Saturday, August 10, 2013

Exchange 2007 (SP3) - migration (staged) - Exchange Online (Office 365) - Part 4.2 - DirSync

Part 4.2

- Filter objects to be migrated by OU (organizational unit).
- Synchronize (and configure scheduled synchronization).

In part 4.1, we activated DirSync in Office 365 and installed the DirSync tool on a local (on-premises) server. We could have initiated synchronization immediately by checking a box at the end of the DirSync tool installation. However, some organizations may first want to limit what objects are synchronized with Office 365 or, more specifically, to Exchange Online. Only then would synchronization be initiated.

Filtering objects to be synchronized

We can filter objects by three criteria:
  1. OU (organizational unit)
  2. Domain (obviously only useful in a forest with multiple domains)
  3. Attribute
We will filter by OU.
The tool we will use for filtering the objects to be synchronized is called "Forefront Identity Manager" (2010 R2 in our case). The name of the executable file is miisclient. It can be found (by default) at the following location (creating a shortcut might be helpful):
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
When FIM opens (note that it is also called "Synchronization Service Manager"), select the "Management Agents" tab and then "Active Directory Connector". This was previously named "SourceAD".

Right click on the highlighted line and select "Properties". When the resulting window opens, select "Configure Directory Partitions".

We can leave the default settings here with one exception: I will select the option to synchronize passwords as indicated in the illustration above. Of course, if your organization does not wish to use this feature, you can leave it unchecked. This will not affect other operations.
If we click on "Targets", we see that the target for password synchronization is "Windows Azure Active Directory". The value "disabled" for "Password Management" does not prevent password synchronization from occurring.

For filtering, we select "Containers" which is right above the Password Synchronization section:

Enter your credentials when prompted:

Since we intend to filter by OU, we'll select the organizational units containing objects that we want to synchronize with Office 365 - or more specifically Windows Azure Active Directory. In this exercise, objects to be synchronized are located in the "Contacts" and "Exchange Online" containers:

Now we have filtered, by OU, objects to be synchronized.

Configuring synchronization

The easiest way to initiate synchronization - if filtering is not desired - is to check the box shown below at the end of the DirSync tool installation:

One option for initiating directory synchronization is to complete the wizard once again after you have configured filtering.
Otherwise, the simplest way to initiate - and automatically schedule - directory synchronization is to run the following PowerShell cmdlet:
Note: this section is optional - the PowerShell cmdlet does everything that needs to be done for synchronization to occur. What follows would be more useful for troubleshooting the synchronization process step-by-step.
FIM (miisclient) can be used to trigger synchronization manually - essentially for troubleshooting. For synchronization to be successful, from start to finish, a number of steps must be completed.

As mentioned before, we would go to the following location (the same as for filtering by OU) to force a manual synchronization:

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell

As shown in the illustration above, we would then go to:

- Management Agents
- Active Directory Connector
- Run (under Actions)
- Full Import Stage Only

Making sure that each step finishes before starting the following, this would be the complete procedure to follow (according to Microsoft Technical Support):

  1. Active Directory Connector -> Run -> Full Import Stage Only
  2. Active Directory Connector -> Run -> Full Import Full Sync
  3. Windows Azure Active Directory Connector -> Run -> Full Import Full Sync
  4. Windows Azure Active Directory Connector -> Run -> Delta Import Delta Sync
  5. Windows Azure Active Directory Connector -> Run -> Export

It is not clear why a Delta Sync would be required (if indeed it is) immediately after a Full Sync. However, this procedure was tested with Microsoft Technical Support for troubleshooting and does work.
Once again, any current operation should finish in an "Idle" state before one proceeds to the following step.
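
The five-step sequence above can also be scripted so that each run profile finishes before the next one starts and the sequence stops at the first run that does not end cleanly. This is an added example, not part of the original post or of Microsoft's tooling for DirSync; it assumes the FIM Synchronization Service WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent) is available on the DirSync server and that the connector and run profile names match the ones listed above.

```powershell
# Added example: run the five troubleshooting steps in order through the
# FIM Synchronization Service WMI provider. Run elevated on the DirSync server.
$ErrorActionPreference = 'Stop'

# Assumption: the sync engine installed by DirSync registers this WMI namespace.
$namespace = 'root\MicrosoftIdentityIntegrationServer'

# Connector and run profile names exactly as they appear in the procedure above.
$steps = @(
    @{ Agent = 'Active Directory Connector';               Profile = 'Full Import Stage Only' },
    @{ Agent = 'Active Directory Connector';               Profile = 'Full Import Full Sync' },
    @{ Agent = 'Windows Azure Active Directory Connector'; Profile = 'Full Import Full Sync' },
    @{ Agent = 'Windows Azure Active Directory Connector'; Profile = 'Delta Import Delta Sync' },
    @{ Agent = 'Windows Azure Active Directory Connector'; Profile = 'Export' }
)

$n = 0
foreach ($step in $steps) {
    $n++

    # Look up the management agent (connector) by its display name.
    $filter = "Name='{0}'" -f $step.Agent
    $ma = Get-WmiObject -Namespace $namespace -Class MIIS_ManagementAgent -Filter $filter
    if (-not $ma) {
        throw ("Step {0}: management agent '{1}' not found." -f $n, $step.Agent)
    }

    Write-Host ("[{0}/{1}] {2} -> {3}" -f $n, $steps.Count, $step.Agent, $step.Profile)
    $started = Get-Date

    # Execute() blocks until the run has finished, so the connector is idle
    # again before the next step begins.
    $result  = $ma.Execute($step.Profile).ReturnValue
    $elapsed = [int]((Get-Date) - $started).TotalSeconds
    Write-Host ("      result: {0} ({1}s)" -f $result, $elapsed)

    # Anything other than a clean run stops the sequence so the run history
    # can be reviewed in Synchronization Service Manager before continuing.
    if ($result -ne 'success') {
        throw ("Step {0} ({1}) returned '{2}'; stopping." -f $n, $step.Profile, $result)
    }
}
Write-Host 'All five run profiles completed.'
```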

1 comment:

  1. A huge thanks to you for sharing the technique of SYNCBUS.....really this kind of Tech Services are too good for the tech customers who required convenient and Affordable Tech Support
    your all services and the SYNCBUS solutions that you've mentioned, it's too appreciable........