SkyDrive Pro includes antivirus protection

I’m seeing a lot of people out there getting hit with all sorts of viruses coming through file sharing programs because you know what? They simply don’t provide any protection but they are really easy to use.

For example when I upload the eicar antivirus test file to Dropbox look what happens:

image

Dropbox allows the file to be uploaded and stored. Now, if a user opens this file they run the risk of being infected.

image

So what happens if you attempt the same thing with Google Apps? Guess what? It also lets the virus be uploaded and stored.

This highlights how great most file sharing applications are as virus delivery mechanisms now doesn’t it?

image

However, when we come to Office 365 SkyDrive Pro and SharePoint we receive the above notification telling us that our file is infected and won’t be uploaded! Now that’s protection.

Viruses and malware are so much a part of today’s landscape. Problem is, so are easy file sharing utilities. Most of these file sharing utilities don’t even do the most basic security checks to ensure the files uploaded are clean. Office 365 is different. It is protected by Forefront Protection for email, SharePoint and SkyDrive Pro. To my mind that makes it so much better than the alternatives, because it automatically protects users.

If you want to understand the difference between file sharing options and Office 365 then look no further than inbuilt virus and malware protection. When I pay for a file sharing and collaboration solution I want the one with built in security. That is Office 365 and SkyDrive Pro.

Great video of Microsoft mobile platform options

Here’s a good video that demonstrates the capabilities of Microsoft software such as Office, Lync, Yammer, etc across a number of different platforms including Windows, iOS and Android.

Aston Martin uses Office 365

Windows Azure Active Directory Sync tool (DIRSYNC) – the basics

I thought that I’d do some posts on DIRSYNC and how it works with Office 365 as there seems to be plenty of confusion out there about it. DIRSYNC is pretty simple in reality so let’s kick things off with the basics of installing DIRSYNC, we’ll get into the more advanced stuff later.

Windows Azure Active Directory Sync tool (DIRSYNC) is an application that provides one way synchronization from a company’s on premise Active Directory (AD) to Windows Azure Active Directory. This tool allows a limited set of user objects (including logins and passwords) to be copied to Office 365 so that the information in Office 365 is identical to that in the on premise AD.

Activating the Directory Synchronization (DIRSYNC) tool should be considered a long term commitment to co-existence. Once you have activated Directory Synchronization, you can only edit synchronized objects using the on-premise management tools.

A local network administrator needs to install the DIRSYNC tool on only one member server computer in an organization’s on premise network. To complete this process they will also need to have global administrative rights on the Office 365 tenant they are seeking to synchronize to.

The computer used for Directory Synchronization must meet the following requirements:

– It must be joined to the on premise Active Directory. It must be able to connect to all of the other Domain Controllers (DCs) for all of the forest.

– It cannot be a domain controller (thus can’t be run on SBS).

– It must run on a supported 64 bit Windows Server system which is:

o 64 bit version of Windows Server 2008 R2 SP1 Standard, Enterprise or Datacenter

o 64 bit version of Windows Server 2012 Standard or Datacenter

– It must run Microsoft .NET Framework version 3.5 SP1 and .NET Framework version 4.0

– It must run Windows PowerShell.

– It must be located in an access controlled environment.

When you install the Directory Sync tool, the configuration wizard will create a service account called MSOL_AD_SYNC in the standard Users organizational unit (OU) that will be used to read from the on premise AD and write to Windows Azure AD. The MSOL_AD_SYNC account is given the following permissions:

– Replicating Directory Changes

– Replication Synchronization

– Replicating Directory Changes All
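
The three replication permissions above allow their holder to read directory data through replication, password hashes included, so it is worth checking who holds them once DIRSYNC is installed. The following is an added example, not part of the original post or the DIRSYNC tooling: it lists every account granted these rights on the domain root and flags any that are not on a reviewed list. The default reviewed list and the function name are assumptions to adjust for your domain.

```powershell
# Added example: audit who holds directory replication rights on the domain root.
# Requires the RSAT ActiveDirectory module (provides the AD: drive and Get-ADDomain).
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for the permissions listed above.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}
$allExtendedRights = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightHolder {
    param(
        # Assumption: accounts you have already reviewed and expect to see.
        [string[]]$Reviewed = @(
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'BUILTIN\Administrators',
            '*\Domain Controllers',
            '*\MSOL_AD_SYNC'
        )
    )

    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }

        $guid = $ace.ObjectType.ToString()
        if ($guid -eq $allExtendedRights) {
            # An empty object type (or full control) covers every extended
            # right, replication included.
            $right = 'All extended rights'
        } elseif ($replicationRights.ContainsKey($guid)) {
            $right = $replicationRights[$guid]
        } else {
            continue
        }

        $id = $ace.IdentityReference.Value
        $isReviewed = [bool]($Reviewed | Where-Object { $id -like $_ })

        [pscustomobject]@{
            Identity  = $id
            Right     = $right
            Inherited = $ace.IsInherited
            Reviewed  = $isReviewed
        }
    }
}

# Unreviewed holders sort first so they stand out.
Get-ReplicationRightHolder |
    Sort-Object Reviewed, Identity |
    Format-Table -AutoSize
```

Any row with Reviewed set to False is an account that can replicate directory data and has not been accounted for.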

Enabling Directory Synchronization

The first step in the process to configure Directory Synchronization between an on premise AD and an Office 365 tenant is to login to the Office 365 tenant as a global administrator and then select users and groups from the menu on the left hand side.

clip_image002

This should display a list of active users, however above this you will find the option Active Directory® synchronization. Select the Set up link to commence the configuration process.

clip_image004

You will then be taken to the list of steps shown above.

After reading the documentation concerning synchronization using the link Learn how to prepare for directory synchronization you need to ensure that you have any custom domains already configured and verified.

The next step in the process is to select the Activate button for option 3 Activate Active Directory synchronization.

clip_image006

You will then be prompted to confirm the activation of AD Synchronization by pressing the Activate button.

clip_image008

When you are returned to the list of steps you will note that option 3 now indicates that Active Directory synchronization is activated as shown above.

clip_image010

You may see the above message that Active Directory synchronization is being activated. This process may take up to 24 hours to complete.

Installing DIRSYNC

You will then need to download and install the AD Synchronization software (DIRSYNC). Once downloaded, you launch the application to commence the installation process.

clip_image012

If the machine on which you attempt to install DIRSYNC is not joined to an AD domain you will receive the above error and be unable to proceed further.

clip_image014

Click the Next button to commence the installation process.

clip_image016

Select the I accept radio button and then press the Next button to continue.

clip_image018

Here you can alter the default installation directory if desired. It is recommended that you leave it with its default setting and press the Next button to continue.

clip_image020

You should now see the components being installed. This may take a few minutes to complete.

clip_image022

When complete, you will receive a message like that displayed above to indicate the process is now complete.

Press the Next button to continue.

clip_image024

You can elect whether to commence the DIRSYNC configuration process, which is selected by default.

When you have made your choice press the Finish button to complete the DIRSYNC installation.

clip_image026

Press the Next button to commence the configuration wizard.

clip_image028

Enter the details for your Office 365 tenant global administrator and press Next to continue. Office 365 needs to be accessible during this process.

clip_image030

If you have only just activated Directory Synchronization in the Office 365 portal, as previously noted, you may have to wait up to 24 hours for the activation to complete. If you don’t you will receive an error like that shown above and will have no option but to wait for the activation to complete.

clip_image032

You now need to enter the details of an enterprise administrator for your local Active Directory and press the Next button to proceed.

clip_image034

You now receive the option to enable Hybrid Deployment. In most cases you want to leave this option unchecked and press the Next button to proceed.

clip_image036

Next, you can elect whether you want the passwords from your local Active Directory accounts synchronized with accounts in Office 365. Normally you would check this option and press the Next button to proceed.

clip_image038

You will now see DIRSYNC being configured. This may take a few minutes and you need to wait until this process is complete.

clip_image040

When the configuration is complete, press the Next button to continue.

clip_image042

You will now be given the opportunity to synchronize the local AD user properties to your Office 365 tenant. In most cases you will leave this option checked and select the Finish button to complete the DIRSYNC configuration.

clip_image044

You’ll now see a dialog providing you information about how to verify that everything is synchronizing as expected. This will be covered next so press the OK button to close the dialog.

clip_image047

If you now login to your Office 365 tenant as an administrator and then select users and groups from the menu on the left hand side you should see a list of all your users.

If you look closely at the status of most users you will find that it says Synced with Active Directory. Select any of these users to view their properties.

clip_image049

You should find that users synchronized from your local Active Directory are not automatically assigned a license. You need to do this manually via the console or via PowerShell. Don’t forget that you can have multiple licenses in Office 365 tenants and DIRSYNC has no way of knowing what license you want to assign to what user.

Verify DIRSYNC

To verify that synchronization is taking place correctly at any stage, navigate to the following folder on the member server on which you installed DIRSYNC:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

Then double-click the miisclient program.

clip_image051

You should see the Synchronization Service Manager appear as shown above. You will also probably notice some initial synchronization activity in the top window.

clip_image053

To check that information is being correctly copied to Office 365, edit a property of a user in your local Active Directory that you know is synchronized to Office 365. In this case the Job Title field has been updated to the string Marketing Manager for the user Lewis Collins.

Save these changes.

The next step is to force an immediate synchronization. To do this navigate to:

C:\Program Files\Windows Azure Active Directory Sync

And run dirsyncconfigshell.psc1

clip_image055

In the PowerShell window that appears type:

Start-onlinecoexistencesync

And press the Enter key to execute the command.

clip_image058

If you now return to the Synchronization Service Manager you should see additional synchronization activities are displayed.

clip_image061

If you select one of these items you will notice a list of statistics down in the lower left hand window. On the Updates line there is a hyperlink, select this to view more details.

clip_image064

In this case we see that the update refers to the user that was modified in the local Active Directory.

You can select this line and then select the Properties button in the bottom left for further information.

clip_image067

In the Connector Space Object Properties window you should see details about the user, including the field that was updated in Active Directory.

This confirms that DIRSYNC has processed the change and sent it successfully to Office 365.

clip_image070

Now login to Office 365 as an administrator, navigate to the list of active users again and select the modified user (here Lewis Collins).

clip_image072

To verify the change in this case, select the details tab on the left menu under the user name and you should see the information shown above.

Under additional details you will find that the Job Title field in Office 365 is now the same as that in the local Active Directory, therefore verifying that DIRSYNC has worked successfully.

Connecting to Lync Online via Powershell

In previous posts I’ve detailed how to connect to Office 365 administration using PowerShell:

https://blog.ciaops.com/2012/09/configuring-power-shell-access-in.html

I’ve also detailed how to connect to SharePoint Online using PowerShell:

https://blog.ciaops.com/2013/05/connecting-powershell-to-sharepoint.html

So now I’ll show you how to connect to Lync Online with PowerShell.

The first thing you should do is follow the initial blog post:

https://blog.ciaops.com/2012/09/configuring-power-shell-access-in.html

to ensure the Microsoft Online Assistant and the Microsoft Online Services Module for Windows PowerShell are installed.

image

As with SharePoint Online you are going to need to have PowerShell V3 installed before using Lync Online with PowerShell. If you are doing this on a Windows 8 desktop, then PowerShell V3 is already installed. If not, then you are going to need to download and install Windows Management Framework 3.0 which includes PowerShell 3.0.

Next you’ll need to install the Lync Online Management Shell. This is located here:

http://www.microsoft.com/en-us/download/details.aspx?id=39366

image

Accept the license terms and conditions and press the Install button to commence.

image

Accept the UAC and select Yes to continue.

image

The installation will check to see what software is installed on your system.

image

image

image

All going well the installation should complete successfully. Select the Close button to complete the process.

image

Once you have all that installed run the Microsoft Online Services Module for Windows PowerShell as an administrator.

clip_image002

Accept the UAC by pressing Yes.

The next step is to load in the Lync Online cmdlets for use in this session. These cmdlets are called:

lynconlineconnector

So at the PowerShell prompt type:

clip_image004

import-module lynconlineconnector

If you haven’t already logged into your Office 365 tenant as an administrator using PowerShell you will need to do so, as detailed in previous posts, using the command:

clip_image006

$cred=get-credential

Next, use the following commands to connect to the Lync Online Service.

clip_image008

$session = New-CsOnlineSession -Credential $cred

clip_image010

Import-PSSession $session

You should notice a banner appear across the top of the window as the modules are loaded as shown above.

clip_image012

If everything is correct, PowerShell will simply be returned to a prompt. Now you can execute commands against Lync Online. For example the following will display your Lync tenant information:

clip_image014

get-cstenant

Now you can start exploring all the cmdlets that are available for Lync Online which you can find at:

http://technet.microsoft.com/en-us/library/jj994021.aspx

Disabling Exchange protocols in Office 365

The general default with Exchange Online is to have things enabled. Thus, things like POP3 are enabled on all mailboxes by default. This makes it easier for people to connect to the service using a variety of methods. Of course there are reasons why you may want some of these disabled and that is easy to do via a number of different methods in Office 365.

If you want to use the web portal, login as an administrator to Office 365.

image

When you are greeted by the Office 365 admin center select Admin from the menu bar at the top right.

image

From the menu that appears select Exchange.

image

Select the mailbox you wish to configure and many of the settings will appear on the right. You can modify these from here but to get access to all the options now select the Edit icon (which is the picture of the pen just above the column headings).

image

If you now select the mailbox features option from the menu on the left hand side you see a list of links on the right that allow you to control the different protocols and features of the mailbox.

image

For example if you select the Disable link under the POP3 heading you will be prompted to confirm whether you wish to disable POP3 for this mailbox as shown above.

image

By holding down the control key and selecting multiple mailboxes you can make bulk edit changes by selecting from the options on the right. In the case above, I have selected all 7 mailboxes and selected the link to enable POP3. All I need do now is confirm this to update all these accounts together.

Using the web portal allows you to make changes to accounts easily, however if you need to complete this process repeatedly on a large number of mailboxes then using PowerShell is a better option.

The first step is to connect to Office 365 using PowerShell which I have covered in a previous blog post here:

https://blog.ciaops.com/2012/09/configuring-power-shell-access-in.html

You can then run a variety of PowerShell commands to disable the different features of different mailboxes. The details of those commands are found here:

http://support.microsoft.com/kb/2573225/en-us

For example, to disable POP3 for the same user above the command would be:

Set-CasMailbox barry.jones@kumoalliance.net.au -PopEnabled $False

Again, that is great when you only need to do a few mailboxes, but what happens when you need to do lots? Here’s a script that should do the job for all your users (provided you don’t have thousands):

Get-CASMailbox | Set-CASMailbox -PopEnabled $False

I will also point you to the following blog article:

http://blogs.technet.com/b/zarkatech/archive/2011/08/09/automatically-disable-pop3-amp-imap-in-office-365.aspx

which shows you how to achieve this using Office 365 security groups to more easily determine exactly who does and who doesn’t have access. This is a great option if you want to restrict only a subset of your users from having access to features like POP3 in Office 365.

The important takeaway here is that most Exchange features are enabled in Office 365 by default. You can easily change them via the web portal but an even better method would be to use PowerShell, where you can even integrate security groups to provide even more granular control.
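
One way to combine the bulk command with a security group, as an added example that is not from the original post or the linked article: it records which mailboxes currently have POP3 or IMAP enabled, then disables both for everyone who is not a member of an allow-list group. The group name POP3-Allowed and the report path are hypothetical, and an Exchange Online PowerShell session is assumed to be connected already.

```powershell
# Added example: disable POP3/IMAP for every mailbox outside an allow-list group.
# Assumes an Exchange Online remote PowerShell session is already imported.

$allowGroup = 'POP3-Allowed'                  # hypothetical mail-enabled security group
$reportPath = '.\pop-imap-before-change.csv'  # hypothetical report location

# Build a lookup of members who are permitted to keep POP3/IMAP.
$allowed = @{}
Get-DistributionGroupMember -Identity $allowGroup -ResultSize Unlimited |
    ForEach-Object {
        $allowed[$_.PrimarySmtpAddress.ToString().ToLower()] = $true
    }

# -ResultSize Unlimited lifts the default cap on returned mailboxes,
# so tenants with thousands of users are covered as well.
$mailboxes = Get-CASMailbox -ResultSize Unlimited

# Keep a record of the current state so the change can be reviewed or reversed.
$mailboxes |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled |
    Export-Csv -Path $reportPath -NoTypeInformation

# Mailboxes that still have a legacy protocol enabled and are not on the allow list.
$targets = $mailboxes | Where-Object {
    ($_.PopEnabled -or $_.ImapEnabled) -and
    -not $allowed.ContainsKey($_.PrimarySmtpAddress.ToString().ToLower())
}

"{0} of {1} mailboxes will have POP3/IMAP disabled" -f @($targets).Count, @($mailboxes).Count

foreach ($mbx in $targets) {
    # Remove -WhatIf once the preview output matches what you expect.
    Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false -WhatIf
}
```

New mailboxes are created with the defaults, so the script needs to be re-run (or scheduled) to keep the setting applied.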

CIAOPS Virtual Tech Meeting–November


Registrations are now open for the CIAOPS Virtual Tech Meeting on Wednesday the 6th of November. You can register at:
https://ciaops1113.eventbrite.com.au/
This meeting will feature a presentation on the public website capabilities in Office 365 by myself. Details are:
You may not be aware that every Office 365 plan that includes SharePoint Online comes with the ability to create a public website linked to any domain. In this demonstration you’ll learn how to configure this public website and how to customize it for your needs.
There will also be the usual news, product updates, general discussion as well as questions and answers.
So if you want to get the latest make sure you register now.
The resources from the latest meeting are also available at:
https://blog.ciaops.com/2013/09/ciaops-virtual-tech-meetingoctober.html
I look forward to seeing you on the day.

Restore, restore, restore

I recently wrote a blog post highlighting the fact that too few ordinary businesses and users perform adequate backups. However, backing up your information is really only half of what you should be doing. To give yourself 100% certainty of your backups you actually need to restore them.
I can’t tell you the number of times that I have come across people who religiously back up but when they need to actually restore data they can’t for some reason. The most likely reason is that the media is corrupted, however I have even seen a case where a company was religiously backing up to write protected tapes. Since all they ever did was change the tape daily and never check the log they effectively had no backups when they needed them. The sad thing is that they thought they were doing the right thing! (certainly not the “write” thing).
So restoring backed up data is just as important because you don’t want to find you have issues when you are relying on your backups to get you out of a disaster. In theory you should of course perform a complete disaster recovery so you know you can do it when the chips are down. At the very least, you should be running smaller test restores regularly to reduce the chances of issues developing.
Now that is all well and good but what happens if you are using the cloud as a backup? What happens when you are using a large provider to maintain your backups? What happens if you are paying someone else to perform your backups? I would still again say restore, restore, restore. You need to be 100% confident that YOU and you alone can recover your data if needed. That means that if you are not 100% comfortable with a third party doing it for you then you need to take additional steps to ensure you can.
This may mean that you need to do your own data backup if your information is stored in the cloud. Remember, the rule of thumb is 3-2-1.
– 3 copies of the data including the original
– 2 different media types for backed up information
– 1 backup off site
Now if you are using a hosted service, I wouldn’t be waiting until you need to recover information, I’d be testing the whole restore process beforehand. In most cases this means logging a ticket with the service provider to complete the recovery. In most cases, this means that the restore process is now out of your control. You simply have to wait until it is completed. How long will that take? You’ll never know until you have asked to have something restored, now will you? Again, do it as a test before you actually need to restore something and document the process so you know.
You also need to be aware of what can actually be restored. In the case of something like SharePoint Online the only current option is a complete site collection restoration over the top of the existing information as detailed here:
http://blogs.technet.com/b/akieft/archive/2012/01/09/restore-options-in-sharepoint-online.aspx
That means that if all you want restored is a single file then you can’t achieve that without overwriting the complete site collection.
SharePoint Online has plenty of other recovery options such as the recycle bin which alleviates this issue BUT what it highlights is that there are limits on what hosting providers can restore. My question for you is, if you are using a cloud provider do you KNOW what the restoration process is? If you don’t then you should.
To be truly secure with cloud providers you are probably going to have to set up some sort of manual or third party back up of your data and that can be difficult, especially given the volume of data most people are pushing up to the cloud. Most connections won’t allow you to suck everything down to a local hard disk overnight, so what do you do?
This is where a hybrid approach makes sense. If you use a desktop application like Outlook for your emails then a local copy of your inbox is stored on your workstation. This at least allows you to work ‘off line’ and get to the data locally. If you only accessed your emails via a web browser then you may not be able to get access to it in the event of a disaster.
Office programs like SkyDrive Pro, SkyDrive, OneNote, etc allow you to retain local copies of your data on multiple devices automatically. These features are designed more for convenience than pure backup, however they certainly provide this functionality as an important side benefit. If you accessed everything only via your browser then you may not have that luxury in the event of a disaster. My questions are, do you know what can be restored if needed from the cloud? Then, how can it be restored? Then, how long will it take?
No matter whether you use hosted providers or on premise equipment you need to be able to restore your data when required. You need to understand how long this will typically take and what you can and can’t restore. You and ONLY you are responsible for the security of your data. Therefore you NEED to take responsibility for it NOW and ensure you can restore it if needed.
You have been warned. Because remember, it isn’t a matter of IF you need to recover data, it is WHEN you need to recover data, because NO ONE is immune from disaster.