Planning for Directory Synchronization Using Azure AD Connect Cloud Sync
Difficulty
Beginner
Duration
14m
Students
170
Ratings
4.7/5
Description

In this course, we take a look at what goes into planning for the implementation of Azure AD Connect Cloud Sync. We’ll review the supported topologies, and we’ll take a look at the prerequisites that you’ll need to meet to use Cloud Sync.

Learning Objectives

  • A basic understanding of Azure AD Connect Cloud Sync
  • Supported Cloud Sync topologies
  • Deploying Cloud Sync

Intended Audience

  • Those who wish to learn about Azure AD Connect Cloud Sync

Prerequisites

  • General familiarity with Azure AD
  • General familiarity with Active Directory
  • Familiarity with the Azure Portal

Transcript

Hello and welcome to Planning for Directory Synchronization Using Azure AD Connect Cloud Sync. In this lesson, we'll take a look at the things you need to think about and address prior to installing and configuring Azure AD Connect Cloud Sync.

Let's start with an overview of the topologies that Azure AD Connect Cloud Sync supports, of which there are four. Azure AD Connect Cloud Sync supports a single on-prem forest with a single Azure AD tenant, and it supports multiple on-prem forests with a single Azure AD tenant. You can also use it in a topology that consists of an existing on-prem forest with Azure AD Connect and a new forest with cloud provisioning, and you can use it when piloting Azure AD Connect Cloud Sync in an existing hybrid Active Directory forest.

The first topology, a single on-prem forest with a single Azure AD tenant, is the simplest and most common topology supported by Azure AD Connect Cloud Sync. In this topology, the on-prem forest can consist of a single domain or multiple domains, while the cloud piece consists of a single Azure AD tenant.

The image on your screen shows what this typically looks like. The multiple on-prem forest, single Azure AD tenant topology is another common topology that organizations often use. It features multiple AD forests on-prem, each consisting of one or more domains, along with a single Azure AD tenant. In this topology, all on-prem forests are synced to that single Azure AD tenant. The image on your screen shows what this typically looks like. The third supported topology that I mentioned earlier consists of an existing on-prem forest with Azure AD Connect and a new forest with cloud provisioning. This topology is quite similar to the multi-forest topology we just covered. However, in this topology you have an existing Azure AD Connect environment already in play, and you then bring on a new forest using Azure AD Connect Cloud Sync. The image on your screen shows what this topology typically looks like.

The piloting topology that I mentioned includes both Azure AD Connect and Azure AD Connect Cloud Sync in the same forest. In this topology, you need to ensure that an object such as a user account is in scope for only one of the two sync tools. The image on your screen right now shows what this topology typically looks like. When considering which topology is required, you need to think about a couple of different things. For example, you need to ensure that all users and groups are uniquely identified across all forests, and you need to ensure that you don't have matching across forests occurring with Azure AD Connect Cloud Sync. It's also important to remember that a user or group can only be represented once across all forests. I should also mention that for sync, the source anchor for objects is chosen automatically: if present, the ms-DS-ConsistencyGuid attribute is used; otherwise, ObjectGUID is used.
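The two planning checks just described, unique identification of every user and group across all forests and the automatic source-anchor choice, can be audited before anything is deployed. The following PowerShell script is an added example and is not part of the course or of Microsoft's Cloud Sync tooling. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read users and groups in every listed domain, and that the domain names in $Domains are placeholders you replace with your own. It applies the lesson's anchor rule (mS-DS-ConsistencyGuid if set, otherwise objectGUID) to every user and group in each domain and then reports any anchor, UPN or mail value that occurs more than once, which is exactly the cross-forest matching the lesson says you must avoid.

```powershell
# Added example, not the course's own script. Assumes the ActiveDirectory module
# (RSAT) and read access to every domain listed below. Domain names are placeholders.
Import-Module ActiveDirectory

$Domains = @('corp.contoso.example', 'corp.fabrikam.example')   # one or more domains per forest

function Get-CloudSyncSourceAnchor {
    # Mirrors the rule from the lesson: prefer mS-DS-ConsistencyGuid when it is set,
    # otherwise fall back to objectGUID. Returned as Base64, the form in which the
    # anchor shows up in Azure AD as the ImmutableId.
    param([Parameter(Mandatory)]$AdObject)
    $bytes = $AdObject.'mS-DS-ConsistencyGuid'
    if ($null -eq $bytes -or $bytes.Count -eq 0) {
        $bytes = ([guid]$AdObject.objectGUID).ToByteArray()
    }
    return [Convert]::ToBase64String([byte[]]$bytes)
}

$inventory = foreach ($domain in $Domains) {
    # Users (objectCategory=person excludes computer accounts) and groups from each domain.
    Get-ADObject -Server $domain `
        -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))' `
        -Properties objectGUID, 'mS-DS-ConsistencyGuid', userPrincipalName, mail |
    ForEach-Object {
        [pscustomobject]@{
            Domain            = $domain
            DistinguishedName = $_.DistinguishedName
            ObjectClass       = $_.ObjectClass
            SourceAnchor      = Get-CloudSyncSourceAnchor -AdObject $_
            UserPrincipalName = $_.userPrincipalName
            Mail              = $_.mail
        }
    }
}

function Find-CrossForestCollisions {
    # Any value shared by two or more objects means those objects are not uniquely
    # identified across the forests; each hit needs to be resolved before syncing.
    param(
        [Parameter(Mandatory)][object[]]$Objects,
        [Parameter(Mandatory)][string]$Property
    )
    $Objects |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.$Property) } |
        Group-Object -Property $Property |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Property = $Property
                Value    = $_.Name
                Objects  = ($_.Group.DistinguishedName -join '; ')
            }
        }
}

$collisions = foreach ($p in 'SourceAnchor', 'UserPrincipalName', 'Mail') {
    Find-CrossForestCollisions -Objects $inventory -Property $p
}

if ($collisions) { $collisions | Format-Table -AutoSize }
else { "No duplicate anchors, UPNs or mail addresses found across $($Domains.Count) domain(s)." }
```

An empty result is the state you want before enabling Cloud Sync in a multi-forest topology. A duplicate SourceAnchor usually means an object was migrated between forests and its ms-DS-ConsistencyGuid travelled with it; because the anchor attribute cannot be changed in Cloud Sync, that has to be fixed in Active Directory, not in the sync configuration.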

It's important to note that you can't change the attribute that's used for the source anchor. Before we wrap this lesson up, I just want to touch on the key prerequisites for Azure AD Connect Cloud Sync. Before using Azure AD Connect Cloud Sync, your organization needs to create a group Managed Service Account that Cloud Sync uses to run the Cloud Sync agent. This group Managed Service Account is a managed domain account that provides automatic password management and simplified service principal name management. It also allows management delegation to other administrators and extends this functionality over multiple servers.

You also need Domain Administrator or Enterprise Administrator credentials in order to create the Azure AD Connect Cloud Sync group Managed Service Account I just mentioned. A hybrid identity administrator account for your Azure AD tenant that's not a guest user is also required. You'll also need at least one on-prem Windows Server 2016 or later server for the Cloud Sync agent to be installed on. That said, you can install the Cloud Sync agent on a domain controller instead if necessary. If you need or want high availability for Azure AD Connect Cloud Sync, having multiple active Cloud Sync agents installed and running is useful. That being the case, Microsoft recommends that you deploy three active agents to attain high availability. And lastly, if you have a firewall between your servers and Azure AD, you have to ensure that the agents can make outbound requests to Azure AD over port 80 and port 443.
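The server-side prerequisites from the last two paragraphs can be verified on a candidate agent server before the Cloud Sync agent is installed. The script below is an added example and not part of the course or of the agent installer. It checks the operating system version (Windows Server 2016 is build 14393), that the server is domain joined, that the forest has a KDS root key (a requirement for creating any group Managed Service Account, including the one Cloud Sync uses), and that outbound TCP 80 and 443 to Azure AD pass through any firewall. The endpoint name used for the connectivity test is an assumption, not a list of required URLs; Get-KdsRootKey is only available where the Kds module is present (domain controllers and servers with the AD DS tools), so its absence is reported rather than treated as a failure of the forest.

```powershell
# Added example, not part of the course. Run on the server that will host the
# Cloud Sync agent. Reports each prerequisite from the lesson as pass/fail.
$results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Passed, $Detail)
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = "$Detail" })
}

# 1. Windows Server 2016 or later. ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$os = Get-CimInstance Win32_OperatingSystem
$isServer = $os.ProductType -ne 1
Add-Check 'Windows Server 2016 or later' ($isServer -and [int]$os.BuildNumber -ge 14393) "$($os.Caption) build $($os.BuildNumber)"
Add-Check 'Installed on a domain controller (allowed, but note it)' ($os.ProductType -eq 2) "ProductType $($os.ProductType)"

# 2. Domain joined: the agent runs under a gMSA, which only exists in a domain.
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain

# 3. A KDS root key must exist before any gMSA (including the Cloud Sync one) can be created.
try {
    $kds = @(Get-KdsRootKey -ErrorAction Stop)
    Add-Check 'KDS root key present (needed to create the gMSA)' ($kds.Count -gt 0) "$($kds.Count) key(s)"
} catch {
    Add-Check 'KDS root key present (needed to create the gMSA)' $false "Could not query: $($_.Exception.Message)"
}

# 4. Outbound 80 and 443 to Azure AD through any firewall. Endpoint name is an assumption
#    for the test; substitute the endpoints your deployment documentation lists.
$endpoint = 'login.microsoftonline.com'
foreach ($port in 80, 443) {
    $tnc = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
    Add-Check "Outbound TCP $port to $endpoint" $tnc.TcpTestSucceeded $tnc.RemoteAddress
}

$results | Format-Table -AutoSize

# Non-zero exit code when any check fails, so the script can gate an automated build.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it on each server you intend to host an agent on; for the high-availability layout the lesson recommends, that is three servers, each of which must pass the connectivity checks independently since each agent makes its own outbound connections.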


About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.