Using Azure AD Connect to synchronize Active Directory Lightweight Directory Services (AD LDS) and other LDAPv3 directories to Azure Active Directory

Sander Berkouwer

2 weeks ago

An estimated 97% of all organizations with over 50 people use Active Directory Domain Services (AD DS) as their on-premises directory service. This, however, leaves a lot of organizations with other directories, that are largely LDAPv3-compatible.

How would these organizations embrace Azure Active Directory, as the world and Microsoft’s investments shift to cloud-based directory services? I decided to find out, with Active Directory Lightweight Directory Services (AD LDS) as a prime example of an LDAP v3-compatible directory in combination with Azure AD Connect.

Getting ready

Before you can configure Azure AD Connect with Active Directory Lightweight Directory Services (AD LDS) and other LDAPv3 directories, you’ll need to meet the following requirements:

Active Directory Lightweight Directory Services (AD LDS) or another LDAPv3 directory

You’ll need Active Directory Lightweight Directory Services (AD LDS) or another LDAPv3 directory installed and populated with the objects that you’d want to synchronize to Azure Active Directory.

The directory needs to support connections using secure sockets layer (SSL).

The directory needs to have a service account that is part of the LDAP tree and has sufficient permissions to enumerate the attributes for the objects in scope.

Windows Server

You’ll need to have a Windows Server installation ready to install Azure AD Connect on. The Windows Server installation, obviously, doesn’t need to be domain-joined.

The Windows Server installation needs to trust the certificate that is used to secure the connections to the directory.

Azure AD Connect

You’ll ideally want to download the latest version of Azure AD Connect.

How to configure Azure AD Connect

Perform these steps to configure Azure AD Connect with Active Directory Lightweight Directory Services (AD LDS) and other LDAPv3 directories:

Copy AzureADConnect.msi to the Windows Server installation you intend to use for Azure AD Connect.
Double-click AzureADConnect.msi to install the product.
After initial installation, the Microsoft Azure Active Directory Connect wizard appears.
On the Welcome to Azure AD Connect page, click on te x in the right top corner of the screen to close the wizard.
Open a Command Prompt window (cmd.exe) with local administrator privileges and run the following commands:

cd "C:\Program Files\Microsoft Azure Active Directory Connect"

AzureADConnect.exe /EnableLDAP

The Microsoft Azure Active Directory Connect wizard appears again.
On the Welcome to Azure AD Connect page, select the I agree to the license terms and privacy notice.
Click Continue.
On the Express Settings page, the Use express settings button is disabled:

Click Customize.
On the Install required components page, make the appropriate changes for the Azure AD Connect installation, by selecting any of the available options.
- Specify a custom installation location
- Use an existing SQL Server
- User an existing service account
- Specify custom sync groups
- Import synchronization settings (Preview)

Note:
By selecting none of the available options, you would install Azure AD Connect in C:\Program Files, install and use SQL Server Express, use a virtual service account (VSA) and create the default four ADSync* groups.

Click Install.
On the User sign-in page, the Do not configure option is the only option available:

Click Next.

Note:
To allow users to sign-in using single sign-on, deploy a federation solution. Then, federate the userPrincipalName suffix using the Convert-MsolDomaintoFederated Windows PowerShell cmdlet or with the manual steps described here.

On the Connect to Azure AD page, enter your Azure AD global administrator credentials. Click Next. Perform multi-factor authentication and/or privileged identity management, when prompted.
On the Connect your directories page, enter the hostname for the Active Directory Lightweight Directory Services (AD LDS) instance, or other LDAPv3 directory, followed by the LDAP port (the default TCP port for secure LDAP is 636).
Click the Add Directory button.
The LDAP Directory information pop-up window appears:

Enter the information to connect to the LDAP directory.
Click OK.
The CONFIGURED DIRECTORIES list on the Connect your directories page will now list your Active Directory Lightweight Directory Services (AD LDS) or your LDAPv3-compatible directory.
Click Next.
On the Domain and OU filtering page, select the containers you want to include in the synchronization scope for Azure AD Connect, or select the Sync all domains and OUs option, to synchronize all objects in all containers.
On the Uniquely identifying your users page, accept the Users are represented only once across all directories. option and the mS-DS-ConsistencyGUID attribute as the source anchor.
Click Next.
On the Optional features page, the only available option is the Azure AD app and attribute filtering option:

Select this option and configure the accompanying settings if you’d want to limit attributes for the objects in scope for Azure AD Connect.
Click Next.
On the Ready to configure page, click Install.

On the Configuration complete page, click Exit.

Concluding

Organizations with other directories than Active Directory Domain Services (AD DS), that are LDAPv3-compatible, can embrace Hybrid Identity with Azure Active Directory.

Even without Active Directory, they can benefit from Microsoft’s investments shift to cloud-based directory services.