Following last post of Hammet, regarding the coming multi AD forest synchronization feature for Office 365 (http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=590), this post will detail steps to install, configure and manage the directory synchronization tool currently in preview (beta).
The preview is available for download from the Connect website (the web portal for all Microsoft beta programs): http://go.microsoft.com/fwlink/?LinkId=396558
The following post has been written using the version 22.214.171.1240 of the tool.
IMPORTANT at this stage, the tool does not synchronize user’s password as it is the case with the ‘standard’ DirSync tool.
To install and use this multi forest connector, you must have the following:
- working trust relationship between your AD forests – as the main objective for this connector is to synchronize multiple AD forest to one Office 365 tenant
- an Office 365 tenant with the directory synchronization feature enabled
on the server which will run the connector
- Windows Server 2008, 2008 R2, 2012 or 2012 R2
- .Net 3.5 and .Net 4.5
- disable strong name signing verification using the sn.exe tool provided in the ZIP file downloaded – run the following command using a command prompt with elevated privileges sn –Vr *,*; this step is required only because the tool is currently in beta, we can expect this will not be required in general availability
Once all prerequisites have been matched and after you have downloaded the connector, just run the install program (WindowsAzureADConnectionTool.exe)
If stop here, you will be able to start again the initial configuration using the shortcuts shown on the desktop or in the Start menu
All files are extracted under the directory C:Program Files (x86)Windows Azure AD Connection.
What have been installed:
To start the configuration, you must create a service account on each Active Directory forest – these accounts don’t need any specific permissions; standard user permission is enough.
On your Office 365 tenant, you need to create also a “service” account with administrative privileges – like with the “normal” DirSync tool (don’t forget to use a strong password and disable password expiration for this account)
Launch the tool using the shortcut shown on the desktop or through the Start menu
Then you are asked for a directory location (default is C:Program Files (x86)Windows Azure AD Connection) and agree the license terms
Then it install the sign in client as well as the Windows Internal Database feature – at this stage you can not use an existing SQL instance
Then you are asked to enter your Windows Azure Active Directory global account; use the ‘service’ account created earlier on your Office 365 tenant
If you forgot to enable the directory synchronization on your Office 365 tenant you will get the following error message
Directory Synchronization has not yet been enabled in Azure. Please go to the Management Portal and enable Directory Synchronization. Then try again.
Note: it may take some time to get it enabled
If your tenant has been enabled for directory synchronization, you will go to the next step to define credentials for each AD forest to be synched with Office 365
All fields are required and the username field must be set using either domainuser or firstname.lastname@example.org
Each time a new forest has been successfully added, his name appears just below the Configured Forests
Once you have added all your AD Forests, just hit next to initiate the connector configuration by gathering AD configuration and schema details
Then you have to defined which attribute will be used to federate the identity as well as the option is a user account is duplicated across the different forest; for the purpose of this post, I assume I have no duplicate account
Then you can enable Exchange hybrid mode; NOTE you can enable this option even if your AD have not been extended with the Exchange schema
Finally you have reached the last step to summarize your connector configuration
And you can start to synchronize your directories; it will launch a command prompt and display the progress of the synchronization
|Office 365 Tenant Before Synchronization||Office 365 After Synchronization|
NOTE I didn’t configure any UPN for federation
As you can see, NOT ALL users/groups have been synchronized. Microsoft has already defined a standard filter to remove default AD objects such as ADMINISTRATOR account or ADMINISTRATORS group.
Starting then, you just have to assign an Office 365 service license to your users
NOTE after assigning a license, and so defining a User location, from the Office 365 portal, I ran into an issue during the next directories synchronization
Unable to update this object in Windows Azure Active Directory, because the attribute [UsageLocation], is not valid. Update the value in your local directory services.
Manage the connector
As for the “standard” DirSync tool, the multi AD forest is using ForeFront Identity Management.
Like with the simple DirSync, you can also configure filtering; to do so your account must be member of the FIMSyncAdmin – the account used for the installation and initial configuration has been automatically added but you need to logoff and logon again.
To open the FIM console, go to C:Program FilesMicrosoft Azure AD SyncUIShell and launch the missclient.exe file
To configure filtering, just follow the following post for each local directory connection http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=411
At this stage, I assume this is supported.
At this stage there is no settings available to define the frequency of the synchronization, meaning you have also to run a synchronization each time you are making an update.