Installing Windows Azure Directory Sync (dirsync) Tool
Office 365 depends on Azure Active Directory for authentication to all of its cloud offerings, so it is mandatory to provision your users in the cloud before you start using any of those services. Microsoft offers a free domain with each subscription, but it is a child domain of onmicrosoft.com. In most cases you will want your own domain associated with the Office 365 services, and directory synchronization is the first step in achieving this. Every existing on-premises infrastructure has an Active Directory deployment on which all network objects depend. It is not easy to give up such a setup and adopt a cloud-only Active Directory, so Microsoft provides tools to sync users to the cloud along with their passwords and other attributes.
Directory Synchronization Road Map
By using the Microsoft Azure Active Directory Sync tool, your company’s administrators can keep your on-premises Active Directory continuously synchronized with Azure AD. Directory synchronization is intended as an ongoing relationship between your on-premises environment and Azure AD. Active Directory synchronization should be considered a long-term commitment to coexistence scenarios between your on-premises Active Directory and cloud. After you have activated directory synchronization, you can only edit synchronized objects in your on-premises environment.
1. Preparation Work
a) Permission required
- You need a domain admin account in your on-premises Active Directory
- You need a tenant admin account for your Office 365 subscription
b) Download DirSync
- Log into the Office 365 Admin Portal
- Navigate to Users & Groups > Manage > Active Directory synchronization > Set Up
- Click the download button in step 4
c) Activate Directory Synchronization – you must activate Directory synchronization before running dirsync tool.
For Office 365 customer:
- Log into the Office 365 Admin Portal
- Navigate to Users & Groups > Active Directory synchronization Set Up
- Click the “Activate” button in step 3
If you are an Azure customer:
- Log into the Azure portal
- Navigate to Active Directory > Directory Integration
- Click “Activate” in step 2
d) Hardware and software requirements for DirSync tool installation
- It must be installed on a 64-bit Windows Server OS (Windows 2008 and higher)
- It must be joined to Active Directory
- It can now be a domain controller, but if it is then you need to follow the additional instructions in the Best Practices for Deploying and Managing the Windows Azure Active Directory Sync Tool.
- It can be a virtual machine
The full list of requirements and details can be found in Prepare for directory synchronization.
e) Before you begin, have the following information ready
- A Windows Azure Active Directory/Office 365 user account that is a member of the Company Administrator group
- An Active Directory user account that is a member of the Enterprise Administrators group in all domains in your on-premises Active Directory Forest
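The following pre-flight script checks the server-side requirements from 1d and the on-premises account requirement from 1e before you launch the installer. It is an added example written for this article, not part of Microsoft's DirSync tool; the function name Test-DirSyncPrerequisites is made up, and it assumes you run it in an elevated PowerShell session on the intended DirSync server (Get-WmiObject is used so it also works on the PowerShell 2.0 that ships with Windows 2008).

```powershell
# Hypothetical pre-flight helper for the DirSync prerequisites listed above.
# Run from an elevated PowerShell session on the server that will host DirSync.
function Test-DirSyncPrerequisites {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id

    # Windows Server 2008 is kernel version 6.0; ProductType 1 means a client OS.
    $isServer = ($os.ProductType -ne 1) -and ([version]$os.Version -ge [version]'6.0')
    $is64Bit  = $os.OSArchitecture -like '64*'

    # DomainRole 4 = backup DC, 5 = primary DC. A DC is allowed, but the
    # extra DC-specific steps referenced in 1d and section 3 then apply.
    $isDc = [int]$cs.DomainRole -ge 4

    # Enterprise Admins is the well-known RID 519 in the forest root domain;
    # if the current account is a member, that SID is present in its token.
    $isEnterpriseAdmin = [bool]($id.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-519' })

    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $domainJoined = [bool]$cs.PartOfDomain

    New-Object PSObject -Property @{
        OperatingSystem      = $os.Caption
        Is64BitServer        = ($is64Bit -and $isServer)
        DomainJoined         = $domainJoined
        IsDomainController   = $isDc
        RunningElevated      = $elevated
        EnterpriseAdminToken = $isEnterpriseAdmin
        # Everything the article lists as mandatory must hold before DirSync.exe is run.
        ReadyToInstall       = ($is64Bit -and $isServer -and $domainJoined -and $elevated -and $isEnterpriseAdmin)
    }
}

Test-DirSyncPrerequisites | Format-List
```

If IsDomainController is True, remember to follow the additional domain-controller instructions referenced in 1d and in section 3 before proceeding.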
2. Setting up DirSync
a) Extract the installation binaries
- Unpack the DirSync installation binaries
- Run DirSync.exe with elevated administrative permissions.
- Click Next to move on.
- Accept the EULA
- Specify the install path
- Install the components
- This will also install SQL Server 2012 Express SP1 and the FIM Sync Engine.
3. Configuring DirSync
- Once installation is completed, it will prompt to start the configuration wizard.
If you are installing the Directory Sync tool on a Domain Controller (supported from Directory Sync tool build 6567.0018), follow these steps:
- De-select the “Start Configuration Wizard Now” checkbox
- Log-off (not restart) from your current session and re-login
- Launch the “Directory Sync Configuration” by running as administrator
- Click Next to proceed.
- Provide Windows Azure Active Directory/Office 365 global admin credentials. Before the sync tool is configured, you need an Office 365 account with global admin permissions so the sync tool can authenticate with Azure.
- Provide on-premises Active Directory credentials. The Active Directory account must be a member of Enterprise Admins; the wizard uses it to create the necessary service account in the local AD.
- Hybrid Deployment – Various features throughout Office 365 and Azure AD depend on Hybrid Deployment being enabled. You need to decide whether you want those features.
- Password Sync – You can choose to enable Password Sync for your tenant.
This lets your users sign into Azure Active Directory (and associated services like Office 365, CRM Online and InTune) with the same password as they use on-premises.
If you want to enable this, select the “Enable Password Sync” checkbox.
- If you want to start syncing now, select the “Synchronize your directories now” checkbox, and then click “Finish”.