Setting up DirSync between Active Directory and Office 365
The following article outlines the steps required to set up directory synchronisation between an on-premise Active Directory and Office 365 (Windows Azure Active Directory).
The screenshots in this post are from an Office 365 tenant that is on Wave 15 (i.e. the new version). If your organisation has yet to upgrade then some of the images may differ slightly.
The first thing we want to do is tell our Office 365 tenant that we are going to set up directory synchronisation. This can take some time, so it is best to do this step first.
1. Log into the Microsoft Online Portal.
2. Select the Users and Groups button within the Office 365 admin center.
3. On the right-hand pane, select Active Directory synchronization: Set up.
4. Select Activate under Step 3, Activate Active Directory Synchronization. Please note that this can take up to 24 hours to complete.
5. Once Active Directory Synchronisation has been activated, you will see the task change to ‘activated’.
6. At this point we can go ahead and install the DirSync tool. From a member server in your on-premise domain, open a browser and log into your Office 365 tenant.
7. Repeat steps 1-3 to get back to the Active Directory Synchronisation page.
8. Select Download against option 4, Install and Configure the Directory Sync Tool. This will download dirsync.exe onto your local machine.
9. Once downloaded, run dirsync.exe. NOTE: you must have .NET Framework 3.5.1 and .NET Framework 4.0 installed on the computer in order to run this tool. If you see an error message at this point, you can install .NET 3.5.1 from Administrative Tools > Server Manager > Features > Add Features.
10. Select .Net Framework 3.5.1 Features and follow the installation instructions.
11. You may at this point need to check that you have also installed all security updates to .Net Framework 3.5.1.
12. .NET Framework 4.0 can be downloaded from here.
13. Once you have the right versions of the .NET Framework, go ahead and install dirsync.exe. At the Welcome screen click Next.
14. Accept the EULA.
15. Select the installation folder you wish to install the binaries into. The installation will begin.
16. When the installation is complete, click Next.
17. Check Start Configuration Wizard now and click Finish.
18. On the DirSync tool Configuration Wizard welcome screen, click Next.
19. Provide credentials of an account with administrative permissions for your online tenant. These credentials will be saved and used to synchronize changes from your organization’s on-premise Active Directory with Windows Azure Active Directory.
Important: when you change the password for this account, you must run this wizard again to update the password used by the DirSync tool. Click Next.
20. Provide the credentials for an account with administrative permissions on your organization’s Active Directory. These credentials will be used to set the permissions for the DirSync tool, which will sync changes in your organization’s Active Directory with Windows Azure Active Directory. These credentials are not saved.
21. The Hybrid Deployment page, if used, provides a unified email experience across your Office 365 and on-premise environments. A hybrid deployment offers features such as a unified GAL, off-boarding and others.
This requires an Exchange 2010 server on-premise. As we don’t have one for this setup, the option is greyed out.
22. Password Synchronisation. Synchronising passwords from on-premise to the cloud allows users to access Office 365 with the same password they use for on-premise resources. If you require this, select Enable Password Sync and click Next.
23. The DirSync tool will now configure your settings.
24. Select Synchronize your directories now and click Finish.
25. The configuration wizard presents you with a link to see how you can verify your directory has been synchronized. Click OK.
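The prerequisite checks in steps 4, 5, 9 and 12 are the parts of this procedure that can be scripted before you run dirsync.exe. The following PowerShell pre-flight script is an added example, not code from the original post or from the DirSync tool; it assumes a Windows Server 2008 R2 member server (ServerManager module present) with the Microsoft Online Services Module (MSOnline) installed, and the tenant admin address is a placeholder to replace.

```powershell
# Added example (not from the original post): pre-flight checks before installing DirSync.
# Assumes Windows Server 2008 R2 (ServerManager module) and the MSOnline module on the
# member server. $TenantAdmin is a placeholder; replace it with your tenant admin account.
param(
    [string]$TenantAdmin = 'admin@contoso.onmicrosoft.com'  # placeholder, replace
)

$problems = @()

# Steps 9/10: .NET Framework 3.5.1 is the NET-Framework-Core feature on 2008 R2
Import-Module ServerManager
$net35 = Get-WindowsFeature -Name NET-Framework-Core
if (-not $net35.Installed) {
    $problems += '.NET Framework 3.5.1 (NET-Framework-Core) is not installed'
}

# Step 12: .NET Framework 4.0 registers itself under NDP\v4\Full
$net4Key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
if (-not (Test-Path $net4Key)) {
    $problems += '.NET Framework 4.0 is not installed'
} else {
    $net4 = Get-ItemProperty -Path $net4Key
    Write-Host ".NET 4.x version found: $($net4.Version)"
}

# Steps 4/5: activation on the tenant can take up to 24 hours. Confirm it here
# rather than discovering at the end of the wizard that it has not completed.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential $TenantAdmin)
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    $problems += 'Directory synchronization is not yet activated on the tenant'
}

if ($problems.Count -eq 0) {
    Write-Host 'All prerequisites met; you can run dirsync.exe'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it from an elevated PowerShell prompt on the member server; a non-zero exit with one warning per missing prerequisite tells you which of the steps above still needs doing.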
Monitoring and Testing Directory Sync
Once you have the DirSync tool installed, we need to test that it works correctly. There are a couple of ways to test and monitor DirSync; ideally we want to test both forced and automatic updates.
To monitor our changes we can use the Synchronization Service Manager tool, which ships with DirSync.
Navigate to the following directory on the member server where you installed the DirSync tool: C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell
To summarize, the top frame lists each time DirSync ran, and the bottom-left frame gives you finer detail of the changes, for example the number of adds, deletes, etc.
To test a forced sync, navigate to your on-premise Active Directory and make a simple change on an account that exists on both platforms. In this example I’ve updated the Job Title details on the account Edward Tester.
Then log onto the member server where the DirSync tool is installed.
Navigate to the following directory, C:\Program Files\Windows Azure Active Directory Sync, and run DirSyncConfigShell.psc1.
Type Start-OnlineCoexistenceSync and press Enter. This will force a sync between your on-premise Active Directory and Windows Azure Active Directory.
If you now open the Synchronization Service Manager, you will see the update going through.
If you click through further you can see the finer detail of the updated object, in this instance the attribute we are attempting to sync.
You can now check your user object in Office 365; the change has been replicated.
The default sync interval between Office 365 and on-premise Active Directory is 3 hours. This can be changed to whatever suits your company’s needs. The previous article on Changing the default Office 365 DirSync Schedule outlines the steps for this.
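The forced-sync test above can be verified end to end from PowerShell rather than by eye in the Synchronization Service Manager: force the run, wait for the tenant's last-sync timestamp to move, then compare the attribute on both sides. The script below is an added example, not code from the original post or from the DirSync tool. It assumes the ActiveDirectory and MSOnline modules are available on the DirSync member server, that DirSyncConfigShell.psc1 loads the Coexistence-Configuration snap-in (which is what provides Start-OnlineCoexistenceSync), and that the Application event log source name 'Directory Synchronization' is the one DirSync registers; the account names are placeholders.

```powershell
# Added example (not from the original post): force a DirSync run and verify the result.
# Assumes ActiveDirectory + MSOnline modules and the Coexistence-Configuration snap-in
# on the member server. All account names below are placeholders.
param(
    [string]$SamAccountName = 'etester',                      # placeholder
    [string]$Upn            = 'edward.tester@contoso.com',    # placeholder
    [string]$TenantAdmin    = 'admin@contoso.onmicrosoft.com' # placeholder
)

Import-Module ActiveDirectory
Import-Module MSOnline
# Same snap-in that DirSyncConfigShell.psc1 loads (assumption stated in the lead-in)
Add-PSSnapin Coexistence-Configuration -ErrorAction Stop

Connect-MsolService -Credential (Get-Credential $TenantAdmin)

# Tenant-side watermark before the run; the on-premise value we expect to see
$before = (Get-MsolCompanyInformation).LastDirSyncTime
$onPrem = (Get-ADUser -Identity $SamAccountName -Properties Title).Title
$start  = Get-Date

# Equivalent to typing Start-OnlineCoexistenceSync in DirSyncConfigShell.psc1
Start-OnlineCoexistenceSync

# The run is asynchronous, so poll until LastDirSyncTime changes (up to 15 minutes)
$deadline = $start.AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $after = (Get-MsolCompanyInformation).LastDirSyncTime
} while ($after -eq $before -and (Get-Date) -lt $deadline)

if ($after -eq $before) {
    Write-Warning "LastDirSyncTime did not change from '$before' within 15 minutes"
    exit 1
}

# Compare the attribute that was changed on-premise (Job Title in the post)
$cloud = (Get-MsolUser -UserPrincipalName $Upn).Title
if ($cloud -eq $onPrem) {
    Write-Host "Sync verified: Title = '$cloud' on both sides (LastDirSyncTime $after)"
} else {
    Write-Warning "Mismatch: on-premise Title '$onPrem' vs Office 365 Title '$cloud'"
    exit 1
}

# What DirSync wrote to the Application log during this run (source name assumed;
# useful as the thing to watch if you forward these logs to a SIEM)
Get-EventLog -LogName Application -Source 'Directory Synchronization' -After $start `
    -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType, EventID, Message |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the member server after making the on-premise change. A mismatch after LastDirSyncTime has advanced points at attribute flow or a filtered object rather than at the sync run itself, which is the distinction the Synchronization Service Manager view above also gives you.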
These other blog posts may be of interest to you:
- How Secure is DirSync with Password Sync? We analyse the security of the DirSync Password synchronization feature.
- Office 365 Administrator Account Best Practises – Ensure your Office 365 account is secured
- Finding Inactive Users in Office 365 – Users that have not logged on for a certain period of time.