Azure AD Connect

Azure AD Connect is a sync engine that connects on-premises Active Directory to Azure AD. It has two namespaces - the connector space which stores identity data from connected sources and the metaverse which provides a combined global view. Azure AD Connect can be installed via express or custom settings. Custom settings allow options like password sync or federation. The sync process imports changes to the connector space, synchronizes between the connector space and metaverse, then exports changes.


Azure AD Connect

It is a sync engine that connects on-premises Active Directory with Microsoft Azure AD and synchronizes Active Directory objects with Azure AD. It has two namespaces that store the identity information:

1. The connector space (CS)
2. The metaverse (MV)

It can be installed in two ways:

Express Settings

Express Settings is the default option and deploys sync with the password hash sync option for a single
forest.

Custom Settings

With custom settings, the administrator can connect one or multiple Active Directory forests and can use the options below:

1. Password reset write-back
2. Exchange hybrid deployment
3. Password hash synchronization - A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD.
4. Pass-through authentication - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.
5. Federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
6. Synchronization - Responsible for creating users, groups, and other objects, and for making sure the identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.
7. Health Monitoring - Azure AD Connect Health can provide robust monitoring and a central location in the Azure portal to view this activity.

Connector: A connector is a module that AAD Connect uses to connect (read/write) to a repository. AAD Connect comes with different connectors for different data repositories, such as AD and SQL Server.
Connected data source (CD): A data repository being synchronized by AAD Connect.
Connector space (CS): A storage area used by AAD Connect to store staging objects from a connected data source. A separate CS is used for each connected data source.
Metaverse (MV): A storage area used by AAD Connect to store 'synchronized objects', i.e. objects that are the 'combined, integrated, global' representation of objects from different connector spaces.
Source anchor: A unique attribute assigned to each staging object held inside a connector space in AAD Connect. The value of this attribute uniquely identifies the object inside the connected data source; e.g. for AD, objectGUID is the source anchor.
Pending import object: A staging object inside a connector space that has been flagged as 'pending import', which means AAD Connect has detected that this object has updates (add, update, delete) that need to be processed during 'inbound synchronization' (connector space → metaverse).
Pending export object: An object inside a connector space that AAD Connect has flagged as having updates that need to be pushed to the connected data source during 'export'. Outbound synchronization (metaverse → connector space) either creates new pending export objects or flags existing staging objects as pending export.
Joined object: A staging object in a connector space that is linked with a metaverse object. One metaverse object can be linked with multiple connector space objects, but not vice versa.
Disjoined object: A staging object in a connector space that is not linked with any metaverse object.
Import process: Step 1 of the synchronization cycle, during which AAD Connect brings in updates from a connected data source to its own connector space and either creates new 'pending import' staging objects or updates existing staging objects. AAD Connect uses the 'source anchor' attribute to match objects from the connected data source to their counterparts in the connector space.
Synchronization process: Step 2 of the synchronization cycle, during which AAD Connect does two things: inbound synchronization processes all 'pending import' objects and makes the updates to the corresponding linked objects in the metaverse; outbound synchronization processes the updates from metaverse objects and makes the updates to the corresponding linked objects in the connector space.
Export process: Step 3 of the synchronization cycle, during which AAD Connect processes 'pending export' objects and pushes out the changes to the connected data source.
Question: What creates a 'pending import' object?
Answer: The import process, when it processes incoming changes from a connected data source.
Question: What creates a 'pending export' object?
Answer: The outbound synchronization process, when it compares the objects in the metaverse to their linked counterparts in the connector space.
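The three-step cycle and the two questions above can be traced in a small model. This is an added, constructed Python illustration, not code from this document or from Azure AD Connect; the `mv-<anchor>` naming for metaverse objects and the use of the metaverse id as the anchor in the Azure AD connector space are simplifications, and deletes and multi-forest joins are not modelled.

```python
"""Toy model of the AAD Connect sync cycle: import -> synchronize -> export (constructed example)."""
from dataclasses import dataclass

@dataclass
class StagingObject:
    anchor: str                     # source anchor, e.g. objectGUID for AD
    attrs: dict
    pending_import: bool = False    # set only by the import step
    pending_export: bool = False    # set only by outbound synchronization
    mv_link: str = ""               # joined when non-empty, disjoined when empty

class ConnectorSpace:
    def __init__(self):
        self.objects = {}           # staging objects keyed by source anchor

    def import_changes(self, cd_snapshot):
        """Step 1: match by source anchor; new or changed objects become pending import."""
        for anchor, attrs in cd_snapshot.items():
            obj = self.objects.get(anchor)
            if obj is None:
                self.objects[anchor] = StagingObject(anchor, dict(attrs), pending_import=True)
            elif obj.attrs != attrs:
                obj.attrs = dict(attrs)
                obj.pending_import = True

def synchronize(mv, source_cs, target_cs):
    """Step 2: inbound sync (CS -> MV), then outbound sync (MV -> CS)."""
    for obj in source_cs.objects.values():
        if obj.pending_import:
            mv_id = obj.mv_link or f"mv-{obj.anchor}"   # join to the linked MV object or project a new one
            mv[mv_id] = dict(obj.attrs)
            obj.mv_link = mv_id
            obj.pending_import = False
    for mv_id, attrs in mv.items():
        tgt = next((o for o in target_cs.objects.values() if o.mv_link == mv_id), None)
        if tgt is None:             # nothing joined in the target CS: create a new pending export object
            target_cs.objects[mv_id] = StagingObject(mv_id, dict(attrs), pending_export=True, mv_link=mv_id)
        elif tgt.attrs != attrs:    # joined object differs from the MV: flag it pending export
            tgt.attrs = dict(attrs)
            tgt.pending_export = True

def export_changes(cs, connected_source):
    """Step 3: push pending export objects to the connected data source; returns the count exported."""
    exported = 0
    for obj in cs.objects.values():
        if obj.pending_export:
            connected_source[obj.anchor] = dict(obj.attrs)
            obj.pending_export = False
            exported += 1
    return exported
```

Running import, synchronize and export twice on the same on-premises snapshot shows the second cycle creating no pending objects, which is how the engine avoids re-synchronizing data it has already processed.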
Which objects are synced with Azure AD?

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis

Azure AD Connect Architecture

The sync engine creates an integrated view of objects that are stored in multiple connected data sources
and manages identity information in those data sources.

Connected Data Sources and Connectors

The sync engine processes identity information from different data repositories, such as Active Directory
or a SQL Server database. The data repositories that are synchronized by sync engine are called
connected data sources or connected directories (CD).

The sync engine encapsulates interaction with a connected data source within a Connector. Each type of
connected data source has a specific Connector. The Connector translates a required operation into the
format that the connected data source understands.
Connectors make API calls to exchange identity information (both read and write) with a connected data
source. The following illustration shows how a Connector connects a connected data source to the sync
engine.

Data can flow in either direction, but it cannot flow in both directions simultaneously. In other words, a
Connector can be configured to allow data to flow from the connected data source to sync engine or
from sync engine to the connected data source, but only one of those operations can occur at any one
time for one object and attribute. The direction can be different for different objects and for different
attributes.

To configure a Connector, you specify the object types and attributes that you want to synchronize.
These settings can be changed any time. When you use the Azure AD Connect installation wizard, these
settings are configured.

To export objects to a connected data source, the attribute inclusion list must include at least the
minimum attributes required to create a specific object type in a connected data source. For example,
the sAMAccountName attribute must be included in the attribute inclusion list to export a user object
to Active Directory.

If the connected data source uses structural components, such as partitions or containers to
organize objects, you can limit the areas in the connected data source that are used for a given
solution.

Internal structure of the sync engine namespace

The entire sync engine namespace consists of two namespaces that store the identity information.

1. The connector space (CS)
2. The metaverse (MV)

The connector space is a staging area that contains representations of the designated objects from a
connected data source and the attributes specified in the attribute inclusion list. The sync engine uses
the connector space to determine what has changed in the connected data source and to stage
incoming changes.
The sync engine also uses the connector space to stage outgoing changes for export to the connected
data source. The sync engine maintains a distinct connector space as a staging area for each Connector.

The sync engine can request only the changes made inside the connected data source since the last
communication session terminated or push out only the changes to identity information that the
connected data source has not yet received. When new data is received, sync engine always evaluates
whether the data has already been synchronized.

The metaverse is a storage area that contains the aggregated identity information from multiple
connected data sources, providing a single global, integrated view of all combined objects.

The following illustration shows the connector space namespace and the metaverse namespace within
the sync engine.

Connector space objects

Each connector space object has two attributes:

1. A globally unique identifier (GUID)
2. A distinguished name (also known as DN)
