On Monday, Microsoft released a new version of the Windows Azure Active Directory (WAAD) Directory Sync (DirSync) Tool that can now be installed on a domain controller: http://social.technet.microsoft.com/wiki/contents/articles/18429.windows-azure-active-directory-sync-tool-version-release-history.aspx This has been asked for probably ever since the first version of the Office 365 DirSync tool was released. For the majority of organizations moving to Office 365 and wanting identity integration with on-premises Active Directory, a key benefit of the cloud is reducing the on-premises server footprint, so it made little sense to keep a server other than a DC around just to run the DirSync Tool. The reason DirSync could not run on a DC was straightforward: DirSync is basically a free version of Microsoft Forefront Identity Management (FIM) Server, FIM itself could not be run on a DC, and DirSync inherited that requirement.

Installing the latest version of DirSync on a DC requires one additional step. Install per the instructions here, http://social.technet.microsoft.com/wiki/contents/articles/19098.howto-install-the-windows-azure-active-directory-sync-tool-now-with-pictures.aspx with a change at Step 6: deselect “Start Configuration Wizard” on the install Finished screen, exit the install wizard, log off, log back on to the DC, and then continue with the Configuration Wizard. The steps for installing on a DC can be found here: http://social.technet.microsoft.com/wiki/contents/articles/17370.best-practices-for-deploying-and-managing-the-windows-azure-active-directory-sync-tool.aspx#A11

As noted in the first link of this post, several other improvements were made to the latest version of DirSync:

  • Fix to address Sync Engine memory leak
  • Fix to address “staging-error” during full import from Azure Active Directory
  • Fix to handle Read-Only Domain Controllers in Password Sync

What is not totally clear is whether running DirSync on a DC in a production environment is a fully supported configuration. In the post about Best Practices for Deploying and Managing WAAD DirSync, a note about DC deployment states:

We’ve heard your requests and are excited to announce that the Active Directory Sync tool (version 6553.0002 and newer) can be installed on an Active Directory Domain Controller!
Customers that want to deploy the Directory Sync tool on a Domain Controller for development purposes can now do so instead of deploying on a separate machine.

What is a bit unclear to me is exactly what is meant by “development purposes”. I have several inquiries in to Microsoft to find out what this means and whether running DirSync on a DC is a fully supported configuration. As soon as I find an answer I will let you know.