DirSync Vs Azure Active Directory Synchronization Service (AAD Sync)
I thought, I was in too hurry to post my last blog on “Install and configure AAD Sync for Office 365“. Before I have published this blog, I should have mentioned about the DirSync and AAD sync. Because as of now I am getting few question regarding the difference between DirSync and AAD Sync. Anyway, let’s on this blog I will be describing about the DirSync and Azure Active Directory Synchronization Service (AAD Sync).
Azure Active Directory (AD) Connect (formerly known as the Directory Synchronization tool, Directory Sync tool, or the DirSync.exe tool) is a server-based application that you install on a domain-joined server to synchronize you’re on-premises Windows Server Active Directory users to the Azure Active Directory tenant of your Office 365 subscription. You can install Azure AD Connect on an on-premises server, but you can also install it on a virtual machine in Azure for the following reasons:
- You can provision and configure cloud-based servers faster, making the services available to your users sooner.
- Azure offers better site availability with less effort.
- You can reduce the number of on-premises servers in your organization.
So as on my earlier blog, we can have DirSync or AAD Sync on the server as of DC or we can have separate one. But, if I am going to install AAD Sync then what should be my specs of the machine. So, there I have made a chart that could help to understand the resource required for the AAD Sync.
| Number of Objects in Active Directory | CPU | Memory | Hard drive Size |
| Fewer than 10,000 | 1.6 GHz | 4 GB | 70 GB |
| 10,000-50,000 | 1.6 GHz | 4 GB | 70 GB |
| 50,000-100,000 Requires full SQL Server |
1.6 GHz | 16 GB | 100 GB |
| 100,000-300,000 Requires full SQL Server |
1.6 GHz | 32 GB | 300 GB |
| 300,000-600,000 Requires full SQL Server |
1.6 GHz | 32 GB | 450 GB |
| More than 600,000 Requires full SQL Server |
1.6 GHz | 32 GB | 500 GB |
But if you do have more than 300,000 objects on your environment, you need to contact Microsoft to enable replication of this objects. Now, let’s see what are the difference between DirSync and AAD Sync
Use the following key for each of the tables
● = Available Now
FR = Future Release
PP = Public Preview
On-Premises to Cloud Synchronization
| Feature |
Azure Active Directory Connect |
Azure Active Directory Synchronization Services (AAD Sync) |
Azure Active Directory Synchronization Tool (DirSync) |
Forefront Identity Manager 2010 R2 (FIM) |
Microsoft Identity Manager 2016 (MIM) |
| Connect to single on-premises AD forest |
● |
● |
● |
● |
● |
| Connect to multiple on-premises AD forests |
● |
● |
● |
● |
|
| Connect to multiple on-premises Exchange Orgs |
● |
||||
| Connect to single on-premises LDAP directory |
FR |
● |
● |
||
| Connect to multiple on-premises LDAP directories |
FR |
● |
● |
||
| Connect to on-premises AD and on-premises LDAP directories |
FR |
● |
● |
||
| Connect to custom systems (i.e. SQL, Oracle, MySQL, etc.) |
FR |
● |
● |
||
| Synchronize customer defined attributes (directory extensions) |
● |
||||
| Connect to on-premises HR (i.e., SAP, Oracle eBusiness,PeopleSoft) |
FR |
● |
● |
||
| Supports FIM synchronization rules and connectors for provisioning to on-premises systems. |
● |
● |
Cloud to On-Premises Synchronization
| Feature |
Azure Active Directory Connect |
Azure Active Directory Synchronization Services (AAD Sync) |
Azure Active Directory Synchronization Tool (DirSync) |
Forefront Identity Manager 2010 R2 (FIM) |
Microsoft Identity Manager 2016 (MIM) |
| Writeback of devices |
● |
● |
|||
| Attribute writeback (for Exchange hybrid deployment ) |
● |
● |
● |
● |
● |
| Writeback of users and groups objects |
● |
||||
| Writeback of passwords (from self-service password reset (SSPR) and password change) |
● |
● |
Authentication Feature Support
| Feature |
Azure Active Directory Connect |
Azure Active Directory Synchronization Services (AAD Sync) |
Azure Active Directory Synchronization Tool (DirSync) |
Forefront Identity Manager 2010 R2 (FIM) |
Microsoft Identity Manager 2016 (MIM) |
| Password Sync for single on-premises AD forest |
● |
● |
● |
||
| Password Sync for multiple on-premises AD forests |
● |
● |
|||
| Single Sign-on with Federation |
● |
● |
● |
● |
● |
| Writeback of passwords (from SSPR and password change) |
● |
● |
Set-up and Installation
| Feature |
Azure Active Directory Connect |
Azure Active Directory Synchronization Services (AAD Sync) |
Azure Active Directory Synchronization Tool (DirSync) |
Microsoft Identity Manager 2016 (MIM) |
| Supports installation on a Domain Controller |
● |
● |
● |
|
| Supports installation using SQL Express |
● |
● |
● |
|
| Easy upgrade from DirSync |
● |
|||
| Localization of Admin UX to Windows Server languages |
● |
● |
● |
|
| Localization of end user UX to Windows Server languages |
● |
|||
| Support for Windows Server 2008 and Windows Server 2008 R2 |
● for Sync, No for federation |
● |
● |
● |
| Support for Windows Server 2012 and Windows Server 2012 R2 |
● |
● |
● |
● |
Filtering and Configuration
| Feature |
Azure Active Directory Connect |
Azure Active Directory Synchronization Services (AAD Sync) |
Azure Active Directory Synchronization Tool (DirSync) |
Forefront Identity Manager 2010 R2 (FIM) |
Microsoft Identity Manager 2016 (MIM) |
| Filter on Domains and Organizational Units |
● |
● |
● |
● |
● |
| Filter on objects’ attribute values |
● |
● |
● |
● |
● |
| Allow minimal set of attributes to be synchronized (MinSync) |
● |
● |
|||
| Allow different service templates to be applied for attribute flows |
● |
● |
|||
| Allow removing attributes from flowing from AD to Azure AD |
● |
● |
|||
| Allow advanced customization for attribute flows |
● |
● |
● |
● |
Although Microsoft is deprecating the services DirSync and Azure AD Sync very soon, for detail will be blogging on my next blog.
Hope this blog was quite informative to you all…
[Solved]Adding Federation Domain… got Frozen for unexpectedly long time
![[Solved] Run any program with Elevated Privilege using Script (RUN AS).](/wp-content/themes/ribbon-lite/images/nothumb-related.png)
[Solved] Run any program with Elevated Privilege using Script (RUN AS).
Active Directory GPO Information Summary
About Author
pdhewjau
Prashant is a Principal Cybersecurity Specialist at Thakral One Nepal. His prior position as a Modern Work Security Specialist at Microsoft saw him providing invaluable guidance to major clients in Bangladesh, Brunei, Cambodia, and Myanmar, assisting them with their foundational security needs. Awarded the esteemed Microsoft Most Valuable Professional (MVP) accolade in 2017, Prashant is recognized globally among Microsoft peers. Since 2010, he has imparted his expertise as a Microsoft Certified Trainer (MCT), conducting specialized training across Nepal.