Thursday, August 8, 2013

Exchange 2007 (SP3) - migration (staged) - Exchange Online (Office 365) - Part 4.1 - DirSync



Part 4.1

- Activate DirSync in Office 365
- Install and configure on-premises component




Now that we have subscribed to Office 365, configured Outlook Anywhere (if it had not already been configured), and added our own domain name, we can proceed to the following step which involves a component known as "DirSync".


Note: in this first post about DirSync, I will activate the cloud-side component and then install and configure the on-premises component. Synchronization will be covered in Part 4.2.

 

The "Directory Synchronization" tool will synchronize user, contact and group account information...
 
 
FROM: our onsite Active Directory database...
 
TO: the Office 365 user database.
 
 
The name has changed over time, but the directory is currently called "Windows Azure Active Directory".
 
 
"Windows Azure AD can be used as a standalone cloud directory for your organization, but you can also integrate existing on-premise Active Directory with Windows Azure AD. Some of the features of integration include directory sync and single sign-on [...]."
 
What is Windows Azure Active Directory?


 

This can be configured in various places, and in a different order, but for this scenario I will enable DirSync in Office 365 first and then download and install the DirSync tool on a Windows 2008 R2 (SP1) member server.
 
The first step is to log in to the Office 365 admin center (or portal). Once logged in, there are at least two paths to configure DirSync. We can click on the Setup tab and then on the Advanced Setup button under the "Extend your Setup" section (which takes us to "Onramp for Office 365")...

 



or click on "Users and Groups" in the menu at the far left.

I'll select this second option.
 
Next, we select "Active Directory Synchronization: Setup"



 
Setting up DirSync is a six-step process.
 
1. Verify requirements.
 

A. Verify requirements for the Directory Synchronization computer.
 
I will not rewrite the entire document but simply summarize key points:
 
  • It must run a Windows 2008 R2 (SP1) or Windows 2012 Server operating system. Windows 2008 was supported but will apparently not function with the recently added (at the time of this writing) password synchronization feature.
  • It must be a domain member (not stand-alone).
  • It must NOT be a domain controller.
  • It must run or be able to run SQL. If SQL is not installed, the DirSync installation process will install SQL 2008 Express. This should suffice for up to 50,000 users.

B. Verify requirements for the onsite domain controllers.

In summary, the minimum supported domain controller is Windows Server 2003 SP1 (32 or 64 bit).
 
C. User permissions
 
The user installing and later running DirSync should have the following status:
 
- Local Administrator on DirSync server.
- Enterprise Administrator for onsite Active Directory.
- Administrator for your Office 365 account.
 
D. Performance
 
Office 365 supports (by default) synchronization of up to 50,000 user accounts. This is also the limit for SQL 2008 R2 Express.
 
For up to 50,000 users, the following specifications should suffice:
 
- 1.6 GHz processor
- 4 GB RAM
- 70 GB hard disk space


There is no required hard disk configuration. If an existing instance of SQL is not used, DirSync will apparently install SQL 2008 R2 Express in the following location, with no possibility for customization: C:\Program Files\Microsoft Online Directory Sync.



E. Verify UPN requirements.
 
The UPN suffix of the onsite domain users must match the UPN suffix (domain) used in Office 365. This is not the case if, for example, a user's UPN is username@company.local.
 
In that case, an alternate UPN suffix must be created in "Active Directory Domains and Trusts" and then assigned to the users destined for migration to Exchange Online.
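As an added example (not from the original post), the PowerShell script below audits the UPN suffix of the users in a migration OU against the domain verified in Office 365 and, when run with -Fix, rewrites the suffix while keeping each user's existing prefix. It uses ADSI rather than the ActiveDirectory module so that it runs on a Windows 2008 R2 member server as-is. The OU path "OU=Exchange Online Users,DC=company,DC=local" and the suffix "company.com" are assumed placeholders; the script expects the alternate suffix to have been added in "Active Directory Domains and Trusts" already and warns if it is not found on the forest's uPNSuffixes attribute.

```powershell
# Added example, not part of the original post: audit (and optionally fix) user UPN suffixes
# in one OU before enabling DirSync. $MigrationOU and $VerifiedSuffix are assumed values.
param(
    [string]$MigrationOU    = "OU=Exchange Online Users,DC=company,DC=local",
    [string]$VerifiedSuffix = "company.com",
    [switch]$Fix
)

# 1. Confirm the suffix is either the domain's own DNS name or a registered alternate suffix
#    (Domains and Trusts stores alternate suffixes in uPNSuffixes on CN=Partitions).
$rootDse    = [ADSI]"LDAP://RootDSE"
$domainDns  = (([string]$rootDse.defaultNamingContext) -replace ',?DC=', '.').TrimStart('.')
$partitions = [ADSI]("LDAP://CN=Partitions," + [string]$rootDse.configurationNamingContext)
$validSuffixes = @($domainDns) + @($partitions.uPNSuffixes)
if ($validSuffixes -notcontains $VerifiedSuffix) {
    Write-Warning "'$VerifiedSuffix' is not a UPN suffix of this forest; add it in AD Domains and Trusts first."
}

# 2. Enumerate enabled user accounts in the migration OU (bit 2 of userAccountControl = disabled).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$MigrationOU"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PageSize   = 1000
[void]$searcher.PropertiesToLoad.Add("userPrincipalName")
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")

foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties["samaccountname"][0]
    $upn = [string]$result.Properties["userprincipalname"][0]

    # Split the current UPN; fall back to the logon name if the UPN is empty.
    $prefix = if ($upn -match '^(.+)@') { $matches[1] } else { $sam }
    $suffix = if ($upn -match '@(.+)$') { $matches[1] } else { "" }
    if ($suffix -ieq $VerifiedSuffix) { continue }   # already correct

    $newUpn = "$prefix@$VerifiedSuffix"
    if ($Fix) {
        # 3. Write the corrected UPN back to the user object.
        $user = $result.GetDirectoryEntry()
        $user.Put("userPrincipalName", $newUpn)
        $user.SetInfo()
        Write-Output "$sam : '$upn' -> '$newUpn'"
    } else {
        Write-Output "$sam : current UPN '$upn' needs suffix '$VerifiedSuffix' (run with -Fix to change it)"
    }
}
```

Run it once without -Fix to review the list of affected accounts before changing anything; the change itself only touches userPrincipalName, so the users' logon names and mail attributes are left alone.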
 

 
2. Verify domains
We have already configured our domains in a previous task.


 

3. Activate DirSync

 
Click on the Activate button:



 
Note that synchronized objects can only be managed onsite, in the "local" Active Directory. This means that if you want to change a user property, such as the name, password or phone number, you must do it on an onsite domain controller.



 
A message indicates that "synchronization is being activated".



 
Another indicates that the process could take up to 24 hours.



 
This is why it is preferable to activate the directory synchronization feature in the Cloud first and then download and install the DirSync tool. Until activation completes, DirSync cannot function anyway.


When DirSync is finally ready on the Office 365 side, the information displayed should look like this:




If "Deactivate" is the only option offered, DirSync is activated.

 
4. Download and install the DirSync Tool.


Downloading the DirSync tool from Office 365


The DirSync tool can be downloaded from the Office 365 portal here:






Click the download button and save the dirsync.exe file.





Copy it to the server (if you do not access the Internet on your servers directly).


 
Installing the DirSync Tool
 
The DirSync server for this experiment is a Windows 2008 R2 Standard Server with SP1 and all updates applied (updates current at the time of this post).
 
The primary pre-requisites for DirSync are .NET Framework 3.5.1 and .NET Framework 4.0.
 
With Windows 2008 R2, version 3.5.1 can be installed using "Add Features".
 
I check the appropriate box:
 
 
 
This feature requests the installation of the IIS role:
 
 
 
 
I won't provide a screenshot for each step. I'll assume (a safe assumption, I hope) that if you are managing a Windows 2008 server, you can follow the prompts from this point.
 
With Windows 2008, it was necessary (or at least recommended) to install .NET Framework Service Pack 1 and then some other patches. With 2008 R2, all these service packs and patches are apparently included.
 
I verified that .NET Framework 3.5.1 SP1 was installed by examining the following registry key (the ".1" of 3.5.1 may designate the service pack as well; a cursory online search could not confirm this):
 
HKLM\Software\Microsoft\NET Framework Setup\NDP\v3.5
 
 
 
I'll now install .NET Framework 4.0. This is not a Windows 2008 R2 feature, so it must be downloaded. An online search for ".NET Framework 4.0" should lead you to the correct site. At the time of this post, it was:
 
 
At this point, I would recommend running a Windows Update check to see if there are any updates for either of the .NET Framework features.
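The server requirements from step 1 (operating system, domain membership, memory and disk) and the .NET registry check just described can be verified in one pass. The following PowerShell pre-flight script is an added example, not code from the original post or from the DirSync tool; run it in an elevated session on the intended DirSync server before launching setup. The thresholds (4 GB RAM, 70 GB disk) are the figures stated in the post; the free-space check assumes the installer's fixed path sits on the system drive, and the version strings 6.1.7601 (2008 R2 SP1) and 6.2 (Windows Server 2012) are the build numbers of those operating systems.

```powershell
# Added example, not part of the original post: pre-flight check of the DirSync server.
# Written for PowerShell 2.0 (Windows 2008 R2) so it uses Get-WmiObject rather than CIM cmdlets.
$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# A. Operating system: Windows Server 2008 R2 SP1 (6.1.7601) or Windows Server 2012 (6.2.x).
$os   = Get-WmiObject Win32_OperatingSystem
$osOk = ($os.Version -like "6.1.7601*") -or ($os.Version -like "6.2.*")
Add-Check "Supported OS" $osOk "$($os.Caption) $($os.Version)"

# A. Domain member, but not a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
$cs = Get-WmiObject Win32_ComputerSystem
Add-Check "Domain member" $cs.PartOfDomain "Domain: $($cs.Domain)"
Add-Check "Not a domain controller" ($cs.DomainRole -lt 4) "DomainRole: $($cs.DomainRole)"

# D. Memory and free disk space for the bundled SQL 2008 R2 Express instance (system drive assumed).
$ramGb = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check "At least 4 GB RAM" ($ramGb -ge 4) "$ramGb GB"
$sysDrive = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGb   = [math]::Round($sysDrive.FreeSpace / 1GB, 1)
Add-Check "At least 70 GB free on $env:SystemDrive" ($freeGb -ge 70) "$freeGb GB free"

# .NET Framework 3.5 SP1 (Install=1 and SP>=1 under the v3.5 key) and 4.0 (v4\Full key).
$ndp = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP"
$v35 = Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue
Add-Check ".NET 3.5 SP1 installed" (($v35 -ne $null) -and ($v35.Install -eq 1) -and ($v35.SP -ge 1)) "Version: $($v35.Version), SP: $($v35.SP)"
$v4 = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
Add-Check ".NET 4.0 (Full) installed" (($v4 -ne $null) -and ($v4.Install -eq 1)) "Version: $($v4.Version)"

# Existing SQL instance is optional: if none is present, setup installs SQL 2008 R2 Express itself.
$sqlServices = @(Get-Service -Name "MSSQL*" -ErrorAction SilentlyContinue)
$sqlDetail = if ($sqlServices.Count -gt 0) { ($sqlServices | ForEach-Object { $_.Name }) -join ", " }
             else { "none (setup will install SQL 2008 R2 Express)" }
Add-Check "Existing SQL services (informational)" $true "Found: $sqlDetail"

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning "One or more requirements are not met; do not install DirSync yet."
}
```

The .NET check reads the same v3.5 key mentioned above and adds the v4\Full key for the 4.0 install; if either line reports Passed = False, install the missing framework (and run Windows Update) before continuing.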
 
 
Once we have installed the .NET Framework pre-requisites (and updates), we can install the DirSync tool.
 
1. Right-click the DirSync file (downloaded from the Office 365 site previously), select "Run as administrator", and click "Next" to proceed to the License Terms.


 

2. Accept the license terms.


 

3. Select install location.


 

4. Let the installation finish.



 
Now we configure the DirSync tool.

The introduction explains that we will need administrator credentials for both the online tenant (your Office 365 administrator account) and the local Active Directory (an Enterprise Administrator). The Office 365 directory is now called "Windows Azure Active Directory".




1. Enter your Windows Azure Active Directory credentials.



 
2. Enter your local Active Directory Enterprise administrator credentials.




3. Enable password synchronization by checking the box shown below.


Unless... for some reason, you do not want to synchronize passwords to Office 365.




 
If a screen about "Hybrid" options appears, skip to the next screen (we really have no choice, since the option is grayed out: it requires the presence of an Exchange 2010 server, which is absent from our scenario).


Let setup work...

 
 
And finish...





Now, at this point, we could check the box "Synchronize your directories now".
 
 
But I will not do that.
 
That would synchronize the entire Active Directory (users, groups and contacts - and now user passwords). In many organizations, not all users (or groups) need to be synchronized with Office 365. In our case, only those who will use Exchange Online need to be synchronized. Importing other objects into Office 365 would be useless.
 
Although this was not possible in previous versions, the current version (at the time of this writing, and presumably later versions too) allows an administrator to filter the objects synchronized with Office 365, notably by OU (organizational unit), domain and attribute.
 
We will filter by OU - in the next blog post...


Lastly, I stated above that setting up DirSync is a six-step process.

Steps 1 to 4 were covered in this blog post.

Steps 5 and 6 ("Verify Directory Synchronization" and "Activate Synchronized Users") will be covered in future posts.
 



 






2 comments:

  1. This comment has been removed by the author.

  2. Right now, I am running the configuration wizard and it is running on our active Exchange server and it has been in the "configuring" stage with the progress bar going from left to right for over 3 hours now. Is this normal to take this long? When I was installing the Directory Sync tool itself, it took about 3 hours to finish the installation, but it did eventually finish.
