One of the big obstacles with Hybrid Identity in Microsoft Azure these days is synchronization and ensuring availability of the bridge between on-prem Active Directory and Azure AD. This area has evolved a lot over the last couple of years and has gained many new features and ways to authenticate. But one of the big obstacles that remains is Azure AD Connect high availability, and built-in redundancy for the different components.

From a high availability perspective, there is no built-in redundancy for the sync engine which leaves us only in an active/passive setup, using a staging server feature in Azure AD Connect. 

The staging mode will make the server active for import and synchronization, but it does not run any exports. A server in staging mode is not running password sync or password writeback, even if you selected these features during installation. So if you have Azure AD Connect with Password Hash Synchronization feature enabled, when you enable staging mode, the server stops synchronizing password changes from on-premises AD. 


It’s also possible to have more than one staging server when you want multiple backups in different datacenters for full redundancy. You are not required to have a backend SQL cluster to handle Azure AD Connect high availability, which makes it easier to place servers across multiple locations.

Monitoring and failover for Azure AD connect high availability 

An important step in monitoring Azure AD Connect is to set up Azure AD Connect Health, so that notifications go to the relevant service desk and email distribution lists in case of failure. It should be noted that using Azure AD Connect Health requires an Azure AD Premium license:
• The first Connect Health Agent requires at least one Azure AD Premium license.
• Each additional registered agent requires 25 additional Azure AD Premium licenses.


Having this feature enabled will give you insight and an email notification if the sync has stopped. Even with an active/passive Azure AD Connect setup, it will not automatically fail over if something happens to the active Azure AD Connect server.

Setting up staging mode on a separate server is a simple process. It is done using the Azure AD Connect Wizard, where in the last configuration pane you select “Enable Staging mode”.

Once the setup is complete you can see the following (Synchronization is currently disabled):

Now we can run some simulations and import the AD users to the metaverse.
This is done on the Azure AD Connect server.
The scheduler will by default run every 30 minutes. In some cases you might want to run a sync cycle in between the scheduled cycles, or you need to run a different type of cycle.
Make sure to run PowerShell as Administrator.
Once PowerShell is open, type `Import-Module ADSync` and hit enter. From that point you can choose the type of sync that you would like to run.

Delta sync cycle

A delta sync cycle includes the following steps:
• Delta import on all Connectors
• Delta sync on all Connectors
• Export on all Connectors

It could be that you have an urgent change which must be synchronized immediately which is why you need to manually run a cycle. If you need to manually run a cycle, then from PowerShell run Start-ADSyncSyncCycle -PolicyType Delta.

Full sync cycle

If you have made one of the following configuration changes, you need to run a full sync cycle (a.k.a. Initial):
• Added more objects or attributes to be imported from a source directory
• Made changes to the Synchronization rules
• Changed filtering so a different number of objects should be included

If you have made one of these changes, then you need to run a full sync cycle so the sync engine has the opportunity to reconsolidate the connector spaces. A full sync cycle includes the following steps:
• Full Import on all Connectors
• Full Sync on all Connectors
• Export on all Connectors
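The delta and full cycles described above are the same cmdlet call with a different policy type. The following is an added example, not a script from the original post: it wraps `Start-ADSyncSyncCycle` with the two checks an operator wants before an on-demand run, that this server is the active (non-staging) instance, since a staging server never exports, and that no connector run is already in progress. The function name `Invoke-AdSyncCycleChecked` is an assumption for the example; the cmdlets used (`Get-ADSyncScheduler`, `Get-ADSyncConnectorRunStatus`, `Start-ADSyncSyncCycle`) are part of the ADSync module.

```powershell
# Added example (not from the original post): run an on-demand Azure AD Connect
# sync cycle only after checking that this server is the active (non-staging)
# instance and that no connector run is already in progress.
# Run in an elevated PowerShell session on the Azure AD Connect server.
Import-Module ADSync

function Invoke-AdSyncCycleChecked {
    [CmdletBinding()]
    param(
        # 'Delta' for the normal in-between cycle, 'Initial' for a full cycle
        # after rule, filter or attribute changes.
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta'
    )

    $scheduler = Get-ADSyncScheduler

    # A staging-mode server imports and syncs but never exports, so an
    # on-demand cycle here would not push anything to Azure AD. Fail loudly
    # rather than give the impression the change went out.
    if ($scheduler.StagingModeEnabled) {
        throw "This server is in staging mode; run the cycle on the active server instead."
    }

    # Starting a cycle while one is running fails; let the current run finish.
    if (Get-ADSyncConnectorRunStatus) {
        Write-Warning "A connector run is already in progress; not starting a new cycle."
        return
    }

    Write-Verbose ("Starting {0} sync cycle (effective interval {1}, next scheduled run {2:u} UTC)" -f `
        $PolicyType, $scheduler.CurrentlyEffectiveSyncCycleInterval, $scheduler.NextSyncCycleStartTimeInUTC)
    Start-ADSyncSyncCycle -PolicyType $PolicyType
}

# Urgent change that must go out before the next scheduled cycle:
Invoke-AdSyncCycleChecked -PolicyType Delta -Verbose

# After editing synchronization rules, filtering or imported attributes:
# Invoke-AdSyncCycleChecked -PolicyType Initial -Verbose
```

`Get-ADSyncConnectorRunStatus` returns nothing when the engine is idle, so it works directly as a boolean; if it returns objects, one of them names the connector and run profile currently executing.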

In case of a failure, when you want to promote the staging server to primary you just rerun the Azure AD Connect Wizard and clear the “Enable Staging mode” option.


It is important that if the former primary comes back online, its sync service is stopped and the server is switched to staging mode, or else you will be running in a topology that is not supported by Microsoft.
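Because nothing fails over or fails back automatically, the state to watch for after a failover is two servers that are both active and exporting. The following is an added example, not from the original post: it queries the scheduler on each Azure AD Connect server over PowerShell Remoting, flags zero or more than one active server, and flags an active server whose next scheduled cycle is overdue. The server names are placeholders and the function names are assumptions for the example; `Set-ADSyncScheduler -SyncCycleEnabled $false` is a real ADSync cmdlet and is shown as a containment step for a returning former primary until it is switched back to staging mode with the wizard, as the post requires.

```powershell
# Added example (not from the original post): audit a pair of Azure AD Connect
# servers and flag the unsupported state where more than one is active
# (not in staging mode) with the sync scheduler enabled.
# Requires PowerShell Remoting and admin rights on both servers.
$servers = @('AADC01.corp.example', 'AADC02.corp.example')  # placeholder names

function Get-AadConnectRole {
    param([string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module ADSync
        $s = Get-ADSyncScheduler
        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            StagingMode      = $s.StagingModeEnabled
            SyncCycleEnabled = $s.SyncCycleEnabled
            Suspended        = $s.SchedulerSuspended
            NextCycleUtc     = $s.NextSyncCycleStartTimeInUTC
            Interval         = $s.CurrentlyEffectiveSyncCycleInterval
        }
    } | Select-Object Server, StagingMode, SyncCycleEnabled, Suspended, NextCycleUtc, Interval
}

function Test-AadConnectTopology {
    param([object[]]$Roles)

    # "Active" means it will export: not staging, scheduler on and not suspended.
    $active = @($Roles | Where-Object { -not $_.StagingMode -and $_.SyncCycleEnabled -and -not $_.Suspended })

    switch ($active.Count) {
        0 { Write-Warning "No active Azure AD Connect server: nothing is exporting to Azure AD. Promote the staging server with the wizard." }
        1 { Write-Host ("Active server: {0}" -f $active[0].Server) }
        default {
            Write-Warning ("Unsupported topology: {0} servers are active and exporting ({1})." -f `
                $active.Count, ($active.Server -join ', '))
        }
    }

    # A scheduled cycle overdue by more than one interval means the scheduler
    # or the service is wedged; this is the condition Connect Health alerts on.
    foreach ($r in $Roles) {
        if (-not $r.StagingMode -and $r.NextCycleUtc -lt (Get-Date).ToUniversalTime().Subtract($r.Interval)) {
            Write-Warning ("{0}: next sync cycle was due at {1:u} UTC and has not started." -f $r.Server, $r.NextCycleUtc)
        }
    }
    return $active
}

$roles = Get-AadConnectRole -ComputerName $servers
$roles | Format-Table -AutoSize
$active = Test-AadConnectTopology -Roles $roles

# Containment after a failover: on a former primary that came back online while
# the staging server is now active, stop its scheduler until it has been
# switched back to staging mode with the wizard.
# Invoke-Command -ComputerName 'AADC01.corp.example' -ScriptBlock {
#     Import-Module ADSync; Set-ADSyncScheduler -SyncCycleEnabled $false
# }
```

Run the audit from a management host after every failover and on a schedule; the overdue-cycle check gives you a local signal even where Azure AD Connect Health is not licensed.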

I really hope that in the future Microsoft will improve Azure AD Connect high availability by adding an availability group, or a group of sync engines like we have with the pass-through authentication agents. With pass-through authentication, Azure AD Connect is becoming a more crucial part of the hybrid identity infrastructure, but it is still missing an important aspect that ADFS had, which is high availability.
