As you already know, it is possible to synchronize your Active Directory with Office 365 (like with BPOS).
Before going through the installation and configuration steps, here are a few reminders about the limitations and prerequisites:
- DirSync is able to synchronize ONLY one AD forest; if you have multiple forests, you need multiple DirSync implementations and multiple Office 365 tenants, OR (a better but more complex solution) implement a ‘technical’ AD forest which is synchronized with your existing AD forests using Forefront Identity Manager, and then use DirSync from this technical forest to synchronize with Office 365
- DirSync can’t be installed on a 64-bit platform; you must run a 32-bit OS
- DirSync can synchronize ONLY 10 000 objects; if you need more, you have to open a support ticket
- Once activated, DirSync can’t be disabled on Office 365
- You must have only one AD forest to synchronize
- You must use a 32-bit OS version (from Windows Server 2003 to Windows Server 2008)
- DirSync can’t be installed on a domain controller
- The server running DirSync must be a member of the AD domain you want to synchronize
- .NET Framework 3.5 SP1 must be installed
- PowerShell must be installed
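The prerequisites above are easy to get wrong on a server that was built for something else, so here is a pre-flight script that checks them before dirsync.exe is run. It is an added example, not part of the original post or of the DirSync tool; it assumes PowerShell 2.0 or later, that it runs under a domain-joined account, and it takes the 10 000-object limit and the Server 2003 to 2008 range from the list above.

```powershell
# Added example, not part of the original post: a pre-flight script for the DirSync
# prerequisites listed above. Assumes PowerShell 2.0 or later and a domain-joined
# account; the 10 000-object limit and the Server 2003..2008 range come from the post.

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. 32-bit OS: PROCESSOR_ARCHITECTURE is 'x86' on 32-bit Windows, 'AMD64' on x64.
$arch = $env:PROCESSOR_ARCHITECTURE
Add-Check '32-bit OS' ($arch -eq 'x86') "PROCESSOR_ARCHITECTURE=$arch"

# 2. OS family: Windows Server 2003 is NT 5.2, Windows Server 2008 is NT 6.0;
#    ProductType 1 is a workstation SKU, 2 a domain controller, 3 a member server.
$os  = Get-WmiObject Win32_OperatingSystem
$ver = [version]$os.Version
$supportedOs = ($ver -ge [version]'5.2') -and ($ver -lt [version]'6.1') -and ($os.ProductType -ne 1)
Add-Check 'Windows Server 2003..2008' $supportedOs "$($os.Caption) build $($os.Version)"

# 3. Domain member, but not a domain controller.
#    DomainRole: 0/1 workstation, 2 standalone server, 3 member server, 4/5 domain controller.
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check 'Not a domain controller' ($cs.DomainRole -lt 4) "DomainRole=$($cs.DomainRole)"
Add-Check 'Member server of the AD domain' ($cs.PartOfDomain -and $cs.DomainRole -eq 3) "Domain=$($cs.Domain)"

# 4. .NET Framework 3.5 SP1, read from the registry keys the framework installer writes.
$ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
$net35 = Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue
$hasNet35Sp1 = ($net35 -ne $null) -and ($net35.Install -eq 1) -and ($net35.SP -ge 1)
Add-Check '.NET Framework 3.5 SP1' $hasNet35Sp1 "Install=$($net35.Install) SP=$($net35.SP)"

# 5. PowerShell is obviously present if this runs; record the version for the report.
Add-Check 'PowerShell installed' $true "PowerShell $($PSVersionTable.PSVersion)"

# 6. Forest-wide count of the object types DirSync exports (users and contacts share
#    objectCategory=person) against the 10 000-object limit. The global catalog is
#    queried so that a multi-domain forest is counted as a whole.
$limit      = 10000
$forestRoot = ([ADSI]'LDAP://RootDSE').rootDomainNamingContext
$searcher   = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://$forestRoot")
$searcher.Filter     = '(|(objectCategory=person)(objectCategory=group))'
$searcher.PageSize   = 1000   # paged search, otherwise the result is capped at 1000 entries
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$objectCount = $searcher.FindAll().Count
Add-Check "At most $limit objects" ($objectCount -le $limit) "$objectCount objects under $forestRoot"

$results | Format-Table Check, Passed, Detail -AutoSize
if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    Write-Warning 'At least one DirSync prerequisite is not met; fix it before running dirsync.exe.'
}
```

Run it on the server you intend to install DirSync on; every row with Passed set to False maps to one of the bullets above. The object count is a superset of what DirSync will actually export (disabled accounts and system objects are included), so a count just under the limit still deserves a closer look before activating synchronization, which cannot be undone.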
Ok, let’s start:
First, enable Directory Synchronization on Office 365.
Enable Office 365 Directory Synchronization
Connect to the administration portal (https://portal.microsoftonline.com) and go to Management\Users
Then click the Set up link on the right of Active Directory Synchronization
Check the prerequisites (if not done yet) and click the Activate button
Confirm the activation; this warning reminds you that DirSync can’t be disabled afterwards
Then download the DirSync tool by hitting the Download button; it is really important to use this tool and not the one which may be available from other Microsoft download sites.
If the download fails, go to the browser settings and disable the option Do not save encrypted pages to disk
Before starting the installation, if you are using a proxy which requires authentication to access the internet, you must allow unauthenticated access from the server running DirSync to *.microsoftonline.com and *.verisign.com
So, let’s start the installation
Launch the dirsync.exe file and follow the installation wizard
Once the setup has completed successfully, you are required to log off and log on again. I would recommend restarting the server instead.
Configure directory synchronization
During the synchronization configuration, you will need to provide the Office 365 credentials for your tenant as well as AD credentials. Please note that the AD account used must be an Enterprise Administrator
Do not enable Rich coexistence
You can start the synchronization immediately
(Screenshots: user list before synchronization / user list after synchronization)
Then activate the user accounts by assigning an Office 365 license and location.
Check the user accounts to enable and click on the Activate Synced Users link
Once the users are activated, ask to receive the user list and the associated passwords, so you can provide the passwords to the users IF you have not configured Single Sign-On with ADFS
Synchronized user properties are not modifiable from the Office 365 administration portal
Configuration error troubleshooting
1. In case you downloaded and installed the wrong DirSync tool, you will get an error (Could not resolve synchronization endpoint) when trying to initiate the synchronization with Office 365.
2. If you get an error like this one: “The server configuration files were not imported. Check that the Microsoft Identity Lifecycle Manager (ILM) service is running.”, check that:
- Your user account is a member of the Microsoft Identity Lifecycle Manager Administrator group
- The ILM service is running
- The AD account used for the synchronization is a member of the ILM Administrator group (MIISAdmins, a local group on the server running DirSync) as well as a member of the local Administrators group
- The local MIIS account is a member of the local Administrators group
- This may also be due to the use of a wrong version; ensure you have downloaded the DirSync tool from the Office 365 administration portal
- Check that the Net.Tcp Port Sharing Service is started
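The checks listed for the second error are all local to the DirSync server, so they can be scripted rather than clicked through one by one. The following is an added example, not from the original post or from the DirSync tool. It assumes the synchronization service can be found by a display name containing “Identity” (adjust the filter if yours differs), that the local group is named MIISAdmins as stated above, and that the Net.Tcp Port Sharing Service is registered under the service name NetTcpPortSharing; the sync account defaults to the current user and can be passed as a parameter.

```powershell
# Added example, not part of the original post: checks for the causes listed above of
# the "server configuration files were not imported" error. Assumptions: the sync
# service is found by a display name containing "Identity" (adjust if yours differs),
# the local group is MIISAdmins as in the post, and the Net.Tcp Port Sharing service
# is registered under the name NetTcpPortSharing. Run elevated on the DirSync server.

param(
    # AD account used for the synchronization, in DOMAIN\user form
    [string]$SyncAccount = "$env:USERDOMAIN\$env:USERNAME"
)

function Get-LocalGroupMembers([string]$GroupName) {
    # WinNT provider: works on Server 2003/2008, which have no Get-LocalGroupMember cmdlet.
    # Direct members only; nested group membership is not expanded.
    $group = [ADSI]"WinNT://./$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://DOM/user -> DOM\user
    }
}

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

function Test-GroupMember([string]$GroupName, [string]$Account, [string]$Label) {
    $members = @(Get-LocalGroupMembers $GroupName)
    $found = [bool]($members | Where-Object { $_ -eq $Account })
    New-Check $Label $found "$Account in $env:COMPUTERNAME\$GroupName; members: $($members -join ', ')"
}

$checks = @()

# 1. The ILM (MIIS) synchronization service must be running.
$sync = Get-Service | Where-Object { $_.DisplayName -like '*Identity*' } | Select-Object -First 1
if ($sync) { $detail = "$($sync.Name) is $($sync.Status)" } else { $detail = 'no service with "Identity" in its display name' }
$checks += New-Check 'ILM service running' (($sync -ne $null) -and ($sync.Status -eq 'Running')) $detail

# 2./3. The synchronization account in MIISAdmins and in the local Administrators group.
$checks += Test-GroupMember 'MIISAdmins'     $SyncAccount 'Sync account in MIISAdmins'
$checks += Test-GroupMember 'Administrators' $SyncAccount 'Sync account in local Administrators'

# 4. The account the service runs as (the local MIIS account) in local Administrators.
if ($sync) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$($sync.Name)'"
    $svcAccount = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"   # .\MIISService -> HOST\MIISService
    $checks += Test-GroupMember 'Administrators' $svcAccount 'Service account in local Administrators'
}

# 5. Net.Tcp Port Sharing Service started; the synchronization service needs it.
$ntps = Get-Service -Name NetTcpPortSharing -ErrorAction SilentlyContinue
if ($ntps) { $detail = "NetTcpPortSharing is $($ntps.Status)" } else { $detail = 'service not found' }
$checks += New-Check 'Net.Tcp Port Sharing running' (($ntps -ne $null) -and ($ntps.Status -eq 'Running')) $detail

$checks | Format-Table Check, Passed, Detail -AutoSize
```

Save it as a .ps1 file and run it from an elevated prompt, passing -SyncAccount when the account used for DirSync is not the one you are logged on with. The membership checks only look at direct members, so an account that gets its rights through a nested group shows up as False; that is usually worth knowing anyway, since the wrong-version cause listed above produces the same error and the remaining rows help rule it out.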