Setting up Directory Synchronization with the NEW Office 365

Now that we have the AD FS and AD FS Proxy servers set up, we need to set up Directory Synchronization. Directory Sync lets you synchronize (one way, to the cloud) your local Active Directory, or a portion of it, to your Office 365 account. This is a critical piece of the single sign-on solution for Office 365, as it works together with AD FS. Directory Sync is installed on a single server and cannot be made highly available.

We have AD FS set up already, and we have base-built the Directory Sync server with Windows Server 2012. The server has a static IP address and is domain joined.

Activate Directory Synchronization

Before we can set up and use the Directory Sync software, we need to activate it in the Office 365 Admin Center.

  1. Open Internet Explorer

     

  2.  

  3. Click Users and Groups

     

  4. Click the Activate link next to Active Directory® synchronization

This process can take up to 24 hours.

 

Install Directory Sync Software

We need to download and install the Directory Sync software from the Office 365 Admin Center. This is a 64-bit installer.

  1. Log in to the Directory Sync Server with an Administrator account

     

  2. Open Internet Explorer

     

  3.  

  4. Click Users and Groups

     

  5. Click the Set up link next to Active Directory® synchronization

     

  6. Skip down to step 4 and click download

     

  7. Navigate to the downloaded file (dirsync.exe) and open it

     

  8. Click Next

     

  9. Accept the License Agreement

     

  10. Click Next

     

  11. Choose an install location

     

  12. Click Next

     

  13. Installing – This process takes a while, so be patient.

     

  14. Install complete, click Next

     

  15. Uncheck Start Configuration Wizard now

     

  16. Click Finish

     

  17. REBOOT the Directory Sync server before running the Configuration Wizard

 

Configure Directory Sync

Picking up from the last setup, we can now configure Directory Sync.

  1. Log in to the Directory Sync Server with an Administrator account

     

  2. Open the Configuration Wizard from the Desktop shortcut

     

  3. Run the Wizard while logged in with an Administrator account.

     

  4. Click Next

     

  5. Enter a cloud account (@domain.onmicrosoft.com) that has the Global Administrator role assigned in Office 365.

     

    ***Note*** I create an unlicensed service account in Office 365 for AD FS and Directory Sync. Assign these accounts the Global Administrator role and set the passwords to not expire. This will prevent issues if the password changes or the

     

  6. Click Next

     

  7. Enter an Enterprise Administrator account

     

    ***Note*** Running the Wizard needs Enterprise Administrator credentials. Once the Wizard has completed, the credentials will not be used again.

     

  8. Click Next

     

  9. Enable Exchange Hybrid Deployment

     

    ***Note*** If Directory Sync detects that you have at least one Exchange 2010 SP1 or newer server in your Active Directory, you will be prompted to Enable Exchange Hybrid Deployment.

     

  10. Click Next

     

  11. The wizard will start the configuration process

     

  12. When it has completed, click Next

     

  13. Uncheck Synchronize now (if you plan to implement OU filtering)

     

    ***Note*** If you want to filter the OUs that get synchronized to Office 365, then follow this blog post: Directory Synchronization – Filtering OUs to Synchronize to Office 365. Do not start the synchronization until you have set up OU filtering. This avoids having to clean up objects in Office 365 afterwards.

     

    If you don’t want to do OU filtering, then leave this option checked.

     

  14. Click Finish
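
The note in step 5 leaves Global Administrator service accounts with passwords that never expire, so an inventory of those accounts is a useful companion to it. The following is an added example, not part of the original post: it lists every Global Administrator with its licence and password-expiry state. It assumes the MSOnline PowerShell module is installed, and the UPN in the commented line is hypothetical.

```powershell
# Added example. Assumes the MSOnline module is installed on the admin workstation.
Import-Module MSOnline
Connect-MsolService          # prompts for an Office 365 admin credential

# Applying the note above to a service account (hypothetical UPN, left commented out):
# Set-MsolUser -UserPrincipalName 'svc-dirsync@domain.onmicrosoft.com' -PasswordNeverExpires $true

# The Global Administrator role is named "Company Administrator" in the MSOnline module.
$role = Get-MsolRole -RoleName 'Company Administrator'

# Resolve each user member of the role to its full user object.
$report = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object {
        $u = Get-MsolUser -ObjectId $_.ObjectId
        New-Object PSObject -Property @{
            UserPrincipalName    = $u.UserPrincipalName
            IsLicensed           = $u.IsLicensed
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastPasswordChange   = $u.LastPasswordChangeTimestamp
        }
    }

$report | Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, IsLicensed, PasswordNeverExpires, LastPasswordChange -AutoSize

# Accounts that combine the highest privilege with a password that never rotates.
$standing = @($report | Where-Object { $_.PasswordNeverExpires -eq $true })
Write-Host "$($standing.Count) Global Administrator account(s) have a non-expiring password."
```

Running this after the wizard completes gives a baseline; any account that later appears in the list without having been created for AD FS or Directory Sync deserves a closer look.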

     

 

Force Synchronization to Office 365

 

Since we stopped the initial sync job in the last step, we need to manually start the first sync job. It will run automatically if you give Directory Sync more time, or we can force it with PowerShell.

  1. Log in to the Directory Sync Server with an Administrator account

     

  2. Open DirSyncConfigShell.psc1 (C:\Program Files\Microsoft Online Directory Sync\)

     

    ***Note*** I create a shortcut to this file on my desktop

     

  3. Type Start-OnlineCoexistenceSync

     

  4. Press enter to execute the command

Successful synchronization can be confirmed in the Application Log on the Directory Sync server.

You can also verify that the users are now shown in the Office 365 Admin Center. You will notice that the users' status is now ‘Synced with Ac’, rather than ‘In cloud’.
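
The forced sync and the Application Log check described above can be combined in one script. This is an added example, not part of the original post; the event source filter, timeout and poll interval are assumptions to adjust for your server.

```powershell
# Added example. Run inside the DirSync shell (DirSyncConfigShell.psc1) so that
# Start-OnlineCoexistenceSync is available.

# ASSUMPTION: DirSync logs to the Application log under sources whose names
# contain "Directory Synchronization". Confirm the source name in Event Viewer.
$sourceFilter   = '*Directory Synchronization*'
$timeoutMinutes = 10      # constructed value
$pollSeconds    = 30      # constructed value

$started = Get-Date
Start-OnlineCoexistenceSync

# Poll until events have appeared and no new ones arrived between two polls,
# or until the timeout is reached.
$deadline = $started.AddMinutes($timeoutMinutes)
$events   = @()
do {
    $lastCount = $events.Count
    Start-Sleep -Seconds $pollSeconds
    $events = @(Get-EventLog -LogName Application -After $started `
                    -Source $sourceFilter -ErrorAction SilentlyContinue)
    $settled = ($events.Count -gt 0 -and $events.Count -eq $lastCount)
} while (-not $settled -and (Get-Date) -lt $deadline)

if ($events.Count -eq 0) {
    Write-Warning "No Directory Sync events logged within $timeoutMinutes minutes of the forced sync."
} else {
    $events | Sort-Object TimeGenerated |
        Format-Table TimeGenerated, EntryType, Source, EventID, Message -AutoSize -Wrap

    # Any warning or error since the forced sync means the run needs review.
    $problems = @($events | Where-Object {
        $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning'
    })
    if ($problems.Count -gt 0) {
        Write-Warning "$($problems.Count) warning/error event(s) since $started; review them before relying on the sync."
    } else {
        Write-Host "No warnings or errors logged since $started."
    }
}
```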

 

Now that we have Federation and Directory Sync set up, we can test single sign-on with Office 365.

 

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP


22 thoughts on “Setting up Directory Synchronization with the NEW Office 365”

  1. Long

    Do you have part #13? I am deploying the Exchange Hybrid Deployment. I have been waiting for this part. Thanks,

  2. Omer

    I want single sign-on with Office365 without Active Directory synchronization. Is it possible? Will SSO work without directory Sync? Please reply to me. I'm new here.

    1. Kelsey Epps Post author

      Yes, you can sync AD to Office 365 and not use ADFS. The latest version of DirSync will allow you to sync passwords as well.

  3. Joe

    You mentioned that you created an unlicensed service account in Office 365 for AD sync. In my test system the user must have the AD Windows Azure Role, which requires a license. How do you get an unlicensed user to work with AD sync?

  4. andrew

    I need to synchronize user details (like phone number, position, etc.) from Office 365 into Active Directory on site. Is there any way to do this?

  5. DITG

    Nice tutorial, never set it up before but it’s pretty easy.

    The download link for the tool has changed somewhat though, I found it under Users –> Active users –> on top of the page there are links for the AD sync tool!

    Thanks!

  6. Corrado

    Does DirSync also create the users in Office365?
    I have already created them so I only want to install and configure DirSync to have AD passwords and Office365 passwords aligned. Is it possible?

    1. Kelsey Epps Post author

      If you created the users already, DirSync should soft match the accounts in the cloud to on-premise accounts, or it will error out.

  7. jan willem

    One of the steps is Activate Directory Synchronization in the portal. I have been trying all the different menus, but activation is not to be found.

    Using the sync tool gives me the message that synchronisation has not been activated.

    I seem to be missing something obvious, but what?

    1. Kelsey Epps Post author

      Sync needs to be activated in the portal. Click users and you’ll see a link at the top of the page for DirSync

  8. Nick

    Nice article! Much Appreciated

    Can you confirm if access to Office 365 is maintained in an event DirSync is unavailable? (i.e. On-premises site hosting DirSync and AD is offline).

    1. Kelsey Epps Post author

      Yes, if DirSync goes down, all that you will lose are the changes from AD to Azure AD. You need to make sure that ADFS is up and running all the time, if you’re using.
