Wednesday, October 9, 2013

Windows Azure Active Directory Sync tool (DIRSYNC) – the basics

I thought that I’d do some posts on DIRSYNC and how it works with Office 365 as there seems to be plenty of confusion out there about it. DIRSYNC is pretty simple in reality so let’s kick things off with the basics of installing DIRSYNC, we’ll get into the more advanced stuff later.

Windows Azure Active Directory Sync tool (DIRSYNC) is an application that provides one-way synchronization from a company’s on-premises Active Directory (AD) to Windows Azure Active Directory. It copies a limited set of user objects (including logins and, if you enable password synchronization, passwords) to Office 365 so that the information in Office 365 is identical to that in the on-premises AD.

Activating the Directory Synchronization (DIRSYNC) tool should be considered a long-term commitment to co-existence. Once you have activated Directory Synchronization, you can only edit synchronized objects using the on-premises management tools.

A local network administrator needs to install the DIRSYNC tool on only one member server in the organization’s on-premises network. To complete the process they will also need global administrator rights on the Office 365 tenant they are synchronizing to.

The computer used for Directory Synchronization must meet the following requirements:

- It must be joined to the on-premises Active Directory and must be able to connect to all of the Domain Controllers (DCs) in the forest.

- It cannot be a domain controller (so it can’t be run on SBS).

- It must run on a supported 64-bit Windows Server system, which is one of:

  - 64-bit version of Windows Server 2008 R2 SP1 Standard, Enterprise or Datacenter

  - 64-bit version of Windows Server 2012 Standard or Datacenter

- It must have Microsoft .NET Framework 3.5 SP1 and .NET Framework 4.0 installed.

- It must have Windows PowerShell installed.

- It must be located in an access-controlled environment.

When you install the Directory Sync tool, the configuration wizard creates a service account called MSOL_AD_SYNC in the standard Users organizational unit (OU). This account is used to read from the on-premises AD and write to Windows Azure AD, and it is granted the following permissions:

- Replicating Directory Changes

- Replication Synchronization

- Replicating Directory Changes All
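Because those three rights let their holder read everything a domain controller can replicate, including password data, it is worth knowing exactly which identities hold them after the wizard has run. The script below is an added example, not something from the original post or from the DIRSYNC installer: it confirms the MSOL_AD_SYNC account exists and lists every allow ACE on the domain naming context that grants one of the three rights (matched by their well-known schema GUIDs). It assumes the ActiveDirectory PowerShell module (RSAT) is available on the machine it runs on.

```powershell
# Added example, not part of the original post: audit who holds the three replication
# rights that the DIRSYNC wizard grants to MSOL_AD_SYNC. Assumes the ActiveDirectory
# module (RSAT) is available on the machine it runs on.
Import-Module ActiveDirectory

# Well-known schema GUIDs of the control-access (extended) rights involved.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes replication)'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    # The rights are set on the domain naming context head; read its ACL through the AD: drive.
    $acl = Get-Acl -Path "AD:\$DomainDn"

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Right    = $ReplicationRights[$_.ObjectType.ToString()]
            }
        }
}

# Confirm the service account exists where the wizard put it.
$syncAccount = Get-ADUser -Filter "sAMAccountName -eq 'MSOL_AD_SYNC'" -Properties PasswordNeverExpires
if ($syncAccount) {
    "MSOL_AD_SYNC found at $($syncAccount.DistinguishedName); PasswordNeverExpires = $($syncAccount.PasswordNeverExpires)"
} else {
    'MSOL_AD_SYNC not found: has the configuration wizard completed?'
}

# Expected holders are the domain controller groups, Administrators and MSOL_AD_SYNC;
# anything else in this list should be explained or removed.
Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
```

Run it once after the wizard finishes and keep the output; re-running it later and comparing the two lists is a cheap way to spot an unexpected account that has picked up replication rights.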

Enabling Directory Synchronization

The first step in configuring Directory Synchronization between an on-premises AD and an Office 365 tenant is to log in to the Office 365 tenant as a global administrator and then select users and groups from the menu on the left-hand side.

clip_image002

This should display a list of active users; above it you will find the option Active Directory synchronization. Select the Set up link to commence the configuration process.

clip_image004

You will then be taken to the list of steps shown above.

After reading the documentation on synchronization via the link Learn how to prepare for directory synchronization, ensure that any custom domains are already configured and verified.

The next step is to select the Activate button for option 3, Activate Active Directory synchronization.

clip_image006

You will then be prompted to confirm the activation of AD Synchronization by pressing the Activate button.

clip_image008

When you are returned to the list of steps you will note that option 3 now indicates that Active Directory synchronization is activated as shown above.

clip_image010

You may see the above message that Active Directory synchronization is being activated. This process may take up to 24 hours to complete.

Installing DIRSYNC

You will then need to download and install the AD Synchronization software (DIRSYNC). Once downloaded, you launch the application to commence the installation process.

clip_image012

If the machine on which you attempt to install DIRSYNC is not joined to an AD domain you will receive the above error and be unable to proceed further.

clip_image014

Click the Next button to commence the installation process.

clip_image016

Select the I accept radio button and then press the Next button to continue.

clip_image018

Here you can alter the default installation directory if desired. It is recommended that you leave the default setting and press the Next button to continue.

clip_image020

You should now see the components being installed. This may take a few minutes to complete.

clip_image022

When complete, you will receive a message like that displayed above to indicate the process is now complete.

Press the Next button to continue.

clip_image024

You can elect whether to commence the DIRSYNC configuration process, which is selected by default.

When you have made your choice press the Finish button to complete the DIRSYNC installation.

clip_image026

Press the Next button to commence the configuration wizard.

clip_image028

Enter the details for your Office 365 tenant global administrator and press Next to continue. Office 365 needs to be accessible during this process.

clip_image030

If you have only just activated Directory Synchronization in the Office 365 portal, as previously noted, you may have to wait up to 24 hours for the activation to complete. If you don’t, you will receive an error like that shown above and will have no option but to wait for the activation to complete.

clip_image032

You now need to enter the details of an enterprise administrator for your local Active Directory and press the Next button to proceed.

clip_image034

You now receive the option to enable Hybrid Deployment. In most cases you want to leave this option unchecked and press the Next button to proceed.

clip_image036

Next, you can elect whether you want the passwords from your local Active Directory accounts synchronized with accounts in Office 365. Normally you would check this option and press the Next button to proceed.

clip_image038

You will now see DIRSYNC being configured. This may take a few minutes and you need to wait until this process is complete.

clip_image040

When the configuration is complete, press the Next button to continue.

clip_image042

You will now be given the opportunity to synchronize the local AD user properties to your Office 365 tenant. In most cases you will leave this option checked and select the Finish button to complete the DIRSYNC configuration.

clip_image044

You’ll now see a dialog providing information about how to verify that everything is synchronizing as expected. This will be covered next, so press the OK button to close the dialog.

clip_image047

If you now log in to your Office 365 tenant as an administrator and then select users and groups from the menu on the left-hand side, you should see a list of all your users.

If you look closely at the status of most users you will find that it says Synced with Active Directory. Select any of these users to view their properties.

clip_image049

You should find that users synchronized from your local Active Directory are not automatically assigned a license. You need to do this manually via the console or via PowerShell. Don’t forget that you can have multiple licenses in an Office 365 tenant, and DIRSYNC has no way of knowing which license you want to assign to which user.
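Doing the licensing step from PowerShell is straightforward once you know the two things that trip people up: the SKU name is tenant-specific, and a license cannot be assigned to a user who has no usage location set. The script below is an added example (not from the original post) using the Windows Azure AD Module for Windows PowerShell (MSOnline). The SKU string and the usage location are placeholders you must replace with your own values.

```powershell
# Added example, not part of the original post: license the synced users that DIRSYNC
# left unlicensed. Assumes the MSOnline module is installed. The SKU and usage
# location below are placeholders; take the real AccountSkuId from Get-MsolAccountSku.
Import-Module MSOnline
Connect-MsolService   # prompts for Office 365 global administrator credentials

# Show what is available to assign. AccountSkuId looks like 'tenantname:ENTERPRISEPACK'.
Get-MsolAccountSku | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits
$Sku           = 'tenantname:ENTERPRISEPACK'   # placeholder: replace with a real AccountSkuId
$UsageLocation = 'AU'                          # placeholder: two-letter ISO country code

# -Synchronized restricts the result to users that came in via directory synchronization,
# -UnlicensedUsersOnly to those that still have no license.
$targets = Get-MsolUser -All -Synchronized -UnlicensedUsersOnly

foreach ($u in $targets) {
    # Set-MsolUserLicense fails if UsageLocation is empty, which it commonly is for
    # synced users, so set it first when missing.
    if (-not $u.UsageLocation) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -UsageLocation $UsageLocation
    }
    Set-MsolUserLicense -UserPrincipalName $u.UserPrincipalName -AddLicenses $Sku
    "Licensed $($u.UserPrincipalName) with $Sku"
}
```

If different users need different SKUs, run the same loop once per SKU with a filter on an attribute DIRSYNC does bring across (department or office, for example) instead of licensing every unlicensed user in one pass.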

Verify DIRSYNC

To verify that synchronization is taking place correctly at any stage, navigate to the following folder on the member server where you installed DIRSYNC:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

Then double-click the miisclient program.

clip_image051

You should see the Synchronization Service Manager appear as shown above. You will also probably notice some initial synchronization activity in the top window.

clip_image053

To check that information is being correctly copied to Office 365, edit the properties of a user in your local Active Directory that you know is synchronized to Office 365. In this case the Job Title field has been updated to the string Marketing Manager for the user Lewis Collins.

Save these changes.

The next step is to force an immediate synchronization. To do this navigate to:

C:\Program Files\Windows Azure Active Directory Sync

And run dirsyncconfigshell.psc1

clip_image055

In the PowerShell window that appears type:

Start-OnlineCoexistenceSync

And press the Enter key to execute the command.

clip_image058

If you now return to the Synchronization Service Manager you should see additional synchronization activities displayed.

clip_image061

If you select one of these items you will notice a list of statistics down in the lower left hand window. On the Updates line there is a hyperlink, select this to view more details.

clip_image064

In this case we see that the update refers to the user that was modified in the local Active Directory.

You can select this line and then select the Properties button in the bottom left for further information.

clip_image067

In the Connector Space Object Properties window you should see details about the user, including the field that was updated in Active Directory.

This confirms that DIRSYNC has processed the change and sent it successfully to Office 365.

clip_image070

Now log in to Office 365 as an administrator, navigate to the list of active users again and select the modified user (here Lewis Collins).

clip_image072

To verify the change in this case, select the details tab on the left menu under the user name and you should see the information shown above.

Under additional details you will find that the Job Title field in Office 365 now matches that in the local Active Directory, verifying that DIRSYNC has worked successfully.
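The same end-to-end check (change an attribute on-premises, force a sync, confirm it arrived) can be scripted so it can be repeated without clicking through the portal. The script below is an added example and not part of the original post: it runs on the DIRSYNC server, loads the DIRSYNC cmdlets the same way dirsyncconfigshell.psc1 does, triggers a sync, and then polls until the on-premises Title and the Office 365 Title agree. It assumes the ActiveDirectory and MSOnline modules are available; the account name and UPN are constructed sample values.

```powershell
# Added example, not part of the original post: script the verification the post does
# by hand. Run on the DIRSYNC server. Assumes the ActiveDirectory and MSOnline modules;
# the sAMAccountName and UPN are constructed sample values.
Import-Module ActiveDirectory
Import-Module MSOnline
Add-PSSnapin Coexistence-Configuration   # the snap-in that dirsyncconfigshell.psc1 loads
Connect-MsolService                      # prompts for Office 365 global administrator credentials

$SamAccountName = 'lewis.collins'               # constructed sample value
$Upn            = 'lewis.collins@example.com'   # constructed sample value

function Compare-SyncedTitle {
    param([string]$Sam, [string]$UserPrincipalName)

    # Read the attribute on both sides and report whether they match yet.
    $onPrem = Get-ADUser -Identity $Sam -Properties Title
    $cloud  = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        OnPremTitle     = $onPrem.Title
        CloudTitle      = $cloud.Title
        LastDirSyncTime = $cloud.LastDirSyncTime
        InSync          = ($onPrem.Title -eq $cloud.Title)
    }
}

# Kick off a sync cycle now rather than waiting for the scheduled one (every three hours
# by default), then poll for up to ten minutes for the change to appear in Office 365.
Start-OnlineCoexistenceSync
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $result = Compare-SyncedTitle -Sam $SamAccountName -UserPrincipalName $Upn
} until ($result.InSync -or (Get-Date) -gt $deadline)

$result
if (-not $result.InSync) {
    Write-Warning 'Title still differs after the sync cycle; check the run history in the Synchronization Service Manager.'
}
```

LastDirSyncTime in the output is worth watching on its own: if it does not move forward after Start-OnlineCoexistenceSync, the problem is on the DIRSYNC side rather than with the specific attribute.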