UPDATES: May 12 – error after assigning license and synchronization frequency
Following my previous post regarding the upcoming multi AD forest synchronization feature for Office 365 (http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=590), this post details the steps to install, configure and manage the directory synchronization tool currently in preview (beta).
The preview is available for download from the Connect website (the web portal for all Microsoft beta programs): http://go.microsoft.com/fwlink/?LinkId=396558
This post was written using version 126.96.36.1990 of the tool.
IMPORTANT: at this stage, the tool does not synchronize users' passwords, as the 'standard' DirSync tool does.
To install and use this multi forest connector, you must have the following:
- a working trust relationship between your AD forests, since the main objective of this connector is to synchronize multiple AD forests to one Office 365 tenant
- an Office 365 tenant with the directory synchronization feature enabled
On the server that will run the connector:
- Windows Server 2008, 2008 R2, 2012 or 2012 R2
- .Net 3.5 and .Net 4.5
- strong-name signature verification disabled, using the sn.exe tool provided in the downloaded ZIP file: run sn -Vr *,* from a command prompt with elevated privileges. This step is required only because the tool is currently in beta; we can expect it will not be required at general availability.
Once all prerequisites are met and you have downloaded the connector, just run the installer (WindowsAzureADConnectionTool.exe).
If you stop here, you can restart the initial configuration later using the shortcuts shown on the desktop or in the Start menu.
All files are extracted under the directory C:\Program Files (x86)\Windows Azure AD Connection.
What has been installed:
To start the configuration, you must create a service account in each Active Directory forest; these accounts don't need any specific permissions, standard user permissions are enough.
On your Office 365 tenant, you also need to create a "service" account with administrative privileges, as with the "normal" DirSync tool (don't forget to use a strong password and disable password expiration for this account).
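As an added example (not code from the original post), the following PowerShell creates the per-forest service accounts and the Office 365 "service" account described above. It assumes the RSAT ActiveDirectory and MSOnline modules are installed; the forest names and the tenant UPN are placeholders to adapt.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory (RSAT)
# and MSOnline modules are installed; forest names and tenant UPN are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

# One plain domain user per forest. No extra rights are granted: the post states
# that standard user permissions are enough for the connector to read the forest.
$forests = @('corp.example', 'contoso.example')   # placeholder forest names
foreach ($forest in $forests) {
    $adPwd = Read-Host -AsSecureString "Password for svc-aadsync in $forest"
    New-ADUser -Server $forest `
               -Name 'svc-aadsync' -SamAccountName 'svc-aadsync' `
               -UserPrincipalName "svc-aadsync@$forest" `
               -AccountPassword $adPwd -Enabled $true `
               -Description 'Multi-forest DirSync read-only account'
}

# Office 365 side: a dedicated admin account for the connector, with a strong
# password and password expiration disabled, as the post recommends.
Connect-MsolService   # prompts for an existing tenant administrator
$o365Pwd = Read-Host -AsSecureString 'Password for the tenant sync account'
$plain   = (New-Object PSCredential('x', $o365Pwd)).GetNetworkCredential().Password
$upn     = 'svc-aadsync@tenantname.onmicrosoft.com'   # placeholder tenant UPN

New-MsolUser -UserPrincipalName $upn -DisplayName 'DirSync service account' `
             -Password $plain -ForceChangePassword $false `
             -PasswordNeverExpires $true | Out-Null
# 'Company Administrator' is the MSOnline role name for the tenant global admin role.
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $upn

# Verify the expiration setting actually stuck before using the account in the wizard.
Get-MsolUser -UserPrincipalName $upn | Select-Object UserPrincipalName, PasswordNeverExpires
```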
Launch the tool using the shortcut shown on the desktop or through the Start menu
Then you are asked for a directory location (the default is C:\Program Files (x86)\Windows Azure AD Connection) and to agree to the license terms.
Then it installs the sign-in client as well as the Windows Internal Database feature; at this stage you cannot use an existing SQL instance.
Then you are asked to enter your Windows Azure Active Directory global account; use the 'service' account created earlier on your Office 365 tenant.
If you forgot to enable directory synchronization on your Office 365 tenant, you will get the following error message:
Directory Synchronization has not yet been enabled in Azure. Please go to the Management Portal and enable Directory Synchronization. Then try again.
Note: it may take some time for it to be enabled.
If your tenant has been enabled for directory synchronization, you go to the next step to define credentials for each AD forest to be synchronized with Office 365.
All fields are required, and the username field must be set using either domain\user or email@example.com.
Each time a new forest has been successfully added, its name appears just below Configured Forests.
Once you have added all your AD forests, just click Next to initiate the connector configuration, which gathers the AD configuration and schema details.
Then you have to define which attribute will be used to federate the identity, as well as the option to use if a user account is duplicated across the different forests; for the purpose of this post, I assume I have no duplicate accounts.
Then you can enable Exchange hybrid mode; NOTE: you can enable this option even if your AD has not been extended with the Exchange schema.
Finally, you reach the last step, which summarizes your connector configuration.
You can then start synchronizing your directories; this launches a command prompt that displays the progress of the synchronization.
[Screenshots: Office 365 tenant before synchronization | Office 365 tenant after synchronization]
NOTE: I didn't configure any UPN for federation.
As you can see, NOT ALL users/groups have been synchronized. Microsoft has already defined a standard filter that excludes default AD objects such as the Administrator account or the Administrators group.
From then on, you just have to assign an Office 365 service license to your users.
NOTE: after assigning a license from the Office 365 portal, which also sets a usage location for the user, I ran into an issue during the next directory synchronization:
Unable to update this object in Windows Azure Active Directory, because the attribute [UsageLocation], is not valid. Update the value in your local directory services.
This seems to be due to the use of the msExchUsageLocation attribute, which comes with the Exchange schema; as my forests have not been updated with the Exchange schema, this is why I got the error. The workaround is to extend the AD schema with the Exchange one.
Microsoft confirmed they are working on it.
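Before assigning licenses, it is worth checking which forests actually carry the attribute the error points at. The following PowerShell check is an added example, not from the original post; it assumes the RSAT ActiveDirectory module and uses placeholder forest names.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory (RSAT)
# module is available and the account running it can read each forest's schema.
Import-Module ActiveDirectory

function Test-SchemaAttribute {
    # Returns whether a given attribute exists in the schema partition of a forest.
    param(
        [Parameter(Mandatory)] [string] $Forest,
        [string] $Attribute = 'msExchUsageLocation'   # attribute named in the post
    )
    $schemaNC = (Get-ADRootDSE -Server $Forest).schemaNamingContext
    $found = Get-ADObject -Server $Forest -SearchBase $schemaNC `
                          -LDAPFilter "(lDAPDisplayName=$Attribute)" `
                          -Properties lDAPDisplayName
    [pscustomobject]@{
        Forest    = $Forest
        Attribute = $Attribute
        Present   = [bool]$found
    }
}

$forests = @('corp.example', 'contoso.example')   # placeholder forest names
$report  = $forests | ForEach-Object { Test-SchemaAttribute -Forest $_ }
$report | Format-Table -AutoSize

# A forest where Present is False is the one that will raise the
# "[UsageLocation] is not valid" error once a license (and so a usage location)
# is assigned in the portal; the post's workaround is to extend that forest's
# schema with the Exchange schema before licensing its users.
$report | Where-Object { -not $_.Present } | ForEach-Object {
    Write-Warning "$($_.Forest): $($_.Attribute) missing from schema; extend it before assigning licenses."
}
```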
Manage the connector
As with the "standard" DirSync tool, the multi AD forest connector uses Forefront Identity Manager (FIM).
As with the simple DirSync, you can also configure filtering; to do so, your account must be a member of the FIMSyncAdmin group. The account used for the installation and initial configuration has been added automatically, but you need to log off and log on again for the membership to take effect.
To open the FIM console, go to C:\Program Files\Microsoft Azure AD Sync\UIShell and launch miisclient.exe.
To configure filtering, follow this post for each local directory connection: http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=411
At this stage, I assume this is supported.
A scheduled task called Sync to Azure Active Directory has been created automatically after the configuration and runs every 3 hours; you can change the frequency by editing this scheduled task.
At this stage there is no setting in the tool to define the synchronization frequency, which also means you have to run a synchronization manually each time you make an update.
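Since the only schedule lives in that task, the following PowerShell (an added example, not from the original post) shows how to read its current interval, change it, and trigger an on-demand run after a change. It assumes the ScheduledTasks module (Windows Server 2012 / 2012 R2; on 2008 use the Task Scheduler console) and that the installer's task keeps its name; the 1-hour interval is only an example value.

```powershell
# Added example, not from the original post. Assumes the ScheduledTasks module
# (Server 2012+) and that the installer-created task is still named as below.
$taskName = 'Sync to Azure Active Directory'

function Get-SyncTaskSchedule {
    # Shows each trigger's start time and repetition interval (ISO 8601, e.g. PT3H).
    $task = Get-ScheduledTask -TaskName $taskName
    foreach ($trigger in $task.Triggers) {
        [pscustomobject]@{
            StartBoundary = $trigger.StartBoundary
            Interval      = $trigger.Repetition.Interval
            Enabled       = $trigger.Enabled
        }
    }
}

function Set-SyncTaskInterval {
    # Replaces the trigger with one repeating at the requested interval, indefinitely.
    # Only the trigger is replaced; the task's action (the connector sync) is untouched.
    param([Parameter(Mandatory)] [timespan] $Interval)
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                   -RepetitionInterval $Interval `
                   -RepetitionDuration ([TimeSpan]::MaxValue)
    Set-ScheduledTask -TaskName $taskName -Trigger $trigger | Out-Null
}

function Start-SyncNow {
    # The preview has no in-tool schedule setting, so an ad-hoc run after a
    # filter or attribute change is simply a manual start of the same task.
    Start-ScheduledTask -TaskName $taskName
    Get-ScheduledTaskInfo -TaskName $taskName |
        Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}

Get-SyncTaskSchedule                                   # before: PT3H per the post
Set-SyncTaskInterval -Interval (New-TimeSpan -Hours 1) # example value
Get-SyncTaskSchedule                                   # after: PT1H
Start-SyncNow
```

LastTaskResult of 0 from Get-ScheduledTaskInfo only means the task launched cleanly; check the connector's own output for synchronization errors such as the UsageLocation one above.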