UPDATES: May 12 – error after assigning license and synchronization frequency
Following my previous post regarding the upcoming multi-AD-forest synchronization feature for Office 365 (http://blog.hametbenoit.info/2014/05/06/office-365-multi-active-directory-forest-synchronization-is-coming/), this post details the steps to install, configure and manage the directory synchronization tool currently in preview (beta).
The preview is available for download from the Connect website (the web portal for all Microsoft beta programs): http://go.microsoft.com/fwlink/?LinkId=396558
The following post has been written using version 1.0.181.410 of the tool.
IMPORTANT: at this stage, the tool does not synchronize users' passwords, as the ‘standard’ DirSync tool does.
Prerequisites
To install and use this multi-forest connector, you must have the following:
- a working trust relationship between your AD forests, as the main objective of this connector is to synchronize multiple AD forests to one Office 365 tenant
- an Office 365 tenant with the directory synchronization feature enabled
and, on the server which will run the connector:
- Windows Server 2008, 2008 R2, 2012 or 2012 R2
- .Net 3.5 and .Net 4.5
- PowerShell
- strong name signature verification disabled using the sn.exe tool provided in the downloaded ZIP file: run the command `sn -Vr *,*` from a command prompt with elevated privileges. This step is required only because the tool is currently in beta; we can expect it will not be required at general availability. Note that this disables verification for every assembly on the server, so it should be re-enabled (`sn -Vu *,*`) once the preview is over.
Install
Once all prerequisites have been met and the connector has been downloaded, just run the install program (WindowsAzureADConnectionTool.exe).
If you stop here, you can start the initial configuration again later using the shortcuts placed on the desktop or in the Start menu.
All files are extracted under the directory C:\Program Files (x86)\Windows Azure AD Connection.
What has been installed:
Configuration
To start the configuration, you must create a service account in each Active Directory forest. These accounts don’t need any specific permissions; standard user permissions are enough.
On your Office 365 tenant, you also need to create a “service” account with administrative privileges, as with the “normal” DirSync tool (don’t forget to use a strong password and to disable password expiration for this account).
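As an added example (not code from the original post), the account creation described above in PowerShell: a least-privilege standard user in each forest, and the tenant-side administrative account with a generated password and expiration disabled. It assumes the ActiveDirectory and MSOnline modules are installed on the workstation running it; the DC names, tenant domain and account name are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory and MSOnline
# modules are available; DC names, tenant domain and account name below are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

# Random password from a cryptographic RNG. The alphabet has exactly 64 symbols, so
# "byte % 64" is unbiased. 16 chars is the cloud password length limit of that era.
function New-StrongPassword {
    param([int]$Length = 16)
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

$svcName   = 'svc-dirsync'                                        # placeholder
$forestDCs = @('dc01.forest-a.example', 'dc01.forest-b.example')  # one DC per forest, placeholders
$adPassword = New-StrongPassword

# 1) One plain user per forest: no group membership, no admin rights, non-expiring password.
#    The caller is assumed to have account-creation rights in each forest (reached via the trust).
foreach ($dc in $forestDCs) {
    New-ADUser -Server $dc -Name $svcName -SamAccountName $svcName -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $adPassword -AsPlainText -Force) `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Office 365 multi-forest DirSync connector (standard user, no extra rights)'
    # Least-privilege check: the account must be a plain user with no added group memberships.
    $u = Get-ADUser -Server $dc -Identity $svcName -Properties MemberOf, PasswordNeverExpires
    if ($u.MemberOf.Count -ne 0 -or -not $u.PasswordNeverExpires) {
        Write-Warning "$dc\$svcName is not a plain, non-expiring user; review it before use."
    }
}

# 2) Tenant-side account with admin rights as the post requires; strong password, no expiration.
Connect-MsolService                                  # prompts for existing tenant admin credentials
$tenantUpn      = "$svcName@contoso.onmicrosoft.com" # placeholder tenant domain
$tenantPassword = New-StrongPassword
New-MsolUser -UserPrincipalName $tenantUpn -DisplayName 'DirSync service account' `
    -Password $tenantPassword -PasswordNeverExpires $true -ForceChangePassword $false | Out-Null
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $tenantUpn

# Show each password once so it can be typed into the configuration wizard, then discard it.
"AD service account password:     $adPassword"
"Tenant service account password: $tenantPassword"
Remove-Variable adPassword, tenantPassword
```

No license is assigned to the tenant account here; it only needs the administrative role to run synchronization.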
Launch the tool using the shortcut shown on the desktop or through the Start menu
Then you are asked for an installation directory (the default is C:\Program Files (x86)\Windows Azure AD Connection) and to accept the license terms.
Then it installs the sign-in client as well as the Windows Internal Database feature; at this stage you cannot use an existing SQL instance.
Then you are asked to enter your Windows Azure Active Directory global administrator account; use the ‘service’ account created earlier on your Office 365 tenant.