So far in this series we’ve discussed the merits of Password Sync vs ADFS and the different migration types available to professionals with their eye on the cloud. Now I’d like to cover the actual implementation of a few of these options. Specifically, let’s discuss setting up DirSync with Office 365 Password Sync.
Setting up DirSync will probably be the easiest part of your Office 365 implementation, depending on your needs. Determining your needs is the difficult part, but we’ll cover that in a moment. Let’s get started with what to do.
First up, you need to prep your AD for synchronization with Office 365. Chiefly, this means getting your personal domain verified in Office 365 and setting the UPN of the users you plan to sync to match. I won’t go too far into detail on domain verification, because Microsoft does a good job of walking you through it in the console. Making your UPN match can be a more difficult step. To set up a new UPN, go to Active Directory Domains and Trusts and right-click on AD Domains and Trusts in the console window.
Choose Properties, which brings up the window where you add your UPN suffixes. Type in the suffix for your domain (e.g. contoso.com or drewissoawesome.org) and click Add.
Now you need to add the new suffix to the users. You can do this either through Active Directory Users and Computers by selecting a batch of users and changing the suffix in Properties or through PowerShell. Oh PowerShell, is there anything you can’t do?
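Here is the PowerShell route for the batch change, as an added example that is not from the original post. It assumes the ActiveDirectory module is available, that the new suffix has already been added in AD Domains and Trusts, and that the OU path and the old and new suffixes are placeholders you replace with your own. The `-WhatIf` keeps the first run read-only so you can review the list before anything is written.

```powershell
# Added example (not part of the original post): rewrite the UPN suffix for a batch
# of users so that it matches the domain verified in Office 365.
# Assumptions (placeholders): the OU, old suffix and new suffix below are yours to replace.
Import-Module ActiveDirectory

$OldSuffix  = 'contoso.local'                      # current UPN suffix (placeholder)
$NewSuffix  = 'contoso.com'                        # domain verified in the Office 365 portal (placeholder)
$SearchBase = 'OU=Staff,DC=contoso,DC=local'       # scope the change to one OU (placeholder)

# Only touch accounts that still carry the old suffix; everything else is left alone.
$users = Get-ADUser -SearchBase $SearchBase `
                    -Filter "UserPrincipalName -like '*@$OldSuffix'" `
                    -Properties UserPrincipalName

foreach ($user in $users) {
    # Keep the local part, swap only the suffix.
    $localPart = ($user.UserPrincipalName -split '@')[0]
    $newUpn    = "$localPart@$NewSuffix"
    Write-Host "$($user.SamAccountName): $($user.UserPrincipalName) -> $newUpn"
    # Remove -WhatIf once the printed list looks right.
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
}

# Pre-sync check: anything in scope still outside the verified domain will get a
# default onmicrosoft.com name in Office 365, so report it before running DirSync.
$leftover = Get-ADUser -SearchBase $SearchBase -Filter * -Properties UserPrincipalName |
            Where-Object { $_.UserPrincipalName -notlike "*@$NewSuffix" }
Write-Host "Users not yet on $NewSuffix : $($leftover.Count)"
```

Run it once with `-WhatIf` in place, read the printed before/after list, then run it again without `-WhatIf`. The final count should be zero for the OU you intend to sync.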
Why did we go through all that trouble? You may have noticed that you were assigned a domain.onmicrosoft.com formatted (e.g. AwesomeDrew.OnMicrosoft.com) address when you signed up for Office 365. Any user whose UPN suffix doesn’t match one of the domains you verified in the portal receives a default user name on that onmicrosoft.com domain instead. We want to provide the most consistent experience possible for our users, so we match the UPNs up, making their login address the same both inside and out.
Now that the UPNs match, it’s time for DirSync. First, go to the Office 365 admin portal, Users and Groups, and choose “Set up” next to Active Directory Synchronization.
This takes you to a screen with step-by-step instructions for setup, including references and a download link for the latest version of DirSync. Like I said, Microsoft is very thorough now about guiding you through the setup process.
Click Activate to set it up on the Office 365 side and then download the file.
Next up is installing. Go to the server you set aside for DirSync. It should be at least Server 2008 Datacenter or higher. I recommend Server 2012 R2, of course. DirSync also requires 64-bit now, so keep that in mind.
With the latest version, loading it on a Domain Controller is supported, but not recommended for larger production environments. The install is essentially a Next, Next, Finish. You specify your admin login for Azure (Office 365), a login with access to your local directory, and then tell it whether this will be a hybrid deployment or not. Hybrid means Azure Active Directory is allowed to write some attributes back to your local AD. The final step is to decide whether you want DirSync or not. We do in this case, so check that box!
And there you have it. You’re all set with Azure Active Directory Sync. DirSync will do the initial pass through your AD and sync up the users it can. You can watch them populate in Office 365, and it will send a digest of any issues it encountered to the Office 365 admin user. It is important to remember that DirSync is a living product and it changes continually. In fact, a Preview release just came out with some cool features that we’ll discuss next.
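Rather than only watching the portal, you can confirm the first pass from PowerShell. This is an added example, not from the original post, and it assumes the MSOnline module (the Azure AD module of that era) is installed and that `$VerifiedSuffix` is a placeholder for your verified domain. It reports when the last sync ran and lists any synced accounts that landed on the fallback onmicrosoft.com name, which is the symptom of a UPN that was not matched before syncing.

```powershell
# Added example (not part of the original post): verify the initial DirSync pass
# from the Office 365 side. Assumes the MSOnline module; $VerifiedSuffix is a placeholder.
Import-Module MSOnline
Connect-MsolService          # prompts for the Office 365 admin credentials

$VerifiedSuffix = 'contoso.com'   # domain verified in the portal (placeholder)

# Tenant-level view: is sync enabled, and when did it last run?
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime

# Synced accounts carry an ImmutableId; cloud-only accounts do not.
$synced = Get-MsolUser -All | Where-Object { $_.ImmutableId }
Write-Host "Synced users: $($synced.Count)"

# Synced accounts whose UPN fell back to the tenant's onmicrosoft.com domain
# are the ones whose on-premises UPN suffix did not match a verified domain.
$fallback = $synced | Where-Object { $_.UserPrincipalName -notlike "*@$VerifiedSuffix" }
if ($fallback) {
    Write-Host "Synced users not on ${VerifiedSuffix}:"
    $fallback | Select-Object DisplayName, UserPrincipalName, LastDirSyncTime
} else {
    Write-Host "All synced users are on $VerifiedSuffix."
}
```

If the fallback list is not empty, fix the UPN suffix on-premises and let the next sync cycle pick up the change; the digest DirSync mails to the admin user will show the same accounts.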
Now if you’ll excuse me, I have some domains to buy!