Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem


Office 365: MS Directory Synchronization Tool Comparison


Over time, the number of free tools provided by Microsoft for synchronizing on-premises AD with Azure AD (and, in some cases, writing back the other way) has grown to three, not counting the Azure Active Directory Connector for FIM 2010 R2:

  • Directory Sync aka DirSync
  • Azure AD Sync aka AADSync
  • Azure AD Connect aka AADConnect

While the first is apparently slated for retirement and the other two are expected to merge eventually, it is still worth having a clear view of their capabilities and constraints before choosing the right one for each implementation.

I will later publish the upgrade paths from DirSync to AADConnect.

Tool Comparison

The table below is an attempt to compare them as comprehensively as possible. Please note that 95% of the credit for this comparison goes to French Directory Services MVP Maxime Rastello. Here is his original French article: DirSync vs Azure AD Sync vs Azure AD Connect : lequel choisir ? (DirSync vs Azure AD Sync vs Azure AD Connect: which one to choose?)

Note: I will try to keep this table as up to date as possible at the following location: Office 365: MS Directory Synchronization Tool Comparison.

Feature                          | Directory Sync (DirSync)                                                                                              | Azure AD Sync (AADSync)                                                                                               | Azure AD Connect (AADConnect)
---------------------------------|-----------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------
Latest version (download)        | 1.0.7020.0000                                                                                                         |                                                                                                                       | Public Preview 2
Version history                  | TechNet Wiki article                                                                                                  | MSDN article                                                                                                          | Not currently officially available
Multi-domain sync                | Yes                                                                                                                   | Yes                                                                                                                   | Yes
Multi-forest sync                | No                                                                                                                    | Yes                                                                                                                   | Yes
Filtering by OU                  | Yes                                                                                                                   | Yes                                                                                                                   | Yes
Filtering by attributes          | Yes                                                                                                                   | Yes                                                                                                                   | Yes
Customizable attribute set       | Yes, but not supported                                                                                                | Yes                                                                                                                   | Yes
Customizable sync rules          | Yes                                                                                                                   | Yes                                                                                                                   | Yes

Sync on-premises to cloud        |                                                                                                                       |                                                                                                                       |
  Users                          | Yes                                                                                                                   | Yes                                                                                                                   | Yes
  Contacts                       | Yes                                                                                                                   | Yes                                                                                                                   | Yes
  Security groups                | Yes                                                                                                                   | Yes                                                                                                                   | Yes
  Distribution groups            | Yes                                                                                                                   | Yes                                                                                                                   | Yes
  Passwords                      | Yes                                                                                                                   | Yes                                                                                                                   | Yes
  Extended attributes            | No                                                                                                                    | No                                                                                                                    | Yes (requires Azure AD Premium)
  Devices                        | No                                                                                                                    | No                                                                                                                    | Yes (requires Azure AD Premium)

Sync cloud to on-premises        |                                                                                                                       |                                                                                                                       |
  Users                          | No                                                                                                                    | No                                                                                                                    | Yes (requires Azure AD Premium)
  Contacts                       | No                                                                                                                    | No                                                                                                                    | Future release
  Security groups                | No                                                                                                                    | No                                                                                                                    | Future release
  Distribution groups            | No                                                                                                                    | No                                                                                                                    | Future release
  Passwords (write-back)         | No                                                                                                                    | Yes (requires Azure AD Premium)                                                                                       | Yes (requires Azure AD Premium)
  Office 365 Groups              | No                                                                                                                    | No                                                                                                                    | Yes (requires Azure AD Premium)
  Devices                        | No                                                                                                                    | No                                                                                                                    | Yes (requires Azure AD Premium)

Office 365 UPN selection         | Yes, but not supported                                                                                                | Yes                                                                                                                   | Yes
Hybrid Exchange migration        | Yes, but single-forest only                                                                                           | Yes, but single-forest only                                                                                           | Yes
3rd-party LDAP server support    | No                                                                                                                    | No                                                                                                                    | Future release
Assistance with AD FS set-up     | No                                                                                                                    | No                                                                                                                    | Yes
PowerShell cmdlets               | Yes                                                                                                                   | Yes                                                                                                                   | Yes
Staging mode                     | No                                                                                                                    | No                                                                                                                    | Yes
Hosting server OS                | Windows Server 2008 64-bit SP1 or later; 2008 R2 SP1 or later; 2012; 2012 R2                                          | Windows Server 2008 64-bit SP1 or later; 2008 R2 SP1 or later; 2012; 2012 R2                                          | Windows Server 2008 R2 SP1 or later; 2012; 2012 R2
Hosting server .NET Framework    | 3.5 SP1                                                                                                               | 4.5.1                                                                                                                 | 4.5.1
Hosting server domain membership | Member server or domain controller (same forest)                                                                      | Member server or domain controller                                                                                    | Member server or domain controller (same forest)
AD functional level              | Windows Server 2003 or higher                                                                                         | Windows Server 2003 or higher                                                                                         | Windows Server 2003 or higher
Domain controller OS             | Windows Server 2003 SP1; 2008 64-bit SP1 or later; 2008 R2 SP1 or later; 2012; 2012 R2                                | Windows Server 2003 SP1; 2008 64-bit SP1 or later; 2008 R2 SP1 or later; 2012; 2012 R2                                | Windows Server 2008 R2 SP1 or later; 2012; 2012 R2

Note: the SSO with AD FS option requires Windows Server 2012 or higher.

Additional Information


Revisiting the Microsoft Online immutable ID design decision

Hybrid Identity

Some time back I posted about Azure Active Directory synchronisation using Forefront Identity Manager (FIM) 2010 R2 and the Azure AD Connector. My focus was multi-forest deployments, but as we know this topology was required for several advanced scenarios too. Microsoft have since shipped Azure AD Synchronization Services (AADSync), soon to be rebranded Azure AD Connect (AAD Connect), which negates the need for FIM for most deployments and further solidifies the mentality that the Azure AD identity bridge should be separate from the enterprise identity management solution.

Having deployed quite a few FIM and AAD Connector topologies for large enterprise customers, and having been involved in planning and design, implementation and deployment, and post-go-live support and transfer to operations, I have learned, the hard way, that the immutable ID design artefact is a massive consideration, too often overlooked and not understood. I talked about this in my post


Add or Modify SharePoint 2013 Search Topology using a PowerShell built User Interface

Karine Bosch's Blog

In SharePoint 2013, there is no real user interface to modify the search topology. Well, there is, but you can only use it for a single-server farm. If you have more servers in your SharePoint farm, you have to do this through PowerShell.

One of my South African Premier Field Engineer colleagues, Scott Stewart, developed a tool on top of PowerShell with a UI to create or modify a search topology.

Read more about it here: "Add or Modify SharePoint 2013 Search Topology using a PowerShell built User Interface"

A few screenshots to get you curious 🙂

[Screenshot: Search topology tool]

[Screenshot: Search topology]

It looks like a very promising tool! Have fun with it!


Create a Real-Time IT Dashboard with PowerBIPS

Simply brilliant!

Rui Romano Blog - A place to share my thoughts

Last week we published on GitHub a PowerShell module for the new Power BI developer REST APIs, named "PowerBIPS"; download it here:

In this post I will demonstrate the ease of use of this module and show you step by step how to build a PowerShell script that uploads server stats to Power BI, allowing users to build a real-time IT dashboard like this:


The script is divided into the following steps (full script):

  1. Import the PowerBIPS module
  2. Get the Authentication Token
  3. Create a PowerBI DataSet
  4. Upload data to PowerBI

Import the PowerBIPS module

The script starts by importing the powershell module:

# The module must be installed under %USERPROFILE%\Documents\WindowsPowerShell\Modules
# so that Import-Module can find it by name
Import-Module PowerBIPS -Force

Or by pointing directly to the .psm1 file:

Import-Module <path to module>\PowerBIPS.psm1 -Force

After this all the PowerBIPS cmdlets are available for use in the PowerShell console.

Get the Authentication Token

Next we need to get the…


Exchange: Network Ports and Flows References

Having recently dealt with MS Exchange vs. firewall and flow issues, I thought it might be useful to post a summary of links on the network ports and flows used by Exchange and its various clients. Bottom line: Exchange and firewalls ain't no good friends, but you already knew that, didn't you?

Clients and Mailflows

Unified Messaging

Hybrid Deployments

Other Resources


SharePoint: Perspectives on Apps (From other Blogs)

It took quite a while for the dust thrown in the air after SharePoint 2013 App model introduction to fall back on the ground.

Now it seems clear that apps will never replace the so-called "deprecated" (always use that word cautiously) development models.

You will find below a series of worth-reading, well-argued blog posts discussing this still-hot topic.

Happy reading and coding!


SharePoint: MS15-022 (Critical) Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3038999)

Once again, SharePoint Server 2007, 2010 and 2013 are affected by a vulnerability rated Critical by Microsoft that can allow remote code execution. The matching Office suite versions are affected as well.

More information:

Important: SharePoint Server 2013 installations already updated with the March Public Update (PU) or Service Pack 1 can receive this security update through Windows Update.


OneDrive: Major REST API Evolution

Microsoft has recently updated the REST API available for OneDrive by adding or improving the following features:

The starting point for everything related to the OneDrive API:

And yes, you can (still) interact with OneDrive from PowerShell too:


SharePoint 2013: February 2015 Cumulative Update released

The February 2015 CU for SharePoint 2013 (aka build number 15.0.4693.1001) has just been released. Download links:

KB Articles:

Besides SharePoint, the Office OneDrive client gets updated as well, with fixes for long paths and large lists:

All Office-related February updates: Office Updates Blog [MSFT]: February 2015 Office Update Release
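A CU is only fully applied once the binaries are on every server and the Products Configuration Wizard (psconfig) has brought the farm and its content databases forward, so checking a single build number is not enough. The script below is an added example, not part of the original post: it compares the farm build to the February 2015 CU number quoted above (15.0.4693.1001) and then lists the servers and content databases that still report NeedsUpgrade. It assumes it runs in the SharePoint 2013 Management Shell on a farm server with farm-administrator rights; the function name Test-SPFarmPatchLevel is mine, not a SharePoint cmdlet.

```powershell
# Added example (not from the original post). Assumes the SharePoint 2013 Management
# Shell on a farm server with farm-administrator rights. The expected build is the
# February 2015 CU number quoted in the post; Test-SPFarmPatchLevel is a local helper,
# not a SharePoint cmdlet.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$ExpectedBuild = [version]'15.0.4693.1001'   # February 2015 CU for SharePoint 2013

function Test-SPFarmPatchLevel {
    param([version] $Expected)

    $farm = Get-SPFarm
    $result = [ordered]@{
        FarmBuild               = $farm.BuildVersion
        FarmIsAtExpected        = ($farm.BuildVersion -ge $Expected)
        ServersNeedingUpgrade   = @()
        DatabasesNeedingUpgrade = @()
    }

    # BuildVersion only moves once psconfig has run, so a lower value can mean either
    # "CU not installed" or "binaries installed but psconfig pending". The per-server
    # NeedsUpgrade flag separates the two cases. Role 'Invalid' is the SQL/non-SP server.
    foreach ($server in Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }) {
        if ($server.NeedsUpgrade) { $result.ServersNeedingUpgrade += $server.Name }
    }

    # Content databases carry their own schema version and keep reporting NeedsUpgrade
    # until psconfig (or Upgrade-SPContentDatabase) has touched them.
    foreach ($db in Get-SPContentDatabase) {
        if ($db.NeedsUpgrade) { $result.DatabasesNeedingUpgrade += $db.Name }
    }

    return [pscustomobject]$result
}

$status = Test-SPFarmPatchLevel -Expected $ExpectedBuild
$status | Format-List

if (-not $status.FarmIsAtExpected) {
    if ($status.ServersNeedingUpgrade.Count -gt 0) {
        Write-Warning ("CU binaries appear installed but psconfig is still pending on: {0}" -f ($status.ServersNeedingUpgrade -join ', '))
    } else {
        Write-Warning "Farm build $($status.FarmBuild) is below $ExpectedBuild; the February 2015 CU does not seem to be installed."
    }
}
```

Run it after installing the CU on every server and again after psconfig; the second run should show FarmIsAtExpected = True and both lists empty. This is also the check to make before trusting that a security update such as MS15-022 has actually reached a farm.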


SharePoint: SNI vs. Windows WebDAV Client


SNI stands for Server Name Indication, a TLS extension (RFC 6066) whose server-side support arrived in Windows with Windows Server 2012/IIS 8. Its purpose is to allow multiple SSL certificates on the same web server IP address and port. In a certain sense, you could say it is to HTTPS what the host header is to HTTP. As with the host header, the feature must be implemented on both the client and the server side, because it relies on additional information, the requested host name, that the client sends in its ClientHello as part of the TLS handshake. As a consequence, older browsers (and older client applications in general) are not compatible.

The Problem

Now SharePoint comes into the picture. One key client feature is the Explorer View, which relies on the Windows WebDAV client (the WebClient service). Although Microsoft continuously updates its browser, the WebDAV client has not received an update adding SNI support. Therefore, if you configure SharePoint together with IIS to use HTTPS with SNI, browsing SharePoint from Windows Explorer will simply stop working, with an error such as "A device attached to the system is not functioning". The problem sadly occurs with Windows 8 as well, but is fixed from Windows 8.1 onwards.


There is currently no real solution and only a few workarounds:

  • On IIS: use a unique combination of web application, certificate and IP address and/or port. Every time a new web application is created in SharePoint, you will have to reconfigure it on each server in IIS so that it uses another IP address or another port.
  • On Windows/HTTP.sys: configure a fallback certificate, i.e. a plain IP:port SSL binding that HTTP.sys serves to clients that send no SNI host name. This blog post details the procedure: How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2
  • On a hardware load balancer: as on IIS, use a unique virtual IP address for each web application, each with its own certificate. On the SharePoint side, you can either use no certificate at all (SSL terminated on the load balancer) or a self-signed one.
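The HTTP.sys workaround is the one that keeps a single IP address and port, so it is worth seeing what it actually changes. The script below is an added example, not from the original post or from the linked procedure: it parses the output of netsh http show sslcert, reports the SNI (Hostname:port) bindings IIS created, and adds the IP:port fallback binding if none exists, which is what a non-SNI client such as the Windows WebDAV redirector will be matched against. Assumptions: it runs elevated on each web front end, $Thumbprint is the thumbprint of a certificate already in the LocalMachine\My store, and the application ID defaults to IIS's own GUID (any GUID is accepted by HTTP.sys; reusing IIS's keeps the binding inventory consistent).

```powershell
# Added example, not part of the original post or the linked procedure. Assumes the
# SharePoint web applications are bound with SNI on port 443, that $Thumbprint is a
# certificate already in LocalMachine\My, and that the script runs elevated on each
# IIS server. Get-HttpSysSslBindings is a local helper, not a built-in cmdlet.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $IpPort = '0.0.0.0:443',
    # IIS's application ID; HTTP.sys accepts any GUID, this one just keeps the inventory tidy
    [string] $AppId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
)

function Get-HttpSysSslBindings {
    # Turn "netsh http show sslcert" into one object per binding.
    # SNI bindings print as "Hostname:port", classic ones as "IP:port".
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Kind            = $Matches[1]
                Endpoint        = $Matches[2]
                CertificateHash = $null
            }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.CertificateHash = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$bindings = Get-HttpSysSslBindings
$sni      = @($bindings | Where-Object { $_.Kind -eq 'Hostname:port' })
$fallback = @($bindings | Where-Object { $_.Kind -eq 'IP:port' -and $_.Endpoint -eq $IpPort })

Write-Host "SNI bindings (served only to clients that send a host name):"
$sni | ForEach-Object { Write-Host ("  {0,-40} {1}" -f $_.Endpoint, $_.CertificateHash) }

if ($fallback.Count -gt 0) {
    Write-Host "Fallback binding already present on $IpPort (cert $($fallback[0].CertificateHash))"
} else {
    # A client without SNI (e.g. the Windows 7/8 WebDAV redirector) is matched against the
    # IP:port binding, so add one carrying the certificate it should be offered.
    netsh http add sslcert ipport=$IpPort certhash=$Thumbprint appid=$AppId
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed; check that $Thumbprint exists in LocalMachine\My and that you are elevated"
    }
    Write-Host "Added fallback binding on $IpPort with certificate $Thumbprint"
}
```

Note the security trade-off this implies: every non-SNI client on that address and port gets the fallback certificate, whatever host name it typed, so pick a certificate (for example a SAN or wildcard one) whose names cover all the SharePoint web applications that WebDAV users are expected to reach, or they will trade the "device not functioning" error for a certificate name mismatch.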

More Information