Part 1
- Introducing the concepts of Identity Synchronization and Federation
- How to synchronize a .local domain
- How to prepare Active Directory for Directory Synchronization
You can access part 1 in this series here: http://sharepoint.protiviti.com/blog/Lists/Posts/Post.aspx?ID=142.
Setup Your Domain in Office 365
The next step in the process of setting up directory synchronization is registering your domain in your Office 365 tenant. You do this by logging in to your Office 365 tenant as a tenant administrator and clicking DOMAINS in the left-hand menu.
You’ll see your Office 365 domain listed (*.onmicrosoft.com), but you need to add your on premise domain to this list, and Microsoft needs to verify that you own that domain. This must be a publicly routable internet domain, and it must be the same domain that you set up as the Alternate UPN Suffix in the first post in this series.
There are 3 steps in the process of adding a domain. Step 1 here, specifying the domain name and confirming ownership, is the most critical step for Directory Synchronization.
- Click Start Step 1 and specify the domain name. In my case I used maiolabs.com. Click Next.
- Now you’ll need to confirm that you own this domain. This can be done in a couple of different ways.
If your domain is managed at GoDaddy, Office 365 will allow you to confirm ownership simply by performing a secure login to the GoDaddy account that you use to manage this domain. To do this, click Confirm Ownership on the screen above. A window will appear asking you to sign into your GoDaddy account. If you use this option to confirm ownership of your GoDaddy domain, the process will complete immediately and you can continue to Step 2 and Step 3 of adding a domain.
Alternatively, if you manage your domain elsewhere, you can follow the manual steps required to verify ownership. Simply click Follow the manual steps in the window above.
The manual steps require you to add a particular record to your DNS configuration at your DNS hosting provider. I typically add the TXT record with the code specifically provided by Microsoft here, because it’s quite simple to do. Once the DNS record is added, you’ll have to come back here and click Done, Verify Now. This typically does not work immediately after adding the DNS record. You usually have to wait several hours for the record to be updated and accessible. You can return to DOMAINS in your Office 365 tenant later and try to verify again.
Ensure that you spell the code correctly when you add it. It can take up to 72 hours for the updated DNS record to be accessible by Office 365 to verify ownership, and you don’t want a typo to force you to wait that long again.
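Before clicking Done, Verify Now you can check from the Directory Synchronization server whether the TXT record has actually propagated and matches the code character for character. This is an added helper, not code from the original post; it assumes Windows 8 / Server 2012 or later (where Resolve-DnsName is available) and uses a placeholder verification value.

```powershell
# Added example (not part of the original post): confirm that the TXT verification record
# Microsoft gave you is visible in public DNS before clicking "Done, Verify Now".
# Assumes Windows 8 / Server 2012 or later, where Resolve-DnsName (DnsClient module) is available.
function Test-DomainVerificationRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,         # e.g. maiolabs.com
        [Parameter(Mandatory = $true)] [string] $ExpectedValue,  # exact code shown in the Office 365 portal
        [string[]] $Resolvers = @('8.8.8.8', '1.1.1.1')           # public resolvers; bypass the local DNS cache
    )
    $seenEverywhere = $true
    foreach ($server in $Resolvers) {
        try {
            $answer = Resolve-DnsName -Name $Domain -Type TXT -Server $server -DnsOnly -ErrorAction Stop
        } catch {
            Write-Warning ("TXT lookup for {0} at {1} failed: {2}" -f $Domain, $server, $_.Exception.Message)
            $seenEverywhere = $false
            continue
        }
        # Each TXT answer carries its payload as a string array; join the pieces back into one value.
        $values = @($answer | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { ($_.Strings -join '') })
        # Case-sensitive exact match: a typo in the code is caught here instead of after the 72-hour wait.
        if ($values -ccontains $ExpectedValue) {
            Write-Host ("[OK  ] {0}: verification record visible" -f $server)
        } else {
            Write-Host ("[WAIT] {0}: record not visible yet; current TXT values: {1}" -f $server, ($values -join ' | '))
            $seenEverywhere = $false
        }
    }
    return $seenEverywhere   # $true only when every resolver already returns the expected record
}

# Usage with a placeholder code; substitute the exact string from the portal:
# Test-DomainVerificationRecord -Domain 'maiolabs.com' -ExpectedValue 'MS=msXXXXXXXX'
```

Only click Verify Now once the function returns $true; if it reports the record with a different value, fix the typo at the DNS host first.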
Once the domain ownership is verified, you must proceed through Step 2 and Step 3 in the process of adding a domain; however, each step allows you to skip it once you’re into it. Once Step 3 is complete, your publicly routable internet domain will appear in your domain list with the status Setup complete.
Activate Directory Synchronization in Office 365
The next step in this process is to activate directory synchronization in your Office 365 tenant. You do this by clicking USERS in the menu on the left and then clicking Set up beside Active Directory synchronization.
Clicking Set up will bring up the following screen. Click the Activate button.
This will bring up a confirmation window which contains a very important point about this process: once identities and groups are synchronized to Office 365 from an on premise AD domain, those objects can only be edited within the on premise AD domain.
Click Activate here to continue.
Installing and Configuring the Directory Synchronization Server On Premise
Now it’s time to actually install and configure the Directory Synchronization server. This server application is also called DirSync, and the install file is DirSync.exe. You can download DirSync.exe by clicking USERS in the left-hand menu, then clicking Set up beside Active Directory synchronization as shown above, and then clicking the Download button.
DirSync must be installed on a domain-joined server. In its earlier releases DirSync had to be installed on the domain controller itself, but now it can be installed on its own dedicated server, which is recommended.
Ensure that you have the following prerequisites in place for the Directory Synchronization Server before proceeding with the install:
- Domain joined to the Active Directory forest you will be synchronizing.
- 64-bit Windows Server operating system (2008 with SP1 or later, 2008 R2 with SP1 or later, 2012, 2012 R2; Standard, Enterprise or Datacenter edition).
- .NET 3.5.1 and .NET 4.0 Frameworks must be installed.
- PowerShell must be enabled in Windows Server 2008.
Other notes:
- Access to the computer running DirSync should be limited to users who have access and permissions to make changes to the Active Directory domain controllers.
- Ensure that Microsoft Online Sign-In Assistance is not already installed. If it is, uninstall it. The DirSync installation will try to install this, and the entire installation will fail if it is already installed.
- Only 1 instance of DirSync can be installed within an on premise AD forest.
- DirSync will synchronize all domains within the AD forest.
To install and run DirSync, you must have the following permissions:
- Local administrator permissions on the computer running the Directory Synchronization server
- Administrator permission to the local Active Directory forest (part of the Enterprise Administrators group)
- A service administrator in the Office 365 tenant
During the DirSync install process, you’ll need to provide the username and password for the on premise Active Directory administrative account and the service administrator for Office 365. When installing DirSync, the Configuration Wizard will create a service account that is used to read from the local Active Directory and write to Azure AD. The wizard creates this account using both your local Active Directory admin permissions and your cloud admin permissions, which must be provided during the installation process.
You can deploy and host DirSync within an Azure VM as long as you have network connectivity between your on-premises network and your Azure Virtual Network. However, that’s beyond the scope of this article.
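The prerequisites, notes and permissions above are easy to verify in one pass before you start the installer. The following pre-flight script is an added example, not part of the original post or of DirSync itself; it assumes the standard .NET Framework setup registry keys and identifies the Sign-In Assistant by its uninstall DisplayName.

```powershell
# Added example (not part of the original post): pre-flight check of the DirSync server
# prerequisites, "other notes" and permissions listed above. Run it from an elevated
# PowerShell session on the intended Directory Synchronization server.
# Assumptions: the standard .NET Framework setup registry keys, and an uninstall entry
# whose DisplayName contains "Sign-in Assistant" for the Microsoft Online Sign-In Assistant.
function Test-DirSyncPrerequisites {
    $r   = New-Object System.Collections.Specialized.OrderedDictionary   # works on PowerShell 2.0 too
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version

    $r['Domain joined']  = [bool]$cs.PartOfDomain
    $r['64-bit Windows'] = ($os.OSArchitecture -like '64*')
    # Server SKU (ProductType 2 = DC, 3 = member server); NT 6.0/6.1 need SP1+, NT 6.2+ (2012, 2012 R2) do not.
    $spOk = ($ver -ge [version]'6.2') -or ($ver.Major -eq 6 -and $ver.Minor -le 1 -and $os.ServicePackMajorVersion -ge 1)
    $r['Supported server OS'] = ($os.ProductType -ne 1) -and $spOk

    # .NET 3.5.1 (3.5 SP1, build 30729) sets Install=1 under NDP\v3.5; .NET 4.0 creates NDP\v4\Full.
    $net35 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'    -ErrorAction SilentlyContinue
    $net4  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $r['.NET 3.5.1 installed'] = ($net35 -ne $null) -and ($net35.Install -eq 1) -and ([version]$net35.Version -ge [version]'3.5.30729')
    $r['.NET 4.0 installed']   = ($net4 -ne $null) -and ($net4.Install -eq 1)

    # The DirSync installer fails if the Sign-In Assistant is already present; look in both uninstall hives.
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $sia = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*Sign-in Assistant*' }
    $r['Sign-In Assistant not installed'] = ($sia -eq $null)

    # Permissions: local Administrators to run the installer, Enterprise Admins for the wizard's AD credentials.
    $id     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $prin   = New-Object Security.Principal.WindowsPrincipal $id
    $groups = foreach ($g in $id.Groups) { try { $g.Translate([Security.Principal.NTAccount]).Value } catch { } }
    $r['Running as local Administrator'] = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $r['Member of Enterprise Admins']    = [bool]($groups | Where-Object { $_ -like '*\Enterprise Admins' })

    foreach ($check in $r.Keys) {
        $tag = if ($r[$check]) { ' OK ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $tag, $check)
    }
    return $r   # every entry must be $true before running DirSync.exe
}
```

The Office 365 service administrator role cannot be checked locally; confirm it in the tenant before the Configuration Wizard asks for those credentials.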
Installing DirSync.EXE
Once you’ve downloaded DirSync.exe to the Directory Synchronization server, start the installation process:
- Welcome screen: click Next
- Accept the EULA and click Next
- Select the installation folder and click Next
- The installation process takes about 10 minutes
- When the installation process is complete, ensure the Start Configuration Wizard now check box is on and click Finish
DirSync Configuration Wizard
Once the configuration wizard starts, you’ll be asked to specify the Azure Active Directory Administrator credentials. Enter the username and password of the service administrator account for Office 365 and click Next.
You’ll then be asked to specify the Active Directory Enterprise Administrator credentials. Enter the username and password for an administrative user that is part of the Enterprise Administrators group of the local Active Directory and click Next.
- You’ll then be asked if you would like to Enable Hybrid Deployment. This feature allows Office 365 (Azure Active Directory) to write changes to identities back into the on premise Active Directory. An example of this is if a user changes their password: with a Hybrid Deployment, this change will be synchronized back to the on premise AD. Select Enable Hybrid Deployment and click Next.
- You’ll then be asked to Enable Password Sync. This feature allows password changes within the on premise AD to be synchronized to Office 365. Although this is not true single sign-on, it does make the end user experience much better because they use the same username and password for both on premise resources and Office 365, even as passwords change.
Once the configuration process is complete, you’ll be asked to run your first directory synchronization. Click Finish. The directory synchronization process will begin immediately.
If you return to Office 365, click USERS in the left-hand menu and then click Active Users, after a few minutes you’ll see user accounts and groups from the on premise AD appearing in your Office 365 tenant.
My on premise user accounts here are obviously dwarfs. You’ll notice that user accounts that are synchronized from on premise AD have a status of Synched with Active Directory and, as mentioned earlier, cannot be edited in Office 365.
In order to log in to Office 365 and SharePoint Online with these new users, you’ll still need to assign an Office 365 license to each user individually here. This directory synchronization process will now occur automatically every 3 hours.
Once licenses are assigned, user accounts that were synched from on premise AD can now log in to Office 365 using their same on premise username and password!