What You Need to Do Before Your DirSync Will Hit the Fan: A Fast Upgrade Guide!

DirSync, Azure AD Sync, Forefront Identity Manager and Azure AD Connect, so many ways to synchronize your identities to Microsoft Cloud Support identities’ repository. But only one will become utmost effective and supported. This actually just happened in April.

Wait! What?

Microsoft officially announced the end of support for DirSync & Azure AD Sync on April 13th, 2017. Azure AD Connect is becoming the tool that will officially support identity synchronization. It doesn’t mean that previous tools will stop working now, but their support ends. Therefore, it is highly advised and quite a prudent idea to migrate to Azure pretty fast. The final deadline for this will be the end of the year, 2017.

This implies that beyond the specified date, DirSync & Azure AD Sync will stop working. Similarly, Microsoft Forefront Identity Manager 2010 R2 with Service Pack 1 mainstream support will end on 10th of October 2017. However, its extended support will end later, thought to be on the 11th of October 2022.

Farewell (other) sync tools!

A farewell schedule calendar happened and will happen as follows;

  • On April 13th, 2016, Windows Azure Active Directory Sync (“DirSync”) and Microsoft Azure Active Directory Sync (“Azure AD Sync”) were announced as deprecated.
  • On April 13th, 2017, Support Ends.
  • On December 31st, 2017, Azure AD will no longer accept communications from any other synchronization tools besides Azure AD Connect.

What exactly does “Support Ends” mean?

Support ending means that these tools will no longer be supported by Microsoft. Just to mention, briefly, imagine that in the case anything happens to your tool, you will be informed that such support case ticket cannot be opened from the Microsoft Cloud Support. Furthermore, Microsoft stops issuing patches, updates, and fixes. Quite stressful.

Microsoft cloud support

DirSync – end of the support

Why Azure AD Connect?

You may wonder or have lots of questions why Microsoft is phasing out such effective working tools. If you want my opinion, it’s time to focus! Azure AD Connect is like the result of the Darwin evolution in synchronization tools. To begin, they were a couple of them. Starting with DirSync which was built just as a solution on top of the existing product. It seemed daunting for Microsoft to have another tool mutated and grown to replace Azure AD Connect. This implies that it could be most probably the tool to be used in the future.

Azure AD Connect, to say, is completely rewritten. It provides not only synchronization but also with recently added functionalities including pass-through authentication. It has an identity bridge between your on-premises AD and Azure AD. Microsoft puts a lot of efforts for the latest versions to significantly increase the usability of the tool, integrate many features and technologies.

Some of the features include auto upgrade or possibility to install Active Directory Federation Services farm (AD FS) directly from the Azure AD Connect Wizard. Oh, BTW – AD FS can now be replaced in some scenarios by one of the Azure AD Connect features called Azure AD Pass-through. Haven’t heard? Ask us at Predica!

Azure AD Connect is your bridge between on-premises AD and your Azure AD. This allows synchronization of identities and much more!  Simply placed in organization structure can bring many benefits:

Microsoft cloud support

Azure AD Connect

The Benefits

What will you gain? Among others include:

  • Password synchronization and writeback – with this, you can take advantage of cloud-based password reset
  • Device writeback – this may not be an immediate benefit for everyone. However, you will really like it in the future as Mobile Device Management becomes a part of IT culture and a requirement of business. With Device writeback, you can have your devices registered in Azure (i.e. using Microsoft Intune) and use them as a conditional access in AD FS.
  • Prevent accidental deletes – this tech will be watching your operations right now and stop if there is some suspicious activity in a sync.
  • Automatic upgrade – from now on the tool will update itself, no need to remember about it! Awesome, isn’t it?
  • Azure AD Pass-through – alternative scenario to AD FS deployment, which is only possible with Azure AD Connect (not working with DirSync or Azure AD Sync)
  •  !! NEW!! Using group Managed service account – this facilitates an easy way to pass security audits.

How to act?

With such a critical software, formerly acting as a bridge between on-premises and Azure worlds becomes deprecated, one can easily see the potential threats. This could result in service disruptions, no help whenever required and even possibility of data breach or loss among other viable threats. Therefore, what are the remedies available?

Step #1 CHECK

Verify which tool you are using and whether it had any modifications in the synchronization process or not.

To check if you have DirSync installed run following PowerShell cmdlet, use:

(GP “hklm:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync”).DisplayVersion.

Another, one of the easiest ways to verify which tool has been installed is to use “Uninstall a program” from your control panel to look through the list of installed software. Of course, take caution not to actually uninstall it, just check the version.

Please note: Even if you have Azure AD Connect below 1.1.x, you should plan your migration to the latest version.

It is important to mention that starting with version 1.1.x can provide one very crucial feature which is an automatic upgrade, many improvements, and fixes.

A complete list of version changes can be found here: Azure Connect history.

Step #2 PLAN

There are several things that you should consider. Highlighted below are some of the key factors.

  • What options to configure – should your Device Writeback be configured? Or maybe password synchronization? Why? Why not?
  • What attributes to synchronize – different Microsoft Azure services require a different set of attributes to be synchronized. Do you need them all or maybe you can filter them out?
  • How to plan for failover – in case one of your Azure AD Connect servers fail, you may need it for sure.
  • You can customize your rules right now – maybe you were limited by the previous tool, but now you can do this!
  • Do you have multiple forests or single Azure AD tenant? Now it’s a non-problem! Plan your multi-tenancy identities synchronization.
  • Disaster recovery, operations, and backup procedures – every solution should be well documented. This is terms of up to date architecture, operations and in case needed – deployment guides. All for future references and easiness in maintaining the solution.

Step #3 DO!

If you need help with all of it, we have done it so many times, here at Predica. So to say, it is like a standard heart surgery. But as in the surgery, even if it is standard procedure, it is better to be at least consulted with someone skilled.

So how does the whole process look like in Predica?

  • First, when we get the request, we set up a quick assessment call with the technical expert. During the call, we make sure what is the current setup of the environment, the scope, the potential impact, which tool is to be deployed and what extra configuration had been applied. If the customer has an up to date architecture documentation, that’s even better. Although in that case we also want to make a quick double check if it reflects the current deployment status.
  • Then (in most cases offline) we share all the prerequisites and requirements that are needed to perform the upgrade before scheduling the upgrade session.
  • During the upgrade session, we think about what’s critical for our customers – the backup, disaster recovery and we plan and perform them before the upgrade.
  • After the upgrade, we test and quickly verify if it has been successful and whether there are no unexpected issues.
  • At the last stage, which is optional, we work offline to prepare the updated architecture, backup, and recovery, operations documents (or we create those if not already in place)


To many people, this not only comes as a surprise but a daunting activity to undertake. However, with the support from us at Predica, consider your problems sorted. All you need to do is make the call!

Do you want to get more information about trends in Security and Identity area? Then register for the Upcoming Free Webinar this Wednesday!


There are several tools you can use to manage your cloud identity sync. However, only Azure AD Connect will remain supported for the foreseeable future. To avoid service interruptions, verify which solution you are currently using and upgrade it if necessary. Don’t hesitate to ask us for help!


See also

SharePoint Is Dead, Long Live SharePoint


Omada Enables Advanced Governance Control In Microsoft Azure


Crucial Questions To Ask Your Future SaaS Applications Provider


Get the latest!

Watch now!

Our experience.

What's new?