This post covers the build of the Directory Synchronization server. It lets us replicate the contents of our AD to Office 365, which in turn lets us make use of the SSO features that we installed in the previous posts.
This is the end-goal architecture for setting up ADFS, ADFS Proxies and Directory Synchronization.
The directory synchronization computer must meet the following requirements:
- It must be running the right version of Windows Server. The Directory Synchronization tool can be run on the 32-bit or 64-bit versions of the following Windows Server operating systems:
  - 32-bit: Windows Server 2003 Standard or Windows Server 2008 Standard
  - 64-bit: Windows Server 2008 R2 Standard or Windows Server 2008 Standard
- It must be joined to Active Directory. The computer must be joined to the Active Directory forest that you plan to synchronize. The computer also must be able to connect to all the other domain controllers for all the domains in your forest. A forest is one or more Active Directory domains that share the same class and attribute definitions, site and replication information, and forest-wide search capabilities.
- It cannot be a domain controller. The Directory Synchronization tool cannot be installed on Active Directory domain controllers.
- It must run Microsoft .NET Framework 3.x.
- It must run Windows PowerShell.
- It must be located in an access-controlled environment. Access to the computer that is running the Directory Synchronization tool should be limited to those users who have access to your Active Directory domain controllers and other sensitive network components. Only users or administrators that have the necessary permissions to make changes to domain controllers in Active Directory should have access to this computer.
- You can view the hardware requirements for the Directory Sync Server, here
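The requirements above are all things you can check before the installer is even copied to the box. The script below is an added example written for this post, not part of the original article or the Directory Synchronization tool; it assumes it is run in an elevated PowerShell session on the candidate server and reports each requirement, plus the membership of the local Administrators group so you can confirm the access-control point (only people trusted to administer your domain controllers should appear in that list).

```powershell
# Added example (not from the original post): pre-flight check for the
# Directory Synchronization server requirements. Run elevated on the candidate
# server (DIRSYNC01 in this series).

function Test-DirSyncPrerequisites {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # Win32_ComputerSystem.DomainRole: 0/1 = workstation, 2 = standalone server,
    # 3 = member server, 4/5 = domain controller. DirSync must NOT be on a DC.
    $isDomainJoined     = [bool]$cs.PartOfDomain
    $isDomainController = ($cs.DomainRole -ge 4)

    # Supported OS per the list above: Server 2003 (5.2), 2008 (6.0), 2008 R2 (6.1)
    $osVersion   = [version]$os.Version
    $osSupported = ($osVersion.Major -eq 5 -and $osVersion.Minor -eq 2) -or
                   ($osVersion.Major -eq 6 -and $osVersion.Minor -le 1)

    # .NET Framework 3.x: the v3.0 / v3.5 setup keys carry Install=1 when present
    $dotNet3 = $false
    foreach ($v in 'v3.0', 'v3.5') {
        $key = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\$v"
        if ((Test-Path $key) -and ((Get-ItemProperty $key).Install -eq 1)) { $dotNet3 = $true }
    }

    # $PSVersionTable does not exist on PowerShell 1.0, so fall back to 1.0
    $psVersion = if ($PSVersionTable) { $PSVersionTable.PSVersion } else { [version]'1.0' }

    # Who holds local admin here? Review this list against the people who are
    # allowed to change your domain controllers; remove anyone else.
    $adminGroup  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $localAdmins = @($adminGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        OSVersion           = $os.Version
        OSArchitecture      = $os.OSArchitecture   # null on Server 2003
        OSSupported         = $osSupported
        DomainJoined        = $isDomainJoined
        Domain              = $cs.Domain
        IsDomainController  = $isDomainController
        DotNet3Installed    = $dotNet3
        PowerShellVersion   = $psVersion
        LocalAdministrators = ($localAdmins -join ', ')
        Ready               = ($osSupported -and $isDomainJoined -and
                               -not $isDomainController -and $dotNet3)
    }
}

Test-DirSyncPrerequisites | Format-List
```

`Ready` is only true when the OS is on the supported list, the machine is domain-joined, it is not a domain controller and .NET 3.x is present; the `LocalAdministrators` field is informational and is the one worth reading most carefully.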
Install and Configure Directory Sync
- Base build DIRSYNC01 with Windows Server 2008 R2 SP1 (Standard or Enterprise)
- Add the server to the local domain and assign a static IP address from your internal network (192.168.0.x)
- Create a domain service account for use with Directory Sync. This account must be a member of Enterprise Administrators
- While logged into DIRSYNC01 as the service account, open the Microsoft Online Admin Portal (https://portal.microsoftonline.com) and log in with a global administrator account.
- Create an online user service account (@contoso.onmicrosoft.com) for Directory Sync:
  - Grant that user Global Admin rights
  - You don’t have to apply a license to the user
  - Set this user’s password to never expire
- Back on the Admin page, in the left pane, click Users.
- At the top of the Users page, click the link next to Active Directory synchronization.
- Select the correct version (either Windows 32-bit version or Windows 64-bit version) and click Download
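The two service accounts in the steps above can also be created from PowerShell, which makes it easier to confirm the settings the post calls for (password never expires, Enterprise Admins membership on-premises, Global Admin with no licence in the tenant). The script below is an added example, not part of the original post or the Directory Synchronization tool. It assumes the ActiveDirectory module (RSAT on Server 2008 R2) and the Microsoft Online Services Module for Windows PowerShell (MSOnline) are installed, that you run it as a domain admin who can also sign in to the tenant as a global administrator, and that the account names and the contoso.onmicrosoft.com tenant are placeholders to replace with your own.

```powershell
# Added example (not from the original post): create the DirSync service accounts.
Import-Module ActiveDirectory
Import-Module MSOnline

$domainSvc = 'svc-dirsync'                          # placeholder account name
$cloudSvc  = 'svc-dirsync@contoso.onmicrosoft.com'  # placeholder tenant from the post

# Passwords are read at the prompt so none ends up in the script or the history.
$domainPassword = Read-Host -Prompt "Password for $domainSvc" -AsSecureString

# 1. Domain service account: enabled, password never expires and, as this
#    version of DirSync requires, a member of Enterprise Admins.
New-ADUser -Name $domainSvc -SamAccountName $domainSvc `
    -Description 'Directory Synchronization service account' `
    -AccountPassword $domainPassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true
Add-ADGroupMember -Identity 'Enterprise Admins' -Members $domainSvc

# 2. Online service account: Global Admin ("Company Administrator" is the role
#    name the MSOnline module uses), password never expires, no licence assigned.
Connect-MsolService -Credential (Get-Credential)
$cloudPassword = Read-Host -Prompt "Password for $cloudSvc" -AsSecureString
# New-MsolUser takes the password as plain text, so unwrap the SecureString only here
$plain = (New-Object System.Management.Automation.PSCredential 'x', $cloudPassword).GetNetworkCredential().Password
New-MsolUser -UserPrincipalName $cloudSvc -DisplayName 'DirSync Service' `
    -FirstName 'DirSync' -LastName 'Service' `
    -Password $plain -ForceChangePassword $false -PasswordNeverExpires $true
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $cloudSvc

# Confirm both accounts look right before starting the installer.
Get-ADUser $domainSvc -Properties PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, MemberOf
Get-MsolUser -UserPrincipalName $cloudSvc |
    Select-Object UserPrincipalName, PasswordNeverExpires, IsLicensed
```

Both accounts are highly privileged, so the final two commands are there to be read, not just run: the domain account should show Enterprise Admins in `MemberOf`, and the online account should show `PasswordNeverExpires` true and `IsLicensed` false.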
Install Directory Sync
- Double click the file and launch the installer
- Click Next
- Accept the License Agreement and click Next
- Select the Installation Folder and Click Next
- The install starts; this process can take a while
- Click Next to Finish the Installer
- On the last page of the installation program, select Start Configuration Wizard now, and then click Finish
Configure Directory Sync
- The Microsoft Online Services Directory Synchronization Configuration Wizard, launched in the previous step, starts. Click Next
- Enter your online Service Account ID and Password for Directory Sync, Click Next
- Enter your domain Service Account ID and Password for Directory Sync, Click Next
- If the installer detects that you have Exchange 2010 in the domain, you will get this option. If you don’t have it installed, the option is greyed out. Enable it and click Next, or just click Next if it’s greyed out.
- Click Next to Finish the Installer
- Click Finish to start the first Synchronization
- NOTE: If you want to do OU filtering, then uncheck ‘Synchronize directories now’ and follow the steps detailed in this POST
Verify Directory Synchronization is Running
- The easiest way to do this is to log in to the Office 365 Portal and check the users. If you see the domain users, you are up and running
- You can also read the instructions below for more detailed analysis
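For a more detailed check than eyeballing the user list, the script below is an added example, not part of the original post or the Directory Synchronization tool. It looks at three things: the sync service on DIRSYNC01, the tenant-side "last sync" timestamp, and how many tenant users actually came from on-premises AD (those carry a `LastDirSyncTime`). It assumes the MSOnline module is installed and that the DirSync service's display name contains "Synchronization"; that filter is an assumption, so if it returns nothing, list the services and pick the right one. The three-hour staleness threshold is DirSync's default sync interval, not a value from this post.

```powershell
# Added example (not from the original post): verify Directory Synchronization.
Import-Module MSOnline

function Test-DirSyncStatus {
    param([string]$ComputerName = 'DIRSYNC01')   # hostname used in this series

    # Local service state. The display-name filter is an assumption.
    $service = Get-Service -ComputerName $ComputerName |
        Where-Object { $_.DisplayName -like '*Synchronization*' }

    # Tenant side: is DirSync enabled, and when did it last complete?
    $company = Get-MsolCompanyInformation
    $last    = $company.LastDirSyncTime

    # Users with a LastDirSyncTime were written by DirSync, not created in the portal.
    $users  = @(Get-MsolUser -All)
    $synced = @($users | Where-Object { $_.LastDirSyncTime -ne $null })

    New-Object PSObject -Property @{
        ServiceName        = (($service | ForEach-Object { $_.Name })   -join ', ')
        ServiceStatus      = (($service | ForEach-Object { $_.Status }) -join ', ')
        DirSyncEnabled     = $company.DirectorySynchronizationEnabled
        LastDirSyncTime    = $last
        SyncedUserCount    = $synced.Count
        CloudOnlyUserCount = ($users.Count - $synced.Count)
        # Stale if no sync has ever completed or the last one is older than
        # the default 3-hour schedule
        SyncIsStale        = (($last -eq $null) -or ($last -lt (Get-Date).AddHours(-3)))
    }
}

Connect-MsolService -Credential (Get-Credential)
Test-DirSyncStatus | Format-List
```

A healthy result shows the service `Running`, `DirSyncEnabled` true, `SyncIsStale` false and a `SyncedUserCount` that matches the number of users you expect from AD; `CloudOnlyUserCount` should be small (the service account you created plus any admins created in the portal).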
The Complete Series of Posts
- Open Office 365 Account and Sign up for the E Plan Trail
- Add and Verify the primary SMTP domain
- Setting up ADFS Servers with Windows NLB
- Setting up ADFS Proxy Servers with Windows NLB
- Setup Directory Synchronization to Office 365
Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.
Office 365 MVP