Microsoft Advises Shops Move Away from Older Active Directory Sync Tools

Microsoft said that IT pros have a year to move to the company's newer Azure Active Directory Connect tool.

Today, Microsoft announced a "deprecation schedule" for Windows Active Directory Sync (DirSync) and Azure Active Directory Synchronization Services (Azure AD Sync). The announcement appeared to be somewhat retroactive, though.

Microsoft will no longer develop those products after April 13, 2016. It won't support them after April 13, 2017, per the announcement.

Dead Products
In the recent past, Microsoft had said that DirSync and Azure AD Sync would be deprecated, but it hadn't specified an exact date. The "deprecated" term means that the products continue to work, but Microsoft stops developing them. It's Microsoft's way of signaling a dead product.

Monty Python's "Dead Parrot" comedy sketch perhaps provides an apt metaphor for what this actually means for IT pros.

Going forward, Azure AD Connect is Microsoft's favored sync tool. It has the most capabilities of all of Microsoft's synchronization tools so far, according to Microsoft's recently updated Azure article, "Hybrid identity directory integration tools comparison," linked here (Microsoft tends to move this document around, so search for the title if the link fails). Even Microsoft Identity Manager 2016 currently lacks some capabilities that are enabled by the free Azure AD Connect tool.

Azure AD Connect is a wizard-like tool aimed at simplifying directory synchronization tasks. It used to be that only some sync tasks could be performed by using the older tools, but Microsoft seems to have quietly removed those restrictions.

Migration Options
IT pros using the two older tools have two options to move to Azure AD Connect, according to this Azure article. They can perform an in-place upgrade to Azure AD Connect under certain circumstances. Alternatively, they can perform a parallel deployment (also known as a "swing migration"), which involves using a new server running Azure AD Connect.

Microsoft also has a tool known as the Azure AD Connector for Forefront Identity Manager and Microsoft Identity Manager. Microsoft's article linked above indicates that this tool is at "feature freeze." It's not formally deprecated, Microsoft claims, but "no new functionality is added and it receives no bug fixes," which sounds very much like a deprecated product. In other words, it has ceased to be. Microsoft wants you off it.

DirSync users and users of the Azure AD Connector for Forefront Identity Manager (FIM) won't have the option to perform an in-place upgrade to Azure AD Connect, according to this Azure article:

An in-place upgrade will work for moving from Azure AD Sync or Azure AD Connect. It will not work for DirSync or for a solution with FIM + Azure AD Connector.

Moreover, Microsoft only recommends an in-place upgrade when organizations have "less than about 100,000 objects" on a single server. The reason for that restriction is the time the upgrade takes with a large number of objects. With more than 50,000 objects, it will take "more than 3 hours to do the upgrade," Microsoft explained, in this Azure article.

Consequently, some organizations will need to go through the swing migration process to move to Azure AD Connect. The swing migration process involves using two servers to perform the upgrade.

Despite all of the complexity involved in the retooling with Azure AD Connect, Microsoft has claimed that IT pros prefer using Microsoft's free tools over third-party software tools to sync up with Azure AD. Earlier this month, Microsoft indicated that it had 100,000 customers syncing their on-premises directories with Azure AD. Alex Simons, director of program management for the Microsoft Identity Division, said that the tool usage breakdown was as follows:

45k are using Azure AD Connect, 46K are using DirSync, 7.5K are using Azure AD Sync and just over 500 are using Microsoft Identity Manager or FIM. The remaining 1% are using other solutions.

Back in January, Simons had described the use of Azure AD sync tools in terms of percentages. He said at that time that Azure AD Connect was used by 17 percent of tenants. In contrast, DirSync was used by 50 percent, while Azure AD Sync had a 9 percent use rate. Based on those figures, it seems that Azure AD Connect's popularity has rapidly grown in just a few months' time. It's the preferred tool for multiple forest environments, which the older tools can't handle.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
