Active Directory Integration with Office 365: Directory Sync

The first two articles in this series focused on installing local Active Directory, integrating it with Office 365, and setting up federation and single sign-on. Both are great features for any organization looking to realize the benefits of mixing on-premise Active Directory with the cloud-based messaging, collaboration, and other features of Office 365. In today’s article, we’ll complete the trifecta and perform the steps necessary to activate local Active Directory synchronization with Office 365.

Activating Microsoft Directory Synchronization

Federation and single sign-on allow Office 365 to trust the authentication of users performed by Active Directory, but user accounts must be synchronized between the systems for everything to work. While user information could manually be duplicated in Office 365, that would get very old, very fast. Thankfully, the Microsoft Directory Synchronization Tool offers a better way.

The Microsoft Directory Synchronization Tool replicates certain objects and attributes from the local AD to Windows Azure Active Directory. Windows Azure AD is the cloud back-end that provides identity and access capabilities for Office 365. Replicated objects include users and groups, and the synchronized attributes are those typically found in Exchange’s Global Address List, such as description, phone number, and the like. Review the Microsoft Support article for a complete list of synchronized attributes.

Note: There are a few things to be aware of before turning on Directory Synchronization. First and foremost, it’s not easy to turn off. In other words, Directory Synchronization should be viewed as permanent. So don’t turn it on just to give things a whirl. Disabling synchronization requires use of a PowerShell cmdlet. You may also effectively turn things off by limiting the scope so that no local AD objects get synchronized. Also keep in mind that once Directory Synchronization is active, all synchronized users can only be managed locally. You can’t modify synchronized objects through the Office 365 Admin Center. This is probably the goal in the first place, but something to be aware of nonetheless.

There are a number of requirements for installing the Directory Synchronization Tool. For instance, the tool cannot be installed on a Domain Controller, nor can it be installed on the computer running Active Directory Federation Services 2.0. Wherever it’s installed, that computer must be joined to the Active Directory domain and it must be capable of running SQL Server 2008 Express, the .Net Framework 3.5, and PowerShell.

Synchronization is scheduled by default to run every three hours. Synchronized objects should show up almost immediately in Office 365, but they may take up to a day to appear in the Offline Address Book or Lync Online.

Let’s get this show on the road by activating Active Directory synchronization within the Office 365 Admin Center.

  • Open Internet Explorer.
  • Navigate to the Office 365 Admin Center.
  • Login with a Microsoft Online Services ID that has administrator privileges.
  • From the Dashboard, click Users and Groups.
  • On the users and groups page, click Set up next to Active Directory synchronization.

Fig 1 - AD Sync Setup

  • Under Activate Active Directory synchronization click the Activate button.

Fig 2 - AD Sync Activate

  • When prompted, click Activate to confirm you really want to enable synchronization.

Fig 3 - Confirm AD Sync Activate

Active Directory Synchronization Using PowerShell

It’s also possible to complete these steps using the Windows Azure Active Directory Module for Windows PowerShell.

  • Logon to the computer where the Windows Azure Active Directory Module for Windows PowerShell is installed.
  • Run the Windows Azure Active Directory Module for Windows PowerShell by right-clicking the icon and selecting Run As Administrator.
  • Enter $cred = Get-Credential
  • Enter the Microsoft Online Services ID you would use to sign in to Office 365 and click OK.
  • Enter the cmdlet Connect-MsolService -Credential $cred to connect to the Microsoft Online Service.
  • Enter the cmdlet Set-MsolDirSyncEnabled -EnableDirSync $true

The activation process will begin immediately, but it may take up to 24 hours to show complete in the Office 365 Admin Center.

Fig 4 - AD Sync Activating Message

Directory Synchronization Troubleshooting

Don’t attempt to configure the Microsoft Online Services Directory Synchronization Tool until activation completes. Speaking of which, an unusual snag occurred during the course of preparing this article. Twenty-four hours came and went, yet the activation process still continued to display “being activated.” This little snafu required a 72-hour unexpected jaunt through Microsoft’s Office 365 support system. The adventure nearly caused me to pull my hair out (if I had any left) and could warrant a dedicated article of its own. In case you encounter this problem, I want to give you some Petri exclusive tips right here, right now.

  • First, run the following cmdlets from the Windows Azure Active Directory Module for Windows PowerShell:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
(Get-MSOLCompanyInformation).DirectorySynchronizationStatus
(Get-MSOLCompanyInformation).ObjectID

  • Capture a screenshot showing the output of all three cmdlets. It’ll be needed shortly.
  • Open a support ticket in the Office 365 Admin Center attaching the screenshot of the PowerShell cmdlet results. Also include the version of the OS including the service pack level of the computer where the Directory Synchronization Tool will be installed. This information serves no purpose in fixing this issue, but if it isn’t provided they’ll call you asking for it, delaying resolution. Avoid the frustration by providing it now. Hint: Windows Server 2008 R2 SP1 is a good answer.
  • Immediately call support with the ticket number. Do NOT wait for an email response unless you have boundless patience. I’m talking the kind of patience needed to run a large daycare facility.
  • When calling in, immediately ask for the case to be escalated.
  • When it’s suggested the problem is that the Directory Synchronization Tool hasn’t been run, calmly explain that’s a nice thought, but when you run the tool it just produces “Error 15: Dirsync not activated,” which is why you opened the ticket in the first place.
  • Call frequently for updates.
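The PowerShell activation steps and the three status checks above, combined into one script that refuses to activate a tenant that is already enabled and keeps a timestamped text record of the status instead of a screenshot. This is an added example, not code from the article; it assumes the Windows Azure Active Directory Module for Windows PowerShell is installed, and the function names, the log path and the assumption that a finished activation reports the status “Enabled” are this example’s own.

```powershell
# Added example, not code from the original article. It assumes the Windows
# Azure Active Directory Module for Windows PowerShell (MSOnline) is installed
# and uses only the cmdlets the article names; function names and the log
# path are this example's own choices.

$LogPath = "$env:USERPROFILE\dirsync-activation.log"   # example path

function Get-DirSyncState {
    # The three tenant properties the article asks you to capture for support.
    $info = Get-MsolCompanyInformation
    New-Object PSObject -Property @{
        Checked  = (Get-Date).ToString('o')
        Enabled  = $info.DirectorySynchronizationEnabled
        Status   = $info.DirectorySynchronizationStatus
        TenantId = $info.ObjectID
    }
}

function Enable-DirSyncSafely {
    # Activation is effectively permanent, so read the tenant state first and
    # require an explicit switch before turning it on.
    param([switch]$Force)
    $state = Get-DirSyncState
    if ($state.Enabled) {
        Write-Host "Already enabled (status: $($state.Status)); nothing to do."
        return $state
    }
    if (-not $Force) {
        Write-Warning "Not enabled. Re-run with -Force to activate; this is hard to undo."
        return $state
    }
    Set-MsolDirSyncEnabled -EnableDirSync $true
    Get-DirSyncState
}

Connect-MsolService -Credential (Get-Credential)   # Microsoft Online Services admin ID
$state = Enable-DirSyncSafely -Force
$state | Format-List Checked, Enabled, Status, TenantId

# Append a text record for a ticket and warn when the status has stayed in a
# not-yet-"Enabled" value (assumed completion value) for more than 24 hours.
"$($state.Checked)`t$($state.Enabled)`t$($state.Status)`t$($state.TenantId)" | Add-Content -Path $LogPath
$rows = @(Get-Content $LogPath | ForEach-Object {
    $f = $_ -split "`t"; New-Object PSObject -Property @{ Checked = [datetime]$f[0]; Status = $f[2] }
})
$statuses = @($rows | Select-Object -ExpandProperty Status -Unique)
if ($state.Enabled -and $state.Status -ne 'Enabled' -and $statuses.Count -eq 1 -and
    ((Get-Date) - $rows[0].Checked).TotalHours -gt 24) {
    Write-Warning "Status '$($state.Status)' unchanged since $($rows[0].Checked); open a ticket and attach $LogPath."
}
```

Run it once to activate, then re-run it periodically; the warning only fires after the log shows the same pending status for more than a day.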

Moving on! First, download the Microsoft Online Services Directory Synchronization (DirSync) Tool. Then, follow these steps.

  • Logon with administrative privileges to the member server where the DirSync tool will be installed.
  • Open Internet Explorer.
  • Navigate to the Office 365 Admin Center.
  • Login with a Microsoft Online Services ID that has administrator privileges.
  • From the Dashboard, click Users and Groups.
  • On the users and groups page, click Set up next to Active Directory synchronization.
  • Under Install and configure the Directory Sync tool, click Download.
  • When prompted, click Save As and choose an easy-to-remember folder to store the dirsync.exe file.

Fig 5 - DirSync Tool Download

Only install and run the DirSync tool on one computer in the local AD domain.

  • Right-click the dirsync.exe file then click Run as administrator.
  • When the Microsoft Online Services Directory Synchronization Setup wizard appears, click Next.
  • The License Terms window appears. Click the radio button to accept, then click Next.

Fig 6 - DirSync Setup Wizard

  • Click Next to accept the default installation location.

Fig 7 - DirSync Setup License Terms

  • The setup wizard will do its thing. Don’t get concerned if it takes a few minutes.

Fig 9 - DirSync Setup Installing

  • Once complete, click Next to continue.
  • Verify the checkbox for Start Configuration Wizard is checked, then click Finish.

During installation, the DirSync tool creates a service account, MSOL_AD_SYNC, in the Users Organizational Unit of the local AD. This is the account the tool will use to read the local AD. If this account is ever moved, disabled, or removed you can probably guess what will happen: synchronization failures!
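A quick health check for the MSOL_AD_SYNC account described above, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) is available where you run it and that the account name is MSOL_AD_SYNC as the article states; the function name is this example’s own.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module (RSAT) is available and the service account name the article gives.
Import-Module ActiveDirectory

function Test-DirSyncServiceAccount {
    # Reports the conditions that would break the tool's read access to AD:
    # account missing, disabled, locked out, password expired, or moved out
    # of the domain's Users container (CN=Users) where the installer created it.
    param([string]$SamAccountName = 'MSOL_AD_SYNC')
    $acct = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" `
                       -Properties Enabled, LockedOut, PasswordExpired, DistinguishedName
    if (-not $acct) { return @("Account $SamAccountName not found: synchronization will fail.") }
    $findings = @()
    if (-not $acct.Enabled)    { $findings += "Account is disabled." }
    if ($acct.LockedOut)       { $findings += "Account is locked out." }
    if ($acct.PasswordExpired) { $findings += "Password has expired." }
    $parent = ($acct.DistinguishedName -split ',', 2)[1]
    if ($parent -notlike 'CN=Users,*') { $findings += "Account has been moved to $parent." }
    if ($findings.Count -eq 0) { "OK: $($acct.DistinguishedName)" } else { $findings }
}

Test-DirSyncServiceAccount
```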

  • When the Microsoft Online Services Directory Synchronization Configuration Wizard Welcome Screen appears, click Next.

Fig 10 - DirSync Configuration Wizard Welcome

  • Enter the Microsoft Online Services ID credentials used when logging on to the Office 365 Admin Center, then click Next.

Fig 11 - DirSync Configuration Wizard Microsoft Online ID

As previously mentioned, if the Activate Directory Synchronization process in the Office 365 Admin Center hasn’t fully completed, the wizard will fail right here. This is a common problem that isn’t well documented and can have you reaching for an antacid in short order.

  • Enter credentials for an account in the local AD that has Enterprise Admin rights.

Fig 12 - DirSync Configuration Wizard AD Creds

  • Click Next.

Enabling a Hybrid Environment

The next step enables support for a hybrid environment. Having a hybrid environment allows supporting a mix of both local Exchange mailboxes and online Office 365 Exchange mailboxes. It also enables archiving local mailboxes into the cloud. It enhances how spam protection and unified messaging interact between the cloud and local systems. All are good features to have, but enabling a hybrid configuration only works if you have Exchange 2010 SP1 locally. If not, sorry Charlie, you’re out of luck.

  • To enable a hybrid configuration, check the box next to Enable Exchange hybrid deployment. Otherwise clear the checkbox.

Fig 13 - DirSync Configuration Wizard Enable Hybrid

  • Click Next.
  • When prompted with Configuration complete, click Next.

Fig 14 - DirSync Configuration Wizard Complete

  • Verify the checkbox next to Synchronize directories now is selected, then click Finish.

Fig 15 - DirSync Configuration Wizard Sync Now

  • A friendly message box appears with a link to instructions for verifying directory synchronization. Click OK.

Fig 16 - DirSync Configuration Wizard Verifying Sync

During the initial synchronization, a copy of all the local AD users and groups is written to the Office 365 Windows Azure AD directory. From then on, the DirSync Tool simply checks for changes and writes those to the cloud as necessary.

Note: Synchronizing users doesn’t automatically grant them an Office 365 license. This is a good thing.

Very soon, all the local AD accounts will appear in the Office 365 Admin Center under the users and groups node.

Fig 17 - Office 365 Admin Center Users

Congratulations! Federation, single sign-on, and directory synchronization are now all features that your organization can enjoy as part of a robust Office 365 implementation.

Stay tuned for future Petri articles covering various facets of Office 365 deployment, administration, and troubleshooting.