Wednesday, December 31, 2014

Office 365 - Hybrid Migration - Part 3: DirSync

I had already outlined the DirSync process in a previous blog post (two in fact):

I will refer the reader to those posts and not repost the entire content here.

On the other hand, I will take into account some slight changes.

The Office 365 interface has changed slightly, so I'll post new screenshots for downloading and installing the DirSync.exe program.

Also, one important requirement has changed: it is now possible to install DirSync on a domain controller but this is not recommended.

For testing, it is possible to install DirSync on an ADFS server, but this is discouraged in a production environment. Indeed, when I attempted to install DirSync, there was a conflict with a newer version of the Microsoft Online Services Sign-On Assistant already installed for ADFS operations:

What is the solution?

First, uninstall the newer version and then attempt to install DirSync again. Once DirSync is installed, we can install the newer version of the Assistant over the version that came with DirSync.

In addition to reading my previous blog posts, the steps are also outlined under "Manage" in the Users section of Office 365 (see screenshots below):

When we click on "Manage" (previous screenshot), this is what we see:

I had already completed the first three steps (above) in my blog series about the Exchange 2007 Staged Migration. In the paragraphs below, we will "Install and configure the Directory Sync tool".


Active Directory synchronization is already activated in my Office 365 tenant.

We can see this in the first of the two screenshots above. The link shown next to Active Directory Synchronization reads "deactivate", which means, logically, that synchronization is currently activated. If it were not, we would click on the link to activate synchronization.

We can also verify this with PowerShell (if we have installed the Office 365 module):

PS C:\> $cred = Get-Credential

Note: here we would enter our Office 365 credentials when prompted. By default, this would be the account used to set up your Office 365 tenant, for example:

PS C:\> Connect-MsolService -Credential $cred

PS C:\> Get-MsolCompanyInformation | fl *synchr*

DirectorySynchronizationEnabled : True
DirectorySynchronizationStatus  : Enabled
PasswordSynchronizationEnabled  : True

Alternatively, we can read the property directly from the same cmdlet:

PS C:\> (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

If we want to activate Directory Synchronization with PowerShell, this is the cmdlet:

PS C:\> Set-MsolDirSyncEnabled -EnableDirsync $true



Now we can download DirSync from the Office 365 portal (see screenshots above) and then run the install program on the server we have selected for the directory synchronization operations. Ideally, DirSync would run on its own server, physical or virtual.

I will install DirSync on a Windows 2012 R2 server.

Please note that DirSync requires .NET Framework 3.5 SP1 - as well as .NET Framework 4.5. If version 3.5 is not installed, an error message will display:

We can correct this by installing the feature:

Once all the prerequisites are installed, we can execute "dirsync.exe", the DirSync setup file:

We accept the License Terms...

Select Installation Folder (the default location should be fine):

Once we click "Next" (above), the setup wizard installs DirSync...

We can configure DirSync immediately by selecting the "Start Configuration Wizard now" option:


If we do not configure DirSync by checking the option above (last DirSync installation screenshot), we can click on the Configuration Wizard icon on the desktop. This opens the wizard:

Next, we enter the credentials for our Office 365 account. By default, this would be the account used to set up your Office 365 tenant, for example:

Then we enter domain admin credentials for our onsite Active Directory:

The next section is an example of a significant difference with my previous staged migration (please refer to the hyperlinks at the beginning of this post). If we intend to perform a hybrid migration, we must select the option below:

Although this was not always the case, DirSync can now synchronize passwords (in fact, the password hash) so, if we prefer, we can enable this option:

The wizard then configures DirSync:

At this point, we can perform an initial synchronization of the following Active Directory objects:
  • Users
  • Groups
  • Contacts

However, we may not want to synchronize all Active Directory objects in those categories. We may prefer to filter only the users in a particular Organizational Unit (OU). In that case, we would uncheck the "Synchronize your directories now" option and set a filter for synchronized objects.

How do we filter by OU?

We open the miisclient.exe file located here:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

This opens the "Synchronization Service Manager".

We select "Active Directory Connector", right-click and then select "Properties".

We select "Configure Directory Partitions", click on "Containers" in the credentials section:

Note that the password synchronization option is checked (red dot).

We select the containers holding the objects we want to synchronize with Office 365:

But how do we trigger synchronization?

In my blog posts on the Exchange 2007 Staged Migration, I presented the "GUI method". We can also use PowerShell cmdlets.

First, we import the DirSync module using one of two methods:

We can navigate to this location and execute the ImportModules.ps1 script...

C:\Program Files\Windows Azure Active Directory Sync\DirSync> .\ImportModules.ps1

Or we can execute the cmdlet...

C:\> Import-Module DirSync

This cmdlet triggers the actual synchronization with Azure Active Directory:


DirSync will run on a regular schedule afterwards (there is no need to repeat the operation manually - in normal circumstances).
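The following script ties together the tenant-side checks from the PowerShell section above and the module import and sync trigger described here. It is an added example, not code from the original post or from Microsoft; it assumes the MSOnline module is installed, that DirSync sits in its default folder on this server, and that the DirSync module exposes the Start-OnlineCoexistenceSync cmdlet (it did in the DirSync releases of this period).

```powershell
# Added example (not from the original post): confirm the tenant-side DirSync
# state, load the DirSync cmdlets, trigger one sync cycle and confirm that the
# tenant recorded it. Run in an elevated PowerShell session on the DirSync server.

# 1. Connect to Office 365 with the tenant admin account (credentials prompted).
$cred = Get-Credential -Message "Office 365 global admin"
Connect-MsolService -Credential $cred

# 2. Make sure directory synchronization is active on the tenant; enable it if not.
#    (Enabling prompts for confirmation and can take a while to propagate.)
$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirsync $true
}
# Password hash sync is reported here too; note whether it is on, because it
# determines whether password hashes leave the on-premises forest.
"PasswordSynchronizationEnabled: $($info.PasswordSynchronizationEnabled)"

# 3. Load the DirSync cmdlets: prefer Import-Module, fall back to the
#    ImportModules.ps1 script shipped in the DirSync install folder.
try {
    Import-Module DirSync -ErrorAction Stop
} catch {
    & "C:\Program Files\Windows Azure Active Directory Sync\DirSync\ImportModules.ps1"
}

# 4. Record the last sync time the tenant knows about, trigger a sync cycle,
#    then poll until the tenant reports a newer time (give up after 15 minutes).
$before = (Get-MsolCompanyInformation).LastDirSyncTime
Start-OnlineCoexistenceSync
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 60
    $after = (Get-MsolCompanyInformation).LastDirSyncTime
} while (($after -eq $before) -and ((Get-Date) -lt $deadline))

if ($after -ne $before) {
    "Synchronization completed; tenant LastDirSyncTime is now $after (UTC)."
} else {
    "No new sync time recorded after 15 minutes; check the run history in Synchronization Service Manager."
}
```

Comparing LastDirSyncTime before and after is the tenant-side confirmation that the cycle actually reached Azure Active Directory, which the local run history alone does not prove.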
