
Following Hamet's last post about the upcoming multi-AD-forest synchronization feature for Office 365 (http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=590), this post details the steps to install, configure and manage the directory synchronization tool currently in preview (beta).

The preview is available for download from the Connect website (the web portal for all Microsoft beta programs): http://go.microsoft.com/fwlink/?LinkId=396558

This post was written using version 1.0.181.410 of the tool.

IMPORTANT: at this stage the tool does not synchronize users' passwords, as the 'standard' DirSync tool does.

Prerequisites

To install and use this multi-forest connector, you must have the following:

  • a working trust relationship between your AD forests, since the main objective of this connector is to synchronize multiple AD forests to one Office 365 tenant
  • an Office 365 tenant with the directory synchronization feature enabled


On the server that will run the connector:

  • Windows Server 2008, 2008 R2, 2012 or 2012 R2
  • .NET 3.5 and .NET 4.5
  • PowerShell
  • strong-name signature verification disabled, using the sn.exe tool provided in the downloaded ZIP file: run sn –Vr *,* from an elevated command prompt. This step is only required because the tool is currently in beta; we can expect it not to be needed at general availability. Note that sn –Vr *,* disables strong-name verification for every assembly from every publisher on that machine, not just for the connector, so run it only on the dedicated sync server and re-enable verification with sn –Vu *,* once a signed release replaces the preview.
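The checks above can be scripted before running the installer. The following PowerShell is an added example, not code from the original post or from the tool itself; it assumes the MSOnline module is installed for the tenant check and uses the standard .NET Framework setup registry keys and the registry entry that sn –Vr *,* creates.

```powershell
# Added example: verify the server and tenant prerequisites listed above.
# Assumes the MSOnline PowerShell module is installed (for Connect-MsolService).
$results = @{}

# OS: Windows Server 2008 (6.0) through 2012 R2 (6.3); ProductType 1 is a workstation
$os  = Get-WmiObject Win32_OperatingSystem
$ver = [Version]$os.Version
$results['OS supported'] = ($ver -ge [Version]'6.0') -and ($ver -lt [Version]'6.4') -and ($os.ProductType -ne 1)

# .NET 3.5 and .NET 4.5 (Release >= 378389 means 4.5 or later)
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$results['.NET 3.5'] = (Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue).Install -eq 1
$v4 = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
$results['.NET 4.5'] = ($v4 -ne $null) -and ($v4.Release -ge 378389)

# Strong-name verification skip entry created by "sn -Vr *,*".
# Check both registry views because the tool installs under Program Files (x86).
# -LiteralPath is required: the key name "*,*" would otherwise be treated as a wildcard.
$snKeys = 'HKLM:\SOFTWARE\Microsoft\StrongName\Verification\*,*',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\StrongName\Verification\*,*'
$results['sn -Vr *,* applied'] = @($snKeys | Where-Object { Test-Path -LiteralPath $_ }).Count -gt 0

# Directory synchronization enabled on the tenant (prompts for tenant admin credentials)
Import-Module MSOnline
Connect-MsolService
$results['DirSync enabled'] = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

$results.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

Every row should read True before you start the installer; the 'sn -Vr *,* applied' row is also the one to re-check (it should become False) after you run sn –Vu *,* on a signed release.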


Install

Once all prerequisites are met and you have downloaded the connector, run the installer (WindowsAzureADConnectionTool.exe).


If you stop here, you can restart the initial configuration later using the shortcuts on the desktop or in the Start menu.


All files are extracted under the directory C:\Program Files (x86)\Windows Azure AD Connection.

What has been installed: (screenshot)

Configuration

To start the configuration, you must first create a service account in each Active Directory forest; these accounts do not need any specific permissions, standard user rights are enough.

On your Office 365 tenant, you also need to create a "service" account with administrative privileges, as with the "normal" DirSync tool (use a strong password and disable password expiration for this account).
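The two kinds of accounts described above can be created from PowerShell. This is an added example, not code from the original post or from the tool: it assumes the ActiveDirectory and MSOnline modules are available, that the host can reach a domain controller in each forest, and the domain controller names, OU paths, account name and tenant UPN are illustrative placeholders.

```powershell
# Added example: create the per-forest AD service accounts (plain users) and the
# Office 365 admin "service" account with a strong, non-expiring password.
# Server names, OUs, the svc-aadsync name and the tenant UPN are assumptions.
Import-Module ActiveDirectory
Import-Module MSOnline

function New-RandomPassword {
    param([int]$Length = 24)
    # Cryptographically random printable ASCII (33..126, no spaces) for accounts that
    # are never typed interactively; rejection sampling avoids modulo bias.
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $chars = [char[]](33..126)
    $sb    = New-Object System.Text.StringBuilder
    $one   = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        if ($one[0] -lt 188) { [void]$sb.Append($chars[$one[0] % 94]) }
    }
    $sb.ToString()
}

# One standard user per forest: no group membership beyond Domain Users.
$forests = @(
    @{ Server = 'dc01.contoso.local';  Path = 'OU=Service Accounts,DC=contoso,DC=local'  },
    @{ Server = 'dc01.fabrikam.local'; Path = 'OU=Service Accounts,DC=fabrikam,DC=local' }
)
foreach ($f in $forests) {
    $pwd = New-RandomPassword
    New-ADUser -Server $f.Server -Path $f.Path -Name 'svc-aadsync' -SamAccountName 'svc-aadsync' `
        -AccountPassword (ConvertTo-SecureString $pwd -AsPlainText -Force) `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true `
        -Description 'Azure AD directory synchronization'
    Write-Host "Created svc-aadsync on $($f.Server); store its password in your vault now."
}

# Office 365 "service" admin: strong password, never expires, no forced change at
# first logon, no license (it is only used by the connector).
Connect-MsolService
$cloudUpn = 'svc-aadsync@contoso.onmicrosoft.com'
$cloudPwd = New-RandomPassword
New-MsolUser -UserPrincipalName $cloudUpn -DisplayName 'AAD Sync Service' `
    -Password $cloudPwd -ForceChangePassword $false -PasswordNeverExpires $true | Out-Null
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $cloudUpn
Write-Host "Created $cloudUpn as Company Administrator; store its password in your vault now."
```

The cloud account is a global administrator, so treat its password like any other tenant-admin secret: keep it in a vault, never assign it a mailbox or license, and use it only from the sync server.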

Launch the tool using the shortcut shown on the desktop or through the Start menu


You are then asked for an installation directory (default is C:\Program Files (x86)\Windows Azure AD Connection) and to accept the license terms.


The installer then installs the sign-in client as well as the Windows Internal Database feature; at this stage you cannot use an existing SQL instance.


You are then asked for your Windows Azure Active Directory global administrator account; use the 'service' account created earlier on your Office 365 tenant.


If you forgot to enable directory synchronization on your Office 365 tenant, you will get the following error message:

Directory Synchronization has not yet been enabled in Azure. Please go to the Management Portal and enable Directory Synchronization. Then try again.

Note: it may take some time for the setting to take effect after you enable it.


If your tenant is enabled for directory synchronization, you move on to the next step, where you define the credentials for each AD forest to be synchronized with Office 365.

All fields are required, and the username must be entered as either domain\user or user@domain.ext.

Each time a forest is successfully added, its name appears below Configured Forests.


Once you have added all your AD forests, click Next to start the connector configuration; the tool gathers the AD configuration and schema details.


You then have to define which attribute is used to match a user's identity across the forests, and what to do when a user account is duplicated across forests; for the purpose of this post, I assume there are no duplicate accounts.


You can then enable Exchange hybrid mode; NOTE: you can enable this option even if your AD schema has not been extended for Exchange.


Finally, you reach the last step, which summarizes your connector configuration.


You can then start synchronizing your directories; the tool launches a command prompt and displays the progress of the synchronization.


(screenshots: Office 365 tenant before synchronization / Office 365 tenant after synchronization)

NOTE: I didn't configure any UPN for federation.

As you can see, NOT ALL users/groups have been synchronized. Microsoft has already defined a standard filter that excludes default AD objects such as the ADMINISTRATOR account or the ADMINISTRATORS group.

From then on, you just have to assign an Office 365 service license to your users.

NOTE: after assigning a license from the Office 365 portal, and thereby setting a user location, I ran into an issue during the next directory synchronization:

Unable to update this object in Windows Azure Active Directory, because the attribute [UsageLocation], is not valid. Update the value in your local directory services.
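The error message says to update the value in the local directory. The following PowerShell is an added example, not code from the original post or from the tool: it sets the usage location on the on-premises user objects so the value flows to the tenant with the next synchronization instead of being set in the portal. It assumes the forest schema has been extended for Exchange (msExchUsageLocation is an Exchange attribute) and that the connector maps msExchUsageLocation to UsageLocation as the classic DirSync tool does; the domain controller name, OU and country code are illustrative placeholders.

```powershell
# Added example: populate msExchUsageLocation in AD for users that do not have it yet.
# Assumptions: Exchange-extended schema; the connector maps msExchUsageLocation to
# the cloud UsageLocation attribute (as classic DirSync does); placeholders below.
Import-Module ActiveDirectory

function Set-LocalUsageLocation {
    param(
        [Parameter(Mandatory)][string]$Server,      # a DC of the forest, e.g. dc01.contoso.local
        [Parameter(Mandatory)][string]$SearchBase,  # OU holding the users to license
        # ISO 3166-1 alpha-2 code, the same format the Office 365 portal expects
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]{2}$')][string]$CountryCode
    )
    # Only touch users whose usage location is still empty, so existing values are kept.
    $users = @(Get-ADUser -Server $Server -SearchBase $SearchBase `
                -LDAPFilter '(!(msExchUsageLocation=*))' -Properties msExchUsageLocation)
    foreach ($u in $users) {
        Set-ADUser -Server $Server -Identity $u -Replace @{ msExchUsageLocation = $CountryCode }
    }
    return $users.Count
}

$n = Set-LocalUsageLocation -Server 'dc01.contoso.local' `
        -SearchBase 'OU=Users,DC=contoso,DC=local' -CountryCode 'FR'
Write-Host "Set msExchUsageLocation on $n user(s); run a synchronization so the value reaches the tenant."
```

Run the function once per forest (with that forest's domain controller and OU), then start a synchronization and assign licenses only after the location shows up in the portal.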

Manage the connector

As with the "standard" DirSync tool, the multi-AD-forest connector is built on Forefront Identity Manager (FIM).

As with the simple DirSync, you can also configure filtering; to do so, your account must be a member of the FIMSyncAdmins group. The account used for the installation and initial configuration is added automatically, but you need to log off and log on again for the membership to take effect.

To open the FIM console, go to C:\Program Files\Microsoft Azure AD Sync\UIShell and launch miisclient.exe.


To configure filtering, follow this post for each local directory connector: http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=411

At this stage, I assume this is supported.

At this stage there is no setting to define the synchronization frequency, meaning you also have to run a synchronization manually each time you make an update.

Source: http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=592

Published: 5/9/2014 17:07