Office 365 – Multi AD Forest synchronization with Office 365: installation and configuration

UPDATES: May 12 – error after assigning license and synchronization frequency

Following my previous post regarding the coming multi AD forest synchronization feature for Office 365 (http://blog.hametbenoit.info/2014/05/06/office-365-multi-active-directory-forest-synchronization-is-coming/), this post will detail steps to install, configure and manage the directory synchronization tool currently in preview (beta).

The preview is available for download from the Connect website (the web portal for all Microsoft beta programs): http://go.microsoft.com/fwlink/?LinkId=396558

The following post has been written using the version 1.0.181.410 of the tool.

IMPORTANT at this stage, the tool does not synchronize user’s password as it is the case with the ‘standard’ DirSync tool.

Prerequisites

To install and use this multi forest connector, you must have the following:

  • working trust relationship between your AD forests – as the main objective for this connector is to synchronize multiple AD forest to one Office 365 tenant Smile
  • an Office 365 tenant with the directory synchronization feature enabled

imageimageimage 

on the server which will run the connector

  • Windows Server 2008, 2008 R2, 2012 or 2012 R2
  • .Net 3.5 and .Net 4.5
  • PowerShell
  • disable strong name signing verification using the sn.exe tool provided in the ZIP file downloaded – run the following command using a command prompt with elevated privileges sn –Vr *,*; this step is required only because the tool is currently in beta, we can expect this will not be required in general availability

image 

Install

Once all prerequisites have been matched and after you have downloaded the connector, just run the install program (WindowsAzureADConnectionTool.exe)

imageimageimage 

If stop here, you will be able to start again the initial configuration using the shortcuts shown on the desktop or in the Start menu

imageimage 

All files are extracted under the directory C:\Program Files (x86)\Windows Azure AD Connection.

What have been installed:

image 

Configuration

To start the configuration, you must create a service account on each Active Directory forest – these accounts don’t need any specific permissions; standard user permission is enough.

On your Office 365 tenant, you need to create also a “service” account with administrative privileges – like with the “normal” DirSync tool (don’t forget to use a strong password and disable password expiration for this account)

Launch the tool using the shortcut shown on the desktop or through the Start menu

imageimage 

Then you are asked for a directory location (default is C:\Program Files (x86)\Windows Azure AD Connection) and agree the license terms

image 

Then it install the sign in client as well as the Windows Internal Database feature – at this stage you can not use an existing SQL instance

imageimageimage 

Then you are asked to enter your Windows Azure Active Directory global account; use the ‘service’ account created earlier on your Office 365 tenant

Leave a Comment

Your email address will not be published.