Information on AAD Connect - Scheduler and sourceAnchor attribute

  • Question

  • Hello Experts

I have two Azure AD Connect questions:

    AAD Connect schedule:

1. As per this link, the default sync schedule is 30 mins, but I am not clear on the frequency of Delta and Initial (full) sync. Every 30 mins, will it run a Delta sync or a full sync?
    2. During AAD Connect installation, it creates two accounts in on-premises AD: the AD DS Connector account, i.e. “ms-DS-ConsistencyGuid” as sourceAnchor, and the ADSync service account.
    • If the ADSync service account is used to run the synchronization service, then what is the primary use of the AD DS Connector account?
    • What information does the AD DS Connector account "write" to AD? For sync it only needs read permissions, so why does it require "Write permissions"?

    Thanks in advance


    Alex

    Saturday, December 1, 2018 11:26 PM

Answers

  • It's always Delta sync, unless you specifically run a Full one. The accounts/permissions are documented here: https://docs.microsoft.com/en-gb/azure/active-directory/hybrid/reference-connect-accounts-permissions
    Sunday, December 2, 2018 3:30 PM
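The reply above can be checked directly on the Connect server. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the `ADSync` module that ships with Azure AD Connect and an elevated session on the server. It reports the scheduler state, including which policy type (Delta or Initial) the next automatic cycle will use.

```powershell
# Added example (not from the thread): inspect the Azure AD Connect scheduler
# and confirm the next automatic cycle is a Delta run, as the reply states.
# Assumes the ADSync module installed with Azure AD Connect and an elevated
# PowerShell session on the Connect server.
Import-Module ADSync

$sched = Get-ADSyncScheduler

[pscustomobject]@{
    SyncCycleEnabled    = $sched.SyncCycleEnabled
    AllowedInterval     = $sched.AllowedSyncCycleInterval            # minimum the service permits (00:30:00)
    CustomizedInterval  = $sched.CustomizedSyncCycleInterval         # empty unless an admin set a longer one
    EffectiveInterval   = $sched.CurrentlyEffectiveSyncCycleInterval
    NextCyclePolicyType = $sched.NextSyncCyclePolicyType             # 'Delta' normally; 'Initial' = full sync queued
    NextCycleStartUtc   = $sched.NextSyncCycleStartTimeInUTC
    StagingModeEnabled  = $sched.StagingModeEnabled                  # staging servers import/sync but never export
} | Format-List

# Defender check: the scheduled cycle should be Delta. An 'Initial' here means a
# full import/sync was requested (typically after a rule or filter change) and
# will run on the next tick; that is worth knowing because a full run re-evaluates
# every object and can take much longer than the 30-minute window.
if ($sched.NextSyncCyclePolicyType -ne 'Delta') {
    Write-Warning "Next cycle is $($sched.NextSyncCyclePolicyType); a full sync is pending."
}

# Is a connector run in progress right now? (empty output = idle)
Get-ADSyncConnectorRunStatus

# Manual cycles, only when you actually need one:
#   Start-ADSyncSyncCycle -PolicyType Delta     # same as the scheduled run
#   Start-ADSyncSyncCycle -PolicyType Initial   # full import + full sync + export
```

The key field is `NextSyncCyclePolicyType`: the scheduler only ever queues `Delta` on its own, and `Initial` appears there only after someone (or the configuration wizard) requested a full run.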
  • Azure AD Connect uses 3 accounts in order to synchronize information from on-premises or Windows Server Active Directory to Azure Active Directory. These accounts are:

    AD DS Connector account: used to read/write information to Windows Server Active Directory

    ADSync service account: used to run the synchronization service and access the SQL database

    Azure AD Connector account: used to write information to Azure AD

Also, there are multiple features of AD Connect in which the AD DS Connector account writes back into AD.

    Example: Group writeback, Password writeback, device writeback etc. So it will need write permissions as well.

    All this is documented in detail in this article.

    Monday, December 3, 2018 6:08 AM
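To see what the AD DS Connector account is actually allowed to write, rather than reading it off the documentation, the following PowerShell is an added example (not from the thread, not Microsoft's own tooling). It assumes the RSAT `ActiveDirectory` module, read access to the schema and the domain ACL, and that you substitute your own connector account name for the `CONTOSO\MSOL_a1b2c3d4` placeholder. It enumerates every ACE on the domain root granted to that account and resolves the attribute and extended-right GUIDs to names, so each write permission can be matched to the feature (password writeback, group writeback, etc.) that needs it.

```powershell
# Added example (not from the thread): audit the ACEs granted to the AD DS
# Connector account on the domain root, with GUIDs resolved to names.
# Assumes the RSAT ActiveDirectory module. The account name below is a
# placeholder; on the Connect server, Get-ADSyncADConnectorAccount (from
# AdSyncConfig.psm1 under the Azure AD Connect install folder) reports it.
Import-Module ActiveDirectory

$ConnectorAccount = 'CONTOSO\MSOL_a1b2c3d4'   # placeholder, replace with your MSOL_* account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext

# Build a GUID -> name map for schema attributes/classes and extended rights,
# so ObjectType / InheritedObjectType in each ACE become readable.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([guid]$g) {
    if ($g -eq [guid]::Empty)       { return 'All' }          # ACE applies to every attribute/class
    if ($guidMap.ContainsKey($g))   { return $guidMap[$g] }
    return $g.ToString()                                      # unknown GUID: show it raw
}

# Read the domain root ACL through the AD: drive and keep only this account's ACEs.
# Note: if permissions were scoped to specific OUs (Set-ADSyncRestrictedPermissions),
# point -Path at those OUs as well; the domain root alone will not show them.
$acl = Get-Acl -Path "AD:\$domainDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -ieq $ConnectorAccount } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            Attribute   = Resolve-AdGuid $_.ObjectType          # attribute or extended right
            AppliesTo   = Resolve-AdGuid $_.InheritedObjectType # object class the ACE inherits to
            Inheritance = $_.InheritanceType
        }
    } | Sort-Object Rights, Attribute | Format-Table -AutoSize
```

What you should expect to see follows the reply above: plain directory sync only needs read, password hash sync adds the 'Replicating Directory Changes' extended rights, and each writeback feature adds its own write ACEs (password writeback, for example, shows up as a 'Reset Password' extended right plus WriteProperty on attributes such as `lockoutTime` and `pwdLastSet`). Any ACE that does not map to a feature you have enabled is something to investigate, since this account is a standing credential with directory-wide reach.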
