses to Azure AD Connect 1.1.524.0 brings a ton of new functionality to Hybrid Identity

  1.  

    Can You elaborate on RegisterAllProvidersIP. Like where and how this should be set? Thanks for the article!

    • The RegisterAllPRovidersIP is a setting for the SQL Server Always On Availability Group Listener.
      It is explained in great detail on the Create or Configure an Availability Group Listener (SQL Server) page over at Microsoft Docs.

      If your Availability Group or Failover Cluster Instance has a listener name (known as the network name or Client Access Point in the WSFC Cluster Manager) depending on multiple IP addresses from different subnets, and you are using Azure AD Connect, potentially 50% of your client-connection requests to the availability group listener will hit a connection timeout. The recommended approach to solve this issue is to set the network name of your availability group listener to RegisterAllProvidersIP=0. (By default, it’s set to 1)

       
  2.  

    Hi Sander, thank you for the information! Setting this on a Listener that is also used for others applications (ex SharePoint) will potentially break something or not give HA to the other applications?

  3.  

    Hello. Can you tell me if v1.1.524.0 includes all prior updates? Thanks

    • Yes, every Azure AD Connect update is a cumulative update.

       
  4.  

    Hi, do you have a script or solution for setting write (back) access on the msds-ConsistencyGuid attribute for the AD Connect service account if using Custom installation ?

leave your comment