As you already know, it is possible to synchronize your Active Directory with Office 365 (like with BPOS).

Before going through the installation and configuration steps, here are a few reminders about the limitations and prerequisites:

  • Limitations
    • DirSync is able to synchronize ONLY one AD forest; if you have multiple forests, you may need multiple DirSync implementations and multiple Office 365 tenants OR (a better but more complex solution) implement a ‘technical’ AD forest which is synchronized with your existing AD forests using Forefront Identity Manager, and then use DirSync from this technical forest to synchronize with Office 365
    • DirSync can’t be installed on a 64-bit (x64) platform; you must run a 32-bit OS
    • DirSync can synchronize ONLY 10 000 objects; if you need more, you have to open a support ticket
    • Once activated, DirSync can’t be disabled on Office 365
  • Prerequisites
    • You must have only one AD forest to synchronize
    • You must use a 32-bit OS version (from Windows Server 2003 to Windows Server 2008)
    • DirSync can’t be installed on a domain controller
    • Server running DirSync must be a member of the AD you want to synchronize
    • .NET Framework 3.5 SP1 must be installed
    • PowerShell must be installed

 

Ok, let’s start:

First, enable Directory Synchronization on Office 365.

Enable Office 365 Directory Synchronization

Connect to the administration portal (https://portal.microsoftonline.com) and go to Management\Users

Then click the Set up link to the right of Active Directory Synchronization

Check the prerequisites (if not yet done) and click the Activate button

Confirm the activation; this warning reminds you that DirSync can’t be disabled afterwards

Then download the DirSync tool by clicking the Download button; it is really important to use this tool and not one that may be available from other Microsoft download sites.

NOTE

If the download fails, go to the browser settings and disable the option ‘Do not save encrypted pages to disk’

Install DirSync

First, if you are using a proxy which requires authentication to access the Internet, you must allow unauthenticated access from the server running DirSync to *.microsoftonline.com and *.verisign.com

So, let’s start the installation

Launch the dirsync.exe file and follow the installation wizard

Once the setup has completed successfully, you are required to log off and log on again. I would recommend restarting the server instead.

 

Configure directory synchronization

During the synchronization configuration, you will need to provide the Office 365 credentials for your tenant as well as AD credentials. Please note that the AD account used must be an Enterprise Administrator.

Do not enable Rich Coexistence

You can start the synchronization immediately

User list before synchronization User list after synchronization

Then activate the user accounts by assigning an Office 365 license and location.

Check the user accounts to enable and click the Activate Synced Users link

Once the users are activated, ask to receive the user list and associated passwords so that you can provide each user with their password, IF you have not configured Single Sign-On with ADFS

Synchronized user properties are not modifiable from the Office 365 administration portal

Configuration error troubleshooting

1. If you downloaded and installed the wrong DirSync tool, you will get an error (Could not resolve synchronization endpoint) when trying to initiate the synchronization with Office 365.

2. If you have an error like this one: “The server configuration files were not imported. Check that the Microsoft Identity Lifecycle Manager (ILM) service is running.”

Verify that:

  • Your user account is a member of the Microsoft Identity Lifecycle Manager Administrator group
  • The ILM service is running
  • The AD account used for the synchronization is a member of the ILM Administrator group (MIISAdmins) (a local group on the server running DirSync) as well as a member of the local Administrators group
  • The local MIIS account is a member of the local Administrators group
  • This may also be due to the use of a wrong version; ensure you have downloaded the DirSync tool from the Office 365 administration portal
  • Check that the Net.Tcp Port Sharing Service is started
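
The checks in the list above can be scripted on the DirSync server. The following PowerShell is an added example, not part of the original post; the two account names, the English group name Administrators and the service display-name patterns are assumptions to adjust for your installation.

```powershell
# Added example: runs the "Verify that" checks locally on the DirSync server.
# Assumptions (not from the original page): the default account names below,
# an English OS (group "Administrators"), and the display-name patterns used
# to locate the ILM and Net.Tcp Port Sharing services. Requires PowerShell 2.0.
param(
    [string]$SyncAccount      = 'svc-dirsync',   # hypothetical AD account used for synchronization
    [string]$LocalMiisAccount = 'MIIS_Service'   # hypothetical local MIIS account name
)

function Get-LocalGroupMemberName([string]$GroupName) {
    # Enumerate a local group through the WinNT ADSI provider.
    # Returns the short account names of the direct members only.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-Membership([string]$Account, [string]$GroupName) {
    # Nested membership (for example through a domain group) is NOT resolved;
    # a FAIL here means "check by hand", not necessarily "missing rights".
    if ((Get-LocalGroupMemberName $GroupName) -contains $Account) {
        "[OK]   $Account is a direct member of $GroupName"
    } else {
        "[FAIL] $Account is not a direct member of $GroupName"
    }
}

function Test-ServiceRunning([string]$DisplayNamePattern) {
    # Wildcard lookup by display name; an empty result is reported as a failure.
    $services = @(Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        return "[FAIL] no service matches '$DisplayNamePattern'"
    }
    foreach ($s in $services) {
        if ($s.Status -eq 'Running') { "[OK]   $($s.DisplayName) is running" }
        else { "[FAIL] $($s.DisplayName) is $($s.Status)" }
    }
}

Test-Membership $SyncAccount      'MIISAdmins'
Test-Membership $SyncAccount      'Administrators'
Test-Membership $LocalMiisAccount 'Administrators'
Test-ServiceRunning '*Identity Lifecycle Manager*'
Test-ServiceRunning '*Net.Tcp Port Sharing*'
```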